KrCERT-IN-2005016 Cases of malicious codes circulation exploiting the upload vulnerability

http://www.krcert.or.kr cert@krcert.or.kr

Cases of malicious codes circulation exploiting the upload vulnerability

28 Oct 2005

Please indicate the [source: Korea Information Security Agency] when the partial or whole report is quoted.

1. Overview
Recently, well-known web sites, including portal sites, have been hacked one after another and had malicious code inserted. This type of attack proceeds as follows.

1. Attackers hack the target system by exploiting a SQL Injection vulnerability in its home page.
2. Attackers insert a specific iframe into the initial web page of the hacked site. The iframe links to a specific web site (the malicious code circulation site) that infects the PCs of users.
3. Internet users visit the hacked web site.
4. When the PCs of these users are not patched, they are infected with Trojan programs from the malicious code circulation site.
5. Personal information, such as the users' game IDs and passwords, is transmitted from the compromised PCs to a specific address.

This attack is frequently carried out from IPs allocated to China. Well-known domestic web sites are hacked, have an iframe inserted, and are exploited as pass-through sites to spread malicious code. Dozens of domestic pass-through sites are set, through the inserted iframe, to make visitors automatically access a specific web site and become infected. Frequently visited web sites are mainly selected to serve as pass-through sites for the circulation, and both domestic and foreign web sites are exploited as the source sites from which the malicious code is transmitted.

This report deals with a domestic web server that was actually being exploited as a malicious code-spreading site. Most domestic web sites serving as pass-through sites were attacked through a SQL Injection vulnerability. However, the malicious code-spreading web site covered in this report was attacked through a file upload vulnerability. In addition, more than 1,000 Internet users were confirmed to have accessed the specific web page from which the malicious code (Trojan horse programs) could be downloaded.

2. Analysis on damages
The damaged system is a server of a home page development company, running IIS 5.0 on Windows 2000. The web server provided web hosting services to dozens of web sites. According to the company, abnormal symptoms had often been experienced, but malicious code had not been found. The attacker exploited the upload vulnerability of a web board, which offers a file attachment function, and installed a hacking program to control the compromised system remotely. Later, the attacker installed malicious code (icyfox.js) to attack Internet users.

The installation of hacking programs exploiting the upload vulnerability

The infected system was attacked on Aug. 1, 2005, through the upload vulnerability of a web board. The web board was developed so that users could post messages with image files attached. However, the attacker posted a message with a hacking program (file name: svnge.asa) attached and executed the hacking program via a web browser to control the target system. The image below shows the hacking program posted by the attacker.

The attacker succeeded in hacking the system through the web board because the system had the following three security holes. First, attachment files uploaded to the web board were not filtered by extension name. In this incident, the attacker attached a malicious program file with the extension *.asa to evade the script file upload filtering. Accordingly, the web board must define the file types that are allowed to be uploaded and block all others. Second, the attacker could trace the location of the uploaded files. If the location of an uploaded file is easily discovered, the file can be executed directly via a web browser. The system displayed the full path of the attachment file, so the attacker could easily find its location. Third, the folders to which files are uploaded were granted execute permission. Generally, it is recommended not to grant permission to execute script programs in the upload folder. These vulnerabilities enabled the penetration of the system. The web log contains the following details from the time the program was uploaded. (The web log time is 9 hours later than the system time.)

The above log details confirm that the attacker uploaded the hacking program as a file attachment and executed it via a web browser. The attacking IP is allocated to China, and the infected system was accessed continuously from this IP block from Aug. 1 to October.

Analysis on the hacking program (svnge.asa)

The hacking program (svnge.asa) is an executable ASP program that serves as a kind of back door, allowing the compromised system to be controlled freely via a web browser. A majority of systems hacked from Chinese IP blocks are found to contain hacking programs with similar back door functions. The svnge.asa hacking program is a very sophisticated tool. When the program is accessed via a web browser, it requires a password, so access is only allowed to users who know the password.

When the program is executed without a password or with a wrong password, the request is redirected to the main page of the infected system. After entering the correct password and logging in, the following screen appears.

The UI of the program is written in Chinese, and its main functions are as follows:
- Editing, deleting, copying or moving files and folders on the system
- File uploading (additional hacking programs can be installed)
- Arbitrary commands can be executed through a shell
- DB creation and arbitrary SQL command input

The remaining log file details confirm that a Chinese IP block attacked the target system via the hacking program (svnge.asa) continuously from Aug. 1 to October.

Inserting malicious codes to infect PCs of general users

In the damaged system, malicious code (vcx.htm, ray.js, icyfox.js) was installed to infect the PCs of general users visiting the home page. The file vcx.htm was set to execute a JavaScript file named ray.js, which in turn executed the file icyfox.js. icyfox.js was in encoded form and infected the PCs of general users.

Most of the pass-through web sites induce users to access the malicious code circulation web site for propagation. When the PCs of users visiting the circulation site are not patched, the files vcx.htm, ray.js and icyfox.js cause malicious programs (Trojan horses) to be installed on the users' PCs, and information on game IDs and passwords is leaked from them. The log of the damaged system has traces of a number of users who accessed the attacker-installed file vcx.htm.

Considering that the web log time is 9 hours later than the actual system time, users are assumed to have visited the page from around 5:00 on Oct. 16, when the file vcx.htm was created. The vcx.htm file on this system was accessed from dozens of pass-through web sites. The page was also uploaded using the hacking program mentioned above (svnge.asa). The following log shows that the hacking program (svnge.asa) was used three times, when the three files vcx.htm, ray.js and icyfox.js were created.

The possibility of infection of general PC users

When an unpatched PC accesses the file vcx.htm on the compromised system, a Trojan program is installed. From when the file vcx.htm was created at 5:00 on Oct. 16 until the incident investigation was carried out at 15:00 on Oct. 17, a total of 1,216 users are assumed to have accessed the file. The estimate is calculated from the unique IPs accessing vcx.htm in the web log. Out of 1,217 PCs, the unpatched ones might have been infected with a Trojan. In 34 hours, approximately 1,000 users visited the web page. If the malicious program files had remained neglected, a considerable number of Internet users would have faced Trojan infection threats.
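The two log checks the report relies on, spotting a script file being executed out of the attachment directory (the svnge.asa upload above) and counting the unique client IPs that fetched vcx.htm inside the 34-hour window, can be scripted against IIS W3C extended logs. The Python below is an added example and not the report's own analysis or tooling: the log excerpt is constructed for the example (documentation IP ranges), the attachment directory /board/upload/ is assumed, the conversion from logged time to server local time (logged + 9 hours, since W3C logs record UTC and the report notes a 9-hour difference) is an assumption, and the script extension set is the one IIS 5 maps to the ASP engine by default.

```python
from datetime import datetime, timedelta

# Assumption: W3C extended format logs UTC, and the report notes a 9-hour
# difference to server time, so server local time = logged time + 9h (KST).
LOG_TO_LOCAL = timedelta(hours=9)
UPLOAD_PREFIX = "/board/upload/"                 # assumed attachment directory
SCRIPT_EXTS = {".asp", ".asa", ".cer", ".cdx"}   # mapped to asp.dll by IIS 5 by default
# Investigation window from the report (vcx.htm creation to the investigation), local time.
WINDOW_START = datetime(2005, 10, 16, 5, 0)
WINDOW_END = datetime(2005, 10, 17, 15, 0)

# Constructed log excerpt for this example; it is not the report's log.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2005-08-01 02:10:05 203.0.113.7 POST /board/write.asp - 200
2005-08-01 02:10:31 203.0.113.7 GET /board/upload/svnge.asa - 200
2005-08-01 02:15:00 203.0.113.7 GET /board/upload/svnge.asa action=cmd 200
2005-08-01 03:00:00 198.51.100.9 GET /board/upload/photo.jpg - 200
2005-10-15 19:00:00 198.51.100.3 GET /vcx.htm - 200
2005-10-15 21:10:00 198.51.100.1 GET /vcx.htm - 200
2005-10-15 21:10:01 198.51.100.1 GET /ray.js - 200
2005-10-15 21:10:02 198.51.100.1 GET /icyfox.js - 200
2005-10-16 02:00:00 198.51.100.2 GET /vcx.htm - 200
2005-10-16 23:30:00 198.51.100.1 GET /vcx.htm - 200
2005-10-17 08:00:00 198.51.100.4 GET /vcx.htm - 200
"""


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields names.

    Adds a 'local_time' datetime converted from the logged (UTC) timestamp.
    Lines that do not match the declared column count are skipped.
    """
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue
        rec = dict(zip(fields, values))
        logged = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        rec["local_time"] = logged + LOG_TO_LOCAL
        records.append(rec)
    return records


def executed_scripts_in_upload_dir(records):
    """Return sorted (client IP, URI) pairs for successful requests that made the
    server run a script-engine file stored under the attachment directory."""
    hits = set()
    for r in records:
        stem = r["cs-uri-stem"]
        ext = stem[stem.rfind("."):].lower() if "." in stem else ""
        if stem.lower().startswith(UPLOAD_PREFIX) and ext in SCRIPT_EXTS and r["sc-status"] == "200":
            hits.add((r["c-ip"], stem))
    return sorted(hits)


def unique_visitors(records, path, start_local=WINDOW_START, end_local=WINDOW_END):
    """Count distinct client IPs that fetched `path` within the local-time window,
    the same estimate the report derives for vcx.htm."""
    ips = set()
    for r in records:
        if r["cs-method"] == "GET" and r["cs-uri-stem"] == path \
                and start_local <= r["local_time"] <= end_local:
            ips.add(r["c-ip"])
    return len(ips)


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    for ip, stem in executed_scripts_in_upload_dir(recs):
        print(f"script executed from upload directory: {stem} by {ip}")
    print("unique visitors to /vcx.htm in window:", unique_visitors(recs, "/vcx.htm"))
```

In the constructed excerpt the POST to write.asp followed half a minute later by a GET of svnge.asa from the same IP is the upload-then-execute pattern described above; the visitor count excludes the hit before vcx.htm was created and the one after the investigation, and counts 198.51.100.1 once despite two fetches.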

3. Security measures
Regarding domestic web sites attacked from IP blocks allocated to China, the file upload vulnerability as well as SQL Injection were used. Accordingly, home page administrators are required to take security countermeasures against the following security holes. To fix the upload vulnerability, administrators should block the uploading or execution of scripts through the attachment file upload function. If an attacker can upload and execute their own malicious script on the server by exploiting a function that transmits arbitrary files to the server, not only that server but also the servers in a trust relationship with the application server (e.g., the web DB server, internal interworking servers) are exposed to possible attacks. This vulnerability is found in image file upload functions as well as in web board upload modules. Accordingly, all modules that allow users to upload files should be considered to have this vulnerability.

O Extension filtering of attached files
- When users upload attachment files, a routine can be inserted to check whether the extension of the attached file is acceptable, blocking all files except the defined ones.

O Removal of the execute setting for the directory holding uploaded files
- Create a separate directory for uploaded files and remove the execute setting from the web server configuration. Removing the execute permission from the upload directory can be accomplished simply, without modifying source code, even as a temporary measure. It can be set through the following steps: [Settings] -> [Control Panel] -> [Administrative Tools] -> [Internet Services Manager]. Right-click the upload folder, open Properties -> Directory, and select "None" under Execute Permissions.

Also, in developing web programs including web boards, the following points should be considered.
O The inspection of attachment files should be implemented in the server-side script.
O Only specified files should be allowed to be attached by the attachment file checking routine. The file upload program should block all executable files (php, php3, cgi, html, jpg, etc.) from being attached.
O When the filtering function is activated in the program, the filtering routine should check extension names in both upper and lower case, not just the file names.
O The filtering routine should include logic to handle files that are too large or too small, deleting or transferring uploaded files from the temporary directory.
O When configuring the web server engine, the execute permission for server-side script languages should be removed from the upload directory. It is also recommended to rename uploaded files to arbitrary names when saving them.
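The development checks listed above (server-side inspection, an allow-list of attachable types, case-insensitive extension comparison, size bounds and renaming on save) fit in one validation routine. The Python below is an added example written for this page, not code from the report or from the compromised web board; the allow-list, the size limits, the list of script extensions and the image signature table are assumptions chosen for the example.

```python
import os
import secrets

# Policy values are assumptions for this example, not taken from the report.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "gif", "png"}   # what the board is meant to accept
MIN_SIZE = 64                                         # bytes; rejects empty or truncated files
MAX_SIZE = 2 * 1024 * 1024                            # 2 MiB upper bound
# Extensions a web server would hand to a script engine: the ASP-family names
# from the incident plus the ones the report lists. Rejected anywhere in the name.
SCRIPT_EXTENSIONS = {"asp", "asa", "cer", "cdx", "php", "php3", "cgi", "html", "htm"}
# Leading bytes expected for each accepted type (assumed signature table).
MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "png": b"\x89PNG",
}


def check_upload(filename, size, head):
    """Server-side validation of one attachment.

    filename: name sent by the client (never trusted; only its extension is used)
    size:     size of the received file in bytes
    head:     first bytes of the received file content
    Returns (True, extension) when acceptable, (False, reason) otherwise.
    """
    # Drop any client-supplied directory part so the name cannot point outside
    # the upload directory.
    base = os.path.basename(filename.replace("\\", "/")).strip()
    if not base or base in (".", ".."):
        return False, "missing or traversal file name"
    if not MIN_SIZE <= size <= MAX_SIZE:
        return False, f"size {size} outside {MIN_SIZE}..{MAX_SIZE} bytes"
    # Compare in lower case so "PHOTO.ASA" is treated like "photo.asa".
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        return False, "no extension"
    exts = parts[1:]
    # A script extension anywhere in the name (double extensions included) is rejected.
    for e in exts:
        if e in SCRIPT_EXTENSIONS:
            return False, f"script extension '{e}' not allowed"
    ext = exts[-1]
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension '{ext}' not in allow-list"
    # The name claims an image; require the content to start like one.
    if not head.startswith(MAGIC[ext]):
        return False, f"content does not match a {ext} file"
    return True, ext


def stored_name(ext):
    """Random name for the saved file, so the uploader can neither choose nor
    predict the path it will be served from."""
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    # Constructed sample inputs for a quick run.
    samples = [
        ("photo.JPG", 1024, b"\xff\xd8\xff\xe0"),
        ("svnge.asa", 5000, b"<%"),
        ("svnge.asa.gif", 5000, b"GIF89a"),
        ("pic.gif", 500, b"<script>"),
    ]
    for name, size, head in samples:
        ok, info = check_upload(name, size, head)
        print(name, "->", "accepted as " + stored_name(info) if ok else "rejected: " + info)
```

The execute-permission removal for the upload directory is a web server setting and is not something this routine can enforce; it complements, rather than replaces, the "None" execute permission described above.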

4. Conclusion
The incident analysis focuses on web sites with inserted malicious code, which can affect the PCs of actual users. It can be learned that general PC users are faced with security threats in normal web environments. This incident draws our attention to the following security steps.

First, the monitoring of malicious code circulation sites and pass-through sites should be strengthened. In the short period of 34 hours, more than 1,000 Internet users accessed the specific web page framed by the attacker. A considerable number of unpatched PCs are assumed to have been infected. More seriously, there are hundreds of malicious code circulation sites and pass-through sites. If they are left without proper security measures, they pose dangerous security threats to Internet users. Accordingly, it is very important to closely monitor distribution and pass-through web sites and delete the relevant code. The Internet Incident Response Support Agency of the Korea Information Security Agency is performing automatic monitoring of these risky web sites. General web server administrators need to check whether their systems are being abused, through regular log inspection and system analysis. Also, general PC users should apply the latest security patches to block malicious programs.

Second, web server administrators need to check for and eliminate the various vulnerabilities of their home pages. So far, attacks from IP blocks allocated to China have mainly exploited the SQL Injection vulnerability. However, this incident exploited other security holes, including the file upload vulnerability. In particular, the recently compromised web sites were related to the file upload vulnerability. Accordingly, any possible vulnerability, including SQL Injection and XSS, should be eliminated during home page development. The [security guide for homepage development] issued last April describes in detail the various vulnerabilities that can occur in home page development and the corresponding countermeasures. It can be referred to when checking a home page and devising security solutions.
O Download the security guide for homepage development: http://www.kisa.or.kr/news/2005/announce_20050427_submit.html

Recent web server hacking is not limited to simple home page defacement; it is intended to achieve specific purposes such as stealing game IDs and passwords. In this incident, the damaged system was hacked from an IP allocated to China starting in August to create a back door. Later, the same attacker accessed the target system frequently to infect user PCs and steal game-related personal information. Most hacking attempts were intended to leak game-related information. However, it is no exaggeration to say that the same technique can be adopted to steal personal financial data, industrial information and national confidential data. As hacking increasingly serves criminal purposes and its techniques grow more sophisticated, home page administrators should exercise extra care in monitoring the security of their home pages and applying patches.