A video

Hi folks,

We were fortunate enough to capture some video of the google / BBB / SmartTrack issues. Here is a link if you'd like to watch it.

and there's a hi-res version here

Cheers

Roger

Google sponsored links not safe?

Hi folks,

We've been watching an interesting puzzle for a couple of weeks now, and last night the last couple of pieces fell into place. Since the 10th April, our community intelligence network has been finding exploit detections _seemingly_ at household name sites like the Better Business Bureau and
cars.com but are actually coming from a place called smarttrack.org
masquerading as one of the legit sites.

Google searches such as the phrase BetterBusinessBureau OR "Florida Business
Opportunity Law" or "Modern cars airbags required" will turn up these
dangerous sites (more on that below). Last night our researchers discovered that one of these rogue links was the number 1 sponsored link when people entered the phrase BetterBusinessBureau. See here. It looks safe, but a mouse-over our red verdict reveals the truth.

It sure looks like it will take you to a BBB website, and that's where you end up. Here's a screensnap of the result.

First, however, it takes the unwary traveler through smarttrack.org, which uses a modified MDAC exploit to try to install a backdoor and a post-logger on your system. The post-logger is specifically targeting about 100 banks from around the world, by injecting extra html into those banks response pages, to try to coax extra information out of the victim. (Although it specifically targets those 100, it is an equal-opportunity logger and happily logs all user ids and passwords for any webpage.)

Also, because the post logger is a browser helper object, it is part of the end-point of any SSL transaction, and can see everything in plain text, instead of encrypted.

Now, lots of links in any search engine point to infective sites, so that's not really a surprise, but this does highlight a significant issue. When you move the mouse over a normal, organic search result, google shows the url you are about to navigate to if you click. See here.

If, however, you mouse-over a sponsored result, no URL preview is shown! This means that a user has no clue where she is about to navigate to. See here. Savvy search engine users will know that often these sponsored links will take you through a
'Click-manager' or other advertising service and so seeing your browser pass
through smarttrack.org will appear benign enough.

Fortunately, google seems to have terminated that account as of about 11am est, but we detected about 20 different search strings that resulted in links to smarttrack.org, so it is not yet clear if all the links have been cleared up, but LinkScanner and SearchShield will surely reveal that over the next few days.


Cheers

Roger

A real knockout website

Hi folks,

One of the most entertaining features of our product is SearchShield. LinkScanner is able to fold into both Internet Explorer and Firefox and is able to pre-scan search results for google, yahoo and msn. It takes a little bit longer, because it physically has to go fetch all the webpages and scan them, but it's so much fun to watch it's worth installing it just for the entertainment value. Exploitive websites are really hard to find, but they pop up when they are entirely unexpected (which is why databased solutions can never keep up with a programmatic solution). Time after time, you'll be searching for something innocent, and bam!... something unexpectedly gets marked with our famous red X.

For example, a simple google for K1 turns up an exploitive site as the first result.
(WARNING! Don't go to any of these sites unless you really know what you're doing)

It seems that K1 is shorthand for a form of Ultimate Fighting, and this one, www.k-1usa.net, is infected by the Chinese WoW hackers.

There's some irony in real martial artist warriors being impacted by virtual reality World Of Warcraft players.

I can't help but feel that the K1 guys would like five minutes with the World of Warcraft guys.

Cheers

Roger

WebAttacker is dead, long live WebAttacker

Hi folks,

Anyone who has read my blog knows that I thought WebAttacker was an interesting bit of software. For those who haven't read my blog, WebAttacker was a Russian-built canned-exploit package. For a few hundred bucks, you too Mr Lamer could be a Malicious Webmeister by adding WebAttacker to your website. Each month, the WA authors would add the best new exploits to their package, and provide an update to their clients. The wheels started to fall off for them in September 2006, when their attempt to add the vml 0-day failed miserably, and they failed again the next month to add the October 0-day (XML exploit, from memory). They made no attempt that I could find to release an update after that, and I decided that they went the way of all software developers whose products failed.

At about the same time, we began to find what we called the Q4-06 Exploit Rollup Package. This was a javascript containing all the nifty exploits from September and October 2006 (SetSlice, VML, MS06-042, XML, Daxctle), sometimes in plain text, and sometimes encrypted. Being available as plain javascript, it was free, easy to modify and was quickly and widely adopted.

There was one version, however, that stood out from the others, principally because it was well encrypted, _and_ it tracked visiting ips, ala WebAttacker. If you came back to the same exploit website,from the same machine, it would refuse to re-serve the exploit, and would instead display "Sorry! You ip is blocked." (Yes, bad grammer and all). We have long seen that specific error message associated with a particular exploit hub in Russia (Stela-something ... those who know, know who we mean) , and it was no surprise to see them upgrade to the newest exploits, but the kicker is this...

We now see that exact error message coming from _many_ exploit websites. That means that the backend part of this is finding its way to other websites. That's significant. You can easily copy the client portion, but you cannot get hold of the server part unless someone wants you to. Either the Stela folks have been hacked themselves... or _they're_ selling the package, perhaps to fill the void left by the WebAttacker departure! Hence WebAttacker is dead, long live WebAttacker.

These are interesting days folks.

Cheers

Roger

The world is changing

Hi folks,

A couple of months ago, someone asked me what was happening in the malicious website world, and I replied that I thought it was all changing, but I wasn't sure how.

It has changed, but it's still not clear how much, but here's what we're seeing.

The first notable change is geographic. A year ago, we would have said that 90% of the malicious website activity was Russian based. Today, those guys are still there, but we now have huge activity from China, Morocco, Brazil and France as well, and the Russian component is probably less than 30%.

The second change is the sheer volume of attacks. If you don't believe me, go google for .cn/1.js, and see how many results are returned. (WARNING!!! Don't go to any of the result websites, unless you're well protected by LinkScanner, or you're patched). Today, you get about 60,000 hits, and a week ago, it was about 120,000. Now, this is not _proof_ of anything, because some of the returned results are now clean, and some have never been infected in the first place, but it does give an indication of the scope of the problem because 1.js is just one example of one of the recent Chinese attack scripts, and there are _lots_ of other ones.

The third change is the reduction of adware. I guess there's still lots of it, but it doesn't seem to figure as prominantly in the malicious website equation. It used to be that the first thing a malicious website did when it nailed you was to install 20mb of adware (usually the variety that paid commissions per install), followed by keylogger/ rootkit, and a pitch for a fake antispy to remove it all (for just $49.95). Now we just see the keylogger/ rootkit, and sometimes the pitch for the fake antispy.

In other words, the whole idea of malicious websites seems to be Catching On (tm), and the payloads are less innocent, and more overtly criminal.

Cheers

Roger

An orphan no longer

Hi folks,

One of the more interesting ideas that we monitor is that of an Orphaned Lure. That's where you have some site that has been hacked, and made into an Innocent Lure, but then the exploit server is offline. The Lure is now an orphan, but in a macabre parody of a B-grade horror movie the exploit serves can come back to life, and start serving exploits again.

This has happened tonight.

One of the common hacks that we see is an injection of some unescaped code that starts like this ...

< s c ript language="j a vascript"> document.write( unescape( '%3C%69%66%72%61%6D etc

When you decrypt this, it resolves to something like this ...

< iframe src=hxxp:// 81.95.nnn.nn/index.html

where nnn.nn is a substitute to save people from accidently hurting themselves.

This ip has been offline for at least a month, maybe two, but tonight it is live again, and serving stuff.

The moral of the story is that you cannot trust a hacked site. The lure in this case is a hairdressing salon.

Cheers

Roger

ANI and WoW stuff

Hi folks,

I've had a flurry of emails and instant messages that have caused me to realize that I have not explained something properly. The thing that I have not explained is that, almost certainly, the ANI exploit was discovered by some Chinese college student who wanted to steal World Of Warcraft passwords, (That must surely narrow it down to a mere half a million suspects, so he must be almost caught now ;) ) and these are the same guys that earlier hacked the Superbowl website, and who have been using the very effective RDS version of MDAC (infective up to and including August 2006 patch) and the January 2007 version of the VML exploit. In other words, these guys are kids, but exceptionally smart and exceptionally dangerous. (And, yes, we're fairly sure we know who he is, but that's another matter)

Now, of course, all the Serious Bad Guys on the Internet have gone "Whoa... this works great! I'll have one of those!" and have adopted the ANI exploit for reasons far more nefarious than simple WoW password stealing, but that does nothing to change the fact that the most dangerous exploit to be released on the Internet so far in 2007 was discovered by someone whose sole intent was stealing passwords for some online game.

Is this a great Internet, or what???

Cheers

Roger

ASUS again???

Hi folks,
Ok .... that's weird .... asus.com.tw and several other asus web sites have been unavailable for at least two hours now. That's strange, to say the least. I wonder why?
Cheers
Roger

An interesting hacked site + a couple of hours

Hi folks,

"Shout outs" to the webmeisters at http://www.pocketpcmag.com... their website is now clean. They responded to our notification email almost immediately and found and cleaned up the problem within a couple of hours.

This is a stark contrast to most of these events where the webmeisters not only ignore our notifications, but (or perhaps because of that) remain infective for weeks or even months. _Anyone_ can get hacked... the issue then becomes _responding_ appropriately.

Well done and cheers

Roger

An interesting hacked site

Hi folks,

On the heels of the asus.com.tw hack, here is another example of how even an obviously well designed and well used website can be hacked.

At least two of the pages on hxxp://www.pocketpcmag.com (the website owner has been notified) are hacked with iframes pointing to some of the well known Chinese exploit servers. Interestingly, it seems like it's a recent hack, because the google cache of the now-infected pages shows them as clean on Apr 3rd 2007.

If you thought you were safe because you never visited Chinese websites, think again. :-)

Cheers

Roger

ANI - Monday Apr 9th

Hi folks,

Things seem to have settled down in that all the major exploitive web groups seem to have picked up the ANI exploit, and it's now part of the general exploit fabric of the web.

By this we mean that there probably won't be any more surprises with this one, and it will now follow the pattern that we see with the other web exploits... major bad guys will continue trying to find ways to hide their use of it, minor bad guys will continue to adopt it as they figure it out... spammers and malicious e-carders will continue to send it out for whatever it produces for them. Anyone who's patched or is running something like LinkScanner is pretty safe.

Interestingly, these guys (spammers and ecarders) will now mostly catch corporate victims because corporates tend not to patch automatically.... they break too many mission-critical systems with automatic patching. They rely instead, on their corporate av and firewalls to protect them, and the bad guys know how to bypass av any time they like, and firewalls are no protection against web exploits, because the browser creates an instant tunnel right thru them.

A lot of people do their online banking at work (not to mention checking their MySpace or Hotmail accounts), exactly because they think they're safer at work protected by the corporate av and firewall, only to find out that it was not so. Given the predilection of the recent Chinese gangs for installing rootkits and network sniffers, that cannot be a happy outcome for a corporation.

Cheers

Roger

ANI - Sunday morning - Phax Phishing continues

Hi folks,


We've now received some more reports of Phax Phishing (that's where they send you a fax and try to convince you to visit an exploitive URL on your pc), and while we find it highly amusing, I guess it must work at least a bit or the Bad Guys wouldn't keep doing it. What this means is ... watch out for faxes. :-)


ANI-serving websites continue to pop up all over, but the Chinese websites deserve a special mention because of the convoluted nature of the hacks. When we find hacked websites, it's quite common to find they've been hacked multiple times, usually by different gangs, but sometimes multiple times by the same gang (which is also amusing, as well as instructive, because it proves that the hacks are automated .... human beings are not doing it by hand), but the hacked Chinese websites are _impressively_ cross hacked.

They're all using the same exploit combination... MS06-014 (modified to infect up to and including an August 2006 patch), MS07-004, and the ANI exploit... so the cross-hacks don't raise the danger much as far as regular web surfers are concerned, but do they make it difficult for researchers to categorize and understand. We can typicially figure out who we're dealing with by examining which exploit combinations are being used, together with how they're encrypted, together with the payload, but the cross-hacks, with their sheer volumes, make it really tough going, albeit _very_ interesting.

Cheers

Roger

ANI - Friday afternoon

Hi folks,

Two interesting things have happened today.

First, is (and probably lots of people already know this, but ) that sometime in the last few days, it appears that the Taiwanese site for ASUS was hacked, and an iframe to an ANI inserted. Fortunately, the site where it was trying to download the exe from is now offline, but the iframe is still in the ASUS site, so one needs to be careful. It's now officially an Orphaned Lure.

Second is that I've now heard of a second target being phished by fax! The victim has to read the fax, and go type a URL into a browser. The URL has the same version of the exploit package that I wrote about a few days ago in association with the Britney Spears spam run... an ANI, a SetSlice, a winzip, a quicktime, an MS06-042, and a VML. It's a bit like a Moron Virus (that's where you have to copy the virus onto each file yourself, because the virus writer was too dumb to do it programatically)

Cheers

Roger

ANI -Thursday evening ... late

Hi folks,

Although the number of infected websites is continuing to grow, we feel we have the outbreak contained, at least as far as our users are concerned, and we're starting to look at the many and varied payloads.

The most interesting thing we've seen so far is one that is a genuine virus (in other words, it infects other files really well). That is unusual enough, but it also installs a network packet sniffer, _and_ it installs a copy of the Microsoft Platform SDK... 14,500 files over 1.1gb. At this point, we have absolutely no idea why they would do that. It just doesn't make sense.

You could understand making something viral, and you could understand why the virus might also install a network sniffer, but then to download 1.1gb of SDK is hardly subtle, and tends to give the game away a bit. Also interesting is that some of the infected files call _frequently_ to a url containing MsnPortalHome, which _looks_ like adware. All very odd.

We'll post more as we find out!

Cheers

Roger

ANI - Thursday morning

Hi folks,

Overnight we discovered that the group that we call TriModers (so called, be cause when we first noticed them, they were using a package of three exploits), is now attempting to use an ANI exploit. Their vesion is currently broken, and I'm not going to tell them how to fix it, but I expect they'll get it working soon, and we can add their farms to the list of villains using it.

Cheers

Roger

ANI Wed evening

Hi folks,

Well, the official patch is out, but the use of the ANI exploit continues to grow. Significant numbers of exploit servers and their lures continue to be found, mostly in China and Russia.

On a slightly different note, someone asked me recently how to measure the importance of a web-based exploit problem, and I thought it was a fair question. When you have a network worm or mass-mailing worm, it's fairly easy to guage the size of the outbreak, simply by watching your firewall logs, or by looking at what comes into your InBox.

Web-based stuff is much more subtle. They rarely come looking for you, but rely on their network of Lures to draw you in. For example, a single exploit server I looked at recently had fifty IP addresses that called directly to it. Each of those fifty (which were under the direct control of the owner of the exploit server) had about 300 domains on it. If you assume that each of those domains had just ten external links in, from open blogs, or hacked sites, that made 150,000 ways to be drawn to the exploit, with just a couple of unwary surfs. If they could create 100 first generation links in, that would be 1.5m. It mounts up quickly.

Not only that, but a frequent target of the exploiters is to hack into an unwitting small business website, like a resaurant or a mortgage broker. They're always poorly defended, but the owner is usually canny enough to try to create many links into her website. Some potential diner tries to find out what's on the menu, and gets a belly full of rootkit instead.

Cheers

Roger

ANI Tues afternoon+10 minutes

Hi folks,

I just swung by some iframer lures, and guess what .... they're now infective with the ANI 0-day. Not sure what that payload is yet, but they usually install a Rustok rootkit. They have a strong and large system of Lures, so this is a pretty good escalation of events. Good thing the patch came out today.

Naturally, LinkScanner users have little to fear, as it detects all the variants so far.

Cheers

Roger

ANI Tuesday afternoon

Hi folks,

It's Tuesday afternoon about 6pm est. It's been an exceptionally busy day, but here are the main points so far.

(1) ANI exploits continue to be spammed out, mostly disguised as Britney pictures, mostly installing spam engines and backdoors.

(2) There are quite large numbers of hacked websites, mostly Chinese, installing a considerable variety of payloads, some of which are viral. We're analysing them now.

All very interesting.

Roger

ANI last entry for Monday

We now have some more details about the payload of this exploit spam run. It downloads a 36k progam called 200.exe. When run, 200.exe writes itself back out as Winlogon.exe, and adds itself to HKCU... CurrentVersion\Run to ensure it gets into the execution cycle on reboot.

When it runs, it emails out to a hotmail account, presumably to announce that the victim has been 0wned, and then calls out to a different server on port 80 every five minutes, presumably looking for commands. In other words, it's a bot / backdoor. Oh, and it's a rootkit.

Cheers

Roger

The Russians are coming, the Russians are coming!

Ok, my tongue is firmly in my cheek with that title, but it has definitely happened. The new ANI is being used in an exploit package from a Russian website, along with SetSlice, VML, MS06-042, WinZip and QuickTime.

Our old friend Nick FitzGerald first noticed this in a big spam run, and alerted us to it, followed fairly quickly by the SpamHaus and WebSense guys.

This is actually the first time that we've seen WinZip and QuickTime used in conjunction with the SetSlice, VML and MS06-042, and together with the still-unpatched ANI exploit is bound to produce a lot of results for them.

Stay tuned and we'll let you know exactly what the payload is, although at a rough guess it's a keylogger. ;-)

Cheers

Roger

ANI Monday report #1

Hi folks,

It's about 5pm EST right now, and so far none of the major exploit hubs have picked up the ANI exploit. Of course, that could change any minute, and we'll continue to monitor closely, and will report any changes in status here.

The major changes for the day are that the number of Chinese sites with the exploit continues to grow, and there are new and improved Proofs of Concept in the usual places.

By the way, I had someone ask me privately if they were safe because they didn't visit Chinese sites, and of course, the answer is a resounding "No!", because while the _exploit_ servers are Chinese, the _Lure_ servers are nearly hacked and innocent, and can be _anywhere_.

Cheers

Roger

Sunday night, and all is quiet

Hi folks,

It's Sunday evening, and so far there have been just a few Russian sites that have picked up the ANI exploit... none of the majors yet. LinkScanner can detect all the released code so far. We'll continue to monitor developments.

Cheers

Roger