View Full Version : Alerts - Q4-2006-Q1-2007c
More phish than viruses now... per MessageLabs
Monthly Report: January 2007 ~ "Top line results of this report include:
Spam – 75.8% in January (an increase of 1.5% since December)
Viruses – One in 119.9 emails in January contained malware (an increase of 0.08% since December)
Phishing – One in 93.3 emails comprised a phishing attack (an increase of 0.55% since December)
For the first time, MessageLabs noted that the proportion of phishing attacks in email has now overtaken the threat from virus or Trojan attacks..."
The file that is downloaded is a NsPack-packed Trojan keylogger/backdoor, providing the attacker with full access to the compromised computer. The filename is w1c.exe and its MD5 is ad3da9674080a9edbf9e084c10e80516
We have notified the owner's of the site, but the site is currently still malicious.
Please do not visit the site until it has been cleaned.
(Site screenshot available at the Websense URL above.)
Last Updated: 2007-02-02 18:41:53 UTC
"...As of now (~1820 GMT 02-FEB-2007) the site still has the injected redirect, but the site hosting the malicious code is not responding...
Bleedingthreats.net has a signature available:
Last Updated: 2007-02-02 19:53:51 UTC
"...UPDATE: The first reported site has been repaired (for now?). Other sites have been identified using some googledorking and are in the process of being informed."
Last Updated: 2007-02-03 16:11:29 UTC
McAfee has released updated signatures to detect Backdoor-DKT:
Other AV vendors should have specific signatures by now as well.
A similar (identical?) exploit is served by the following domains. At this point, the best defense (after patching) is to block these domains and monitor DNS requests for them. Infected machines will try to call home to them.
w1c.cn, dv521.com, natmags.co.uk, bc0.cn, 137wg.com, newasp.com.cn
dv521.com was the domain used in the dolphinstadium.com defacement. Thanks to the cooperation from Xin-Net, the domain is no longer resolving. But there is always a chance that it will come back..."
Super Bowl Infection - More Sites
Last Updated: 2007-02-04 21:17:53 UTC
"On Friday we reported that the Dolphins Stadium (home of the 2007 Super Bowl) was infected with a scripted pointer to malware that exploited two patchable Microsoft Windows vulnerabilities. While doing research on that issue, we uncovered many more sites that contain similar references. Here is a list of the some of the ones we found, many have already been cleaned up but many have not. System administrators might want to check their network flow logs for any traffic to these sites, and for any traffic to the five sites that hosted the hostile Java script.
It looks like the "1.js" intrusions happened around the first of January while the "3.js" intrusions occured near the end of January. We cannot find any evidence of a "2.js" or "4.js" script...
(Referenced sites shown at the URL above)
A common theme seems to be an attack on hospital or medical care sites, although that is not completely the case. We checked to see if this was a mass attack on one service provider but other than a lot of *.squizzle.com sites it does not appear to be this type of attack."
UPDATE 5 Feb 07 2032Z ~ "More logs were sent to us showing activity as far back as mid-November. Note the swing from 137wg.com to bc0.com to dv521.com (the site that was involved in the Dolphins Stadium incident)..."
(Log detail shown at the URL above.)
Last Updated: 2007-02-06 22:55:53 UTC
"We have discovered more defacements / code-injection similar to the superbowl site defacement. If you google for script 8.js you will find that 1.js and 3.js were not the only java script’s used in this fashion. This version appears to have been targeted a bit at gaming sites although there are a few medical sites including an “anonymous expert HIV/AIDS counseling” site with this defacement... The concept of a website having additional content or having portions of the content replaced was usually looked at as embarrassing but not a major threat. In my opinion with the recent trend to perform “silent defacements” with malicious code injection, world writable content areas should be treated as a threat. The only malicious version of 8.js I have seen so far is hosted on 001yl.com ... The stuff I pulled from 001y.com is very similar to the 3.js defacement we discussed in the dolphinstadium site write-ups. 8.js uses a hidden iframe to hide its reference to qq.htm... qq.htm uses several hidden iframes to call happy1.htm, happy2.htm, happy3.htm from 001yl.com , h.js from zj5173.com and a counter at s102 .cnzz .com. Each happy1.htm (and 2 and 3) had pointers to zj5173.com/2.exe - h.js injects zj5173.com/3.js into a cookie. - 3.js uses another hidden iframe to call zj5173.com/1.htm -
1.htm uses a VML overflow from hackwm.com to run some shell code.
2.exe is not currently well detected by the virus scanning engines at virus total..."
(More detail at the ISC URL above.)
Last Updated: 2007-02-07 18:52:55 UTC ...(Version: 3)
[See the updates (dtd. 2/7/2007)]
Last Updated: 2007-02-07 21:41:45 UTC ~ "We've received information that the likely common vector for how the web sites were compromised appears to be through the use of Dreamweaver. There is not a flaw in Dreamweaver that was exploited. It was a case of lazy programming on the parts of site developers who did not do a good job of "input validation" so attackers were able to do "sql injection" attacks."
Last Updated: 2007-02-08 16:58:49 UTC ~ "...UPDATE4:
Updating our earlier update :-), the 3.js off the Natmags site downloads an ad.htm file which is clearly an exploit, as can be shown with a little PERL-fu to make it readable:
cat ad.htm | perl -pe 's/(.)/chr(ord($1)&127)/ge'
The corresponding www .exe is no longer available on the server though (or doesn't download)."
:fear: :spider: :fear:
Last Updated: 2007-02-06 23:40:41 UTC ~ "...News of the attacks against the DNS root servers. We are aware of the attacks, and have been waiting to wade through the FUD before publishing anything more concrete. I am posting this now just to let our readers know that we are aware of the story and that we are trying to get more information about it...
The main story is featured here:
Here are some graphs showing the traffic rates to the root servers here:
> http://tinyurl.com/2yr8fj ..."
2/6/2007 ~ "Hackers briefly overwhelmed at least three of the 13 computers that help manage global computer traffic Tuesday in one of the most significant attacks against the Internet since 2002. Experts said the unusually powerful attacks lasted as long as 12 hours but passed largely unnoticed by most computer users, a testament to the resiliency of the Internet. Behind the scenes, computer scientists worldwide raced to cope with enormous volumes of data that threatened to saturate some of the Internet's most vital pipelines.... Other experts said the hackers appeared to disguise their origin, but vast amounts of rogue data in the attacks were traced to South Korea. The attacks appeared to target UltraDNS, the company that operates servers managing traffic for Web sites ending in "org" and some other suffixes, experts said. Officials with NeuStar Inc., which owns UltraDNS, confirmed only that it had observed an unusual increase in traffic. Among the targeted "root" servers that manage global Internet traffic were ones operated by the Defense Department and the Internet's primary oversight body... Crain said Tuesday's attack was less serious than attacks against the same 13 "root" servers in October 2002 because technology innovations in recent years have increasingly distributed their workloads to other computers around the globe."
February 6, 2007 ~ "...It is likely that the traffic is Distributed Denial of Service (DDOS) related. At approximately 0001 GMT on 6 Feb 2007, several root-level DNS servers began receiving a large volume of malformed DNS queries. This initial attack appears to have been a warm-up for a much larger attack that began at 1000 GMT. DNS servers G (U.S. DOD Network Information Center), L (Internet Corporation for Assigned Names and Numbers), and M (WIDE Project) appear to have been the most severely impacted although none were ever unreachable. The servers were operational and reachable even with the high volume of traffic. US-CERT has been in contact with the various groups affected to ensure that appropriate actions are being taken..."
:fear: :spider: :fear:
Last revised: 2/23/2007
CVSS Severity: 10.0 (High)
Range: Remotely exploitable
Authentication: Not required to exploit
Impact Type: Provides administrator access, Allows complete confidentiality, integrity, and availability violation
Last Updated: 2007-02-24 20:27:15 UTC ...(Version: 3)
"...A .reg file for setting the killbits can be downloaded*, use at your own risk..."
Date Last Updated: 02/23/2007
The SupportSoft ActiveX controls contain multiple buffer overflow vulnerabilities, which could allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
SupportSoft provides multiple ActiveX packages that are used by third party vendors to provide remote assistance and other technical support functions. The controls are commonly used by internet service providers (ISPs) and PC manufacturers. The SupportSoft ActiveX control packages contain multiple buffer overflow vulnerabilities. Many of these buffer overflows can be used to overwrite the process Structured Exception Handler (SEH) or otherwise overwrite the contents of the EIP (Extended Instruction Pointer) register, thus gaining control of program execution flow.
According to the SupportSoft ActiveX Controls Security Update**, one should search for the tgctlsi.dll file to determine if a system is vulnerable. However, in our testing, any of the following files provide vulnerable ActiveX controls:
(Ed. note: Suggested search: tgctl*.dll on C:\ )
Note that since the vulnerable controls are commonly included with third-party software that is not explicitly packaged as "SupportSoft," searching for the above files is the most effective way to determine if a system is vulnerable.
Vendor Status Date Updated
Bank of America Unknown 21-Feb-2007
BellSouth Vulnerable 20-Feb-2007
Comcast Vulnerable 20-Feb-2007
CSC Unknown 20-Feb-2007
IBM Vulnerable 20-Feb-2007
Verizon Unknown 20-Feb-2007 ...
(Ed. note: Only -some- of -many- vendors affected shown; see the kb.cert URL for complete list.) ..."
February 27, 2007 ~ (Computerworld) "A new variant of the "Storm" Trojan is injecting its come-on into blogs, Web-based message forums and Webmail as part of an effort to spread itself to an ever-widening net of PCs... An initial infection is still carried out via e-mail, which touts a link that when clicked downloads a number of malware components to a victimized machine. Once on a PC, however, the malicious code injects itself into the network stack as a rootkit and analyzes all outbound Web traffic. "It has hooks for boards, e-mail, and blogs," said Alperovitch. When a user on an infected PC posts a message to a forum or blog, or sends a message via popular Web-based mail services such as Hotmail, Gmail, and Yahoo Mail the Trojan adds text to the entry or message. "It inserts 'Have you seen this link?' along with a link to what seems to be a video," Alperovitch said. Anyone clicking on the link will only find their system infected... Secure Computing has seen evidence of the bogus posting on messages forums, including one for Men's Health, as well as "thousands of blog entries," said Alperovitch. The Trojan has been making the rounds since January... Since then, it has been collecting compromised PCs into a botnet of zombies that can be used for sending spam. Other malware downloaded to infected machines tries to steal passwords or uses the PC to launch distributed denial-of-service (DDoS) attacks..."