
Thread: Thousands of sites infected - archive

  1. #71
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Another mass compromise - IFRAME redirects

    FYI...

    - http://blog.trendmicro.com/another-w...info-stealers/
    June 6, 2009 - "Aside from Gumblar, another incident of mass compromised web sites has been seen in the wild lately, and has raised as much concern as the former. This one starts with the same technique: a malicious IFRAME unknowingly embedded in a legitimate website, injected via JavaScript. The said IFRAME redirects to another IFRAME, which in turn executes obfuscated JavaScript code. Once decoded, it tries to connect to URLs to download exploits for several vulnerabilities in order to gain access to the affected user’s system. The obfuscated malicious JavaScript is detected as JS_DROPPER.LOK while the URLs that trigger the download of the exploits are detected as TROJ_SHELLCOD.HT. Upon successful exploitation, other malicious files are then downloaded, which Trend Micro detects as TROJ_MEDPINCH.B, and TROJ_MEDPINCH.A. TROJ_MEDPINCH.B connects to other URLs to download info-stealers SPYW_IEWATCHER and TSPY_LDPINCH.CBS. On the other hand, TROJ_MEDPINCH.A drops yet another info-stealer: TSPY_LDPINCH.ASG. TSPY_LDPINCH.ASG steals account information related to the following applications: This spyware steals user names, passwords, and other account and installation information of the following applications:
    • INETCOMM Server
    • Microsoft Outlook
    • Mirabilis ICQ
    • Opera Software
    • The Bat!
    • Total Commander
    • Trillian
    Though this compromise occurs within close proximity days after Gumblar’s last attack, no mention of the Gumblar.{BLOCKED} domain appears in the code. This attack may indeed be a separate one from Gumblar, or possibly be inspired by it. Related URLs are already blocked by the Smart Protection Network, but it is highly advised that users patch their systems to minimize the chances of exploit through the following updates:
    * Vulnerability in Windows Explorer Could Allow Remote Execution MS06-057
    - http://www.microsoft.com/technet/sec.../ms06-057.mspx
    * Buffer overflow in Apple QuickTime 7.1.3
    - http://cve.mitre.org/cgi-bin/cvename...=CVE-2007-0015
    * Buffer overflow in the WZFILEVIEW.FileViewCtrl.61 ActiveX control
    - http://cve.mitre.org/cgi-bin/cvename...=CVE-2006-6884
    * Vulnerability in the Microsoft Data Access Components (MDAC) Function Could Allow Code Execution - MS06-014
    - http://www.microsoft.com/technet/sec.../MS06-014.mspx
    * Microsoft Internet Explorer 7 Memory Corruption Exploit - MS09-002
    - http://www.microsoft.com/technet/sec.../MS09-002.mspx "

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
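
Added example (not part of the post above or the Trend Micro writeup it quotes): a site owner's check that flags the injected, hidden IFRAMEs and off-site script tags the writeup describes. The sample HTML, the domain evil-redirector.example and the allowlist are constructed for this example.

```python
"""Flag injected IFRAME and off-site script tags in a page's own HTML."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a legitimate page carrying one injected, hidden 1x1
# IFRAME and one script tag that loads code from an unrelated domain.
SAMPLE_HTML = """<html><head>
<script src="/js/site.js"></script>
<script src="http://evil-redirector.example/x.js"></script>
</head><body>
<h1>Welcome</h1>
<iframe src="http://evil-redirector.example/in.php" width="1" height="1"
        style="visibility:hidden"></iframe>
<iframe src="https://www.example.com/video" width="640" height="360"></iframe>
</body></html>"""

HIDDEN_STYLE = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.I)


def _tiny(value):
    """True for a width/height attribute of 2 pixels or less."""
    value = (value or "").strip().rstrip("px")
    return value.isdigit() and int(value) <= 2


class InjectedTagFinder(HTMLParser):
    """Collect (tag, src, reason) triples for tags that look injected."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []

    def _offsite(self, url):
        # Relative URLs have no host and belong to the site itself.
        host = urlparse(url).hostname
        return host is not None and host.lower() not in self.allowed

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        if tag == "script" and src and self._offsite(src):
            self.findings.append(("script", src, "off-site script source"))
        elif tag == "iframe":
            reasons = []
            if src and self._offsite(src):
                reasons.append("off-site iframe")
            if _tiny(a.get("width")) and _tiny(a.get("height")):
                reasons.append("1x1 iframe")
            if HIDDEN_STYLE.search(a.get("style", "")):
                reasons.append("hidden iframe")
            if reasons:
                self.findings.append(("iframe", src, ", ".join(reasons)))


def find_injected_tags(html, allowed_hosts):
    """Return findings for html, treating allowed_hosts as the site's own."""
    parser = InjectedTagFinder(allowed_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for tag, src, why in find_injected_tags(SAMPLE_HTML, {"www.example.com"}):
        print(f"{tag:7s} {src}  [{why}]")
```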

  2. #72
    Adviser Team AplusWebMaster

    48,000 compromised domains...

    FYI...

    - http://www.securityfocus.com/brief/970
    2009-06-08 - "The drive-by-download threat, Grumblar, continues to cause widespread infection, though the number of Web sites compromised with the malicious code appears to have declined since late May, according to Web security firm Websense. The multi-stage threat, which first compromises Web sites to install malicious code that is then used to infect visitors' PCs, rocketed eight-fold in mid-May, according to an update posted to Websense's research blog on Friday*. Attackers use stolen FTP credentials to embed the first stage of the attack on legitimate Web sites. Gary Warner, a professor of digital forensics at the University of Alabama, documented an investigation he and his students performed on a compromised Facebook group. The group, which boasted 40,000 members, contained a link to a malicious site that attempted to infect visitors with Grumblar... A malicious PDF file uploaded to victims' systems by Grumblar contains the phrase, "Boris likes horilka," according to Warner's blog**. Horilka is the Ukrainian word for vodka. The software steals FTP credentials, sends spam, installs fake antivirus software, hijacks Google search queries, and disables security software."
    * http://securitylabs.websense.com/con...logs/3414.aspx
    06.05.2009
    ** http://garwarner.blogspot.com/2009/0...d-domains.html
    June 06, 2009 - "... 48,000 compromised domains..."


  3. #73
    Adviser Team AplusWebMaster

    60,000 compromised sites...

    FYI...

    - http://windowssecrets.com/comp/090611#story1
    2009-06-11 - "Going by such names as Gumblar, JSRedir-R, Martuz, and Beladin, a new generation of malware has managed to surreptitiously place malicious JavaScript code on tens of thousands of popular Web sites. The hacker scripts try to infect site visitors and then attempt to use their compromised PCs to spread the infection to yet other sites. Over the past month, the security services ScanSafe* and Sophos** have reported infections on such major Web sites as ColdwellBanker.com, Variety.com, and Tennis.com. Niels Provos reported in the Google security blog*** on June 3 that sites infected with Gumblar numbered about 60,000. Visitors became susceptible to infection simply by opening the sites in Internet Explorer..."
    * http://blog.scansafe.com/journal/200...n-to-bots.html
    May 8, 2009

    ** http://www.sophos.com/blogs/gc/g/200...re-threat-web/
    May 14th, 2009

    *** http://googleonlinesecurity.blogspot...are-sites.html
    June 3, 2009 - "... malware researchers reported widespread compromises pointing to the domains gumblar .cn and martuz .cn, both of which made it on our top-10 list. For gumblar, we saw about 60,000 compromised sites; Martuz peaked at slightly over 35,000 sites. Beladen .net was also reported to be part of a mass compromise, but made it only to position 124 on the list with about 3,500 compromised sites..."

    - http://blog.trendmicro.com/stolen-ft...umblar-attack/
    June 10, 2009 - "Analysts of the recent Gumblar attack that compromised thousands of legitimate websites stated that the unauthorized modifications in the websites were possibly executed not only through SQL injection. The compromise was also reportedly done through accessing web server files through stolen FTP credentials gathered by one of the final malware payloads of the same attack. The infection chain initiated by the malicious scripts HTML_JSREDIR.AE and HTML_REDIR.AC ends with the download of TSPY_KATES.G into the affected system. The data-stealer, TSPY_KATES.G, installs itself as a driver on the affected system and monitors network traffic. It also steals FTP account information, which includes user names and passwords. Analysts believe that through TSPY_KATES.G Gumblar was able to compromise more sites than when it initially launched the attack. SQL injections only work under certain conditions (if the website is vulnerable enough to allow such injections), and give cybercriminals limited access to the targeted webpage. Obtaining FTP credentials however grants the cybercriminals the same level of access as what the website administrator has, regardless of any security measures used..."

    Last edited by AplusWebMaster; 2009-06-11 at 13:49. Reason: Added Trendmicro link...

  4. #74
    Adviser Team AplusWebMaster

    Nine-Ball - mass injection, malicious site, malicious code...

    FYI...

    Nine-Ball - mass injection, malicious site, malicious code
    - http://securitylabs.websense.com/con...erts/3421.aspx
    06.16.2009 - "Websense... has detected another large mass injection attack in the wild after the Beladen and Gumblar attacks. We are calling this mass compromise Nine-Ball because of the final landing site. We have been tracking the Nine-Ball mass compromise since 6/03/2009. To date, over 40,000 legitimate Web sites have been compromised with obfuscated code that leads to a multi-level redirection attack, ending in a series of drive-by exploits that if successful install a trojan downloader on the user's machine... If a user visits one of the infected sites, they are redirected through a series of different sites owned by the attacker and brought to the final landing page containing the exploit code (the redirection path is shown below). The final landing page records the visitor's IP address. When visited for the first time, the user is directed to the exploit payload site. But when visited again from the same IP address, the user is directed to the benign site of ask.com... After redirection, the exploit payload site returns highly obfuscated malicious code. The malicious code attempts to exploit MS06-014 (targeting MDAC) and CVE-2006-5820 (targeting AOL SuperBuddy), as well as employing exploits targeting Acrobat Reader and QuickTime. The MS06-014 exploit code will download a Trojan dropper with low AV detection rate*. This dropper drops a dll with the name SOCKET2.DLL to Windows' system folder. This file is used to steal user information. The malicious PDF file, served by the exploit site, also has very low AV detection rate**..."
    * http://www.virustotal.com/analisis/6...8f7-1245137075
    File l.php ... Result: 7/40 (17.50%)

    ** http://www.virustotal.com/analisis/f...894-1245160253
    File PDF.php ... Result: 3/41 (7.32%)

    (Screenshot available at the Websense URL above.)

    Last edited by AplusWebMaster; 2009-06-16 at 23:39.

  5. #75
    Adviser Team AplusWebMaster

    40,000 sites compromised - more...

    FYI...

    - http://preview.tinyurl.com/nz8pu2
    2009-06-17 E-week.com - "... "We are not releasing the names of the sites compromised," said Stephan Chenette, manager of threat research at Websense. "We've attempted to contact a subset of the compromised sites to let them know that they've been infected … No particular vertical was targeted"... in a bid to sniff out security researchers, the compromised sites are set to check if they have been visited more than once by the same IP address. If a visitor has been to the site more than once, he or she will be directed to ask.com instead of to the attack site. While Nine-Ball is the third mass Website compromise report to make headlines in recent weeks, Chenette said it appears to be distinct from the others. "The Nine-Ball mass compromise is not related to either Beladen or Gumblar, but like the previous mass compromises, many of the machines owned by the attacker are located in the Ukraine," Chenette said..."


  6. #76
    Adviser Team AplusWebMaster

    Nine-Ball attack analysis...

    FYI...

    - http://securitylabs.websense.com/con...logs/3422.aspx
    06.22.2009 - "... Nine-Ball attack compromised over 40,000 legitimate Web sites in an ongoing campaign... By analyzing the tens of thousands of Web sites compromised in this attack we can see that the majority of infected sites are in the United States (71%)... A confusing factor for most who attempt to analyze this attack is that there is no clear single malicious redirection path. Users who visit an infected site are silently taken through a series of varied redirectors and the final landing page is not always the same... The valid string, in the Nine-Ball attacks, is an iframe. When this iframe is interpreted by the browser, the browser silently visits the iframe location... Once exposed to a Nine-Ball exploit site, several exploits will be delivered to the user's browser. Among them are:
    • MS06-014 (MDAC)
    • CVE-2006-5820 (AOL SuperBuddy)
    • CVE-2007-0015 (QuickTime)
    • Adobe Acrobat Reader,
    The exploit code that targets Acrobat Reader will download a malicious PDF file from the exploit site. The PDF file integrates 3 vulnerabilities:
    • CVE-2008-1104
    • CVE-2007-5659
    • CVE-2009-0927 ..."

    (Screenshots available at the URL above.)


  7. #77
    Adviser Team AplusWebMaster

    More on Nine-ball...

    More on Nine-ball...

    - http://blog.trendmicro.com/another-m...omise-emerges/
    June 22, 2009 - "... Trend Micro was alerted of the emergence of another mass compromise, dubbed Nine Ball, for the same reason Gumblar was named Gumblar, only that this time, the Nine Ball domain is only one of hundreds of landing pages users can be redirected to... the infection starts when a user accesses a compromised site that automatically redirects him/her to several sites. These sites were actually a trio of malicious domains (specific .KZ and .TW sites) constantly used by attackers in their scheme of redirecting users to a malicious IP address registered somewhere in Ukraine. The chain ends when the user’s browser lands on a page that contains exploits for vulnerabilities in various software including Adobe Acrobat, Adobe Shockwave... Both PDF and SWF files lead to binary payloads that look similar to a new kind of information stealer detected as TSPY_SILENTBAN.U. TSPY_SILENTBAN.U installs itself as a Browser Helper Object (BHO) on the affected system and monitors Internet activity. Gathered information is then sent to a remote user using HTTP POST. Note that as of this writing, the binary payload retrieved from the attack uses this spyware. It is more likely that in future attacks, other payloads can be used... Information on the vulnerabilities exploited in this attack can be found on the following pages:
    http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-0927
    Last revised: 04/28/2009
    http://web.nvd.nist.gov/view/vuln/de...=CVE-2007-5659
    Last revised: 11/25/2008
    http://web.nvd.nist.gov/view/vuln/de...=CVE-2007-2496
    Last revised: 11/15/2008 ..."


  8. #78
    Adviser Team AplusWebMaster

    Cold Fusion sites compromised

    FYI...

    Cold Fusion sites compromised
    - http://isc.sans.org/diary.html?storyid=6715
    Last Updated: 2009-07-03 09:35:14 UTC ...(Version: 2) - "There have been a high number of Cold Fusion web sites being compromised in the last 24 hours... It appears that the attackers are exploiting web sites which have older installations of some Cold Fusion applications. These applications have vulnerable installations of FCKEditor, which is a very popular HTML text editor, or CKFinder, which is an Ajax file manager. The vulnerable installations allow the attackers to upload ASP or Cold Fusion shells which further allow them to take complete control over the server. The attacks we've been seeing in the wild end up with inserted <script> tags into documents on compromised web sites. As you can probably guess by now, the script tags point to a whole chain of web sites which ultimately serve malware and try to exploit vulnerabilities on clients...
    Update: ... It appears that there are two attack vectors (both using vulnerable FCKEditor installations though) that the attackers are exploiting. First, version 8.0.1 of Cold Fusion installs a vulnerable version of FCKEditor which is enabled by default. This is very bad news, of course, since the attacker can just directly exploit FCKEditor to upload arbitrary files on affected servers. Information on how to disable this is available on the ColdFusion web site at http://www.codfusion.com/blog/post.c...ecurity-threat
    The second attack vector is again through vulnerable FCKEditor installations, but which are this time dropped through a 3rd-party application. One of the common applications that has been seen in attacks is CFWebstore, a popular e-commerce application for ColdFusion. Older versions of CFWebstore used vulnerable FCKEditor installations - if you are using CFWebstore make sure that you are running the latest version and that any leftovers have been removed."

    - http://www.ocert.org/advisories/ocert-2009-007.html
    2009-07-03 - "... A patch and a new FCKeditor version will be made available on Monday July 6th 16:00 CET, this advisory will be updated with detailed information about the issue and a security patch. In the meantime we strongly recommend to implement the following mitigation instructions:
    * remove unused connectors from 'editor\filemanager\connectors'
    * disable the file browser in config.ext
    * inspect all fckeditor folders on the server for suspicious files that may have been previously uploaded, as an example image directories (e.g. 'fckeditor/editor/images/...') are well known target locations for remote php shells with extensions that match image files
    * remove the '_samples' directory
    Affected version: FCKeditor <= 2.6.4
    (version 3.0 is unaffected as it does not have any built-in file browser)
    Fixed version: FCKeditor >= 2.6.4.1 (to be released on 2009-07-06 16:00 CET) ..."
    ___

    - http://www.fckeditor.net/download
    Current Release - 2.6.4.1
    July 6, 2009

    - http://secunia.com/advisories/35712/2/
    Release Date: 2009-07-07
    Critical: Highly critical
    Solution: Update to version 2.6.4.1...

    > http://www.us-cert.gov/current/index...es_version_2_6

    - http://blogs.adobe.com/psirt/2009/07..._security.html
    July 3, 2009

    Last edited by AplusWebMaster; 2009-07-07 at 13:18. Reason: Updates released...
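
Added example (not from the post above, the SANS diary or the oCERT advisory): a scan that carries out the advisory's step of inspecting image directories for uploaded shells hiding behind image extensions, over an FCKeditor-style upload tree. The sample files and the fckeditor path are constructed; the marker list is an assumption and a starting point, not a complete one.

```python
"""Hunt for script files hiding under image extensions in upload folders."""
import os
import tempfile

# First bytes a real image of each extension must start with.
IMAGE_MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
}
# Server-side script markers: PHP (named in the oCERT advisory) and the
# ASP / ColdFusion shells the SANS diary mentions. Assumed starting list.
SCRIPT_MARKERS = (b"<?php", b"<%", b"<cfscript", b"<cfexecute", b"<cffile")
SCRIPT_EXTS = {".php", ".php3", ".phtml", ".asp", ".aspx", ".cfm", ".cfc"}


def inspect_file(path):
    """Return a reason string if path looks like an uploaded shell, else None."""
    ext = os.path.splitext(path)[1].lower()
    if ext in SCRIPT_EXTS:
        return "script file in upload directory"
    with open(path, "rb") as f:
        head = f.read(4096)
    expected = IMAGE_MAGIC.get(ext)
    if expected is not None and not head.startswith(expected):
        return "extension %s but no image header" % ext
    low = head.lower()
    for marker in SCRIPT_MARKERS:
        if marker in low:  # script appended behind a valid image header
            return "contains %s" % marker.decode()
    return None


def scan_uploads(root):
    """Walk root and return sorted (relative path, reason) pairs."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            reason = inspect_file(path)
            if reason:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append((rel, reason))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample tree: one clean GIF and three files to flag."""
    root = tempfile.mkdtemp(prefix="fck_")
    img = os.path.join(root, "fckeditor", "editor", "images")
    os.makedirs(img)
    samples = {
        "logo.gif": b"GIF89a" + b"\x00" * 32,                    # clean image
        "photo.jpg": b"<?php echo 'not a picture'; ?>",          # no image header
        "banner.gif": b"GIF89a" + b"\x00" * 8 + b"<% Response.Write(1) %>",  # polyglot
        "cmd.cfm": b"<cfscript>writeOutput('x');</cfscript>",   # script extension
    }
    for name, data in samples.items():
        with open(os.path.join(img, name), "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    for rel, reason in scan_uploads(build_sample_tree()):
        print(rel, "->", reason)
```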

  9. #79
    Adviser Team AplusWebMaster

    Gumblar invades Best Buy

    FYI...

    Gumblar invades Best Buy
    - http://blog.trendmicro.com/gumblar-invades-best-buy/
    July 2, 2009 - "Earlier today, Trend Micro... spotted a (potentially harmful) URL that redirects users from the Best Buy domain site. Users who visit www.bestbuy.com, as it turns out, are redirected to the URL, hxxp ://pics. bubbled.cn/gallery/hardcore/?23c4f60c1b9f604d6ffb21cba599301f
    (hxxp = http, and without the spaces). The compromised page in the domain is found to be the landing page where visitors can choose the language to be used as they browse within the site. Threat Research Manager, Ivan Macalintal, further identifies that a GEO-IP check happens prior to displaying the said landing page... The WHOIS screenshot of the .CN site states that it has been created just last June 4, 2009 by the same old criminals.
    Further investigation shows that the first .CN site is actually located in Germany and is used by attackers in Ukraine. Suffice it to say, the Russkranians are the culprits once again. Best Buy has been informed of the said URL redirections and is resolving the matter as of this writing..."

    (Screenshots and more detail at the TrendMicro URL above.)


  10. #80
    Adviser Team AplusWebMaster

    SQL injection attacks exploit MS OWC vuln

    FYI...

    (MS Office Web Components) OWC exploits used in SQL injection attacks
    - http://isc.sans.org/diary.html?storyid=6811
    Last Updated: 2009-07-16 08:38:21 UTC - "... The SQL injection attempt looks very much like the one we've been seeing for months – the attacker blindly tries to inject obfuscated SQL code... they are injecting a script code pointing to f1y .in, which is a known bad domain. This script contains links to two other web sites (www .jatrja.com and js.tongji. linezing .com [DO NOT VISIT]) serving malicious JavaScript that, besides exploits for some older vulnerabilities, also includes the exploit for the OWC vulnerability. The exploits end up downloading a Trojan (of course, what else) which currently has pretty bad detection (VT link*) – only 15 AV programs detecting it, luckily, some major AV vendors are there. If you haven't set those killbits** yet, be sure that you do now because the number of sites exploiting this vulnerability will probably rise exponentially soon."
    * http://www.virustotal.com/analisis/0...a0a-1247733262

    ** http://support.microsoft.com/kb/973472#FixItForMe

    - http://blog.trendmicro.com/massive-s...ection-ensues/
    July 17, 2009

    Last edited by AplusWebMaster; 2009-07-17 at 18:37. Reason: Added Trendmicro blog link...
