Monday, November 26, 2007

Innocent searches for Nov 26 2007

Hi folks,

Our friends at Sunbelt have blogged about a massive push of malware here ... http://sunbeltblog.blogspot.com/2007/11/breaking-massive-amounts-of-malware.html

We agree. This is the same stuff we talk about when we talk about innocent searches, mostly anyway, and it must be working because there's a huge push at the moment. Please bear in mind that we see this nearly every day, but here are today's innocent searches...

Please also bear in mind that most of these come on the first page of google results, so be careful... the wrong choice lands you in trouble.

"john cougar mellancamp scarecrow torrent" - exploit site/ rootkit
"Microsoft Access linked Outlook field names" - exploit site/ rootkit
"kings hyundai" - exploit site/ rootkit
"harbour fitness" - exploit site
"craigslist medford" - exploit site/ rootkit
"Vinegar draw silver" - exploit site/ rootkit
"hacking a samsung c417" - exploit site/ rootkit
"bose 701 wiring diagram" - exploit site/ rootkit
"Grove Haven" NC" - rootkit
"el camino real restaurant universal city texas" - exploit site/rootkit
"youtube snl robert deniro" - exploit site/ rootkit
"spray tanning pelham alabama" - exploit site/ rootkit
"ditripan" - exploit site/ rootkit
"kaye jewelers" - rootkit
"1997 dodge dakota" & "ignition switch" - exploit site / rootkit
"batteria acer travelmate 212tx" - exploit site/ rootkit
"rhyl credit union" - mdac exploit
"epson cx7000 driver download" - exploit site/ rootkit
"Baseball Gloves" - mdac exploit
"rival crock pot replacement parts" - exploit site/ rootkit
"1990 mazda protoge bluebook" - exploit site/ rootkit
"career fairs , new york" - exploit site/ rootkit
"sam's club torrance" - you guessed it
"oakland tn commercial lease" - and again
"somerville tn commercial lease" - and again
"texasworksource" - ditto
"automobile battery marietta ignition" - sigh

That's about half for today. The list goes on and on, but you get the idea.

Cheers

Roger


Wednesday, November 21, 2007

Innocent searches for Nov 21 2007

Hi folks,

Here are some of the Innocent Searches that might get you into trouble from just today. There are rather a lot of them...

AREA MEASUREMENT - wrong choice gets a link to a known exploit site
recipe for bine turkey - what's a bine turkey? anyway, wrong choice gets a rootkit
currency converter - rootkit
americanexpress/activate - rootkit
sixth avenue electronics - rootkit
deltashuttle - rootkit
blue licenses holding - rootkit
office depot links paper templates - rootkit
knitted or crocheted dachshund patterns - rootkit
fishing site - rootkit
avolon grand cancun,mexico - mdac exploit
demising - rootkit
radio blog club - mdac exploit
hp csn - rootkit
LEGO DUPLO Block-o-dile - rootkit
degrassi fan fiction - rootkit
ASA 5510 throttling - rootkit
durrants auctions - WebAttacker/MPack
cluck u chicken - link to known exploit site
define scupper - rootkit
nfl picks - link to known exploit site
gary senner myspace - trojan installer
laundromat franchises - link to known exploit site

Two interesting things... (1) most of the rootkits are being installed by social engineering tricks and (2) we're seeing about this many "Innocent searches" turning up malicious sites every day, which is a big increase from what we used to see.

Cheers

Roger


Monday, November 19, 2007

Big hack today

Hi folks,

It seems that company.monster.com suffered some sort of iframe injection attack today. Our SearchShield prevalence data has detected multiple brands affected, including Eddie Bauer, GMAC Mortgage, BestBuy, Toyota Financial and Tricounties Bank, as hacked and iframing out to an exploit server.

It was probably just today, as it wasn't showing up yesterday, and was not in any search engine cache that we could see.

Monster has already taken the pages offline. Yay, Monster.

We detect it as the Neosploit exploit package. It is fairly well encrypted, so it's not yet clear exactly what exploits are in use. We'll post more information as we figure that out.

It is also not clear how many pages were affected, but it is likely that the attack was the same for all companies on the website, which _might_ turn out to be a pretty good set of Fortune 500.

A couple of individual researchers noticed it at about the same time we did, but I'm not sure if they can be mentioned / want to be mentioned, so I'll reserve that for the moment.

Cheers

Roger


Sunday, November 18, 2007

Just for grins...

Hi folks,

Just for grins, I thought I'd list some more innocent searches from the last two of days...

"crash bandicoot warped iso" gets a rootkit via social engineering
"The Hartford" wrong choice gets a WebAttacker/ Mpack
"sock monkeys" wrong choice gets a link to a rootkitter
"chinese bamboo fountain" wrong choice gets a rootkit
"free dachshund sweater patterns online" wrong choice gets a rootkit ... whatever
"woodhaven cellars" - rootkit
"wwww.mapquest.com" - rootkit
"table legs" - rootkit
"car parts search toronto %22sun visor%22 honda" - rootkit
"michigan christmas walpaper" - rootkit
"cincinati model railroads" - rootkit
"1978 trans ams for sale" - rootkit
"workwear boots in lake street, minneapolis" - rootkit
"irish gifts annapolis" - rootkit
and last but not least
"TRAMPOLINE cakes" - rootkit.

Whatever!

Cheers

Roger


Hacked .gov websites _still_

Hi folks,

Over the last _three_ months, Alex Eckelberry has blogged multiple times about hacked .gov websites here

Two months ago, we blogged about it here, and made this video...

You'd think they'd be fixed by now, wouldn't you?

Some are, but alas, here is a list from the last two days. Please be careful if you decide to look. You should expect exploits and social engineering.

http://burbankil.gov/_themes/inf/0/2077.html
http://csm.ca.gov/bios/_vti_cnf/inf/0/2968.html
http://7.z.cityofplainville-ks.gov/7/586.html

Some are hosting the code, and some are hacked DNS. C'mon guys ... FIX them.

Cheers

Roger


Thursday, November 15, 2007

120mb of lures

Hi folks,

This is kind of interesting. Last night, our researchers found an infective, hacked site similar to the .gov that we documented here. By itself, that's really common, but the neat thing about this one was that it was all open and readable, and we were able to download all the lure files.

That turned out to be a stunning 1999 files, totaling 120mb of keywords. The idea is that the search bots find and index these pages, and after a week or two, they change the lure pages out to a simple redirect to a fake codec or an exploit site.

So, this is not earth shattering or anything, but it provides a useful insight into how the Bad Guys set their traps.

Cheers

Roger


Tuesday, November 13, 2007

Banner ads from major sites

Hi folks,

Ok, we all know that infective banner ads are not new, but this is more interesting than most because they're currently fairly common from both mlb.com and nhl.com.

These are really hard to track down, because they don't happen every time you visit a site ... it took us hours to get our first capture... but it was both interesting and instructive that when _we_ got a capture, one of our researchers on the other side of the world got one at about the same minute. Now, it was a different fake scanner, and a different path thru the ad network, but it was a startlingly similar style and almost the same time. We don't believe in coincidences.

Here's the chain for mlb.com ...

mlb.mlb.com/index.jsp calls to ad.doubleclick.net
ad.doubleclick.net calls to newbieadguide.com
newbieadguide.com calls to fixthemnow.com - this is where the code comes from
fixthemnow.com calls to bsa.safetydownload.com

and here's the chain from nhl.com ...

www.nhl.com calls to m1.2mdn.net
m1.2mdn.net with a parameter of ad.doubleclick.net calls to adtraff.com
adtraff.com calls to blessedads.com
adtraff.com calls also to prevedmarketing.com (which is the same ip as blessedads.com)
one of those two does a 302 (temporary redirect) to scanner2.malware-scan.com, which does the fake scan.

Full URLs are available to appropriate interested parties.
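As an added example (not code from the original post), here is a small Python reconstruction of such a chain from proxy-style request records, so a defender can see every hop and which hosts fall outside the site and its known ad networks. The records are constructed to mirror the nhl.com chain above; which of the two ad hosts issued the 302 is an assumption made for the sample.

```python
from urllib.parse import urlparse

# Constructed records modelled on the nhl.com chain in the post:
# (requesting page, requested URL, HTTP status, Location header or None).
# Paths and the choice of prevedmarketing.com as the 302 source are made up.
SAMPLE_RECORDS = [
    ("http://www.nhl.com/", "http://m1.2mdn.net/ad.js", 200, None),
    ("http://m1.2mdn.net/ad.js", "http://adtraff.com/serve?x=1", 200, None),
    ("http://adtraff.com/serve?x=1", "http://blessedads.com/show", 200, None),
    ("http://adtraff.com/serve?x=1", "http://prevedmarketing.com/go", 302,
     "http://scanner2.malware-scan.com/scan.php"),
]

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def build_chains(records, start):
    """Follow referer edges and 3xx Location headers from `start`;
    return every request chain as a list of URLs (cycles are cut)."""
    by_referer = {}
    for ref, url, status, loc in records:
        by_referer.setdefault(ref, []).append((url, status, loc))
    chains = []

    def walk(url, path):
        nexts = by_referer.get(url, [])
        if not nexts:
            chains.append(path)          # leaf: this is where the chain lands
            return
        for child, status, loc in nexts:
            if child in path:
                continue                 # cycle guard
            hop = path + [child]
            if 300 <= status < 400 and loc and loc not in hop:
                hop.append(loc)          # the redirect target is the next hop
            walk(hop[-1], hop)

    walk(start, [start])
    return chains

def untrusted_hops(chain, trusted):
    """Hosts in the chain that are neither the site nor a known ad partner."""
    def ok(h):
        return any(h == d or h.endswith("." + d) for d in trusted)
    return [host_of(u) for u in chain if not ok(host_of(u))]

if __name__ == "__main__":
    trusted = {"nhl.com", "2mdn.net", "doubleclick.net"}
    for chain in build_chains(SAMPLE_RECORDS, "http://www.nhl.com/"):
        print(" -> ".join(host_of(u) for u in chain),
              "| untrusted:", untrusted_hops(chain, trusted))
```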

Here's a vid for anyone who'd like to watch it in action...



Cheers

Roger


Friday, November 09, 2007

whoops - sorry Chris

Hi folks,

Evidently I owe Chris Boyd an apology.

Here's what happened. About a week ago, our prevalence network, independently of any other input, detected the Alicia Keys MySpace hack, because of the link to the fake codec, and we started trying to make a video about it.

I recalled Alex Eckelberry making a post about a couple of different MySpace hacks over the last week or so, and in fact credited them as we made the video. When I checked with Alex to find a blog to link to, he told me it was Chris and not his guys. It was too late to change the vid, but I intended to mention it in the blog, and simply forgot.

To be fair to Chris, he was first, although when I looked at the link Alex gave me, it mentioned the Passarounders, and when I found Alex's original message, it mentioned a band called greementsoffortune ... not Alicia Keys, which was much bigger news to me. It was the same Bad Guys, but, truly, _we found it independently_.

So Chris... I apologize ... I didn't steal any of your work, and didn't mean to steal your thunder.

Everyone knows you do good work, and I clearly owe you at least one beer sometime.

Cheers

Roger

Thursday, November 08, 2007

Ok, now this is pretty funny...

Hi folks,

So as we reported, Alicia Keys' MySpace page was hacked, with a background image linking out to co8vd.cn. Within a couple of hours of releasing our blog and vid, MySpace had fixed the page... Yay MySpace!!! (The page had been hacked for at least three or four days earlier, because that's when we first noticed it... and someone just reminded me that PaperGhost over at http://www.vitalsecurity.org/2007/11/myspace-band-hacks-continue_05.html had separately noticed it for some other bands at a similar or even earlier time.) But here's the funny bit.

It looks like it's hacked again!!!

The original hack was an href image reference to co8vd.cn/s/ and while that's now out of the html, there's now an href image reference to acilot.cn/s/ .... see any similarities there??? :-)

Now, to be fair, acilot.cn is currently 404, but it _might_ still be coming online, and it sure looks suspicious.

Hacked... clean for a couple of hours... hacked again... pretty funny.

Cheers

Roger


Alicia Keys MySpace page is hacked

Hi folks,

Attacks on MySpace seem to be on the rise. First, at the end of October, there were a number of links added as friend-comments that went via MySpace's open redirector (MSPlinks) to exploit sites in China. This was reported publicly on the FunSec mailing list. (All MySpace friend-comments _seem_ to automatically redirect thru MSPlinks, probably as a way to try to filter out spam and phishing, but a downside is that the URL is base64 encoded, and is thus impossible for a human being to eyeball and therefore possibly reject ... the effect of the well-intentioned MSPlinks is thus to make an open redirector.)
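The base64 wrapping is the part a reader can undo before clicking. As an added example (not the post's or MySpace's code), this Python helper decodes a redirector-style link back to a readable destination and checks whether it leaves a trusted domain; the exact MSPlinks layout is not given in the post, so the assumed format (destination URL base64-encoded in the path, possibly behind a short prefix) and the host name are assumptions for this example.

```python
import base64
import re
from typing import Optional
from urllib.parse import urlparse, unquote

# Assumption: the redirector carries the destination, base64-encoded, as the
# URL path, e.g. http://www.msplinks.com/<base64>; decoded bytes may start
# with a short prefix, so the first http(s) URL inside them is taken.
REDIRECTOR_HOST = "www.msplinks.com"          # assumed host for this example
URL_RE = re.compile(rb"https?://[^\s\"'<>]+")

def reveal_redirect(link: str) -> Optional[str]:
    """Return the destination hidden in a redirector link, or None if the
    link is not a redirector or carries no decodable URL."""
    parts = urlparse(link)
    if parts.netloc.lower() != REDIRECTOR_HOST:
        return None
    token = unquote(parts.path.strip("/"))
    token += "=" * (-len(token) % 4)          # restore stripped padding
    decode = base64.urlsafe_b64decode if ("-" in token or "_" in token) \
        else base64.b64decode
    try:
        raw = decode(token)
    except ValueError:                        # binascii.Error is a ValueError
        return None
    m = URL_RE.search(raw)
    return m.group(0).decode("ascii", "replace") if m else None

def is_offsite(destination: str, trusted_domains) -> bool:
    """True when the destination host is not one of the trusted domains."""
    host = (urlparse(destination).hostname or "").lower()
    return not any(host == d or host.endswith("." + d) for d in trusted_domains)

def make_sample_link(destination: str) -> str:
    """Constructed sample: build a redirector link the way the assumed
    format would, with a made-up two-character prefix before the URL."""
    payload = base64.b64encode(("01" + destination).encode()).decode()
    return f"http://{REDIRECTOR_HOST}/{payload}"

if __name__ == "__main__":
    link = make_sample_link("http://co8vd.cn/s/")    # exploit host from the post
    dest = reveal_redirect(link)
    print(link, "->", dest, "| offsite:", is_offsite(dest, {"myspace.com"}))
```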

Now, we keep finding MySpace pages that have had some sort of image-background link injected, that are reaching out to a different site in China that is both throwing exploits and using social engineering to install rootkits and (probably) dns-changers.

The interesting thing about this is that rather than using an iframe for an automatic embed, as they usually do, they've added some sort of image background href, with a large size ... 8000 by 1000 pixels, with the effect that a click that slightly *misses* a control or link on the page, ends up going to the exploit site.

The fact that this site is media-rich, with lots of sound and videos means that the FakeCodec trick will be much more effective. The click-er is probably expecting to see a vid, or hear a song, and is quite likely to think he genuinely needs to install something extra.

This could easily be the same group that recently started watching for Mac users, and offering a Mac trojan as needed, and if that's so, will also add to the effectiveness of the attack.

What's not clear at this point is how they're doing it, and how widespread it is. Neither google nor myspace seems to be indexing the critical bit of html. If you search for the exploit site (co8vd.cn), the only results seem to be victims, or people talking about victims.

I guess we'll have to wait for MySpace to tell us what happened.

Here's a vid that shows a bit more...



Cheers

Roger


Wednesday, November 07, 2007

and the _other_ shoe drops

Hi folks,

There are two important things happening at the moment, and one shoe dropping. One is that we have the feeling that the Bad Guys are re-grouping... moving countries, and reorganizing.

The second is that the pre-packaged exploits like MPack and Icepack have largely disappeared...replaced by social engineering tricks which are being used _extensively_.

The other shoe that's dropped is that the Storm boyz have been relatively quiet for a while, which is never a good sign. Our respected colleague, Nick FitzGerald pointed out tonight that they've added two new exploits to their exploit package. One seems to be for AOL's SuperBuddy, and the other is the NCTAudioFile2 dll, used with lots of widely adopted packages, such as Movavi. CERT has a nice write-up here ... http://www.kb.cert.org/vuls/id/292713.

Now, we have to stress that neither of these is 0-day... SuperBuddy seems to be from March 2007, and NCTAudioFile2 seems to be from January, but these dlls are probably not part of a systematic upgrade, so there are likely to be enough unpatched systems around to make it worth their while. And it may not even be new for Storm, but we've only just noticed, so there's a good chance it is new for them. They keep using the same encryption/obfuscation routines, so it looks enough like Storm that we've been detecting it anyway.

Anyway, I certainly feel that this is the _other_ shoe dropping for Storm, and explains why they've been quiet for a while.

Cheers

Roger
