Install Anti-Virus Software on a Webserver? No need mate!
When we contact the owners of websites that have been hacked to serve up malware, we often encounter the response “Install Anti-Virus Software on a Webserver? No need mate!”. This response is fairly common, and not just from the Linux and Mac zealots.
However, installing anti-virus software on your webserver can prevent the need for you to wipe egg off your face at a later stage.
We are currently tracking a malware/porn spam campaign that is exploiting hacked webservers to host the malware.
The spam draws on a list of newsworthy subjects that are used in both the subject line and the message body.
The message body also contains a link to a hacked site that, when opened, displays a website containing porn and some malicious software.
A list of potential subjects:
Bad press surrounds US Army as renegade soldiers open fire on civilians
Boston's MIT hit by massive corruption scandal
Click here for a massive boost to your sex life
Columbia admits directors have been stealing
DA rolls over on Britney foot-fault case
Don't belittle the effects of power enlargement
Don't let old age shrivel away your self esteem when you can maintain with herbal supplements
Don't panic when you cannot score with the girl that you have a crush on
Dutch disqualified from Euro Championships
Enlargement does not involve putting a big hole in your pockets
Ex-Pentagon lawyers challenged on sex abuse in Iraq
Fantastic upgrade to your manhood available now
Gather your loose change to try out the revolutionary herbal supplement
Get the latest herbal enhancements to grow your large howitzer now
Gloomy Americans still spending money admist economy gloom
Great improvement to your sex life guaranteed
Harvard Medical School admits embezzlement by directors
Heir to Prada empire found strangled
Herbal supplement at merely 5 cents a day
Hollywood hit by Aids scandal, more than 20 stars implicated
Italy showed France the difference in length
Keep this new herbal supplement out of reach from your friends
Lakers bombed out after big loss to Celtics
Lindsay Lohan converts to Islam, causes uproar
Make sure you do not miss the action - get your organ enlargement package now
Obama caught with pants down with Clinton
Opponents of gay marriage stay quiet
Ralph Lauren found dead in country home
Red cross shown to abuse power in latest aid
Ring it up for Celtics after fantastic win
Studies have shown that this herbal solution really makes a difference in men's health
The enlargement is so powerful it will make you increase in your strength
The greatest gift of all is the secret to the fountain of youth
The most affordable herbal supplement that works to increase your self esteem
The real reason why Anne Hathaway splits from longtime love
Try out the latest herbal solution that will make you a new superhero
US election campaign shames after sex scandal exposure
US Soldier throws boy off cliff, villagers enraged
You better be home to receive this package that will change your life
The hacked websites serve a page with highly salacious content. The page is made up of pornographic images that link to ‘videos’ [a large naturist image and several smaller images of adult content]. The ‘videos’ are actually a malicious executable hosted on the hacked servers, detected as Mal/EncPk-DA. A webserver running anti-virus would have caught the ‘videos’, alerting the administrator to the hack!
This morning, to generate the list of ~40 subjects, I downloaded ~1000 message bodies. Those message bodies had ~80 unique links to hacked sites. As you can see below, the bulk of these sites are running Apache. As I write, 25% of the sites are still actively serving up malware.
Why aren’t these webservers running anti-virus? You tell me: sophosblog@sophos.com.
Posted on June 20th, 2008 by Pob, SophosLabs, UK. Filed under: Malware, Spam