Thousands of sites infected - archive

Injected sites - Shadowserver - Full list - updated...

FYI... (It appears the hacks have been busy - CYA)

"Warning: We strongly suggest that readers NOT visit websites mentioned as being behind the attacks discussed. They should be considered dangerous and capable of infecting your system... list of domains used in the mass SQL injections that insert malicious javascript into websites..."

Full list of Injected Sites
- http://www.shadowserver.org/wiki/uploads/Calendar/sql-inj-list.txt
Last Updated: 01/29/09 14:02:09 -0700


:fear::mad::fear:
 
SQL injection attacks jump 30 times initial numbers...

FYI...

- http://www-935.ibm.com/services/us/index.wss/summary/imc/a1030961?cntxt=a1030786
02 Feb 2009 - "... Web sites have become the Achilles' heel for corporate IT security. Attackers are intensely focused on attacking Web applications so they can infect end-user machines. Meanwhile, corporations are using off-the-shelf applications that are riddled with vulnerabilities; or even worse, custom applications that can host numerous unknown vulnerabilities that can't be patched. Last year more than half of all vulnerabilities disclosed were related to Web applications, and of these, more than 74 percent had no patch. Thus, the large-scale, automated SQL injection vulnerabilities that emerged in early 2008 have continued unabated. By the end of 2008, the volume of attacks jumped to 30 times the number of attacks initially seen this summer...
Although attackers continue to focus on the browser and ActiveX controls as a way to compromise end-user machines, they are turning their focus to incorporate new types of exploits that link to malicious movies (for example, Flash) and documents (for example, PDFs). In the fourth quarter of 2008 alone, IBM X-Force traced more than a 50 percent increase in the number of malicious URLs hosting exploits than were found in all of 2007. Even spammers are turning to known Web sites for expanded reach. The technique of hosting spam messages on popular blogs and news-related websites more than doubled in the second half of this year..."

:fear::spider::mad:
 
Kaspersky USA site hacked...

FYI...

Kaspersky USA site hacked...
- http://www.theregister.co.uk/2009/02/08/kaspersky_compromise_report/
8 February 2009 - "A security lapse at Kaspersky has exposed a wealth of proprietary information about the anti-virus provider's products and customers, according to a blogger*, who posted screen shots and other details that appeared to substantiate the claims. In a posting made Saturday, the hacker claimed a simple SQL injection gave access to a database containing "users, activation codes, lists of bugs, admins, shop, etc." Kaspersky has declined to comment... The Register will be updating this story as warranted..."
* http://hackersblog.org/2009/02/07/usakasperskycom-hacked-full-database-acces-sql-injection/

:fear:
 
500,000 Websites Hit By New Form Of SQL Injection In '08

FYI...

500,000 Websites Hit By New Form Of SQL Injection In '08
- http://www.darkreading.com/shared/printableArticle.jhtml?articleID=214600046
Feb. 25, 2009 - "...An automated form of SQL injection using botnets emerged as the popular method of hacking Websites, according to a newly released report from the Web Hacking Incidents Database (WHID), an annual report by Breach Security and overseen by the Web Application Security Consortium (WASC). The report also found that attackers increasingly are targeting a Website's customers rather than the sensitive information in the site's database... Mass SQL Injection Bot attacks basically automate the infection process; the Nihaorr1 and Asprox botnets both deployed this method last year, according to the report... Government, security, and law enforcement organizations represented the biggest sector suffering from these attacks (32 percent), but that may, in part, be due to their more stringent disclosure rules, the report says. Next were information services (13 percent), finance (11 percent), retail (11 percent), Internet (9 percent), and education (6 percent)..."
* http://www.breach.com/resources/whitepapers/2008WHID.html

:fear::mad::fear:
 
DNS redirect attack - Puerto Rico

FYI...

DNS redirect attack - Puerto Rico
- http://news.cnet.com/8301-1009_3-10228436-83.html
April 27, 2009 - "... A group calling itself the "Peace Crew" claimed that they used a SQL injection attack to break into the Puerto Rico registrar's management system... While the sites that visitors were -redirected- to were obviously not the legitimate sites, DNS redirects could be used to send unsuspecting Web surfers to phishing sites pretending to be banks where they would be prompted to provide sensitive information. People should use the SSL (Secure Sockets Layer) protocol for encrypting communications with sensitive sites and use anti-phishing technology in the browser that colors part of the URL address bar green or red based on the safety level of the site being visited..."

(Screenshot available at the URL above.)

:fear::spider:
 
SQL injections through Search Engine reconnaissance...

FYI...

SQL injections through Search Engine reconnaissance...
- http://ddanchev.blogspot.com/2009/04/massive-sql-injections-through-search.html
April 29, 2009 - "From the lone Chinese SQL injectors empowered with point'n'click tools for massive SQL injection attacks, to the much more efficient and automated botnet approach courtesy of, for instance, the ASProx botnet. The process of automatically fetching URLs from public search engines in order to build hit lists for verifying against remote file inclusion attacks and potential SQL injections, remains a commodity feature in a great number of newly released malware bots... A recently released malware bot is once again empowering the average script kiddie with the possibility to take advantage of the window of opportunity for each and every remotely exploitable web application flaw... Moreover, the IRC based bot is also featuring a console which allows manual exploitation or intelligence gathering for a particular site. Some of the features include:
- Remote file inclusion
- Local file inclusion checks ()
- MySQL database details
- Extract all database names
- Data dumping from column and table
- Notification issued when Google bans the infected host for automatically using it
... The window of opportunity for abusing a particular web application flaw is abused much more efficiently due to the fact that reconnaissance data about its potential exploitability is already crawled by a public search engine - often in real time. The concept, as well as the features within the bot are not rocket science - that's what makes it so easy to use."

:fear::spider::fear:
 
20,000+ websites compromised/injected...

FYI...

Mass Injection Compromises More than Twenty-Thousand Web Sites
- http://securitylabs.websense.com/content/Alerts/3405.aspx
05.29.2009 - "Websense... has detected that a large compromise of legitimate Web sites is currently taking place around the globe. Thousands of legitimate Web sites have been discovered to be injected with malicious Javascript, obfuscated code that leads to an active exploit site. The active exploit site uses a name similar to the legitimate Google Analytics domain (google-analytics.com), which provides statistical services to Web sites. This mass injection attack does -not- seem related to Gumblar. The location of the injection, as well as the decoded code itself, seem to indicate a new, unrelated, mass injection campaign... The exploit site is laden with various attacks. After successful exploitation, a malicious file is run on the exploited computer. The executed malware file has a very low AV detection rate*..."
* http://preview.tinyurl.com/lphk6r
File sysCF.tmp.exe received on 2009.05.29 17:04:04 (UTC) - Virustotal.com
Result: 4/39 (10.26%)

:fear::mad::fear:
 
Now up to 30,000 sites compromised...

FYI...

- http://www.theregister.co.uk/2009/05/30/mass_web_infection/
30 May 2009 - "... has spread to about 30,000 websites run by businesses, government agencies and other organizations, researchers warned Friday. The infection sneaks malicious javascript onto the front page of websites, most likely by exploiting a common application that leads to a SQL injection, said Stephan Chenette, manager for security research at security firm Websense. The injected code is designed to look like a Google Analytics script, and it uses obfuscated javascript, so it is hard to spot. The malicious payload silently redirects visitors of infected sites to servers that analyze the end-user PC. Based on the results, it attempts to exploit one or more of about 10 different unpatched vulnerabilities on the visitor's machine. If none exist, the webserver delivers a popup window that claims the PC is infected in an attempt to trick the person into installing rogue anti-virus software..."

:fear::mad:
 
Mass compromise - forensic analysis

FYI...

- http://securitylabs.websense.com/content/Blogs/3408.aspx
06.01.2009 - "... Mass compromises... regularly take place, because attackers commonly use server-side vulnerabilities in an automated way to infiltrate legitimate Web sites and inject them with malicious code... The malicious code injected in the Beladen attacks* uses an obfuscation method that starts with the initialization of a long, obfuscated string parameter. This gets de-obfuscated and then executed by the browser. This kind of obfuscation can employ many levels of obfuscation - where obfuscated code leads to more obfuscated code, and so on... the malicious URL name redirects to a site with a name very similar to the Google Analytics service (this service exists at 'google-analytics.com'). Once redirection occurs, the user is redirected again to the exploits payload site, Beladen. Beladen uses wildcarded subdomains, so each time Beladen is used by the intermediate redirecting site, a different subdomain is used... Beladen is the exploit site where several exploits try to compromise the redirected browser. Beladen means loaded in German - a suitable name because the site is loaded with exploits. Once the browser is redirected to Beladen, there is another internal redirect check that verifies the referrer, to subvert any direct mining attempts to the site's obfuscated exploit code... the hosting malicious site was located at the IP subnet block of 58.65.238.0/24, which was part of the Russian Business Network (RBN). The threat this time comes from the IP block of 91.207.61.0/24, which is part of AS48031 NOVIKOV located in the Ukraine. According to our log data, this autonomous system has been quite busy spreading malicious code using Scareware, Rogue Antivirus software, and exploit sites (including the latest PDF exploits). The IP address hosting the specific attack we described holds yet another typosquat Google-like domain..."
* http://securitylabs.websense.com/content/Alerts/3405.aspx

:devil::mad::fear:
 
Malware payload site changes to Shkarkimi

FYI...

- http://securitylabs.websense.com/content/Alerts/3412.aspx
06.04.2009 - "... the payload site for the mass compromise known as Beladen, has changed from Beladen to Shkarkimi. The new site is hosted on the same IP address as Beladen and the exploits it serves are the same. The obfuscated typosquatting domain of Google-Analytics leading to the exploit site Shkarkimi is still massively injected. We can confirm that, as of the time of writing, around 30,000 Web Sites are injected with code that eventually leads to Shkarkimi. For more details about this attack, please see our blog on Beladen*..."
* http://securitylabs.websense.com/content/Blogs/3408.aspx
... shkarkimi has a very similar network topology to Beladen. Yesterday, Google Security Team posted a list of the top ten malware domains which included googleanalystlcs.net [ note the typosquat ] as one of the top 10 malware sites**..."
** http://googleonlinesecurity.blogspot.com/2009/06/top-10-malware-sites.html

(Screenshots available at the first URL above.)

:fear::mad::fear:
 
Another mass compromise - IFRAME redirects

FYI...

- http://blog.trendmicro.com/another-wave-of-mass-compromises-serve-info-stealers/
June 6, 2009 - "Aside from Gumblar, another incident of mass-compromised web sites has been seen in the wild lately, and has raised as much concern as the former. This one starts with the same technique: a malicious IFRAME unknowingly embedded in a legitimate website, injected via JavaScript. The said IFRAME redirects to another IFRAME, which in turn executes obfuscated JavaScript code. Once decoded, it tries to connect to URLs to download exploits for several vulnerabilities in order to gain access to the affected user’s system. The obfuscated malicious JavaScript is detected as JS_DROPPER.LOK while the URLs that trigger the download of the exploits are detected as TROJ_SHELLCOD.HT. Upon successful exploitation, other malicious files are then downloaded, which Trend Micro detects as TROJ_MEDPINCH.B, and TROJ_MEDPINCH.A. TROJ_MEDPINCH.B connects to other URLs to download info-stealers SPYW_IEWATCHER and TSPY_LDPINCH.CBS. On the other hand, TROJ_MEDPINCH.A drops yet another info-stealer: TSPY_LDPINCH.ASG. This spyware steals user names, passwords, and other account and installation information of the following applications:
• INETCOMM Server
• Microsoft Outlook
• Mirabilis ICQ
• Opera Software
• The Bat!
• Total Commander
• Trillian
Though this compromise occurs within days after Gumblar’s last attack, no mention of the Gumblar.{BLOCKED} domain appears in the code. This attack may indeed be a separate one from Gumblar, or possibly be inspired by it. Related URLs are already blocked by the Smart Protection Network, but it is highly advised that users patch their systems to minimize the chances of exploit through the following updates:
* Vulnerability in Windows Explorer Could Allow Remote Execution MS06-057
- http://www.microsoft.com/technet/security/bulletin/ms06-057.mspx
* Buffer overflow in Apple QuickTime 7.1.3
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0015
* Buffer overflow in the WZFILEVIEW.FileViewCtrl.61 ActiveX control
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6884
* Vulnerability in the Microsoft Data Access Components (MDAC) Function Could Allow Code Execution - MS06-014
- http://www.microsoft.com/technet/security/Bulletin/MS06-014.mspx
* Microsoft Internet Explorer 7 Memory Corruption Exploit - MS09-002
- http://www.microsoft.com/technet/security/bulletin/MS09-002.mspx"

:fear::mad::fear:
 
48,000 compromised domains...

FYI...

- http://www.securityfocus.com/brief/970
2009-06-08 - "The drive-by-download threat, Gumblar, continues to cause widespread infection, though the number of Web sites compromised with the malicious code appears to have declined since late May, according to Web security firm Websense. The multi-stage threat, which first compromises Web sites to install malicious code that is then used to infect visitors' PCs, rocketed eight-fold in mid-May, according to an update posted to Websense's research blog on Friday*. Attackers use stolen FTP credentials to embed the first stage of the attack on legitimate Web sites. Gary Warner, a professor of digital forensics at the University of Alabama, documented an investigation he and his students performed on a compromised Facebook group. The group, which boasted 40,000 members, contained a link to a malicious site that attempted to infect visitors with Gumblar... A malicious PDF file uploaded to victims' systems by Gumblar contains the phrase, "Boris likes horilka," according to Warner's blog**. Horilka is the Ukrainian word for vodka. The software steals FTP credentials, sends spam, installs fake antivirus software, hijacks Google search queries, and disables security software."
* http://securitylabs.websense.com/content/Blogs/3414.aspx
06.05.2009
** http://garwarner.blogspot.com/2009/06/gumblars-48000-compromised-domains.html
June 06, 2009 - "... 48,000 compromised domains..."

:fear::mad::fear:
 
60,000 compromised sites...

FYI...

- http://windowssecrets.com/comp/090611#story1
2009-06-11 - "Going by such names as Gumblar, JSRedir-R, Martuz, and Beladin, a new generation of malware has managed to surreptitiously place malicious JavaScript code on tens of thousands of popular Web sites. The hacker scripts try to infect site visitors and then attempt to use their compromised PCs to spread the infection to yet other sites. Over the past month, the security services ScanSafe* and Sophos** have reported infections on such major Web sites as ColdwellBanker.com, Variety.com, and Tennis.com. Niels Provos reported in the Google security blog*** on June 3 that sites infected with Gumblar numbered about 60,000. Visitors became susceptible to infection simply by opening the sites in Internet Explorer..."
* http://blog.scansafe.com/journal/2009/5/8/google-serps-redirections-turn-to-bots.html
May 8, 2009

** http://www.sophos.com/blogs/gc/g/2009/05/14/malicious-jsredir-javascript-biggest-malware-threat-web/
May 14th, 2009

*** http://googleonlinesecurity.blogspot.com/2009/06/top-10-malware-sites.html
June 3, 2009 - "... malware researchers reported widespread compromises pointing to the domains gumblar .cn and martuz .cn, both of which made it on our top-10 list. For gumblar, we saw about 60,000 compromised sites; Martuz peaked at slightly over 35,000 sites. Beladen .net was also reported to be part of a mass compromise, but made it only to position 124 on the list with about 3,500 compromised sites..."

- http://blog.trendmicro.com/stolen-ftp-credentials-key-to-gumblar-attack/
June 10, 2009 - "Analysts of the recent Gumblar attack that compromised thousands of legitimate websites stated that the unauthorized modifications in the websites were possibly executed not only through SQL injection. The compromise was also reportedly done through accessing web server files through stolen FTP credentials gathered by one of the final malware payloads of the same attack. The infection chain initiated by the malicious scripts HTML_JSREDIR.AE and HTML_REDIR.AC ends with the download of TSPY_KATES.G into the affected system. The data-stealer, TSPY_KATES.G, installs itself as a driver on the affected system and monitors network traffic. It also steals FTP account information, which includes user names and passwords. Analysts believe that through TSPY_KATES.G Gumblar was able to compromise more sites than when it initially launched the attack. SQL injections only work under certain conditions (if the website is vulnerable enough to allow such injections), and give cybercriminals limited access to the targeted webpage. Obtaining FTP credentials, however, grants the cybercriminals the same level of access as the website administrator has, regardless of any security measures used..."

:fear::mad::fear:
 
Nine-Ball - mass injection, malicious site, malicious code...

FYI...

Nine-Ball - mass injection, malicious site, malicious code
- http://securitylabs.websense.com/content/Alerts/3421.aspx
06.16.2009 - "Websense... has detected another large mass injection attack in the wild after the Beladen and Gumblar attacks. We are calling this mass compromise Nine-Ball because of the final landing site. We have been tracking the Nine-Ball mass compromise since 6/03/2009. To date, over 40,000 legitimate Web sites have been compromised with obfuscated code that leads to a multi-level redirection attack, ending in a series of drive-by exploits that if successful install a trojan downloader on the user's machine... If a user visits one of the infected sites, they are redirected through a series of different sites owned by the attacker and brought to the final landing page containing the exploit code (the redirection path is shown below). The final landing page records the visitor's IP address. When visited for the first time, the user is directed to the exploit payload site. But when visited again from the same IP address, the user is directed to the benign site of ask.com... After redirection, the exploit payload site returns highly obfuscated malicious code. The malicious code attempts to exploit MS06-014 (targeting MDAC) and CVE-2006-5820 (targeting AOL SuperBuddy), as well as employing exploits targeting Acrobat Reader and QuickTime. The MS06-014 exploit code will download a Trojan dropper with low AV detection rate*. This dropper drops a dll with the name SOCKET2.DLL to Windows' system folder. This file is used to steal user information. The malicious PDF file, served by the exploit site, also has very low AV detection rate**..."
* http://www.virustotal.com/analisis/...c5c1604aa37e4f866036a1e94c35cc68f7-1245137075
File l.php ... Result: 7/40 (17.50%)

** http://www.virustotal.com/analisis/...2165fd8ac157fa46c955a5e35112aad894-1245160253
File PDF.php ... Result: 3/41 (7.32%)

(Screenshot available at the Websense URL above.)

:fear::mad::fear:
 
40,000 sites compromised - more...

FYI...

- http://preview.tinyurl.com/nz8pu2
2009-06-17 E-week.com - "... "We are not releasing the names of the sites compromised," said Stephan Chenette, manager of threat research at Websense. "We've attempted to contact a subset of the compromised sites to let them know that they've been infected … No particular vertical was targeted"... in a bid to sniff out security researchers, the compromised sites are set to check if they have been visited more than once by the same IP address. If a visitor has been to the site more than once, he or she will be directed to ask.com instead of to the attack site. While Nine-Ball is the third mass Website compromise report to make headlines in recent weeks, Chenette said it appears to be distinct from the others. "The Nine-Ball mass compromise is not related to either Beladen or Gumblar, but like the previous mass compromises, many of the machines owned by the attacker are located in the Ukraine," Chenette said..."

:fear::fear:
 
Nine-Ball attack analysis...

FYI...

- http://securitylabs.websense.com/content/Blogs/3422.aspx
06.22.2009 - "... Nine-Ball attack compromised over 40,000 legitimate Web sites in an ongoing campaign... By analyzing the tens of thousands of Web sites compromised in this attack we can see that the majority of infected sites are in the United States (71%)... A confusing factor for most who attempt to analyze this attack is that there is no clear single malicious redirection path. Users who visit an infected site are silently taken through a series of varied redirectors and the final landing page is not always the same... The valid string, in the Nine-Ball attacks, is an iframe. When this iframe is interpreted by the browser, the browser silently visits the iframe location... Once exposed to a Nine-Ball exploit site, several exploits will be delivered to the user's browser. Among them are:
• MS06-014 (MDAC)
• CVE-2006-5820 (AOL SuperBuddy)
• CVE-2007-0015 (QuickTime)
• Adobe Acrobat Reader,
The exploit code that targets Acrobat Reader will download a malicious PDF file from the exploit site. The PDF file integrates 3 vulnerabilities:
• CVE-2008-1104
• CVE-2007-5659
• CVE-2009-0927 ..."

(Screenshots available at the URL above.)

:fear::mad::fear:
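A check a site owner can run over their own pages for the injection pattern described in the Websense and Register posts above (an off-site script whose host imitates google-analytics.com, an obfuscated inline script built from a long string) and in the Nine-Ball analysis (a silently loaded iframe). This is an added example, not code from Websense, Trend Micro or the original poster; the allowlist, the `.example` hosts and the sample page are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site legitimately loads scripts from (assumed allowlist; adjust per site).
ALLOWED_HOSTS = {"www.google-analytics.com", "ssl.google-analytics.com"}
# Registrable labels the campaigns above imitated (hyphens stripped).
BRAND_LABELS = {"googleanalytics"}
# Inline-script heuristic: a decoder call plus a long literal, the "long obfuscated
# string parameter" pattern Websense describes.
DECODER_RE = re.compile(r"\b(eval|unescape|String\.fromCharCode)\s*\(")
LONG_STRING_RE = re.compile(r"""["'][^"'\n]{100,}["']""")
# Visual swaps used by the typosquats quoted above (l/1 for i, 0 for o).
FOLD = str.maketrans("1l0", "iio")

def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(host):
    """Return the brand label `host` imitates (folded edit distance <= 2), else None."""
    labels = host.lower().split(".")
    if len(labels) < 2:
        return None
    sld = re.sub(r"[^a-z0-9]", "", labels[-2]).translate(FOLD)
    for brand in BRAND_LABELS:
        if levenshtein(sld, brand.translate(FOLD)) <= 2:
            return brand
    return None

class InjectionScanner(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []          # (kind, value, reason) tuples
        self._script = None         # body chunks while inside <script>, else None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._script = []
            if a.get("src"):
                self._check_src("script", a["src"])
        elif tag == "iframe":
            src = a.get("src") or ""
            if src:
                self._check_src("iframe", src)
            style = (a.get("style") or "").replace(" ", "").lower()
            if {a.get("width"), a.get("height")} & {"0", "1"} or "display:none" in style:
                self.findings.append(("hidden-iframe", src, "zero-size or hidden iframe"))

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            body, self._script = "".join(self._script), None
            if DECODER_RE.search(body) and LONG_STRING_RE.search(body):
                self.findings.append(("obfuscated-inline-script", "", "decoder over long literal"))

    def _check_src(self, kind, src):
        host = (urlparse(src).hostname or "").lower()
        if not host or host == self.site_host or host in ALLOWED_HOSTS:
            return  # same-site or allowlisted: nothing to flag
        brand = lookalike_of(host)
        if brand:
            self.findings.append(("lookalike-" + kind, host, "imitates " + brand))
        else:
            self.findings.append(("offsite-" + kind, host, "host outside the allowlist"))

def scan_html(html, site_host):
    scanner = InjectionScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page: legitimate analytics tag, same-site script, typosquat,
# obfuscated inline script, and a zero-size iframe to an off-site redirector.
SAMPLE_PAGE = (
    '<html><head><script src="http://www.google-analytics.com/ga.js"></script>\n'
    '<script src="/js/site.js"></script>\n'
    '<script src="http://google-analytlcs.example/urchin.js"></script>\n'
    '<script>var s="' + "%3C%69" * 20 + '";document.write(unescape(s));</script>\n'
    '</head><body><iframe src="http://redirector.example/in.php" width="0" height="0"></iframe></body></html>'
)

if __name__ == "__main__":
    for kind, value, reason in scan_html(SAMPLE_PAGE, "www.example.org"):
        print(f"{kind:26} {value:36} {reason}")
```

Run it against saved copies of your own front pages with your real hostname; review every finding by hand, since an unlisted but legitimate third-party host also shows up as off-site.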
 
More on Nine-ball...

More on Nine-ball...

- http://blog.trendmicro.com/another-messy-mass-compromise-emerges/
June 22, 2009 - "... Trend Micro was alerted to the emergence of another mass compromise, dubbed Nine Ball, for the same reason Gumblar was named Gumblar, only that this time, the Nine Ball domain is only one of hundreds of landing pages users can be redirected to... the infection starts when a user accesses a compromised site that automatically redirects him/her to several sites. These sites were actually a trio of malicious domains (specific .KZ and .TW sites) constantly used by attackers in their scheme of redirecting users to a malicious IP address registered somewhere in Ukraine. The chain ends when the user’s browser lands on a page that contains exploits for vulnerabilities in various software including Adobe Acrobat, Adobe Shockwave... Both PDF and SWF files lead to a binary payload that looks similar to a new kind of information stealer detected as TSPY_SILENTBAN.U. TSPY_SILENTBAN.U installs itself as a Browser Helper Object (BHO) on the affected system and monitors Internet activity. Gathered information is then sent to a remote user using HTTP POST. Note that as of this writing, the binary payload retrieved from the attack uses this spyware. It is likely that in future attacks, other payloads can be used... Information on the vulnerabilities exploited in this attack can be found on the following pages:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0927
Last revised:04/28/2009
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-5659
Last revised:11/25/2008
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-2496
Last revised:11/15/2008 ..."

:fear::fear::fear:
 
Cold Fusion sites compromised

FYI...

Cold Fusion sites compromised
- http://isc.sans.org/diary.html?storyid=6715
Last Updated: 2009-07-03 09:35:14 UTC ...(Version: 2) - "There have been a high number of Cold Fusion web sites being compromised in the last 24 hours... It appears that the attackers are exploiting web sites which have older installations of some Cold Fusion applications. These applications have vulnerable installations of FCKEditor, which is a very popular HTML text editor, or CKFinder, which is an Ajax file manager. The vulnerable installations allow the attackers to upload ASP or Cold Fusion shells which further allow them to take complete control over the server. The attacks we've been seeing in the wild end up with <script> tags inserted into documents on compromised web sites. As you can probably guess by now, the script tags point to a whole chain of web sites which ultimately serve malware and try to exploit vulnerabilities on clients...
Update: ... It appears that there are two attack vectors (both using vulnerable FCKEditor installations though) that the attackers are exploiting. First, version 8.0.1 of Cold Fusion installs a vulnerable version of FCKEditor which is enabled by default. This is very bad news, of course, since the attacker can just directly exploit FCKEditor to upload arbitrary files on affected servers. Information on how to disable this is available on the ColdFusion web site at http://www.codfusion.com/blog/post.cfm/cf8-and-fckeditor-security-threat
The second attack vector is again through vulnerable FCKEditor installations, but ones which are this time dropped in through third-party applications. One of the common applications that has been seen in attacks is CFWebstore, a popular e-commerce application for ColdFusion. Older versions of CFWebstore used vulnerable FCKEditor installations - if you are using CFWebstore make sure that you are running the latest version and that any leftovers have been removed."

- http://www.ocert.org/advisories/ocert-2009-007.html
2009-07-03 - "... A patch and a new FCKeditor version will be made available on Monday July 6th 16:00 CET, this advisory will be updated with detailed information about the issue and a security patch. In the meantime we strongly recommend implementing the following mitigation instructions:
* remove unused connectors from 'editor\filemanager\connectors'
* disable the file browser in config.ext
* inspect all fckeditor folders on the server for suspicious files that may have been previously uploaded; for example, image directories (e.g. 'fckeditor/editor/images/...') are well-known target locations for remote php shells with extensions that match image files
* remove the '_samples' directory
Affected version: FCKeditor <= 2.6.4
(version 3.0 is unaffected as it does not have any built-in file browser)
Fixed version: FCKeditor >= 2.6.4.1 (to be released on 2009-07-06 16:00 CET) ..."
___

- http://www.fckeditor.net/download
Current Release - 2.6.4.1
July 6, 2009

- http://secunia.com/advisories/35712/2/
Release Date: 2009-07-07
Critical: Highly critical
Solution: Update to version 2.6.4.1...

> http://www.us-cert.gov/current/index.html#fckeditor_releases_version_2_6

- http://blogs.adobe.com/psirt/2009/07/potential_coldfusion_security.html
July 3, 2009

:fear:
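The oCERT mitigation steps above, as an added example (not oCERT's, ISC's or the original poster's code): walk a web root for image-named files that contain server-side script tags, and list leftover `_samples` and filemanager `connectors` directories. The sample tree it builds is constructed and only stands in for a real FCKeditor install; the markers it writes are harmless placeholders, and any hit should be reviewed by hand because a genuine binary image can contain `<%` by chance.

```python
import os
import re
import shutil
import tempfile

# Extensions the advisory names as the disguise used for uploaded shells.
IMAGE_EXT = {".gif", ".jpg", ".jpeg", ".png", ".bmp"}
# Server-side script markers that have no business inside an image file:
# PHP, ASP/JSP and ColdFusion tags, matched case-insensitively on raw bytes.
SCRIPT_MARKER = re.compile(rb"<\?php|<%|<cf(script|execute|file|query|http)", re.I)

def _rel(path, root):
    return os.path.relpath(path, root).replace(os.sep, "/")

def find_disguised_uploads(root):
    """Return image-named files under `root` whose bytes contain a script tag."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in IMAGE_EXT:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()  # whole file: a shell may follow a genuine image header
            if SCRIPT_MARKER.search(data):
                hits.append(_rel(path, root))
    return sorted(hits)

def find_leftover_dirs(root):
    """Return '_samples' directories and 'connectors' directories under 'filemanager'."""
    found = []
    for dirpath, dirs, _ in os.walk(root):
        parent = os.path.basename(dirpath).lower()
        for d in dirs:
            if d.lower() == "_samples" or (d.lower() == "connectors" and parent == "filemanager"):
                found.append(_rel(os.path.join(dirpath, d), root))
    return sorted(found)

def make_sample_tree():
    """Build a constructed web root (not a real FCKeditor install) and return its path."""
    root = tempfile.mkdtemp(prefix="fck-sample-")
    for d in ("fckeditor/editor/images/smiley",
              "fckeditor/editor/filemanager/connectors/php",
              "fckeditor/_samples"):
        os.makedirs(os.path.join(root, d))
    files = {
        # genuine image: GIF header only
        "fckeditor/editor/images/smiley/ok.gif": b"GIF89a\x01\x00\x01\x00",
        # disguised upload: image header followed by a harmless PHP marker
        "fckeditor/editor/images/smiley/avatar.gif": b"GIF89a<?php echo 'constructed marker'; ?>",
        # disguised ColdFusion upload carrying a .jpg name
        "fckeditor/editor/images/x.jpg": b"<cfscript>/* constructed marker */</cfscript>",
        # ordinary editor file, not image-named, so not inspected
        "fckeditor/fckeditor.js": b"// constructed placeholder",
    }
    for rel, data in files.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root

def remove_sample_tree(root):
    shutil.rmtree(root)

if __name__ == "__main__":
    import sys
    # Usage: python fck_check.py /path/to/webroot   (no argument: scan the sample tree)
    root = sys.argv[1] if len(sys.argv) > 1 else make_sample_tree()
    print("disguised uploads:", *find_disguised_uploads(root), sep="\n  ")
    print("leftover directories:", *find_leftover_dirs(root), sep="\n  ")
    if len(sys.argv) == 1:
        remove_sample_tree(root)
```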
 
Gumblar invades Best Buy

FYI...

Gumblar invades Best Buy
- http://blog.trendmicro.com/gumblar-invades-best-buy/
July 2, 2009 - "Earlier today, Trend Micro... spotted a (potentially harmful) URL that redirects users from the Best Buy domain site. Users who visit www.bestbuy.com, as it turns out, are redirected to the URL, hxxp ://pics. bubbled.cn/gallery/hardcore/?23c4f60c1b9f604d6ffb21cba599301f
(hxxp = http, and without the spaces). The compromised page in the domain is found to be the landing page where visitors can choose the language to be used as they browse within the site. Threat Research Manager, Ivan Macalintal, further identifies that a GEO-IP check happens prior to displaying the said landing page... The WHOIS screenshot of the .CN site states that it has been created just last June 4, 2009 by the same old criminals.
Further investigation shows that the first .CN site is actually located in Germany and is used by attackers in Ukraine. Suffice it to say, the Russkranians are the culprits once again. Best Buy has been informed of the said URL redirections and is resolving the matter as of this writing..."

(Screenshots and more detail at the TrendMicro URL above.)

:fear::mad::fear:
 
SQL injection attacks exploit MS OWC vuln

FYI...

(MS Office Web Components) OWC exploits used in SQL injection attacks
- http://isc.sans.org/diary.html?storyid=6811
Last Updated: 2009-07-16 08:38:21 UTC - "... The SQL injection attempt looks very much like the one we've been seeing for months – the attacker blindly tries to inject obfuscated SQL code... they are injecting a script code pointing to f1y .in, which is a known bad domain. This script contains links to two other web sites (www .jatrja.com and js.tongji. linezing .com [DO NOT VISIT]) serving malicious JavaScript that, besides exploits for some older vulnerabilities, also include the exploit for the OWC vulnerability. The exploits end up downloading a Trojan (of course, what else) which currently has pretty bad detection (VT link*) – only 15 AV programs detecting it; luckily, some major AV vendors are there. If you haven't set those killbits** yet, be sure that you do now because the number of sites exploiting this vulnerability will probably rise exponentially soon."
* http://www.virustotal.com/analisis/...dfb56268bfc7833968a1b26675376dda0a-1247733262

** http://support.microsoft.com/kb/973472#FixItForMe

- http://blog.trendmicro.com/massive-sql-injection-ensues/
July 17, 2009

:fear::mad::fear:
 