
Hundreds of Web sites infected - attack in progress


19 replies to this topic

#1 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 29 February 2008 - 08:35 AM

FYI...

- http://blog.trendmic...serves-malware/
February 28, 2008 - "Sports fan sites being compromised by malicious authors is not unheard of. We’ve seen it happen to a Jets fan site in early January this year, and we’re seeing it again in another fan site – this time of Arsenal, a popular English soccer team. The compromised Web site in this case is Onlinegooner.com, which was reported by ScanSafe OI to be “maliciously active.” STAT* confirmed that the fan site had been injected with malicious code..."
* http://preview.tinyurl.com/ytkm9m
February 22, 2008 (Scansafe blog) - "...STAT discovered the site had been the victim of a code injection compromise. Visitors to the site are subjected to exploits which lead to the initial download of malware ...(hosted in Thailand). That malware then attempts to download additional malicious files ...(hosted in Hong Kong) and ...(another, hosted in Moscow, Russia). Installed malware includes a kernel-mode rootkit, keylogger, backdoor, and a DNS client used for ARP poisoning and DNS spoofing (Man-in-the-Middle attacks). Capabilities of the DNS client include intercepting, interpreting and rerouting of MX (email), NS (specifies authoritative nameservers), A (resolves hostnames to IP address), CNAME (resolves multiple hostnames to a single IP), and PTR (reverse lookups). Detection among traditional antivirus vendors is extremely low with only 8/31 scanners detecting the initially downloaded malware and 4/31 scanners detecting the maliciously installed DNS client used in the man-in-the-middle attacks. The attack itself is silent thus visitors to the site who have been impacted will unlikely be aware that some pretty severe malware has just been foisted onto their system..."

Leading nominee for "Worst 'drive-by download' of the Year"...

:ph34r: :ph34r:

Edited by AplusWebMaster, 17 April 2008 - 09:20 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#2 AplusWebMaster

Posted 03 March 2008 - 10:49 AM

FYI...

- http://www.f-secure....s/00001393.html
March 3, 2008 - "...The MBR is the rootkit's launch point. Therefore it doesn't need to make any registry changes or to modify any existing startup executables in order to launch itself. This means that the only hooks it needs to make are used to hide and protect the modified MBR. Essentially this means that the rootkit hooks only two DWORDs from the disk.sys driver object... It is known that the rootkit's main purpose is to act as an ultimate downloader. To be stealthy and effective it is essential that the rootkit does not trigger nor is blocked by personal firewalls... During the weekend our Security Lab started to receive information about multiple drive-by exploit sites spreading the latest version... The actual site hosting the exploit code utilizes the following exploits:
Microsoft Data Access Components (MDAC) Function vulnerability (MS06-014)
AOL SuperBuddy ActiveX Control Code Execution vulnerability (CVE-2006-5820)
Online Media Technologies NCTsoft NCTAudioFile2 ActiveX Buffer Overflow (CVE-2007-0018)
GOM Player "GomWeb3" ActiveX Control Buffer Overflow (CVE-2007-5779)
Microsoft Internet Explorer WebViewFolderIcon setSlice (CVE-2006-3730)
Yahoo! JukeBox datagrid.dll AddButton() Buffer Overflow
DirectAnimation.PathControl KeyFrame vulnerability (CVE-2006-4777)
Microsoft DirectSpeechSynthesis Module Remote Buffer Overflow ...
The downloaded payloads seem to clearly target online banking and other financial systems. We detect the latest MBR rootkit variant as Backdoor.Win32.Sinowal.Y. The exploit site is currently resolving to an IP address of 216.245.195.114 and seems to still be active..."

(Screenshots available at the URL above.)

:ph34r:

Edited by AplusWebMaster, 17 April 2008 - 09:26 AM.



#3 AplusWebMaster

Posted 13 March 2008 - 06:39 AM

FYI...

- http://www.avertlabs...ttack-underway/
March 12, 2008 - "On the heels of recent iframe attacks, we’re currently tracking another mass compromise. This attack involves injection of script into a valid web page to include a reference to a malicious .JS file (sometimes in the BODY, other times in the TITLE section). The .JS file uses script to write an IFRAME, which loads an HTML file that attempts to exploit several vulnerabilities, including:
* MS06-014
* RealPlayer (ActiveX Control)
* Baofeng Storm (ActiveX Control)
* Xunlei Thunder DapPlayer (ActiveX Control)
* Ourgame GLWorld GlobalLink Chat (ActiveX Control)
This is one of those cascading threats, where one page leads to another and another, which leads to an executable, which leads to another and another. At least one of the payload trojans targets online gamers. Preliminary research results suggest more than 10,000 pages were affected by this hack attack..."

(Screenshot available at the URL above.)

:rant2: :ph34r:



#4 AplusWebMaster

Posted 13 March 2008 - 07:06 AM

More detail...

- http://preview.tinyurl.com/2l3b99
March 13, 2008 (Computerworld) - "...The Web attack, which appears to be a coordinated effort run out of servers in China, was first noticed by McAfee researchers on Wednesday morning. Within hours, the security company had tracked more than 10,000 Web pages infected on hundreds of Web sites... This same technique was used a year ago, when attackers infected the Web sites of the Miami Dolphins and Dolphins Stadium just prior to the 2007 Super Bowl XLI football game. The attack code takes advantage of bugs that have already been patched, so users whose software is up-to-date are not at risk. However, McAfee warns that some of the exploits are for obscure programs such as ActiveX controls for online games, which users may not think to patch. If the code is successful, it then installs a password-stealing program on the victim's computer that looks for passwords for a number of online games... "

:ph34r:

Edited by AplusWebMaster, 13 March 2008 - 07:31 AM.



#5 AplusWebMaster

Posted 13 March 2008 - 08:37 AM

More...

- http://www.theregist...ass_compromise/
13 March 2008 - "...Compromised web pages include travel sites, government websites, and hobbyist sites that have been modified with JavaScript code that silently redirects visitors to a site in China under the control of hackers. Miscreants likely reprogrammed the web pages after scanning the net for insecure servers. The malware cocktail attempts to exploit vulnerabilities in Windows, RealPlayer, and other applications to break into insecure PCs... Components of the malware attempt to steal passwords to online games while others leave a back door that allows the installation of additional malicious programs... A single organisation or small group is likely behind this attack, as the malicious code on all these pages is served up from the same server in China..."

:ph34r: :ph34r:



#6 AplusWebMaster

Posted 13 March 2008 - 02:05 PM

Apparently, still in use:

- http://www.finjan.co...nt.aspx?id=1367
(Malicious Page of the Month - synopsis - January 2008)
"...More than 10,000 websites in the US were infected in December by a new variant of (a) crimeware toolkit. The attack, which Finjan has designated 'random js toolkit', is an extremely elusive crimeware Trojan that infects an end user’s machine and sends data from the machine via the Internet to the Trojan's “master”, a cybercriminal."

- http://www.us-cert.g...exploitation_of
March 13, 2008

:ph34r:

Edited by AplusWebMaster, 13 March 2008 - 02:12 PM.



#7 AplusWebMaster

Posted 13 March 2008 - 08:40 PM

FYI...

- http://preview.tinyurl.com/39s9kz
March 13, 2008 (Computerworld) - "Antivirus vendor Trend Micro Inc. confirmed Thursday that "some portions" of its site had been hacked earlier this week, but hedged when asked if those pages had been serving up attack code to unsuspecting visitors... The English-language edition of the Yomiuri Shimbun, one of Japan's largest newspapers, said Trend Micro's site was hacked around 9:00 p.m. Sunday, Tokyo time (7:00 p.m. Eastern, on Saturday, in the U.S.)... The alert also said that users could have been infected by accessing one of 11 infected pages on the Japanese site or 20 pages on the English site, or by clicking a link embedded in the malware's name. All the pages were part of Trend Micro's malware encyclopedia, a searchable database of viruses, Trojans and worms. Sweeny, Trend's U.S. spokesman said "about 32" pages were involved, "most of them from the encyclopedia." Other reports speculated that the Trend Micro hack was part of the larger campaign that has infected some 20,000 pages in the past few days. According to researchers at McAfee Inc., those hacks are script-injection attacks that reference JavaScript attack code..."
* http://www.sophos.co...08/03/1186.html
"...According to reports in the Japanese media, a number of webpages on the firm’s Japanese and English-language website were altered by hackers on Sunday 9 March, who used a malicious iFrame exploit to deliver a Trojan horse onto surfers’ computers. Trend Micro is believed to have uncovered the problem on Wednesday 12 March and replaced affected pages with a message saying “This page is temporarily shut down for emergency maintenance”... It is believed that a SQL vulnerability on the site was exploited by the hackers... In a nutshell - what has happened here is a criminal act, and our friends at Trend Micro (and people visiting the hacked pages) are victims of the crime... This isn’t the time or place to make cheap shots against a competitor... Sophos discovers a new infected webpage every 14 seconds..."

:ph34r:

Edited by AplusWebMaster, 17 April 2008 - 09:15 AM.



#8 AplusWebMaster

Posted 14 March 2008 - 06:31 AM

FYI...

- http://preview.tinyurl.com/3xs996
March 13, 2008 (AvertLabs blog) - "Yesterday we uncovered a newer mass hack affecting over 10,000 web pages. That number has since doubled. Today, I took a look at another recent mass attack, which was similar to those reported by Dancho Danchev, but references a JS file rather than an IFRAME. The attack seems to have started more than a week ago, and nearly 200,000 web pages have been found to be compromised, most of which are running phpBB. This contrasts yesterday’s attack in that the vast majority of those were active server pages (.ASP). The ASP attacks are different than the phpBB ones in that the payload and method are quite different. Various exploits are used in the ASP attacks, where the phpBB ones rely on social engineering. phpBB mass hacks have occurred in the past, including those done by the Perl/Santy.worm back in 2004..."

:angry: :ph34r:



#9 AplusWebMaster

Posted 14 March 2008 - 09:55 AM

FYI...

- http://isc.sans.org/...ml?storyid=4139
Last Updated: 2008-03-14 16:28:06 UTC ...(Version: 2)
"Situation:
Over 10,000 legitimate websites [should read "pages"?] have been compromised and now have an iframe that will direct visitors to a malicious website hosted on 2117966.net. The malicious website attempts to exploit the vulnerabilities described in MS06-014, MS07-004, MS06-067, MS06-057 and a number of ActiveX vulnerabilities. Successful exploitation results in the installation of a password-stealing malicious program that attempts to steal the logon credentials from websites and online games.
- Recommended immediate action:
Block 2117966.net at your web proxy
- Recommended follow-up action:
Inspect your web proxy logs for visitors to 2117966.net. This will indicate who is potentially exposed. Check these systems to verify that their patches are up-to-date. Systems that are successfully compromised will begin sending traffic to 61.188.39.175 ( http://www.shadowser...lendar.20080313 ). Search your proxy logs for systems generating those requests and reimage the infected machines.
- Protecting Browsers:
A properly-patched system should not be at-risk from this attack. It is recommended to use a browser that does not support ActiveX..."

Update: Added additional exploit information...

* http://www.shadowser...r.20080313#toc1
"...2117966.net - Please do NOT visit this website, it should be considered dangerous..."

- http://www.us-cert.g...exploitation_of
updated March 14, 2008 at 12:56 pm (EDT)
"...This issue is currently exploiting a variety of vulnerabilities:
* Baofeng Storm ActiveX
* Ourgame GLChat ActiveX
* Microsoft Internet Explorer VML (VU#122084)
* Qvod Player ActiveX
* Microsoft RDS.Dataspace ActiveX (VU#234812)
* RealPlayer playlist ActiveX (VU#871673)
* Storm Player ActiveX
* Microsoft Windows WebViewFolderIcon ActiveX (VU#753044)
* Xunlei Thunder DapPlayer ActiveX ...

- http://isc.sans.org/...ml?storyid=4139
Last Updated: 2008-03-16 14:21:29 UTC ...(Version: 4)
"Update: this was misidentified as an iframe injection when in fact it was a javascript link on the altered ASP* pages."
* Active Server Page(s) (Microsoft web scripting language and file extension)

('Still, block that URL.)

:ph34r: :ph34r:

Edited by AplusWebMaster, 16 March 2008 - 11:41 AM.

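The SANS handler's advice above is a two-step proxy-log triage: anyone who fetched from 2117966.net was exposed, and anyone who then talked to 61.188.39.175 is probably infected. The script below is an added example (not the forum author's or SANS's code) that does that triage over constructed Squid-style log lines; the request paths in the samples are placeholders, only the two indicator hosts come from the quoted advisories.

```python
"""Triage proxy logs for the 2117966.net campaign indicators.

A request to 2117966.net marks a client as exposed (it loaded the injected
script); a later request to 61.188.39.175 marks it as likely compromised
(post-infection traffic, per the quoted Shadowserver note). Added example,
not the forum author's or SANS's code. The log layout mimics a Squid
access.log and every sample line is constructed; the request paths are
placeholders, not real filenames from the campaign.
"""
from urllib.parse import urlsplit

# Indicators exactly as given in the quoted advisories.
EXPOSURE_HOSTS = {"2117966.net"}
BEACON_HOSTS = {"61.188.39.175"}

# Constructed sample: epoch, elapsed ms, client, status, bytes, method, URL, ...
SAMPLE_LOG = """\
1205424000.123 245 10.0.0.15 TCP_MISS/200 4211 GET http://travel.example/index.asp - DIRECT/203.0.113.10 text/html
1205424001.456 91 10.0.0.15 TCP_MISS/200 1830 GET http://2117966.net/injected.js - DIRECT/203.0.113.20 application/x-javascript
1205424040.001 130 10.0.0.15 TCP_MISS/200 9020 GET http://61.188.39.175/stage2.exe - DIRECT/61.188.39.175 application/octet-stream
1205424100.777 88 10.0.0.22 TCP_MISS/200 1830 GET http://www.2117966.net/injected.js - DIRECT/203.0.113.20 application/x-javascript
1205424150.500 300 10.0.0.30 TCP_MISS/200 5120 GET http://news.example/ - DIRECT/203.0.113.30 text/html
1205424160.200 20 10.0.0.41 TCP_TUNNEL/200 0 CONNECT 2117966.net:443 - DIRECT/203.0.113.20 -
this line is malformed and must be skipped
"""


def parse_line(line):
    """Return (timestamp, client_ip, host) for one log line, or None if unusable."""
    parts = line.split()
    if len(parts) < 7:
        return None
    try:
        ts = float(parts[0])
    except ValueError:
        return None
    client, method, url = parts[2], parts[5], parts[6]
    # CONNECT lines carry "host:port" rather than a full URL.
    host = url.rsplit(":", 1)[0] if method == "CONNECT" else urlsplit(url).hostname
    return (ts, client, host.lower()) if host else None


def matches(host, indicators):
    """True if host is an indicator or a subdomain of one."""
    return any(host == ind or host.endswith("." + ind) for ind in indicators)


def triage(log_text, exposure_hosts=EXPOSURE_HOSTS, beacon_hosts=BEACON_HOSTS):
    """Map client IP -> first-seen timestamps for exposure and beacon traffic."""
    findings = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, host = rec
        if matches(host, exposure_hosts):
            key = "exposed_at"
        elif matches(host, beacon_hosts):
            key = "beacon_at"
        else:
            continue
        entry = findings.setdefault(client, {"exposed_at": None, "beacon_at": None})
        if entry[key] is None:          # keep the earliest sighting
            entry[key] = ts
    return findings


def exposed_clients(findings):
    """Clients that fetched the injected script: verify their patch state."""
    return sorted(c for c, f in findings.items() if f["exposed_at"] is not None)


def compromised_clients(findings):
    """Clients showing post-infection traffic: candidates for reimaging."""
    return sorted(c for c, f in findings.items() if f["beacon_at"] is not None)


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("exposed:    ", exposed_clients(result))
    print("compromised:", compromised_clients(result))
```

Matching on the host rather than the full URL is deliberate: the diary was later corrected from "iframe" to "javascript link", so the exact path is unreliable, while the host stays a usable indicator. CONNECT lines are handled separately because proxies log them as host:port, not as a URL.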


#10 AplusWebMaster

Posted 15 March 2008 - 11:46 AM

FYI...

The -Other- iframe attack...
- http://isc.sans.org/...ml?storyid=4144
Last Updated: 2008-03-15 17:23:13 UTC - "...The 2117966.net (please, do NOT visit that site) campaign affected approximately 13,800 ASP pages. No php pages.

>>> This -other- attack is reported to have affected around 200,000 phpBB pages. It's a bigger attack and very important, you should read Dancho's blog, it has IP addresses and domains to look for in your logs as well as what traffic an infected system will generate. If you're a website administrator, also take a close read of his 04-MAR-2008 entry:
http://ddanchev.blog...-iframe-ed.html
Pay particular attention to how they're inserting the code into the site (from Dancho's Blog):
"(The sites) themselves aren't compromised, their SEO practices of locally caching any search queries submitted are abused. Basically, whenever the malicious attacker is feeding the search engine with popular queries, the sites are caching the search results, so when the malicious party is also searching for the IFRAME in a "loadable state" next to the keyword, it loads. Therefore, relying on the high page ranks of both sites, the probability to have the cached pages with the popular key words easy to find on the major search engines, with the now "creative" combination of the embedded IFRAME, becomes a reality if you even take a modest sample, mostly names."

This is important. It's not obvious to me how to fix the problem..."

:ph34r: :ph34r:

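Dancho's description above boils down to one flaw: the site writes the raw search query into a results page and then caches that page for later visitors, so whatever markup the query carried is served to everyone who hits the cached copy. The following added example (not code from the forum author, the quoted blog, or any affected site) models that flow with a toy cache and shows the fix the later posts in this thread name, escaping the input before it is rendered or cached. The query string and the result list are constructed.

```python
"""Search-result caching flaw side by side with the fix (escape user input
before it is rendered or cached). Added example; not code from the forum
author, the quoted blog, or any affected site. The query string and the
result list are constructed.
"""
import html
from html.parser import HTMLParser

# Constructed attacker query: a popular keyword with a hidden IFRAME appended.
INJECTED_QUERY = 'celebrity name <iframe src="http://redirect.example/" width="0" height="0"></iframe>'


def render_results_page(query, hits, escape_output=True):
    """Build the results page. escape_output=False reproduces the flaw:
    the raw query is written straight into the HTML (and then cached)."""
    enc = (lambda s: html.escape(s, quote=True)) if escape_output else (lambda s: s)
    items = "".join(f"<li>{enc(h)}</li>" for h in hits)
    return (
        "<html><head><title>Site search</title></head>"
        f"<body><h1>Results for {enc(query)}</h1><ul>{items}</ul></body></html>"
    )


class SearchSite:
    """Toy site that caches rendered result pages keyed by the query."""

    def __init__(self, escape_output=True, cache_results=True):
        self.escape_output = escape_output
        self.cache_results = cache_results
        self._cache = {}

    def search(self, query):
        key = query.strip().lower()
        if self.cache_results and key in self._cache:
            return self._cache[key]
        hits = ["Constructed result 1", "Constructed result 2"]  # stand-in for an index lookup
        page = render_results_page(query, hits, self.escape_output)
        if self.cache_results:
            self._cache[key] = page          # whatever is cached is served to later visitors
        return page


class _FrameFinder(HTMLParser):
    """Collect iframe/script tags that actually survive as markup."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "script"):
            self.found.append((tag, dict(attrs).get("src")))


def injected_frames(page_html):
    """Return [(tag, src), ...] for every iframe/script tag a browser would act on."""
    finder = _FrameFinder()
    finder.feed(page_html)
    finder.close()
    return finder.found


def demo():
    """Run the same query against the flawed and the hardened site."""
    vulnerable = SearchSite(escape_output=False)
    hardened = SearchSite(escape_output=True)
    return {
        "vulnerable": injected_frames(vulnerable.search(INJECTED_QUERY)),
        "hardened": injected_frames(hardened.search(INJECTED_QUERY)),
        "hardened_page": hardened.search(INJECTED_QUERY),
        # Second lookup returns the cached object, i.e. the unescaped page persists.
        "cached_unescaped": vulnerable.search(INJECTED_QUERY) is vulnerable.search(INJECTED_QUERY),
    }


if __name__ == "__main__":
    print(demo())
```

Note that escaping is applied at render time, so the cache only ever holds the safe form; turning `cache_results` off is the other mitigation mentioned in this thread, but it leaves the reflected-query problem in place for the visitor who submitted it, which is why the escaping fix is the one to keep.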



#11 AplusWebMaster

Posted 17 March 2008 - 03:50 AM

More...

IFRAME redirects...
- http://www.networkwo...ive-iframe.html
03/16/2008 - "...Danchev* listed more than 20 sites that together account for more than 401,000 IFRAME-injected pages... he had identified more than 100 bogus .info domains that were acting as the second-stage redirectors. Trace it back far enough, and the path leads to the Russian Business Network (RBN)... "What this means is that known Russian Business Network netblocks are receiving all the re-routed DNS queries from infected hosts, thereby setting up the foundations for a large scale pharming attack"... If users rejected the bogus call to install the codec, the string is broken, and no harm can come to them. Web site operators, on the other hand, can take a number of steps, including properly sanitizing all user input or not caching previous searches..."
* http://ddanchev.blog...e-injected.html
March 12, 2008 - "...a new malware variant of Zlob is attempting to install through an ActiveX object. These are the high profile sites targeted by the same group within the past 48 hours, with number of locally cached and IFRAME injected pages within their search engines..."

** http://ddanchev.blog...ing-rbn-ed.html
March 10, 2008 - "...The attack is still ongoing, this time successfully injecting a multitude of new domains into Wired Magazine, and History.com's search engines, which are again caching anything submitted, particularly not validated input to have the malicious parties in the face of the RBN introducing a new malware..."

Example: http://ca.com/us/sec...px?id=453119651
Latest DAT Release 03 13 2008 - "This fake codec is actually a hijacker that will change your DNS settings whether you acquire your IP settings through DHCP or set your IP information manually. This hijacker will attempt to re-route all your DNS queries through 85.255.x.29 or 85.255.x.121 (RBN).... rogue DNS servers..."

:ph34r:

Edited by AplusWebMaster, 17 March 2008 - 05:17 AM.

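The CA description quoted above gives a concrete post-infection artefact to look for: resolvers rewritten to 85.255.x.29 or 85.255.x.121, whether the host uses DHCP or static settings. Below is an added example (not the forum author's or CA's code) that parses the text of `ipconfig /all` and flags any resolver inside 85.255.0.0/16 or outside the list you expect on your network. The ipconfig sample is constructed and the 85.255.112.x addresses are placeholders standing in for the "x" octet.

```python
"""Check a Windows host's configured resolvers against the rogue DNS range
named in the quoted CA write-up (85.255.x.29 / 85.255.x.121). Added example;
not the forum author's or CA's code. It parses the text of `ipconfig /all`
(the sample below is constructed; the 85.255.112.x addresses are placeholders
for the 'x' octet) and flags resolvers inside that range or outside the list
you expect on your network.
"""
import ipaddress
import re

# From the quoted description: the hijacker points hosts at 85.255.x.29 or 85.255.x.121.
ROGUE_RANGE = ipaddress.ip_network("85.255.0.0/16")

SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : corp.example
   IP Address. . . . . . . . . . . . : 192.168.1.23
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 85.255.112.29
                                       85.255.112.121

Ethernet adapter Wireless Network Connection:

   DNS Servers . . . . . . . . . . . : 192.168.1.1
"""

_ADAPTER = re.compile(r"^(\S.*):\s*$")                        # unindented "... adapter Name:" lines
_DNS_LINE = re.compile(r"^\s+DNS Servers[ .]*:\s*(\S+)\s*$")  # first resolver on the labelled line


def _as_ip(text):
    """Parse an address literal, or return None."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def parse_dns_servers(ipconfig_text):
    """Return {adapter_name: [resolver, ...]} from ipconfig /all output."""
    servers, adapter, collecting = {}, None, False
    for line in ipconfig_text.splitlines():
        m = _ADAPTER.match(line)
        if m:
            adapter, collecting = m.group(1), False
            continue
        m = _DNS_LINE.match(line)
        if m and adapter:
            servers.setdefault(adapter, []).append(m.group(1))
            collecting = True           # further resolvers follow on indented lines
            continue
        if collecting and line.startswith(" ") and _as_ip(line.strip()):
            servers[adapter].append(line.strip())
        else:
            collecting = False
    return servers


def audit_resolvers(ipconfig_text, expected_resolvers):
    """List (adapter, resolver, reason) for every resolver that should not be there."""
    expected = {ipaddress.ip_address(r) for r in expected_resolvers}
    findings = []
    for adapter, resolvers in parse_dns_servers(ipconfig_text).items():
        for r in resolvers:
            ip = _as_ip(r)
            if ip is None:
                findings.append((adapter, r, "unparseable resolver entry"))
            elif ip in ROGUE_RANGE:
                # Checked before the allow-list: a rogue address is flagged even if someone added it there.
                findings.append((adapter, r, "inside known rogue DNS range 85.255.0.0/16"))
            elif ip not in expected:
                findings.append((adapter, r, "not in the expected resolver list"))
    return findings


if __name__ == "__main__":
    for finding in audit_resolvers(SAMPLE_IPCONFIG, ["192.168.1.1"]):
        print(*finding, sep=" | ")
```

The allow-list check matters as much as the range check: the page's point is that the hijacker works on both DHCP and static configurations, so "resolver differs from what the DHCP server hands out" is a finding in its own right, even when the address is not in a range you already know to be rogue.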


#12 AplusWebMaster

Posted 18 March 2008 - 03:25 PM

FYI...

MSNBC is latest victim in mass javascript injection
- http://www.websense....php?AlertID=848
March 18, 2008 - "... the official Web site of MSNBC Sports has been compromised with malicious code. This same attack has compromised dozens of other high-profile sites such as ZDNet, archive.org, wired.com, and history.com. We have notified the owners of MSNBC of the malicious content on their site. This attack has been discussed in our previous blog*. It is important to note that the hub site that is hosting the malicious JavaScript is currently down...
(Other)References:
* http://www.websense.....php?BlogID=179
** http://ddanchev.blog...-iframe-ed.html ..."

(Screenshot available at the Websense URL above.)

:ph34r:

Edited by AplusWebMaster, 18 March 2008 - 04:33 PM.



#13 AplusWebMaster

Posted 18 March 2008 - 06:38 PM

Have a look...

Malicious site: MSNBC Sports compromised
1- http://www.websense....php?AlertID=848
March 18, 2008

Spammers using Google ads to redirect users to Malware:
2- http://preview.tinyurl.com/2opnkh
March 17, 2008 (McAfee Avert Labs)

IFRAME redirects...
3- http://www.networkwo...ive-iframe.html
March 16, 2008 - "...Danchev* listed more than 20 sites that together account for more than 401,000 IFRAME-injected pages... he had identified more than 100 bogus .info domains that were acting as the second-stage redirectors. Trace it back far enough, and the path leads to the Russian Business Network (RBN)..."
* http://ddanchev.blog...e-injected.html
March 12, 2008

Shadowserver report: I/P in China serving malicious javascript...
4- http://www.shadowser...r.20080313#toc1
March 13, 2008 - ...in conjunction/coordination with:
4A- http://www.us-cert.g...jection_attacks
updated March 14, 2008
4B- http://www.us-cert.g...exploitation_of
updated March 14, 2008

(Multiple sites) ...getting RBN-ed
5- http://ddanchev.blog...ing-rbn-ed.html
March 10, 2008 - "...The attack is still ongoing, this time successfully injecting a multitude of new domains into Wired Magazine, and History.com's search engines, which are again caching anything submitted, particularly not validated input to have the malicious parties in the face of the RBN introducing a new malware..."
Example: http://ca.com/us/sec...px?id=453119651

More to come...

:ph34r: :ph34r: :ph34r: :ph34r: :ph34r:



#14 AplusWebMaster

Posted 20 March 2008 - 10:31 AM

FYI...

- http://www.symantec....learnabout.html
(03.20.2008) - "...DeepSight Threat Analyst Team is currently monitoring a number of ongoing mass SQL-injection attacks that are manipulating victim servers to host malicious content to browsing clients.
- A number of these attacks are currently being carried out. One attack involves a failure to sanitize cached search results, allowing malicious HTML to be injected into search result pages. This has affected a number of high-profile sites and has been thoroughly documented by the researcher who originally discovered the attacks: ( http://ddanchev.blog...e-injected.html )
- Another attack is currently targeting servers running vulnerable ASP scripts that can be exploited through SQL injection to host malicious HTML code. The injected code references a malicious script... which in turn injects an IFRAME into the page to redirect users to a site that tries to exploit various known and patched vulnerabilities. This attack is believed to have affected over 15,000 pages, but the number of unique servers compromised may be far less.
- Yet another large-scale attack involving SQL injection is targeting servers running PHPBB. This attack injects HTML code that loads a malicious JavaScript file from 'free.hostpinoy.com'. Reports indicate that this attack is much more prevalent, perhaps because of the ubiquity of PHPBB. Over 150,000 pages may be affected. Note again, however, that the number of unique servers compromised may be far less. In previously observed cases, over 5000 pages have been affected on a single domain. At the time of writing, most of the sites hosting the exploits or malicious JavaScript are down, but they may come back online at any time. Administrators are advised to audit their web services to ensure that no exploitable flaws exist in the publicly exposed scripts and that the latest versions are installed. Network admins are advised to block access to '2117966.net' and 'free.hostpinoy.com' at the gateway.

Clients are advised to browse using strict security policies. The following list of strategies may prevent or hamper an attack:
- Run browser software with the least privileges possible.
- Disable JavaScript, IFRAMEs, and ActiveX controls.
- Enable OS security mechanisms such as Data Execution Prevention (DEP).
- Ensure that browsing software is up to date.
- Filter all web activity through security products such as an Intrusion Prevention system."

EDIT/ADD: http://www.shadowser...lendar.20080320
20 March 2008 - "...In our last post we mentioned the several thousands of websites that were SQL injected to reference malicious JavaScript code on 2117966.net. At the time we were actually just taking an educated guess that this was the result of SQL injection. However, it has since been confirmed... It turns out this is the same IP address that carried out the SQL injection attacks related to the uc8010.com incident*. Not very subtle are they? You might want to keep an eye out for the IP 202.101.162.73"
* http://isc.sans.org/...ml?storyid=3823

(Please do NOT visit any of those IP's in the commentary - they all should be considered dangerous.)

:ph34r:

Edited by AplusWebMaster, 20 March 2008 - 12:45 PM.

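Symantec's advice above ("audit their web services") and the McAfee description earlier in the thread (a script reference injected into otherwise valid pages, pointing at an off-site .JS file) suggest a simple audit a site owner can run over their own pages: list every `<script src>` and `<iframe src>` whose host is neither the site itself nor a known third party. The following is an added example, not code from the forum author or the quoted vendors. The page bodies are constructed; 2117966.net and free.hostpinoy.com are the hosts named in this thread, the file paths are placeholders.

```python
"""Audit pages for injected <script src> / <iframe src> references to hosts
outside the site's own allow-list. Added example, not code from the forum
author or the quoted vendors. The page bodies are constructed; 2117966.net
and free.hostpinoy.com are the hosts named in the thread, the paths are
placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

SAMPLE_PAGES = {
    "/index.asp": """<html><head><title>Travel deals</title>
<script src="/js/site.js"></script></head>
<body><h1>Welcome</h1><script src="https://cdn.example/lib.js"></script></body></html>""",
    "/deals.asp": """<html><head><title>Deals</title></head>
<body><p>Spring offers</p>
<script src="http://2117966.net/injected.js"></script>
</body></html>""",
    "/forum/viewtopic.php": """<html><body><p>Forum index</p>
<script src="http://free.hostpinoy.com/injected.js"></script>
<iframe src="//redirect.example/" width="0" height="0"></iframe>
</body></html>""",
}


class _RefCollector(HTMLParser):
    """Record (tag, src, line number) for every script/iframe start tag."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.refs.append((tag, src, self.getpos()[0]))


def external_references(page_html, page_host, allowed_hosts=()):
    """Return script/iframe references whose host is neither the site nor an allowed host."""
    allowed = {page_host.lower(), *(h.lower() for h in allowed_hosts)}
    collector = _RefCollector()
    collector.feed(page_html)
    collector.close()
    findings = []
    for tag, src, line in collector.refs:
        host = urlsplit(src).hostname      # None for relative paths such as /js/site.js
        if host and host.lower() not in allowed:
            findings.append({"tag": tag, "src": src, "host": host.lower(), "line": line})
    return findings


def scan_site(pages, page_host, allowed_hosts=()):
    """Map path -> findings for every page that carries an off-site reference."""
    report = {}
    for path, body in pages.items():
        found = external_references(body, page_host, allowed_hosts)
        if found:
            report[path] = found
    return report


if __name__ == "__main__":
    for path, found in scan_site(SAMPLE_PAGES, "www.travel.example", ["cdn.example"]).items():
        for f in found:
            print(f"{path}:{f['line']} <{f['tag']}> -> {f['host']} ({f['src']})")
```

Run it over a crawl of your own site (or the HTML stored in the database, since the SQL-injected variant puts the markup in the data, not the templates). Protocol-relative `//host/...` sources are resolved to a host like any other, because the thread's redirector domains were reached that way as easily as with an explicit scheme.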


#15 AplusWebMaster

Posted 20 March 2008 - 03:28 PM

FYI...

- http://preview.tinyurl.com/3e5n3v
March 19, 2008 (McAfee Avert Labs) - "Yesterday we received new variants of the StealthMBR rootkit from the field. The basic strategy of overwriting the master boot record and hooking the IRP table of \\driver\disk to protect itself is still the same as we explained in our original StealthMBR blog. However, from the perspective of cleaning this threat, the rootkit has been modified to better protect itself from being removed... A very common self-protection technique exhibited by various malware in user-land is to execute a “watcher” thread that continuously polls its various components, memory, and registry entries for changes by the user or any anti-virus products. StealthMBR has taken this technique into kernel space, where it executes watcher threads in the system processes’ context. StealthMBR’s thread continuously checks for any attempt to restore the original MBR or remove its memory protection hooks. If they are modified, it patches the MBR and hooks right back..."

:ph34r:

