A transient hack

Hi folks,

A few days ago, we were looking at a website that was being blogged about (on Jan 21st) as being hacked, but when we looked (on Jan 21st) it was already clean. What we normally do in such cases is go to the google cache, and that usually gets us a copy of the exploit, but in this case, it was clean in the cache as well, so... what gives???

The google bots went past three days earlier, so we wondered if there was a different result from the other search engine caches, and lo and behold, the yahoo cache was still infective. :-)

Now, yahoo doesn't show the date that they went by, but a quick email exchange with the blog author confirmed that it was definitely infective on the 21st.

What this means is that it was clean on the 18th, but hacked after that, and then cleaned on the 21st.

Just for fun, we made this vid about it...



Keep safe folks

Roger

Pigs fly... oh, and another 0-day ... ho hum

Hi folks,

In a previous entry I suggested that we'd probably never know how the uc8010.com mass hack occurred unless one of the website victims told us, and that the chances of that were about the same as flying pigs. Guess what ... it turns out that some people do have the right combination of nerve, public spirit, and willingness to share about security matters... so... pigs _can_ fly, and now we know how it happened. I _did_ promise it was off the record, so we can't share it further, but at least we know. Bravo to that person!

And why ho-hum about a 0-day? It only affects users of a product called QVOD Player, which seems to be a popular Chinese media player, but which is probably only on Chinese user's machines.

The exploit code is coming from a Chinese website, so that makes sense, and it is obfuscated by flipping all the high-order bits in the javascript, to make it harder to read and notice.

Fortunately, this appears unlikely to be taken up by the gangs targeting Western PCs and the kit developers, so it's probably not going to be a major problem.

The real message, of course, is that the Bad Guys are still thinking.

Cheers

Roger

So this is kind of interesting...

Hi folks,

This domain uc8010(dot)com was registered just a few days ago (Dec 28), and yet, at one point Google showed script injections pointing to it were showing up on over 70k domains.

So the first point is that this was a pretty good mass-hack, and it wasn't just that they got into a server farm, as the victims were quite diverse, with presumably the only common point being whatever vulnerability they all shared.


The second point is that some victims were pretty sophisticated in terms of security smarts, including, apparently, some Computer Associates pages. The exploit must have been pretty new. I wonder if any of the website operators will have the nerve to own up and tell us how they got nailed? Pigs might fly too.

The third point is how fast the victims are being cleaned up. If you google for uc8010(dot)com, you still get about 50k hits, but if you are running something like LinkScanner (something that can check out each of those sites in real time by crawling to them), you will see that although the google snapshot still shows them infected, LinkScanner shows that the majority of them are already clean. (Btw, what this means is that the cached copy is probably still infective, so don't go testing it out yourself unless you know what you're doing)

The fourth interesting point is that the only exploit we were able to coax out of them was the venerable MS06-014 (MDAC) patched in September 2006. What this means is that they went to the trouble of preparing a good website exploit, and a good mass-hack, but then used a mouldy old client exploit. It's almost a dichotomy.

Stay safe folks!

Cheers

Roger
Chief Research Officer
AVG/ Grisoft

Neosploit January 2008

Hi folks,

Welcome to 2008. Let's hope it's a safer year than last.

Given that Neosploit seems to be gaining in popularity, and seems to be being modified fairly often, we thought it would be worthwhile to take a bit of a snapshot of it, for posterity's sake, if nothing else.

Here's what we're seeing in January 2008: (Props to Glenn Jordan of AVG/ Grisoft, and Nick FitzGerald for their Most Excellent help with decryption and analysis)

First there's a sort of pre-amble... typically there is a launcher script whose job it is to simply redirect to the exploit script. We say "simply" with our tongue firmly in our cheek because the launch scripts are typically encoded twice with Neosploit to make it hard for crawl-bots (but not a browser) to follow, and it appears that they might be encoded with the ip of victim, so that the exe is hard to get (except for a victim).

Then the exploit script itself is also double encoded, again with the Neo-algorithm, and contains the following exploits...

(1) first is the venerable MDAC (MS06-014). It's old, (worked up to Sep 2006), but it works like a charm if you're not patched.
(2) second is one of the many QuickTime exploits. It's not easy to determine which version it is, but it's probably one of last years.
(3) three is AOL's SuperBuddy, from April 2007
(4) is an NCTAudioFile2 overflow from January 2007
(5) is the GomWebCtrl from October 2007, and which has recently appeared in the Storm exploit pack as well (an idea that is Catching On (tm))
(6) is SetSlice, patched in October 2006 and
(7) is the ANI exploit from April 2007.

Interestingly the previously-popular WinZip exploit has been dropped.

The payload, or the exe that gets delivered, of course varies from website to website.

It will be interesting to see how long it takes to update it with the current RealPlayer exploit.

Keep safe folks!

Roger