One of the world’s longest lived malware networks, Eitest network is offline now. But the infection is still active and can affect servers running malicious and vulnerable code.

When the EITest infrastructure was discovered in 2011, it was not foreseen that cyber criminals would start using it as a TDS botnet. Today, we’ll see what is Eitest infection, and how your server can get affected by it.

 

What is Eitest infection?

EITest is one of the oldest and largest infection chains. The malware is distributed via a private exploit kit and was aimed at directing web traffic from infected server to malicious and scam sites.

Hackers install a backdoor on the vulnerable servers and redirect legitimate traffic from the server to malicious websites. To nullify the impact of this infection, researchers came up with a ‘sinkholing’ technique.

Sinkholing this infection, which substituted malicious server with a sinkhole server, helped to disrupt over two million potential malicious traffic per day.

Between March 15, 2018 and April 4, the sinkhole received “44 million requests from roughly 52,000 servers”, most of which were compromised WordPress sites. This shows the impact of the ongoing infection.

It is also an indication and a warning that EITest actors may attempt to regain control of a portion of the compromised websites involved in the infection chain.

From the traffic that reaches it, the sinkhole identifies the botnet type (from the domain used), the IP address of the botnet infection, timestamps and other information.

The CBL (Composite Blocking List) collects IP address from various researchers (sinkholes) and produces blocklists from them. Once an IP address is listed in this CBL, it affects the reputation of that address.

Eitest infection – The consequences that you face

The aftermath of an infection can present itself in diverse forms. It can affect basic services, infiltrate into other websites or network, or even lead to a complete server shutdown.

Recently we were contacted by a server owner, who was facing email delivery issues. While checking the mail logs, we could see that the mails issue was due to IP blacklist.

The logs showed that the mail server IP address was listed in the Spamhaus blacklist.

https://www.spamhaus.org/query/ip/XX.XX.XX.XX

This was also the main server IP address and being in the blacklist was affecting the business credibility and fetching many customer complaints.

Further examination of the blacklist revealed that the IP is listed in the XBL, because it appears in: CBL (Composite Blocking List). CBL is a list of suspected e-mail servers sending SPAM due to virus or malware infections.

A CBL LOOKUP showed that the server IP address was detected and listed 608 times in the past 28 days, and 7 times in the past 24 hours.

This IP address is infected with or NATing for an infection of "Eitest".

The further details in CBL revealed this information:

This IP address is infected with or NATing for an infection of "Eitest". This IP address is probably a web server where one or more virtual hosts have been infected using an exploit kit (eg: angler, empire, RIG) using EItest protocols to download, install and operate malicious code, such as gootkit, dreambot, ramnit, vawtrak, cryptXXX - infostealers, ransomware etc. See the reference links for more details.

The specifications related to the latest detection were also listed:

Detection Information Summary
Destination IP XX.XX.XX.XX
Destination port 80
Source IP XX.XX.XX.XX
Source port 58766
C&C name/domain 04d92810.com
Protocol TCP
Time Fri Apr 27 12:51:06 2018 UTC

As per the logs, too much traffic is going from the source port of source IP (server IP) to the destination port of the destination IP.

Eitest infection – The challenges to handle

Multiple CMS can get infected by EITest, such as:

• WordPress (version 2.9.2 to 4.7.2)
• Joomla
• PrestaShop
• Drupal (7.0)

So, if you are a server owner or a website owner who has one or more instances of such CMS, your server may be at risk for the Eitest infection.

Eitest infections are caused by injecting websites with malicious code. The code is injected into sites via backdoor such as malicious shell or other PHP code present in vulnerable CMS or its plugins.

These infections are rated as a “severe threat” and is a trojan downloader that can download and execute ANY software on the infected server.

For the Spamhaus to delist your IP address and to restore normal functioning of emails, you will need to find and eradicate the infection fast. If the infection persists, there are chances that the IP gets listed again for longer duration.

As the CBL lists down all the details specific to the Eitest infection, it looks easy to detect and remove the malware infection. But, when you dig in to the server, you’ll know things aren’t as easy as it seems.

There will not be a domain by that name in the server, there will not be a process running in that port, and there may not be any traces of the IP address in the logs either.

It is not easy to detect the source of Eitest infection in a server with normal debugging tools or malware scans. That is when we adopt an in-depth server scan to detect the infection.

How to audit and secure your infected server

The first and foremost step to resolve the Eitest infection is to detect the websites that are affected. If you notice this in one website, chances are that there are more websites affected in the server.

However, in a server with multiple websites and software running, it is not easy to pinpoint the problem codes. When server owners come to us with a malware infection, we do a full audit of the server immediately.

Our audit includes identifying the outdated CMS software and plugins and other malicious files and processes in the server. But in the case of Eitest infection, we do a more intensive audit.

This is because, the code that is initiating the network connections to sinkhole IP may not be running always. So by just examining the process list or network connections, it may not be possible to detect any issue.

In such instances, we run a network monitoring script and execute it over a period of time, until the suspect is brought to light. Our 24/7 team of engineers do it using schedulers and background tasks.

When the network monitoring script runs, it will help to identify the processes on the server that are trying to communicate with the sinkhole.

Immediately after the processes are detected, we examine the related code and CMS to find out the malicious scripts and vulnerable plugins, and disable them to avoid further attacks.

Once the infected files are found and quarantined, we do the scan once again to confirm that the network activity to sinkhole has stopped. After confirmation, we request for IP delist from Spamhaus and restore server credibility.

Conclusion – Vaccination against infections

Any infection, major or minor, comes with its own set of difficulties, which can range from website malfunctioning to a server downtime. The key here, is to prevent such infections from hitting your server.

At Bobcares, we have custom server management plans to keep our customers’ servers updated, patched and hardened against all attacks. This helps us to prevent server infections, attacks and the associated hassles in these servers.

If you’d like to get your servers protected from infections and malware, feel free to contact us.