Mass Compromise of IIS Shared Web Hosting for Blackhat SEO: A Case Study

June 22, 2021

Jake Drew, Marie Vasek, and Tyler Moore
Computer Science and Engineering Department
Southern Methodist University
Dallas, TX, USA

The LaTeX publication PDF for this article can be downloaded here.

Abstract

This case study tells the detailed story of tracking down real-world hackers selling counterfeit goods. The adventure starts with a recent breach of a GoDaddy shared webserver running Microsoft IIS. We review a recent mass compromise of IIS shared hosting to provide context for the scale at which such counterfeit goods rings operate. We show how the attackers have used the compromise as part of a larger blackhat search engine optimization (SEO) campaign which may have been in operation since as far back as 2006. After locating the hacker’s backdoor script on our compromised server, we demonstrate how such scripts can be deobfuscated to reveal the hacker’s malicious intent. Once deobfuscated, we explain how the attack operates and link the attack to numerous websites promoting counterfeit goods. We developed a program called the ‘Link Spider’ to find infected websites across the internet which are controlled by the same counterfeit goods supply chain. We also identify the internet storefronts which are actually selling counterfeit goods directly to unsuspecting consumers via the major search engines. We include detailed analysis of the major brands, safe haven web hosts, and China’s role in the counterfeit goods supply chain. We show that some of these companies and web hosts participate in the sale of online pharmaceuticals as well. We also estimate the amount of illegal web traffic which may be supported by these hosts. Finally, we inspect a random sample of GoDaddy-hosted IIS webservers to estimate the prevalence of this particular compromise.

I. Introduction and Background  

Large-scale attacks are commonplace in the e-commerce market for counterfeit goods. Moore et al. recently estimated that as much as 32% of online search results point to websites selling counterfeit goods with 79% of those results including at least one fraudulent online retailer within the first page search results [10]. They estimate that 33% of the time, the first hit users are presented with while searching for top selling, brand name merchandise is a link to counterfeit goods.

Wang et al. investigated legitimate websites that were compromised to promote luxury goods [11]. They identified distinct “campaigns” tied to the affiliate programs whereby sellers of counterfeit goods pay for referral traffic, using clustering techniques described in [7].

This case study complements such “macro”-level investigations by delving deep into the nuts and bolts of a particular breach of the website jakemdrew.com, operating on GoDaddy’s shared web hosting platform. This website is but one of many websites running Microsoft IIS that have been compromised to promote websites selling counterfeit goods.

Figure 1: The iSKORPiTX hack page replaced the homepage of 38,500 websites in 2006

The paper reviews the steps taken to deobfuscate code running on the compromised server in order to reverse-engineer its operation and help trace the attack to its source. We also estimate the prevalence of such compromises on GoDaddy’s network.

II. The IIS Mass Compromise

In December 2014, Internet sources reported a mass compromise of websites located on shared web hosting servers running Microsoft IIS. Specifically, infected servers and their associated websites were being used to promote Black Friday and Cyber Monday counterfeit goods within search engine results [9]. Because GoDaddy appears to be the largest host of webservers running IIS, their customers have been affected most. Previously, a similar IIS vulnerability in 2006 impacted ‘tens of thousands’ of GoDaddy customers, causing over 38,500 websites to be defaced in a single day [12]. Figure 1 shows the results of the famous iSKORPiTX hack page which replaced the homepage of its targeted websites around 2006 [12].

Figure 2: An invisible <div> tag injected into a compromised Cyber Monday hack website

The entire scope of the most recent hack impacting IIS webservers is currently unknown. However, the internet security company Sucuri reported in December 2014 [9] that they have independently confirmed 1,782 domains and 305 IP addresses – 61% of which are hosted on GoDaddy, representing 1,095 websites and 95 hosts. While these numbers alone are very concerning, representatives at Sucuri concede that their list only represents “the tip of a very large iceberg” [9].

Both of the aforementioned compromises belong to a much larger and more general cybersecurity problem. Once such a compromise occurs, it can be nearly impossible to clean up all of the security holes, or backdoors, which are left behind. Once a criminal has write access to a web server’s directory structure, a backdoor could be left in any number of places. Unfortunately, many companies experiencing a breach merely patch the vulnerability believed to have caused the breach and delete any inserted content. However, any number of backdoors could remain indefinitely, allowing criminals ongoing access to the host.

Before the iSKORPiTX hack in 2006, reports as far back as April 2005 reference the SSFM directory and scripts which are believed to be responsible for the hack [12]. In this case, some backdoors may have been in place for almost a year before the intended payload was delivered. This underscores a common strategy for criminals – start out with very small exploits and escalate over time as more profitable opportunities arise.

In the case of the Cyber Monday and Black Friday exploit, we will demonstrate how the most recent IIS vulnerability was used first to install a backdoor on an IIS webserver and then for blackhat SEO purposes, injecting fake links to websites selling counterfeit goods. Furthermore, we uncover striking similarities which suggest that the hackers’ method for gaining initial access to shared IIS web servers may have been silently operating under the radar since as far back as the 2005 attack, leaving researchers to wonder if the original vulnerability was ever successfully resolved.

III. Identifying a Breach and Finding the Backdoor

During December 2014, an unusual <div> tag showed up on the website jakemdrew.com, a GoDaddy-hosted IIS webserver maintained by one of the paper’s authors. The first modification occurred on the website’s home page and included a new <div> tag at the bottom of the page containing a number of website links with text such as:

  • mcm cyber monday
  • coach cyber monday
  • juicy couture cyber monday
  • uggs black friday
  • michael kors black friday

<%@ LANGUAGE=VBSCRIPT CODEPAGE=65001 %>
<%
Function XX777X(ByVal X7XX7X7)
    Dim X7X77X7, X77X7XX, X7X77XX
    X7XX7X7 = Replace(X7XX7X7, Chr(37) & _
        ChrW(-243) & Chr(62), Chr(37) & Chr(62))
    For X77X7XX = 1 To Len(X7XX7X7)
        If X77X7XX <> X7X77XX Then
            X7X77X7 = AscW(Mid(X7XX7X7, X77X7XX, 1))
            If X7X77X7 >= 33 And X7X77X7 <= 79 Then
                XX777X = XX777X & Chr(X7X77X7 + 47)
            ElseIf X7X77X7 >= 80 And X7X77X7 <= 126 Then
                XX777X = XX777X & Chr(X7X77X7 - 47)
            Else
                X7X77XX = X77X7XX + 1
                If Mid(X7XX7X7, X7X77XX, 1) = XX777X("o") Then
                    XX777X = XX777X & ChrW(X7X77X7 + 5)
                Else
                    XX777X = XX777X & Mid(X7XX7X7, X77X7XX, 1)
                End If
            End If
        End If
    Next
End Function
%>

Figure 3: The original obfuscated function dedicated to the purpose of decrypting strings.

Furthermore, the entire <div> tag was invisible, as shown in the style attributes of Figure 2.

Less than two weeks later, the same <div> tag was updated and almost all of the original websites were removed. This confirmed not only that a breach had occurred, but that the criminals were still able to update the content.

The second update prompted a thorough search of all directories on the web server where an unusual file named picture.asp was located in the Scripts directory. While it was obvious this was the hacker’s backdoor, the contents of the file were completely obfuscated and nearly impossible to decipher in their current form. Figure 3 illustrates only one of the obfuscated functions used by the script.

IV. Deobfuscating the Backdoor Script

We now describe the steps taken to deobfuscate the backdoor script.

A. Deobfuscating the Minified Code

Many production-ready web programming packages such as jQuery [4] are ‘minified’ to remove all characters unnecessary for successful compilation. This typically removes extra whitespace and sometimes uses additional techniques such as shortening variable names to shrink the overall package file size as much as possible for efficient transport over the Internet. This is also a form of obfuscation, as the code becomes nearly impossible for humans to read.

When reviewing the script, the first and most obvious clue is that it was written in VBScript. This can be identified in Figure 3 where the LANGUAGE and CODEPAGE attributes are set. We were then able to quickly ‘prettify’ the script using the website http://www.aspindent.com/ to properly indent the VBScript code. Figure 4 shows the obfuscated code after it has been properly indented, making it much easier to proceed further with the deobfuscation process.

Function XX777X(ByVal X7XX7X7)
    Dim X7X77X7, X77X7XX, X7X77XX
    X7XX7X7 = Replace(X7XX7X7, Chr(37) & _
        ChrW(-243) & Chr(62), Chr(37) & Chr(62))
    For X77X7XX = 1 To Len(X7XX7X7)
        If X77X7XX <> X7X77XX Then
            X7X77X7 = AscW(Mid(X7XX7X7, X77X7XX, 1))
            If X7X77X7 >= 33 And X7X77X7 <= 79 Then
                XX777X = XX777X & Chr(X7X77X7 + 47)
            ElseIf X7X77X7 >= 80 And X7X77X7 <= 126 Then
                XX777X = XX777X & Chr(X7X77X7 - 47)
            Else
                X7X77XX = X77X7XX + 1
                If Mid(X7XX7X7, X7X77XX, 1) = XX777X("o") Then
                    XX777X = XX777X & ChrW(X7X77X7 + 5)
                Else
                    XX777X = XX777X & Mid(X7XX7X7, X77X7XX, 1)
                End If
            End If
        End If
    Next
End Function

Figure 4: A ‘prettified’ version of the Figure 3 function highlighting all instances of a single variable.

B. Deobfuscating Variable Names

The next obfuscation technique identified was the extensive use of matching length variable names using only the two characters ‘X’ and ‘7’. The variable XX777X can be seen occurring 10 different times within the function displayed in Figure 4. However, since all variables within the code have been named using matching length combinations of the letters ‘X’ and ‘7’ it is very challenging to tell them apart.

' Decodes one obfuscated string literal. Printable ASCII (33-126) is split
' into two halves and each character is swapped into the other half by
' adding or subtracting 47, so the routine is its own inverse.
Function deObfuscate(ByVal inputString)
    Dim chrCode, i, iCheck
    ' Repair a mangled "%>" sequence before decoding
    inputString = Replace(inputString, Chr(37) & _
        ChrW(-243) & Chr(62), Chr(37) & Chr(62))
    For i = 1 To Len(inputString)
        If i <> iCheck Then
            chrCode = AscW(Mid(inputString, i, 1))
            If chrCode >= 33 And chrCode <= 79 Then
                deObfuscate = deObfuscate & Chr(chrCode + 47)
            ElseIf chrCode >= 80 And chrCode <= 126 Then
                deObfuscate = deObfuscate & Chr(chrCode - 47)
            Else
                ' Out-of-range character: look one position ahead
                ' (that position is skipped on the next pass)
                iCheck = i + 1
                If Mid(inputString, iCheck, 1) = "@" Then
                    deObfuscate = deObfuscate & ChrW(chrCode + 5)
                Else
                    deObfuscate = deObfuscate & Mid(inputString, i, 1)
                End If
            End If
        End If
    Next
End Function

Figure 5: The final deobfuscated version of the Figure 3 function including meaningful variable names.

Figure 5 shows the final version of the deobfuscated Figure 3 function with more meaningful variable names included. This function was the first to become of interest for three primary reasons:

  1. It was the only function which existed outside of the primary class in the script.
  2. The function appeared to accept an obfuscated string as input and then make strange modifications to the character codes within the string. This behavior seemed outside the normal function of an application designed to modify files on a webserver.
  3. The function was called 201 times within the script.

C. Deobfuscating Text and Numeric Values

The class initialization routine shown in Figure 6 highlights yet another obfuscation technique. All 201 string values within the script are further obfuscated and made unreadable to the human eye. In fact, these strings are also meaningless to the VBScript interpreter. The deObfuscate() function shown in Figure 5 is used within the script to convert all 201 strings into meaningful values which are hidden from humans yet resolved during the script’s execution.

Private Sub Class_Initialize
    serverStatus = ""
    filename = deObfuscate(":?56I]2DA")
    csvalue = deObfuscate("A286")
    reqServerVars = Request.ServerVariables( _
        deObfuscate("$t#") & _
        deObfuscate("'t#0$~u%") & _
        deObfuscate("(p#t"))
    XX7X7X = deObfuscate("`af]_]_]`")
    dizhi = deObfuscate("`af]_]_]`")
    XX7XXX = ""
    X777777 = Request.ServerVariables(deObfuscate("w%%!0w~$%"))
    cachefile = deObfuscate("^42496")
    X77777X = X7XXXX()
End Sub

Figure 6: The class initialize routine shows extensive use of the deobfuscate function shown in Figure 5.

Numeric values are also obfuscated, using a simpler approach. Every place a numeric constant is used, that constant is replaced with a more convoluted equation. For example, the statement Type = 2 can be obfuscated to Type = (11 * 24 - 262) and the statement mode = 3 can be obfuscated to mode = (43 * 105 - 4512). While this approach may appear rudimentary, when combined with multiple other methods of obfuscation, it further hides the true intent of the script.

The example function in Figure 7 shows all three of these techniques used within the malicious picture.asp backdoor file.

Sub XX77XX(XX7777X, ByVal Str, CharSet)
    On Error Resume Next
    ' The three decoded fragments concatenate to "adodb.stream"
    Set X7XX777 = X77X77.CreateObject( _
        XX777X("25@") & XX777X("53]DEC") & XX777X("62>"))
    X7XX777.Type = (11 * 24 - 262)      ' 2 = adTypeText
    X7XX777.mode = (43 * 105 - 4512)    ' 3 = adModeReadWrite
    X7XX777.open
    X7XX777.WriteText Str
    X7XX777.SaveToFile X77X77.MapPath(XX7777X)
    X7XX777.flush
    X7XX777.Close
    Set X7XX777 = Nothing
End Sub

Figure 7: Three different obfuscation techniques used within the same malicious function.

D. Deobfuscating the Text

Since VBScript is very similar to VBA (Visual Basic for Applications), we used Microsoft Excel to quickly port the final version of the deObfuscate() function shown in Figure 5 with no additional coding changes. Next, a second VBA function was written to parse the picture.asp file replacing all instances of the deObfuscate() function with its intended output. For example, the class initialize routine previously shown in Figure 6 can now be seen in Figure 8 revealing all of the intended text inputs.

Private Sub Class_Initialize
    serverStatus = ""
    filename = "index.asp"
    csvalue = "page"
    reqServerVars = Request.ServerVariables("SERVER_SOFTWARE")
    XX7X7X = "127.0.0.1"
    dizhi = "127.0.0.1"
    XX7XXX = ""
    reqHostServerVars = Request.ServerVariables("HTTP_HOST")
    cachefile = "/cache"
    clientIp = getClientIpAddr()
End Sub

Figure 8: The class initialize routine with all deobfuscate() function calls replaced with deobfuscated text.
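The decoder of section B and the replacement passes of sections C and D, ported to Python as an added example (this is neither the authors’ VBA code nor the backdoor’s own). It assumes the script’s decoder is called deObfuscate, and the sample input is constructed from Figures 6 and 7.

```python
import re


def deobfuscate(s: str) -> str:
    """Python port of the backdoor's string decoder (the Figure 5 function).
    Printable ASCII is split into the halves 33..79 and 80..126 and each
    character is moved into the other half by adding or subtracting 47, so
    the function is its own inverse. Any other character is copied through
    (shifted by +5 when followed by '@') and the character after it is
    skipped, as in the VBScript. The ChrW(-243) Replace() is omitted.
    """
    out = []
    skip = -1
    for i, ch in enumerate(s):
        if i == skip:
            continue
        code = ord(ch)
        if 33 <= code <= 79:
            out.append(chr(code + 47))
        elif 80 <= code <= 126:
            out.append(chr(code - 47))
        else:
            skip = i + 1
            if skip < len(s) and s[skip] == "@":
                out.append(chr(code + 5))
            else:
                out.append(ch)
    return "".join(out)


# deObfuscate("...") calls, "a" & "b" concatenations (with an optional
# VBScript line continuation) and (a * b - c) constant expressions.
CALL_RE = re.compile(r'deObfuscate\("([^"]*)"\)')
CONCAT_RE = re.compile(r'"([^"]*)"\s*&\s*(?:_\s*)?"([^"]*)"')
CONST_RE = re.compile(r'\((\d+)\s*\*\s*(\d+)\s*-\s*(\d+)\)')


def resolve_strings(script: str) -> str:
    """Replace every deObfuscate("...") call with its decoded literal and
    merge literals joined by '&' (the VBA replacement pass of section D)."""
    script = CALL_RE.sub(
        lambda m: '"' + deobfuscate(m.group(1)).replace('"', '""') + '"', script)
    while True:
        merged = CONCAT_RE.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', script)
        if merged == script:
            return merged
        script = merged


def fold_constants(script: str) -> str:
    """Evaluate the (a * b - c) arithmetic that hides numeric constants."""
    return CONST_RE.sub(
        lambda m: str(int(m.group(1)) * int(m.group(2)) - int(m.group(3))), script)


# Constructed sample: lines lifted from Figures 6 and 7, with the Figure 7
# decoder name XX777X written as deObfuscate.
SAMPLE = '''filename = deObfuscate(":?56I]2DA")
reqServerVars = Request.ServerVariables(deObfuscate("$t#") & _
    deObfuscate("'t#0$~u%") & deObfuscate("(p#t"))
dizhi = deObfuscate("`af]_]_]`")
Set X7XX777 = X77X77.CreateObject(deObfuscate("25@") & deObfuscate("53]DEC") & deObfuscate("62>"))
X7XX777.Type = (11 * 24 - 262)
X7XX777.mode = (43 * 105 - 4512)
'''


def clean_script(script: str = SAMPLE) -> str:
    """Run both passes over a script body."""
    return fold_constants(resolve_strings(script))
```

Running clean_script() on the sample yields the literals shown in Figure 8 plus the plain adodb.stream constants of Figure 7.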

V. Interpreting the Backdoor Script

After reviewing the picture.asp backdoor script, it is clear that the script is intended to ensure that the criminals have a method to access and download files to the infected client machine. Once the backdoor script is placed on the web server, it can be activated by the criminal simply visiting or loading the file using a web browser or another program. For example, the criminals could access my infected web server by navigating to http://www.MyDomain.com/Scripts/picture.asp.

Once the script has been activated, the script variable csvalue points to a query string parameter within the HTTP request which is expected to contain the file name that is targeted for download from the attacker’s command server located at the obfuscated IP address hidden within the script. In this particular case, the expected query string parameter containing the target file is named video. The infected client then performs a GET request to the attacker’s command server, downloading the file location provided within the video query string variable. This variable can be modified ‘on the fly’ using any query string parameter value within the URL, such as picture.asp?video=targetFile.htm. In this manner, the actual file on the attacker’s command server need not be included within the script and is further obfuscated from detection. The targeted file is downloaded using a binary adodb stream. If the download is successful, the script performs a series of regular expression searches targeting all href URLs within the downloaded file contents pointing at HTML, asp, htm, css, gif, jpg, and png files. Each of the URLs identified is updated to match the client’s directory structure for the targeted site.

For example, the regular expression href=""/(.*?).(html|asp|htm)"" is used to target all URLs pointing at html, asp, and htm file types. Each URL located is then replaced with the second regular expression href="&filename&"?"&csvalue&"=$1.$2". On our particular server, this expression translates to href="/Styles/picture.asp?video=filename" where filename contains the original file name and file extension requested in the link. This behavior allows the criminals to display any web page which is located on the attacker’s command server. The malicious script will actually download and install any missing files required to support the successful rendering of the criminal’s web page content. In addition, the script will create any folders missing in a given URL’s mapped file path on the targeted server to ensure the referenced content will successfully render.

At first, it may seem counterintuitive that all links to html, asp, and htm file types are updated to point recursively back to the picture.asp file. However, when each link is activated, the script can be executed once again to download and install any files and folders necessary to render and display the requested link’s content.

Using the picture.asp backdoor script in combination with any redirect script placed on any page within the targeted server allows the criminals to display dynamic content from their attack command server. In this particular attack, the criminals were observed creating both blackhat SEO link farms in an effort to boost page ranks for counterfeit good websites and using the picture.asp backdoor script to display dynamic counterfeit goods web content at will.

VI. Tracking the Criminals

After the text deobfuscation process is performed on the entire script, the new text values reveal many important features of the criminal’s backdoor program which could reveal the hacker’s identity. In addition, we created the ‘Link Spider’ to recursively follow all of the links originating from the infected webpages at jakemdrew.com and identify malicious link farms and website redirects which may be pointing to websites selling counterfeit goods.

A. Tracking the Backdoor Script

We can now tell that the script code X7X7X77.dizhi = XX777X("bf]e`]aba]`fb") actually points to the criminal’s IP address for the attacker’s command server. Decoded, the new text reads backDoorObj.dizhi = "37.61.232.173". A quick WHOIS on that IP reveals that the server is hosted on the UK internet service provider ‘Host Lincoln Limited’.

The script sets a very unusual request header prior to making its HTTP GET request to the criminal’s server. The suspect request header value is X-Realsdflkjwer3l234lkj234lkj234l-IP. This particular request header is always set to the originating IP address of the client connecting to the criminal’s command server. The X-Forwarded-For or XFF request header is the ‘de facto’ standard for identifying this information [8]. Setting this value within such an unusual request header appears to indicate that the hackers are encoding a message within the GET request to the criminal’s server that this particular incoming request has originated from an infected client.

A quick search of the suspect request header value ‘X-Realsdflkjwer3l234lkj234lkj234l-IP’ on Google turns up only two hits. The first hit appears to be yet another infected website with a very similar copy of the backdoor script which is actually in a deobfuscated form [5]. This site also turns up a second IP address pointing to a criminal server, 69.163.33.18, hosted by DirectSpace Networks, LLC. in Portland, OR. The second deobfuscated script also confirms many of our assumptions regarding the picture.asp file.

The second Google hit provides even more valuable information by locating the same request header within a PHP reverse proxy script which had been decoded at http://www.ddecode.com [3], a website associated with Sucuri SiteCheck. The PHP reverse proxy script also included a copyright URL pointing to bseolized.com which turns out to be a website selling its ‘shadowMaker’ software for industrial-strength cloaking and IP delivery. Based on its description, this software is a blackhat SEO tool generating phantom pages and shadow domains for its users [1]. The tool currently sells for 3497 USD. The occurrence of the X-Realsdflkjwer3l234lkj234lkj234l-IP request header within both scripts appears to tie the US based owners of bseolized.com directly to the GoDaddy shared web hosting mass compromise.

The bseolized.com website also sells a product called ‘Template Spinner’: an obfuscation software package for generating truly unique content for each shadow domain created [2]. This is concerning since the software uses many of the same obfuscation techniques used within our picture.asp script, but would make it challenging to locate the sites generated by the Shadow Maker software. This tool currently sells for 495 USD.

B. The Link Spider

A program named the ‘Link Spider’ was written in the C# programming language. The ‘Link Spider’ accepts a list of URLs as input and proceeds to check each URL for the hidden <div> tags left by the Cyber Monday hack. The program also recursively follows all link URLs collected within the targeted <div> tag, applying the same logic until there are no more links left to follow.

We started out by searching for opening <div> tags ending with opacity:0.001;z-index:10;">. All searches were case insensitive. During identification of each infected <div> tag we collected all link URLs and the link text included within each link tag. All link tags within the infected div were identified using the following regular expression: (.*?).

After reviewing the preliminary results, we identified three additional hidden HTML tag elements which also included bad links:

[Figure: the three additional hidden HTML tag elements]

These elements were integrated into the Link Spider’s search criteria.
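The hidden-div search and recursive link following described above, as an added Python example (it is not the authors’ C# Link Spider). The div marker is the one quoted above; the link regex, the limit on crawl size and the host names in the constructed pages are assumptions, and fetch is injected so the crawl runs offline.

```python
import re
from collections import deque

# An opening <div> whose style ends with the marker the Link Spider searched
# for, and the <a href="...">text</a> links inside it; both case-insensitive,
# as in the original search.
HIDDEN_DIV_RE = re.compile(
    r'<div\b[^>]*opacity:0\.001;z-index:10;"\s*>(.*?)</div>', re.I | re.S)
LINK_RE = re.compile(r'<a\b[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r'<[^>]+>')


def hidden_links(html):
    """Return (url, link text) pairs found inside hidden divs on one page."""
    links = []
    for div in HIDDEN_DIV_RE.finditer(html):
        for url, text in LINK_RE.findall(div.group(1)):
            links.append((url, TAG_RE.sub('', text).strip()))
    return links


def link_spider(seeds, fetch, limit=10000):
    """Breadth-first crawl; fetch(url) returns a page body or None.

    Every link harvested from a hidden div is queued and checked in turn, so
    the crawl maps the whole farm reachable from the seeds. The seen set
    breaks the cycles link farms are full of and limit bounds the crawl.
    Returns {infected_url: [(url, text), ...]} for pages carrying a hidden div.
    """
    queue = deque(seeds)
    seen = set()
    infected = {}
    while queue and len(seen) < limit:
        url = queue.popleft()
        if url in seen:
            continue
        seen.add(url)
        body = fetch(url)
        if body is None:
            continue
        links = hidden_links(body)
        if links:
            infected[url] = links
            queue.extend(u for u, _ in links if u not in seen)
    return infected


# Constructed offline sample: an infected home page, a link-farm page that
# links back to it (a cycle) and on to a storefront, and a clean page. The
# hosts are placeholders, not sites from the study.
PAGES = {
    "http://victim.example/": """<html><body><h1>Welcome</h1>
<DIV style="position:absolute;left:-9999px;opacity:0.001;z-index:10;">
<a href="http://farm-a.example/cm.htm">mcm cyber monday</a>
<a href="http://farm-b.example/bf.htm"><b>uggs black friday</b></a>
</DIV></body></html>""",
    "http://farm-a.example/cm.htm": """<div style="opacity:0.001;z-index:10;">
<a href="http://victim.example/">coach cyber monday</a>
<a href="http://store.example/outlet.php">michael kors black friday</a>
</div>""",
    "http://farm-b.example/bf.htm": "<p>Nothing hidden here.</p>",
    "http://store.example/outlet.php": "<p>Storefront page, no hidden div.</p>",
}


def run_sample():
    """Crawl the constructed pages starting from the infected home page."""
    return link_spider(["http://victim.example/"], PAGES.get)
```

Replacing PAGES.get with a real HTTP fetch turns this into the spider itself; the output maps each infected page to the links it was seeding.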

In addition to collecting the infected links, we also searched for both inline and linked