Thursday, August 30, 2007

Compromised bank website

Hi folks,

Props to our clever colleagues at Sunbelt for noticing this one.

It seems that the official website of the Bank of India has been compromised and is serving exploits. It's not clear when it was compromised, but the google cache seems to show that it was clean on the 29th August, and we saw it as dirty on the 30th August, so that narrows it down a little bit, timezones notwithstanding.

Please note that the bank did _not_ do this deliberately, and is as much a victim as anyone else. Undoubtedly it'll be cleaned up as soon as the bank's IT staff comes in to work, so here's a video to preserve it for posterity.

The vid's a bit rough at the moment, and some of the bits are currently unreadable, but we'll be editing it as we go, so clearer versions will soon be available, but it's still interesting.

UPDATE: It's been cleaned. Good job by the bank staff for the quick reaction.

Also, I've had a few questions off-list about whether LinkScanner Pro blocked it already, and the answer is yes... it was using standard Mpack/Icepack stuff. We blocked it fine. There was no new exploit. The interesting bit was that even a professional, commercial website can be a victim too.




Wednesday, August 29, 2007

Snoop Dog, Eagles, Beyonce ... is nothing sacred?

Apparently not.

The Storm botnet has switched from fake youtube vids to early previews of new music videos. Here's a sample pitch...

Snoop Dog filmed the most amazing new video.

See the version before MTV airs it. Click the link to play it:


Eagles just filmed their new video.

Get it before it comes out. Click the link to play it:

So, no, nothing is sacred, and there's still no such thing as a free lunch. If the deal looks to good to be true, it probably isn't true.

Btw, there are still no new exploits in the package, and LinkScanner detects it just fine. Keep safe, folks.




Tuesday, August 28, 2007

Poor Lindsay

She just gets out of the jail thing, and a website using her name turns out to be infective! To be accurate, there's no reason to believe that the website has anything to do with her, other than use her name, but it's infective, none-the-less. I guess it's showing up because people are searching for her a little more often, but I guess she can't catch a break.

By the way, I've been getting _lots_ of requests off-list for more Dangerous Searches, so here are a few from the last couple of days...

Hymn to Red October - Wrong choice gets you a fake codec
Portsmouth boat adjustment table - fake codec
Power Wrestling - wrong choice gets a WebAttacker/ MPack
traditional sparrow tattoos - gets a search engine hijack.




Saturday, August 25, 2007

Storm twist

Hi folks,

There has been a slightly interesting development with the massive storm botnet today, in that they are referencing a youtube video.

This is typical email text ...

"You can see your face right in the video. its all over the web dude. this is the link to it."

followed by what seems to be a youtube link.

At first we thought they'd done something cunningly bad to youtube, but it's just an email/ html trick. ALl they're doing is displaying an html link, which in fact takes you directly to a Storm node, which in turn tries to use a Q406 Rollup package to infect you.

What this all means is that LinkScanner sees thru all their subterfuge just fine, but lots of non-LinkScanner users will be tempted to view the youtube video (which are always safe, aren't they?)



Monday, August 13, 2007

Russian Attack Imminent

I'm kidding... I'm kidding!!! Despite the views of some of our esteemed competitors, we just can't see it. Are there lots of Russian sites launching exploits? Sure, but not that many more than usual. We think what people are seeing is a by-product of the combination of the increasing number of pre-packaged exploit sets like MPack and IcePack together with improvements in the ability of the Bad Guys to mass-infect webfarms.

In fact, we think everything is exceptionally quiet at the moment, which suits us all just fine. Let's hope it's not a calm before the storm kind of thing.




Wednesday, August 08, 2007


Ok .... now we really think we've seen one. Let us explain...

The original WebAttacker was a set of exploits sold as a package. The idea was to allow would-be evil WebMeisters to add drive-by downloads to their websites for whatever reason they might have. The original developers would release a new version every other month or so. As new exploits were discovered, the WA authors would add them to their package. All went well (for them) until about September 2006, when they tried to add one of the September 0-days, and their implementation was buggy. It just didn't work. The next couple of months saw them trying to add a couple more exploits-du-jour, and unforch, they didn't work either. Their user base abandoned them for other packages (which we now now to be MPack, IcePack and Neosploit) which _did_ work, and they lost their market share. WebAttacker went the way of any software package that doesn't work.

This weekend, however, it seems that they've re-surfaced. Our researchers have noticed URLs being spammed out, with exploit packages that look similar to Mpack/ Icepack but different, and very reminiscent of the original WebAttacker... exploit urls are reminiscent... launcher scripts are reminiscent, even to the point of determining if they are running on the archiac Windows 98 (but then doing nothing with that information). Nothing newer than ANI (MS07-017), but it doesn't include Winzip and Quicktime, which again makes it different from MPack/ Icepack.

It looks like they're ba-a-a-ack!