
Thread: Thousands of sites infected - archive

  1. #81
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Multiple JS site injections/compromises...

    FYI...

    Multiple JS site injections/compromises...
    - http://securitylabs.websense.com/con...logs/3461.aspx
    08.14.2009 - "Recently, since Microsoft released information about new vulnerabilities in MS Office and DirectShow in July, attacks spreading through the infection of thousands of legitimate Web sites have increased sharply in the wild... The script redirects to four malicious pages which capitalize on different vulnerabilities. Their targeting vulnerabilities are:
    • Firefox Corrupt JIT state after deep return from native functionHeap (MFSA 2009-41);
    • Microsoft DirectShow(msvidctl.dll) vulnerability (MS09-032);
    • Microsoft Office Web Components Spreadsheet ActiveX vulnerability (MS09-043);
    • Adobe Acrobat and Reader Collab 'getIcon()' JavaScript Method Remote Code Execution Vulnerability (CVE-2009-0927).
    The third feature of the injection campaign is the constantly evolving injection codes. It seems that the attackers use a randomizer to generate this kind of JavaScript, but ultimately they all point to similar exploits... obfuscated JavaScript is the most important means of injection, taking up over 50 percent of the total. In summary, all of these injection methods are easy to implement for attackers and difficult to detect for users, meaning that more and more innocent users are involved in this injection campaign. This campaign not only targets mass college Web sites, but is also spreading widely in other sites in China. At the moment, the number of compromised college sites is still very high, maintaining a level of around 800 sites..."

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #82
    Adviser Team AplusWebMaster

    SQL injection attacks hit 57K sites

    FYI...

    SQL injection attacks hit 57K sites
    - http://www.theregister.co.uk/2009/08...web_infection/
    24 August 2009 - "Malicious hackers have managed to infect about 57,000 web pages with a potent exploit cocktail that targets a variety of vulnerable applications to surreptitiously install malware on visitor machines. The exploits install an assortment of nasty software, including Gologger, a keystroke logging trojan, and a backdoor that attempts to connect to a website hosted in China, according to Mary Landesman, a researcher at ScanSafe, a company that protects end users from malicious websites. The attackers were able to plant a malicious iframe in the pages by exploiting SQL injection vulnerabilities. Once in place, the script silently pulls down javascript from a0v .org** that silently runs while people are visiting one of the infected websites... SQL injection attacks exploit weaknesses in web applications that fail to adequately scrutinize text that users enter into search boxes and other web fields. The attacks have the effect of passing powerful commands to the website's back-end database. Landesman's report is available here*."
    * http://blog.scansafe.com/journal/200...-cocktail.html
    August 21, 2009

    > http://www.threatexpert.com/report.a...e577fd1b45805c
    16 August 2009 - "... The following Internet Connection was established:
    Server Name
    qirueixzz. 3322 .org ..."

    > http://www.virustotal.com/analisis/1...194-1249319276
    File ae563af77535163a1562cc1106ddf342- received on 2009.08.03 17:07:56 (UTC)
    Result: 6/41 (14.63%)

    > http://www.virustotal.com/analisis/5...b12-1249741982
    File mam.exe received on 2009.08.08 14:33:02 (UTC)
    Result: 26/41 (63.41%)

    ** http://centralops.net/co/DomainDossier.aspx
    Country: CN

    Last edited by AplusWebMaster; 2009-08-25 at 15:42.

  3. #83
    Adviser Team AplusWebMaster

    Following the Injection - a0v .org

    FYI... [Please DO NOT visit these domains as they are distributing malware both through the files they are peddling and via exploits.]

    Following the Injection - a0v .org
    - http://securitylabs.websense.com/con...logs/3465.aspx
    08.26.2009 - "... The site that has been injected in this campaign is a 35-day-old domain called a0v.org. The injection is in plain text, non-obfuscated script tags... There is no mercy shown with the frequency of the injections, which confirms that this injection is an automated process, as most injections are... Once a user browses to an infected Web site, the user is redirected to execute the injected script at hxxp ://a0v .org/ x.js... the first takes the user to exploit sites just down the chain, and the second takes the user to a log server established by the baddies... The next stop in the exploit chain is hxxp ://game163 .info/oday/index .html... game163.info is also a fresh domain, registered just 23 days ago. Its source goes to even further redirects in the same site. But before it decides where to go, it checks whether the user's browser is Microsoft Internet Explorer 7, using a hex-represented string for "msie 7"... Following is a summary of all the exploits used, from the last one discovered to the oldest:
    • Adobe Flash, Acrobat Reader CVE-2009-1862
    • Microsoft Office Web Components CVE-2009-1136
    • Microsoft Internet Explorer XML Parsing CVE-2008-4844
    • Microsoft DirectShow (msvidctl.dll) CVE-2008-0015 - Suspected\Disabled
    • Microsoft Data Access Components (MDAC) CVE-2006-0003
    The exploits are served from multiple replicated Web sites, bearing the exact same code and structure as game163 .info... The newest exploit used in the chain is Adobe Flash and Acrobat Reader CVE-2009-1862 -- alerted on at the end of July, and the most troublesome one, due to two facts:
    1) Today, most users don't bother to update their versions of Flash/Acrobat.
    2) We've recently received reports (in the middle of August) showing almost the same exploit code (with only minor variations in syntax) with an embedded malicious Flash file exploiting CVE-2009-1862 and holding only 2/42 and 0/42 detection rates by vendors, respectively. The results for the malicious Flash file exploiting this vulnerability in this attack are still very low, with only 5/41*, and the related exploit page with only 4/41**. Combine those two facts together, and you have a major breach that allows the attackers to do a great deal of damage. Similar mass injections happen around the clock, capitalizing on the latest exploits that rely on the two facts listed above, and holding different obfuscated source codes and payloads. Those facts can only suggest the large number of infected users from such mass compromises."
    * http://www.virustotal.com/analisis/f...744-1251148350
    File xp-swf.txt received on 2009.08.24 21:12:30 (UTC)
    Result: 5/41 (12.20%)

    ** http://www.virustotal.com/analisis/6...303-1251295435
    File ex1.txt received on 2009.08.26 14:03:55 (UTC)
    Current status: finished
    Result: 4/41 (9.76%)


  4. #84
    Adviser Team AplusWebMaster

    Another mass compromise attack

    FYI...

    Another mass compromise attack
    - http://blog.trendmicro.com/bkdr_refp...ss-compromise/
    Aug. 28, 2009 - "Trend Micro threat analysts were alerted to another mass compromise attack affecting around 55,000 consumer-oriented sites spread throughout Canada, China, the United Kingdom, and India as of the first report. This incident is a painful reminder of the persisting risk of unprotected Web-surfing. In this particular case, the malicious scripts injected in the legitimate sites lead to other sites that eventually resolve to the download of the following backdoor programs and components:
    • axa0727.exe-1 (BKDR_REFPRON.FH)
    • d.binaxa072776988 (TROJ_REFPRON.FI)
    • ms.binaxa0727588773 (TROJ_REFPRON.FJ)
    • so.binaxa0727737721 (BKDR_REFPRON.FH)
    The backdoors drop other components and connect to other IP addresses to download other malware, with further risk for users... As of this writing, searching for the offending script yields 99,000 results."


  5. #85
    Adviser Team AplusWebMaster

    2009 - Top Cyber Security Risks

    FYI...

    2009 - Top Cyber Security Risks
    - http://www.sans.org/top-cyber-security-risks/
    September 2009 - "Two risks dwarf all others, but organizations fail to mitigate them... attack data from TippingPoint intrusion prevention systems protecting 6,000 organizations, vulnerability data from 9,000,000 systems compiled by Qualys, and additional analysis... current data - covering March 2009 to August 2009 - from appliances and software in thousands of targeted organizations to provide a reliable portrait of the attacks being launched and the vulnerabilities they exploit...
    Executive Summary
    Priority One: Client-side software that remains unpatched
    Waves of targeted email attacks, often called spear phishing, are exploiting client-side vulnerabilities in commonly used programs such as Adobe PDF Reader, QuickTime, Adobe Flash and Microsoft Office. This is currently the primary initial infection vector used to compromise computers that have Internet access. Those same client-side vulnerabilities are exploited by attackers when users visit infected web sites...
    Priority Two: Internet-facing web sites that are vulnerable.
    Attacks against web applications constitute more than 60% of the total attack attempts observed on the Internet. These vulnerabilities are being exploited widely to convert trusted web sites into malicious websites serving content that contains client-side exploits. Web application vulnerabilities such as SQL injection and Cross-Site Scripting flaws in open-source as well as custom-built applications account for more than 80% of the vulnerabilities being discovered. Despite the enormous number of attacks and despite widespread publicity about these vulnerabilities, most web site owners fail to scan effectively for the common flaws and become unwitting tools used by criminals to infect the visitors that trusted those sites to provide a safe web experience..."
    (Charts available at the URL above.)

    - http://securitylabs.websense.com/con...logs/3476.aspx
    09.15.2009 - "... Websense Security Labs identified a 233 percent growth in the number of malicious sites in the last six months and a 671 percent growth over the last year..."

    Last edited by AplusWebMaster; 2009-09-15 at 22:56. Reason: Added Websense report link...

  6. #86
    Adviser Team AplusWebMaster

    Gumblar attacks surge again

    FYI...

    Gumblar attacks surge again
    - http://www.pcworld.com/businesscente...rge_again.html
    October 20, 2009 - "... In May, thousands of Web sites were found to have been hacked to serve up an iframe, which is a way to bring content from one Web site into another. The iframe led to the "gumblar.cn" domain. Gumblar would then try to exploit the user's PC via software vulnerabilities in Adobe Systems products such as Flash or Reader and then deliver malicious code. Gumblar has also now changed its tactics. Rather than hosting the malicious payload on a remote server, the hackers are now putting that code on compromised Web sites, vendors IBM and ScanSafe say. It also appears Gumblar has been updated to use one of the more recent vulnerabilities in Adobe's Reader and Acrobat programs, according to IBM's Internet Security Systems Frequency X blog*. The hackers know that it's only a matter of time before a malicious domain is shut down by an ISP. The new tactic, however, "gives them a decentralized and redundant attack vector, spread across thousands of legitimate websites around the world," IBM said... The hackers behind Gumblar have also taken to forcibly injecting a malicious iframe into forums, according to a blog post from ScanSafe***. It means that people become victim to a so-called drive-by attack, where they are instantly exposed to malicious content from elsewhere when visiting a legitimate site..."
    * http://blogs.iss.net/archive/GumblarReloaded.html
    October 19, 2009 - "... Coverage for the updated Trojan is still very low according to an analysis done through VirusTotal**..."
    ** http://www.virustotal.com/analisis/b...362-1255712244
    File 1952405D00EE6FBD3E0000E9F4250F00643110CC.exe received on 2009.10.16 16:57:24 (UTC)
    Result: 6/41 (14.63%)

    *** http://blog.scansafe.com/journal/200...et-awakes.html
    October 15, 2009

    - http://google.com/safebrowsing/diagn...te=gumblar.cn/
    "... last time suspicious content was found on this site was on 2009-10-22... this site has hosted malicious software over the past 90 days. It infected 6674 domain(s)..."
    "... last time suspicious content was found on this site was on 2009-10-26... this site has hosted malicious software over the past 90 days. It infected 6381 domain(s)..."

    Last edited by AplusWebMaster; 2009-10-26 at 16:06.

  7. #87
    Adviser Team AplusWebMaster

    6 million pwnd - Mass web infections spike

    FYI...

    6 million pwnd - Mass web infections spike
    - http://sunbeltblog.blogspot.com/2009...6-million.html
    October 27, 2009 - "Dasient web security firm of Palo Alto, Calif., published some dismal numbers on its blog today. The number of infected pages on the web increased significantly in the third quarter and more than a third of infected sites that are fixed are quickly reinfected, they said. The company said its malware analysis platform found more than 640,000 infected sites with a total of 5.8 million pages in the quarter. They compare that to the three million infected pages that Microsoft reported in the first quarter of the year.
    The attacks:
    -- JavaScript (54.8%)
    -- iFrame (37.1%)
    -- "other" (8.1%)
    ... with that preponderance of JavaScript malware, if you haven’t updated your Adobe Reader and Acrobat installations recently, you might do so. Dasient blog here*."
    * http://blog.dasient.com/2009/10/new-...d-dasient.html
    October 27, 2009

    - http://www.theregister.co.uk/2009/10...romises_spike/
    27 October 2009


  8. #88
    Adviser Team AplusWebMaster

    Media-servers.net compromised

    FYI...

    Media-servers.net compromised
    - http://securitylabs.websense.com/con...erts/3500.aspx
    11.05.2009 - "Websense... has detected that the site media-servers.net has been compromised and injected with malicious code. The Web site belongs to a high-profile advertiser on the Internet realm. It's important to note that media-servers.net serves advertising content from ad.media-servers.net, and that this site is clean. The injected code is part of an ongoing mass injection campaign that compromised thousands of legitimate Web sites... The exploits associated with this attack are:
    • Microsoft DirectShow CVE-2008-0015
    • Microsoft Snapshot Viewer CVE-2008-2463
    • Microsoft Data Access Components (MDAC) CVE-2006-0003
    • AOL ConvertFile() remote buffer overflow exploit
    There is also an autoloading malicious PDF file that holds the next vulnerabilities:
    • Adobe Reader and Acrobat 8.1.1 buffer overflow CVE-2007-5659
    • Adobe Acrobat and Reader 8.1.2 buffer overflow CVE-2008-2992 ...
    If the user's browser is successfully exploited, a malicious file is downloaded and run in the user's Windows home directory from another collaborated exploit site. The malicious file (SHA1: 6776489a0ed889fbabb317763c7c913fdc782631) has an extremely low AV detection rate* at the time the file was checked..."
    * http://www.virustotal.com/analisis/e...c84-1257416198
    File file.exe received on 2009.11.05 10:16:38 (UTC)
    Result: 2/40 (5.00%)

    (Screenshot available at the Websense URL above.)


  9. #89
    Adviser Team AplusWebMaster

    132,000+ hit by SQL injection

    FYI...

    303,000+ hit by SQL injection
    - http://www.net-security.org/secworld.php?id=8604
    10 December 2009 - "A large scale SQL injection attack has injected a malicious iframe on tens of thousands of susceptible websites. ScanSafe reports* that the injected iframe loads malicious content from 318x .com, which eventually leads to the installation of a rootkit-enabled variant of the Buzus backdoor trojan. A Google search on the iframe resulted in over 132,000 hits as of December 10, 2009..."
    * http://blog.scansafe.com/journal/200...ms-125000.html
    "... Detection of the trojan is spotty, with 22/40 antivirus vendors detecting the variant according to this VirusTotal report**..."
    ** http://www.virustotal.com/analisis/f...f2a-1260300034
    File 8ad31d8d6fc4cb12c9beec93d62d340e received on 2009.12.08 19:20:34 (UTC)
    Result: 22/40 (55.00%)

    - http://blog.scansafe.com/journal/200...-on-yahoo.html
    December 10, 2009 - "... a Yahoo search on the 318x iframe reveals a considerably higher number of hits. Does this mean Google is capping the SERPs at some arbitrary point? Currently, Yahoo is showing 303,000 on my end while a Google search on the 318x iframe is showing 159,000 (up from 125,000 yesterday and 132,000 earlier today)."

    - https://www.sans.org/newsletters/new...ssue=97#sID300
    December 10, 2009 - "... A newly-detected SQL injection attack has infected nearly 300,000 web pages with an invisible iframe that gathers malicious code from a series of web sites. The malware seeks vulnerable versions of Adobe Flash, Internet Explorer (IE) and other applications on users' computers and then installs malware that steals online banking credentials."

    - http://google.com/safebrowsing/diagn...site=318x.com/
    "... last time Google visited this site was on 2009-12-15, and the last time suspicious content was found on this site was on 2009-12-15. Malicious software includes 5853 trojan(s), 3423 scripting exploit(s), 1 exploit(s)..."

    Last edited by AplusWebMaster; 2009-12-17 at 15:33.
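A defender-side check for the kind of injection the posts above describe (plain `<script>` tags pointing at an outside domain in the a0v .org campaign, and the invisible iframe in the 318x .com campaign): an added example, not code from the thread or from the vendors it quotes. The allowlist of legitimate hosts and the sample page's hostnames are assumptions constructed for the demo; the scan flags any script or iframe source outside the allowlist, and any iframe that is 0x0, 1x1 or hidden by CSS.

```python
"""Flag <script>/<iframe> tags loading from hosts outside an allowlist, plus hidden
iframes.  Added example, not from the thread; the sample page is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site legitimately loads scripts and frames from (assumed for the demo).
ALLOWED_HOSTS = {"www.example-college.edu", "ad.example-adnet.net"}

class InjectionScanner(HTMLParser):
    """Collects <script src> / <iframe src> tags that look injected."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed_hosts = {h.lower() for h in allowed_hosts}
        self.findings = []  # (tag, src, host, line, reasons)

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        host = urlparse(src).hostname  # None for inline scripts and same-origin paths
        reasons = []
        if host and host.lower() not in self.allowed_hosts:
            reasons.append("external host")
        if tag == "iframe" and self._is_hidden(a):
            reasons.append("hidden iframe")
        if reasons:
            self.findings.append((tag, src, host, self.getpos()[0], reasons))

    @staticmethod
    def _is_hidden(a):
        # Mass-injection iframes are typically 0x0 or 1x1, or hidden with CSS.
        style = a.get("style", "").replace(" ", "").lower()
        return (a.get("width", "").strip() in ("0", "1")
                or a.get("height", "").strip() in ("0", "1")
                or "display:none" in style
                or "visibility:hidden" in style)

def scan_html(html, allowed_hosts=ALLOWED_HOSTS):
    """Return the list of suspicious tags found in one HTML document."""
    scanner = InjectionScanner(allowed_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample: one legitimate script and ad frame, plus two injected tags.
SAMPLE_PAGE = """<html><head>
<script src="http://www.example-college.edu/js/menu.js"></script>
<script src="http://malicious-host.invalid/x.js"></script>
</head><body>
<iframe src="http://ad.example-adnet.net/banner" width="300" height="250"></iframe>
<iframe src="http://malicious-host.invalid/in.html" width="0" height="0" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_PAGE):
        print(finding)
```

Run over a site's saved pages after each crawl and diff the findings against the previous run; a new external host appearing across many pages at once is the signature of the automated injections the thread documents.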
