Why My Website Sells Viagra

DRE ARMEDA,CISSP @ DREMEDA
CO-FOUNDER AT SUCURI SECURITY
ORGANIZER, WORDCAMP SAN DIEGO
12 YEAR NAVY VETERAN
1 ST WORDPRESS THEME IN 2005
LOVES TACOS
DIEHARD CHARGERS FAN
RIDES A HARLEY
SUCURI .NET DRE .IM

THE WEB IS GROWING
Over 2 Billion internet users today. 480% growth in the last 11 years. (Internet World Stats)
300 million websites were added to the internet in 2011 (Pingdom)
100,000+ domains gained weekly (Global Domain Registry)

INNOVATION & CREATIVITY

ITS NOT ALL PEACHY

WHAT IS MALWARE?
SEO spam, JavaScript & iFrame attacks, and malicious redirects are a couple web-based malware examples.
Malware, short for malicious software, is a software designed to disrupt computer operation, gather sensitive information, or gain unauthorized access to computer systems.

ATTACKERS LOVE YOU
Monitor your web browsing and internet usage
Forced advertising
Redirect affiliate marketing revenue

HOW BAD IS IT?
Over 2 million new malware strings monthly (McAfee)
Cost to US consumers alone = over $2.3 billion in 2010. (Consumer Reports)
Google Safe Browsing issues over 3 million malware warnings a day. (Google)

ENCODED JAVASCRIPT Impact: Website pages may be used to serve malicious downloads to visitors. Downloads may be used to infect desktop computers, and/or exploit FTP info. Typical Entry Point: Outdated, known vulnerable software; exploited desktop computers; exploited FTP credentials. JavaScript that is obfuscated(hidden) so that you can’t tell what it is. It is injected into files/pages on the site and used to serve malware.

ENCODED JAVASCRIPT /wp-admin/js/cat.js – CLEAN

ENCODED JAVASCRIPT /wp-admin/js/cat.js – INFECTED

ENCODED JAVASCRIPT /wp-admin/js/cat.js – INFECTION DECODED – Somewhat 

ENCODED JAVASCRIPT
Attacker scans for known vulnerable software (Old WordPress installations, plugins, themes). Attack stems from exploited desktop which steals FTP information.
Backdoor file inserted into the environment. This gives the attacker remote access into your world
Payload inserted into various Javascript files and/or encoded and hidden in theme, plugin files.
You’ve just enabled your visitors to load fake anti-virus and other cool downloads from your site 
How it works:

ENCODED JAVASCRIPT
Encoded JavaScript Resources:
http://www.schillmania.com/content/entries/2009/javascript-malware-obfuscation- analysis
http://www.slideshare.net/yusufmotiwala/reverse-engineering-malicious- javascript
http://www.infosecisland.com/videos-view/19101-Malware-Analysis-How-to-Decode-JavaScript- Obfuscation.html
QUICK TIP: Check Google to see if you’re infected - site:{yourdomain.com} viagra

CONDITIONAL REDIRECTS Impact: When traffic is coming from a specific referrer (i.e. Google, Bing), the site is redirected to a malicious website. Typical Entry Point: Outdated, known vulnerable software. An attack the causes a website to redirect to a malicious website based on referrer, web browser, operating system.

CONDITIONAL REDIRECTS Infected .htaccess file:

CONDITIONAL REDIRECTS Result of conditional redirect:

CONDITIONAL REDIRECTS
Attacker scans for known vulnerable software (Old WordPress installations, plugins, themes).
.htaccess file entries are created to load redirected. Encoded redirect code can also be added to index files.
You’re now redirecting to some cool malware awesomeness.
How it works:

CONDITIONAL REDIRECTS
Conditional Redirects Resources:
http://blog.sucuri.net/2011/11/the-new-and-old-htaccess-attacks-now-using-in- domains.html
http ://blog.sucuri.net/2010/04/conditional-redirects-or-the-htaccess- malware.html
http://sucuri.net/malware-update-timthumb-php-and-htaccess-redirection.html

PHARMA HACK Impact: Website page and post titles, descriptions and links are changed to display pharmaceutical ads and links back to malicious websites on search engine result pages. Typical Entry Point: Outdated, known vulnerable software. Pharma Hack is a type of SEO poisoning. Attackers manipulate their search engine results to make their links appear higher than legitimate results.

PHARMA HACK Results of scanning rendered source.:

PHARMA HACK Google Search Engine Results:

PHARMA HACK
Attacker scans for known vulnerable software (Old WordPress installations, plugins, themes)
Control file is inserted into core application or plugin files. This file acts as a connection from the backdoor to the database.
Payload is dropped into the database and Viva Viagra!
How it works: QUICK TIP: Check Google to see if you’re infected - site:{yourdomain.com} viagra

PHARMA HACK
Pharma Hack Resources:
http://blog.sucuri.net/2010/07/understanding-and-cleaning-the-pharma-hack-on- wordpress.html
http://blog.sucuri.net/2011/02/cleaning-up-an-infected-web-site-part-i-wordpress-and-the-pharma- hack.html
http://www.pearsonified.com/2010/04/wordpress-pharma- hack.php
http://wpdude.com/refreshing-google-index-after-pharma- hack
QUICK TIP: Check Google to see if you’re infected - site:{yourdomain.com} viagra

WHAT IS SECURITY? PROTECTING THINGS OF VALUE FROM HARM’S WAY.

HOW & WHY

AM I SECURE The percentage of risk can never be 0! The name of the game is minimizing risk.

LOCAL MACHINE
Ensure your local machine stays updated
Use an Anti-Virus solution & enable auto-updates
Mac – Sophos Anti-Virus for Mac Home Edition
Windows - AVG Anti-Virus Free
Don’t store server credentials on your local machine

CONNECT TO YOUR SITE
Consider using sFTP or SSH instead of FTP.
If you’re stuck with FTP:
Deny anonymous login
Limit connections
Practice least privilege
Don’t store server credentials on your local machine

PASSWORDS
Change them often
Don’t write them down, or share them
Passwords are like toothbrushes, you should keep them to yourself. And discard them, and get a new one, if they have been used by others.
Don’t use the same password across all your accounts
Use a password manager
KeePass Password Safe
LastPass
1Password

WHO HOSTS YOU?
CHEAP DOES NOT ALWAYS MEAN BEST, OR SAFEST!
DO YOUR RESEACH!
What software are they running? How often do they update?
How are server and support credentials stored & who has access? Are they 1 in the same?
What is their malware remediation process?
How many sites have been infected?
http://www.google.com/safebrowsing/diagnostic?site=google.com

GARAGE CLEANING
IF YOU’RE NOT USING IT, REMOVE IT!
UPDATE UPDATE UPDATE UPDATE UPDATE
Only load what’s needed to get your job done.
Check your file and directory permissions.
Remove user accounts! – Practice least privilege.
Have you changed your password lately?
UPDATE UPDATE UPDATE UPDATE UPDATE

BACKUP YOUR WEBSITE
NO BACKUPS = BOOOOO!
BackupBuddy - http:// pluginbuddy.com/ backupbuddy /
VaultPress – http://vaultpress.com

MALWARE SCAN
IS YOUR SITE INFECTED?
Unmask Parasites – http://unmaskparasites.com
Sucuri SiteCheck – http://sitecheck.sucuri.net

MALWARE CLEAN UP
IS YOUR SITE INFECTED?
VaultPress – http://vaultpress.com
Sucuri Security – http://sucuri.net

WORDPRESS PLUGINS
WordPress Exploit Scanner
BulletProof Security
Login Lockdown
Sucuri SiteCheck Malware Scanner

http://dre.im	18065
http://sistermedia.com	956
http://feeds.feedburner.com	413
http://www.wpbeginner.com	350
http://www.northeastern.edu	132
http://wpdaily.co	55
http://sagaciouslinks.com	26
http://feeds2.feedburner.com	24
http://translate.googleusercontent.com	16
http://feeds.kuilder.net	4
http://us-w1.rockmelt.com	3
http://127.0.0.1	2
http://feedproxy.google.com	2
http://www.newsblur.com	2
http://www.hanrss.com	1
http://webcache.googleusercontent.com	1
http://www.interactivelimited.com	1
http://www.interactivelimited.com	1

Why My Website Sells Viagra

by Dre Armeda

Accessibility

Categories

Upload Details

Usage Rights

18 Embeds 20,054

Statistics

Why My Website Sells Viagra Presentation Transcript