Online Payments Blog

Industry News and discussions relating to Online Payments and Application Security.
Jul 21
2009

Details of the Twitter attack revealed..

Posted by Dave in security, passwords, Application Security

Those of you who read TechCrunch on a regular basis will be familiar with their ongoing reporting of the recent attack on Twitter. Back in May, when the story first broke, it was unclear exactly what had happened and there was a lot of speculation about how the attack had been carried out. Twitter's CEO Evan Williams commented on the story, saying that Twitter itself had not been affected and that most of the sensitive information was personal rather than company related. The attacker (known as Hacker Croll) was unhappy with this comment, since a lot of Twitter corporate information had in fact been compromised, so in response he sent 310 confidential documents to TechCrunch. There were various posts, comments, tweets and discussions on TechCrunch about these documents and what TechCrunch should do with them.

Earlier this week TechCrunch published more details of the attack. They spoke with the attacker to find out how the attack took place and how far it reached, and they also spoke with Twitter and gave them time to close the security holes before publishing the story. Here is a brief summary of what happened:

  • The hacker first collected as much information as he could find on Twitter employees, which enabled him to build a profile of each employee.

  • The hacker gained access to the Gmail account of a Twitter employee. He did this by using Gmail's password recovery feature, which sends a reset link to a secondary email address. As a reminder of which secondary address is on file, the feature shows you an obfuscated version of it; in this case the address shown was "******@h******.com". Based on the profile information he had already collected for this employee, he was able to make an educated guess at the full address. At this point Hacker Croll got lucky: the Hotmail account had expired, so he simply registered it himself, requested the reset, clicked the link and set a new Gmail password.

  • Now that he had access to the Gmail account he searched it for emails containing a password, and found the same password repeated in a number of messages: sign-up confirmations from various services the owner of the Gmail account had registered with. Guessing that this was also the owner's original Gmail password, he changed the Gmail password back to it. Once again he got lucky, as it was the correct password, so the owner of the Gmail account could log in as normal and had no indication that someone else had access to their account.

  • With access to the employee's email and knowledge of their standard password it was only a matter of time before Hacker Croll had access to the employee's Twitter email on Google Apps, their AT&T, MobileMe, Amazon and iTunes accounts, and control of Twitter's domain names at GoDaddy. He also had access to full credit card information in clear text due to a security hole in iTunes.
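
The masked hint is the weak link in that second step. As an added illustration (ours, not part of the original post or of TechCrunch's reporting), the Python below builds the address guesses an attacker would derive from a public profile and filters them against a hint in the "******@h******.com" format quoted above. The profile and provider list are constructed for the example and are not the real employee's details; the assumption that each asterisk hides exactly one character is ours, so a second, length-insensitive mode that relies only on the revealed letters is included.

```python
import re
from itertools import product

# Added example, not code from the original post or from TechCrunch.
# Constructed profile and provider list; not the real employee's details.
PROFILE = {"first": "Sam", "last": "Jones", "handles": ["sjones", "samjones"]}
PROVIDERS = ["gmail.com", "hotmail.com", "yahoo.com", "hushmail.com", "aol.com", "live.com"]
HINT = "******@h******.com"   # the masked hint format quoted in the post


def mask_to_regex(mask: str, strict_length: bool = True) -> "re.Pattern[str]":
    """Turn a masked hint into a regex.

    strict_length=True assumes (our assumption, not stated by Gmail or the post)
    that every '*' hides exactly one character. strict_length=False treats each
    run of asterisks as 'one or more characters' and relies only on the revealed
    letters, here the leading 'h' of the domain and the '.com' TLD.
    """
    if strict_length:
        pattern = "".join("." if ch == "*" else re.escape(ch) for ch in mask)
    else:
        pattern = ".+".join(re.escape(part) for part in re.split(r"\*+", mask))
    return re.compile(f"^{pattern}$", re.IGNORECASE)


def candidate_addresses(first: str, last: str, handles, providers) -> list:
    """Address guesses an attacker would derive from a public profile."""
    first, last = first.lower(), last.lower()
    local_parts = {
        first, last, first + last, f"{first}.{last}", f"{first}_{last}",
        first[0] + last, first + last[0], *(h.lower() for h in handles),
    }
    return sorted(f"{loc}@{dom}" for loc, dom in product(local_parts, providers))


def matching_addresses(mask, first, last, handles, providers, strict_length=True) -> list:
    """Candidates left after the masked hint has been applied."""
    rx = mask_to_regex(mask, strict_length)
    return [a for a in candidate_addresses(first, last, handles, providers) if rx.match(a)]


if __name__ == "__main__":
    args = (PROFILE["first"], PROFILE["last"], PROFILE["handles"], PROVIDERS)
    print(len(candidate_addresses(*args)), "candidates before the hint")
    print(matching_addresses(HINT, *args, strict_length=False), "(hint letters only)")
    print(matching_addresses(HINT, *args), "(hint letters and length)")
```

Even without trusting the asterisk count, the revealed first letter of the domain and the TLD cut this constructed list from 42 candidates to 14 at two providers; trusting it leaves a single address. The defensive lesson from the attack follows directly: treat the recovery address as a credential, keep it at a provider that will not let the name lapse and be re-registered, and make sure that account is itself alive and at least as well protected as the one it can reset.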

If you have the time I would recommend reading the full article on TechCrunch, as they go into greater detail on the attack and the attacker's motives. This is not my first blog post about an incident where the security of an organisation has been compromised by something or someone outside its direct control. In Twitter's case the security of an employee's personal Gmail account was compromised, and as a result the security of an entire organisation was compromised. Earlier this year we reported how 2,100 Irish email addresses had been published along with passwords for a website. This list of email addresses included Gmail, Hotmail, banking institution, university and HSE addresses. I finished that post with three web security lessons we could learn from the incident. These three points are also relevant here.

  • Do not use the same password for multiple sites. I know I use 'levels' of passwords: when I sign up for something trivial that nevertheless requires an account I use one particular password which I do reuse; however, any sites that hold credit card data, and my email accounts, all use different, strong passwords.
  • Only use your work email address for work related sites.
  • No matter how much emphasis you place on your personal online security, you and your online reputation are still at risk when your details are entrusted to others.

Is there anything else we should learn from the Twitter attack?

Dave

--

If you liked this article then you should subscribe to our Blog RSS feed.

Related Blog Posts:

May 26
2009

Gumblar - What is it? How do I remove it?

Posted by Dave in security, passwords, gumblar

Over the past week I have noticed an increasing number of Irish sites being flagged in Google search results with "This site may harm your computer." When you click on the title of the search result, Google presents you with a warning page instead of directing you to the requested site.

This warning page includes a link to Google's "Safe Browsing Diagnostic Page" for the site in question. This page answers various questions about the site:

  • What is the current listing status for www.somewebsite.com?
  • What happened when Google visited this site?
  • Has this site acted as an intermediary resulting in further distribution of malware?
  • Has this site hosted malware?
  • How did this happen?

Gumblar.cn is listed as the malicious software in Google's answers to the above questions. Sophos is a leading developer of security software and hardware; its research arm, SophosLabs, refers to Gumblar as Troj/JSRedir-R. On May 14th they reported that between May 6th and May 13th Troj/JSRedir-R accounted for 42% of malicious infections found on websites.

[Figure: SophosLabs diagram of Troj/JSRedir-R (Gumblar) infections]

So what is Gumblar (Troj/JSRedir-R)?


Gumblar appears to be a combination of exploit scripts and malware. The scripts are embedded in .html, .js and .php files as obfuscated JavaScript. They load malware content from third-party sites without the user's knowledge. The malware attempts to redirect the victim's Google search engine result pages (SERPs) to links that point to fraudulent and malicious websites. It also steals FTP credentials from the victim's computer, which allows it to spread and infect additional sites. So when someone visits an infected site they get infected, and if they have FTP credentials for a website stored on their machine then that site gets infected too. This explains the exponential growth of the exploit in such a short space of time. The malware also installs a backdoor that connects to the IP address of a known botnet.

The initial attack uses vulnerabilities in Adobe Acrobat and Flash Player. If you browse to an infected website your local machine can get infected; if you then have FTP credentials for your own websites stored locally, those sites may get infected in turn, and anyone who browses to them may subsequently get infected. All of this happens without your knowledge.

What makes it different from previous malware exploits?


There are a number of aspects to this exploit that both make it difficult to remove and help it spread. Firstly, it infects users who are browsing legitimate websites; if those users are webmasters, it then infects their sites by using their FTP credentials to inject the script onto the site. Secondly, the obfuscated malicious code is dynamically generated, which makes it difficult to detect and difficult to remove automatically. Not only does the script vary from site to site, but it can also vary from page to page on the one site.

 

How do you remove gumblar?


I have been unable to find a tool for doing so, or a specific set of instructions for the removal of Gumblar. Here is my suggested approach to removing Gumblar from your site. If you have any problems or suggestions please feel free to post a comment or post on our forum.

On any desktop or laptop that has FTP access to your website's host, install a virus scanner with the latest updates and make sure it removes any malware, trojans or keyloggers. Once you are confident that you have a "clean" machine you must change your FTP password for the compromised server; if you are unable to clean your local computer, change the FTP password from a computer that you know is clean. I recommend that you do not store your FTP credentials in your FTP client and, if possible, consider using a secure connection such as SFTP for transferring files (plain FTP also sends your password over the network in clear text). Changing the FTP password for the compromised server is not enough on its own, as Gumblar may have installed a backdoor or made other changes that would allow further exploitation. I recommend you also do the following:

  • Check that file and directory permissions on your server are set correctly
  • Check that your PHP includes have not been modified
  • Check that your .htaccess has not been modified


You may need assistance from your hosting provider with the above. You also need to clean up your website by removing the malicious code from the compromised pages. If you have been making regular backups of your site it may be possible to revert to a previous version that was not compromised (check the backup before restoring it, as a backup taken after the infection will simply reintroduce the injected code). If you are not making regular backups then you should start; talk to your hosting provider, as they can usually facilitate this. If restoring from a backup is not an option, the clean-up will be a manual process: you will have to inspect all files and remove the malicious code. I suggest you start with the following:

  • Look at the beginning of all .php, .htm, .html and .asp files
  • Look at the end of JavaScript files
  • Search for iframes in your source
  • Check your image directories for script files
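
To make that manual inspection less error-prone, here is an added example (ours, not a tool from this post or from any of the blogs linked in it) that walks a copy of a site and applies the four checks above as heuristics: an obfuscated <script> block in the first 2 KB of .php/.htm/.html/.asp files, obfuscated code in the last 2 KB of .js files, iframes anywhere (with zero-size or hidden ones called out), and script files sitting in image or upload directories. The "obfuscated" test (two or more decode-and-execute idioms such as eval( and unescape(, or twenty or more %xx escapes), the byte limits and the directory names are our assumptions, not Gumblar signatures; the sample site it scans is constructed inline so the script runs offline.

```python
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Added example; the heuristics below are ours, not a Gumblar signature from the post.
WEB_PAGE_EXTS = {".php", ".htm", ".html", ".asp"}
SCRIPT_EXTS = {".php", ".js", ".asp", ".pl", ".cgi", ".py", ".sh"}
IMAGE_DIRS = {"images", "img", "image", "uploads", "media", "pics"}  # assumed names
HEAD_BYTES = 2048  # the post says injected pages carry the script near the start
TAIL_BYTES = 2048  # and .js files carry it appended at the end

OBFUSCATION_MARKERS = ("eval(", "unescape(", "String.fromCharCode", "document.write(")
PCT_ESCAPE = re.compile(r"%[0-9a-fA-F]{2}")
SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
IFRAME_TAG = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
HIDDEN_ATTR = re.compile(
    r"""(width|height)\s*=\s*["']?0\b|display\s*:\s*none|visibility\s*:\s*hidden""",
    re.IGNORECASE,
)


def looks_obfuscated(js: str) -> bool:
    """Heuristic: decode-and-execute idioms, or a dense run of %xx escapes."""
    markers = sum(js.count(m) for m in OBFUSCATION_MARKERS)
    return markers >= 2 or len(PCT_ESCAPE.findall(js)) >= 20


def scan_file(path: Path, root: Path) -> list[tuple[str, str]]:
    """Apply the four checks from the post to one file; returns (path, rule) pairs."""
    rel_path = path.relative_to(root)
    rel = rel_path.as_posix()
    ext = path.suffix.lower()
    findings = []

    # Script files hiding in image/upload directories.
    if ext in SCRIPT_EXTS and {p.lower() for p in rel_path.parts[:-1]} & IMAGE_DIRS:
        findings.append((rel, "script file inside an image/upload directory"))

    try:
        text = path.read_text(errors="replace")
    except OSError:
        return findings

    # Obfuscated <script> at the start of .php/.htm/.html/.asp files.
    if ext in WEB_PAGE_EXTS:
        for m in SCRIPT_BLOCK.finditer(text[:HEAD_BYTES]):
            if looks_obfuscated(m.group(1)):
                findings.append((rel, "obfuscated <script> near start of page"))
                break
    # Obfuscated code appended to the end of .js files.
    if ext == ".js" and looks_obfuscated(text[-TAIL_BYTES:]):
        findings.append((rel, "obfuscated code appended to end of .js"))
    # Iframes anywhere; zero-size or hidden ones are the usual injection.
    for m in IFRAME_TAG.finditer(text):
        kind = "hidden iframe" if HIDDEN_ATTR.search(m.group(0)) else "iframe"
        findings.append((rel, kind))
    return findings


def scan_site(root: str | Path) -> list[tuple[str, str]]:
    root = Path(root)
    return [f for p in sorted(root.rglob("*")) if p.is_file() for f in scan_file(p, root)]


def build_sample_site(root: Path) -> None:
    """Constructed fixture (not real Gumblar code): one injected page, one
    appended .js, one hidden iframe, one script in the image directory, and
    clean files that must not be flagged."""
    (root / "index.php").write_text(
        "<script>eval(unescape('" + "%61" * 25 + "'))</script>\n<?php echo 'hello'; ?>\n")
    (root / "about.html").write_text(
        '<html><body><iframe src="http://example.invalid/x" width="0" height="0">'
        "</iframe></body></html>\n")
    (root / "clean.html").write_text(
        "<html><head><script>var a = 1;</script></head><body>ok</body></html>\n")
    (root / "js").mkdir()
    (root / "js" / "app.js").write_text(
        "function f() { return 1; }\ndocument.write(unescape('%3c%69%66%72%61%6d%65'));\n")
    (root / "images").mkdir()
    (root / "images" / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n")
    (root / "images" / "image.php").write_text("<?php /* dropped here by the attacker */ ?>\n")


def demo() -> list[tuple[str, str]]:
    """Build the fixture in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_sample_site(root)
        return scan_site(root)


if __name__ == "__main__":
    for rel, rule in demo():
        print(f"{rel}: {rule}")
```

Run it against a local copy of the site taken from a clean machine, not over FTP from the possibly infected one. Expect false positives: older analytics snippets also use document.write(unescape(...)), so treat each hit as something to read, not something to delete blindly, and diff against a known-clean backup where one exists.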

UPDATE(S):

26-05-2009

Daniel Ansari's blog provides detailed steps on how to remove Gumblar, including a script he created to automate the removal. The script uses PHP expressions to remove Gumblar's modifications from HTML, PHP and JS files. I have not tried this script, but based on the comments on his post it appears to be working for people.

 

27-05-2009
The ScanSafe STAT Blog has posted a useful method for determining whether your Windows machine has been infected by Gumblar. sqlsodbc.chm is a default Windows file that is modified by the Gumblar malware. Microsoft released a list of SHA1 hashes and file sizes for known-good versions of sqlsodbc.chm, so to check whether you are infected you can generate the SHA1 of your version of sqlsodbc.chm and compare it, together with the file size, against the list in the STAT Blog article. If you do not find a match there is a good chance you have a Gumblar infection (or, at the least, a version of the file that Microsoft does not recognise, which is worth investigating).

 

28-05-2009
Someone pointed out that my previous update was not much use if you did not know how to get the SHA1 of a file. FileAlyzer is a tool that analyses files and can be used to create the SHA1 of sqlsodbc.chm.

 

29-05-2009
Gumblar has been getting a lot of media coverage in the past few days, and reports are saying that Gumblar is now worse than Conficker. The only upside is that this blog post is now attracting a considerable amount of traffic from the search engines.

 

01-08-2009
It has been over two months since this post but Gumblar is still infecting websites. This blog post is one of the most popular pages on our site. I came across a tool that will do a security check on your website and tell you if you have been infected with malicious code such as Gumblar. It is a really useful tool so I thought it deserved a mention.

 

Useful links relating to Gumblar

I will continue to update this section of the post with relevant links as I find them.


If you have a site that you think I should include please post in the comments and I will add it.

 

Stay Safe!

Dave

--

