Well, there goes the Montana option

or at least the Idaho variant.

Hi folks,

One of our in-house jokes is that the only real way to be safe on the Internet is to sell all your computers and move to Montana.

Regretably, today we noticed that the innocent and bucolic sounding boise.com was showing up as carrying a link to a known exploit site.

Thinking it couldn't possibly be so, we went to look at the website thusly...



Looks innocent enough, but a view of the source reveals a chunk of escaped javascript ...



Aha! That looks suspicious.... And a look at our debug tool shows a call out to a gpack exploit site...



The web cams are actually pretty interesting, but we can't find any way to contact the site owner to tell him, so we thought we'd post it here.

Cheers

Roger

This might be the ultimate irony

Hi folks,

Today we found what might be the ultimate irony... a spyware product where the home page has been hacked, and is installing someone else's rootkit!

The product is one of those spy-on-your-spouse/kids/employees things that says it's stealthy (in other words, _it's_ supposed to be a rootkit itself), and the home page has a chunk of escaped javascript



that calls out to a Neosploit site that's installing a rootkit.




And it's the new Neosploit too.

We're trying to contact the site owner to tell them, but the "contact me" page crashes.



Oh well... we'll keep trying.

Cheers

Roger

GPack

Correction: Sorry folks... there's so much happening at the moment, I've merged a couple of kits in my mind. It's not a mix of vbscript and javascript. It's just javascript, and thus far, we've only seen one exploit come out of it ... a mouldy, old MS06-014, although we expect there are more than that. The rest of the write-up is reasonably accurate, and we'll continue to correct things as we find more.

Hi folks,

A new exploit framework, called Gpack, has been popping up on our radar for a while now. We couldn't find much information on it, so we thought we'd better write some.

The first interesting thing about it is that the external, obfuscated wrapping script is a mix of vbscript and javascript. In other words, some of it is interpretted by the vbscript engine, and then the result of that is used to interpret the javascript portion. The idea here is to make it hard to decrypt and hard for av engines to follow it. To some extent they're successful with this, as the un-obfuscated code is seriously ugly and hard to follow.

The second interesting point is that there is nothing new in it. They've gone to a lot of trouble to obfuscate some really old and common exploits.

The third interesting thing is the number of innocent websites that have been hacked by someone pointing back at this kit. There are lots and lots of them... mostly mom and pop shops, but _lots_. We haven't figured out what the common thread between them is so far, but there clearly is one, for so many to be hacked.

The fourth interesting thing is that while there is clearly more than one set of Bad Guys involved, most of them seem to being hosted by the same ISP, because the exploit IPs are similar.

By the way, the exploit set seems to be:

MDAC/ MS06-014
MDAC variant - MS06-042
QuickTime
SetSlice
WinZip
VML

These are very common, and we can assume the author simply lifted them from the public domain, and put most of his effort into the obfuscation.

Nothing new here folks, except that it's being quite widely adopted.

Cheers

Roger

New Exploit Targets Corporate Users of CA Apps

Update: We should note that CA has offered a patch for this vulnerability. What is not clear is how widely adopted that patch is.

Hi folks,

On about March 17, 2008, some folks, such as frsirt started talking about a vulnerability in dll/ ocx used in various CA products. See here http://www.frsirt.com/english/advisories/2008/0902 , for example.

Today we found it in the wild, in none other than a new NeoSploit framework.

This means several things...

Firstly, the Neo developers are _very_ active.

Secondly, the vulnerability is likely to be quite widespread, simply because of CA's size and spread within the corporate market.

Thirdly, the exploit will likely soon also be quite widespread, simply because it is Neo, and Neo is quite popular as an exploit package.

Fourthly, corporate clients should probably be pretty nervous, because their firewall is unlikely to protect them against this. Remember, web traffic is usually permitted to go right thru the firewall, because it _starts_ from a trusted place ... _inside_ the firewall.

Another contributing factor to corporate nervousness is that they rarely allow automatic patching. This is an example where they probably should.

The current list of exploits is therefore:-

Mdac/ MS06-014
SuperBuddy
CaListCtrl
NctAudio
GomWebCtrl
SetSlice
DaxCtle

In other words, they've added the CaListCtrl exploit, and dropped the Yahoo Jukebox and Microsoft xVoice exploits, presuambly because they were not productive.

Folks, this appears to be one for the corporates rather than consumers, but it highlights that the Bad Guys are still thinking hard and probing hard.

Natuarally, LinkScanner and AVG 8 users have little to fear, as we detect it and block it just fine (which is how we noticed it in the first place)

Cheers

Roger

Arthur C Clark dies, and Space.com gets hacked!

Can't you see the pattern emerging??

Seriously though, uplink.space.com (careful) has had an iframe injected into it, and it's reaching out to another seemingly hacked site (www.forvideo.at - careful),



and launching a encrypted javascript




that turns out to be a simple and venerable MS06-014 exploit.

It's not an exploit pack, so it's just a single exploit, and it's tracking IPs, so it'll only come once, but it's there.

And the exploit is only an MS06-014, but the point is that if the website is vulnerable enough to have a mouldie old exploit injected, it could have something much newer and fiercer. Space.com needs to fix their website, and we've sent them an email about it. Hopefully they will, because they get an awful lot of visitors each month.

Cheers

Roger

Something new tonight

Hi folks,

Tonight we found something new in an exploit pack coming from a site in China. Well, the exploit is actually from May 2007, but this is the first time we've seen it in use. This indicates two things... the first is that the Bad Guys are apparently combing older exploit announcements looking for appropriate samples. When you think about it, any exploit that allows remote code execution, and for which there is no forced or automatic upgrade of the vulnerable program is useful to them. Remember, they don't _want_ to catch everybody. They couldn't manage 100k victims. They don't want to cut down the apple tree, but rather just shake it, and pick up the fruit that falls off. What this means is that old exploits are still valuable when there is no automatic patch mechanism.

Btw, the exploit in question is a buffer overflow in something called Zenturi ProgramChecker, and is described nicely here ... http://www.kb.cert.org/vuls/id/603529.

The second interesting thing is that it is obviously Yet Another Exploit Pack. It has all the common ones that we've come to love and expect with Mpack/IcePack/Neosploit, and the obfuscation scheme is very similar to the one in use with Mpack/ IcePack, so this probably means that someone has bought or stolen a copy of Mpack/ IcePack, and has modified it with the addition of the Zenturi exploit, and is now selling it as their own work.

GASP... no, there's no honor among thieves, and Copyright means when you copy it, it'll be right, and all that stuff.

The full list of exploits is ...

Zenturi ProgramChecker
MDAC/MS06-014
VML/MS07-004
Yahoo Webcam Image Uploader
Yahoo Webcam Viewer
Winzip
QuickTime
and
MSXML/MS06-067

By the way, the exploit site is in China (no surprise there), but the lure site is in the USA, and is quite interesting. We might write about that tomorrow.

Cheers

Roger

Unfortunate hack at tax time

Hi folks,

We noticed a couple of Alabama county websites have been hacked, with a Neosploit call out to a website in Germany.

The two websites are...

hxxp://www.co.blount.al.us/ and
hxxp://www.blountrevenue.com/

(The actual exploit server in Germany seems to be 404 at the moment, but you should still be careful)

The second one is more interesting, particularly given the time of year. The front page looks like this ...



Looks pretty innocent, doesn't it? If you're good at html, and you make a point of looking at page source, you might notice something weird at the top of the page ...



but you probably won't, because no one looks at source much anyway. ;-)

If you have a Really Useful Tool (tm) like our Browser Helper Object, you'll probably notice that it's reaching out to a funny looking site ...



That's because the funny looking javascript s actually a Neosploit obfuscation that decrypts to a call to an attack script at 78.47.147.188. This site is currently 404, but it might come back to life at any time, so be careful.

We've told the very nice folks at the revenue website, so it should be cleaned up soon. It's just a particularly unfortunate website to be hacked at tax time.

Cheers

Roger

Something interesting

Hi folks,

hat-tip to Ståle Fagerland of Norman for noticing this article...

http://joongangdaily.joins.com/article/view.asp?aid=2886846

To save you _having_ to read it, the story is about a CEO of a Korean software company being arrested for foisting fake anti-spy software on unsuspecting victims. (entering sarcasm mode) Gosh, who`d have thought it? (leaving sarcasm mode) Apparently, not only would the software lie about detecting problems on the system, and try really hard to get victims to pony up a payment to register the software, sometimes it made the victims re-buy the software every month!

Now, arresting theses guys is not a bad idea in itself, but that`s not the most interesting aspect of the story. In fact,if the article is correct, there are two stunning revelations.

The first is that they made $10m doing this over two or three years!!! Another couple of years at that rate, and before you know it, you`re talking real money. No wonder we see so much of this stuff!

The second astonishing thing is that, according to the article, there are over 200 anti virus companies in Korea! If that is correct, that is simply amazing for an industry that`s 20 years old!

That would seem to indicate...

(1) that the US and European companies have not dominated and rationalized the market there, and
(2) none of the local companies have managed to dominate either.

It must also mean that there`s an awful lot of av guys not making much money, so it`s not entirely surprising that people are tempted to initiate frauds like this.

And if there are that many in Korea, how many must there be in China!?

Cheers

Roger