This is how Polish websites spread viruses

Non-updated Polish websites, as well as incorrectly configured servers have a real impact on the safety of Internet users, private companies and officials. All those who from October 2016 to January 2017 visited the website knf.gov.pl - the Polish Financial Supervision Authority - were bitterly convinced and whose computers matched the malware attack pattern. It is not without reason that we are returning to those events, because, as now, they have a direct impact on how the IT industry will be perceived. Non-updated websites pose a serious threat to their owners and Internet users. Who is really to blame for this state of affairs?

In this article, we have looked at the security of Polish parties. We used, among others with the API scanner Shodan, the riddler.io scanner (by F-Secure), public black lists of IP addresses and identified payloads on the abuse lists. All malware samples that were online on the day of the download, ie August 2, 2018, were still correlated with data from our honeypots network. Here is what we were able to determine.

This is how Polish websites spread viruses

From March 2018, 33707 servers were hacked in the world, Apache, Nginx, IIS, including 21450 servers that are constantly spreading real malware. And yes:

  • 461 pages are located in Poland under the .pl, .com.pl, .net, .edu.pl, .org and regional domains.
  • One domain of cbr.gov.pl was infected, which is still blocked by some anti-viruses, although the threat has already been removed by the administration or by the authors of the burglary.
  • 98% of infected websites in Poland have the .pl domain.
  • Some pages contain more than one virus.
  • We downloaded 2410 malware samples from sites in Poland. Not all samples were available on the day of the collection, ie August 2, 2018, therefore their actual number is impossible to estimate. So we downloaded:
    • 1225 infected Word documents that contained macroviruses.
    • The 9 ZIP archives contained JavaScript and VBS in the middle.
    • 2 infected Excel spreadsheets.
    • 27 binary files.
    • 55 HTML files (most likely part of it is used to display various information on the hacked page).
    • 6 DLLs masquerading as image files. All contain such banking Trojans.
    • 447 EXE executable files (all of them are infected).
    • 632 files with masked extensions, eg name.exe.1, name.doc.2, which are also included in the category of various types of viruses.
    • Several programs for Android in the form of APK files.
    • Several MSI installation files for Windows.

In total, we downloaded 2410 malware samples from infected Polish sites, but this is not the worst. We do not have such statistics and probably no one has, therefore, taking into account the knowledge gained, we suspect that even 99% of infected websites have their source not in a targeted amateur attack or a professional hacker group, but primarily in publicly available vulnerability scanners and ready-to-use scanners. implementing exploits. Thanks to them, searching vulnerabilities and breaking down collateral is easier than ever before. Yesterday we wrote about the tools and techniques that real hackers use, and now it would be a sin not to mention one more dependence that definitely helps the attackers achieve success. Namely, these are not updated modules and engines of websites.

Among the 461 infected websites that are located in Poland, the majority do not have the latest version of Wordpress, Joomla or the proprietary engine, and some contain more than one non-updated system module. We can catalog these websites for the IT, agricultural and clothing industries, private medical, construction, hotel, private blogs and other.

Responsibility for this state of affairs is borne not only by entrepreneurs who, in the worst case, regret the funds on behalf of securing the site. We are convinced that 50% of them do not even realize that their company website has a direct impact on the image, security of their clients, as well as accidental internet users.

The hosting companies, which do not always have the latest versions of HTTP and PHP servers, or in extreme cases do not use adequate security, also have an unwanted role in the spread of malicious software. Small entrepreneurs use just such hosting companies, which in their opinion should be cheap to maintain.

How to secure a website?

In order to meet the acquired information in this conducted experiment, we provide tips that will help secure the website from attack. And it does not matter if the website is powered by Wordpress, Jomla or Drupal, considered to be very safe. Non-updated CMSs, web servers, databases and PHP are asking for trouble.

1. If possible, update the CMS core and all modules to the latest version. Wordpress is particularly interested in hackers.

2. Update the http server, database server and php server (if you manage the entire site yourself).

3. Consider masking the real IP address of the server behind the CDN network (eg CloudFlare). Thanks to this you will avoid many attacks and will automatically block the access of bots and spammers to the site.

4. Consider installing WAF based on mod_security. This way you will protect the website from "incorrect" Internet traffic.

5. If you manage the server, use the latest version of the kernel, preferably with the grsecurity patch, which protects against 0-day threats.

6. Disable logging into the root account via a password and replace it with logging using the keys.

7 If you need to use the root account, log in to the server to the account with lower privileges, and then switch to root.

8. Configure iptables or an alternative CSF.

9. Install fail2ban to protect against brute-force attacks.

10. Use a user account instead of root to log in to FTP accounts.

11. On shared hosting, use separate FTP accounts for each page.

12. For VPS servers, dedicated servers, FTP accounts, log in via SFTP.

13. Take care of very frequent backing up of the page and database files. You never know when you break something (or someone will break it) and you will need backup from an hour ago.

14. The last universal tip for all website managers - as we did, upload this simple PHP script to the FTP server, then add it to the cron (to perform eg once a day), and protect you from unauthorized modification of the page files. Notifications about deleted, added and modified files will be sent to the email.



Add new comment

The content of this field is kept private and will not be shown publicly.

Learn more about our offer

If you sell security solutions, are a distributor, authorized partner or developer and would like to share your portfolio with a group of potential customers, advertise an event, software, hardware or other services on AVLab - simply write to us. Or maybe you had to deal with ransomware? We can also help you decrypt your files.
Read more

We use Google Cloud Translation and Gengo API’s to translate articles with exception of our comparative tests.