SQL injection attacks...


111 replies to this topic

#76 AplusWebMaster


Posted 24 August 2009 - 04:06 PM

FYI...

SQL injection attacks hit 57K sites
- http://www.theregist..._web_infection/
24 August 2009 - "Malicious hackers have managed to infect about 57,000 web pages with a potent exploit cocktail that targets a variety of vulnerable applications to surreptitiously install malware on visitor machines. The exploits install an assortment of nasty software, including Gologger, a keystroke logging trojan, and a backdoor that attempts to connect to a website hosted in China, according to Mary Landesman, a researcher at ScanSafe, a company that protects end users from malicious websites. The attackers were able to plant a malicious iframe in the pages by exploiting SQL injection vulnerabilities. Once in place, the script silently pulls down javascript from a0v .org** that silently runs while people are visiting one of the infected websites... SQL injection attacks exploit weaknesses in web applications that fail to adequately scrutinize text that users enter into search boxes and other web fields. The attacks have the effect of passing powerful commands to the website's back-end database. Landesman's report is available here*."
* http://blog.scansafe...t-cocktail.html
August 21, 2009

> http://www.threatexp...7e577fd1b45805c
16 August 2009 - "... The following Internet Connection was established:
Server Name
qirueixzz. 3322 .org ..."

> http://www.virustota...4194-1249319276
File ae563af77535163a1562cc1106ddf342- received on 2009.08.03 17:07:56 (UTC)
Result: 6/41 (14.63%)

> http://www.virustota...1b12-1249741982
File mam.exe received on 2009.08.08 14:33:02 (UTC)
Result: 26/41 (63.41%)

** http://centralops.ne...ainDossier.aspx
Country: CN

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 25 August 2009 - 06:39 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#77 AplusWebMaster


Posted 26 August 2009 - 08:07 PM

FYI... [Please DO NOT visit these domains as they are distributing malware both through the files they are peddling and via exploits.]

Following the Injection - a0v .org
- http://securitylabs....Blogs/3465.aspx
08.26.2009 - "... The site that has been injected in this campaign is a 35-day-old domain called a0v.org. The injection is in plain text, non-obfuscated script tags... There is no mercy shown with the frequency of the injections, which confirms that this injection is an automated process, as most injections are... Once a user browses to an infected Web site, the user is redirected to execute the injected script at hxxp ://a0v .org/ x.js... the first takes the user to exploit sites just down the chain, and the second takes the user to a log server established by the baddies... The next stop in the exploit chain is hxxp ://game163 .info/oday/index .html... game163.info is also a fresh domain, registered just 23 days ago. Its source goes to even further redirects in the same site. But before it decides where to go, it checks whether the user's browser is Microsoft Internet Explorer 7, using a hex-represented string for "msie 7"... Following is a summary of all the exploits used, from the last one discovered to the oldest:
• Adobe Flash, Acrobat Reader CVE-2009-1862
• Microsoft Office Web Components CVE-2009-1136
• Microsoft Internet Explorer XML Parsing CVE-2008-4844
• Microsoft DirectShow (msvidctl.dll) CVE-2008-0015 - Suspected\Disabled
• Microsoft Data Access Components (MDAC) CVE-2006-0003
The exploits are served from multiple replicated Web sites, bearing the exact same code and structure as game163 .info... The newest exploit used in the chain is Adobe Flash and Acrobat Reader CVE-2009-1862 -- alerted on at the end of July, and the most troublesome one, due to two facts:
1) Today, most users don't bother to update their versions of Flash/Acrobat.
2) We've recently received reports (in the middle of August) showing almost the same exploit code (with only minor variations in syntax) with an embedded malicious Flash file exploiting CVE-2009-1862 and holding only 2/42 and 0/42 detection rates by vendors, respectively. The results for the malicious Flash file exploiting this vulnerability in this attack are still very low, with only 5/41*, and the related exploit page with only 4/41**. Combine those two facts together, and you have a major breach that allows the attackers to do a great deal of damage. Similar mass injections happen around the clock, capitalizing on the latest exploits that rely on the two facts listed above, and holding different obfuscated source codes and payloads. Those facts can only suggest the large number of infected users from such mass compromises."
* http://www.virustota...0744-1251148350
File xp-swf.txt received on 2009.08.24 21:12:30 (UTC)
Result: 5/41 (12.20%)

** http://www.virustota...3303-1251295435
File ex1.txt received on 2009.08.26 14:03:55 (UTC)
Current status: finished
Result: 4/41 (9.76%)

:ph34r: <_< :ph34r:



#78 AplusWebMaster


Posted 28 August 2009 - 09:23 AM

FYI...

Another mass compromise attack
- http://blog.trendmic...ass-compromise/
Aug. 28, 2009 - "Trend Micro threat analysts were alerted to another mass compromise attack affecting around 55,000 consumer-oriented sites spread throughout Canada, China, the United Kingdom, and India as of the first report. This incident is a painful reminder of the persisting risk of unprotected Web-surfing. In this particular case, the malicious scripts injected in the legitimate sites lead to other sites that eventually resolve to the download of the following backdoor programs and components:
• axa0727.exe-1 (BKDR_REFPRON.FH)
• d.binaxa072776988 (TROJ_REFPRON.FI)
• ms.binaxa0727588773 (TROJ_REFPRON.FJ)
• so.binaxa0727737721 (BKDR_REFPRON.FH)
The backdoors drop other components and connect to other IP addresses to download other malware, with further risk to users... As of this writing, searching for the offending script yields 99,000 results."

:ph34r: <_< :ph34r:



#79 AplusWebMaster


Posted 15 September 2009 - 09:24 AM

FYI...

2009 - Top Cyber Security Risks
- http://www.sans.org/...security-risks/
September 2009 - "Two risks dwarf all others, but organizations fail to mitigate them... attack data from TippingPoint intrusion prevention systems protecting 6,000 organizations, vulnerability data from 9,000,000 systems compiled by Qualys, and additional analysis... current data - covering March 2009 to August 2009 - from appliances and software in thousands of targeted organizations to provide a reliable portrait of the attacks being launched and the vulnerabilities they exploit...
Executive Summary
Priority One: Client-side software that remains unpatched
.
Waves of targeted email attacks, often called spear phishing, are exploiting client-side vulnerabilities in commonly used programs such as Adobe PDF Reader, QuickTime, Adobe Flash and Microsoft Office. This is currently the primary initial infection vector used to compromise computers that have Internet access. Those same client-side vulnerabilities are exploited by attackers when users visit infected web sites...
Priority Two: Internet-facing web sites that are vulnerable.
Attacks against web applications constitute more than 60% of the total attack attempts observed on the Internet. These vulnerabilities are being exploited widely to convert trusted web sites into malicious websites serving content that contains client-side exploits. Web application vulnerabilities such as SQL injection and Cross-Site Scripting flaws in open-source as well as custom-built applications account for more than 80% of the vulnerabilities being discovered. Despite the enormous number of attacks and despite widespread publicity about these vulnerabilities, most web site owners fail to scan effectively for the common flaws and become unwitting tools used by criminals to infect the visitors that trusted those sites to provide a safe web experience..."
(Charts available at the URL above.)

- http://securitylabs....Blogs/3476.aspx
09.15.2009 - "... Websense Security Labs identified a 233 percent growth in the number of malicious sites in the last six months and a 671 percent growth over the last year..."

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 15 September 2009 - 01:54 PM.



#80 AplusWebMaster


Posted 21 October 2009 - 03:17 AM

FYI...

Gumblar attacks surge again
- http://www.pcworld.c...urge_again.html
October 20, 2009 - "... In May, thousands of Web sites were found to have been hacked to serve up an iframe, which is a way to bring content from one Web site into another. The iframe led to the "gumblar.cn" domain. Gumblar would then try to exploit the user's PC via software vulnerabilities in Adobe Systems products such as Flash or Reader and then deliver malicious code. Gumblar has also now changed its tactics. Rather than hosting the malicious payload on a remote server, the hackers are now putting that code on compromised Web sites, vendors IBM and ScanSafe say. It also appears Gumblar has been updated to use one of the more recent vulnerabilities in Adobe's Reader and Acrobat programs, according to IBM's Internet Security Systems Frequency X blog*. The hackers know that it's only a matter of time before a malicious domain is shut down by an ISP. The new tactic, however, "gives them a decentralized and redundant attack vector, spread across thousands of legitimate websites around the world," IBM said... The hackers behind Gumblar have also taken to forcibly injecting a malicious iframe into forums, according to a blog post from ScanSafe***. It means that people become victim to a so-called drive-by attack, where they are instantly exposed to malicious content from elsewhere when visiting a legitimate site..."
* http://blogs.iss.net...arReloaded.html
October 19, 2009 - "... Coverage for the updated Trojan is still very low according to an analysis done through VirusTotal**..."
** http://www.virustota...9362-1255712244
File 1952405D00EE6FBD3E0000E9F4250F00643110CC.exe received on 2009.10.16 16:57:24 (UTC)
Result: 6/41 (14.63%)

*** http://blog.scansafe...net-awakes.html
October 15, 2009

- http://google.com/sa...ite=gumblar.cn/
"... last time suspicious content was found on this site was on 2009-10-22... this site has hosted malicious software over the past 90 days. It infected 6674 domain(s)..."
"... last time suspicious content was found on this site was on 2009-10-26... this site has hosted malicious software over the past 90 days. It infected 6381 domain(s)..."

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 26 October 2009 - 08:05 AM.



#81 AplusWebMaster


Posted 28 October 2009 - 03:18 AM

FYI...

6 million pwnd - Mass web infections spike
- http://sunbeltblog.b...-6-million.html
October 27, 2009 - "Dasient web security firm of Palo Alto, Calif., published some dismal numbers on its blog today. The number of infected pages on the web increased significantly in the third quarter and more than a third of infected sites that are fixed are quickly reinfected, they said. The company said its malware analysis platform found more than 640,000 infected sites with a total of 5.8 million pages in the quarter. They compare that to the three million infected pages that Microsoft reported in the first quarter of the year.
The attacks:
-- JavaScript (54.8%)
-- iFrame (37.1%)
-- "other" (8.1%)
... with that preponderance of JavaScript malware, if you haven’t updated your Adobe Reader and Acrobat installations recently, you might do so. Dasient blog here*."
* http://blog.dasient....nd-dasient.html
October 27, 2009

- http://www.theregist...promises_spike/
27 October 2009

:ph34r: <_< :ph34r:



#82 AplusWebMaster


Posted 05 November 2009 - 01:09 PM

FYI...

Media-servers.net compromised
- http://securitylabs....lerts/3500.aspx
11.05.2009 - "Websense... has detected that the site media-servers.net has been compromised and injected with malicious code. The Web site belongs to a high-profile advertiser on the Internet realm. It's important to note that media-servers.net serves advertising content from ad.media-servers.net, and that this site is clean. The injected code is part of an ongoing mass injection campaign that compromised thousands of legitimate Web sites... The exploits associated with this attack are:
• Microsoft DirectShow CVE-2008-0015
• Microsoft Snapshot Viewer CVE-2008-2463
• Microsoft Data Access Components (MDAC) CVE-2006-0003
• AOL ConvertFile() remote buffer overflow exploit
There is also an autoloading malicious PDF file that holds the next vulnerabilities:
• Adobe Reader and Acrobat 8.1.1 buffer overflow CVE-2007-5659
• Adobe Acrobat and Reader 8.1.2 buffer overflow CVE-2008-2992 ...
If the user's browser is successfully exploited, a malicious file is downloaded and run in the user's Windows home directory from another collaborated exploit site. The malicious file (SHA1: 6776489a0ed889fbabb317763c7c913fdc782631) has an extremely low AV detection rate* at the time the file was checked..."
* http://www.virustota...7c84-1257416198
File file.exe received on 2009.11.05 10:16:38 (UTC)
Result: 2/40 (5.00%)

(Screenshot available at the Websense URL above.)

:ph34r: <_< :ph34r:



#83 Doug


Posted 05 November 2009 - 05:29 PM

Happily, anyone protected by MVPS Hosts File already blocks ad.media-servers.net

There's no place like 127.0.0.1 :)
The help you receive here is free.
If you wish, you may Donate to help keep us online.

#84 AplusWebMaster


Posted 10 November 2009 - 04:57 PM

FYI...

87% of web apps - "serious vulnerabilities..."
- http://sunbeltblog.b...d-with-web.html
November 10, 2009 - "If anyone ever needed a great example for the lectures they give friends, relatives or employees about the importance of installing software updates, here it is. Security firm Cenzic* has made public a report documenting 3,100 vulnerabilities that affect the software used on web sites and in browsers! The report included patched and unpatched vulnerabilities. Cenzic, which provides software as a service, said in their report “Web Application Security Trends Report Q1-Q2, 2009” that Cross Site Scripting and SQL Injection vulnerabilities were a factor in half of all web attacks. They said 87 per cent of web applications their researchers looked at "had serious vulnerabilities that could potentially lead to the exposure of sensitive or confidential user information during transactions"..."
* http://www.cenzic.co...equired_trends/
Q1-Q2 2009
http://www.cenzic.co..._Q1-Q2-2009.pdf

:blink: :ph34r:



#85 AplusWebMaster


Posted 10 December 2009 - 12:33 PM

FYI...

303,000+ hit by SQL injection
- http://www.net-secur...rld.php?id=8604
10 December 2009 - "A large scale SQL injection attack has injected a malicious iframe on tens of thousands of susceptible websites. ScanSafe reports* that the injected iframe loads malicious content from 318x .com, which eventually leads to the installation of a rootkit-enabled variant of the Buzus backdoor trojan. A Google search on the iframe resulted in over 132,000 hits as of December 10, 2009..."
* http://blog.scansafe...ims-125000.html
"... Detection of the trojan is spotty, with 22/40 antivirus vendors detecting the variant according to this VirusTotal report**..."
** http://www.virustota...3f2a-1260300034
File 8ad31d8d6fc4cb12c9beec93d62d340e received on 2009.12.08 19:20:34 (UTC)
Result: 22/40 (55.00%)

- http://blog.scansafe...r-on-yahoo.html
December 10, 2009 - "... a Yahoo search on the 318x iframe reveals a considerably higher number of hits. Does this mean Google is capping the SERPs at some arbitrary point? Currently, Yahoo is showing 303,000 on my end while a Google search on the 318x iframe is showing 159,000 (up from 125,000 yesterday and 132,000 earlier today)."

- https://www.sans.org...issue=97#sID300
December 10, 2009 - "... A newly-detected SQL injection attack has infected nearly 300,000 web pages with an invisible iframe that gathers malicious code from a series of web sites. The malware seeks vulnerable versions of Adobe Flash, Internet Explorer (IE) and other applications on users' computers and then installs malware that steals online banking credentials."

- http://google.com/sa...?site=318x.com/
"... last time Google visited this site was on 2009-12-15, and the last time suspicious content was found on this site was on 2009-12-15. Malicious software includes 5853 trojan(s), 3423 scripting exploit(s), 1 exploit(s)..."

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 17 December 2009 - 07:31 AM.




#86 AplusWebMaster


Posted 23 February 2010 - 10:39 AM

FYI...

Automated SQL injection attacks...
- http://www.darkreadi...cleID=223100129
Feb. 22, 2010 - "SQL injections top plenty of lists as the most prevalent means of attacking front-end Web applications and back-end databases to compromise data... analysis of the Web Hacking Incidents Database* (WHID) shows SQL injections as the top attack vector, making up 19 percent of all security breaches examined by WHID. Similarly, in the "Breach Report for 2010" (PDF) released by 7Safe** earlier this month, a whopping 60 percent of all breach incidents examined involved SQL injections... criminals are increasingly using automated SQL injection attacks powered by botnets to hit vulnerable systems... the purpose of those attacks is really to inject JavaScript redirectors into Web pages so that legitimate Web pages end up redirecting their users to exploit toolkits..."
* http://webappsec.pbw...cident-Database

** http://7safe.com/bre...report_2010.pdf

:ph34r: :ph34r:

Edited by AplusWebMaster, 23 February 2010 - 10:48 AM.



#87 AplusWebMaster


Posted 09 March 2010 - 09:04 PM

FYI...

WordPress injection attack
- http://securitylabs....Blogs/3577.aspx
03.09.2010 - "... Websense... has been monitoring the latest WordPress injection attack for over 2 weeks and has found over 250,000 injections occurring in the past half month. Moreover, over 37,000 URLs in the wild are still being injected according to our observations... the daily stats go up and down a few times and always end up higher, so we believe the hackers are still continuing their attack... WordPress is so widely used all over the world that every version of it is studied and exploited by hackers, even the latest version (2.9.2, released on December 18, 2009)... The ultimate purpose of the attack is all about making money, as Sophos has already investigated*... These attacks probably happened due to SQL injection via some known and unknown WordPress vulnerabilities... Injection is not the only way for hackers to utilize those vulnerabilities; compromising a site is also a good option. It has often been reported that compromised Web sites are used for Blackhat SEO to push rogue AVs. Novirusthanks has a great analysis here**, and more investigation indicates that the compromise behind the attack is connected to WordPress vulnerabilities... WordPress users should be very familiar with the injection or compromise attack since it has been used frequently in the past. Although WordPress has 2-3 releases every year and has 3 releases planned this year as usual, it has proved to be not enough: we still can see many victimized sites with the latest 2.9.2 installation..."

(More detail and screenshots available at the Websense URL above.)

* http://www.sophos.co...hoslabs/?p=8498

** http://blog.novirust...t-seo-strategy/

:ph34r: <_<



#88 AplusWebMaster


Posted 09 June 2010 - 03:08 PM

FYI...

Mass Infection of IIS/ASP Sites
- http://isc.sans.edu/...ml?storyid=8935
Last Updated: 2010-06-09 19:01:51 UTC - "Sucuri.net has released a report about a large number of sites that have been hacked and contain a malware script. A quick Google today indicates that there are currently 111,000 sites still infected. It appears that this is only impacting websites hosted on Windows servers. The situation is being investigated. For those who are hosting their websites on Windows IIS/ASP you may find more information here:
- http://blog.sucuri.n...-robint-us.html
June 8, 2010 - "... sites have been hacked in the last day with a malware script pointing to http ://ww.robint .us/u.js. Not only small sites, but some big ones got hit as well..."

- http://nsmjunkie.blo...-infection.html

Update: Paul at Sophos logs has released some additional information regarding this exploit and Infection. Thanks Paul.
- http://www.sophos.co...hoslabs/?p=9941

SQL injection attacks...
- http://www.theregist...webpage_attack/
9 June 2010 - "... Robint.us has been disabled, thanks to a sinkholing effort carried out by volunteer security outfit Shadowserver Foundation. The action will allow Shadowserver researchers to get a complete list of compromised sites and to gather additional information about how the attack was carried out..."

Shadowserver Sinkholing domain associated with SQLi attacks on IIS/ASP web servers
- http://www.shadowser...lendar/20100609
9 June 2010

- http://blog.scansafe...injections.html
June 8, 2010

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 15 June 2010 - 06:51 AM.



#89 AplusWebMaster


Posted 11 June 2010 - 08:06 PM

FYI...

Adobe 0-day used - mass injections
- http://community.web...injections.aspx
11 Jun 2010 05:38 PM - "... we started seeing mass injections... The attack is closely related to the hxxp ://ww.robint .us/[REMOVED].js attack earlier this week... common theme was that all Web sites were running on Microsoft IIS and used ASP.NET. In fact, the majority of sites compromised by the -new- mass injection attack still have the robint.us code present... Adobe released a patch* for this vulnerability yesterday and we advise all users to download it immediately... Once for IE and a second time for all other browsers."

(Screenshots and video available at the Websense URL above.)

Flash v10.1.53.64 update
* http://forums.whatth...=...st&p=659226

- http://www.theregist...webpage_attack/
11 June 2010 - "... The latest SQL injection attack pulls down a malicious javascript from 2677.in, which according to anti-virus firm Symantec*, downloads a serious threat dubbed “HTTP Microsoft IE Generic Heap Spray BO.” 2677.in was still active at time of writing..."
* http://safeweb.norto...ow?name=2677.in

- http://blog.sucuri.n...inyahoo-js.html
June 11, 2010

- http://google.com/sa...c?site=2677.in/
"... The last time Google visited this site was on 2010-06-13, and the last time suspicious content was found on this site was on 2010-06-13. Malicious software includes 8 scripting exploit(s), 1 trojan(s), 1 exploit(s)... this site has hosted malicious software over the past 90 days. It infected 185 domain(s)..."

- http://ddanchev.blog...ed-malware.html
June 15, 2010 - "... Where's the mass SQL injection attack connection? Within AS42560*... part of the campaign... Detection rate: - urchin.js - Trojan.JS.Redirector.ca (v); JS:Downloader-LP - Result: 4/41 (9.76%)... AS49087, Telos-Solutions-AS..."
* http://stopbadware.o...ports/asn/42560
AS 42560 - BA-GLOBALNET-AS GlobalNET Bosnia
** http://stopbadware.o...ports/asn/49087
AS 49087 - TELOS-SOLUTIONS-AS Telos Solutions LTD

- http://blog.webroot....-drops-trojans/
June 14, 2010

:ph34r: :ph34r: :ph34r:

Edited by AplusWebMaster, 15 June 2010 - 11:59 AM.



#90 AplusWebMaster


Posted 24 August 2010 - 02:19 PM

FYI...

Mass infection of websites
- http://techblog.avir...of-websites/en/
August 24, 2010 - "Drive-by-downloads that use exploits to infect the visitor of a website are a very popular distribution method for malware authors. In the last days we detected thousands of websites which are infected with a hidden, invisible iframe. Searching for similar iframe infections shows that Google lists about 47,300 hits. The target server and script this iframe points to are currently offline; the injection scripts of the malware authors may be inactive at present. Some of these infected sites had more than one iframe injected into them, though. They were infected with three or more scripts which all point to Russian servers. This looks like a mass infection of websites which are created with a certain content management system (CMS). Usually, such mass infections are done with so-called SQL injections through security holes in these CMSes. Website administrators should always take care to have the latest version of their CMS and the needed scripting languages like PHP and Perl installed so that such mass SQL injections don’t have a chance. The malware authors didn’t take the effort to properly track their infections, as the observation of multiple injections with the same iframe shows..."

:ph34r: <_<

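A defender-side check that applies the indicators these posts describe (post #76's injected iframe pulling script from a foreign domain, post #90's hidden, invisible iframes injected several times into one page) to a page's HTML. This is an added example, not code from the thread or from any vendor report it quotes; the site hostnames (.example), the injected hostnames (.invalid) and the sample page are all constructed.

```python
"""Flag injected third-party <script>/<iframe> references in a page's HTML.

Added example, not code from the thread or the reports it quotes. Every hostname
here is constructed: .example for the site's own hosts, .invalid for injected ones.
"""
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse

def _looks_hidden(attrs):
    """Zero/one-pixel or CSS-hidden frames: how an injected iframe stays invisible."""
    tiny = {"0", "1", "0px", "1px"}
    for dim in ("width", "height"):
        if attrs.get(dim, "").strip().lower() in tiny:
            return True
    for decl in attrs.get("style", "").lower().split(";"):
        if ":" not in decl:
            continue
        prop, value = (part.strip() for part in decl.split(":", 1))
        if (prop, value) in (("display", "none"), ("visibility", "hidden")):
            return True
        if prop in ("width", "height") and value.rstrip("px").strip() in tiny:
            return True
    return False

class InjectedTagScanner(HTMLParser):
    """Collects every <script src> and <iframe src> with its host and a hidden flag."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "").strip()
        if not src:
            return  # inline script bodies need a different check, not covered here
        host = urlparse(src).hostname  # None for relative URLs, i.e. same origin
        self.refs.append({"tag": tag, "src": src, "host": host.lower() if host else None,
                          "hidden": tag == "iframe" and _looks_hidden(a)})

def is_first_party(host, allowed_hosts):
    """Relative URLs and the site's own hosts (or their subdomains) are first party."""
    if host is None:
        return True
    return any(host == h or host.endswith("." + h) for h in allowed_hosts)

def scan_page(html, allowed_hosts):
    """One finding per third-party script/iframe reference, tagged with reasons:
    'external' always, 'hidden' for invisible iframes, 'repeated' when the same
    source occurs more than once in the page (automated re-injection)."""
    allowed = {h.lower() for h in allowed_hosts}
    scanner = InjectedTagScanner()
    scanner.feed(html)
    scanner.close()
    external = [r for r in scanner.refs if not is_first_party(r["host"], allowed)]
    counts = Counter(r["src"] for r in external)
    findings = []
    for r in external:
        reasons = ["external"]
        if r["hidden"]:
            reasons.append("hidden")
        if counts[r["src"]] > 1:
            reasons.append("repeated")
        findings.append({**r, "reasons": reasons})
    return findings

def suspicious_hosts(findings):
    """Distinct third-party hosts to block at the proxy and check in reputation feeds."""
    return sorted({f["host"] for f in findings})

# Constructed sample: a legitimate shop page carrying two injected hosts, one of
# them inserted twice, with both frames hidden from the visitor.
SITE_HOSTS = {"shop.example"}
SAMPLE_PAGE = """<html><head><title>Shop</title>
<script src="/static/app.js"></script>
<script src="https://cdn.shop.example/lib.js"></script>
<script src="http://injected-host.invalid/x.js"></script>
</head><body><p>Welcome</p>
<iframe src="http://injected-host.invalid/in.php" width="0" height="0"></iframe>
<iframe src="//second-host.invalid/f.php" style="display: none"></iframe>
<script src="http://injected-host.invalid/x.js"></script>
<iframe src="https://player.shop.example/v1" width="640" height="360"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in scan_page(SAMPLE_PAGE, SITE_HOSTS):
        print(f"{f['tag']:6} {f['src']:42} {','.join(f['reasons'])}")
    print("hosts to investigate:", suspicious_hosts(scan_page(SAMPLE_PAGE, SITE_HOSTS)))
```

Because the injections in these campaigns land in stored content rather than in templates, the same check is worth running over HTML-bearing columns dumped from the database, not only over crawled pages.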
