CURRENT ACTIVITIES
Malware circulating through Christmas E-card
Date : December 26, 2008
Updated : December 31, 2008
It has been observed that new malware is circulating via e-mails pretending to be Christmas Day and holiday greetings. These spam e-mails come with subject lines such as "Merry Xmas!" and "Merry Christmas card for you!" and other Christmas-related phrases. The e-mail contains a URL that takes the user to a malicious website hosting the malware "ecard.exe".
A screenshot of the spam mail is given below:

The subject lines in the e-mail are as follows:
- A Christmas card from a friend
- A special card just for you
- Christmas Ecard Notification
- Christmas Wishes!
- Christmas card for you
- Christmas greetings e-card is waiting for you
- Christmas greetings from your friend
- Greeting for you!
- Happy Christmas!
- Have a warm an lovely Christmas!
- I made an Ecard for U!
- I sent you the ecard
- Joyful Christmas!
- Merry Christmas 'N Happy New Year!
- Merry Christmas 2009!
- Merry Christmas To You!
- Merry Christmas card for you!
- Merry Christmas e-card is waiting for you
- Merry Xmas!
- Warmest Wishes For Christmas!
- Wish You A Merry Christmas!
- Xmas card for you
- You Received an Ecard.
- You have a Christmas Greeting!
- You have a greeting card
Once users click the link embedded in the spam mail, they are redirected to a bogus e-card website.
Upon clicking the image, the user is prompted to download the file ecard.exe, which is detected as "Waledac" (Symantec).

Once installed, the worm searches all files on local and removable drives for e-mail addresses. The gathered information is encrypted and forwarded to a remote server hardcoded into the malware. The worm then spams copies of itself to the harvested e-mail addresses.
Several malicious domains hosting the malware have been reported.
The aforementioned websites are set up to exploit the following vulnerabilities on the user's machine:
- MS IE7 Exploit MS08-078
- MDAC Exploit
- Adobe PDF Exploit
- QuickTime RTSP exploit
- Snapshot Viewer exploit
- WebfolderIcon exploit
- NCTAudioFile2 ActiveX exploit
- KingSoft UpdateOcx2.dll SetUninstallName() Heap Overflow Exploit
- Yahoo! Webcam image upload ActiveX Exploit
- Yahoo! Webcam view utilities ActiveX Exploit
- Aurigma ImageUploader ActiveX Exploit
- RealNetworks RealPlayer ActiveX Exploit
- Creative Software AutoUpdate Engine ActiveX stack buffer overflow Exploit
- CA BrightStor ARCserve Backup r11.5 AddColumn() E
In addition to sending copies of itself as spam, the infected machine also sends spam mails such as the following:
From: "Random Name" <random@email.address>
To: <victim >
Subject: Flexible Hours career_ promotion possibilities for you
Date: Tue, 23 Dec 2008 20:14:11 -0000
Hello
We found your ad of work search. First of all let me introduce.
We are he large financial company. The main types of activity:
securities,exchange services,trading services,broker intermediary.
During the global crisis we have obtain a lot of customers who are
waiting for jump of the basic stock quotes. Most of the newly acquired
customers is in the Canada. Due to features of the legislation we cannot work directly with physical persons.
To do this we need an authorized representative
or official representation. As we did not expect huge
interest from the Canada - the opening of representation is not
included in our plans. In connection with the aforesaid, we are looking
for responsible person for mediation services which will be the official
representative in your region.
In more details we will
tell to you in case of your interest. Send your interest note
ONLY to: [removed]@gmail.com
Users are advised to implement the following countermeasures:
- Block the emails with above mentioned subject lines.
- Exercise caution while clicking on any link embedded inside e-mail messages, instant messages or web pages.
- Block the above malicious domains.
- Filter e-mails with abovementioned subject lines and body.
- Install and maintain updated anti-virus software at gateway and desktop level.
- Install and maintain updated anti-spyware software at desktop level.
- Keep up-to-date on patches and fixes for the OS and application software.
References
http://isc.sans.org/diary.html?storyid=5557
http://www.f-secure.com/v-descs/email-worm_w32_waledac_a.shtml
http://www.symantec.com/norton/security_response/writeup.jsp?docid=2008-122308-1429-99&tabid=2
http://asert.arbornetworks.com/2008/12/another-holiday-another-e-card-run-waledec/
http://www.itworld.com/security/59801/fake-christmas-holiday-greetings-spread-new-malware
https://forums.symantec.com/t5/blogs/blogarticlepage/blog-id/malicious_code/article-id/223

Spreading of DNSChanger malware and rogue DHCP servers
Date : December 17, 2008
Updated : December 26, 2008
It has been reported that variants of "DNSChanger" malware, which use an "unauthorized DHCP server" attack to change the DNS configuration of systems on the same local network, are in the wild. This Trojan may be dropped by other malware or may be downloaded unknowingly by a user visiting malicious websites. It is also reported that some variants are able to change the DNS server settings in ADSL modems, routers and cable modems.
The Trojan sets up a rogue DHCP server on the victim's PC and serves bogus DHCP packets to other machines when they request a new IP configuration. It configures the requesting clients with rogue DNS servers, which causes their Internet traffic to be diverted to bogus or otherwise malicious sites.
DHCP is a mechanism commonly used to automatically assign IP addresses as well as parameters including default gateway and DNS servers to computers and other devices on a local network.
Using a malicious DNS server to divert traffic to malicious sites is known as pharming. A pharmed user may type a bank URL directly into the browser but may end up on a fake site designed to capture login details to aid in making fraudulent transactions.
The malware is dubbed Flush.M (Symantec), a variant of the "DNS-changing Trojan". It installs a legitimate driver, NDISProt, which allows it to send and receive raw Ethernet frames. When other systems on the LAN make a DHCP request to receive or renew an IP address, the Trojan responds with bogus DHCP packets over UDP ports 67 and 68 and thereby attempts to hijack the DNS configuration of the computers on the LAN.
A pictorial representation is given below:

If the requesting system (Clean Machine) receives Infected Machine’s (Flush.M's) response before that of the real DHCP server, it will start using the malicious DNS server(s) rather than those specified by the real network administrator.
A packet capture (pcap) of a response sent by Flush.M shows the assigned DNS server IPs:

Once the DNS servers are modified, the attacker can redirect a machine to any malicious or phishing website.
In view of the massive scale of the attack and the high damage potential of the malware, website administrators and users are advised to implement the following countermeasures:
- Monitor for DHCP offers originating from addresses other than the real DHCP servers.
- Monitor traffic to the IP address range 85.255.112.0 to 85.255.127.25.
- Administrators can use utilities such as those listed below to enumerate the DHCP servers running on the network.
- Refer to the Microsoft article "Preventing Rogue DHCP servers" on how to detect and prevent rogue DHCP servers on the network.
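The first countermeasure above, monitoring for DHCP offers from unexpected servers, can be automated by parsing the OFFER packets themselves. The following is an added example (not code from the advisory or from any vendor): it parses the BOOTP header and DHCP option area, flags OFFERs whose server identifier (option 54) is not an authorised server, and flags offered DNS servers (option 6) in the address range the advisory names. The authorised server address and the sample packets are constructed for the demonstration.

```python
"""Flag DHCP OFFER packets that do not come from an authorised DHCP server,
or that hand out DNS servers in the range named in the advisory.
Added example; the sample packets are constructed, not captures from the page."""
import ipaddress
import struct

# Assumption for the example: the only authorised DHCP server on this LAN.
AUTHORISED_DHCP_SERVERS = {"192.168.1.1"}

# Range as given in the advisory text (85.255.112.0 to 85.255.127.25).
FLAGGED_DNS_START = int(ipaddress.IPv4Address("85.255.112.0"))
FLAGGED_DNS_END = int(ipaddress.IPv4Address("85.255.127.25"))

DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 6, 53, 54, 255
DHCPOFFER = 2


def parse_dhcp(payload: bytes) -> dict:
    """Parse the fixed 236-byte BOOTP header plus the TLV option area of a DHCP message."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    op, htype, hlen, hops, xid = struct.unpack("!BBBBI", payload[:8])
    yiaddr = str(ipaddress.IPv4Address(payload[16:20]))   # address being offered
    options = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == 0:            # pad byte, no length field
            i += 1
            continue
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "yiaddr": yiaddr, "options": options}


def ip_list(raw: bytes) -> list:
    """Decode an option value holding zero or more 4-byte IPv4 addresses."""
    return [str(ipaddress.IPv4Address(raw[j:j + 4])) for j in range(0, len(raw) - 3, 4)]


def check_offer(payload: bytes) -> list:
    """Return findings for one DHCP message; an empty list means the OFFER looks legitimate."""
    msg = parse_dhcp(payload)
    opts = msg["options"]
    if opts.get(OPT_MSG_TYPE, b"")[:1] != bytes([DHCPOFFER]):
        return []            # only OFFERs are examined here
    findings = []
    server_id = ip_list(opts.get(OPT_SERVER_ID, b""))
    if not server_id or server_id[0] not in AUTHORISED_DHCP_SERVERS:
        who = server_id[0] if server_id else "unknown"
        findings.append(f"offer from unauthorised server {who}")
    for dns in ip_list(opts.get(OPT_DNS, b"")):
        if FLAGGED_DNS_START <= int(ipaddress.IPv4Address(dns)) <= FLAGGED_DNS_END:
            findings.append(f"offered DNS server {dns} is in the flagged range")
    return findings


def build_offer(server_id: str, dns_servers: list, xid: int = 0x1234) -> bytes:
    """Construct a minimal DHCP OFFER (sample data for the demonstration, not a capture)."""
    header = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)  # op=BOOTREPLY, ethernet
    header += b"\x00" * 4                                     # ciaddr
    header += ipaddress.IPv4Address("192.168.1.50").packed    # yiaddr
    header += ipaddress.IPv4Address(server_id).packed         # siaddr
    header += b"\x00" * 4                                     # giaddr
    header += b"\x00" * 16 + b"\x00" * 64 + b"\x00" * 128     # chaddr, sname, file
    opts = bytes([OPT_MSG_TYPE, 1, DHCPOFFER])
    opts += bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_id).packed
    dns_raw = b"".join(ipaddress.IPv4Address(d).packed for d in dns_servers)
    opts += bytes([OPT_DNS, len(dns_raw)]) + dns_raw + bytes([OPT_END])
    return header + DHCP_MAGIC + opts


if __name__ == "__main__":
    good = build_offer("192.168.1.1", ["192.168.1.1"])
    rogue = build_offer("192.168.1.77", ["85.255.112.10", "8.8.8.8"])
    print("legitimate offer:", check_offer(good) or "no findings")
    print("rogue offer:", check_offer(rogue))
```

In a live deployment the payload bytes would come from a capture filter on UDP port 68 (client side) or 67, one UDP payload per call.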
References
https://forums.symantec.com/syment/blog/article?blog.id=emerging&thread.id=118
http://isc.sans.org/diary.html?storyid=5434
http://www.symantec.com/security_response/writeup.jsp?docid=2008-120318-5914-99&tabid=1
http://technet.microsoft.com/en-us/library/cc780347.aspx

0-day exploit for Internet Explorer in the wild
Date : December 16, 2008
Updated : December 18, 2008
It is reported that an exploit for the zero-day vulnerability in Internet Explorer described in CERT-In vulnerability note CIVN 2008-191 is circulating in the wild. The vulnerability involves an invalid pointer reference in the data binding function of Internet Explorer when it attempts to parse XML tags.
By convincing a user to view a specially crafted XML document (e.g., a web page, an e-mail message or an attachment), an attacker is able to execute arbitrary code with the privileges of the user.
A screenshot of the exploit is shown below. (Source: SANS)
It is reported that several websites are hosting obfuscated malicious JavaScript (detected as JS_DLOAD.MD by Trend Micro) that can exploit the said vulnerability through a heap spray on SDHTML.
After successful exploitation, it triggers a series of redirections to multiple URLs and finally connects to one of several different domains; a full list of malicious domains can be found at ShadowServer.
Once it successfully exploits the vulnerability, it accesses any of the following URLs to download malicious files:
- http://{BLOCKED}u.com/iiee/explore.exe
- http://{BLOCKED}yyy.cn/1.exe
- http://www.{BLOCKED}c.cn/down/ko.exe (detected as RTKT_BUREY.C, TROJ_DROPPER.EYC and TROJ_SMALL.IYS respectively by Trend Micro)
The vulnerable browser may crash when accessing a site that contains the specially-crafted JavaScript code.
It is also reported that the MSIE 0-day is spreading via SQL injection, with obfuscated JavaScript delivered through cookie-based injection. A code snippet is given below:
The 1.js script on the domain links to multiple other HTML documents, one of which, ie7.htm, is the latest zero-day exploit.
It is also reported that malicious .DOC files are spreading to exploit the vulnerability. Upon opening the Word document, the embedded ActiveX control with classid {AE24FDAE-03C6-11D1-8B76-0080C744F389} (the Microsoft Scriptlet Component, whose policy setting stores configuration data for it) is instantiated and executed.

This control can cause Internet Explorer to request the remote site hosting the exploit without the knowledge or permission of the user.
Countermeasures
References
http://www.cert-in.org.in/vulnerability/civn-2008-191.htm
http://www.microsoft.com/technet/security/advisory/961051.mspx
http://www.cert-in.org.in/currentacts/currentact07.htm#SIW
http://www.avertlabs.com/research/blog/index.php/2008/12/09/yet-another-unpatched-drive-by-exploit-found-on-the-web/
http://www.avertlabs.com/research/blog/
http://securitylabs.websense.com/content/Alerts/3259.aspx
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081211

Trojan Gimmiv.A exploits Microsoft Windows Server Service Vulnerability
Date : October 24, 2008
Updated : November 18, 2008
It is reported that the Trojan Gimmiv.A is exploiting the Microsoft Windows Server service vulnerability, which involves improper handling of specially crafted remote procedure call (RPC) requests. Further details of the vulnerability are available in CERT-In vulnerability note CIVN 2008-170 dated 24th October 2008.
Successful exploitation of this vulnerability may give an attacker complete control of an affected system and allow harvesting of sensitive, personal information from the infected machine.
The Trojan Gimmiv.A is also known as Generic Dropper [McAfee], Mal/Generic-A [Sophos] and TrojanSpy:Win32/Gimmiv.A [Microsoft].
Upon execution the Trojan drops the files winbase.dll, basesvc.dll and syicon.dll into the directory %System%\Wbem. After dropping and loading the aforementioned DLLs, the Trojan will collect system information from the compromised computer, collect passwords from the Windows protected storage and Outlook Express passwords cache, and post collected details to a remote host. The details are posted in an encrypted form, by using AES (Rijndael) encryption.
The Trojan also fetches a few files from the following websites:
- http://summertime.1goku[removed].com
- http://perlbod[removed].com
- http://dorado[removed].com
The DLL "basesvc.dll" is responsible for the network propagation of the worm. It starts by probing other IPs on the same network, sending them the byte sequence "abcde" or "12345". The worm then attempts to exploit other machines by sending them a malformed RPC request, relying on a vulnerable Server service. The Server service uses the named pipe SRVSVC as its RPC interface, which is registered with the UUID 4b324fc8-1670-01d3-1278-5a47bf6ee188. The worm binds to the SRVSVC interface and sends a maliciously crafted RPC request, which leads to a buffer overflow condition.
It is also observed that a commercial malware toolkit customized for various Windows versions is available on the Internet. The attack kit includes enhanced features such as a kernel rootkit and anti-virus software termination.
Some anti-virus vendors detect the toolkit as Exploit-MS08-067, and the dropped exploit and port scanning tool as Exploit-MS08-067 trojan and Tool-TCP Scan application respectively.
Countermeasures
- Apply appropriate patches as mentioned in Microsoft Security Bulletin MS08-067
- On Windows Vista and Windows Server 2008, block all RPC requests with the Universally Unique Identifier (UUID) equal to 4b324fc8-1670-01d3-1278-5a47bf6ee188.
- Block TCP ports 139 and 445 at the perimeter.
- Install and maintain an updated anti-virus software at gateway and desktop level.
- Install and maintain Firewall at Desktop level.
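The UUID-based countermeasure above depends on recognising which interface an RPC client is binding to. The following added example (not code from the advisory or from Microsoft) parses a DCE/RPC version 5 bind PDU, decodes the abstract-syntax UUID of each presentation context, and reports whether the SRVSVC interface is requested, so a monitoring tool can log or block such binds. The bind PDU used for the demonstration is constructed; only the little-endian data representation is handled.

```python
"""Parse a DCE/RPC v5 bind PDU and report whether it requests the SRVSVC interface
(UUID 4b324fc8-1670-01d3-1278-5a47bf6ee188) named in the countermeasures above.
Added example with a constructed PDU; not code from the advisory."""
import struct
import uuid

SRVSVC_UUID = uuid.UUID("4b324fc8-1670-01d3-1278-5a47bf6ee188")
NDR_TRANSFER_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")
PTYPE_BIND = 11


def parse_bind(pdu: bytes) -> list:
    """Return (context_id, interface UUID, version) for every presentation context
    in a bind PDU. Only the little-endian data representation (drep byte 4 == 0x10)
    is handled; the first three UUID fields are stored little-endian in that case,
    which is exactly what uuid.UUID(bytes_le=...) decodes."""
    if len(pdu) < 28 or pdu[0] != 5 or pdu[2] != PTYPE_BIND:
        raise ValueError("not a DCE/RPC v5 bind PDU")
    if pdu[4] & 0xF0 != 0x10:
        raise ValueError("big-endian drep not supported in this example")
    frag_len = struct.unpack_from("<H", pdu, 8)[0]
    if frag_len > len(pdu):
        raise ValueError("truncated PDU")
    n_ctx = pdu[24]                    # number of presentation contexts
    off = 28                           # first context element
    contexts = []
    for _ in range(n_ctx):
        ctx_id, n_tsyn = struct.unpack_from("<HB", pdu, off)
        abs_uuid = uuid.UUID(bytes_le=pdu[off + 4:off + 20])   # abstract syntax
        ver = struct.unpack_from("<I", pdu, off + 20)[0]
        contexts.append((ctx_id, abs_uuid, ver))
        off += 24 + 20 * n_tsyn        # skip the transfer syntaxes (20 bytes each)
    return contexts


def binds_srvsvc(pdu: bytes) -> bool:
    """True when any presentation context in the bind asks for SRVSVC."""
    return any(iface == SRVSVC_UUID for _, iface, _ in parse_bind(pdu))


def build_bind(interface: uuid.UUID, version: int = 3, call_id: int = 1) -> bytes:
    """Construct a minimal single-context bind PDU (sample data for the demonstration)."""
    ctx = struct.pack("<HBB", 0, 1, 0)                       # ctx id, 1 syntax, pad
    ctx += interface.bytes_le + struct.pack("<I", version)   # abstract syntax
    ctx += NDR_TRANSFER_SYNTAX.bytes_le + struct.pack("<I", 2)
    body = struct.pack("<HHI", 4280, 4280, 0)                # max xmit/recv, assoc group
    body += bytes([1, 0, 0, 0]) + ctx                        # n_context_elem + pad
    frag_len = 16 + len(body)
    header = struct.pack("<BBBBIHHI", 5, 0, PTYPE_BIND, 0x03, 0x10, frag_len, 0, call_id)
    return header + body


if __name__ == "__main__":
    print("SRVSVC bind detected:", binds_srvsvc(build_bind(SRVSVC_UUID)))
```
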
References
http://www.f-secure.com/v-descs/trojan-spy_w32_gimmiv_a.shtml
http://www.threatexpert.com/report.aspx?uid=a940ad27-1f2b-4236-8284-8a9f7f99e7de
http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx
http://www.threatexpert.com/reports.aspx?find=gimmiv
http://www.cert-in.org.in/vulnerability/civn-2008-170.htm
http://www.avertlabs.com/research/blog/index.php/2008/11/14/exploit-ms08-067-bundled-in-commercial-malware-kit/

Linux systems actively targeted using SSH key attacks
Date : September 03, 2008
It has been reported that attacks are being launched against Linux environments using compromised SSH keys.
The Secure Shell (SSH) is used to communicate securely between networked machines and uses public key cryptography to authenticate the remote computer and to allow the remote computer to authenticate the user.
Attackers are using compromised SSH keys together with a local kernel exploit to gain root access. Once attackers have control of the system, they install a Linux kernel rootkit called 'phalanx2'. After a Linux server using a weak key is identified and rooted, the keys it uses to connect to other servers are sent to the attackers, who can potentially use them to access those servers if both the private and public parts of a key are obtained. It is also reported that this is related to the known vulnerability in the predictable random number generator of the OpenSSL package provided with the Debian distribution, which makes cryptographic keys guessable.
Phalanx2 is a variant of Phalanx, a self-injecting kernel rootkit designed for the Linux 2.6 branch that hides files, processes and sockets, injects itself automatically on boot, and includes tools for sniffing a tty and connecting it to a backdoor. Phalanx2 has been updated to systematically steal SSH keys. Its files are located in /etc/khubd.p2.
The presence of Phalanx2 can be identified by the following:
- "ls" (list directory) does not show the directory "/etc/khubd.p2/", but it can be entered with "cd /etc/khubd.p2" (change directory).
- "/dev/shm/" may contain files from the attack.
- Changes in the configuration of the rootkit might alter the indicators listed above. Other detection methods include searching for hidden processes and checking the link (reference) count of "/etc" against the number of directories shown by "ls".
The contents of the /etc/khubd.p2 directory are shown below.
drwxrwxrwx 2 root root 4096 Jul 28 14:29 ./
drwxr-xr-x 94 root root 12288 Jul 28 15:05 ../
-rw-r--r-- 1 root root 1356 Jul 24 19:58 .p2rc
-rwxr-xr-x 1 root root 561032 Jul 24 19:58 .phalanx2*
-rwxr-xr-x 1 root root 7637 Jul 28 15:04 .sniff*
-rw-r--r-- 1 root 53746 1063 Jul 24 20:56 sshgrab.py
(the Python script sshgrab.py dumps the .ssh directory of each user to /dev/shm)
If a compromise is confirmed, users are advised to disable key-based SSH authentication on the affected systems and perform an audit of all SSH keys on those systems.
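The link-count check described above (comparing the hard-link count of "/etc" with the number of directories "ls" shows) and the "not listed but enterable" check can be scripted. This is an added example, not a tool from the advisory; the directory names it probes are the ones the advisory gives, and the link-count rule assumes a filesystem that keeps the classic Unix convention (two links for a directory plus one per subdirectory), so it reports the test as inconclusive where that convention does not hold.

```python
"""Detect subdirectories hidden from readdir() the way the Phalanx2 indicators above
describe. Added example, not code from the advisory or from any rootkit detector."""
import os
import stat


def expected_hidden(nlink: int, visible_subdirs: int) -> int:
    """On traditional Unix filesystems a directory carries 2 links ('.' and the entry in
    its parent) plus one for the '..' of each subdirectory. Any surplus is a
    subdirectory that readdir() is not reporting."""
    return nlink - 2 - visible_subdirs


def visible_subdir_count(path: str) -> int:
    """Count subdirectories the way 'ls' sees them (symlinks to directories excluded)."""
    count = 0
    for name in os.listdir(path):
        st = os.lstat(os.path.join(path, name))
        if stat.S_ISDIR(st.st_mode):
            count += 1
    return count


def hidden_subdir_count(path: str):
    """Number of subdirectories hidden from listing, or None when the filesystem does not
    maintain the classic link-count convention (btrfs and overlayfs report st_nlink == 1
    for directories), in which case the test is inconclusive rather than clean."""
    nlink = os.stat(path).st_nlink
    if nlink < 2:
        return None
    return expected_hidden(nlink, visible_subdir_count(path))


def probe_known_path(path: str) -> str:
    """The first indicator from the advisory: a directory that the parent's listing does
    not show but that can still be entered. Returns HIDDEN, VISIBLE or ABSENT."""
    parent, name = os.path.split(path.rstrip("/"))
    listed = os.path.isdir(parent) and name in os.listdir(parent)
    enterable = os.path.isdir(path)
    if enterable and not listed:
        return "HIDDEN"
    if enterable:
        return "VISIBLE"
    return "ABSENT"


if __name__ == "__main__":
    for d in ("/etc", "/dev/shm"):
        if os.path.isdir(d):
            print(f"{d}: hidden subdirectories = {hidden_subdir_count(d)}")
    print("/etc/khubd.p2:", probe_known_path("/etc/khubd.p2"))
```

A kernel rootkit that also filters stat() results would defeat the second probe, which is why the advisory additionally recommends an integrity tool such as Tripwire or AIDE.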
Workarounds
- Apply appropriate measures and tools as mentioned by Debian: http://www.metasploit.com/users/hdm/tools/debian-openssl/
- Make sure that machines require a passphrase to use SSH keys.
- Review access paths to Internet-facing systems and ensure that systems are fully patched.
- Keep up-to-date patches and fixes on the operating system and application software.
- Use data integrity tools like Tripwire or AIDE to check for the phalanx2 rootkit.
References
http://www.us-cert.gov/current/#ssh_key_based_attacks
http://isc.sans.org/diary.html?storyid=4937
http://blogs.zdnet.com/security/?p=1803
http://www.metasploit.com/users/hdm/tools/debian-openssl/
http://blogs.techrepublic.com.com/opensource/?p=210
http://www.sophos.com/security/analyses/viruses-and-spyware/trojphalanx2a.html
http://www.theregister.co.uk/2008/08/27/ssh_key_attacks_warning/

Propagation of Malware via .doc files
Date : August 22, 2008
It has been observed that e-mails containing malicious .doc files are circulating widely. These mails arrive as news items, mostly related to the Beijing Olympics 2008, to trick users.
These trojanised .doc files (detected as TROJ_MDROPPER.ZT) exploit the zero-day vulnerability (CVE-2008-2244) in Microsoft Word 2000, 2002 and 2003 described in CERT-In vulnerability note CIVN-2008-104. It can also affect other versions of the popular word-processing application. Patches for this vulnerability were released in August 2008.
When a user opens the malicious attachment, the malware embedded inside the document infects the user's system.
Some of the malicious files have the following file names:
- attachment.doc
- appeal_letter_of_fttj.doc
- attend_the_opening_ceremony_of_the_29th_olympic_games_in_beijing.doc
- lingotto_con_fiat.doc
- tibetan_independence_vs_beijing_olympic.doc
Upon successful exploitation of the zero-day vulnerability, TROJ_MDROPPER.ZT executes shellcode that runs an embedded file. The embedded file may be any of the following:
- %System%\msjava.exe - detected by Trend Micro as TROJ_ENFAL.AA
- %System%\dump.exe - detected as TROJ_ENFAL.AA
- %System%\6to4ex.dll - detected as BKDR_PCCLIEN.AAP
- %System%\systio.exe - detected as TSPY_KEYLOG.CP
- %Windows%\spupdsvc.exe - detected as TROJ_PROXY.RI
- %Windows%\hscancon.dll - detected as TROJ_ZLOB.BPM
This Trojan also drops a copy of itself in %User Temp%.
Screenshot of a file is given below:

Countermeasures
- Apply appropriate patches as mentioned in CERT-In vulnerability note CIVN-2008-104 and Microsoft Security Bulletin MS08-042.
- Do not open or save Microsoft Office files received from untrusted sources or received unexpectedly from trusted sources.
- Install and maintain updated anti-virus software at gateway and desktop level.
- Keep up-to-date patches and fixes on the operating system and application software.
- Delete e-mails with the above-mentioned filenames at the e-mail gateway.
- Users may install the Microsoft Office Isolated Conversion Environment (MOICE) on PCs running Windows and Microsoft Office. This facilitates isolation of malicious MS Office documents and prevents execution of malicious code embedded in these documents.
- Home users may refer to the CERT-In security guideline "Securing Home Computers".
References
http://blog.trendmicro.com/let-the-games-begin/
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_ENFAL.AA
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_PCCLIEN.AAP
http://www.trendmicro.com/vinfo/grayware/ve_graywareDetails.asp?Gname=TSPY_KEYLOG.CP
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_PROXY.RI
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_ZLOB.BPM
http://www.securesynergy.com/securitynews/newsitems/2008/aug/200808-03.htm
http://economictimes.indiatimes.com/Infotech/Internet_/Beware_if_your_mail_has_an_invitation_to_Beijing/articleshow/3380895.cms
http://www.cert-in.org.in/vulnerability/civn-2008-104.htm

Propagation of malware via spam e-mail in the name of MSNBC.com "BREAKING NEWS"
Date : August 14, 2008
It has been observed that a new wave of spam e-mails pretending to be from msnbc.com is circulating widely. These spam e-mails come with subject lines drawn from current affairs, changing daily with the news, and contain links that take the user to malicious websites hosting malicious files such as "adobe_flash.exe". Some of the malicious files are detected as the Nuwar worm.
Sample e-mail is shown below:
msnbc.com: BREAKING NEWS: Preliminary polls for the election
Find out more at http://breakingnews.msnbc.com

Here's a sampling of subject lines:
msnbc.com - BREAKING NEWS US dollar hits 6-year high further gain expected
msnbc.com - BREAKING NEWS Americans love to Sue people
msnbc.com - BREAKING NEWS Stock set to fall in recession
msnbc.com - BREAKING NEWS Buy gold at lowest price & make immediate profits
msnbc.com - BREAKING NEWS: Mary-Kate Olsen responsible for Heath Ledger's death
msnbc.com - BREAKING NEWS: Google launches free music downloads in China
msnbc.com - BREAKING NEWS: McDonald's found to breach FDA regulations, suspended from trading
msnbc.com - BREAKING NEWS: Obama set to win presidency
When a user visits any of the links present in the e-mail, the malicious webpage generates a fake popup warning about an incorrect Video ActiveX object version, enticing the user to download a new video ActiveX object, as shown below.

Upon visiting the malicious websites, the file named "adobe_flash.exe" is downloaded onto the visitor's system.

Some of the domains involved in hosting this malicious file are:
- www dot 3zebras dot net/msn dot html
- nyinjuryfirm dot net /msn dot html
- www dot knhospital dot com
- www dot ebest dot us dot com
- www dot blazeteck dot com/msn dot html
Users are advised to implement following countermeasures:
- Block the emails with above mentioned subject lines at Mail Gateway
- View emails in Plain-text format
- Exercise caution while clicking on any link embedded inside the e-mail message/Instant messages or web pages.
- Filter e-mails with abovementioned subject lines and body.
- Install and maintain updated anti-virus software at gateway and desktop level
- Install and maintain updated anti-spyware software at desktop level
- Keep up-to-date on patches and fixes on the OS and application software
References
http://www.securitywatch.co.uk/2008/08/13/msnbccom-breaking-news-spam/
http://www.sophos.com/pressoffice/news/articles/2008/08/msnbc.html?_log_from=rss
http://redtape.msnbc.com/2008/08/msnbc-cnn-hit-b.html
http://www.securecomputing.net.au/News/119568,fake-msnbc-news-alerts-push-spam.aspx
http://www.net-security.org/malware_news.php?id=975

Propagation of malware via spam e-mail in the name of "CNN.com Daily Top 10"
Date : August 07, 2008
It has been observed that a new wave of spam e-mails pretending to be from CNN.com is circulating widely. These spam e-mails come with subject lines such as "CNN.com Daily Top 10 Stories" and "CNN.com Daily Top 10 Videos". The e-mail contains URLs presented as current affairs items, changing daily with the news, which take the user to malicious websites hosting malicious files such as "get_flash_update.exe".
Sample e-mail is shown below:
When a user visits any of the links present in the e-mail, the malicious webpage generates a fake popup warning about an incorrect Flash Player version, enticing the user to download a new Flash Player, as shown below.
Some other fake warning messages luring users to install the same are:


Upon visiting the malicious websites, the file named "get_flash_update.exe" is downloaded onto the visitor's system.
Several domains involved in hosting this malicious file have been reported.
Users are advised to implement following countermeasures:
- Block the emails with above mentioned subject lines at Mail Gateway
- View emails in Plain-text format
- Exercise caution while clicking on any link embedded inside the e-mail message/Instant messages or web pages.
- Filter e-mails with abovementioned subject lines and body.
- Install and maintain updated anti-virus software at gateway and desktop level
- Install and maintain updated anti-spyware software at desktop level
- Keep up-to-date on patches and fixes on the OS and application software
References
ZDNet: http://blogs.zdnet.com/security/?p=1657
ISC.Sans: https://isc.sans.org/diary.html?storyid=4828
COMPUTERWORLD: http://www.computerworld.com.au/index.php/id;401302061;fp;16;fpid;1

Malware stealing online game credentials spreading
Date : July 11, 2008
It has been observed that different variants of malware that steal online game credentials are spreading widely. Some of the variants spread as packed executables. These variants steal confidential information such as usernames and passwords for online games and send this information to a remote website by HTTP POST.
Some of the variants also inject their code into the Internet Explorer process to hook the functions send and sendto, intercepting confidential information sent via Internet Explorer to particular URLs. These variants also download and execute additional malware onto the infected system in order to update themselves.
The variants capture confidential data for popular online games such as Rainbow Island, Cabal Online, A Chinese Odyssey, Hao Fang Battle Net, Lineage, Gamania, MapleStory, qqgame, Legend of Mir and World of Warcraft.
To update themselves, these variants communicate with the domain om7890 DOT com.
In view of the rapid propagation of password-stealing malware, users are advised to implement the following countermeasures:
- Block access to domain om7890 DOT com.
- Install and maintain an updated anti-virus software at gateway and desktop level.
- Keep up-to-date anti-spyware signatures.
- Keep up-to-date on patches and fixes on the operating system and application software.
References:
http://www.microsoft.com/security/portal/Entry.aspx?name=Trojan%3aWin32%2fTilcun.gen!B
http://www.microsoft.com/security/portal/Entry.aspx?name=PWS%3aWin32%2fCeekat.gen!A
http://www.microsoft.com/security/portal/Entry.aspx?name=PWS%3aWin32%2fFrethog.AP
http://www.microsoft.com/security/portal/Entry.aspx?name=Worm%3aWin32%2fTaterf.gen!C
http://www.microsoft.com/security/portal/Entry.aspx?name=Worm%3aWin32%2fTaterf.A.dll
http://www.microsoft.com/security/portal/Entry.aspx?name=Worm%3aWin32%2fTaterf.gen!D
http://www.trendmicro.com/vinfo/apac/virusencyclo/default5.asp?VName=WORM_NSPM.TASH
http://www.sophos.com/security/analyses/viruses-and-spyware/malbehav204.html

SQL Injection Attacks and Exploitation of Adobe Flash Player Vulnerabilities
Date : June 05, 2008
Updated: June 25, 2008
It has been observed that a new wave of SQL injection attacks is being launched on websites, further exploiting the Adobe Flash Player vulnerabilities described in CERT-In Vulnerability Note CIVN-2008-68 and CERT-In Advisory CIAD-2008-23. Some of the malicious domains used in these attacks are hosted on fast-flux DNS.
Online gamers seem to be the primary target of the attack, but the payload could be changed dynamically by the attackers.
Websites have been compromised through SQL injection and injected with malicious scripts. These scripts redirect users to malicious URLs containing Shockwave (SWF) files that exploit the Adobe Flash Player vulnerabilities. Successful exploitation downloads Trojans onto the vulnerable system.
The infected website checks the victim's browser type in order to serve the appropriate exploit.
The script recently injected into websites through SQL injection is "hxxp://en-us18 DOT com/b DOT js".
Shockwave files with the following names are found on the websites:
- ie1.swf
- ie2.swf
- 1231.swf
- 1232.swf
- 4561.swf
- 4562.swf
- i1232.swf
- i1231.swf
- flash1.swf
- flash2.swf
- WIN 9,0,115,0i.swf
- WIN 9,0,115,0f.swf
- WIN %209,0,115,0ie.swf
- WIN %209,0,115,0ff.swf
Websites exploiting the Adobe Flash Player vulnerability have also been reported.
In view of the massive scale of the attack and the high damage potential of the malware, website administrators and users are advised to implement the following countermeasures.
Website administrators:
- Enable request validation by setting validateRequest="true" in the Page directive or in the configuration section.
- Input filtering: properly sanitize user input data.
- Comment out malicious code: any injected scripting content should be "safely" commented out.
- Avoid cross-site scripting appended to URLs via special characters such as #, e.g. http://www.vulnerable.site/welcome.html#name=<script>alert(document.cookie)</script>
- Output filtering: filter user data when it is sent back to the user's browser.
- Disable client-side scripting.
- Use signed scripting: implement "signed scripting" such that any script with an invalid or untrusted signature does not run automatically.
- Microsoft released an advisory on June 24, 2008 suggesting steps to mitigate the risk of SQL injection attacks on websites running ASP.NET. For details refer to Microsoft Advisory 954462: http://www.microsoft.com/technet/security/advisory/954462.mspx
- A free scanner named Scrawlr has been developed by Hewlett-Packard which can identify whether sites are susceptible to SQL injection. The tool and support for its use can be found at: http://www.communities.hp.com/securitysoftware/blogs/spilabs/archive/2008/06/23/finding-sql-injection-with-scrawlr.aspx
System Administrators and Users:
- Apply the patches/updates to address vulnerabilities in Adobe Flash Player as mentioned in CERT-In Vulnerability Note CIVN-2008-68 and CERT-In Advisory CIAD-2008-23.
- Block access to the above-mentioned domains.
- Disable JavaScript and ActiveX scripting in the browser settings, or use the NoScript extension with the Firefox browser.
- Keep up to date on patches and fixes for the OS and application software.
- Install and maintain updated anti-virus software at gateway and desktop level.
- Exercise caution even while visiting trusted websites.
References:
http://isc.incidents.org/diary.html?storyid=4519
http://isc.incidents.org/diary.html?storyid=4474
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080527
http://www.theregister.co.uk/2008/05/27/new_adobe_flash_vuln/print.html
http://www.darkreading.com/document.asp?doc_id=155020&WT.svl=news1_2
Massive SQL Injection Attacks
Date : May 09, 2008
Updated: May 12, 2008; May 22, 2008; June 03, 2008; June 25, 2008; July 01, 2008; July 24, 2008; August 01, 2008; August 14, 2008; September 12, 2008; September 22, 2008; September 29, 2008; November 03, 2008
It has been observed that an SQL injection worm is spreading in the wild by injecting JavaScript or iframes into websites. The Asprox botnet is also launching SQL injection attacks. A new shift in SQL injection has been reported: rather than following the traditional URL-based injections, some Asprox variants have attempted cookie-based injections.
Many websites have been found infected with such scripts. A snippet of the malicious script code is shown below.

Websites injected with JavaScript are redirecting innocent visitors to the malicious website “winzipices DOT cn”, which contains JavaScript files with numeric names such as 2.js and 4.js. The contents of one such script file are shown below.
The JavaScript has been coded to take the user to a malicious .asp page, which in turn takes the user to the malicious domain “cnzz DOT com” or “51 DOT la”.
The SQL injection worm seems to be infecting machines through vulnerable RealPlayer versions.
Malicious domains involved in attacks with SQL worm activity are cnzz DOT com, 51 DOT la, 51la DOT ajiang DOT net, and http:// bbs DOT jueduizuan DOT com
Malware downloaded from the malicious domain makes continuous outbound requests to 61 DOT 134 DOT 37 DOT 15 on port 1800.
Updated
Since 19 May, some new domains have been observed in the SQL injection attacks. The attackers are inserting redirection tags into the contents of websites. The following snippet shows the JavaScript inserted into genuine websites.
The contents of the JavaScript file a.js are shown below. This JavaScript redirects users to the domain “http:// hoursebuilds DOT cn”.
The source code of the webpage “hoursebuilds DOT cn SLASH hi DOT htm” is shown below. This website again redirects users to the domain “51 DOT la”, which is being used to exploit vulnerable systems.
After successful exploitation, malware such as downloader Trojans is downloaded to the user's system.
Other domains involved in these SQL injection attacks are (visiting these domains is harmful to the user's system):
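As an added example (not code from the advisory), the following Python scanner flags the kind of injected references described above in a page's HTML: script or iframe src attributes pointing to hosts outside the site's own allow-list, numerically named scripts such as 2.js, and percent-encoded hostnames. The allow-list, the sample page and the placeholder hostnames in it are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Hosts this site legitimately loads scripts from (constructed example list).
ALLOWED_HOSTS = {"www.example.org", "static.example.org"}

# Scripts named with digits only (2.js, 4.js, ...) as described in the advisory.
NUMERIC_JS = re.compile(r"/\d+\.js$")


class _SrcCollector(HTMLParser):
    """Collect the raw src attribute of every <script> and <iframe> tag."""

    def __init__(self):
        super().__init__()
        self.refs = []  # list of (tag, raw src value)

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            for name, value in attrs:
                if name == "src" and value:
                    self.refs.append((tag, value))


def normalise_host(src):
    """Decode percent-encoding in a reference and return its hostname.

    Returns None for same-origin (relative) references, which carry no host.
    """
    decoded = unquote(src)
    if "//" not in decoded:
        return None
    return urlsplit(decoded).hostname


def find_injected_refs(html, allowed_hosts=ALLOWED_HOSTS):
    """Return a list of suspicious external references found in html."""
    parser = _SrcCollector()
    parser.feed(html)
    findings = []
    for tag, raw in parser.refs:
        host = normalise_host(raw)
        if host is None:
            continue  # relative reference: not an externally injected one
        decoded = unquote(raw)
        reasons = []
        if host.lower() not in allowed_hosts:
            reasons.append("external host")
        if raw != decoded:
            reasons.append("percent-encoded reference")
        if tag == "script" and NUMERIC_JS.search(urlsplit(decoded).path):
            reasons.append("numerically named script")
        if reasons:
            findings.append({"tag": tag, "src": raw, "host": host, "reasons": reasons})
    return findings


# Constructed sample page: two legitimate references and two injected ones.
# "%6d%61%6c%69%63%69%6f%75%73" decodes to "malicious".
SAMPLE_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="http://static.example.org/lib.js"></script>
<script src="http://malicious-host.invalid/2.js"></script>
<iframe src="http://%6d%61%6c%69%63%69%6f%75%73-host.invalid/hi.htm"></iframe>
</head><body>Welcome</body></html>"""

if __name__ == "__main__":
    for finding in find_injected_refs(SAMPLE_PAGE):
        print(finding["tag"], finding["host"], ", ".join(finding["reasons"]))
```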
In view of the massive scale of the attack and the high damage potential of the malware, website administrators and users are advised to implement the following countermeasures:
Website administrators:
- Enable request validation by setting validateRequest=True in the Page directive or in the configuration section.
- Input filtering: properly sanitize user input data.
- Comment out malicious code: any injected scripting content should be safely commented out.
- Guard against cross-site scripting payloads appended to URLs after special characters such as #, e.g. http://www.vulnerable.site/welcome.html#name=<script>alert(document.cookie)</script>
- Output filtering: filter user data when it is sent back to the user's browser.
- Disable client-side scripting.
- Use signed scripting: implement “signed scripting” such that any script with an invalid or untrusted signature will not run automatically.
- Microsoft has released an advisory on June 24, 2008 suggesting steps to mitigate the risk from SQL injection attacks on websites running ASP.NET. For details refer to Microsoft Advisory 954462:
http://www.microsoft.com/technet/security/advisory/954462.mspx
- A free scanner named Scrawlr has been developed by Hewlett Packard which can identify whether sites are susceptible to SQL injection. This tool and support for its use can be found at:
http://www.communities.hp.com/securitysoftware/blogs/spilabs/archive/2008/06/23/finding-sql-injection-with-scrawlr.aspx
System Administrators and Users:
- Block access to the domains www DOT en-us18 DOT com, cnzz DOT com, 51 DOT la, yl18 DOT net, www DOT bluell DOT cn, www DOT kisswow DOT com DOT cn, www DOT ririwow DOT cn, 51la DOT ajiang DOT net, http:// bbs DOT jueduizuan DOT com, hxxp://updatead DOT com, hxxp://upgradead DOT com, hxxp://clsiduser DOT com and hxxp://dbdomaine DOT com.
- Block access to the IP addresses 60 DOT 191 DOT 239 DOT 229, 61 DOT 188 DOT 38 DOT 158 and 61 DOT 134 DOT 37 DOT 15.
- Disable JavaScript and ActiveX scripting in the browser settings, or use the NoScript extension with the Firefox browser.
- Apply the patches for the above-mentioned vulnerabilities.
- Keep up to date on patches and fixes for the OS and application software.
- Install and maintain updated anti-virus software at gateway and desktop level.
- Exercise caution even while visiting trusted websites.
References:
http://isc.sans.org/diary.html?storyid=5092
http://isc.sans.org/diary.html?storyid=4645
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080514
http://isc.incidents.org/diary.html?storyid=4393
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080507
http://www.cert-in.org.in/virus/Asprox_Botnet.htm

Mass SQL Injection attacks and malicious Java script embedding on websites
Date : March 17, 2008
Updated: May 02, 2008; May 08, 2008; May 12, 2008; June 25, 2008; July 01, 2008
It has been observed that various websites have been infected with a malicious JavaScript file hosted on the domain 2117966 DOT net. Remote attackers are launching SQL injection attacks against web servers running ASP and embedding a link (www DOT 2117966 DOT net/fuckjp DOT js) to the malicious JavaScript file on these websites. When a user visits an infected website, the code gets executed on the user's system. Upon execution it tries to exploit several known vulnerabilities on the victim system to download password-stealing malware. The downloaded malware tries to make outbound connections to the IP address 61 DOT 188 DOT 39 DOT 175 on port 2034.
Vulnerabilities exploited by the JavaScript file are:
- Microsoft Data Access Components Code Execution Vulnerability (CIVN-2006-31)
- Microsoft Windows Vector Markup Language Code Execution Vulnerability (CIVN-2007-04)
- Microsoft Internet Explorer "daxctle.ocx" KeyFrame Memory Vulnerability (CIVN-2006-91)
- Microsoft Internet Explorer WebViewFolderIcon Buffer Overflow Vulnerability (CIVN-2006-94)
- RealPlayer Playlist Buffer Overflow Vulnerability (CIVN-2007-138)
It has also been reported that mass attacks were launched against websites running phpBB through iframe injection, redirecting innocent users to malicious websites.
Subsequently, mass iframe and JavaScript injection attacks have been reported using the malicious domains www DOT nmidahena DOT com, www DOT nihaorr1 DOT com, www DOT aspder DOT com, haoliuliang DOT net, winzipices DOT cn, yl18 DOT net, www DOT bluell DOT cn, www DOT kisswow DOT com DOT cn, www DOT ririwow DOT cn, hxxp://updatead DOT com, hxxp://upgradead DOT com, hxxp://clsiduser DOT com and hxxp://dbdomaine DOT com.
In view of the massive scale of the attack and the high damage potential of the malware, website administrators and users are advised to implement the following countermeasures:
Website administrators:
- Enable request validation by setting validateRequest=True in the Page directive or in the configuration section.
- Input filtering: properly sanitize user input data.
- Comment out malicious code: any injected scripting content should be safely commented out.
- Guard against cross-site scripting payloads appended to URLs after special characters such as #, e.g. http://www.vulnerable.site/welcome.html#name=<script>alert(document.cookie)</script>
- Output filtering: filter user data when it is sent back to the user’s browser.
- Disable client-side scripting.
- Use signed scripting: implement “signed scripting” such that any script with an invalid or untrusted signature will not run automatically.
- Microsoft has released an advisory on June 24, 2008 suggesting steps to mitigate the risk from SQL injection attacks on websites running ASP.NET. For details refer to Microsoft Advisory 954462:
http://www.microsoft.com/technet/security/advisory/954462.mspx
- A free scanner named Scrawlr has been developed by Hewlett Packard which can identify whether sites are susceptible to SQL injection. This tool and support for its use can be found at:
http://www.communities.hp.com/securitysoftware/blogs/spilabs/archive/2008/06/23/finding-sql-injection-with-scrawlr.aspx
System Administrators and Users:
- Block access to the domains "www DOT 2117966 DOT net", "www DOT nmidahena DOT com", "www DOT nihaorr1 DOT com", "www DOT aspder DOT com", "haoliuliang DOT net", "winzipices.cn", "yl18 DOT net", "www DOT bluell DOT cn", "www DOT kisswow DOT com DOT cn", "www DOT ririwow DOT cn", "hxxp://updatead DOT com", "hxxp://upgradead DOT com", "hxxp://clsiduser DOT com" and "hxxp://dbdomaine DOT com" at the gateway.
- Disable JavaScript and ActiveX scripting in the browser settings, or use the NoScript extension with the Firefox browser.
- Block traffic to and from the IP addresses 61 DOT 188 DOT 39 DOT 175, 60 DOT 191 DOT 239 DOT 229, 61 DOT 188 DOT 38 DOT 158 and 61 DOT 134 DOT 37 DOT 15.
- Apply the patches for the above-mentioned vulnerabilities.
- Keep up to date on patches and fixes for the OS and application software.
- Install and maintain updated anti-virus software at gateway and desktop level.
References:
http://isc.sans.org/diary.html?storyid=4645
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080514
http://isc.sans.org/diary.html?storyid=4139
http://isc.sans.org/diary.html?storyid=4144
http://www.avertlabs.com/research/blog/index.php/2008/03/13/follow-up-to-yesterdays-mass-hack-attack/
http://www.us-cert.gov/current/archive/2008/03/14/archive.html#website_compromises_facilitating_exploitation_of
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080313
http://www.sophos.com/security/blog/2008/03/1186.html
http://blog.trendmicro.com/massive-iframe-attacks-continue/
https://isc.sans.org/diary.html?storyid=4331
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9079961&source=rss_topic17

Propagation of Storm worm variants through Valentine's Day greetings
Date : February 14, 2008
It has been observed that new variants of ‘Storm Worm’ are circulating via e-mails pretending to be Valentine’s Day greetings. These spam e-mails come with subject lines such as “Valentine’s Day”, “The Love Train” and other Valentine’s Day related phrases. The e-mail contains a URL in the form of an IP address, which takes the user to a malicious website hosting the malware “valentine.exe”.
The malicious webpage looks as shown below:

Upon visiting this webpage, the file “valentine.exe” is downloaded to the visitor’s system.
The subject lines in the e-mail are as follows:
- Valentine’s Day
- The Love Train
- I Love You
- Rockin' Valentine
- You Stay in My Heart
- My Heart For You
- A hearty Wish
- Thinking of U All Day
Users are advised to implement the following countermeasures:
- Block e-mails with the above-mentioned subject lines.
- It has been observed that the malicious domains mentioned above are hosted by the Storm botnet, mostly using the nginx/0.5.17 web server. Consider blocking packets from nginx/0.5.17 web servers at the proxy, or set an appropriate alert/rule on the IDS/IPS.
- Exercise caution while clicking on any link embedded inside e-mail messages, instant messages or web pages.
- Filter e-mails with the above-mentioned subject lines and body text.
- Install and maintain updated anti-virus software at gateway and desktop level.
- Install and maintain updated anti-spyware software at desktop level.
- Keep up to date on patches and fixes for the OS and application software.
References:
http://www.cert-in.org.in/virus/Trojan_strom_worm.htm
http://www.cert-in.org.in/currentacts/currentact07.htm#RPSW
http://www.cert-in.org.in/currentacts/currentact07.htm#SWP
http://isc.incidents.org/diary.html?storyid=3979
http://www.pcworld.com/article/id,142452-c,viruses/article.html
http://news.softpedia.com/news/Storm-Spreading-Valentine-s-Day-Love-78431.shtml

Fake Microsoft Windows Update Websites
Date : February 11, 2008
It has been observed that malicious files are being propagated through fraudulent websites pretending to provide updates for Microsoft Windows.
Spam e-mails are being sent to users to trick them into clicking a link to the fraudulent website. The malicious link directs users to a webpage asking them to click an “Urgent Install” button. When the user clicks the button, an executable file named WindowsUpdateAgent30-x86-x64.exe is downloaded to the system. This executable is malware named Trojan-Dropper:W32/Agent.DYD, which then drops another malware identified as Backdoor:W32/Agent.CVU.
The above-mentioned malicious webpage has a button labelled “Urgent Install” and one of the messages mentioned below:
It should be noted that the word “install” is misspelled in the message displayed on the fake Windows Update webpage.
Some of these malicious websites are on fast-flux DNS. The fraudulent domains are as follows:
- www8 DOT update microsoft DOT com DOT sec94 DOT in
- update DOT microsoft DOT com DOT cfm48 DOT com
- update DOT microsoft DOT com DOT asp63 DOT net
Users are advised to implement the following countermeasures:
- Block the malicious domains mentioned above for both outbound HTTP requests and incoming e-mails.
- Do not click on any link embedded inside untrusted e-mail messages or web pages.
- Install and maintain updated anti-virus software at gateway and desktop level.
- Install and maintain updated anti-spyware software at desktop level.
- Keep up to date on patches and fixes for the OS and application software.
- Follow the guidance provided in Microsoft's “Recognize and avoid fraudulent e-mail to Microsoft customers” document.
References:
http://www.f-secure.com/weblog/archives/00001374.html
http://www.cisrt.org/enblog/read.php?230
http://www.us-cert.gov/current/index.html#fraudulent_microsoft_update_web_sites
http://www.pcmag.com/article2/0,2817,2256892,00.asp

ActiveX Vulnerabilities in Yahoo! MediaGrid, YMP Datagrid, Facebook and MySpace
Date : February 08, 2008
Update : April 09, 2008
It has been observed that vulnerabilities in several ActiveX controls are being used to exploit vulnerable applications such as the Yahoo! MediaGrid ActiveX control, the YMP Datagrid ActiveX control and the image uploader used by Facebook and MySpace.
The vulnerabilities can be used to execute arbitrary code or crash the vulnerable application.
Exploit code for these vulnerabilities is available on the Internet and could be used by malicious people by creating a specially crafted HTML document and persuading a user to open it (e.g., a web page or an HTML e-mail message or attachment). Successful exploitation allows an attacker to execute arbitrary code with the privileges of the user on a vulnerable system.
Users are advised to implement the following countermeasures:
- Disable the Aurigma ImageUploader ActiveX controls in Internet Explorer by setting the kill bit for the following CLSIDs:
- {104B0A37-AB99-4F06-8032-8BBDC3B77DDB}
- {17D667BA-5675-4AAB-9221-08B9379384D4}
- {48DD0448-9209-4F81-9F6D-D83562940134}
- {55027008-315F-4F45-BBC3-8BE119764741}
- {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0}
- {6E5E167B-1566-4316-B27F-0DDAB3484CF7}
- {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8}
- {AE2B937E-EA7D-4A8D-888C-B68D7F72A3C4}
- {AE6C4705-0F11-4ACB-BDD4-37F138BEF289}
- {B85537E9-2D9C-400A-BC92-B04F4D9FF17D}
- {BA162249-F2C5-4851-8ADC-FC58CB424243}
- {D1D98C0F-A339-42AB-BD5F-EA0FF5D0E65F}
- {D1EA8D3D-F511-4388-B754-4A0CC14A4778}
- {F1F51698-7B63-4394-8743-1F4CF1853DE1}
- {F89EF74A-956B-4BD3-A066-4F23DF891982}
- {FB90BA05-66E6-4c56-BCD3-D65B0F7EBA39}
- Alternatively, use the following GUI tool from SANS to set the kill bit:
http://isc.sans.org/diary.html?storyid=3931
- Disable ActiveX controls in the Internet zone while visiting untrusted websites.
- Users of Internet Explorer may upgrade to IE7 and use the ActiveX opt-in feature to prompt the user before using ActiveX controls that are already installed on the system.
References:
http://isc.sans.org/diary.html?storyid=3929
http://isc.sans.org/diary.html?storyid=3931
http://www.kb.cert.org/vuls/id/340860
http://www.kb.cert.org/vuls/id/101676
http://support.microsoft.com/kb/240797
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9061101&pageNumber=1

Websites compromised with malicious JavaScript injection propagating malware
Date : January 23, 2008
Various websites/domains are reported to be compromised and serving information-stealing malware such as Trojan Clampi. These websites have been injected with a malicious JavaScript file known as the “Random JS Toolkit”, which in turn infects visitors of the infected websites. Both the malicious binary and the malicious script are hosted on the same domain, and visitors unknowingly get infected.
An excerpt of the source code of an infected page is shown below.

The name of the malicious JavaScript file changes randomly because scripts are embedded dynamically into the webpage. This technique effectively evades detection of the script's hosting on websites. Accordingly, a new malicious binary gets dropped onto the user's system on every visit.
The compromised web servers are running the Apache web server on Linux systems, and attackers are exploiting the dynamic module loading feature of Apache, which is enabled by default.
The malicious JavaScript exploits the known vulnerabilities mentioned below to download the malware onto users' systems:
In view of the massive scale of the attack and the high damage potential of the malware, website administrators and users are advised to implement the following countermeasures:
Website administrators:
- Disable dynamic module loading in the Apache configuration.
- Apply appropriate patches and updates to the operating system and application software.
- Refer to the CERT-In Web Server Security Guidelines (CISG-2004-04).
Users:
- Follow the countermeasures mentioned in the CERT-In virus alert on Trojan Clampi to delete locally stored usernames and passwords/credentials/privileges.
- Keep up to date on patches and fixes for the operating system and application software.
- Install and maintain updated anti-virus software at gateway and desktop level.
- Install and maintain updated anti-spyware software at desktop level.
- Install and maintain a desktop firewall and block the ports which are not required.
References:
http://blog.trendmicro.com/e-commerce-sites-invaded/
http://www.finjan.com/Pressrelease.aspx?id=1820&PressLan=1819&lan=3
http://www.securityfocus.com/news/11501
http://www.secureworks.com/research/threats/linuxservers/?threat=linuxservers
http://www.cert-in.org.in/virus/Trojan_Clampi.htm

Propagation of Storm Worm variants through Happy New Year Greetings
Date : December 26, 2007
Updated: January 02, 2008
It has been observed that new variants of ‘Storm Worm' are circulating via e-mails purporting to be Happy New Year e-mail greetings. The e-mail comes with a link to the malicious domain "uhavepostcard DOT com" or "happycards2008.com" inside the body of the message. The domain "uhavepostcard DOT com" is hosting the malicious file happy-2008.exe.
It may be noted that Storm Worm is also spreading through Christmas greeting cards, as mentioned earlier, but the malicious domain merrychristmasdude DOT com is now hosting the malicious file happy-2008.exe.
The Storm botnet is using the fast-flux DNS technique to resolve the above-mentioned malicious domains to multiple IP addresses distributed globally.
The Storm Worm (also known as Zhelatin, Peacomm, Tibs), which first appeared in January 2007, uses various social engineering techniques and spam e-mails to propagate widely and is growing with millions of bots.
The subject lines of the circulating e-mail messages are:
- Happy New Year and (someone's name)
- Happy NW (random name)
- A fresh new year
- As the new year...
- As you embrace another new year
- Blasting new year
- Happy 2008!
- Happy New Year!
- It's the new Year
- Joyous new year
- New Hope and New Beginnings
- New Year Ecard
- New Year Postcard
- Opportunities for the new year
- Wishes for the new year
It has also been observed that another variant of Trojan Delf is spreading through spam e-mails with the attachment Happynewyear DOT exe. This malicious file is hosted on the domain lbss DOT 3322 DOT org.
Update: In addition to the domains mentioned above, more malicious domains are being reported. The complete list of malicious domains is as follows:
Note: Users are advised to visit this page regularly to get the updated list of malicious domains.