
SQL injection attacks...


111 replies to this topic

#61 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 19 May 2009 - 10:39 AM

FYI...

- http://preview.tinyurl.com/qlr9ba
05-19-2009 Symantec Security Response Blog - "The malicious code Whac-a-Mole game continues. Just as security vendors start detecting the domains and malware associated with the drive-by download attacks coming from the malicious Gumblar domains, the bad guys are changing the game and popping up from Martuz dot cn, which, according to Who.is, is located in the UK with a 95.129.x.x IP Address. The JavaScript appearing on the websites has also become more obfuscated, making the attacks slightly harder for IT managers and Web administrators to detect. The attackers are easily able to change the obfuscation by substituting portions of the domain name with variables instead of spelling out the domain all at once. The updated malicious JavaScript also performs a test to deliver a different payload for users of Google Chrome browsers, since Chrome has a blacklist of suspicious and malicious domains. The drive-by download tries to exploit a number of underlying vulnerabilities, including some for Adobe Acrobat and Adobe Flash. Users should make sure that their systems are running the latest versions of these and other third-party applications to help mitigate the risk of being compromised.
So how is it that so many websites are compromised at one time? Often it is due to SQL injection errors or direct hacking into the back end of the hosting companies, but it appears that this recent problem may be more about compromised FTP passwords that belonged to the people that administer the websites. In any case, it means the bad guys are able to continually change the malicious code until the admin changes the FTP passwords and blocks the trespassing... We expect the domains and malicious JavaScript appearing on the websites to continually change as one mole is whacked, and another pops up..."

- http://isc.sans.org/...ml?storyid=6403
Last Updated: 2009-05-19 13:02:01 UTC - "... the dropbox for this trojan, gumblar .cn has been offline since last friday, but a successor has come online, martuz .cn..."

- http://blog.scansafe...cn-is-down.html
May 19, 2009
- http://blog.scansafe...no-gumblar.html
- http://blog.scansafe...d-websites.html

- http://www.us-cert.g...ack_circulating
May 18, 2009

:ph34r: :ph34r:

Edited by AplusWebMaster, 20 May 2009 - 04:37 AM.
Added ISC, Scansafe, and US-Cert links...

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#62 AplusWebMaster


Posted 22 May 2009 - 10:37 AM

FYI...

Gumblar/Martuz/Geno attack
- http://isc.sans.org/...ml?storyid=6430
Last Updated: 2009-05-21 19:29:48 UTC - "... client side analysis* and writeup of recent gumblar malware attacks..."
* http://preview.tinyurl.com/pc26gr
May 21, 2009 InfoSec from the trenches - "... Once compromised by Gumblar/Martuz/Geno, victims will have many pieces of malware loaded onto their machines; this malware does the following:
• Steals FTP credentials
• Sends SPAM
• Installs fake antivirus
• Hijacks Google search queries
• Disables security software
The exploits used are for Adobe Acrobat and Adobe Flash Player...
...this is a very large attack encompassing many malicious payloads..."

:angry: :ph34r:



#63 AplusWebMaster


Posted 29 May 2009 - 05:02 PM

FYI...

Mass Injection Compromises More than Twenty-Thousand Web Sites
- http://securitylabs....lerts/3405.aspx
05.29.2009 - "Websense... has detected that a large compromise of legitimate Web sites is currently taking place around the globe. Thousands of legitimate Web sites have been discovered to be injected with malicious Javascript, obfuscated code that leads to an active exploit site. The active exploit site uses a name similar to the legitimate Google Analytics domain (google-analytics.com), which provides statistical services to Web sites. This mass injection attack does -not- seem related to Gumblar. The location of the injection, as well as the decoded code itself, seem to indicate a new, unrelated, mass injection campaign... The exploit site is laden with various attacks. After successful exploitation, a malicious file is run on the exploited computer. The executed malware file has a very low AV detection rate*..."
* http://preview.tinyurl.com/lphk6r
File sysCF.tmp.exe received on 2009.05.29 17:04:04 (UTC) - Virustotal.com
Result: 4/39 (10.26%)

:ph34r: :angry: :ph34r:



#64 Shadab

Shadab

    Authentic Member

  • Authentic Member
  • PipPip
  • 68 posts
  • Interests:Any sedentary activity.

Posted 29 May 2009 - 11:30 PM

So how are the webpages getting compromised in the first place? Directly exploiting the server? Webmasters unknowingly uploading infected pages? (less possibility)

My periodic table contains only 1 element : the element of Surprise.

It is impossible for a man to learn what he thinks he already knows.


#65 AplusWebMaster


Posted 30 May 2009 - 02:49 AM

So how are the webpages getting compromised in the first place? Directly exploiting the server?...

Typically, a hack takes place against a server/OS with a known vulnerability that has not yet been patched; it is much easier for an announced vulnerability/patch to be reverse engineered and attacked.
Keeping up with patches is quite a chore, and most need to be tested to be certain they don't conflict with the other applications in use - that's what causes most delays in getting all the patches installed promptly.
In this case, it appears the forensic analysis of the hack is incomplete, so we'll have to wait for that to know exactly -how- it was done.

Other examples:
- http://www.informati...cleID=217700619
May 28, 2009

- http://www.verizonbu...isk/databreach/
• 91% of all compromised records were attributed to organized criminal groups
• 99.6% of records were compromised from servers and applications
• 74% resulted from external sources
• 69% were discovered by a 3rd party
• 67% were aided by significant errors
• 32% implicated business partners

Edited by AplusWebMaster, 31 May 2009 - 06:13 AM.
Added InformationWeek and Verizon report links...



#66 AplusWebMaster


Posted 30 May 2009 - 01:08 PM

FYI...

- http://www.theregist..._web_infection/
30 May 2009 - "... has spread to about 30,000 websites run by businesses, government agencies and other organizations, researchers warned Friday. The infection sneaks malicious javascript onto the front page of websites, most likely by exploiting a common application that leads to a SQL injection, said Stephan Chenette, manager for security research at security firm Websense. The injected code is designed to look like a Google Analytics script, and it uses obfuscated javascript, so it is hard to spot. The malicious payload silently redirects visitors of infected sites to servers that analyze the end-user PC. Based on the results, it attempts to exploit one or more of about 10 different unpatched vulnerabilities on the visitor's machine. If none exist, the webserver delivers a popup window that claims the PC is infected in an attempt to trick the person into installing rogue anti-virus software..."

:ph34r:



#67 AplusWebMaster


Posted 01 June 2009 - 10:23 PM

FYI...

- http://securitylabs....Blogs/3408.aspx
06.01.2009 - "... Mass compromises... regularly take place, because attackers commonly use server-side vulnerabilities in an automated way to infiltrate legitimate Web sites and inject them with malicious code... The malicious code injected in the Beladen attacks* uses an obfuscation method that starts with the initialization of a long, obfuscated string parameter. This gets de-obfuscated and then executed by the browser. This kind of obfuscation can employ many levels of obfuscation - where obfuscated code leads to more obfuscated code, and so on... the malicious URL name redirects to a site with a name very similar to the Google Analytics service (this service exists at 'google-analytics.com'). Once redirection occurs, the user is redirected again to the exploit payload site, Beladen. Beladen uses wildcarded subdomains, so each time Beladen is used by the intermediate redirecting site, a different subdomain is used... Beladen is the exploit site where several exploits try to compromise the redirected browser. Beladen means loaded in German - a suitable name because the site is loaded with exploits. Once the browser is redirected to Beladen, there is another internal redirect check that verifies the referrer, to subvert any direct mining attempts to the site's obfuscated exploit code... the hosting malicious site was located at the IP subnet block of 58.65.238.0/24, which was part of the Russian Business Network (RBN). The threat this time comes from the IP block of 91.207.61.0/24, which is part of AS48031 NOVIKOV located in the Ukraine. According to our log data, this autonomous system has been quite busy spreading malicious code using Scareware, Rogue Antivirus software, and exploit sites (including the latest PDF exploits). The IP address hosting the specific attack we described holds yet another typosquat Google-like domain..."
* http://securitylabs....lerts/3405.aspx

:ph34r: <_< :ph34r:



#68 AplusWebMaster


Posted 04 June 2009 - 05:29 PM

FYI...

Malware payload site changes to Shkarkimi
- http://securitylabs....lerts/3412.aspx
06.04.2009 - "... the payload site for the mass compromise known as Beladen, has changed from Beladen to Shkarkimi. The new site is hosted on the same IP address as Beladen and the exploits it serves are the same. The obfuscated typosquatting domain of Google-Analytics leading to the exploit site Shkarkimi is still massively injected. We can confirm that, as of the time of writing, around 30,000 Web Sites are injected with code that eventually leads to Shkarkimi. For more details about this attack, please see our blog on Beladen*..."
* http://securitylabs....Blogs/3408.aspx
... Shkarkimi has a very similar network topology to Beladen. Yesterday, Google Security Team posted a list of the top ten malware domains which included googleanalystlcs.net [ note the typosquat ] as one of the top 10 malware sites**..."
** http://googleonlines...ware-sites.html

(Screenshots available at the first URL above.)

:ph34r: <_< :ph34r:

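The posts above describe two indicators a site owner can look for in their own pages: a script or iframe whose host is a near-miss of google-analytics.com (googleanalystlcs.net is the one quoted here), and an inline script that feeds a long escaped string to eval/unescape. The following Python scanner, added here as an illustration and not code from the thread or from Websense/Google, checks both. The sample page, the edit-distance threshold of 3 and the escape-count threshold of 20 are my assumptions.

```python
"""Flag script/iframe tags that impersonate google-analytics.com and
inline scripts that look like long escaped strings fed to a decoder."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the genuine Google Analytics snippet loads from (allowlist).
LEGIT_GA_HOSTS = {"google-analytics.com", "www.google-analytics.com",
                  "ssl.google-analytics.com"}
TARGET_STEMS = ("google-analytics", "googleanalytics")
ESCAPE_RE = re.compile(r"(?:\\x[0-9a-fA-F]{2}|%u[0-9a-fA-F]{4}|%[0-9a-fA-F]{2})")
DECODER_RE = re.compile(r"\b(eval|unescape|String\.fromCharCode|document\.write)\b")
LONG_LITERAL_RE = re.compile(r"""(['"])[^'"]{200,}\1""")


def edit_distance(a, b):
    """Plain Levenshtein distance; domain labels are short, so O(n*m) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_ga_lookalike(host):
    """True when the registered label is close to the GA domain but the host is not the real one."""
    host = host.lower().rstrip(".")
    if host in LEGIT_GA_HOSTS:
        return False
    labels = host.split(".")
    sld = labels[-2] if len(labels) >= 2 else host   # e.g. "googleanalystlcs"
    return any(edit_distance(sld, stem) <= 3 for stem in TARGET_STEMS)  # threshold is an assumption


def looks_obfuscated(js):
    """Heuristic: a decoder call plus either many escape sequences or one very long literal."""
    escapes = len(ESCAPE_RE.findall(js))
    long_literal = LONG_LITERAL_RE.search(js) is not None
    has_decoder = DECODER_RE.search(js) is not None
    return has_decoder and (escapes >= 20 or long_literal)


class InjectionScanner(HTMLParser):
    """Collects (kind, detail) findings while walking a page."""
    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "iframe") and a.get("src"):
            host = urlparse(a["src"]).hostname or ""
            if is_ga_lookalike(host):
                self.findings.append(("lookalike-domain", f"{tag} src host {host}"))
        if tag == "script":
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            js = "".join(self._buf)
            if looks_obfuscated(js):
                self.findings.append(("obfuscated-inline-script", f"{len(js)} chars"))
            self._in_script = False


def scan_html(html):
    s = InjectionScanner()
    s.feed(html)
    s.close()
    return s.findings


# Constructed sample page: a genuine GA include, the typosquat domain quoted in the
# thread, and a benign inline script shaped like the injected ones (escaped string + eval).
SAMPLE_PAGE = (
    '<html><head>'
    '<script src="http://www.google-analytics.com/ga.js"></script>'
    '<script src="http://googleanalystlcs.net/ga.js"></script>'
    '<script>var s="' + "".join("\\x%02x" % ord(c) for c in "hello world" * 4)
    + '";eval(unescape(s));</script></head><body>'
    '<iframe src="http://example.com/frame.html"></iframe></body></html>'
)

if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_PAGE):
        print(kind, "-", detail)
```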


#69 AplusWebMaster


Posted 07 June 2009 - 04:02 AM

FYI...

- http://blog.trendmic...-info-stealers/
June 6, 2009 - "Aside from Gumblar, another incident of mass compromised web sites has been seen in the wild lately, and has raised as much concern as the former. This one starts with the same technique: a malicious IFRAME unknowingly embedded in a legitimate website, injected via JavaScript. The said IFRAME redirects to another IFRAME, which in turn executes obfuscated JavaScript code. Once decoded, it tries to connect to URLs to download exploits for several vulnerabilities in order to gain access to the affected user's system. The obfuscated malicious JavaScript is detected as JS_DROPPER.LOK while the URLs that trigger the download of the exploits are detected as TROJ_SHELLCOD.HT. Upon successful exploitation, other malicious files are then downloaded, which Trend Micro detects as TROJ_MEDPINCH.B, and TROJ_MEDPINCH.A. TROJ_MEDPINCH.B connects to other URLs to download info-stealers SPYW_IEWATCHER and TSPY_LDPINCH.CBS. On the other hand, TROJ_MEDPINCH.A drops yet another info-stealer: TSPY_LDPINCH.ASG. TSPY_LDPINCH.ASG steals account information related to the following applications: This spyware steals user names, passwords, and other account and installation information of the following applications:
• INETCOMM Server
• Microsoft Outlook
• Mirabilis ICQ
• Opera Software
• The Bat!
• Total Commander
• Trillian
Though this compromise occurs within close proximity days after Gumblar's last attack, no mention of the Gumblar.{BLOCKED} domain appears in the code. This attack may indeed be a separate one from Gumblar, or possibly be inspired by it. Related URLs are already blocked by the Smart Protection Network, but it is highly advised that users patch their systems to minimize the chances of exploit through the following updates:
* Vulnerability in Windows Explorer Could Allow Remote Execution MS06-057
- http://www.microsoft...n/ms06-057.mspx
* Buffer overflow in Apple QuickTime 7.1.3
- http://cve.mitre.org...e=CVE-2007-0015
* Buffer overflow in the WZFILEVIEW.FileViewCtrl.61 ActiveX control
- http://cve.mitre.org...e=CVE-2006-6884
* Vulnerability in the Microsoft Data Access Components (MDAC) Function Could Allow Code Execution - MS06-014
- http://www.microsoft...n/MS06-014.mspx
* Microsoft Internet Explorer 7 Memory Corruption Exploit - MS09-002
- http://www.microsoft...n/MS09-002.mspx "

:ph34r: <_< :ph34r:



#70 AplusWebMaster


Posted 08 June 2009 - 01:04 PM

FYI...

- http://www.securityfocus.com/brief/970
2009-06-08 - "The drive-by-download threat, Gumblar, continues to cause widespread infection, though the number of Web sites compromised with the malicious code appears to have declined since late May, according to Web security firm Websense. The multi-stage threat, which first compromises Web sites to install malicious code that is then used to infect visitors' PCs, rocketed eight-fold in mid-May, according to an update posted to Websense's research blog on Friday*. Attackers use stolen FTP credentials to embed the first stage of the attack on legitimate Web sites. Gary Warner, a professor of digital forensics at the University of Alabama, documented an investigation he and his students performed on a compromised Facebook group. The group, which boasted 40,000 members, contained a link to a malicious site that attempted to infect visitors with Gumblar... A malicious PDF file uploaded to victims' systems by Gumblar contains the phrase, "Boris likes horilka," according to Warner's blog**. Horilka is the Ukrainian word for vodka. The software steals FTP credentials, sends spam, installs fake antivirus software, hijacks Google search queries, and disables security software."
* http://securitylabs....Blogs/3414.aspx
06.05.2009
** http://garwarner.blo...ed-domains.html
June 06, 2009 - "... 48,000 compromised domains..."

:ph34r: <_< :ph34r:



#71 AplusWebMaster


Posted 11 June 2009 - 04:32 AM

FYI...

- http://windowssecret...p/090611#story1
2009-06-11 - "Going by such names as Gumblar, JSRedir-R, Martuz, and Beladin, a new generation of malware has managed to surreptitiously place malicious JavaScript code on tens of thousands of popular Web sites. The hacker scripts try to infect site visitors and then attempt to use their compromised PCs to spread the infection to yet other sites. Over the past month, the security services ScanSafe* and Sophos** have reported infections on such major Web sites as ColdwellBanker.com, Variety.com, and Tennis.com. Niels Provos reported in the Google security blog*** on June 3 that sites infected with Gumblar numbered about 60,000. Visitors became susceptible to infection simply by opening the sites in Internet Explorer..."
* http://blog.scansafe...rn-to-bots.html
May 8, 2009

** http://www.sophos.co...are-threat-web/
May 14th, 2009

*** http://googleonlines...ware-sites.html
June 3, 2009 - "... malware researchers reported widespread compromises pointing to the domains gumblar .cn and martuz .cn, both of which made it on our top-10 list. For gumblar, we saw about 60,000 compromised sites; Martuz peaked at slightly over 35,000 sites. Beladen .net was also reported to be part of a mass compromise, but made it only to position 124 on the list with about 3,500 compromised sites..."

- http://blog.trendmic...gumblar-attack/
June 10, 2009 - "Analysts of the recent Gumblar attack that compromised thousands of legitimate websites stated that the unauthorized modifications in the websites were possibly executed not only through SQL injection. The compromise was also reportedly done through accessing web server files through stolen FTP credentials gathered by one of the final malware payloads of the same attack. The infection chain initiated by the malicious scripts HTML_JSREDIR.AE and HTML_REDIR.AC ends with the download of TSPY_KATES.G into the affected system. The data-stealer, TSPY_KATES.G, installs itself as a driver on the affected system and monitors network traffic. It also steals FTP account information, which includes user names and passwords. Analysts believe that through TSPY_KATES.G Gumblar was able to compromise more sites than when it initially launched the attack. SQL injections only work under certain conditions (if the website is vulnerable enough to allow such injections), and give cybercriminals limited access to the targeted webpage. Obtaining FTP credentials, however, grants the cybercriminals the same level of access as the website administrator has, regardless of any security measures used..."

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 11 June 2009 - 05:47 AM.
Added Trendmicro link...



#72 AplusWebMaster


Posted 03 July 2009 - 06:17 AM

FYI...

Gumblar invades Best Buy
- http://blog.trendmic...vades-best-buy/
July 2, 2009 - "Earlier today, Trend Micro... spotted a (potentially harmful) URL that redirects users from the Best Buy domain site. Users who visit www.bestbuy.com, as it turns out, are redirected to the URL, hxxp ://pics. bubbled.cn/gallery/hardcore/?23c4f60c1b9f604d6ffb21cba599301f
(hxxp = http, and without the spaces). The compromised page in the domain is found to be the landing page where visitors can choose the language to be used as they browse within the site. Threat Research Manager, Ivan Macalintal, further identifies that a GEO-IP check happens prior to displaying the said landing page... The WHOIS screenshot of the .CN site states that it has been created just last June 4, 2009 by the same old criminals.
Further investigation shows that the first .CN site is actually located in Germany and is used by attackers in Ukraine. Suffice it to say, the Russkranians are the culprits once again. Best Buy has been informed of the said URL redirections and is resolving the matter as of this writing..."

(Screenshots and more detail at the TrendMicro URL above.)

:ph34r: <_< :ph34r:



#73 AplusWebMaster


Posted 16 July 2009 - 04:27 AM

FYI...

(MS Office Web Components) OWC exploits used in SQL injection attacks
- http://isc.sans.org/...ml?storyid=6811
Last Updated: 2009-07-16 08:38:21 UTC - "... The SQL injection attempt looks very much like the one we've been seeing for months - the attacker blindly tries to inject obfuscated SQL code... they are injecting a script code pointing to f1y .in, which is a known bad domain. This script contains links to two other web sites (www .jatrja.com and js.tongji. linezing .com [DO NOT VISIT]) serving malicious JavaScript that, besides exploits for some older vulnerabilities, also include the exploit for the OWC vulnerability. The exploits end up downloading a Trojan (of course, what else) which currently has pretty bad detection (VT link*) - only 15 AV programs detecting it; luckily, some major AV vendors are there. If you haven't set those killbits** yet, be sure that you do now because the number of sites exploiting this vulnerability will probably rise exponentially soon."
* http://www.virustota...da0a-1247733262

** http://support.micro...3472#FixItForMe

- http://blog.trendmic...jection-ensues/
July 17, 2009

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 10 November 2009 - 04:55 PM.



#74 AplusWebMaster


Posted 27 July 2009 - 05:07 PM

FYI...

MS OWC vuln used in site compromise
- http://securitylabs....lerts/3451.aspx
07.27.2009 - "Websense... has discovered that the Center for Defense Information (CDI) Web site has been compromised. The site is injected with a JavaScript code that exploits the latest Microsoft Office Web Components Control vulnerability... The vulnerability is in the Internet Explorer ActiveX control used to display Excel spreadsheets (CVE-2009-1136)... The exploit code pushes a Trojan from hxxp ://vicp .cc/. The Trojan has more than 50% detection*. Note that Microsoft provides a workaround for the problem in their Fixit** program..."

* http://www.virustota...138c-1248724806
File solar.exe received on 2009.07.27 20:00:06 (UTC)
Result: 24/41 (58.54%)

** http://support.micro...3472#FixItForMe

:ph34r:



#75 AplusWebMaster


Posted 14 August 2009 - 06:20 AM

FYI...

Multiple JS site injections/compromises...
- http://securitylabs....Blogs/3461.aspx
08.14.2009 - "Recently, since Microsoft released information about new vulnerabilities in MS Office and DirectShow in July, attacks spreading through the infection of thousands of legitimate Web sites have increased sharply in the wild... The script redirects to four malicious pages which capitalize on different vulnerabilities. The vulnerabilities they target are:
• Firefox Corrupt JIT state after deep return from native function (MFSA 2009-41);
• Microsoft DirectShow(msvidctl.dll) vulnerability (MS09-032);
• Microsoft Office Web Components Spreadsheet ActiveX vulnerability (MS09-043);
• Adobe Acrobat and Reader Collab 'getIcon()' JavaScript Method Remote Code Execution Vulnerability (CVE-2009-0927).
The third feature of the injection campaign is the constantly evolving injection codes. It seems that the attackers use a randomizer to generate this kind of JavaScript, but ultimately they all point to similar exploits... obfuscated JavaScript is the most important means of injection, taking up over 50 percent of the total. In summary, all of these injection methods are easy to implement for attackers and difficult to detect for users, meaning that more and more innocent users are involved in this injection campaign. This campaign not only targets mass college Web sites, but is also spreading widely in other sites in China. At the moment, the number of compromised college sites is still very high, maintaining a level of around 800 sites..."

:ph34r: :ph34r:

