Saturday, January 05, 2008

So this is kind of interesting...

Hi folks,

The domain uc8010(dot)com was registered just a few days ago (Dec 28), and yet at one point Google showed script injections pointing to it on over 70k domains.

So the first point is that this was a pretty good mass-hack, and it wasn't just that they got into a server farm, as the victims were quite diverse, with presumably the only common point being whatever vulnerability they all shared.


The second point is that some victims were pretty sophisticated in terms of security smarts, including, apparently, some Computer Associates pages. The exploit must have been pretty new. I wonder if any of the website operators will have the nerve to own up and tell us how they got nailed? Pigs might fly too.

The third point is how fast the victims are being cleaned up. If you google for uc8010(dot)com, you still get about 50k hits, but if you are running something like LinkScanner (something that can check out each of those sites in real time by crawling to them), you will see that although the Google snapshot still shows them infected, LinkScanner shows that the majority of them are already clean. (Btw, what this means is that the cached copy is probably still infective, so don't go testing it out yourself unless you know what you're doing.)

The fourth interesting point is that the only exploit we were able to coax out of them was the venerable MS06-014 (MDAC) patched in September 2006. What this means is that they went to the trouble of preparing a good website exploit, and a good mass-hack, but then used a mouldy old client exploit. It's almost a dichotomy.

Stay safe folks!

Cheers

Roger
Chief Research Officer
AVG/ Grisoft
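
The third point above separates a stale search-engine snapshot from the page as it is served now. As an added example (not code from the original post, and not how LinkScanner works), here is one way a site operator could check their own pages for a script reference to the domain named in the post. The function names and both sample pages are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

def refang(indicator):
    """Turn a defanged indicator such as 'uc8010(dot)com' back into a hostname."""
    return indicator.strip().lower().replace("(dot)", ".").replace("[.]", ".")

class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag, quoted or unquoted."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.sources += [v.strip() for k, v in attrs if k == "src" and v]

def host_of(src):
    """Hostname of an absolute or scheme-relative URL; '' for relative paths."""
    try:
        return (urlsplit(src).hostname or "").rstrip(".")
    except ValueError:  # malformed URL, e.g. unbalanced IPv6 brackets
        return ""

def injected_scripts(html, bad_domain):
    """Return script URLs whose host is bad_domain or one of its subdomains."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    collector.close()
    return [s for s in collector.sources
            if host_of(s) == bad_domain or host_of(s).endswith("." + bad_domain)]

def cleanup_status(cached_html, live_html, bad_domain):
    """Compare a search-engine snapshot with the page as served now."""
    was, now = (bool(injected_scripts(h, bad_domain)) for h in (cached_html, live_html))
    if now:
        return "still infected"
    return "cleaned since snapshot" if was else "no injection seen"

BAD = refang("uc8010(dot)com")  # domain as written in the post
# Constructed sample pages, not real captures; the /0/w.js path is from the comments.
CACHED = (f"<html><body><h1>News</h1><script src=http://c.{BAD}/0/w.js></script>"
          '<script src="/js/site.js"></script></body></html>')
LIVE = '<html><body><h1>News</h1><script src="/js/site.js"></script></body></html>'

if __name__ == "__main__":
    print(injected_scripts(CACHED, BAD))
    print(cleanup_status(CACHED, LIVE, BAD))
```

Matching on the parsed hostname rather than a substring keeps look-alike hosts such as a domain that merely ends in the same letters from being flagged.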

8 Comments:

At 1:30 PM, Blogger Trygg said...

Any idea if this is only a MSQL exploit? Nice informative blog by the way.

 
At 10:53 PM, Anonymous Schill said...

For what it's worth, looks like there's a ROT15(?)-encoded HTTP URL in the un-UPXed .exe payload (the latter found at c dot uc8010 dot com/0/w.js - the last "eval" tries to create a VB FSObject, download and run an .exe etc.)

Looks like exploits for Y! Messenger, IE TIFF overflow and RealPlayer are also in there. Yikes.

(I find this stuff interesting/disturbing, I'm a web developer/frontend engineer by trade.) Pardon any accidental dupe-posts, also. Not sure if this worked first time. ;)

 
At 7:02 AM, Anonymous srcasm said...

Roger,
There's a good chance that this hack was just to try out some new tricks and it got out of hand. The fact that they used such an old exploit means that they didn't think it would hit too many people -- otherwise they might have worked on something a bit newer or even possibly finding a new one themselves.

 
At 9:34 AM, Anonymous gotHacked said...

My site was one of those exploited. We had some bad code that took querystring parameters and dumped them straight into a SQL query. This was a vulnerability that me and my colleagues have been well aware of for some time. But, we simply missed one little obscure page that was left open.

 
At 1:17 PM, Anonymous robm said...

Hey "gothacked", can you post a bit of the querystring payload?

Also, this sounds similar to the November attack:
http://isc.sans.org/diary.html?storyid=3621

 
At 6:35 PM, OpenID stak said...

Any chance the hackers themselves were the ones doing the cleanup? Looking at it from their point of view, it would be desirable to be able to distribute an exploit via a website, and then remove all traces that it was distributed at all. For that to happen, they would have to undo the hack themselves after the exploit has been exposed to a sufficient number of users. Maybe they went with an old exploit as a dry run?

 
At 12:45 AM, Anonymous Anonymous said...

What about Mac browsers and operating systems? Any of these vulnerable? I'm not out to start a flame war! I need to know.

 
At 12:11 PM, Anonymous helpmeplz said...

So I believe that my computer was infected by this same virus. Problem is that it is a work computer. I work in wireless sales to government and school district entities across my state. As stated in the Computerworld article I read, this virus affected a lot of .gov and .edu sites. Because I did receive a virus on my work computer it was deemed that I went to inappropriate websites and am written up fairly harshly for the matter. Any way to confirm how my computer got infected or basically to prove my innocence?

 
