
Thread: Thousands of sites infected - archive

  1. #61
    Adviser Team AplusWebMaster (Join Date: Oct 2005; Location: USA; Posts: 6,881)

    Injected sites - Shadowserver - Full list - updated...

    FYI... (It appears the hacks have been busy - CYA)

    "Warning: We strongly suggest that readers NOT visit websites mentioned as being behind the attacks discussed. They should be considered dangerous and capable of infecting your system... list of domains used in the mass SQL injections that insert malicious javascript into websites..."

    Full list of Injected Sites
    - http://www.shadowserver.org/wiki/upl...l-inj-list.txt
    Last Updated: 01/29/09 14:02:09 -0700


    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #62
    Adviser Team AplusWebMaster

    SQL injection attacks jump 30 times initial numbers...

    FYI...

    - http://www-935.ibm.com/services/us/i...cntxt=a1030786
    02 Feb 2009 - "... Web sites have become the Achilles' heel for corporate IT security. Attackers are intensely focused on attacking Web applications so they can infect end-user machines. Meanwhile, corporations are using off-the-shelf applications that are riddled with vulnerabilities; or even worse, custom applications that can host numerous unknown vulnerabilities that can't be patched. Last year more than half of all vulnerabilities disclosed were related to Web applications, and of these, more than 74 percent had no patch. Thus, the large-scale, automated SQL injection vulnerabilities that emerged in early 2008 have continued unabated. By the end of 2008, the volume of attacks jumped to 30 times the number of attacks initially seen this summer...
    Although attackers continue to focus on the browser and ActiveX controls as a way to compromise end-user machines, they are turning their focus to incorporate new types of exploits that link to malicious movies (for example, Flash) and documents (for example, PDFs). In the fourth quarter of 2008 alone, IBM X-Force traced more than a 50 percent increase in the number of malicious URLs hosting exploits than were found in all of 2007. Even spammers are turning to known Web sites for expanded reach. The technique of hosting spam messages on popular blogs and news-related websites more than doubled in the second half of this year..."


  3. #63
    Adviser Team AplusWebMaster

    Kaspersky USA site hacked...

    FYI...

    Kaspersky USA site hacked...
    - http://www.theregister.co.uk/2009/02...romise_report/
    8 February 2009 - "A security lapse at Kaspersky has exposed a wealth of proprietary information about the anti-virus provider's products and customers, according to a blogger*, who posted screen shots and other details that appeared to substantiate the claims. In a posting made Saturday, the hacker claimed a simple SQL injection gave access to a database containing "users, activation codes, lists of bugs, admins, shop, etc." Kaspersky has declined to comment... The Register will be updating this story as warranted..."
    * http://hackersblog.org/2009/02/07/us...sql-injection/


  4. #64
    Adviser Team AplusWebMaster

    500,000 Websites Hit By New Form Of SQL Injection In '08

    FYI...

    500,000 Websites Hit By New Form Of SQL Injection In '08
    - http://www.darkreading.com/shared/pr...leID=214600046
    Feb. 25, 2009 - "...An automated form of SQL injection using botnets emerged as the popular method of hacking Websites, according to a newly released report from the Web Hacking Incidents Database (WHID), an annual report by Breach Security and overseen by the Web Application Security Consortium (WASC). The report also found that attackers increasingly are targeting a Website's customers rather than the sensitive information in the site's database... Mass SQL Injection Bot attacks basically automate the infection process; the Nihaorr1 and Asprox botnets both deployed this method last year, according to the report... Government, security, and law enforcement organizations represented the biggest sector suffering from these attacks (32 percent), but that may, in part, be due to their more stringent disclosure rules, the report says. Next were information services (13 percent), finance (11 percent), retail (11 percent), Internet (9 percent), and education (6 percent)..."
    * http://www.breach.com/resources/whit.../2008WHID.html

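The IBM, Kaspersky and WHID items above all come back to one defect: a web application that splices request data into SQL text, which is what the automated injection bots rewrite site content through. The Python below is an added example, not code from the thread or from any of the reports it quotes. It shows that defect beside its parameterized fix, and a small audit that walks every TEXT column of a database looking for an embedded script tag of the kind the mass injections left behind. The comments table, its rows and the domain bad-domain.example are constructed for the example.

```python
import sqlite3

# Constructed sample content table standing in for a site's database; the second
# body carries the kind of injected tag the reports describe (placeholder domain).
SAMPLE_ROWS = [
    (1, "alice", "Nice article, thanks."),
    (2, "bob", 'Great!<script src="http://bad-domain.example/x.js"></script>'),
]


def make_db():
    """In-memory SQLite database loaded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    conn.executemany("INSERT INTO comments VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def comments_by_author_unsafe(conn, author):
    """Vulnerable form: the request parameter is spliced into the SQL text, so
    quote characters in it become part of the statement."""
    sql = "SELECT id FROM comments WHERE author = '" + author + "'"
    return [row[0] for row in conn.execute(sql)]


def comments_by_author_safe(conn, author):
    """Hardened form: the value is bound as a parameter and never parsed as SQL."""
    sql = "SELECT id FROM comments WHERE author = ?"
    return [row[0] for row in conn.execute(sql, (author,))]


def find_injected_rows(conn, marker="<script"):
    """Audit every TEXT column in the database for an embedded script tag.
    Table and column names come from SQLite's own catalogue, not from user
    input, which is why they may be quoted into the statement as identifiers;
    the search marker itself is still passed as a bound parameter."""
    hits = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        # PRAGMA table_info rows are (cid, name, type, notnull, default, pk)
        text_cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')
                     if r[2].upper() == "TEXT"]
        for col in text_cols:
            sql = f'SELECT rowid FROM "{table}" WHERE lower("{col}") LIKE ?'
            for (rowid,) in conn.execute(sql, ("%" + marker.lower() + "%",)):
                hits.append((table, col, rowid))
    return hits


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"   # quote-breaking input no honest request would send
    print("unsafe:", comments_by_author_unsafe(db, probe))  # every row comes back
    print("safe:  ", comments_by_author_safe(db, probe))    # no author has that literal name
    print("audit: ", find_injected_rows(db))                # rows carrying a script tag
```

The audit is the useful part for a site that has already been hit: the injected tag lives in ordinary text columns, so a periodic sweep like this (or the same LIKE query run in the database's own console) catches the marker regardless of which page template renders it.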

  5. #65
    Adviser Team AplusWebMaster

    DNS redirect attack - Puerto Rico

    FYI...

    DNS redirect attack - Puerto Rico
    - http://news.cnet.com/8301-1009_3-10228436-83.html
    April 27, 2009 - "... A group calling itself the "Peace Crew" claimed that they used a SQL injection attack to break into the Puerto Rico registrar's management system... While the sites that visitors were -redirected- to were obviously not the legitimate sites, DNS redirects could be used to send unsuspecting Web surfers to phishing sites pretending to be banks where they would be prompted to provide sensitive information. People should use the SSL (Secure Sockets Layer) protocol for encrypting communications with sensitive sites and use anti-phishing technology in the browser that colors part of the URL address bar green or red based on the safety level of the site being visited..."

    (Screenshot available at the URL above.)


  6. #66
    Adviser Team AplusWebMaster

    SQL injections through Search Engine reconnaissance...

    FYI...

    SQL injections through Search Engine reconnaissance...
    - http://ddanchev.blogspot.com/2009/04...gh-search.html
    April 29, 2009 - "From the lone Chinese SQL injectors empowered with point'n'click tools for massive SQL injection attacks, to the much more efficient and automated botnet approach courtesy of, for instance, the ASProx botnet. The process of automatically fetching URLs from public search engines in order to build hit lists for verifying against remote file inclusion attacks and potential SQL injections, remains a commodity feature in a great number of newly released malware bots... A recently released malware bot is once again empowering the average script kiddie with the possibility to take advantage of the window of opportunity for each and every remotely exploitable web application flaw... Moreover, the IRC based bot is also featuring a console which allows manual exploitation or intelligence gathering for a particular site. Some of the features include:
    - Remote file inclusion
    - Local file inclusion checks ()
    - MySQL database details
    - Extract all database names
    - Data dumping from column and table
    - Notification issued when Google bans the infected host for automatically using it
    ... The window of opportunity for abusing a particular web application flaw is abused much more efficiently due to the fact that reconnaissance data about its potential exploitability is already crawled by a public search engine - often in real time. The concept, as well as the features within the bot are not rocket science - that's what makes it so easy to use."


  7. #67
    Adviser Team AplusWebMaster

    20,000+ websites compromised/injected...

    FYI...

    Mass Injection Compromises More than Twenty-Thousand Web Sites
    - http://securitylabs.websense.com/con...erts/3405.aspx
    05.29.2009 - "Websense... has detected that a large compromise of legitimate Web sites is currently taking place around the globe. Thousands of legitimate Web sites have been discovered to be injected with malicious Javascript, obfuscated code that leads to an active exploit site. The active exploit site uses a name similar to the legitimate Google Analytics domain (google-analytics.com), which provides statistical services to Web sites. This mass injection attack does -not- seem related to Gumblar. The location of the injection, as well as the decoded code itself, seem to indicate a new, unrelated, mass injection campaign... The exploit site is laden with various attacks. After successful exploitation, a malicious file is run on the exploited computer. The executed malware file has a very low AV detection rate*..."
    * http://preview.tinyurl.com/lphk6r
    File sysCF.tmp.exe received on 2009.05.29 17:04:04 (UTC) - Virustotal.com
    Result: 4/39 (10.26%)


  8. #68
    Adviser Team AplusWebMaster

    Now up to 30,000 sites compromised...

    FYI...

    - http://www.theregister.co.uk/2009/05...web_infection/
    30 May 2009 - "... has spread to about 30,000 websites run by businesses, government agencies and other organizations, researchers warned Friday. The infection sneaks malicious javascript onto the front page of websites, most likely by exploiting a common application that leads to a SQL injection, said Stephan Chenette, manager for security research at security firm Websense. The injected code is designed to look like a Google Analytics script, and it uses obfuscated javascript, so it is hard to spot. The malicious payload silently redirects visitors of infected sites to servers that analyze the end-user PC. Based on the results, it attempts to exploit one or more of about 10 different unpatched vulnerabilities on the visitor's machine. If none exist, the webserver delivers a popup window that claims the PC is infected in an attempt to trick the person into installing rogue anti-virus software..."


  9. #69
    Adviser Team AplusWebMaster

    Mass compromise - forensic analysis

    FYI...

    - http://securitylabs.websense.com/con...logs/3408.aspx
    06.01.2009 - "... Mass compromises... regularly take place, because attackers commonly use server-side vulnerabilities in an automated way to infiltrate legitimate Web sites and inject them with malicious code... The malicious code injected in the Beladen attacks* uses an obfuscation method that starts with the initialization of a long, obfuscated string parameter. This gets de-obfuscated and then executed by the browser. This kind of obfuscation can employ many levels of obfuscation - where obfuscated code leads to more obfuscated code, and so on... the malicious URL name redirects to a site with a name very similar to the Google Analytics service (this service exists at 'google-analytics.com'). Once redirection occurs, the user is redirected again to the exploits payload site, Beladen. Beladen uses wildcarded subdomains, so each time Beladen is used by the intermediate redirecting site, a different subdomain is used... Beladen is the exploit site where several exploits try to compromise the redirected browser. Beladen means loaded in German - a suitable name because the site is loaded with exploits. Once the browser is redirected to Beladen, there is another internal redirect check that verifies the referrer, to subvert any direct mining attempts to the site's obfuscated exploit code... the hosting malicious site was located at the IP subnet block of 58.65.238.0/24, which was part of the Russian Business Network (RBN). The threat this time comes from the IP block of 91.207.61.0/24, which is part of AS48031 NOVIKOV located in the Ukraine. According to our log data, this autonomous system has been quite busy spreading malicious code using Scareware, Rogue Antivirus software, and exploit sites (including the latest PDF exploits). The IP address hosting the specific attack we described holds yet another typosquatt Google-like domain..."
    * http://securitylabs.websense.com/con...erts/3405.aspx


  10. #70
    Adviser Team AplusWebMaster

    Malware payload site changes to Shkarkimi

    FYI...

    - http://securitylabs.websense.com/con...erts/3412.aspx
    06.04.2009 - "... the payload site for the mass compromise known as Beladen, has changed from Beladen to Shkarkimi. The new site is hosted on the same IP address as Beladen and the exploits it serves are the same. The obfuscated typosquatting domain of Google-Analytics leading to the exploit site Shkarkimi is still massively injected. We can confirm that, as of the time of writing, around 30,000 Web Sites are injected with code that eventually leads to Shkarkimi. For more details about this attack, please see our blog on Beladen*..."
    * http://securitylabs.websense.com/con...logs/3408.aspx
    ... shkarkimi has a very similar network topology to Beladen. Yesterday, Google Security Team posted a list of the top ten malware domains which included googleanalystlcs.net [ note the typosquatt ] as one of the top 10 malware sites**..."
    ** http://googleonlinesecurity.blogspot...are-sites.html

    (Screenshots available at the first URL above.)

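The Websense and Google items above describe what the injection looks like from the server's side: a script tag pointing at a lookalike of google-analytics.com, or an inline script that initializes a long obfuscated string, decodes it and hands it to the browser to execute. The Python below is an added example, not Websense's or the thread's code, of the check a site operator could run over their own served HTML to find that marker. The sample page, the blocklist entry bad-domain.example and the lookalike threshold (edit distance of at most 3 on the hyphen-stripped second-level label) are assumptions made for the example; googleanalystlcs.net is the domain named in the post above, and a real deployment would load the Shadowserver domain list linked earlier in the thread instead of the one-entry placeholder.

```python
import re
from urllib.parse import urlparse

REAL_ANALYTICS_DOMAIN = "google-analytics.com"
REAL_ANALYTICS_LABEL = "googleanalytics"   # second-level label with the hyphen stripped
LOOKALIKE_MAX_DISTANCE = 3                 # assumed threshold for this example

# Placeholder blocklist; load the Shadowserver list from the thread in practice.
KNOWN_BAD_DOMAINS = {"bad-domain.example"}

SCRIPT_SRC_RE = re.compile(r'<script[^>]*\ssrc\s*=\s*["\']([^"\']+)["\']', re.I)
INLINE_SCRIPT_RE = re.compile(r'<script(?![^>]*\ssrc)[^>]*>(.*?)</script>', re.I | re.S)
EXEC_RE = re.compile(r'\b(eval|unescape|String\.fromCharCode|document\.write)\s*\(')
LONG_STRING_RE = re.compile(r'["\']([^"\']{150,})["\']')


def levenshtein(a, b):
    """Plain edit distance; inputs are short labels, so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Last two labels of a host ('www.x.com' -> 'x.com'); naive, no public-suffix list."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_analytics_lookalike(host):
    """True for domains that imitate google-analytics.com but are not it."""
    domain = registrable_domain(host)
    if not host or domain == REAL_ANALYTICS_DOMAIN:
        return False
    label = re.sub(r"[^a-z0-9]", "", domain.split(".")[0])
    return levenshtein(label, REAL_ANALYTICS_LABEL) <= LOOKALIKE_MAX_DISTANCE


def script_host(src):
    """Host part of a script src; '' for same-origin relative paths."""
    if src.startswith("//"):
        src = "http:" + src
    elif "://" not in src:
        return ""
    return (urlparse(src).hostname or "").lower()


def scan_html(html, blocklist=KNOWN_BAD_DOMAINS):
    """Return (finding_kind, detail) tuples for suspicious script references."""
    findings = []
    for src in SCRIPT_SRC_RE.findall(html):
        host = script_host(src)
        if not host:
            continue
        if host in blocklist or registrable_domain(host) in blocklist:
            findings.append(("blocklisted-script", host))
        elif is_analytics_lookalike(host):
            findings.append(("analytics-lookalike", host))
    for body in INLINE_SCRIPT_RE.findall(html):
        # Shape described in the Websense write-up: a long string literal that
        # is decoded and then passed to an executing function.
        if EXEC_RE.search(body) and LONG_STRING_RE.search(body):
            findings.append(("obfuscated-inline-script", body.strip()[:40]))
    return findings


# Constructed sample page (not a real injected page). The inline payload is
# 60 copies of '%41', which unescape() would turn into a harmless run of 'A's.
SAMPLE_PAGE = (
    '<html><head>\n'
    '<script src="/static/app.js"></script>\n'
    '<script src="http://www.google-analytics.com/ga.js"></script>\n'
    '<script src="http://googleanalystlcs.net/ga.js"></script>\n'
    '<script src="//bad-domain.example/x.js"></script>\n'
    '<script>var p="' + "%41" * 60 + '";eval(unescape(p));</script>\n'
    '</head><body>hello</body></html>'
)

if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_PAGE):
        print(kind, detail)
```

The lookalike test deliberately compares only the second-level label, so a host such as google-analytics.com.attacker.example is not caught by it (its registrable domain is attacker.example); that case is what the blocklist and the obfuscation check are for, and the three checks together are more useful than any one of them.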
