Jake Drew, Marie Vasek, and Tyler Moore
Computer Science and Engineering Department
Southern Methodist University
Dallas, TX, USA
Abstract
This case study tells the detailed story of tracking down real world hackers selling counterfeit goods. The adventure starts with a recent breach of a GoDaddy shared webserver running Microsoft IIS. We review a recent mass compromise of IIS shared hosting to provide context for the scale at which such counterfeit good rings operate. We show how the attackers have used the compromise as part of a larger blackhat search engine optimization (SEO) campaign which may have been in operation since as far back as 2006. After locating the hacker’s backdoor script on our compromised server, we demonstrate how such scripts can be deobfuscated to reveal the hacker’s malicious intent. Once deobfuscated, we explain how the attack operates and link the attack to numerous websites promoting counterfeit goods. We developed a program called the ‘Link Spider’ to find infected websites across the internet which are controlled by the same counterfeit goods supply chain. We also identify the internet storefronts which are actually selling counterfeit goods directly to unsuspecting consumers via the major search engines. We include detailed analysis of the major brands, safe haven web hosts, and China’s role in the counterfeit goods supply chain. We show that some of these companies and web hosts participate in the sale of online pharmaceuticals as well. We also estimate the amount of illegal web traffic which may be supported by these hosts. Finally, we inspect a random sample of GoDaddy-hosted IIS webservers to estimate the prevalence of this particular compromise.
I. Introduction and Background
Large-scale attacks are commonplace in the e-commerce market for counterfeit goods. Moore et al. recently estimated that as much as 32% of online search results point to websites selling counterfeit goods with 79% of those results including at least one fraudulent online retailer within the first page search results [10]. They estimate that 33% of the time, the first hit users are presented with while searching for top selling, brand name merchandise is a link to counterfeit goods.
Wang et al. investigated legitimate websites that were compromised to promote luxury goods [11]. They identified distinct “campaigns” tied to the affiliate programs whereby sellers of counterfeit goods pay for referral traffic, using clustering techniques described in [7].
This case study complements such “macro”-level investigations by delving deep into the nuts and bolts of a particular breach of the website jakemdrew.com, operating on GoDaddy’s shared web hosting platform. This website is but one of many websites running Microsoft IIS that have been compromised to promote websites selling counterfeit goods.
Figure 1: The iSKORPiTX hack page replaced the homepage of 38,500 websites in 2006
The paper reviews the steps taken to deobfuscate code running on the compromised server in order to reverse-engineer its operation and help trace the attack to its source. We also estimate the prevalence of such compromises on GoDaddy’s network.
II. The IIS Mass Compromise
In December 2014, Internet sources reported a mass compromise of websites located on shared web hosting servers running Microsoft IIS. Specifically, infected servers and their associated websites were being used to promote Black Friday and Cyber Monday counterfeit goods within search engine results [9]. Because GoDaddy appears to be the largest host of webservers running IIS, their customers have been affected most. Previously, a similar IIS vulnerability in 2006 impacted ‘tens of thousands’ of GoDaddy customers, causing over 38,500 websites to be defaced in a single day [12]. Figure 1 shows the results of the famous iSKORPiTX hack page which replaced the homepage of its targeted websites around 2006 [12].
Figure 2: An invisible <div> tag injected into a website compromised by the Cyber Monday hack
The entire scope of the most recent hack impacting IIS webservers is currently unknown. However, the internet security company Sucuri reported in December 2014 [9] that they had independently confirmed 1,782 domains and 305 IP addresses – 61% of which are hosted on GoDaddy, representing 1,095 websites and 95 hosts. While these numbers alone are very concerning, representatives at Sucuri concede that their list only represents “the tip of a very large iceberg” [9].
Both of the aforementioned compromises belong to a much larger and more general cybersecurity problem. Once such a compromise occurs, it can be nearly impossible to clean up all of the security holes, or backdoors, which are left behind. Once a criminal has write access to a web server’s directory structure, a backdoor could be left in any number of places. Unfortunately, many companies experiencing a breach merely patch the vulnerability believed to have caused the breach and delete any inserted content. However, any number of backdoors could remain indefinitely, allowing criminals ongoing access to the host.
Before the iSKORPiTX hack in 2006, reports as far back as April 2005 reference the SSFM directory and scripts which are believed to be responsible for the hack [12]. In this case, some backdoors may have been in place for almost a year before the intended payload was delivered. This underscores a common strategy for criminals – start out with very small exploits and escalate over time as more profitable opportunities arise.
In the case of the Cyber Monday and Black Friday exploit, we will demonstrate how the most recent IIS vulnerability was used first to install a backdoor on an IIS webserver and then for blackhat SEO purposes, injecting fake links to websites selling counterfeit goods. Furthermore, we uncover striking similarities which suggest that the hackers’ method for gaining initial access to shared IIS web servers may have been silently operating under the radar since as far back as the 2005 attack, leaving researchers to wonder if the original vulnerability was ever successfully resolved.
III. Identifying a Breach and Finding the Backdoor
During December 2014, an unusual <div> tag showed up on the website jakemdrew.com, a GoDaddy-hosted IIS webserver maintained by one of the paper’s authors. The first modification occurred on the website’s home page and included a new <div> tag at the bottom of the page containing a number of website links with text such as:
- mcm cyber monday
- coach cyber monday
- juicy couture cyber monday
- uggs black friday
- michael kors black friday
<%@ LANGUAGE=VBSCRIPT CODEPAGE=65001 %>
<%
Function XX777X(ByVal X7XX7X7)
Dim X7X77X7, X77X7XX, X7X77XX
X7XX7X7 = Replace(X7XX7X7, Chr(37) & _
ChrW(-243) & Chr(62), Chr(37) & Chr(62))
For X77X7XX = 1 To Len(X7XX7X7)
If X77X7XX <> X7X77XX Then
X7X77X7 = AscW(Mid(X7XX7X7, X77X7XX, 1))
If X7X77X7 >= 33 And X7X77X7 <= 79 Then
XX777X = XX777X & Chr(X7X77X7 + 47)
ElseIf X7X77X7 >= 80 And X7X77X7 <= 126 Then
XX777X = XX777X & Chr(X7X77X7 - 47)
Else
X7X77XX = X77X7XX + 1
If Mid(X7XX7X7, X7X77XX, 1) = XX777X("o") Then
XX777X = XX777X & ChrW(X7X77X7 + 5)
Else XX777X = XX777X & Mid(X7XX7X7, X77X7XX, 1)
End If
End If
End If
Next
End Function
%>
Figure 3: The original obfuscated function dedicated to the purpose of decrypting strings.
Furthermore, the entire <div> tag was invisible as shown in the style attributes of Figure 2.
Less than two weeks later, the same <div> tag was updated and almost all of the original websites were removed. This confirmed not only that a breach had occurred, but also that the criminals were still able to update the content.
The second update prompted a thorough search of all directories on the web server where an unusual file named picture.asp was located in the Scripts directory. While it was obvious this was the hacker’s backdoor, the contents of the file were completely obfuscated and nearly impossible to decipher in their current form. Figure 3 illustrates only one of the obfuscated functions used by the script.
IV. Deobfuscating the Backdoor Script
We now describe the steps taken to deobfuscate the backdoor script.
A. Deobfuscating the Minified Code
Many production-ready web programming packages such as jQuery [4] are ‘minified’ to remove all characters unnecessary for successful compilation. This typically removes extra whitespace and sometimes uses additional techniques such as shortening variable names to shrink the overall package file size as much as possible for efficient transport over the Internet. This is also a form of obfuscation, as the code becomes nearly impossible for humans to read.
When reviewing the script, the first and most obvious clue is that the script was written using VBScript. This can be identified in Figure 3 where the LANGUAGE and CODEPAGE attributes are set. We were then able to quickly ‘prettify’ the script using the website http://www.aspindent.com/ to properly indent the VBScript code. Figure 4 shows the obfuscated code after it has been properly indented, making it much easier to proceed further with the deobfuscation process.
Function XX777X(ByVal X7XX7X7)
    Dim X7X77X7, X77X7XX, X7X77XX
    X7XX7X7 = Replace(X7XX7X7, Chr(37) & _
        ChrW(-243) & Chr(62), Chr(37) & Chr(62))
    For X77X7XX = 1 To Len(X7XX7X7)
        If X77X7XX <> X7X77XX Then
            X7X77X7 = AscW(Mid(X7XX7X7, X77X7XX, 1))
            If X7X77X7 >= 33 And X7X77X7 <= 79 Then
                XX777X = XX777X & Chr(X7X77X7 + 47)
            ElseIf X7X77X7 >= 80 And X7X77X7 <= 126 Then
                XX777X = XX777X & Chr(X7X77X7 - 47)
            Else
                X7X77XX = X77X7XX + 1
                If Mid(X7XX7X7, X7X77XX, 1) = XX777X("o") Then
                    XX777X = XX777X & ChrW(X7X77X7 + 5)
                Else
                    XX777X = XX777X & Mid(X7XX7X7, X77X7XX, 1)
                End If
            End If
        End If
    Next
End Function
Figure 4: A ‘prettified’ version of the Figure 3 function highlighting all instances of a single variable.
B. Deobfuscating Variable Names
The next obfuscation technique identified was the extensive use of matching length variable names using only the two characters ‘X’ and ‘7’. The variable XX777X can be seen occurring 10 different times within the function displayed in Figure 4. However, since all variables within the code have been named using matching length combinations of the letters ‘X’ and ‘7’ it is very challenging to tell them apart.
Function deObfuscate(ByVal inputString)
    Dim chrCode, i, iCheck
    ' Repair a mangled ASP close tag ("%" & ChrW(-243) & ">") before decoding
    inputString = Replace(inputString, Chr(37) & _
        ChrW(-243) & Chr(62), Chr(37) & Chr(62))
    For i = 1 To Len(inputString)
        ' iCheck marks a character already consumed by the previous iteration
        If i <> iCheck Then
            chrCode = AscW(Mid(inputString, i, 1))
            ' Printable ASCII is shifted by 47: 33..79 up, 80..126 down
            If chrCode >= 33 And chrCode <= 79 Then
                deObfuscate = deObfuscate & Chr(chrCode + 47)
            ElseIf chrCode >= 80 And chrCode <= 126 Then
                deObfuscate = deObfuscate & Chr(chrCode - 47)
            Else
                ' Any other character: look one position ahead, which is then skipped
                iCheck = i + 1
                If Mid(inputString, iCheck, 1) = "@" Then
                    deObfuscate = deObfuscate & ChrW(chrCode + 5)
                Else
                    deObfuscate = deObfuscate & Mid(inputString, i, 1)
                End If
            End If
        End If
    Next
End Function
Figure 5: The final deobfuscated version of the Figure 3 function including meaningful variable names.
Figure 5 shows the final version of the deobfuscated Figure 3 function with more meaningful variable names included. This function was the first to become of interest for three primary reasons:
- It was the only function which existed outside of the primary class in the script.
- The function appeared to accept an obfuscated string as input and then make strange modifications to the character codes within the string. This behavior seemed outside the normal function of an application designed to modify files on a webserver.
- The function was called 201 times within the script.
C. Deobfuscating Text and Numeric Values
The class initialization routine shown in Figure 6 highlights yet another obfuscation technique. All 201 string values within the script are further obfuscated and made unreadable to the human eye. In fact, these strings are also meaningless to the VBScript interpreter. The deObfuscate() function shown in Figure 5 is used within the script to convert all 201 strings into meaningful values which are hidden from humans yet resolved during the script’s execution.
Private Sub Class_Initialize
    serverStatus = ""
    filename = deObfuscate(":?56I]2DA")
    csvalue = deObfuscate("A286")
    reqServerVars = Request.ServerVariables( _
        deObfuscate("$t#") & _
        deObfuscate("'t#0$~u%") & _
        deObfuscate("(p#t"))
    XX7X7X = deObfuscate("`af]_]_]`")
    dizhi = deObfuscate("`af]_]_]`")
    XX7XXX = ""
    X777777 = Request.ServerVariables( _
        deObfuscate("w%%!0w~$%"))
    cachefile = deObfuscate("^42496")
    X77777X = X7XXXX()
End Sub
Figure 6: The class initialize routine shows extensive use of the deobfuscate function shown in Figure 5.
Numeric values are also obfuscated using a simpler approach. Every place a numeric constant is used, that constant is replaced with a more convoluted expression. For example, the statement Type = 2 can be obfuscated to Type = (11 * 24 - 262) and the statement mode = 3 can be obfuscated to mode = (43 * 105 - 4512). While this approach may appear rudimentary, when combined with multiple other methods of obfuscation it further hides the true intent of the script.
The example function in Figure 7 shows all three of these techniques used within the malicious picture.asp backdoor file.
Sub XX77XX (XX7777X,byval Str,CharSet)
    On Error Resume Next
    set X7XX777=X77X77.CreateObject(_
        XX777X("25@")&XX777X("53]DEC")&XX777X("62>"))
    X7XX777.Type=(11 * 24 - 262)
    X7XX777.mode=(43 * 105 - 4512)
    X7XX777.open
    X7XX777.WriteText str
    X7XX777.SaveToFile X77X77.MapPath(XX7777X)
    X7XX777.flush
    X7XX777.Close
    set X7XX777=nothing
End Sub
Figure 7: Three different obfuscation techniques used within the same malicious function.
D. Deobfuscating the Text
Since VBScript is very similar to VBA (Visual Basic for Applications), we used Microsoft Excel to quickly port the final version of the deObfuscate() function shown in Figure 5 with no additional coding changes. Next, a second VBA function was written to parse the picture.asp file replacing all instances of the deObfuscate() function with its intended output. For example, the class initialize routine previously shown in Figure 6 can now be seen in Figure 8 revealing all of the intended text inputs.
Private Sub Class_Initialize
    serverStatus = ""
    filename = "index.asp"
    csvalue = "page"
    reqServerVars = _
        Request.ServerVariables("SERVER_SOFTWARE")
    XX7X7X = "127.0.0.1"
    dizhi = "127.0.0.1"
    XX7XXX = ""
    reqHostServerVars = _
        Request.ServerVariables("HTTP_HOST")
    cachefile = "/cache"
    clientIp = getClientIpAddr()
End Sub
Figure 8: The class initialize routine with all deobfuscate() function calls replaced with deobfuscated text.
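As an added example that is not part of the paper, the following Python port of the Figure 5 routine (plus a small constant folder for the numeric disguises of Section IV.C) decodes the literals quoted in Figures 6 and 7 and in Section VI.A. It assumes that the curly quotes shown on the page stand for the ASCII backtick and apostrophe, and reads VBScript's ChrW(-243) as the 16-bit code unit 0xFF0D.

```python
import ast
import operator

# VBScript's ChrW(-243) is read here as the 16-bit code unit 0xFF0D (65536 - 243).
# The replacement is kept for fidelity; it never fires on the literals below.
_BROKEN_CLOSE_TAG = "%" + chr(0xFF0D) + ">"


def deobfuscate(s: str) -> str:
    """Port of deObfuscate() from picture.asp (Figure 5), 0-based instead of 1-based.

    Printable ASCII is shifted by 47 (33..79 up, 80..126 down), so on that range the
    routine is its own inverse. Any other character is copied through and the character
    after it is consumed; if that next character is '@', the out-of-range code is bumped
    by 5 instead of being copied.
    """
    s = s.replace(_BROKEN_CLOSE_TAG, "%>")
    out = []
    skip = -1  # index consumed by the previous iteration (VBScript's iCheck)
    for i, ch in enumerate(s):
        if i == skip:
            continue
        code = ord(ch)
        if 33 <= code <= 79:
            out.append(chr(code + 47))
        elif 80 <= code <= 126:
            out.append(chr(code - 47))
        else:
            skip = i + 1
            nxt = s[i + 1] if i + 1 < len(s) else ""  # Mid() past the end yields ""
            out.append(chr(code + 5) if nxt == "@" else ch)
    return "".join(out)


_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}


def fold_numeric(expr: str) -> int:
    """Collapse a numeric disguise such as "(11 * 24 - 262)" back to its constant.

    Only +, - and * over integer literals are accepted (no eval), so nothing else
    found in a script can be executed by the folder.
    """
    def ev(node):
        if isinstance(node, ast.Expression):
            return ev(node.body)
        if isinstance(node, ast.Constant) and type(node.value) is int:
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](ev(node.left), ev(node.right))
        raise ValueError(f"unsupported syntax in {expr!r}")
    return ev(ast.parse(expr, mode="eval"))


# Obfuscated literals as quoted in Figures 6 and 7 and Section VI.A, split the way the
# script concatenates them. Backtick and apostrophe are assumed where the page shows
# curly quotes: they are the only characters that decode to '1' and 'V' under the shift.
FIGURE_LITERALS = {
    "filename": (":?56I]2DA",),
    "csvalue": ("A286",),
    "reqServerVars": ("$t#", "'t#0$~u%", "(p#t"),
    "dizhi": ("`af]_]_]`",),
    "reqHostServerVars": ("w%%!0w~$%",),
    "cachefile": ("^42496",),
    "progid": ("25@", "53]DEC", "62>"),
    "command_server": ("bf]e`]aba]`fb",),
}


def decode_figure_literals() -> dict:
    """Decode each literal part by part, as deObfuscate(a) & deObfuscate(b) would."""
    return {name: "".join(deobfuscate(p) for p in parts)
            for name, parts in FIGURE_LITERALS.items()}


if __name__ == "__main__":
    for name, value in decode_figure_literals().items():
        print(f"{name:18} -> {value}")
    print("Type =", fold_numeric("(11 * 24 - 262)"),
          " mode =", fold_numeric("(43 * 105 - 4512)"))
```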
V. Interpreting the Backdoor Script
After reviewing the picture.asp backdoor script, it is clear that the script is intended to ensure that the criminals have a method to access and download files to the infected client machine. Once the backdoor script is placed on the web server, it can be activated by the criminal simply visiting or loading the file using a web browser or another program. For example, the criminals could access our infected web server by navigating to http://www.MyDomain.com/Scripts/picture.asp.
Once the script has been activated, the script variable csvalue names a query string parameter of the HTTP request which is expected to contain the file name targeted for download from the attacker’s command server, whose IP address is hidden within the script in obfuscated form. In this particular case, the expected query string parameter containing the target file is named video. The infected client then performs a GET request to the attacker’s command server, downloading the file at the location provided in the video query string parameter. This parameter can be modified ‘on the fly’ using any value in the URL, such as picture.asp?video=targetFile.htm. In this manner, the actual file on the attacker’s command server need not be named within the script and is further hidden from detection. The targeted file is downloaded using a binary ADODB stream. If the download is successful, the script performs a series of regular expression searches targeting all href URLs within the downloaded file contents pointing at html, asp, htm, css, gif, jpg, and png files. Each of the URLs identified is updated to match the client’s directory structure for the targeted site.
For example, the regular expression href="/(.*?)\.(html|asp|htm)" (with the quotes escaped as \" in the script) is used to target all URLs pointing at html, asp, and htm file types. Each URL located is then replaced using the VBScript expression "href=""" & filename & "?" & csvalue & "=$1.$2""", where $1 and $2 are the captured file name and extension. On our particular server, this expression translates to href="/Styles/picture.asp?video=filename" where filename contains the original file name and file extension requested in the link. This behavior allows the criminals to display any web page which is located on the attacker’s command server. The malicious script will actually download and install any missing files required to support the successful rendering of the criminal’s web page content. In addition, the script will create any folders missing in a given URL’s mapped file path on the targeted server to ensure the referenced content will successfully render.
At first, it may seem counterintuitive that all links to html, asp, and htm file types are updated to point recursively back to the picture.asp file. However, when each link is activated, the script can be executed once again to download and install any files and folders necessary to render and display the requested link’s content.
Using the picture.asp backdoor script in combination with any redirect script placed on any page within the targeted server allows the criminals to display dynamic content from their attack command server. In this particular attack, the criminals were observed both creating blackhat SEO link farms in an effort to boost page ranks for counterfeit goods websites and using the picture.asp backdoor script to display dynamic counterfeit goods web content at will.
VI. Tracking the Criminals
After the text deobfuscation process is performed on the entire script, the new text values reveal many important features of the criminal’s backdoor program which could help reveal the hacker’s identity. In addition, we created the ‘Link Spider’ to recursively follow all of the links originating from the infected webpages at jakemdrew.com and identify malicious link farms and website redirects which may be pointing to websites selling counterfeit goods.
A. Tracking the Backdoor Script
We can now tell that the script code X7X7X77.dizhi = XX777X("bf]e`]aba]`fb") actually points to the criminal’s IP address for the attacker’s command server. Decoded, the new text reads backDoorObj.dizhi = "37.61.232.173". A quick WHOIS on that IP reveals that the server is hosted by the UK internet service provider ‘Host Lincoln Limited’.
The script sets a very unusual request header prior to making its HTTP GET request to the criminal’s server. The suspect request header value is X-Realsdflkjwer3l234lkj234lkj234l-IP. This particular request header is always set to the originating IP address of the client connecting to the criminal’s command server. The X-Forwarded-For or XFF request header is the ‘de facto’ standard for conveying this information [8]. Setting this value within such an unusual request header appears to indicate that the hackers are encoding a message within the GET request to the criminal’s server that this particular incoming request has originated from an infected client.
A quick search of the suspect request header value ‘X-Realsdflkjwer3l234lkj234lkj234l-IP’ on Google turns up only two hits. The first hit appears to be yet another infected website with a very similar copy of the backdoor script which is actually in a deobfuscated form [5]. This site also turns up a second IP address pointing to a criminal server, 69.163.33.18, hosted by DirectSpace Networks, LLC. in Portland, OR. The second deobfuscated script also confirms many of our assumptions regarding the picture.asp file.
The second Google hit provides even more valuable information by locating the same request header within a PHP reverse proxy script which had been decoded at http://www.ddecode.com [3], a website associated with Sucuri SiteCheck. The PHP reverse proxy script also included a copyright URL pointing to bseolized.com which turns out to be a website selling its ‘shadowMaker’ software for industrial-strength cloaking and IP delivery. Based on its description, this software is a blackhat SEO tool generating phantom pages and shadow domains for its users [1]. The tool currently sells for 3497 USD. The occurrence of the X-Realsdflkjwer3l234lkj234lkj234l-IP request header within both scripts appears to tie the US based owners of bseolized.com directly to the GoDaddy shared web hosting mass compromise.
The bseolized.com website also sells a product called ‘Template Spinner’: an obfuscation software package for generating truly unique content for each shadow domain created [2]. This is concerning since the software uses many of the same obfuscation techniques used within our picture.asp script, but would make it challenging to locate the sites generated by the Shadow Maker software. This tool currently sells for 495 USD.
B. The Link Spider
A program named the ‘Link Spider’ was written using the C# programming language. The ‘Link Spider’ accepts a list of URLs as input and proceeds to check each URL for the hidden <div> tags left by the Cyber Monday hack. The program also recursively follows all link URLs collected within the targeted <div> tag, applying the same logic until there are no more links left to follow.
We started out by searching for opening <div> tags ending with opacity:0.001;z-index:10;">. All searches were also case insensitive. During identification of each infected <div> tag we collected all link URLs and the link text included within each link <a> tag. All link tags within the infected div were identified using the following regular expression: (<a.*?>.*?</a>).
After reviewing the preliminary results, we identified three additional hidden html tag elements which also included bad links:
These elements were integrated into the Link Spider’s search criteria.
In addition to collecting the infected links, we also searched for both inline and linked <script> tags containing redirects which were specific to the major search engines. For example, we searched for any scripts containing inspection of the HTTP_REFERER server variable for the major search engines Google, Bing, AOL, and Yahoo using script code similar to: if(document.referrer.indexOf("google")>0) Then self.location=… Furthermore, this code must include a redirect which directly follows the HTTP_REFERER condition.
Using this approach the ‘Link Spider’ was able to identify a total of 29616 links which were directly referenced by the Cyber Monday hackers and specifically related to jakemdrew.com (either directly or indirectly). Table I shows all infected items identified by the ‘Link Spider’.
TABLE I: Infected Items Located by the Link Spider
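As an added example that is not part of the paper or of the Link Spider's C# source, the following Python applies the three checks described above (the hidden <div> marker, the paper's anchor-tag regular expression, and a search-engine referrer test directly followed by a redirect) together with the shorter filter:alpha(opacity=0);opacity:0.001; marker used in Section IX to a constructed page. The sample HTML, the example.invalid domains and the helper names are assumptions.

```python
import re
from dataclasses import dataclass

# Marker the Link Spider keyed on: the injected <div>'s opening tag ends with this string.
HIDDEN_DIV_RE = re.compile(
    r'<div[^>]*opacity:0\.001;z-index:10;"\s*>(.*?)</div>', re.IGNORECASE | re.DOTALL)
# Shorter marker used for the Section IX scan; present in every update the authors saw.
INFECTION_MARKER = "filter:alpha(opacity=0);opacity:0.001;"
# The paper's own anchor pattern, (<a.*?>.*?</a>), applied case-insensitively.
# Note it also matches tags such as <abbr>; the hidden divs only carried <a> tags.
ANCHOR_RE = re.compile(r'(<a.*?>.*?</a>)', re.IGNORECASE | re.DOTALL)
HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)
TAG_RE = re.compile(r'<[^>]+>')
# A referrer test for one of the four engines, and a location change that must follow it.
REFERRER_RE = re.compile(
    r'document\.referrer\.indexOf\(\s*["\'](google|bing|yahoo|aol)["\']\s*\)\s*>\s*0',
    re.IGNORECASE)
REDIRECT_RE = re.compile(
    r'(?:self|window|top|document)\.location(?:\.href)?\s*=|location\.replace\(',
    re.IGNORECASE)


@dataclass
class InjectedLink:
    url: str
    text: str


def has_infection_marker(html: str) -> bool:
    """Section IX check: the unique style fragment of the injected <div>."""
    return INFECTION_MARKER.lower() in html.lower()


def find_injected_links(html: str) -> list:
    """Collect URL and anchor text of every link inside a hidden (opacity 0.001) div."""
    links = []
    for div_body in HIDDEN_DIV_RE.findall(html):
        for anchor in ANCHOR_RE.findall(div_body):
            href = HREF_RE.search(anchor)
            text = TAG_RE.sub("", anchor).strip()
            links.append(InjectedLink(href.group(1) if href else "", text))
    return links


def find_referrer_redirects(html: str, window: int = 300) -> list:
    """Return (engine, snippet) for each engine-referrer test followed by a redirect.

    A referrer test with no location change within `window` characters (for example
    an analytics call) is not reported, which is the paper's 'directly follows' rule.
    """
    hits = []
    for m in REFERRER_RE.finditer(html):
        tail = html[m.end(): m.end() + window]
        r = REDIRECT_RE.search(tail)
        if r:
            hits.append((m.group(1).lower(), tail[r.start(): r.start() + 60].strip()))
    return hits


# Constructed sample: one injected div with two poisoned links (mixed-case tags), one
# search-engine-gated redirect and one benign referrer check that must not be flagged.
SAMPLE_HTML = """<html><body>
<h1>My page</h1>
<p><a href="/about.html">About</a></p>
<div style="position:absolute;left:-9999px;filter:alpha(opacity=0);opacity:0.001;z-index:10;">
<a href="http://example.invalid/mcm.html">mcm cyber monday</a>
<A HREF="http://example.invalid/uggs.html">uggs black friday</A>
</div>
<script>if(document.referrer.indexOf("google")>0){self.location="http://redirect.example.invalid/";}</script>
<script>if(document.referrer.indexOf("bing")>0){trackSource("bing");}</script>
</body></html>"""


def scan(html: str) -> dict:
    """Run all three checks on one page and return the findings."""
    return {
        "marker": has_infection_marker(html),
        "links": find_injected_links(html),
        "redirects": find_referrer_redirects(html),
    }


if __name__ == "__main__":
    for key, value in scan(SAMPLE_HTML).items():
        print(key, "->", value)
```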
VII. How Does the Hack Work?
A. The Redirect
Backdoor files similar to the picture.asp file were also located at the root of grass.ag, which is another website hosted at jakemdrew.com. These files give a clear picture of how the overall hack operates. A quick search for grass.ag on Google reveals the results displayed in Figure 9.
Figure 9: Google search results showing grass.ag selling counterfeit Nike shoes.
When the Google link is followed, the backdoor script redirects anyone searching for grass.ag to poshjordan.com, a website selling counterfeit Nike footwear. However, the backdoor script only redirects traffic which is referred by the major search engines Google, Bing, Yahoo or AOL. This is accomplished within the backdoor script by requesting the server variable HTTP_REFERER and only redirecting the visitor when it contains the appropriate value. For example, Figure 10 shows the presentation of grass.ag when accessed directly from its URL vs. a referral from a major search engine. Using this technique, the hackers avoid detection by webmasters and individuals visiting an infected website directly using its URL.
Figure 10: The grass.ag website redirects to poshjordan.com only when the request comes from a major search engine.
B. Search Term Poisoning
Using the approach described above, hackers are able to create any number of redirection websites which eventually lead to the solicitation and sale of counterfeit goods to unsuspecting search engine users. Search term poisoning must be used to ensure that each of the redirection websites has the greatest opportunity to show up within a search engine’s search results. This is accomplished by injecting large numbers of malicious links into infected web pages, which then influence the placement of redirection websites within the search results for a particular search term.
As shown in Table I, a total of 27616 links using 2451 unique search terms were identified within links associated directly with the jakemdrew.com hack. Table II shows the top 20 search terms used which represent over 60% of the total links identified.
TABLE II: Infected Items Located by the Link Spider
VIII. Examining the Counterfeit Storefronts
We manually reviewed a total of 63 unique websites selling counterfeit goods which were identified by our Link Spider. There were a total of 46 websites which were still active and selling counterfeit products at the time when we visited the URL, and 8 of these websites had been shut down under a DMCA takedown notice.
Table III shows the primary brands represented across each of the 63 websites. When a shop sold more than one brand, we selected the brand which appeared to receive most of the web page’s content. Nike was the top counterfeited brand observed followed closely by Louis Vuitton. However, Louis Vuitton also had the highest level of brand enforcement observed. This was represented by the largest total number of active DMCA takedowns.
TABLE III: Counterfeit Storefront Primary Brands Sold
A large majority of the websites which we reviewed (63%) were registered in China. Table IV shows each of the website’s registration countries.
TABLE IV: Counterfeit Storefront Registration Countries
While the websites were predominantly registered in China, a large majority (68%) were hosted in the US and Sweden. When inactive websites from unknown countries are removed from these calculations, 74% of the counterfeit goods websites are registered in China, and 88% are hosted within the US and Sweden. These findings are consistent with Moore et al. [10], who observed that websites selling fakes are 17 times more likely to be registered to a Chinese person or business, while counterfeit-producing countries such as China are more likely to host these websites in countries with stronger IT infrastructures.
Larger clusters within the counterfeit storefronts also seem to appear at both the website host and registration organization levels. For example, the two companies ‘SHANGHAI MEICHENG TECHNOLOGY INFORMATION DEVELOPMENT CO., LTD.’ and ‘GUANGDONG NAISINIKE INFORMATION TECHNOLOGY CO LTD’ are listed on 37 out of the 40 websites registered in China. In addition, only 3 hosts represent 67% of these sites. Table V shows all of the hosts associated with the counterfeit websites.
The Chinese company ‘GUANGDONG NAISINIKE INFORMATION TECHNOLOGY CO LTD’ is also cited by legitscript.com as being number two on their ‘Top 10’ list of safe haven registrars where rogue Internet pharmacies cluster. This list was published during October 2014 and identifies the company as being ‘considered non-compliant by LegitScript for a longer period of time’.
We looked further at Jazz Networks Inc., which is a hosting company located in Tampa, FL. We selected the company based on its relatively small number of hosted websites at 528. While manually reviewing the first 100 websites hosted by Jazz listed on http://myip.ms/, we identified 45 websites selling counterfeit goods. If this percentage is representative, then the hosting company facilitates an estimated 238 counterfeit storefronts [6].
According to http://myip.ms/ the registration organizations for the 63 counterfeit storefronts that we reviewed are associated with an additional 150,212 other domain names. We also obtained web traffic statistics for 24 of the 63 websites. These 24 websites averaged 2,030 visitors per day each with a total of 48,720 visitors per day. At similar traffic volumes, Jazz Networks Inc., would support over 482,328 visitors per day or close to 14.5 million customers per month browsing and purchasing illegal counterfeit goods.
TABLE V: Counterfeit Storefront Web Hosts
IX. How Prevalent is this Hack?
We took two general approaches to approximate the continued prevalence of this attack. Our first approach scanned 74 528 domains on IIS shared servers hosted by GoDaddy on January 29, 2015. Of these, 41 361 were parked at the time of the scan. In the remaining domains, we looked for the filter:alpha(opacity=0);opacity:0.001; part of the inserted div tag, which is uniquely identifying and a part of every update we have noticed. From these, we found that 128 of them (0.3%) showed signs of this particular infection.
Our second approach mirrored Sucuri’s approach in their analysis [9]. We did a targeted Bing search on ip:IP cyber monday for 50 randomly chosen IP addresses from GoDaddy’s IP range running Microsoft IIS server software (out of 3 871 candidates). We observed that 24% of the IPs showed results for the Cyber Monday hack. Additionally, we noticed this hack remained prevalent in the IP addresses that Sucuri found hacked in December 2014 (50% of their sample of GoDaddy shared hosting IIS domains).
Hence, we conclude that this particular attack vector remains prevalent in the wild.
X. Concluding Remarks
We have presented an in-depth examination of an attack targeting shared webservers running Microsoft IIS. The attacks are part of a blackhat search engine optimization (SEO) scheme to promote websites selling counterfeit goods. We have deobfuscated a backdoor running on the GoDaddy-hosted website jakemdrew.com, revealing how the vulnerable website can be repeatedly updated to promote websites on demand.
Using other infected websites connected to jakemdrew.com, we have shown that this website is part of a counterfeit goods supply chain representing over 27616 links used to poison search results within the major search engines. We have estimated that one safe haven host, Jazz Networks Inc., could be supporting up to 14.5 million customers per month visiting websites selling counterfeit goods. We have also shown that a large majority of the active counterfeit goods storefronts (74%) are registered in China.
Why does this matter? We showed that on GoDaddy alone, at least 0.3% of its 36 million shared hosting websites and 24% of around 4 000 shared hosting servers running IIS have already been hacked in the same manner. Furthermore, these servers have remained hacked for at least one month after yet another attack. Despite the relative simplicity of the backdoor, it appears to have operated with impunity for many months, if not years. It is our hope that by explaining how the hack works and estimating its prevalence, we might motivate the security community to eradicate the mass compromise at scale.
XI. Acknowledgments
This work was partially funded by the Department of Homeland Security (DHS) Science and Technology Directorate, Cyber Security Division (DHS S&T/CSD) Broad Agency Announcement 11.02, the Government of Australia and SPAWAR Systems Center Pacific via contract number N66001-13-C-0131. This paper represents the position of the authors and not that of the aforementioned agencies.
References
- Bseolized shadowmaker software. http://bseolized.com/products/47-shadowmaker-details. Accessed: 2015-01-24.
- Bseolized template spinner. http://bseolized.com/products/76-bseolizedtemplatespinner. Accessed: 2015-01-24.
- Ddecode, php decoder. http://ddecode.com/hexdecoder/?results=bb297c3ff5bced35219d906789027b96. Accessed: 2015-01-24.
- http://jquery.com/. Accessed: 2015-01-22.
- kkdowning.net (infected website). http://kkdowning.net/index1.asp. Accessed: 2015-01-24.
- Top 10 rogue registrars (october 2014). https://blog.legitscript.com/2014/10/top-10-rogue-registrars-october-2014/. Accessed: 2015-02-10.
- F. Der, L. K. Saul, S. Savage, and G. M. Voelker. Knock it off: Profiling the online storefronts of counterfeit merchandise. In Proceedings of the 20th ACM SIGKDD international conference on Knowledge Discovery and Data Mining, pages 1759–1768. ACM, 2014.
- RFC 7239 – forwarded HTTP extension. http://tools.ietf.org/html/rfc7239. Accessed: 2015-01-24.
- IIS, compromised GoDaddy servers, and cyber monday spam. http://blog.sucuri.net/2014/12/iis-compromised-godaddy-servers-and-cyber-monday-spam.html. Accessed: 2015-01-21.
- Wadleigh, J. Drew, and T. Moore. The e-commerce market for “lemons”: Identification and analysis of websites selling counterfeit goods. In 24th International World Wide Web Conference, Florence, Italy, 2015. ACM.
- D. Y. Wang, M. Der, M. Karami, L. Saul, D. McCoy, S. Savage, and G. M. Voelker. Search + seizure: The effectiveness of interventions on SEO campaigns. In Internet Measurement Conference, pages 359–372. ACM, 2014.
Authors
Jake Drew
Combining over 15 years of Fortune 100 experience in banking analytics and revenue optimization with cutting edge Computer Science techniques, Jake Drew is producing innovative results in the fields of Bioinformatics and Cybercrime Economics. Jake Drew is currently a Ph.D. student and research assistant at Southern Methodist University under the supervision of Professors Tyler Moore and Michael Hahsler. He has also recently acted as an expert witness, expert assistant, and technical consultant in over 20 intellectual property related cases. He holds a Master of Computer Science from Southern Methodist University, and a B.S. degree in Computer Information Systems from The University of Texas at Tyler. Previously he worked as a Vice President in Revenue Optimization at Bank of America, spending almost 15 years in the banking industry.
Tyler Moore
Tyler Moore is an Assistant Professor of Computer Science and Engineering at Southern Methodist University. His research focuses on the economics of information security, the study of electronic crime, and the development of policy for strengthening security. Tyler is Editor in Chief of the Journal of Cybersecurity published by Oxford University Press, and serves as Director of the Economics and Social Sciences program at the Darwin Deason Institute for Cyber Security. Previously he was a postdoctoral fellow at the Center for Research on Computation and Society (CRCS) at Harvard University and the Norma Wilentz Hess Visiting Professor of Computer Science at Wellesley College. He holds B.S. degrees in Computer Science and Applied Mathematics from the University of Tulsa. A British Marshall Scholar, Tyler received his Ph.D. from the University of Cambridge under the supervision of Professor Ross Anderson.
Marie Vasek
Marie Vasek is a PhD student in the Computer Science and Engineering Department at Southern Methodist University and the research scientist at StopBadware. Her research interests include security economics and cybercrime, particularly web-based malware.