Sunday, September 30, 2007

Not just US .gov websites

Hi folks,

It's fairly well understood now that there are bunches of US .gov websites that are either directly hacked, or at least have compromised DNSs, but over the last few days, we have seen .gov for both the Philippines and Saudi Arabia exhibiting the same symptoms. I suspect the Kingdom would be very upset if they knew what they were hosting, or at least said to be hosting.

And at least one Syrian Embassy website is also hacked, with an invisible iframe link to an Esthost (Russian) exploit server. That server is currently not talking to anyone, but it can be brought online at any minute.

It's nice to know that website security is not limited to US gov.

Cheers

Roger

Wednesday, September 26, 2007

And another 0-day ITW

Hi folks,

Today we have found yet another 0-day ITW. ITW stands for In The Wild, and means that the exploit has been found alive on a website, and actually trying to install real malware, as opposed to ITZ. ITZ stands for In The Zoo, and refers to those exploits which are proofs of concept only, and which are not actually in use.

Anyway, today we found another one.

It's another ActiveX buffer overflow in a Chinese product called Baofeng Storm. NIST has a write-up here... http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4816.


We're not really sure what that is, because the website is in Chinese only, and that makes it a bit hard to read for those of us who only speak English. :-) The good news is that this probably means it is unlikely to be on too many computers outside China.

The bad news is that this seems to have only been announced in the middle of September, so it again shows that the Bad Guys are being really vigilant.

Naturally, we detect it anyway. :-)

Cheers

Roger


Sunday, September 23, 2007

0-day ITW... but relax

Hi folks,

Today we've found a 0-day ITW, but it's probably not going to affect too many people, so it's not a huge worry.

The issue is a buffer overflow in the PowerPlayer.dll ActiveX control in PPStream, CVE reference CVE-2007-4748. PPStream is a Chinese P2P video streaming application. As far as we know, there is no English version, but it probably won't affect too many people outside China.

It shows that the Bad Guys are still thinking and watching.

By the way, they teased us a bit because they also had an exploit named ms07-042, which would have been much more "interesting", but when we decrypted it, it turned out to just be another VML.

Cheers

Roger


Friday, September 21, 2007

Storm in September 07

Hi folks,

Just for grins we made a small vid of a mid-September 07 Storm lure. Their websites have evolved from simple text based "Click-here-to-view-your-ecard" type things to content rich, impressive websites with animated gifs.

There's nothing startling about it, but it's impressive for a pure lure.

Cheers

Roger


Friday, September 14, 2007

Ad vendor serving exploits thru Facebook

Hi folks,

Last night I was reading a friend's blog on FaceBook, and IE popped up a message saying that the webpage was trying to start RDS (Remote Data Services) services, and would I allow it. I clicked "No", and then thought "Hang on... it shouldn't have been starting RDS!" (It was late and I was a bit slow), so I opened up a goat machine, retraced my steps, and about a minute later.... blam... programs dropped and executed on my machine.

No rootkit, and no detection from any avs that I had access to, but after a reboot, I found that now, when I started IE and went to my home page, I got extra copies of the browser starting, and ads being served.

It's hard to sort out, but here's the critical sequence of connections ...

Facebook calls to bannerconnect:
208_67_70_3 Referer: http://ads.ak.facebook.com/ads [snip] ,Host: ad.bannerconnect.net

bannerconnect calls to yieldmanager:
208_67_70_3 Referer: http://ad.bannerconnect.net/st?ad_t [snip] ,Host: ad.yieldmanager.com
208_67_70_3 Referer: http://ad.bannerconnect.net/st?ad_t [snip] ,Host: ad.yieldmanager.com

yieldmanager calls to valuead:
69_63_219_104 Referer: http://ad.yieldmanager.com/iframe3? [snip] ,Host: reduxads.valuead.com
69_63_219_104 Referer: http://ad.yieldmanager.com/iframe3? [snip] ,Host: reduxads.valuead.com

valuead calls to megapromition, which throws an exploit (MS06-014), which runs an adware installer:
85_17_161_17 Referer: http://reduxads.valuead.com/test?pi [snip] ,Host: www.megapromition.net

After reboot, an Internet Explorer launch that should just show google looked like this ...
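As an added example (not code from the post), the following script rebuilds that ad-network hop chain from capture lines of the shape shown above, so an analyst can see which intermediaries sat between the page being read and the host that served the exploit. The sample lines reuse the hosts and Referer values quoted in the post; the line layout (IP, Referer, Host) is assumed to match the capture.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Sample lines in the shape of the capture quoted in the post (client IP with
# underscores, a Referer, and a Host). Host and Referer values are the ones the
# post shows; the exact line layout is an assumption about the capture format.
CAPTURE = """\
208_67_70_3 Referer: http://ads.ak.facebook.com/ads [snip] ,Host: ad.bannerconnect.net
208_67_70_3 Referer: http://ad.bannerconnect.net/st?ad_t [snip] ,Host: ad.yieldmanager.com
208_67_70_3 Referer: http://ad.bannerconnect.net/st?ad_t [snip] ,Host: ad.yieldmanager.com
69_63_219_104 Referer: http://ad.yieldmanager.com/iframe3? [snip] ,Host: reduxads.valuead.com
85_17_161_17 Referer: http://reduxads.valuead.com/test?pi [snip] ,Host: www.megapromition.net
"""

LINE_RE = re.compile(r"^(?P<ip>\S+) Referer: (?P<ref>\S+).*?,Host: (?P<host>\S+)\s*$")

def parse_edges(capture):
    """Return {referer_host: {requested_host, ...}}; duplicate lines collapse."""
    edges = defaultdict(set)
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not request records
        edges[urlparse(m.group("ref")).netloc].add(m.group("host"))
    return edges

def redirect_chain(capture, start):
    """Follow Referer -> Host hops from `start` until no further hop is recorded."""
    edges = parse_edges(capture)
    chain, cur = [start], start
    while cur in edges:
        nxt = sorted(edges[cur])[0]  # first hop alphabetically if several
        if nxt in chain:             # stop on a loop
            break
        chain.append(nxt)
        cur = nxt
    return chain

def upstream_of(capture, bad_host):
    """Hosts that led (directly or via intermediaries) to `bad_host`, nearest first."""
    parents = defaultdict(set)
    for ref, hosts in parse_edges(capture).items():
        for h in hosts:
            parents[h].add(ref)
    result, frontier = [], [bad_host]
    while frontier:
        cur = frontier.pop(0)
        for p in sorted(parents.get(cur, ())):
            if p not in result and p != bad_host:
                result.append(p)
                frontier.append(p)
    return result

if __name__ == "__main__":
    print(" -> ".join(redirect_chain(CAPTURE, "ads.ak.facebook.com")))
    print(upstream_of(CAPTURE, "www.megapromition.net"))
```

The upstream list is the set of ad vendors to notify, nearest to the exploit host first.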
It might well be an old exploit, but adware vendors shouldn't be doing it.

Cheers

Roger

Saturday, September 08, 2007

A new exploit this weekend

Hi folks,

It looks like there's a new version of IcePack, and it's pretty interesting. As well as the venerable but trusty MDAC and SetSlice exploits that we've come to love and expect, it also contains some new stuff.

The newest, and most interesting, is a buffer overflow in a DirectX dll. The vulnerability was announced in August 2007, and is documented here http://www.kb.cert.org/vuls/id/466601. As far as we have found, there is not yet a patch for it, which can make things .... interesting. The best mitigator is that the vulnerable DLL is probably not in standard XP or Vista, and therefore is probably not massively available as a target. The problem with that is that it's not clear what packages it _is_ included with, so if you're not running something like LinkScanner, there's an element of Russian Roulette here.

The next interesting thing is that it contains not one, but two yahoo IM exploits. One is a control stack buffer overflow for Yahoo! Widgets Plugin, also announced in August 2007, and the second is a Yahoo! Webcam exploit from June 2007.

Just to round things out it also contains...

VML - MS07-004
MDAC/RDS - MS06-014 (patched in April 2006, but this version works up until September 2006)
SetSlice
WinZip

oh, and a Firefox exploit that appears to be the venerable WMplayer exploit from a couple of years ago.

They tend to keep things that work, reasoning that they don't need to exploit every box on the internet ... just enough for them to make money, so the mix of old and new exploits is to be expected, but three new ones in one update is pretty impressive.

Cheers

Roger

Friday, September 07, 2007

Hacked .gov websites

Hi folks,

A couple of days ago, our SearchShield intelligence network noticed a bunch of .gov sites serving malware via drive-by downloaded exploits and social engineering. The front pages of the .gov sites are seemingly not hacked themselves, but they're hosting pages that serve it. We've identified about a dozen poisoned sites so far, though we expect there are many more related to this hack. The first dozen or so seem to be city governments such as lasalle, il and frenchsettlement-la.

The attacking pages seem to try one of three things. First they try an exploit to install their malware, and if that doesn't work, they try to trick you into installing a fake codec, and if that doesn't work, they run a fake antispy scan, and try to convince you that your machine is already compromised, but their software can fix it... just click the install button.

We've made a video about it, and it's at youtube here ...

with a hires .mov here...

These particular pages were detected with adult/XXX type queries, but many innocent searches also return the sites.

We'll add more details in this blog as we go.

Cheers

Roger


Saturday, September 01, 2007

Bank of India hack update

Hi folks,

This is a round-up of the latest news on the Bank Of India hack.

As of 10:15pm est on Saturday September 1st 2007, the bank website is still disabled, with a note saying it's undergoing maintenance, and asking for patience.

This is a good thing, because it means they're examining all their pages for intrusions, and with appropriate care they'll also correct the vulnerabilities that allowed the site to be hacked in the first place. This is an important step, because we see entirely too many sites that get hacked, then are cleaned, and then they get hacked again because the holes have not been plugged.

Now that the dust has cleared, it is apparent that the attacking servers fired at least two different exploit sets. One was a simple MS06-042, which was essentially cut and pasted from the original Milw0rm proof of concept. The second exploit set was an as yet unidentified exploit package, along the lines of mpack/icepack/webattacker.

It contained a vml exploit, probably MS07-004, another MS06-042, a WinZip, a QuickTime, and a SetSlice. This would be very similar to mpack/icepack except that it is missing an ANI (MS07-017), and it contains instead the VML.

The real difference, however, is that it had machine generated variable and function names. In other words, the server side script was generating the scripts in order to try to defeat scanners. For a variety of reasons that I won't go into here, this fails to defeat the scanners, especially LinkScanner, but it's an interesting step.
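As an added example (not code from the post or from LinkScanner), here is one simple heuristic a scanner can use to flag the machine-generated identifier names described above: hand-written JavaScript names tend to be pronounceable and vowel-rich, while generated ones are vowel-poor with mixed case and digits. Both snippets are constructed; the thresholds are assumptions to tune against real samples.

```python
import re

# Two constructed snippets: one written by hand, one with names in the style
# of server-side generated identifiers. Neither is taken from the hacked site.
HAND_WRITTEN_JS = """
function loadPlayer(url) { var frame = document.createElement('iframe'); frame.src = url; }
"""
GENERATED_JS = """
function qZx8vKpT(wR3mLq) { var hJ7kPzQw = document.createElement('iframe'); hJ7kPzQw.src = wR3mLq; }
"""

IDENT_RE = re.compile(r"\b[A-Za-z_$][A-Za-z0-9_$]*\b")
KEYWORDS = {"function", "var", "return", "new", "if", "else", "this"}

def looks_generated(name):
    """Heuristic: a longish name that is vowel-poor and either flips case
    repeatedly or mixes in digits. Thresholds are assumptions, not a standard;
    some hand-written names (e.g. acronym-heavy ones) will be false positives."""
    if len(name) < 6:
        return False
    vowel_ratio = sum(name.lower().count(v) for v in "aeiou") / len(name)
    letters = [c for c in name if c.isalpha()]
    case_flips = sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())
    has_digit = any(c.isdigit() for c in name)
    return vowel_ratio < 0.25 and (case_flips >= 2 or has_digit)

def generated_ratio(js):
    """Fraction of distinct non-keyword identifiers that look machine-generated."""
    names = [n for n in set(IDENT_RE.findall(js)) if n not in KEYWORDS]
    if not names:
        return 0.0
    return sum(looks_generated(n) for n in names) / len(names)

if __name__ == "__main__":
    for label, js in (("hand-written", HAND_WRITTEN_JS), ("generated", GENERATED_JS)):
        print(f"{label}: {generated_ratio(js):.2f} of identifiers look generated")
```

A high ratio is a signal to look closer, not a verdict; the script that actually runs still has to reach the same exploit code whatever the names are called.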

Btw, we now have an edited version of the video. Hires .mov can be found here and a youtube version here.

Cheers

Roger
