During the first two weeks of July 2008, Finjan detected over 1,000 unique website domains that were compromised by the Asprox toolkit attack. Each of the compromised domains included a reference to malware that was served by over 160 different domains across the Internet. Since the list of these malware-serving domains grows every day, this might be just the tip of the iceberg for the scope and impact of this attack.
Among the compromised websites, Finjan found sites belonging to respectable organizations, governmental institutes, healthcare organizations and other highly ranked websites. The malicious code is still being served by most of these websites, and the toolkit is still in use.
Among the many websites that were compromised, there are various advertisement networks that were also used to direct users to compromised advertisements. One of the advertisement networks was atdmt.com, which Microsoft plans to acquire as part of Microsoft’s Advertiser and Publisher Solutions Group.
Among the compromised legitimate websites (on some of them the malicious code no longer exists) are government websites:
marysville.ca.us, the official website of the City of Marysville, registered by Marysville Police Department.
www.censocultural.ba.gov.br, the official website of the cultural data bank of the Department of Culture and Tourism of the State of Bahia, Brazil.
www.sfgov.org, official website of the government of the City and County of San Francisco.
Compromised healthcare websites:
nhs.uk, the official website of the National Health Service in the UK.
samedical.org, the official website of the South African Medical Association.
Other compromised legitimate websites:
Cocacolabrazil.com
Snapple.com, one of the largest soft drink makers in the US
uci.edu, official website of the University of California
The Baltimore Times Website
BMW official site in Mexico
Compromised sites have a piece of JavaScript (JS) embedded in them, which in turn points to another JS file on a separate domain. These domains are part of a fast-flux network hosted on the botnet itself, a technique also used by the well-known Storm botnet.
The attack toolkit is designed to inject a <script> tag into legitimate .asp webpages. Each of the 160 different domains hosting the .js file points to a location of the malicious file that was unique to that domain. The malicious script exploits several vulnerabilities on the victim's machine in order to raise the chances of successful exploitation: the MDAC vulnerability, the QuickTime RTSP vulnerability and the AOL SuperBuddy ActiveX control code execution vulnerability. Upon successful exploitation, a Trojan is downloaded and executed on the victim's machine.
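An injected reference of the kind described above shows up as a <script> tag whose src names a host the site never loads scripts from. The following Python script is an added example (not from Finjan's report or the toolkit) that scans page source or stored database content for such tags against a per-site allowlist; the allowlist, the sample page and the js-host.invalid domain are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts a given site legitimately loads scripts from (constructed allowlist).
ALLOWED_HOSTS = {"www.example-agency.gov", "cdn.example-agency.gov"}


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":  # HTMLParser lowercases tag and attribute names
            for name, value in attrs:
                if name == "src" and value:
                    self.sources.append(value.strip())


def find_foreign_scripts(html, allowed_hosts=ALLOWED_HOSTS):
    """Return script src values whose host is not in the allowlist.

    Relative src values (no host part) are treated as first-party and skipped;
    an injected tag always names an external .js host, which is what we flag.
    """
    parser = ScriptSrcCollector()
    parser.feed(html)
    parser.close()
    foreign = []
    for src in parser.sources:
        host = urlparse(src).hostname
        if host is not None and host.lower() not in allowed_hosts:
            foreign.append(src)
    return foreign


# Constructed sample: a page whose stored text was injected with an unquoted
# <script src=...> tag pointing at a placeholder external domain.
SAMPLE_PAGE = """<html><head>
<script src="/js/menu.js"></script>
<script src="https://cdn.example-agency.gov/lib.js"></script>
</head><body><h1>City news</h1>
<p>Council meeting moved to Tuesday<script src=http://js-host.invalid/b.js></script></p>
</body></html>"""

if __name__ == "__main__":
    print(find_foreign_scripts(SAMPLE_PAGE))  # ['http://js-host.invalid/b.js']
```

Because the toolkit writes the tag into database text columns, the same function can be run over exported rows as well as over served pages.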
Sony's USA PlayStation website, a site with a very large number of daily visitors according to Alexa, has been the victim of an SQL injection attack. Sony PlayStation's site is another highly trafficked website that has fallen victim to the continuing waves of mass SQL injections by botnets (the Asprox botnet, for example).
The purpose of this wave of attacks seems to be to dupe users into installing the same fake anti-virus software SophosLabs discovered on .MOBI websites earlier this week. Numerous malicious websites making use of the unusual .MOBI top-level domain attempted to load a script 'AD.JS' located in the root of each site. This in turn attempted to load another website - a fake anti-virus install site. The site pretends to do an online virus scan:

A bogus warning message is then displayed, saying that one or more of the following have been detected:
Trojan.Bakloma.A
Win32.Gattman.A
Trojan.Zapchas.F
JS.Blackworm.A
Trojan.Tibs.E
Win32.Netsky.P@mm
Trojan.Winsys
Trackware.Adctech2006
Downloader.TrafficSector
Adware.Roings

If you have seen or installed this software on your PC, run a trusted anti-virus as soon as possible, since your machine is infected.
After this, the user is encouraged to download and run an executable (installer.exe). This malware is detected as Mal/Packer by Sophos. If the installer is run, it installs more malicious files (Troj/FakeAV-AA) on the victim's machine.
Visiting the affected PlayStation site runs a script that pretends to perform the same online security scan of your computer and presents the bogus warning message shown in the image above. Users frightened by the fake 'warnings' might rush to spend money on useless software.
The fact that the Sony PlayStation site has been attacked in this way suggests that someone with malicious intent could place other harmful malware there and infect a very high number of Sony PlayStation website visitors.
Sony PlayStation's site hasn't been singled out by hackers; it was hit automatically along with thousands of other pages that were SQL-injected with the malicious coldwop.com domain (yet another SQL injection attack by Chinese hackers). There are no reports of the Sony PlayStation database or customers' private details being compromised; the flaw in Sony's website only allowed injection of redirection code that loads a script from the malicious site.
The Maryland State Attorney General was notified by Balmar Incorporated about a breach that occurred between April 4, 2008 and April 30, 2008, in which sensitive customer information was compromised. Balmar, a provider of print and graphic communications services as well as a regional provider of on-site production and administrative services, recently experienced a data security breach on its e-commerce site server.
Balmar has reason to believe that the personal information of 7 of its online customers who reside in the State of Maryland may have been accessed sometime between April 4, 2008 and April 30, 2008 without proper authorization. The personal information affected may include customer names, addresses, telephone numbers, emails, and credit card information.
Balmar has determined that at least one fraudulent credit card transaction has occurred as a result of this incident. A full analysis of their e-commerce server logs revealed that on March 27, 2008, an individual initiated several SQL injection queries on the main page of the Balmar e-commerce website from an IP address in Viet Nam. Random queries were attempted over time through March 31st. By March 31st, the individual had gathered enough information to pipe the queries to a search bot. By April 4th, the search bot was able to access and transfer data from the e-commerce server to a web page.
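The log triage described above, written in Python as an added example (not Balmar's own tooling): it flags requests whose decoded query string carries SQL injection indicators and groups them by client IP with first and last seen timestamps, so that a days-long probing pattern from one source stands out. The Common Log Format lines and the IP addresses are constructed.

```python
import re
from datetime import datetime
from urllib.parse import unquote_plus

# One Common Log Format line, e.g. from the e-commerce site's web server.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators of SQL injection probing in a decoded query string.
SQLI_RE = re.compile(
    r"(union\s+select|declare\s+@|cast\s*\(|exec\s*\(|'\s*or\s+|--|;\s*(drop|insert|update|delete)\b)",
    re.IGNORECASE,
)


def is_sqli_request(path):
    """True if the request path's query string carries SQL injection indicators."""
    if "?" not in path:
        return False
    query = unquote_plus(path.split("?", 1)[1])
    return SQLI_RE.search(query) is not None


def summarize_sqli(log_lines):
    """Group flagged requests by client IP: count, first/last seen, decoded paths."""
    hits = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or not is_sqli_request(m["path"]):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        entry = hits.setdefault(m["ip"], {"count": 0, "first": ts, "last": ts, "paths": []})
        entry["count"] += 1
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
        entry["paths"].append(unquote_plus(m["path"]))
    return hits


# Constructed sample log: one client probes default.asp over several days,
# a second client makes only a normal request. IPs are from documentation ranges.
SAMPLE_LOG = """\
203.0.113.9 - - [27/Mar/2008:10:15:02 -0400] "GET /default.asp?id=12%27%20or%201%3D1-- HTTP/1.1" 200 5120
198.51.100.4 - - [27/Mar/2008:10:16:40 -0400] "GET /default.asp?id=12 HTTP/1.1" 200 5120
203.0.113.9 - - [31/Mar/2008:22:01:11 -0400] "GET /default.asp?id=12%3B+DECLARE+%40s+varchar(4000) HTTP/1.1" 500 312
"""

if __name__ == "__main__":
    for ip, info in summarize_sqli(SAMPLE_LOG.splitlines()).items():
        print(ip, info["count"], info["first"].date(), info["last"].date())
```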
Once the incident was discovered, Balmar reported it to the Virginia State Police and the FBI; contacted the web page host to demand that the page be disabled; removed all credit card information from the affected area of the database and moved it to a secured area of the database that cannot be accessed by the method used during the incident; installed an additional database security solution to detect and prevent any future attempted security breaches; and sent notice to affected customers by letter and e-mail.
Balmar’s investigation of this incident is ongoing. For more information, call 1 (800) 265-2724 or email bseger<at>balmar.com.