Month: July 2015

Fixing hundreds of websites in one day

Remedying Angler infections in Switzerland

Author: Serge Droz

In recent weeks the Angler exploit kit has become the dominating tool for DriveBy attacks. Cleaning Angler compromised web servers is a challenge which has been well mastered in Switzerland, thanks to the close collaboration of Swiss hosters and SWITCH.

The culprit

On Sunday July 5 an the Italian ‘offensive security’ firm HACKING TEAM got hacked and all its files were made public. This included a couple of zero day exploits. Only two days later one of these was already used in the wild by the notorious Angler exploit kit. This is not surprising: Angler today is the most sophisticated exploit kit. Since its inception in 2013 it sported several new innovations which are today uses by others. According to a Sophos blog Angler’s “market share” rose from about 22% last fall to more than 80% this spring.

The payload

Angler used to distribute a variety of different malwares, from ransom-ware to banking trojans. However it seems with the rapid growth of the kit it also focused on distributing mostly Cryptowall 3.0. This malware encrypts all the files on an infected system and demands a hefty ransom of several hundreds of Euros to unlock them. Many people claim to not have “anything important” on their PCs to then discover that all their family pictures of the past ten years are gone. An it’s not looking better for businesses that lose all their data, including their backups on USB disks.

Cleaning Infections in Switzerland

SWITCH has been cleaning up misused domains since several years now through its Safer Internet campaign. We have processed thousands of domains and thus protected visitors of Swiss websites from the evil of exploit kits, such as Angler. Infection rates of Swiss websites have indeed gone down over the past month, or so we believed. On the 22. July 2015 however,  the good folks from the National Cyber Security Centre Finland (NCSC-FI) and abuse.ch have managed to make a small dent into Angles infrastructure. A total of over 200’000 compromised URLs worldwide were reported that are misused by Angular.

Angler Distribution
Distribution of web servers, which are misused by the Angler exploit-kit.

Of these 166 where in the .ch and .li top level domain and thus could be entered into our program. We reported these URLs to the respective domain owners as well as the hoster we have contacts to. Checking on the 23. July over 90% of these domains have been cleaned up and a handful have been added. As of the 24. July 2015 only a few sites remain infected.

This means that Swiss hosters are doing an excellent job. Cleaning a web page is not simple. It’s not enough to just remove the the offending code from that page itself. It’s known that the Angler crew installs several back doors, all of which have to be found and removed. These back doors often are webshells, which give full control over the entire web space of the server. The respective php files are obfuscated and not easily recognizable.

The Webshell used by the Angler crew. The white box shows the obfuscated php code. The shell gives full access to all resources the webserver has access to.
The Webshell used by the Angler crew. The white box shows the obfuscated php code. The shell gives full access to all resources the webserver has access to.

Some of the hoster report information back to us for which we are very grateful. This information can then be used to make the analysis better and discover new attack patterns quickly.

Conclusion

The close collaboration and exchange of information between all the stakeholders allows for a very rapid reaction to threats. Cleaning these web pages needs substantial resources by the hosters and also SWITCH. But it’s well invested: Taking down these pages quickly protects visitors from being infected by Cryptowall and saves their valuable data, be this treasured personal files or critical business information.

The July 2015 issue of our SWITCH Security Report is available!

Dear Reader!

A new issue of our monthly SWITCH Security Report has just been released.

The topics covered in this report are:

  • Taking cybercrime to the next level – Duqu 2.0 attack on Kaspersky has implications for Switzerland
  • Taking friendship to the next level – scope of NSA spying on German and French governments continues to widen
  • A whole lot of problems – cyberattack grounds Polish airline LOT’s aircraft
  • Detoxing – the last resort when Darknet dealings come to light?
  • Pass the password – attacks on LastPass and Apple Keychain
  • The Clipboard: interesting presentations, articles and videos

The Security Report is available in both English and German.

»»  Download the english report.      »»  Download the german report.

Did you miss our previous Security Report? Click here to go to the archive.

 

Safer Internet

Anna is the director of a small kindergarten in Zurich. To give the kindergarten a home on the Internet, she registered a domain name and put up a website where parents can get up-to-date information about the kindergarten. A friend helped her to install a popular open-source content management system (CMS) for the website, so that she can change the menu every week and perform other updates herself. The parents of the kids were delighted to have access to this information online.

Three months after the website went online, one of the parents called her, telling her that the website was no longer available, and a warning was displayed instead. He also told her that he had a virus on his home PC and had to reinstall his operating system and change all his Internet passwords. When she talked to other parents that day, they told her the same.

What happened? Continue reading “Safer Internet”