CyberInsecure.com

Daily cyber threats and internet security news alerts

Archive for the ‘Mass Web Attacks’ Category

Thousands Of Sites Infected In Renewed SQL Injection Attacks

Thursday, April 24th, 2008

Large numbers of legitimate Web sites, including government sites in the U.K. and some operated by the United Nations, have been hacked and are serving up malware as the massive JavaScript attacks last detected in March resume. The same techniques as last month are being used, and among the sites hacked were several affiliated with either the UN or U.K. government agencies.

The exact number of compromised sites is unknown, but the estimate is that it is similar to the March attacks, which at their height infected more than 100,000 URLs, including prominent domains such as MSNBC.com. Although the U.K.-based sites appeared to have been cleansed of the malicious JavaScript, the UN sites had not.

The attackers have now switched over to a new domain as their hub for hosting the malicious payload in this attack. Although the malware-hosting domain has changed, it’s located at a Chinese IP address, just like the one used in March. It also looks like they’re using just the one hosting site, but changing the link within the JavaScript. When a visitor reaches one of the hacked sites, the malicious JavaScript loads a file from the malware-hosting server, then redirects the browser to a different page, also hosted on the Chinese server. Once loaded, the file attempts eight different exploits, including one that hits a vulnerability in Internet Explorer’s handling of Vector Markup Language (VML) that was patched in January 2007.


Increasing Number Of Websites Infected With Troj/Unif-B

Sunday, March 30th, 2008

SophosLabs has noticed an increasing number of sites compromised with a malicious script detected as Troj/Unif-B over the past few weeks.

Since March 1st 2008, almost 11,000 pages compromised with Troj/Unif-B have been found, split across approximately 4,500 different domains. That is a fair amount of activity: around 150 new domains daily.

The sites that these 4,500 compromised domains point to fall into two categories. First, additional attack sites: some other site which hits the victim with exploits. Second, redirect or “control” sites: some other site, controlled by the attacker, which can be used to direct traffic. Typically, these sites direct victims to one of several other attack sites, although there may be several redirects in use.

Among the attack vectors observed, a few stand out:

1. Installing various malware including Mal/Dropper-T, Mal/EncPk-CM and Mal/EncPk-CO.
2. Redirect sites under the control of a large and well coordinated group. Numerous domains have been used by this group in recent months to install a variety of Dorf, Tibs and other malware.
3. Loading exploits intended to install a member of the Mal/Zbot family.
4. Pointing to a single GPack attack site, which installs malware detected as Mal/Emogen-Y.

About 70% of the compromised domains that point to the GPack attack site are hosted by the same ISP. The same is true for some of the other attacks listed above, since targeting server farms is an effective strategy for the attackers.

The grouping within the compromised pages reflects the coordinated attacks that are taking place. Also not surprising are the relationships between some of the groups. It is not unlikely that these sites could be used to make money by selling “traffic flow”, since attackers often pay for victims to be directed to their attack sites for a period of time.


Massive IFRAME Search Results Attack

Friday, March 28th, 2008

A massive IFRAME injection attack, which started last week, is slowly turning into a large scale web application vulnerabilities audit of high profile sites. Last week Symantec rated the attack as medium risk, and StopBadware and US-CERT issued warnings about the incident. After another week of monitoring the campaign, the latest malware and the sites targeted, the campaign is still up and running, poisoning what looks like over a million search queries with loadable IFRAMES, whose loading entirely relies on the site’s web application security practices.

The main IPs within the IFRAMES, acting as redirection points to the newly introduced rogue software and malware, remain the same and are still active. High profile websites have been successfully injected with IFRAMES forwarding to the rogue security software and Zlob malware variants. Some of the websites attacked:

USAToday.com, ABCNews.com, News.com, Sears.com, Circuitcity.com, Target.com, Packard Bell.com, Walmart.com, Forbes.com, Ugo.com, Bartleby.com, Linkedwords.com, Rediff.com, MiamiHerald.com, Bloomingdales.com, PatentStorm.us, WebShots.com, Allwords.com, Blogdigger.com, Epinions.com, Buyersindex.com, Jcpenney.com, Nakido.com, Uvm.edu, hobbes.nmsu.edu, jurist.law.pitt.edu, boisestate.edu

The number and importance of the affected sites has increased. Google appears to be filtering the search results even though the malicious parties may have already injected the IFRAMEs, thereby trying to undermine the campaign. New malware and fake codecs are being introduced under new domain names, and a couple of newly introduced domains appear within the IFRAMES themselves.

Google is actively filtering the results and removing the cached pages on a number of domains. The attack, which started two weeks ago, is continuing: the main IPs behind the IFRAMES are still active, new pieces of malware and rogue software are being introduced, hosting for which is still courtesy of the RBN, and we’re definitely going to see many other sites with high page ranks targeted by a single massive SEO poisoning in combination with IFRAME injections.
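Both the SQL injection campaign in the first post above and the IFRAME injections described here leave the same footprint in a page: a script or iframe tag whose src points at a host the site does not own. The following is an added detection example, not code from the original article or from any of the sites named: it parses a page's HTML and reports every `<script src>` or `<iframe src>` whose host is neither the site itself nor an allowlisted CDN, and marks zero-size or invisible frames, the classic drive-by pattern. The sample page, the site name `www.example.com`, the CDN `cdn.example.net` and the addresses `203.0.113.5` and `injected.example` are constructed for the example.

```python
"""Find script/iframe tags on a page that load from hosts the site does not own.

Added example (not the article's code). Scans HTML for <script src> and
<iframe src> tags whose host is neither the site nor an allowlisted CDN.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LoaderTags(HTMLParser):
    """Collect every <script> and <iframe> start tag with its attributes."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            self.tags.append((tag, {k: (v or "") for k, v in attrs}))


def _is_hidden(attrs):
    """Zero-size or invisible frames are the classic drive-by pattern."""
    zero = {"0", "0px"}
    if attrs.get("width", "").strip() in zero or attrs.get("height", "").strip() in zero:
        return True
    style = attrs.get("style", "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


def _trusted(host, trusted_hosts):
    """True when host is one of the trusted hosts or a subdomain of one."""
    host = host.lower()
    return any(host == t or host.endswith("." + t) for t in trusted_hosts)


def find_external_loads(html, site_host, allowlist=()):
    """Return one finding per script/iframe src that points off-site.

    A finding is a dict {"tag", "src", "host", "hidden"}. Relative URLs are
    same-origin and skipped; protocol-relative URLs (//host/...) are resolved.
    """
    trusted = {site_host.lower(), *(h.lower() for h in allowlist)}
    parser = _LoaderTags()
    parser.feed(html)
    findings = []
    for tag, attrs in parser.tags:
        src = attrs.get("src", "").strip()
        host = urlparse(src).hostname if src else None
        if host is None or _trusted(host, trusted):
            continue
        findings.append({"tag": tag, "src": src, "host": host,
                         "hidden": tag == "iframe" and _is_hidden(attrs)})
    return findings


# Constructed sample page (not a real site): one legitimate script, one
# allowlisted CDN script, one injected script and one hidden injected iframe.
SAMPLE_HTML = """
<html><head>
<script src="/js/site.js"></script>
<script src="//cdn.example.net/lib.js"></script>
<script src="http://203.0.113.5/b.js"></script>
</head><body>
<p>Search results</p>
<iframe src="http://injected.example/in.php" width=0 height=0></iframe>
</body></html>
"""

if __name__ == "__main__":
    for finding in find_external_loads(SAMPLE_HTML, "www.example.com", ["cdn.example.net"]):
        print(finding)
```

Pass the site's apex domain as `site_host` so that its own subdomains are trusted, and keep the allowlist to hosts you actually deploy from; a scheduled run over a site's search result pages and cached pages is where an injection of this kind shows up first.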


Wordpress Doorway Spam Attacks

Sunday, March 23rd, 2008

Wordpress blogs are being mass scanned and attacked, and a new directory is created in the wp-content folder of vulnerable ones. The directory is usually called /1/ and it’s full of HTML files containing JavaScript redirects (doorways). There was also an infected blog with phishing pages for Google logins. Google’s cache already shows thousands of results with such hacked Wordpress blogs. They can be seen best by running the search inurl:wp-content/1/ (do not visit those results, your PC might get infected). Google has already tagged some of these spam pages as harmful.

The blogs are most likely attacked by some kind of automated tool, since the amount of spam is too big to create all those spam pages manually. It seems there are spam comments in posts as well. The spam comments point to internal infected blog pages in the “1” folder to get them spidered and to get people to visit them.

This issue was reported to Wordpress.org, and there is an unofficial fix for it. The fix is based around renaming the cookies Wordpress uses by default. If the exploit is hacking the cookies by mass scanning blogs and looks for a specific cookie name, that would stop what is out there now, but it would not fix the underlying issue.

Recommendations: Upgrade to 2.3.3 and immediately change any administrator passwords. Older Wordpress versions, especially Wordpress 2.1.3, are currently being attacked using an “admin-ajax.php” SQL injection exploit to retrieve the administrator account’s password.
Change the default cookie names in your blog.
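A blog owner who wants to check for the doorway artefacts described above can audit wp-content directly. The script below is an added example, not code from the original post or from Wordpress: it flags directories under wp-content that a stock install does not have (the post reports the doorway directory being named "1") and HTML files anywhere under wp-content that contain a JavaScript or meta-refresh redirect. The expected-directory list and the redirect patterns are assumptions for the example, and the sample install it builds in a temporary directory is constructed (the redirect target `redirect.invalid` is a placeholder).

```python
"""Audit a Wordpress wp-content directory for doorway-spam artefacts.

Added example (not the post's or Wordpress's own code).
"""
import os
import re
import tempfile

# Assumed: directories a stock Wordpress install has under wp-content.
EXPECTED_DIRS = {"plugins", "themes", "uploads", "upgrade", "languages"}

# Redirect constructs typical of doorway pages (JS location changes, meta refresh).
REDIRECT_RE = re.compile(
    r"(window|document)\.location|location\.(href|replace)\s*[=(]"
    r"|<meta[^>]+http-equiv\s*=\s*[\"']?refresh",
    re.IGNORECASE,
)


def audit_wp_content(wp_content):
    """Return (unexpected_dirs, redirect_files), both sorted, paths relative to wp-content."""
    unexpected = sorted(
        d for d in os.listdir(wp_content)
        if os.path.isdir(os.path.join(wp_content, d)) and d not in EXPECTED_DIRS
    )
    redirect_files = []
    for root, _dirs, files in os.walk(wp_content):
        for name in files:
            if not name.lower().endswith((".html", ".htm")):
                continue
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                if REDIRECT_RE.search(fh.read()):
                    rel = os.path.relpath(path, wp_content)
                    redirect_files.append(rel.replace(os.sep, "/"))
    return unexpected, sorted(redirect_files)


def build_sample_install():
    """Create a constructed wp-content tree containing a doorway directory; return its path."""
    base = tempfile.mkdtemp(prefix="wpaudit_")
    wp_content = os.path.join(base, "wp-content")
    for d in ("plugins", "themes", "uploads", "1"):
        os.makedirs(os.path.join(wp_content, d))
    # Benign theme page: no redirect, must not be flagged.
    with open(os.path.join(wp_content, "themes", "readme.html"), "w") as fh:
        fh.write("<html><body>Theme readme</body></html>")
    # Doorway pages: JS redirect and meta refresh (placeholder target).
    with open(os.path.join(wp_content, "1", "cheap-stuff.html"), "w") as fh:
        fh.write('<html><script>window.location="http://redirect.invalid/";</script></html>')
    with open(os.path.join(wp_content, "1", "buy-now.html"), "w") as fh:
        fh.write('<meta http-equiv="refresh" content="0;url=http://redirect.invalid/">')
    return wp_content


if __name__ == "__main__":
    dirs, files = audit_wp_content(build_sample_install())
    print("unexpected directories:", dirs)
    print("files with redirects:", files)
```

Run `audit_wp_content` against a real install's wp-content path; a non-empty first list is the cheapest signal of this particular campaign, and the second list catches doorway pages even if the attacker picks a different directory name.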

If you know more details or any other solutions, please contact us and share.



Yesterday’s Mass Hack Attack

Friday, March 14th, 2008

The number of websites hit by yesterday’s attack (over 10,000) has doubled, according to Avertlabs.

Another recent mass attack is using a JavaScript file rather than an IFRAME. The attack seems to have started about two weeks ago, and nearly 200,000 web pages have been found to be affected or compromised, most of which are running phpBB forum software. The vast majority of websites attacked yesterday were Active Server Pages (.ASP). The ASP attack methods and payload are different from the phpBB ones: various exploits are used in the ASP attacks, whereas the phpBB ones rely on social engineering. phpBB mass hacks have occurred in the past, including those done by the Perl/Santy.worm back in 2004.

A brief video demonstrating how the phpBB attack looks from the end user’s perspective can be found at http://www.vimeo.com/moogaloop.swf?clip_id=781981&server=www.vimeo.com&fullscreen=1&show_title=1&show_byline=0&show_portrait=0&color=


CNET Sites Under IFRAME Attack

Thursday, March 6th, 2008

The IFRAME campaign is now targeting several more CNET Networks web properties besides ZDNet Asia, namely TV.com, News.com and MySimon.com. At the time of posting, no CNET sites other than the ones mentioned are involved in the campaign, including ZDNet’s international sites such as ZDNet India, ZDNet U.K. and ZDNet Australia. Three more sites in CNET Networks’ portfolio are getting injected with IFRAMEs, through abuse of their site search’s local caching and storing of arbitrary keywords, in combination with a loadable IFRAME. Over 51,900 pages at zdnetasia.com continue to be indexed by search engines. ZDNet Asia has taken care of the IFRAME issue, so that such injection is no longer possible. However, the same IPs used in this IFRAME campaign, including two new domains introduced, have been injected and are loading at TV.com, News.com and MySimon.com, again pushing the fake “XP AntiVirus”, “Spyshredderscanner” and another fake codec called “MediaTubeCodec.exe”, hosted and distributed under two new domains.

Sites that are currently targeted:
ZDNet Asia - currently has around 52,000 injected pages.
TV.com - 51,000 locally hosted IFRAME injected pages.
News.com - 167 locally hosted pages, injection is ongoing.
MySimon.com - currently around 10 pages, the campaign is ongoing.

Domains and IPs that are behind the IFRAMEs:
do-t-h-e.com (69.50.167.166)
rx-pharmacy.cn (82.103.140.65)
m5b.info (124.217.253.6)
89.149.243.201
89.149.243.202
72.232.39.252
195.225.178.21

Malware hosts:
hotpornotube08.com (206.51.229.67)
hot-pornotube-2008.com (206.51.229.67)
hot-pornotube08.com (206.51.229.67)
adult-tubecodec2008.com (195.93.218.43)
adulttubecodec2008.com (195.93.218.43)
hot-tubecodec20.com (195.93.218.43)
media-tubecodec2008.com (195.93.218.43)
porn-tubecodec20.com (195.93.218.43)
scanner.spyshredderscanner.com (77.91.229.106)
xpantivirus2008.com (69.50.173.10)
xpantivirus.com (72.36.198.2)
bestsexworld.info (72.232.224.154)
requestedlinks.com (216.255.185.82)

Only two pieces of malware are currently served: XP AntiVirus 2008 and a fake codec.
What’s important to note is that this is the current state of the campaign; with such a huge number of IFRAME-ed pages, targeted attacks on a per-keyword basis are possible, and since the attackers ensure you’re served on the basis of where you’re coming from, things might change pretty fast. The domains above are the ones that follow after the IFRAME redirects for all the campaigns currently detected.

Malware files:
MediaTubeCodec.com - 11% of scanners (4/36) found malware at 2008/03/06 16:38:39 (EET). File size: 85520 bytes, MD5: 25708e1168e0e5dae87851ec24c6e9f7, SHA1: 33b502b13cab7a34bb959d363ae4b7afd23919a6. Detected as:
AVG - I-Worm/Nuwar.P
Fortinet - Suspicious
Prevx - TROJAN.DOWNLOADER.GEN
Quick Heal - Suspicious - DNAScan

MediaTubeCodec.com tries to connect to websoftcodecdriver.com, websoftcodecdriver2.com and 77.91.227.179, in between listening on local port 1034. The downloader tries to drop Adware.Agent.BN - “Adware.Agent.BN is an adware program that displays pop-up advertisements and adds a runkey to run at startup, and also modifies Windows system configuration in order to download more malwares on to infected computer.” and RogueAntiSpyware.AntiVirusPro - “RogueAntiSpyware.AntiVirusPro is a Rogue Anti-Spyware product which comes bundled along with a malicious downloader. It is downloaded and installed without the users consent.”

Spyshredderscanner.exe - 42% of scanners (15/36) found malware at 2008/03/06 17:02:23 (EET). File size: 33224 bytes, MD5: bc232dbd6b75cc020af1fcf7cee5f018, SHA1: fc2f70fd9ce76fe2e1fe157c6d2d8ba015ad099f, detected as Win32.FraudTool.SpyShredder and Downloader.MisleadApp.
It opens local port 1034 and tries to connect to 69.50.168.51 (ATRIVO, RBN’s well known netblock).
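The domains, IPs and file hashes listed in this post are most useful as a blocklist checked against outbound proxy logs and quarantined files. The script below is an added example, not code from the original post: its indicator sets contain exactly the hosts, addresses and MD5 values given above, it matches a host either exactly or as a subdomain of a listed domain, and it matches IPs exactly. The proxy log format (`timestamp client method url status`) and the log lines are constructed for the example, with private client addresses and a placeholder benign site.

```python
"""Match proxy log lines and file hashes against the indicators from this post.

Added example (not the post's code). Indicator values are those listed above;
the log lines are constructed.
"""
import re
from urllib.parse import urlparse

IOC_DOMAINS = {
    "do-t-h-e.com", "rx-pharmacy.cn", "m5b.info",
    "hotpornotube08.com", "hot-pornotube-2008.com", "hot-pornotube08.com",
    "adult-tubecodec2008.com", "adulttubecodec2008.com", "hot-tubecodec20.com",
    "media-tubecodec2008.com", "porn-tubecodec20.com",
    "scanner.spyshredderscanner.com", "xpantivirus2008.com", "xpantivirus.com",
    "bestsexworld.info", "requestedlinks.com",
    "websoftcodecdriver.com", "websoftcodecdriver2.com",
}
IOC_IPS = {
    "69.50.167.166", "82.103.140.65", "124.217.253.6", "89.149.243.201",
    "89.149.243.202", "72.232.39.252", "195.225.178.21", "206.51.229.67",
    "195.93.218.43", "77.91.229.106", "69.50.173.10", "72.36.198.2",
    "72.232.224.154", "216.255.185.82", "77.91.227.179", "69.50.168.51",
}
IOC_MD5 = {"25708e1168e0e5dae87851ec24c6e9f7", "bc232dbd6b75cc020af1fcf7cee5f018"}

URL_RE = re.compile(r"https?://\S+")

# Constructed sample log: "timestamp client method url status" (not a real log).
SAMPLE_LOG = """\
2008-03-06 16:38:39 10.0.0.12 GET http://www.zdnetasia.com/search?q=widgets 200
2008-03-06 16:38:40 10.0.0.12 GET http://do-t-h-e.com/index.php 302
2008-03-06 16:38:41 10.0.0.12 GET http://media-tubecodec2008.com/MediaTubeCodec.exe 200
2008-03-06 16:40:02 10.0.0.33 GET http://www.xpantivirus.com/buy 200
2008-03-06 16:41:17 10.0.0.33 GET http://195.93.218.43/update 200
2008-03-06 16:42:00 10.0.0.40 GET http://www.example.com/ 200
"""


def match_host(host):
    """Return the indicator that host matches (exact IP, or listed domain/subdomain), else None."""
    if host is None:
        return None
    host = host.lower().rstrip(".")
    if host in IOC_IPS:
        return host
    for dom in IOC_DOMAINS:
        if host == dom or host.endswith("." + dom):
            return dom
    return None


def match_log(text):
    """Return [(line_number, host, indicator)] for every log line whose URL hits an IoC."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = URL_RE.search(line)
        if not m:
            continue
        host = urlparse(m.group(0)).hostname
        indicator = match_host(host)
        if indicator:
            hits.append((n, host, indicator))
    return hits


def match_hashes(md5s):
    """Return the subset of the given MD5 strings that are the post's known samples."""
    return {h.lower() for h in md5s} & IOC_MD5


if __name__ == "__main__":
    for n, host, indicator in match_log(SAMPLE_LOG):
        print(f"line {n}: {host} matched {indicator}")
    print(match_hashes(["BC232DBD6B75CC020AF1FCF7CEE5F018", "d41d8cd98f00b204e9800998ecf8427e"]))
```

Note that subdomain matching deliberately goes one way: a request to www.xpantivirus.com matches the listed xpantivirus.com, but a request to an unlisted sibling of scanner.spyshredderscanner.com does not, so add the parent domain yourself if you decide to block the whole zone.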
