26 09, 2014

6Scan Automatically Blocks Shellshock Attack Vectors



Shellshock is out, and it’s exactly the type of threat that reinforces the importance of real-time, proactive, automated security.

6Scan has developed solutions to protect our customers’ websites against Shellshock attack vectors and we will continue to automatically update our active subscribers as new vectors emerge.

Through our patent-pending automated website security we are able to define common attack vectors and filter out malicious traffic designed to exploit websites that are exposed to this vulnerability. As new attack vectors emerge we will continue to update our security in real-time.

Shellshock details

The vulnerability comes from a weakness in the GNU Bourne Again Shell (Bash), the text-based, command-line utility on multiple Linux and Unix operating systems. Researchers discovered that if Bash is set up to be the default command line utility on these systems, it opens those systems up to specially crafted remote attacks via a range of network tools that rely on it to execute scripts, from telnet and secure shell (SSH) sessions to Web requests. The vulnerability is summarized here.

The Guardian website has a good non-jargon write-up and, as usual, Krebs on Security has good coverage, including this warning:

“The bug is being compared to the recent Heartbleed vulnerability because of its ubiquity and sheer potential for causing havoc on Internet-connected systems — particularly Web sites. Worse yet, experts say the official patch for the security hole is incomplete and could still let attackers seize control over vulnerable systems.”

Stay safe.

5 08, 2014

6Scan Quarantine Technology Defeats Dynamic DNS Watering Hole Attack


At 6Scan we are obsessed with simplifying security. After we figured out how to automatically detect and repair website vulnerabilities we set about doing the same for web-based malware. As 85% of all malicious web-based links are hosted on legitimate sites that have been hacked, solving this challenge would provide an unprecedented level of protection for our community.

We decided that quarantining the code, just as an anti-virus product does with malware on a desktop computer, was the best way to immediately protect the website and customers against malicious re-directs and drive-by downloads. But as we developed this approach we also discovered a powerful benefit: by quarantining the code we could quickly reverse engineer its behavior. This allows us to identify its infection techniques and how it communicates with command and control (C&C) servers. We tested these capabilities during our beta deployment, and were able not only to secure a hacked retail website, but to analyze the activity of its infection.


The customer in this case is a popular online furniture website. They had received sporadic indications of anomalous behavior on their site but were unable to identify any malicious code. They had never been blacklisted by any search engines or browsers, and in fact they had active Google AdWords campaigns running. Despite the continued functioning of their website, they had been infected for the previous 5 months.

After our website scan detected the malware, our agent pinpointed the infection and quarantined the malicious code automatically. This immediate action secured the website and its visitors. Then we analyzed the attack and that’s where it got interesting.

Following Commands

Through log analysis we could see that the malware contained a calling script that collects information about each visitor to the website and then sends that information to a C&C server. The C&C server evaluated the information (user agent, referrer and IP) and directed the malware either to launch or not to launch the exploit code. It launched the code only if the visiting IP was new and the user agent (browser) was Opera or IE 11 or earlier. Browser selection is a common technique to decrease the probability of detection. Considering the site had been infected for 5 months prior to our detection, it turned out to be a highly effective strategy on the part of the hackers.

Hiding in PNG Site

The calling script (the mechanism by which the malicious code on the website communicated with the C&C server) was an encoded PHP function that was embedded in a PNG image on the website. It looked like this:



If the C&C server sent back exploit code, it appeared as an obfuscated JavaScript snippet that created an iframe to another domain. The novelty in this approach was that the domains were generated dynamically and immediately deactivated after a single use—effectively hiding the hacker’s tracks. All the domains were available via a free dynamic DNS service.

Here’s a snippet of the decoded PHP code:



So, how was the PHP code extracted from the image data and run?

The following is the malware injection code that ran in the nav menu file. The nav file loaded for every page, making this an efficient tactic.


What happens here is that the path to the image file is encoded in the first array (we’ve removed the prefix to keep our client confidential), and then the code is read from the PNG file (everything after the cls::: prefix). The next step, eval(base64_decode(...)), decodes the information read from the image file, and then $view is built, which is where preg_replace is run. As is widely known by PHP coders, running preg_replace with the /e modifier is effectively equivalent to running the eval() function. The afflicted web server has been tricked into serving malicious code to its customers. Because of clever obfuscation the mechanism of the attack is not apparent—at least not until 6Scan quarantined it and analyzed its function.
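A scanner for the two tell-tale signs described above, written as an added example for this post (it is not 6Scan’s agent or any code from the incident): it walks a PNG chunk by chunk and reports any bytes left after the IEND chunk, which is where the calling script was hidden, and it flags PHP source that passes a quoted pattern carrying the e modifier to preg_replace. The minimal PNG, the cls::: payload and the PHP snippets are constructed here for the demonstration; CRCs are not validated and the preg_replace check is a heuristic, as the comments note.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

/* A PNG starts with this 8-byte signature, then chunks of: 4-byte big-endian
   length, 4-byte type, data, 4-byte CRC. IEND is the last chunk by definition,
   so anything after it is not image data. CRCs are not validated by this scanner. */
static const unsigned char PNG_SIG[8] = {0x89, 'P', 'N', 'G', 0x0d, 0x0a, 0x1a, 0x0a};

static uint32_t be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Number of bytes following the IEND chunk, or -1 if the buffer is not a
   well-formed PNG (bad signature, truncated chunk, or no IEND at all). */
long png_trailing_bytes(const unsigned char *buf, size_t len) {
    if (len < 8 || memcmp(buf, PNG_SIG, 8) != 0) return -1;
    size_t off = 8;
    while (off + 12 <= len) {                     /* room for length, type and CRC */
        uint32_t clen = be32(buf + off);
        const unsigned char *type = buf + off + 4;
        if (clen > len - off - 12) return -1;     /* chunk claims more than we have */
        off += 12 + clen;
        if (memcmp(type, "IEND", 4) == 0) return (long)(len - off);
    }
    return -1;
}

/* 1 if `needle` (e.g. "<?php" or the cls::: marker) appears after IEND, else 0. */
int png_tail_contains(const unsigned char *buf, size_t len, const char *needle) {
    long trailing = png_trailing_bytes(buf, len);
    size_t nlen = strlen(needle);
    if (trailing <= 0 || nlen == 0 || (size_t)trailing < nlen) return 0;
    const unsigned char *tail = buf + (len - (size_t)trailing);
    for (size_t i = 0; i + nlen <= (size_t)trailing; i++)
        if (memcmp(tail + i, needle, nlen) == 0) return 1;
    return 0;
}

/* Heuristic: 1 if the PHP source calls preg_replace( with a quoted pattern whose
   modifier list contains e (the eval-equivalent modifier). Bracket-style
   delimiters such as (...) and escaped delimiters inside the pattern are not handled. */
int php_uses_preg_replace_e(const char *src) {
    const char *p = src;
    while ((p = strstr(p, "preg_replace(")) != NULL) {
        p += strlen("preg_replace(");
        while (*p == ' ' || *p == '\t') p++;
        char quote = *p;
        if (quote != '\'' && quote != '"') continue;    /* pattern is not a literal */
        char delim = p[1];                               /* regex delimiter, e.g. / */
        if (delim == '\0' || delim == quote) continue;
        const char *end = strchr(p + 2, delim);          /* end of the pattern body */
        if (end == NULL) continue;
        for (const char *m = end + 1; *m != '\0' && *m != quote; m++)
            if (*m == 'e') return 1;
    }
    return 0;
}

/* Builds a constructed minimal PNG (IHDR for a 1x1 image, IEND) and appends
   `payload` after IEND, the way the injected image on the site carried its script.
   Returns the total length, or 0 if the buffer is too small. */
size_t build_sample_png(unsigned char *out, size_t cap, const char *payload) {
    static const unsigned char body[] = {
        0x89, 'P', 'N', 'G', 0x0d, 0x0a, 0x1a, 0x0a,
        0, 0, 0, 13, 'I', 'H', 'D', 'R', 0, 0, 0, 1, 0, 0, 0, 1, 8, 0, 0, 0, 0,
        0, 0, 0, 0,                                  /* IHDR CRC: placeholder, not checked */
        0, 0, 0, 0, 'I', 'E', 'N', 'D', 0xae, 0x42, 0x60, 0x82
    };
    size_t plen = strlen(payload);
    if (cap < sizeof body + plen) return 0;
    memcpy(out, body, sizeof body);
    memcpy(out + sizeof body, payload, plen);
    return sizeof body + plen;
}

/* Constructed sample payload mirroring the structure described in the post. */
static const char SAMPLE_PAYLOAD[] = "cls:::<?php eval(base64_decode('aGVsbG8='));";

long demo_trailing_bytes(int infected) {
    unsigned char buf[256];
    size_t n = build_sample_png(buf, sizeof buf, infected ? SAMPLE_PAYLOAD : "");
    return n ? png_trailing_bytes(buf, n) : -1;
}

int demo_tail_contains(int infected, const char *needle) {
    unsigned char buf[256];
    size_t n = build_sample_png(buf, sizeof buf, infected ? SAMPLE_PAYLOAD : "");
    return n ? png_tail_contains(buf, n, needle) : 0;
}

int main(void) {
    printf("clean PNG trailing bytes:    %ld\n", demo_trailing_bytes(0));
    printf("infected PNG trailing bytes: %ld\n", demo_trailing_bytes(1));
    printf("infected tail has <?php:     %d\n", demo_tail_contains(1, "<?php"));
    printf("preg_replace /e found:       %d\n",
           php_uses_preg_replace_e("$view = preg_replace('/.*/e', $code, '');"));
    return 0;
}
```

Any trailing bytes after IEND in an image under a web root deserve a look, whether or not a PHP tag is visible, since the marker and the encoding can change between campaigns; the preg_replace check is a cheap first pass over PHP files and is no substitute for reviewing what is passed to eval and base64_decode.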

The Damage Done

Once the obfuscated JavaScript has been loaded onto the site it then probes each visiting browser for vulnerabilities. When a vulnerable application is detected, the C&C server dynamically loads up to 4 exploits which can be used to further compromise the visiting browser as well as the device running it.

Though the obfuscation was rather tough, we managed to decode it to see which exploits are loaded. They included 2 Java exploits, a Flash exploit and an interesting Silverlight exploit. All of the exploits give the attacker the ability to execute arbitrary code on the victim’s computer.

6Scan Customers Benefit

Our innovative approach to detecting, quarantining, and analyzing malicious code—all in real time—brings benefits to every 6Scan customer. Our automated service puts this power in the hands of even the smallest business and our threat analysis shows how hackers work and enables us to stay one step ahead of the next attack.

29 05, 2014

eBay Security and the “Punching Bag of the Internet”


Percentage of Breaches by Attack Vector from the 2014 Verizon Data Breach Report

Not only has eBay security been undone by their tolerance for what The Register referred to as “Rubbish Passwords” — now there are reports of multiple Cross Site Scripting (XSS) vulnerabilities on eBay subdomains.

As the 2014 Verizon Data Breach Investigations Report chronicled, web applications were the top attack vector for successful data breaches in 2013. The report went so far as to dub web applications “the proverbial punching bag of the Internet.”

At 6Scan we block millions of attempts to exploit vulnerable applications every month. Currently XSS is the 4th most prevalent attack we see. While XSS does not pose an immediate threat like an SQL injection does, the security implications are highlighted in the XSS attack definition:

“An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.”

The significance of the attack is not only in access to the vulnerable application, but in malicious access to the trusted relationship between a user and a given site (like eBay). We recently wrote about an NFL team with an active XSS vulnerability; it’s in these situations with powerful brands that XSS vulnerabilities can do the most damage. So while eBay chose to downplay the vulnerability with the comment that it’s “not a new type of web application vulnerability on sites such as eBay,” the reality is that the severity of the threat is directly related to the trust of the brand.

Stay safe.

7 05, 2014

NFL Draft and the Cyber Kill Chain

Tomorrow, the unofficial start of the pro football season kicks off with ESPN’s broadcast of the 2014 NFL Draft. As in the past, hundreds of thousands of people will follow the drama via the Internet. Unfortunately, a vulnerability contained on the website of one NFL franchise may leave that team’s fans blindsided by hackers.

This team’s website includes a Cross Site Scripting (XSS) vulnerability, one that’s used as part of a nearly fool-proof cyber scam.

In these scams, attackers use emails about upcoming events as bait, e.g. “Find out who ‘Team X’ will take #1 in the draft…” These emails contain links directly to the team’s website. Each link is formatted correctly and looks 100% legitimate. Clicking the link executes a browser injection that lets the hacker display a pop-up window on top of the legitimate destination page. Pop-ups can display offers such as discount ticket promotions, new merchandise, etc. All information entered in a pop-up ends up in attackers’ hands.

While significant, the damage in such an attack — to the team’s on-line reputation and the victim’s credit profile — is still manageable. However, as 6Scan Co-founder Nitzan Miron points out, bigger issues are at stake.

“This is not a catastrophic vulnerability in terms of network or database access, but it is a critical link in the cyber kill chain,” Nitzan said. XSS can also be used to phish employees’ credentials, giving attackers direct access to a company’s network. Once inside a network, attackers can leverage advanced threats that are difficult to detect.

“Hacked websites have evolved into the number one attack platform. They are involved in 85% of attacks and have become a critical early link in the cyber kill chain,” Nitzan explained.

XSS – which can only be found by a website or application scan – is one of the top 5 vulnerabilities 6Scan detects. Because such attacks take place at the browser level, website administrators never know they’re happening. This is just one of the threats that drive us to deliver automated scanning and remediation services that any business can deploy regardless of size or security expertise.
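Both the eBay post above and this one describe reflected XSS in outline: a parameter from a crafted link is written back into the page without encoding, so the browser treats it as markup and runs it as script. The mitigation is to encode untrusted data for the HTML context it lands in before emitting it. The following is an added example written for this page, not eBay’s, the team’s or 6Scan’s code; the page template and the crafted parameter value are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Writes an HTML-escaped copy of `src` into `out` (NUL-terminated). Returns the
   number of characters written, or -1 if `cap` is too small. The five characters
   that can break out of an HTML text node or a quoted attribute are replaced. */
long html_escape(const char *src, char *out, size_t cap) {
    size_t n = 0;
    for (const char *p = src; *p != '\0'; p++) {
        const char *rep;
        char one[2] = {*p, '\0'};
        switch (*p) {
            case '&':  rep = "&amp;";  break;
            case '<':  rep = "&lt;";   break;
            case '>':  rep = "&gt;";   break;
            case '"':  rep = "&quot;"; break;
            case '\'': rep = "&#39;";  break;
            default:   rep = one;      break;
        }
        size_t rlen = strlen(rep);
        if (n + rlen + 1 > cap) return -1;      /* leave room for the terminator */
        memcpy(out + n, rep, rlen);
        n += rlen;
    }
    out[n] = '\0';
    return (long)n;
}

/* Constructed page fragment that reflects a query parameter: first the unsafe way
   (raw concatenation, as a vulnerable page does), then with html_escape applied.
   Both return the number of characters written, or -1 on overflow. */
long render_unsafe(const char *query, char *out, size_t cap) {
    int n = snprintf(out, cap, "<h1>Results for %s</h1>", query);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

long render_safe(const char *query, char *out, size_t cap) {
    char escaped[512];
    if (html_escape(query, escaped, sizeof escaped) < 0) return -1;
    int n = snprintf(out, cap, "<h1>Results for %s</h1>", escaped);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

/* 1 if the rendered HTML still contains a raw <script tag, i.e. the reflected
   input reached the page as markup rather than as text. */
int contains_script_tag(const char *html) {
    return strstr(html, "<script") != NULL;
}

/* Constructed parameter value of the kind a crafted link would carry. */
static const char CRAFTED_QUERY[] = "draft<script>alert('x')</script>";

int demo_unsafe_has_script(void) {
    char page[512];
    return render_unsafe(CRAFTED_QUERY, page, sizeof page) >= 0 && contains_script_tag(page);
}

int demo_safe_has_script(void) {
    char page[512];
    return render_safe(CRAFTED_QUERY, page, sizeof page) >= 0 && contains_script_tag(page);
}

/* Length of the escaped form of a small attribute-bearing fragment. */
long demo_escaped_length(void) {
    char buf[64];
    return html_escape("<a href=\"x\">", buf, sizeof buf);
}

int main(void) {
    char page[512];
    render_unsafe(CRAFTED_QUERY, page, sizeof page);
    printf("unsafe: %s\n", page);
    render_safe(CRAFTED_QUERY, page, sizeof page);
    printf("safe:   %s\n", page);
    return 0;
}
```

This escaping is correct for data placed in HTML text and in quoted attribute values; data placed inside a URL, a JavaScript string or a CSS value needs the encoding for that context instead, which is why templating engines that escape by default per context are the practical fix for sites of eBay’s size.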

Stay Safe.

29 04, 2014

The Reports are in: Hacked Websites are a Big Problem


The big boys have weighed in, and both Cisco’s 2014 Security Report and the Websense 2014 Threat Report have identified a major contributor to cyber-crime: hacked legitimate websites. The Cisco report accurately refers to these attacks as High Efficiency Infection Strategies because, as the image below illustrates, a single website can attack a variety of devices. Websense re-affirms the popularity of this attack method by pointing out that 85% of malicious links are hosted on hacked legitimate websites.

Websites can launch attacks upon multiple device types (image from Cisco’s 2014 Security Report)

At 6Scan we see the magnitude of the effort behind these attacks and the damage they can inflict. There is a constant barrage of malicious traffic against the sites we secure. Why? Because using hacked websites to disseminate malware is a high-efficiency infection strategy. A compromised website, or web server, is the bad guys’ honeypot — it’s out there just waiting for victims to show up. Many new customers come to us after they have been targeted. Once breached, these sites become platforms for serving malware until inevitably they are blacklisted by browsers or desktop anti-virus.

In many cases these small businesses have much more to lose than bigger companies. Large firms have insurance, recovery strategies and adequate resources to survive a breach, even one that is large scale and highly visible. Smaller firms, The Fortune 15 Million, don’t always have this cushion. In many cases they stand to lose everything. This is why 6Scan offers a free service to assess website security. It’s also why we focus on fixing vulnerabilities before they become breaches.

Stay safe.


21 04, 2014

Heartbleed’s Long Dangerous Tail


It’s been two weeks since the Heartbleed bug was disclosed, and, here at 6Scan, we’re encouraged that 99% of the sites we scan, and 100% of the sites we protect, are unaffected by this critical vulnerability.

Unfortunately, the 1% of sites we scan that are affected represents thousands of destinations with millions of monthly page views. We’ve researched these sites and grouped them by Alexa rank (see image below). The vast majority are part of the internet’s “long tail” small sites – ranking outside Alexa top 1,000,000 – that serve niche communities and special interests.

It’s tempting to marginalize these vulnerable sites because of their size, but don’t. Left unchecked, these small sites put everyone at risk.

Why? Breaching small sites is an essential part of the black-hat economy. They provide the resources for hosting phishing pages, infecting consumers, evading malicious-IP blacklisting, launching DDoS attacks and many other nefarious activities. Protecting these sites, and their visitors, is critical for the ongoing viability of the internet.

While Heartbleed had many of us primarily concerned with larger properties and institutions running vulnerable OpenSSL versions, it’s important to remember that small sites pose a threat as well. If you’re concerned about the smaller sites that you visit, there are a variety of tools available that claim to provide information on a website’s OpenSSL status, including this one.

The chart below shows the breakdown of Heartbleed-affected websites by Alexa rank. 1.3% of the vulnerable sites are within the top 100,000 most trafficked sites on the internet. As a reference point, the site ranked 100,000 would average about 25,000 unique page views per month. What makes the long tail so dangerous is that over 90% of the sites still affected are outside the top 1 million.



8 04, 2014

OpenSSL Heartbleed Bug Analysis


Yesterday the security engineers at Codenomicon disclosed a high severity security vulnerability in one of the most used SSL libraries in the world – OpenSSL.

According to the published advisory, the vulnerability exists in versions 1.0.1, 1.0.2-beta, 1.0.1f and 1.0.2-beta1 and seems to impact millions of servers; please upgrade to the latest version, OpenSSL 1.0.1g.

What’s the Heartbleed bug?

OpenSSL implements the Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) protocols, which are designed to secure traffic against unauthorized attackers. An extension called Heartbeat is used to keep a TLS connection alive between client and server; the security vulnerability was found in that extension, and that is why the researchers named the bug “Heartbleed”.

How the bug behaves

We downloaded the latest version with the security fix (1.0.1g) and the version before it (1.0.2-beta1), searched for the function that handles the heartbeat extension, and performed a diff between the two versions.



* Comparison between vulnerable OpenSSL 1.0.2-beta1 and the latest fixed version 1.0.1g

From the above comparison we can learn a lot about the Heartbleed security bug. On the left you can see the old vulnerable version:

/* Read type and payload length first */

hbtype = *p++;
n2s(p, payload);
pl = p;

The first line extracts the type of the heartbeat message received; the second reads the payload length from the received message. The code does not check whether the length supplied by the remote client matches the data actually received.

/* Allocate memory for the response, size is 1 bytes
 * message type, plus 2 bytes payload length, plus
 * payload, plus padding
 */
buffer = OPENSSL_malloc(1 + 2 + payload + padding);
bp = buffer;

/* Enter response type, length and copy payload */
*bp++ = TLS1_HB_RESPONSE;
s2n(payload, bp);
memcpy(bp, pl, payload);
bp += payload;
/* Random padding */
RAND_pseudo_bytes(bp, padding);

r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);

As we can see later in that function, it allocates memory based on the unchecked length supplied by the remote client, generates a response and sends it back to the remote client. That means a client can claim a length of up to 65K without providing a message of that size; the function will then build a response message and copy the payload in the size the client specified, which copies 65K of memory that may contain important information about the server such as encryption keys, user names, passwords, etc.
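To make the missing check concrete, here is an added example (not OpenSSL’s code and not 6Scan’s): a minimal heartbeat handler that parses the same three fields as the snippet above, type, two-byte payload length and payload, and refuses to build a response when the declared length plus the 16 bytes of padding exceeds the record actually received, which is the bounds check the 1.0.1g fix added. The request records, the zero padding and the response buffer are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

#define HB_REQUEST  1     /* TLS1_HB_REQUEST */
#define HB_RESPONSE 2     /* TLS1_HB_RESPONSE */
#define HB_PADDING  16    /* minimum padding a heartbeat message carries */

/* Equivalent of OpenSSL's n2s: read a big-endian 16-bit value and advance p. */
static uint16_t n2s(const unsigned char **p) {
    uint16_t v = (uint16_t)(((*p)[0] << 8) | (*p)[1]);
    *p += 2;
    return v;
}

/* Parses a heartbeat record of rec_len bytes and writes the response to out.
   Returns the response length, or -1 when the record is rejected. The bounds check
   is the one the vulnerable code lacked: the payload the client claims, plus padding,
   must lie entirely inside the bytes that actually arrived, so memcpy can never
   read past the record into other memory. */
long heartbeat_respond(const unsigned char *rec, size_t rec_len,
                       unsigned char *out, size_t out_cap) {
    const unsigned char *p = rec;
    if (rec_len < 1 + 2 + HB_PADDING) return -1;        /* too short to be valid */
    unsigned char hbtype = *p++;
    uint16_t payload = n2s(&p);
    const unsigned char *pl = p;
    if ((size_t)1 + 2 + payload + HB_PADDING > rec_len) return -1;  /* the missing check */
    if (hbtype != HB_REQUEST) return -1;
    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap) return -1;
    unsigned char *bp = out;
    *bp++ = HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8);              /* s2n */
    *bp++ = (unsigned char)(payload & 0xff);
    memcpy(bp, pl, payload);                             /* now provably inside rec */
    bp += payload;
    memset(bp, 0, HB_PADDING);                           /* OpenSSL uses random bytes here */
    return (long)resp_len;
}

/* Constructs a heartbeat request that declares `claimed` payload bytes while
   carrying `actual` bytes of data plus padding. Returns the record length. */
size_t build_request(unsigned char *out, size_t cap, uint16_t claimed, size_t actual) {
    size_t len = 1 + 2 + actual + HB_PADDING;
    if (len > cap) return 0;
    out[0] = HB_REQUEST;
    out[1] = (unsigned char)(claimed >> 8);
    out[2] = (unsigned char)(claimed & 0xff);
    memset(out + 3, 'A', actual);
    memset(out + 3 + actual, 0, HB_PADDING);
    return len;
}

/* Well-formed request: declared length matches the data present. */
long demo_consistent_request(void) {
    unsigned char req[64], resp[64];
    size_t n = build_request(req, sizeof req, 3, 3);
    return heartbeat_respond(req, n, resp, sizeof resp);
}

/* Malformed request: declares 65535 bytes but only 3 are present. */
long demo_oversized_request(void) {
    unsigned char req[64], resp[64];
    size_t n = build_request(req, sizeof req, 65535, 3);
    return heartbeat_respond(req, n, resp, sizeof resp);
}

int main(void) {
    printf("consistent request -> response length %ld\n", demo_consistent_request());
    printf("oversized request  -> %ld (rejected)\n", demo_oversized_request());
    return 0;
}
```

The point of the example is the single comparison before memcpy: every length field that arrives from the network has to be checked against the number of bytes that actually arrived before it is used to size a copy, and a record that fails the check is dropped rather than answered.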


We highly recommend that all sysadmins check and verify they have the latest version of OpenSSL (1.0.1g). In the near future it seems we’ll have a lot of interesting stories about it; hold tight.

13 03, 2014

Value of a Hacked Website

After our recent Data (In)Security post, we fielded many questions from owners of small sites and blogs that basically boiled down to one common theme – I’m not Target, so why would anyone hack my site?

Thanks to news coverage there’s a common misconception that attackers are only after banks, large companies, or critical infrastructure. No doubt we live in a world where big names get big headlines. However, a more accurate account of the assault on small business websites comes from industry reports. Case in point: the Verizon 2013 Security Report reported that 71% of data breaches affected companies of 100 employees or fewer.

The attacks are driven, in large part, by an ever-growing number of websites. In the past 3.5 years alone, the number of active websites has doubled from 90 to 180 million (according to Netcraft). This rapid increase in the creation of individual and small business websites has produced a threat landscape that mimics that of the late 1990s and early 2000s. It was during this period that broadband access boomed – creating millions of new targets (PC owners) with limited time to understand the risks they faced.

In a snapshot, the above image illustrates time-tested reasons why criminals target small websites. The image is based on the infographic Value of a Hacked PC, created by Brian Krebs. If you’re not familiar with his work, check out his website, Krebs on Security. Krebs’ security coverage unwinds cyber-criminal activity in near real time and often reads like a Tom Clancy story.

Unfortunately, the number of ways criminals can monetize your company’s website is too vast to cover in one blog post. Over the coming weeks we will drill down on specific threats. For now, suffice it to say, no site is too small to be victimized.

I’ll sign off with this friendly piece of advice: to everyone using a CMS, do yourself a favor and update to the latest version!



11 03, 2014

Ask a VC with 6Scan Investor Yoav Leitersdorf

Great recap of RSA from 6Scan board member Yoav Leitersdorf.

24 02, 2014

Data (In)Security


In the world of website content management systems, WordPress is king. As far back as 2012 Fortune magazine anointed WP ruler of the Web, and the number of installed platforms now exceeds 70 million. So a logical question is “What does it mean to be one of 70 million in terms of website security?”

Well, in cyber-security as in many industries, Shakespeare’s line “Uneasy lies the head that wears a crown” is often applicable. So it’s important to recognize that dominant market share makes an inviting target for criminals. Exploit writers follow the money which, for them, lies in hacking vulnerable website code. The more vulnerable applications in distribution, the more profit they see.

Hackers use WP sites – revenue-generating and fan-based alike – to carry out criminal activity ranging from malware distribution to data theft and more. At 6Scan, we see an inordinate number of sites unwittingly inviting attacks with virtual “Hack Me” signs. Of the WP sites on our scanning platform (as of January 17, 2014) fewer than 20% were using the current version (3.8) and approximately 25% run versions that are more than one year out of date (see chart for the full breakout). Hackers love out-of-date applications, which they regard as low-hanging fruit, because their vulnerabilities are well known and exploit packages are available for purchase. So before doing anything else, 6Scan urges WP site owners and administrators to install the latest version of WP. Strengthening sites across the board – all types – is good for the individual as well as the WP community in general.