Thursday, June 29, 2006

iframerz Find New Home

Hi folks,

The iframers have a new ISP for their business site. The background is that in the beginning of June, they started moving their operation from their Ukranian based isp to a new one in Russia. Evidently, they sent spam advertising their new business site, and got shut down almost immediately, although their exploit servers are still operating.

Well, guess what... they've got a new ISP for the business site... in the UK! Anyone want to bet how long it will stay up?

Btw, the new biz site is, and while it seems safe, I wouldn't go there unless you know what you're doing, or unless you're running SocketShield.


Tuesday, June 13, 2006

iframerz Moving Their Operation

Hi folks,

FWIW, the Russian iframerz seem to be moving their operation. Their old websites and domains are becoming inactive, and new seemingly randomly-generated domain names are being brought online. So far, no new exploits seem to be associated with them, but given that Patch Tuesday has just come and gone, we'll keep an eye on them.

Interestingly, their new business site says that their new anti anti virus measures went into effect on May 31st. We have no clue what that means at this point, but we'll figure it out.


Wednesday, June 07, 2006

MDAC ... the new WMF?

(updated 10:46am PDT)

Hi folks,

Last night, our Intelligence Network found a new version of a script
exploiting MDAC, a Windows vulnerability patched in April's Patch Tuesday release (MS06-014).

The first Interesting Thing about this is that, as far as I know, there
has been no published proof of concept for this exploit, so we are now aware of at least three groups that have independently worked out their own exploit, as opposed to their usual m.o. of simply copying someone else's work.

The second Interesting Thing is that this might be regarded as proof
that the Bad Guys have actually started trying to reverse engineer Patch
Tuesday's patches to look for exploit opportunities.

The third Interesting Thing is that this is the third instance of this
exploit we've found since the beginning of June ... just under a week. Not minor variants, but complete rewrites. This is really unusual, and is probably happening because the exploit is not relying on an application crash and buffer overflow, but simply using a feature in MDAC, a la
December's WMF (Windows Meta File) 0-day. What this means is that it's _easy_ to exploit this vulnerability and, if we can get three in a week, we can expect more. WMF was equally easy, and we had lots of variants of that within a few days.

And finally, the fourth Interesting Thing is that, if you're patched
(or running SocketShield, of course), you're safe, but if you're not,
because this is web exploitable, you need to be careful ... your firewall
won't protect you. And if you work in a corporate IT department, you _know_ that patches rarely get applies as soon as they're available - often because of potential inter-operability problems with existing applications.

If there's anyone out there who doesn't yet believe these exploits are a
_real_ problem, how's this for scalability:

Just a few days ago, there was a report that 38,500 web sites had been defaced in a single day by a Turkish hacker. Fortunately, he just defaced the sites, and did so openly and obviously, but if he'd been an exploiter and just added a single i-frame call out to an exploit server, voila .... 38,500 trusted, innocent websites are suddenly malicious.


Thursday, June 01, 2006

An update on the rapidly changing exploit (under) World.

Hi folks,

The WebAttacker site is now down.

Secondly, thanks to AusCERT, the Computer Emergency Response Team for Australia, we now know that the new version of WebAttacker was being heavily advertised in spam, at least in that country, through hacked but otherwise innocent sites.

Each hacked site contains the usual single-line iframe that reaches out to the exploiter. In other words, anyone visiting the hacked site is automatically and invisibly re-directed to the exploiter.

We're not seeing any obvious connection between the hacked sites at this point - they include song lyrics, beauty supplies, a bridal shop, and travel - but we'll continue to look at them to try and find a common thread. The fact is that this exploiter went to a lot of trouble to hack at _least_ 33 lure sites, and then used a brand new version of WebAttacker on them.

We know that the exploitive site first came online in the middle of April, so we might surmise that the exploiter has been preparing the attack since then. In which case, he must be pretty disappointed that he was discovered and shut down within a few hours ...


New WebAttacker Uncovered in the Exploit (under) World

Hi folks,

More interesting events in the exploit (under)world … Last night, our Intelligence Network discovered a new version of WebAttacker, a particularly effective script-kiddie tool. Our users have nothing to fear as we already detect it with our existing signatures, but it's interesting to note the process these guys are following. The driving CGI in this new version is IE0606, which indicates it is intended to be released in June of 2006 (ie today). (The release in January was IE0601, and April’s was IE0604). Fortunately, our Intelligence Network was able to identify it almost immediately upon its release.

The new “feature” in this latest WebAttacker release appears to be the addition of an exploit for MS06-014 (MDAC vulnerability ....
It seems Microsoft patched this in the April release, so if you're patched, you're probably safe (although Microsoft did update their bulletin on May 11th, so you might want to double-check).

It looks as if the WebAttacker folks also pulled out some of the poorer-performing exploits that were evidently not getting enough victims to make it worthwhile. But this version does still include a sploit for a slightly old Firefox.

Like mainstream software companies, the exploit traffickers are constantly revving their product line in order to stay ahead of competing technology and to increase revenue.

The threat continues to evolve and the engine is fueled by profit…