Malvertising and OpenX servers
Malvertising is an abbreviation of malicious advertising and means that legitimate sites spread malware from their infected advertisement systems. There have been many malvertising campaigns in the last few years, some of them confirmed even on big sites like The New York Times, but most of them go unnoticed because they are well hidden and served only to selected users. Earlier this year, one of our top analysts found a stealth infection on a Czech entertainment site and began to watch it. We were able to obtain source code from infected sites, and I would like to show you how easily hacking is done and what can be done to secure your server.
In this case all infected servers contained OpenX (an open source solution for advertisement), which has a rich history of vulnerabilities. Look, for example, at the last three versions.
- In version 2.8.9 and previous versions there was a SQL injection
- Version 2.8.10 contained a hidden backdoor that allowed remote PHP execution
- The latest version 2.8.11 offers more security, but there are known vulnerabilities
In summer 2013, OpenX was re-branded as Revive Adserver and several security flaws were patched. I strongly recommend you update to the latest version (currently 3.0.0) to secure your advertisement solution from being misused by hackers.
How do they get in?
An analysis of infected web pages revealed that the attacker used SQL injection to obtain administrator logins and passwords from the database. Then he used the credentials to log in and exploited another flaw to upload a backdoor with an executable extension. In fact, there were more backdoors and PHP scripts hidden in various places, suggesting that this server was attacked multiple times.
This picture shows all scripts and their dates of creation found on the infected page. The first three files are backdoors and tools for server control. The last two files are different; they serve as an interface to the database.
Files “inj” and “minify” seem to be two versions of the same script, which connects to the database and either removes injected scripts or adds new ones. The result of this modification is an iframe appended to advertisement banners. The picture below shows a SQL query used to insert malicious JavaScript.
The described infection is really hard to trace, because it is not present on the server all the time, but only at predefined times, and it is shown only to users coming from a specific zone.
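A check for the appended iframe described above, as an added example that is not code from the original article: it parses stored banner markup and reports any iframe or script loaded from a host outside an allowlist, noting whether it is visually hidden. It assumes banner HTML has been exported from the ad server's database as (id, html) pairs; `ALLOWED_HOSTS` and the sample rows are constructed. Because the injection is present only at certain times, a check like this is useful only when run on a schedule.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts your banners are legitimately allowed to load from.
ALLOWED_HOSTS = {"ads.example.com", "cdn.example.com"}

class FrameFinder(HTMLParser):
    """Collects (tag, src, hidden) for every iframe/script that has a src."""
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag not in ("iframe", "script") or not a.get("src"):
            return
        style = a.get("style", "").replace(" ", "").lower()
        tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
        hidden = tiny or "display:none" in style or "visibility:hidden" in style
        self.found.append((tag, a["src"], hidden))

def audit_banner(html):
    """Return off-allowlist iframe/script loads in one banner's markup."""
    parser = FrameFinder()
    parser.feed(html)
    parser.close()
    findings = []
    for tag, src, hidden in parser.found:
        host = (urlparse(src).hostname or "").lower()
        if host and host not in ALLOWED_HOSTS:
            findings.append({"tag": tag, "host": host, "hidden": hidden})
    return findings

def audit_banners(rows):
    """rows: iterable of (banner_id, html); returns {banner_id: findings}."""
    report = {bid: audit_banner(html) for bid, html in rows}
    return {bid: f for bid, f in report.items() if f}

# Constructed sample rows, not taken from the article's samples.
SAMPLE_ROWS = [
    (1, '<a href="https://shop.example.com"><img src="https://cdn.example.com/b1.png"></a>'),
    (2, '<img src="https://cdn.example.com/b2.png">'
        '<iframe src="http://unknown-host.invalid/in.php" width="1" height="1"></iframe>'),
    (3, '<script src="//ads.example.com/tag.js"></script>'),
]

if __name__ == "__main__":
    for banner_id, findings in audit_banners(SAMPLE_ROWS).items():
        print(banner_id, findings)
```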
What scripts are injected?
The last file in this chain is a malicious JAR file which exploits Java vulnerability CVE-2010-0840 (remote code execution). This exploit is fairly old, but it can be found in a few Exploit Kits including Blackhole and Nuclear EK. To protect against this flaw, make sure you have installed the latest version of Java on your computer and your browser.
There are many vulnerable OpenX servers on the internet. We do not know the exact number, but here is a little statistic that can give us a clue to how bad this situation is.
The picture above shows a daily count of users who were redirected to a landing page, but saved by avast! Antivirus from infection. These numbers are slowly dropping as the creators of this network modify their scripts to avoid detection. In this case the numbers also fluctuate because the malicious script is not present on servers all the time, but only on selected days and hours.
Tips to stay protected.
Here are a few things that can help you secure your server:
- Pick up the latest version of OpenX, currently known as Revive Adserver
- Install OpenX to an updated server with no other applications
- Choose a strong password for the administrator account
- Don’t let backup files lie on FTP
Samples from this article can be found on VirusTotal under the following SHA256:
Source and Copyright: Avast Blogs