Security researchers warn that a significant number of WordPress websites have been compromised recently as part of what looks to be a money-generating affiliate scheme. The header.php template files are being injected with obfuscated JavaScript code.
“Late last week, I noticed something of a surge in reports of a particular threat: hordes of legitimate pages were being injected with a malicious JavaScript, pro-actively blocked as Mal/ObfJS-H. Thus far, the common link between the affected sites appears to be Wordpress. One user report suggests that the malicious script is being added to the header.php template script used by Wordpress,” Fraser Howard, principal virus researcher at Sophos, writes on the company’s blog.
The obfuscated script is inserted right after the tag, and its purpose is to load additional content via an IFrame and to pass visitors through a series of silent redirects. One of these 302 redirects passes the attacker’s affiliate account to a remote script, probably for remuneration purposes.
According to Mr. Howard’s analysis, a cookie for the domain rich-traffic.com is set in visitors’ browsers; that site is a Russian affiliate network that lets users sell or buy IFrame traffic. “We sell only high quality iframe traffic for your various needs!” is written on the main page. Apparently, this offer refers to huge amounts of unique visitors spread across a wide variety of countries.
The issue of header.php files being modified without authorization has also been discussed in the support forums over at wordpress.org, with users suggesting that compromised FTP accounts might be the cause. This is consistent with the conclusion of the Sophos researcher, who writes that, “In this particular attack however, an out of date Wordpress installation does not appear to be the root cause – many of the sites I checked, appear to be running the latest available version (2.9.1 at time of writing).”
It is worth noting that TechCrunch, one of the most popular technology blogs on the Internet, has recently faced several attacks, which resulted in its home page being altered. At least in one particular attack, the header.php file was modified to include a rogue message.
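The reports above describe an obfuscated script injected into a theme's header.php. The following is an added example (not code from the article, Sophos or WordPress) of a heuristic check a site owner could run over header.php files; the heuristics it uses (eval() over a decoded string, long runs of escape sequences, one very long line) are assumptions about what "obfuscated" looks like, not the Mal/ObfJS-H signature, and the sample templates are constructed.

```python
"""Heuristic scan for obfuscated inline <script> blocks in WordPress header.php files.
Added example, not from the article or from Sophos; the heuristics are assumptions."""
from __future__ import annotations
import re
from pathlib import Path

# inline <script>...</script> bodies (case-insensitive, may span lines)
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
# wrappers commonly seen around obfuscated payloads (assumption)
WRAPPER_RE = re.compile(r"\b(eval|unescape|String\.fromCharCode|document\.write)\s*\(")
# %xx, \xNN and \uNNNN escape sequences
ESCAPE_RE = re.compile(r"(%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4})")


def suspicious_scripts(template: str, max_line: int = 500, max_escapes: int = 20) -> list[str]:
    """One entry per inline <script> block that trips a heuristic, with the reasons."""
    findings = []
    for n, m in enumerate(SCRIPT_RE.finditer(template), start=1):
        body = m.group(1)
        if not body.strip():
            continue  # <script src=...></script>: nothing inline to inspect
        reasons = []
        wrappers = set(WRAPPER_RE.findall(body))
        if "eval" in wrappers and wrappers & {"unescape", "String.fromCharCode"}:
            reasons.append("eval() over a decoded string: " + ", ".join(sorted(wrappers)))
        escapes = len(ESCAPE_RE.findall(body))
        if escapes >= max_escapes:
            reasons.append(f"{escapes} hex/percent escape sequences")
        longest = max(len(line) for line in body.splitlines())
        if longest > max_line:
            reasons.append(f"single line of {longest} characters")
        if reasons:
            findings.append(f"script #{n}: " + "; ".join(reasons))
    return findings


def scan_theme_headers(themes_dir: Path) -> dict[str, list[str]]:
    """Check every <themes_dir>/<theme>/header.php; returns {path: findings} for hits only."""
    results = {}
    for header in sorted(themes_dir.glob("*/header.php")):
        findings = suspicious_scripts(header.read_text(errors="replace"))
        if findings:
            results[str(header)] = findings
    return results


# constructed samples: a clean header and the same header with an injected block
CLEAN = """<!DOCTYPE html><html><head>
<script src="/wp-includes/js/jquery.js"></script>
<script>var wp_theme = 'twentyten';</script>
</head><body>"""
INJECTED = CLEAN + """
<script>eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%22%3c%69%66%72%61%6d%65%22%29'))</script>"""

if __name__ == "__main__":
    import sys
    # usage: python scan_headers.py /var/www/wp-content/themes (path is an assumption)
    hits = scan_theme_headers(Path(sys.argv[1]))
    for path, findings in hits.items():
        print(path)
        for f in findings:
            print("   ", f)
    sys.exit(1 if hits else 0)
```

A hit is a reason to diff the file against a pristine copy of the theme, not proof of compromise on its own; legitimate minifiers can also produce long lines.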
Credit: Softpedia.com News
Two Firefox add-ons available for months on Mozilla’s website infected users with malware that stole passwords and opened a backdoor on Windows machines, the open-source browser maker has confirmed.
The add-ons, available on an experimental section of Mozilla’s official add-on download site, carried trojans that have been detected since 2008 by commercial anti-virus products. And yet they weren’t removed until late January and earlier this week, because a scanning tool used to vet add-ons during upload failed to catch the malicious files.
“If a user installs one of these infected add-ons, the trojan would be executed when Firefox starts and the host computer would be infected by the trojan,” a note on Mozilla’s add-on blog stated. “Uninstalling these add-ons does not remove the trojan from a user’s system.”
Instead, infected users will need to thoroughly scan their machines with an anti-virus program. Or better yet, use multiple scanners, or simply reinstall the operating system to be on the safe side.
This isn’t the first time Mozilla has served malware-laced add-ons to its loyal base of users. In May 2008, a Vietnamese language pack for Firefox 2 contained a viral infection that resulted in users seeing unwanted ads. The add-on was downloaded almost 17,000 times before it was pulled.
In the most recent case, version 4 of the Sothink Web Video Downloader add-on installed a password sniffer dubbed Win32.LdPinch.gen and was downloaded about 4,000 times between February 2008 and May 2008. A separate add-on called Master Filer was laced with a backdoor trojan known as Win32.Bifrose that was downloaded 600 times between September 2009 and January of this year.
Mozilla removed Master Filer on January 25 and nixed Sothink on Tuesday.
The blog post said Mozilla added two new scanners to its validation chain. It was this change that allowed the organization to detect version 4 of the Sothink Web Video Downloader.
Versions greater than 4.0 of the video downloader add-on were not infected, Mozilla’s blog post stated. Both infections affected only Windows users of the open-source browser.
Credit: The Register
Apple’s iPhone is vulnerable to exploits that allow an attacker to spoof web pages even when they’re protected by the SSL, or secure sockets layer, protocol, a security researcher said.
The fault lies in a feature that makes it easy to configure large numbers of iPhones so they meet an organization’s IT policies, said Charlie Miller, a researcher at Independent Security Evaluators. Not only does the provisioning feature work over the internet, it can be tricked into accepting malicious configuration files.
“If the user accepts, the attacker can make changes to the phone’s configuration which can cause harm,” Miller explained.
The revelation comes after the hack was discussed in an anonymous blog post over the weekend. It explained how it was possible to sign an XML-based configuration file using an SSL certificate registered to a fictitious company called Apple Computer. Because the iPhone checks only that the certificate was signed by a trusted CA, or certificate authority, the author’s rogue update.mobilconfig file was accepted and executed.
The author claimed the hack could be used to change an iPhone’s proxy settings, a change that would allow attackers to do much more nefarious deeds such as funnel traffic to servers under their control. Miller said he wasn’t sure such an attack was possible, but he didn’t rule it out, either.
“It definitely allows them to change the trusted certs which means that you can’t trust SSL anymore,” Miller wrote. “I don’t have the cert the guy generated to really confirm things on my own. I’m very confident that it can do a lot though.”
In addition to changing trusted certificates, Miller said, a rogue configuration file could be used to disable Safari or other iPhone apps, or to block access to particular websites.
For an exploit to work, an attacker would have to apply a fair amount of social engineering. First, a user would have to be tricked into clicking on an email attachment or visiting a website hosting the configuration file. The user would then be presented with a window saying the update has been “verified” and would have to click OK to install it.
The most serious consequence Miller could confirm was the ability to spoof SSL-protected pages, but given the difficulty of the attack, he wasn’t sure how useful that would be.
“If you can get someone to install this thing AND go to your phishing site, the guy probably would have fallen for it without SSL,” he said.
Credit: The Register
Underscoring a little-known web vulnerability, hackers are exploiting a weakness in the Mozilla Firefox browser to wreak havoc on Freenode and other networks that cater to users of internet relay chat.
Using a piece of JavaScript embedded into a web link, the hackers force users of the open-source browser to join IRC networks and flood channels with diatribes that include the same internet address. As IRC users with Firefox follow the link, their browsers are also forced to spam the channels, giving the attack a viral quality that has caused major disruptions for almost a month.
“Huge numbers of users of the Freenode network ended up getting banned themselves because they would click the link and then they would join the network and flood the network,” one of the hackers, who goes by the moniker Weev, said. “We get this huge rollover effect.”
He added: “We got the people who run Freenode to actually k-line each other,” a reference to the process of banning a user from an IRC server for spamming or other inappropriate actions.
The malicious JavaScript exploits a feature that allows Firefox to send data over a variety of ports that aren’t related to web browsing. By relaying the scripts over port 6667, users who click on the link automatically connect to the IRC server and begin spewing a tirade of offensive text and links. The attack doesn’t work with Internet Explorer or Apple Safari, but “might” work with other browsers, Weev said.
IRC channels such as Efnet and OFTC have managed to block the attacks, but at time of writing Freenode operators were still struggling to repel them.
“While we are doing what we can to mitigate the spam, we would ask that you take a careful look at any unusual sites or URLs you might visit in the near future to be sure you are not being tricked into visiting such a site,” a note on Freenode’s website read. Representatives of the network didn’t respond to an email seeking comment.
Security researchers have long known that it’s possible to abuse features designed to make browsers work seamlessly with other internet applications. Web security expert Robert “RSnake” Hansen calls the technique “interprotocol exploitation.”
“It’s the first time I’ve actually seen it used in the wild,” he said. “We’ve been theorizing this attack was possible for some time. Browsers absolutely should not be able to connect to ports unrelated to HTTP.”
Hansen said other internet technologies, such as the SIP protocol for voice over IP, are also ripe for abuse.
Credit: The Register
If you use any version of Internet Explorer to surf Twitter or other Web 2.0 sites, Jorge Luis Alvarez Medina can probably read the entire contents of your primary hard drive.
The security consultant at Core Security said his attack works by clicking on a single link that exploits a chain of weaknesses in IE and Windows. Once an IE user visits the booby-trapped site, the webmaster has complete access to the machine’s C drive, including files, authentication cookies - even empty hashes of passwords.
This isn’t the first time security researchers at Core have identified security weaknesses in IE. The company issued this advisory in 2008 and this one in 2009, each identifying specific links in the chain that could potentially be abused by an attacker.
“Every time we reported this to Microsoft, they were fixing just one of the features,” Medina said in a telephone interview from Buenos Aires. “Every time they [fixed] it, we managed another way to build the attack again.”
Medina said he has fully briefed Microsoft on his latest attack, which he plans to demonstrate at next month’s Black Hat security conference in Washington, DC. Microsoft’s “rapid response team” didn’t reply to an email, but a statement sent to other news outlets said the company is investigating the vulnerability and isn’t aware of it being exploited in the wild.
The hole is difficult to close because the attack exploits an array of features IE users have come to rely on to make web applications work seamlessly. Simply removing the features could neuter functions such as online file sharing and active scripting, underscoring the age-old tradeoff between a system’s functionality and its security.
Based on Medina’s characterization, it appears that fixing the weakness will require changes in a Windows network sharing technology known as SMB, or server message block, as well as the way Windows makes file caches available to a wide variety of applications.
“The things we are reporting are not bugs, they are features,” Medina said. “They are needed for many applications to work, so [Microsoft] can’t simply remove or truncate” them.
IE suffers from at least one other long-standing security bug that can enable attacks against people browsing websites that are otherwise safe to view. It can be exploited to introduce XSS, or cross-site scripting, exploits on webpages, allowing attackers to inject malicious content and code. Microsoft has said it’s unaware of this vulnerability being exploited.
Core’s previous advisories contain a number of workarounds, including setting the security level for the internet and intranet zones to high to prevent IE from running scripts or ActiveX controls.
Credit: The Register
The first hacker to successfully jailbreak the iPhone says he has pulled off yet another modding marvel, this time penetrating the previously impervious PlayStation 3 gaming console.
The hack by 20-year-old George Hotz, aka geohot, is significant because the PS3 was the only game console that hadn’t been hacked, despite being on the market for more than three years. The feat greatly expands the functionality of the box by allowing it to run unrestricted versions of Linux and a wide range of games that are currently forbidden. The hardware and software designer said it took him five weeks to develop the hack using a combination of modifications to the console’s hardware and software.
“Basically, I used hardware to open a small hole and then used software to make the hole the size of the system to get full read/write access,” he said in an interview. “Right now, although the system is broken, I have great power. I can make the system do whatever I want.”
The first three weeks were spent trying attacks to directly access memory of the console. He eventually settled on his current approach after realizing software approaches alone were insufficient.
A dropout of the Rochester Institute of Technology, geohot said he is declining to provide details to prevent Sony from introducing changes that would stymie the modifications. But a blog post announcing the accomplishment makes clear the hack gives users unprecedented control over their systems.
“I have read/write access to the entire system memory, and HV level access to the processor,” geohot wrote. “In other words, I have hacked the PS3.”
The hack will allow PS3 users for the first time to run unrestricted versions of Linux that have full access to the system’s central processing unit and graphical processing unit. That will greatly expand the kinds of things users can do with the console. For starters, they could use the mod to run emulators that will play PS2 games on the machine, something Sony strictly forbids. It could also allow programs like the VLC media player to run much more robustly. The hack also opens the door to pirated games on the console, although geohot said that’s an activity he’s not interested in pursuing.
Geohot said he doesn’t plan to release the software used to unlock the box until he can make it more reliable. It currently takes about 15 minutes to run and frequently fails to work properly. “If I posted what I have now, people would get fed up with it,” he said.
He praised the PS3 as a “pretty secure system,” that was harder to hack than many hardware systems he has penetrated.
While hacks of the Xbox and the iPhone have led to thriving developer communities that release custom applications for the modded devices, geohot said the challenge of overcoming the security overshadows those more practical outcomes.
“Personally, it’s a win for me just to do it,” he said. “It’s just cool to have it cracked.”
Credit: The Register
Initially perhaps conceived as a prank targeting a small community of bikers in a central Slovakian region, the worm Win32/Zimuse.A and Win32/Zimuse.B has achieved worldwide notoriety. It is a type of threat that overwrites the MBR (Master Boot Record) of all available drives with its own data, making the data stored on the user’s computer inaccessible. Moreover, restoring the corrupted data is complicated, requiring specialized software or a data-recovery provider.
Since the worm’s inception, ESET has detected it on hundreds of computers of its users. Initially after the outbreak, only users in Slovakia were affected – accounting for over 90% of all infections. Presently, the greatest number of infected computers is in the United States, followed by Slovakia, Thailand and Spain, and then by Italy, the Czech Republic and other European countries.
The worm uses two ways to spread – either via embedding in legitimate websites, in the form of a self-unpacking ZIP file or as an IQ test program, or via exchangeable media, such as USB devices. The fact that it relies on USB devices to propagate is responsible for its rapid dissemination, which is likely to increase even further.
To date, the worm’s two variants - Win32/Zimuse.A and Win32/Zimuse.B differ in the method of spread and the timing of activation. While the A-variant needs 10 days to start spreading via USB devices, its B-variant needs only 7 days since infiltration. Moreover, the time needed for the execution of the destructive routine is shortened in the B-variant from the original 40 days to 20.
Moreover, if the right removal method is not used, the worm shifts to its destructive mode. This is similar to making the right choice on which wire to cut, and in what sequence in a bomb-defusing operation.
There is a widely held suspicion that the worm was intended to infect the computers of fans of a motorcycle club in the central Slovakian Liptov region; however, it spread beyond this target group once it started attacking company networks. What’s more, the infiltration was reminiscent of the well-known OneHalf threat in the worm’s behavior, the country of origin (both originating in Slovakia), and the inflicted damage – causing the total paralysis of the system it attacks.
The infiltration does not possess a degree of sophistication that would encrypt the data on the disk; instead it was designed to corrupt the MBR (Master Boot Record) of physical disk drives. It emulates the old-time threats in that it is timed to go off – in this case 40 days after the infiltration.
Credit: ESET.eu
A technique used to get complete listings of files and directories from illegal installations of vBulletin has been revealed on a Romanian hacking forum. This vulnerability is generated by a file included in many cracked versions of the forum platform.
vBulletin (vB) is a commercial-only Internet forum software written in PHP and using MySQL as a database backend. Since its release in 2000, the platform has gained a lot of popularity due to its unique set of features and professional support. Searching for “powered by vBulletin” on Google reveals a staggering 1.6 billion results.
Most of these results correspond to legitimate installations made by people who paid a license fee in order to use the software. However, many installs are rogue, because, like all popular programs, vBulletin is pirated too.
vB versions with their copyright protection mechanism subverted are called “nullified” and one of the most prominent providers of such releases is a group called DGT. It seems that this team of crackers is in the habit of including a file called validator.php in all of its illegal vBulletin packages.
According to the release notes, this file can be used to verify that files included in the package have not been altered by third parties. It is also noted in the instructions that this file should be removed after installation, but obviously most users never read them.
Left on the server, the validator.php file can be executed via the browser by virtually anyone. This is certainly not desirable as it will output the full path of all files within the installation directory and can lead to sensitive information being exposed.
For example, a section in the vBulletin administration interface allows creating database backups, which get saved in a writable directory. It’s safe to assume that people who do not bother deleting validator.php are not likely to delete these backups either. Knowing the exact names of these files would make it trivial for an attacker to steal them.
Given the nature of this vulnerability, it is very likely that it has been known for quite some time in restricted hacking circles.
This should serve as a lesson for people who choose to run pirated copies of commercial software - you can never be certain that illegally downloaded code is safe. Nevertheless, if you are running a “nullified” vBulletin distribution, check if there is a validator.php file in your installation directory and remove it immediately. Also, remove any potentially sensitive files that you are currently hosting inside that folder.
Credit: Softpedia.com News
The University of Exeter in the South West of England experienced serious problems with its computer network earlier this week due to a virus outbreak. Systems running Microsoft Windows Vista with Service Pack 2 seem to have been particularly affected by the unnamed malware.
The problems started on Monday when a computer virus was introduced onto the network. “Experience of dealing with data corrupting viruses elsewhere indicates that it is essential to shut down the network ASAP to avoid so many machines and files being corrupted that it takes weeks to recover. Therefore, although this is a PC rather than a network problem, we had to shut down the network to isolate the virus,” announced David Allen, the university’s registrar and deputy chief executive.
The exact name of the virus has not been disclosed, but ZDNet cites insider sources according to which, it exploits the vulnerability described in Microsoft’s MS09-050 Security Bulletin. “This is a completely new virus and we are the only organisation in the world to experience it. None of the mainstream virus software suppliers have seen this virus, and as such, there is no fix,” a leaked internal e-mail from the IT department allegedly reads.
Mr. Allen also pointed out that a security expert had been called on site to assist with the cleaning efforts. Apparently, this malware has only been detected on computers running Windows Vista and the specialized staff plans to check all such systems. This would suggest that the “virus” can spread from one computer to another, which would technically make it a computer worm.
“University campuses are, of course, complex beasts and the IT teams who secure them can have a tough job. The problem is compounded by having a massive userbase of students who may plug their own devices into the network, or may show little care for the security of a communal computer and put it at unnecessary risk,” notes Graham Cluley, senior technology consultant at antivirus vendor Sophos.
The network is slowly being brought back online, beginning with buildings that do not use Windows Vista computers. Several services such as Outlook Web Access and the MyExeter Web portal remain functional, but other network-dependent equipment like VoIP telephones or interactive teaching boards are unusable.
The University of Exeter has almost 16,000 students and three campuses, two in Exeter and one in Cornwall. The Cornwall campus is shared with the University College Falmouth and was isolated from the affected network immediately after the threat was discovered.
Credit: Softpedia.com News
Scareware distributors are hijacking vulnerable osCommerce websites in order to launch their blackhat SEO campaigns. The attacks leverage a publicly disclosed vulnerability and drop several rogue scripts on the compromised servers.
The vulnerability is known since at least August 31, 2009, when a working exploit was publicly released on Milw0rm. In a security advisory, published by vulnerability management company Secunia, the flaw is described as “an error in the authentication mechanism [which] can be exploited to bypass authentication checks and gain access to the administrative interface in the ‘/admin’ folder.”
According to a report from Unmask Parasites, upon successful exploitation, several rogue PHP scripts will be uploaded on the servers. These are mm.php, sh1.php, betty.php and lname.php.
The betty.php script has the purpose of generating bogus URLs of the form http://compromised_domain.com/bety.php?q=keywords, which get indexed by search engines and poison search results for certain terms. The script also creates HTML landing pages and stores them in a “.cache” directory.
The lname.php script handles the redirection of visitors to the malicious sites that push fake antivirus programs. The scareware distributed through this campaign is fairly new and has a very low AV detection rate on VirusTotal.
Meanwhile, mm.php is used to upload files to the compromised server and sh1.php is a PHP Web shell. Finding any of these files on a Web server is a clear indication of infection. Unmask Parasites also points out that, “Google Webmaster Tools can help you detect this attack. Their ’search queries’ report has also proven to reveal many other security problems, so it’s a good idea to use GWT at least once a week.”
The vulnerability has not yet been patched and affects the latest stable version of osCommerce, 2.2 RC2a. However, this attack can be prevented by restricting access to the /admin directory, through .htaccess or some other way. Renaming this directory and removing the abused file-manager.php script can also enhance the security of your osCommerce website.
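Putting the report's indicators and the suggested mitigations together, here is an added example (not code from the article, Unmask Parasites or the osCommerce project) that looks for the named scripts and the `.cache` directory under a web root and writes an `.htaccess` restricting the admin directory by source address. It assumes the admin directory still has its default name `admin`, that the scripts were dropped under the web root, and Apache 2.2-style `Order/Deny/Allow` rules; the sample files and addresses in the test are constructed.

```python
"""Indicator scan and admin-directory restriction for the osCommerce attack described above.
Added example, not from the article or the osCommerce project; paths and rule syntax are assumptions."""
from __future__ import annotations
from pathlib import Path

# file names from the Unmask Parasites report quoted in the article
ROGUE_SCRIPTS = {"mm.php", "sh1.php", "betty.php", "lname.php"}


def find_indicators(web_root: Path, admin_dir: str = "admin") -> list[str]:
    """Return human-readable indicators of this compromise found under web_root."""
    found = []
    for path in sorted(web_root.rglob("*.php")):
        if path.name in ROGUE_SCRIPTS:
            found.append(f"rogue script: {path.relative_to(web_root)}")
    cache = web_root / ".cache"
    if cache.is_dir():  # betty.php stores its spam landing pages here
        n = sum(1 for p in cache.iterdir() if p.is_file())
        found.append(f"landing-page cache: .cache ({n} files)")
    fm = web_root / admin_dir / "file-manager.php"
    if fm.is_file():  # the script the article says the attackers abuse; remove it
        found.append(f"admin file manager still installed: {fm.relative_to(web_root)}")
    return found


def admin_htaccess(allowed_ips: list[str]) -> str:
    """Apache 2.2 mod_authz_host rules denying everyone except allowed_ips."""
    lines = ["# osCommerce admin area: allow only trusted addresses (constructed example)",
             "Order Deny,Allow",
             "Deny from all"]
    lines += [f"Allow from {ip}" for ip in allowed_ips]
    return "\n".join(lines) + "\n"


def harden_admin(web_root: Path, allowed_ips: list[str], admin_dir: str = "admin") -> Path:
    """Write the rules to <web_root>/<admin_dir>/.htaccess and return that path."""
    target = web_root / admin_dir / ".htaccess"
    target.write_text(admin_htaccess(allowed_ips))
    return target


if __name__ == "__main__":
    import sys
    root = Path(sys.argv[1])  # e.g. /var/www/oscommerce/catalog (assumed layout)
    for item in find_indicators(root):
        print("INDICATOR", item)
    # 203.0.113.10 is an RFC 5737 documentation address; use your own admin IP
    print("wrote", harden_admin(root, ["203.0.113.10"]))
```

On Apache 2.4 the equivalent rule is `Require ip <address>`; the scan is a quick triage aid and does not replace restoring from a known-good copy once any indicator is found.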
Credit: Softpedia.com News