Exploit Prevention Labs

New blog

2008-09-01T06:45:00.000-07:00

Hi folks,

please visit and bookmark my new blog at http://thompson.blog.avg.com/

Cheers

Roger

Riddle us this, Batman

2008-05-27T11:59:00.000-07:00

Hi folks,

Normally, we provide answers here, but today we have a question.

If you whois xpantivirus2008.com, it shows that the registrar is ESTDOMAINS (the actual owner is hidden, as usual).

If you look up the IP address of xpantivirus2008.com, it shows as 72.14.207.99.

If you whois 72.14.207.99, _that_ shows as GOOGLE!

The question is .... why? All we can think of is that they have a sense of humor.

Cheers

Roger

Here's a whoopsie to start the day

2008-05-16T04:44:00.000-07:00

Hi folks,

One of the rolling headlines on AOL.com this morning is this ...

"Disgraced 'Oprah' Author Is Back",

and if you click on the link, you're taken to this page...

Attentive readers of this blog will immediately recognize that as being a probable fake codec, but not everyone is an attentive reader of this blog, and if you click the link, you're rewarded with this screen...

Folks, the rule is this ... if ever you have to install a codec to watch a vid, DON'T!!!. It's just not worth the risk. Btw, these guys frequently target MAC users too. It's increasingly common for them to look at your OS platform and offer up a MAC binary instead of Windows.

Btw, I know that AOL takes security seriously, so if they can get caught, anyone can get caught with this trick.

And shout-outs to Bruce for noticing this one.

Keep safe folks!

Roger

Well, there goes the Montana option

2008-03-31T12:32:00.000-07:00

or at least the Idaho variant.

Hi folks,

One of our in-house jokes is that the only real way to be safe on the Internet is to sell all your computers and move to Montana.

Regretably, today we noticed that the innocent and bucolic sounding boise.com was showing up as carrying a link to a known exploit site.

Thinking it couldn't possibly be so, we went to look at the website thusly...

Looks innocent enough, but a view of the source reveals a chunk of escaped javascript ...

Aha! That looks suspicious.... And a look at our debug tool shows a call out to a gpack exploit site...

The web cams are actually pretty interesting, but we can't find any way to contact the site owner to tell him, so we thought we'd post it here.

Cheers

Roger

This might be the ultimate irony

2008-03-30T18:30:00.000-07:00

Hi folks,

Today we found what might be the ultimate irony... a spyware product where the home page has been hacked, and is installing someone else's rootkit!

The product is one of those spy-on-your-spouse/kids/employees things that says it's stealthy (in other words, _it's_ supposed to be a rootkit itself), and the home page has a chunk of escaped javascript

that calls out to a Neosploit site that's installing a rootkit.

And it's the new Neosploit too.

We're trying to contact the site owner to tell them, but the "contact me" page crashes.

Oh well... we'll keep trying.

Cheers

Roger

GPack

2008-03-28T15:25:00.000-07:00

Correction: Sorry folks... there's so much happening at the moment, I've merged a couple of kits in my mind. It's not a mix of vbscript and javascript. It's just javascript, and thus far, we've only seen one exploit come out of it ... a mouldy, old MS06-014, although we expect there are more than that. The rest of the write-up is reasonably accurate, and we'll continue to correct things as we find more.

Hi folks,

A new exploit framework, called Gpack, has been popping up on our radar for a while now. We couldn't find much information on it, so we thought we'd better write some.

The first interesting thing about it is that the external, obfuscated wrapping script is a mix of vbscript and javascript. In other words, some of it is interpretted by the vbscript engine, and then the result of that is used to interpret the javascript portion. The idea here is to make it hard to decrypt and hard for av engines to follow it. To some extent they're successful with this, as the un-obfuscated code is seriously ugly and hard to follow.

The second interesting point is that there is nothing new in it. They've gone to a lot of trouble to obfuscate some really old and common exploits.

The third interesting thing is the number of innocent websites that have been hacked by someone pointing back at this kit. There are lots and lots of them... mostly mom and pop shops, but _lots_. We haven't figured out what the common thread between them is so far, but there clearly is one, for so many to be hacked.

The fourth interesting thing is that while there is clearly more than one set of Bad Guys involved, most of them seem to being hosted by the same ISP, because the exploit IPs are similar.

By the way, the exploit set seems to be:

MDAC/ MS06-014
MDAC variant - MS06-042
QuickTime
SetSlice
WinZip
VML

These are very common, and we can assume the author simply lifted them from the public domain, and put most of his effort into the obfuscation.

Nothing new here folks, except that it's being quite widely adopted.

Cheers

Roger

New Exploit Targets Corporate Users of CA Apps

2008-03-28T09:59:00.000-07:00

Update: We should note that CA has offered a patch for this vulnerability. What is not clear is how widely adopted that patch is.

Hi folks,

On about March 17, 2008, some folks, such as frsirt started talking about a vulnerability in dll/ ocx used in various CA products. See here http://www.frsirt.com/english/advisories/2008/0902 , for example.

Today we found it in the wild, in none other than a new NeoSploit framework.

This means several things...

Firstly, the Neo developers are _very_ active.

Secondly, the vulnerability is likely to be quite widespread, simply because of CA's size and spread within the corporate market.

Thirdly, the exploit will likely soon also be quite widespread, simply because it is Neo, and Neo is quite popular as an exploit package.

Fourthly, corporate clients should probably be pretty nervous, because their firewall is unlikely to protect them against this. Remember, web traffic is usually permitted to go right thru the firewall, because it _starts_ from a trusted place ... _inside_ the firewall.

Another contributing factor to corporate nervousness is that they rarely allow automatic patching. This is an example where they probably should.

The current list of exploits is therefore:-

Mdac/ MS06-014
SuperBuddy
CaListCtrl
NctAudio
GomWebCtrl
SetSlice
DaxCtle

In other words, they've added the CaListCtrl exploit, and dropped the Yahoo Jukebox and Microsoft xVoice exploits, presuambly because they were not productive.

Folks, this appears to be one for the corporates rather than consumers, but it highlights that the Bad Guys are still thinking hard and probing hard.

Natuarally, LinkScanner and AVG 8 users have little to fear, as we detect it and block it just fine (which is how we noticed it in the first place)

Cheers

Roger

Arthur C Clark dies, and Space.com gets hacked!

2008-03-23T18:24:00.000-07:00

Can't you see the pattern emerging??

Seriously though, uplink.space.com (careful) has had an iframe injected into it, and it's reaching out to another seemingly hacked site (www.forvideo.at - careful),

and launching a encrypted javascript

that turns out to be a simple and venerable MS06-014 exploit.

It's not an exploit pack, so it's just a single exploit, and it's tracking IPs, so it'll only come once, but it's there.

And the exploit is only an MS06-014, but the point is that if the website is vulnerable enough to have a mouldie old exploit injected, it could have something much newer and fiercer. Space.com needs to fix their website, and we've sent them an email about it. Hopefully they will, because they get an awful lot of visitors each month.

Cheers

Roger

Something new tonight

2008-03-20T17:17:00.000-07:00

Hi folks,

Tonight we found something new in an exploit pack coming from a site in China. Well, the exploit is actually from May 2007, but this is the first time we've seen it in use. This indicates two things... the first is that the Bad Guys are apparently combing older exploit announcements looking for appropriate samples. When you think about it, any exploit that allows remote code execution, and for which there is no forced or automatic upgrade of the vulnerable program is useful to them. Remember, they don't _want_ to catch everybody. They couldn't manage 100k victims. They don't want to cut down the apple tree, but rather just shake it, and pick up the fruit that falls off. What this means is that old exploits are still valuable when there is no automatic patch mechanism.

Btw, the exploit in question is a buffer overflow in something called Zenturi ProgramChecker, and is described nicely here ... http://www.kb.cert.org/vuls/id/603529.

The second interesting thing is that it is obviously Yet Another Exploit Pack. It has all the common ones that we've come to love and expect with Mpack/IcePack/Neosploit, and the obfuscation scheme is very similar to the one in use with Mpack/ IcePack, so this probably means that someone has bought or stolen a copy of Mpack/ IcePack, and has modified it with the addition of the Zenturi exploit, and is now selling it as their own work.

GASP... no, there's no honor among thieves, and Copyright means when you copy it, it'll be right, and all that stuff.

The full list of exploits is ...

Zenturi ProgramChecker
MDAC/MS06-014
VML/MS07-004
Yahoo Webcam Image Uploader
Yahoo Webcam Viewer
Winzip
QuickTime
and
MSXML/MS06-067

By the way, the exploit site is in China (no surprise there), but the lure site is in the USA, and is quite interesting. We might write about that tomorrow.

Cheers

Roger

Unfortunate hack at tax time

2008-03-13T13:50:00.000-07:00

Hi folks,

We noticed a couple of Alabama county websites have been hacked, with a Neosploit call out to a website in Germany.

The two websites are...

hxxp://www.co.blount.al.us/ and
hxxp://www.blountrevenue.com/

(The actual exploit server in Germany seems to be 404 at the moment, but you should still be careful)

The second one is more interesting, particularly given the time of year. The front page looks like this ...

Looks pretty innocent, doesn't it? If you're good at html, and you make a point of looking at page source, you might notice something weird at the top of the page ...

but you probably won't, because no one looks at source much anyway. ;-)

If you have a Really Useful Tool (tm) like our Browser Helper Object, you'll probably notice that it's reaching out to a funny looking site ...

That's because the funny looking javascript s actually a Neosploit obfuscation that decrypts to a call to an attack script at 78.47.147.188. This site is currently 404, but it might come back to life at any time, so be careful.

We've told the very nice folks at the revenue website, so it should be cleaned up soon. It's just a particularly unfortunate website to be hacked at tax time.

Cheers

Roger

Something interesting

2008-03-02T11:20:00.000-08:00

Hi folks,

hat-tip to Ståle Fagerland of Norman for noticing this article...

http://joongangdaily.joins.com/article/view.asp?aid=2886846

To save you _having_ to read it, the story is about a CEO of a Korean software company being arrested for foisting fake anti-spy software on unsuspecting victims. (entering sarcasm mode) Gosh, who`d have thought it? (leaving sarcasm mode) Apparently, not only would the software lie about detecting problems on the system, and try really hard to get victims to pony up a payment to register the software, sometimes it made the victims re-buy the software every month!

Now, arresting theses guys is not a bad idea in itself, but that`s not the most interesting aspect of the story. In fact,if the article is correct, there are two stunning revelations.

The first is that they made $10m doing this over two or three years!!! Another couple of years at that rate, and before you know it, you`re talking real money. No wonder we see so much of this stuff!

The second astonishing thing is that, according to the article, there are over 200 anti virus companies in Korea! If that is correct, that is simply amazing for an industry that`s 20 years old!

That would seem to indicate...

(1) that the US and European companies have not dominated and rationalized the market there, and
(2) none of the local companies have managed to dominate either.

It must also mean that there`s an awful lot of av guys not making much money, so it`s not entirely surprising that people are tempted to initiate frauds like this.

And if there are that many in Korea, how many must there be in China!?

Cheers

Roger

google defames saints ... bolts of lightning fall

2008-02-25T14:09:00.000-08:00

I'm kidding, I'm kidding!!!!!!!

Update number 2: Feb 26, 2008, 6:30am est

Dang, that was quick. Some of the sites, such as St Kilda, and the Geelong Cats sites, are now correctly marked as clean. They're not all correct though ... the Brisbane Lions site is still incorrectly marked as dangerous, for example, but that was still quick for the others, and we hope that all will shortly be corrected. Shout-outs to google for reacting quickly!

Update number 1:

Some of our team in the Australian office noticed that it wasn't just the Saints, but also the Victorian based clubs of North Melbourne Kangaroos, Carlton Blues, Geelong Cats, Hawthorn Hawks, Melbourne Demons and Richmond Tigers, plus Port Adelaide Power (South Australia), Sydney Swans (New South Wales) and Brisbane Lions (Queensland) all being blocked by Google the same way. Shout-outs to the guys down-unda!

-----------------------------------------------------------------

Hi folks,

What I'm really talking about is that if you search for "saints football club", the number 3 organic search result is the famous (to Australians) St Kilda Football club. The "defamation" bit is that google has one of its "This site may harm your computer" messages against it.

(If you look at the screen snapshot, you'll notice that LinkScanner assesses the site to be clean... the correct result)

This means that it is not possible for anyone to click thru a google search and get to the St Kilda website... you have to deliberately cut and paste the url back into your browser bar.

The reason that they're doing it is that, probably, at some point the website was hacked, and was infecting people, but ....GOOGLE-GUYS!!! IT'S CLEAN NOW!!! TAKE THE BLOCK OFF, PLEASE!!! (I feel like saying "Mr Google! Tear down this wall!", but I wouldn't be so bold.)

What this really underscores is the concept that a centralized database is useless at detecting web issues... the problem is simply too transient.

This happens quite a bit, and I must admit that I'm surprised that no one has accused google of damaging their brand. I'm sure regular readers of my blog will remember the case of k1-usa.net. They used to be the number one organic result when people searched for k1. They were hacked for about 10 days, and then cleaned, but in the mean time, they had earned the "This site maye harm your computer label", and over the next 12 months, before the label was removed, their rating slipped, and slipped, until finally it was nowhere on the first three pages.

I can't imagine St Kilda taking it lying down if their ratings start to slip, and I can't imagine google meaning that to happen. It just shows how difficult it is to keep up.

Cheers

Roger

Another gov site hacked

2008-02-22T08:24:00.000-08:00

Hi folks,

Who can see what's wrong with this picture?

Looks pretty reasonable, doesn't it? Here's what you see if you have a suitable monitoring tool...

Enquiring Minds will wonder why a county government site is reaching out to pepato.org.

And here's what you see on a vulnerable pc, _if_ you're running another suitable monitoring tool...

And here's the offending code in the page source ...

Yes, it's hacked. Bit hard to tell without some tools, though, eh? We've told the county, so we expect it'll get cleaned up very quickly, but be careful in the mean time.

Cheers

Roger

This is kind of funny

2008-02-21T19:55:00.000-08:00

Hi folks,

We've been following up on the new Neosploit that we reported last night. This was actually a pretty high-profile site, so we wanted to notify them. We couldn't find a contact point on the hacked domain, but we found another subdomain that had an online support chat option, and we gave it a try. The conversation was sufficiently funny that we grabbed a screen capture (anonymized to protect the innocent). You might have to double-click it to read it, but it's worthwhile...

:-)

Fwiw, we eventually found someone who understood, and we got it cleaned up.

Cheers

Roger

New Neo Now

2008-02-20T08:46:00.000-08:00

(Sorry... the alliteration bug bit me)

Hi folks,

Last night, as the title suggests, we found a new version of Neosploit. It has two new exploits, one uses a clsid of EEE78591-FE22-11D0-8BEF-0060081841DE, which appears to be the ActiveVoice ActiveX dll from Microsoft, and the other clsid is 5F810AFC-BB5F-4416-BE63-E01DD117BD6C, which is the Music Jukebox control from Yahoo.

The most recent ActiveVoice exploit seems to be from about June 2007, but the most recent JukeBox exploit is from Feb 2008, so that's kind of interesting.

We'll try to figure out over the next couple of days if these are the ones that indeed match up, but the bottom line is that the Neosploit developers are very active.

Cheers

Roger

Wow... this was quick

2008-02-16T19:30:00.000-08:00

Hi folks,

I'm sure most people know about the horrific attack on the poor NYC psych. In the news tonight, we noticed that the police had arrested someone named David Tarloff for allegedly being the perp. With the web being what it is, we often find that if you look quickly, you can find personal pages about these people, often before the police get them taken down. Ok, it's a little morbid, but it's interesting at the same time.

So, when we googled for David Tarloff, here was the result...

Hmmm... an AOL journal account... that sounds plausible for a personal page... click...

Yep ... still looks plausible ... let's click the name ... click...

WAAAAIT A MINUTE!!!!! That ain't no Hank William's song! (Pop culture reference to Bob, of Bob's Country Bunker in the Blues Brothers, where Bob suddenly realizes that that the boys aren't really a country and western band, and that he's been had.)

Attentive readers will instantly notice that this is a Fake Codec, and will close the browser. Non-attentive readers will attempt to install the codec, and will be rewarded with a rootkit.

But how quick was that? We only noticed that the guy had been arrested and named today, and yet they not only managed to get their lure in place on AOL, but they also managed to get their site the Number One organic result on Google if you search for David Tarloff! And on the weekend at that! These boys are on the ball. We're grudgingly impressed.

Be careful folks, it's a tricky world out there.

Cheers

Roger

MalwareAlarm

2008-02-07T14:35:00.000-08:00

Hi folks,

MalwareAlarm is so common now, we decided to give it it's own vid. Remember, it's not really scanning your pc, it's just pretending to, but it does a very good job of pretending. Enjoy...

Cheers

Roger

UK .gov site hacked

2008-02-06T05:39:00.000-08:00

Note: One of our users, John Thomson (no relation as far as I know :-) ) noticed this first and brought it to our attention. His blog entry is here ...
http://www.roundtripsolutions.com/blog/2008/02/06/317/forth-road-bridge-website-hacked/

Sorry John! :-)

Hi folks,

Sometime between the 1st Feb 2008, and the 3rd of Feb 2008, the official website for the Forth Estuary Transport Authority was hacked an obfuscated iframe, using Neosploit encoding, was injected.

This decoded to an iframe that called to 88.255.90.130 (careful about going there, folks)...

This, in turn, loaded one of the current Neosploit exploit package (we have a full write-up on Neo a little further down this blog). If you're patched, or running LinkScanner, you're ok, but if not, you probably got a rootkit, so if you visited that website in the last couple of days, you might like to run an anti-root and an anti virus over your system. AVG has a free one here ... http://free.grisoft.com .

One of the most interesting aspects of this is that inside the full Neosploit download was an attempt to load bbc.com.uk , presuamably after the infection, presumably to hide what had happened a little bit. That's no big deal in itself, but a hacked uk gov website, pointing to the bbc afterwards makes us think it was not a random hack, but something more deliberate. Interesting times, folks.

Looks like they cleaned the site this morning, although the google cache is still infective, so be careful.

Cheers

Roger

Return of Innocent Searches

2008-02-02T14:11:00.000-08:00

Hi folks,

I keep getting requests offline for more innocent searches, so here are some from the last couple of days. Enjoy...

coal furnace with gas insert - fake codec
road trip - neosploit
pearl shop - neosploit
high capacity battery pack - fake codec/ rootkit
eyelashes + adhesive - fake codec
camping turon gate - fake codec
greenville gremlins - fake codec
blueberry jam - mpack/ icepack
school closings in illinois parents - search engine hijack
las vegas wedding photographers - mdac
carolina theater - mpack/ icepack

Stay safe folks,

Roger

A transient hack

2008-01-30T19:06:00.000-08:00

Hi folks,

A few days ago, we were looking at a website that was being blogged about (on Jan 21st) as being hacked, but when we looked (on Jan 21st) it was already clean. What we normally do in such cases is go to the google cache, and that usually gets us a copy of the exploit, but in this case, it was clean in the cache as well, so... what gives???

The google bots went past three days earlier, so we wondered if there was a different result from the other search engine caches, and lo and behold, the yahoo cache was still infective. :-)

Now, yahoo doesn't show the date that they went by, but a quick email exchange with the blog author confirmed that it was definitely infective on the 21st.

What this means is that it was clean on the 18th, but hacked after that, and then cleaned on the 21st.

Just for fun, we made this vid about it...

Keep safe folks

Roger

Pigs fly... oh, and another 0-day ... ho hum

2008-01-13T18:43:00.000-08:00

Hi folks,

In a previous entry I suggested that we'd probably never know how the uc8010.com mass hack occurred unless one of the website victims told us, and that the chances of that were about the same as flying pigs. Guess what ... it turns out that some people do have the right combination of nerve, public spirit, and willingness to share about security matters... so... pigs _can_ fly, and now we know how it happened. I _did_ promise it was off the record, so we can't share it further, but at least we know. Bravo to that person!

And why ho-hum about a 0-day? It only affects users of a product called QVOD Player, which seems to be a popular Chinese media player, but which is probably only on Chinese user's machines.

The exploit code is coming from a Chinese website, so that makes sense, and it is obfuscated by flipping all the high-order bits in the javascript, to make it harder to read and notice.

Fortunately, this appears unlikely to be taken up by the gangs targeting Western PCs and the kit developers, so it's probably not going to be a major problem.

The real message, of course, is that the Bad Guys are still thinking.

Cheers

Roger

So this is kind of interesting...

2008-01-05T18:09:00.000-08:00

Hi folks,

This domain uc8010(dot)com was registered just a few days ago (Dec 28), and yet, at one point Google showed script injections pointing to it were showing up on over 70k domains.

So the first point is that this was a pretty good mass-hack, and it wasn't just that they got into a server farm, as the victims were quite diverse, with presumably the only common point being whatever vulnerability they all shared.

The second point is that some victims were pretty sophisticated in terms of security smarts, including, apparently, some Computer Associates pages. The exploit must have been pretty new. I wonder if any of the website operators will have the nerve to own up and tell us how they got nailed? Pigs might fly too.

The third point is how fast the victims are being cleaned up. If you google for uc8010(dot)com, you still get about 50k hits, but if you are running something like LinkScanner (something that can check out each of those sites in real time by crawling to them), you will see that although the google snapshot still shows them infected, LinkScanner shows that the majority of them are already clean. (Btw, what this means is that the cached copy is probably still infective, so don't go testing it out yourself unless you know what you're doing)

The fourth interesting point is that the only exploit we were able to coax out of them was the venerable MS06-014 (MDAC) patched in September 2006. What this means is that they went to the trouble of preparing a good website exploit, and a good mass-hack, but then used a mouldy old client exploit. It's almost a dichotomy.

Stay safe folks!

Cheers

Roger
Chief Research Officer
AVG/ Grisoft

Neosploit January 2008

2008-01-03T15:25:00.000-08:00

Hi folks,

Welcome to 2008. Let's hope it's a safer year than last.

Given that Neosploit seems to be gaining in popularity, and seems to be being modified fairly often, we thought it would be worthwhile to take a bit of a snapshot of it, for posterity's sake, if nothing else.

Here's what we're seeing in January 2008: (Props to Glenn Jordan of AVG/ Grisoft, and Nick FitzGerald for their Most Excellent help with decryption and analysis)

First there's a sort of pre-amble... typically there is a launcher script whose job it is to simply redirect to the exploit script. We say "simply" with our tongue firmly in our cheek because the launch scripts are typically encoded twice with Neosploit to make it hard for crawl-bots (but not a browser) to follow, and it appears that they might be encoded with the ip of victim, so that the exe is hard to get (except for a victim).

Then the exploit script itself is also double encoded, again with the Neo-algorithm, and contains the following exploits...

(1) first is the venerable MDAC (MS06-014). It's old, (worked up to Sep 2006), but it works like a charm if you're not patched.
(2) second is one of the many QuickTime exploits. It's not easy to determine which version it is, but it's probably one of last years.
(3) three is AOL's SuperBuddy, from April 2007
(4) is an NCTAudioFile2 overflow from January 2007
(5) is the GomWebCtrl from October 2007, and which has recently appeared in the Storm exploit pack as well (an idea that is Catching On (tm))
(6) is SetSlice, patched in October 2006 and
(7) is the ANI exploit from April 2007.

Interestingly the previously-popular WinZip exploit has been dropped.

The payload, or the exe that gets delivered, of course varies from website to website.

It will be interesting to see how long it takes to update it with the current RealPlayer exploit.

Keep safe folks!

Roger

Storm is b-a-a-a-a-ack

2007-12-24T11:25:00.000-08:00

Hi folks,

As you've probably noticed, Storm is back for Christmas. There are only two noteworthy points about it.

The first is that they've added another fairly new exploit to it, and that is for something called GomPlayer, or the Gretech Online Movie Player, which is apparently very popular in South Korea.

The exploit is from October 2007, and is explained here, http://www.milw0rm.com/exploits/4579, but the key point is that if you're using GomPlayer, you're potentially vulnerable.

The second point is that 3rd party dlls continue to provide the attack points for new exploits. This is kind of interesting, and either means that Microsoft is patching faster than the exploits are coming out, or 3rd parties are not patching fast enough, or perhaps both.

Of course, this also highlights that the Bad Guys don't want or need a massive number of infections... they couldn't handle that... all they want is enough to make a profit. Folks, they're farming the Internet.

Cheers

Rog

In the news today... December 19, 2007

2007-12-19T18:14:00.000-08:00

Hi folks,

Things have been quiet for a few weeks now, and we've been patiently waiting for the other shoe to drop, especially given that it's the run-up to Christmas, but four fairly notable things have happened today...

First is that the DollarRevenue guys have been fined $1m euros for dodgy practises, with the full story here.

Shout-outs to OPTA, although a bigger fine would have been even better.

(Props: Larry @ Spamhaus)

Second is that the authors of the popular Pinch trojan have been arrested in Russia, full story here.

(Props: Kaspersky Labs and Ferg)

Surely those two events will serve to make perpetrators think twice.

Third is that, seemingly overnight, there was a web worm on Orkut, which seemingly lived, infected 400k computers, and died again overnight due to google being quick to react (shout-outs to google for that). Basic story is that any place where 3rd parties can post to a website, such as scrapbook entries on Orkut, represent an issue. If the 3rd party can post javascript, there's a good chance they can do something malicious, so all such inputs are supposed to be sanitized against that, but in this case the perp found a way to disguise the javascript enough to get past the validation/ sanitization process, and voila .... a webworm. It's a wonder we don't see more of them. Fuller story here.

(Props: Ryan)

The fourth thing is that one of our goat machines we got a virus today from a website. A really, truly virus called Cekar! Cekar is not particularly new, having been around the early part of 2007, and its main function is to steal passwords from a Chinese chat program called QQ (according to McAfee ... http://vil.nai.com/vil/content/v_141463.htm), and this makes sense, because it came in from a Chinese exploit server. The exploit that delivered it was old too... an MDAC (MS06-014), but it was interesting to watch it infect the system. It was a fast infector too... instead of waiting for a program to execute before infecting, it hit the whole disk, and all visible network drives in one pass. Quite took us back to the Old Days of the early 90's when fast infectors were the problem du jour.

This really underscores two points... (1) it's way better to keep these things off your disk in the first place, because a fast infector messes you big time, and (2) we are _always_ going to need good antiviruses, just for the times when they manage to get in.

Cheers

Roger

Grisoft acquires XPL

2007-12-06T18:20:00.000-08:00

Hi folks,

Sorry for not writing something sooner... it's been a busy few days. We're pleased to announce that we've been acquired by Grisoft, the developer of AVG. Nearly all the tech and marketing folk, including me and the other researchers from XPL are joining Grisoft, and we're all very excited about it.

AVG is a great little anti virus program, with a huge number of users, and we're looking forward to adding our software to their product. I expect that standalone LinkScanner will continue to exist as long as there are users for it.

The web continues to be the primary attack vector for those who would build their botnets and pwn other people's computers, and real time evaluation of incoming web-pages continues to be the best way to prevent the attacks.

Cheers

Roger

Innocent searches for Nov 26 2007

2007-11-26T19:06:00.000-08:00

Hi folks,

Our friends at Sunbelt have blogged about a massive push of malware here ... http://sunbeltblog.blogspot.com/2007/11/breaking-massive-amounts-of-malware.html

We agree. This is the same stuff we talk about when we talk about innocent searches, mostly anyway, and it must be working because there's a huge push at the moment. Please bear in mind that we see this nearly every day, but here are today's innocent searches...

Please also bear in mind that most of these come on the first page of google results, so be careful... the wrong choice lands you in trouble.

"john cougar mellancamp scarecrow torrent" - exploit site/ rootkit
"Microsoft Access linked Outlook field names" - exploit site/ rootkit
"kings hyundai" - exploit site/ rootkit
"harbour fitness" - exploit site
"craigslist medford" - exploit site/ rootkit
"Vinegar draw silver" - exploit site/ rootkit
"hacking a samsung c417" - exploit site/ rootkit
"bose 701 wiring diagram" - exploit site/ rootkit
"Grove Haven" NC" - rootkit
"el camino real restaurant universal city texas" - exploit site/rootkit
"youtube snl robert deniro" - exploit site/ rootkit
"spray tanning pelham alabama" - exploit site/ rootkit
"ditripan" - exploit site/ rootkit
"kaye jewelers" - rootkit
"1997 dodge dakota" & "ignition switch" - exploit site / rootkit
"batteria acer travelmate 212tx" - exploit site/ rootkit
"rhyl credit union" - mdac exploit
"epson cx7000 driver download" - exploit site/ rootkit
"Baseball Gloves" - mdac exploit
"rival crock pot replacement parts" - exploit site/ rootkit
"1990 mazda protoge bluebook" - exploit site/ rootkit
"career fairs , new york" - exploit site/ rootkit
"sam's club torrance" - you guessed it
"oakland tn commercial lease" - and again
"somerville tn commercial lease" - and again
"texasworksource" - ditto
"automobile battery marietta ignition" - sigh

That's about half for today. The list goes on and on, but you get the idea.

Cheers

Roger

Innocent searches for Nov 21 2007

2007-11-21T18:12:00.000-08:00

Hi folks,

Here are some of the Innocent Searches that might get you into trouble from just today. There are rather a lot of them...

AREA MEASUREMENT - wrong choice gets a link to a known exploit site
recipe for bine turkey - what's a bine turkey? anyway, wrong choice gets a rootkit
currency converter - rootkit
americanexpress/activate - rootkit
sixth avenue electronics - rootkit
deltashuttle - rootkit
blue licenses holding - rootkit
office depot links paper templates - rootkit
knitted or crocheted dachshund patterns - rootkit
fishing site - rootkit
avolon grand cancun,mexico - mdac exploit
demising - rootkit
radio blog club - mdac exploit
hp csn - rootkit
LEGO DUPLO Block-o-dile - rootkit
degrassi fan fiction - rootkit
ASA 5510 throttling - rootkit
durrants auctions - WebAttacker/MPack
cluck u chicken - link to known exploit site
define scupper - rootkit
nfl picks - link to known exploit site
gary senner myspace - trojan installer
laundromat franchises - link to known exploit site

Two interesting things... (1) most of the rootkits are being installed by social engineering tricks and (2) we're seeing about this many "Innocent searches" turning up malicious sites every day, which is a big increase from what we used to see.

Cheers

Roger

Big hack today

2007-11-19T14:51:00.000-08:00

Hi folks,

It seems that company.monster.com suffered some sort of iframe injection attack today. Our SearchShield prevalence data has detected multiple brands affected, including Eddie Bauer, GMAC Mortgage, BestBuy, Toyota Financial, Tricounties Bank as hacked and iframing out to an exploit server.

It was probably just today, as it wasn't showing up yesterday, and was not in any search engine cache that we could see.

Monster has already taken the pages offline. Yay, Monster.

We detect it as the Neosploit exploit package. It is fairly well encrypted, so it's not yet clear exactly what exploits are in use. We'll post more information as we figure that out.

It is also not clear how many pages were affected, but it is likely that the attack was the same for all companies on the website, which _might_ turn out to be a pretty good set of Fortune 500.

A couple of individual researchers noticed it at about the same time we did, but I'm not sure if they can be mentioned / want to be mentioned, so I'll reserve that for the moment.

Cheers

Roger

Just for grins...

2007-11-18T17:41:00.000-08:00

Hi folks,

Just for grins, I thought I'd list some more innocent searches from the last two of days...

"crash bandicoot warped iso" gets a rootkit via social engineering
"The Hartford" wrong choice gets a WebAttacker/ Mpack
"sock monkeys" wrong choice gets a link to a rootkitter
"chinese bamboo fountain" wrong choice gets a rootkit
"free dachshund sweater patterns online" wrong choice gets a rootkit ... whatever
"woodhaven cellars" - rootkit
"wwww.mapquest.com" - rootkit
"table legs" - rootkit
"car parts search toronto %22sun visor%22 honda" - rootkit
"michigan christmas walpaper" - rootkit
"cincinati model railroads" - rootkit
"1978 trans ams for sale" - rootkit
"workwear boots in lake street, minneapolis" - rootkit
"irish gifts annapolis" - rootkit
and last but not least
"TRAMPOLINE cakes" - rootkit.

Whatever!

Cheers

Roger

Hacked .gov websites _still_

2007-11-18T05:29:00.000-08:00

Hi folks,

Over the last _three_ months, Alex Eckelberry has blogged multiple times about hacked .gov websites here

Two months ago, we blogged about it here, and and made this video... .

You'd think they'd be fixed by now, wouldn't you?

Some are, but alas, here is a list from the last two days. Please be careful if you decide to look. You should expect exploits and social engineering.

http://burbankil.gov/_themes/inf/0/2077.html
http://csm.ca.gov/bios/_vti_cnf/inf/0/2968.html
http://7.z.cityofplainville-ks.gov/7/586.html

Some are hosting the code, and some are hacked dns.C'mon guys ... FIX them.

Cheers

Roger

120mb of lures

2007-11-15T19:19:00.000-08:00

Hi folks,

This is kind of interesting. Last night, our researchers found an infective, hacked site similar to the .gov that we documented here By itself, that's really common, but the neat thing about this was that it was all open and readable, and we were able to download all the lure files.

That turned out to be a stunning 1999 files, totaling 120mb of keywords. The idea is that the search bots find and index these pages, and after a week or two, they change the the lure pages out to a simple redirect to a fake codec or an exploit site.

So, this is not earth shattering or anything, but it provides a useful insight into how the Bad Guys set their traps.

Cheers

Roger

Banner ads from major sites

2007-11-13T16:43:00.000-08:00

Hi folks,

Ok, we all know that infective banner ads are not new, but this is more interesting than most because they're currently fairly common from both mlb.com and nhl.com.

These are really hard to track down, because they don't happen every time you visit a site ... it took us hours to get our first capture... but it was both interesting and instructive that when _we_ got a capture, one of our researchers on the other side of the world got one at about the same minute. Now, it was a different fake scanner, and a different path thru the ad network, but it was a startlingly similar style and almost the same time. We don't believe in coincidences.

Here's the chain for mlb.com ...

mlb.mlb.com/index.jsp calls to ad.doubleclick.net
ad.doubleclick.net calls to newbieadguide.com
newbieadguide.com calls to fixthemnow.com - this is where the code comes from
fixthemnow.com calls to bsa.safetydownload.com

and here's the chain from nhl.com ...

www.nhl.com calls to m1.2mdn.net
m1.2mdn.net with a parameter of ad.doubleclick.net calls to adtraff.com
adtraff.com calls to blessedads.com
adtraff.com calls also to prevedmarketing.com (which is the same ip as blessedads.com)
one of those two does a 302 (temporary redirect) to scanner2.malware-scan.com, which does the fake scan.

Full URLs are available to appropriate interested parties.

Here's a vid for anyone who'd like to watch it in action...

Cheers

Roger

whoops - sorry Chris

2007-11-09T11:32:00.000-08:00

Hi folks,

Evidently I owe Chris Boyd an apology.

Here's what happened. About a week ago, our prevalence network, independently of any other input, detected the Alicia Keys MySpace hack, because of the link to the fake codec, and we started trying to make a video about it.

I recalled Alex Eckelberry making a post about a couple of different MySpace hacks over the last week or so, and in fact credited them as we made the video. When I checked with Alex to find a blog to link to, he told me it was Chris and not his guys. It was too late to change the vid, but I intended to mention it in the blog, and simply forgot.

To be fair to Chris, he was first, although when I looked at the link Alex gave me, it mentioned the Passarounders, and when I found Alex's original message, it mentioned a band called greementsoffortune ... not Alicia Keys, which was much bigger news to me. It was the same Bad Guys, but, truly, _we found it independently_.

So Chris... I apologize ... I didn't steal any of your work, and didn't mean to steal your thunder.

Everyone knows you do good work, and I clearly owe you at least one beer sometime.

Cheers

Roger

Ok, now this is pretty funny...

2007-11-08T20:00:00.000-08:00

Hi folks,

So as we reported, Alicia Keys' myspace page was hacked, with a background image linking out to co8vd.cn. Within a couple of hours of releasing our blog and vid, myspace had fixed the page... Yay MySpace!!! (which had been hacked for at least three or four days earlier, because that's when we first noticed it... and someone just reminded me that PaperGhost over at http://www.vitalsecurity.org/2007/11/myspace-band-hacks-continue_05.html had noticed it for some other bands separately at a similar time or even earlier time), but here's the funny bit.

It looks like it's hacked again!!!

The original hack was an href image reference to co8vd.cn/s/ and while that's now out of the html, there's now an href image reference to acilot.cn/s/ .... see any similarities there??? :-)

Now, to be fair, acilot.cn is currently 404, but it _might_ still be coming online, and it sure looks suspicious.

Hacked... clean for a couple of hours... hacked again... pretty funny.

Cheers

Roger

Alicia Keys MySpace page is hacked

2007-11-08T13:51:00.000-08:00

Hi folks,

Attacks on MySpace seem to be on the rise. First, at the end of October, there were a number of links added as friend-comments that went via MySpace's open-redirector (MSPlinks) to exploit sites in China. This was reported publicly on the FunSec mailing list. (All myspace friend-comments _seem_ to automatically redirect thru MSPlinks, probably as a way to try to filter out spam and phishing, but a downside is that the URL is base64 encoded, and is thus impossible for a human being to eyeball, and therefore possibly reject ... the effect of the well-intentioned msplinks is thus to make an open-redirector)

Now, we keep finding MySpace pages that have had some sort of image-background link injected, that are reaching out to a different site in China that is both throwing exploits and using social engineering to install rootkits and (probably) dns-changers.

The interesting thing about this is that rather than using an iframe for an automatic embed, as they usually do, they've added some sort of image background href, with a large size ... 8000 by 1000 pixels, with the effect that a click that slightly *misses* a control or link on the page, ends up going to the exploit site.

The fact that this site is media-rich, with lots of sound and videos means that the FakeCodec trick will be much more effective. The click-er is probably expecting to see a vid, or hear a song, and is quite likely to think he genuinely needs to install something extra.

This could easily be the same group that recently started watching for Mac users, and offering a Mac trojan as needed, and if that's so, will also add to the effectiveness of the attack.

What's not clear at this point is how they're doing it, and how widespread it is. Neither google nor myspace seems to be indexing the critical bit of html. If you search for the exploit site (co8vd.cn), the only results seem to be victims, or people talking about victims.

I guess we'll have to wait for MySpace to tell us what happened.

Here's a vid that shows a bit more...

Cheers

Roger

and the _other_ shoe drops

2007-11-07T19:01:00.000-08:00

Hi folks,

There are two important things happening at the moment, and one shoe dropping. One is that we have the feeling that the Bad Guys are re-grouping... moving countries, and reorganizing.

The second is that the pre-packaged exploits like MPack and Icepack have largely disappeared...replaced by social engineering tricks which are being used _extensively_.

The other shoe that's dropped is that the Storm boyz have been relatively quiet for a while, which is never a good sign. Our respected colleague, Nick FitzGerald pointed out tonight that they've added two new exploits to their exploit package. One seems to be for AOL's SuperBuddy, and the other is the NCTAudioFile2 dll, used with lots of widely adopted packages, such as Movavi. CERT has a nice write-up here ... http://www.kb.cert.org/vuls/id/292713.

Now, we have to stress that neither of these is 0-day... SuperBuddy seems to be from March 2007, and NCTAudioFile2 seems to be from January, but these dlls are probably not part of a systematic upgrade, so there are likely to be enough unpatched systems around to make it worth their while. And it may not even be new for Storm, but we've only just noticed, so there's a good chance it is new for them. They keep using the same encryption/ obfuscation routines so it looks enough like Storm, that we've been detecting it anyway.

Anyway, I certainly feel that this is the _other_ shoe dropping for Storm, and explains why they've been quiet for a while.

Cheers

Roger

And the other shoe drops ...

2007-10-17T19:33:00.000-07:00

Hi folks,

Our respected colleague, Joe Stewart, has noticed that Storm is now using encryption (albeit trivial) to communicate with its peers. What this means is that Storm bots can only communicate with other Storm bots that know that key. He speculates that this might be a precursor to selling off chunks of the botnet!

This fits perfectly with what we noticed, whereby Storm had been ... vigorous... but was now quiet. It felt, to us, that they were planning/ changing something, and this would make perfect sense.

What this means to everyone is that we can look forward to even _increased_ Storm botnet activity, as other groups try to use it for their various and nefarious purposes.

Interesting times, folks.

Cheers

Roger

Waiting for the other shoe to drop

2007-10-05T15:12:00.000-07:00

Hi folks,

This has been a really busy couple of weeks with hacked websites, new exploits, and improved encryption all over the place... we see most of the different groups working hard with the exception of the Storm guys.

Given how active they've been in the past, creating new lure pages every few days, sending huge amounts of spam, and sometimes creating new versions of their bots every few minutes, one has to wonder where they are?

It'd be nice to think they've given up, and got legit jobs, but one has to wonder if this is simply the proverbial calm before the (new) Storm.

Cheers

Roger

Cisrt hack

2007-10-03T12:52:00.000-07:00

Hi folks,

The most interesting part of this story has been poorly reported, as far as we can see, and that is that at least two of the many exploits being fired by the exploit servers in this hack are brand new! (0-days by some definitions, but probably more correctly Undercover Exploits)

One exploit impacts the Baidu Soba searchbar, (Apparently Baidu is a popular Chinese search engine, and they make a searchbar) which isn't going to impact non-Chinese users too much, but given that CISRT is the Chinese Internet Security Response Team, there's a fair chance it got a bunch of local victims before it was cleaned up.

The second new exploit seemingly targets another third-party toolbar. It's not 100% clear at this point, but the clsid seems to be the OcSearchAssistant (spyware) searchbar. This is kind of funny, because it means it was targetting stuff that was probably installed by slightly nefarious means in the first place. I thought there was honor among thieves.

These bring to four the number of new 3rd party dll exploits in use for the first time, in just about one month. It seems an idea that is Catching On (tm).

The third under-reported side to this is the sheer complexity of the encryption being used to obfuscate the exploits. We have still not decrypted some of them, so there could well be more surprises to be found.

Cheers

Roger

More google stuff

2007-10-02T19:22:00.000-07:00

Hi folks,

Here is a video we made some time ago, and only recent decided to publish it, mostly because some other folk have noticed it too. It's called Playing Bait and Switch with the search engines. Basically what happens is that the Bad Guys create a new website and load it up with pages of keywords ... some porno, some startlingly innocent. They give it a week or so to allow all the search bots to find and index them, and then switch it out to either an exploit or a social engineering trick.

The result is that really innocent searches take unwary users to really dangerous places.

Cheers

Roger

Not just US .gov websites

2007-09-30T13:03:00.000-07:00

Hi folks,

It's fairly well understood now that there are bunches of US .gov websites that are either directly hacked, or at least have compromised DNSs, but over the last few days, we have seen .gov for both the Philippines and Saudi Arabia exhibiting the same symptoms. I suspect the Kingdom would be very upset if they knew what they were hosting, or at least said to be hosting.

And at least one Syrian Embassy website is also hacked, with an invisible iframe link to an Esthost (Russian) exploit server. That server is currently not talking to anyone, but it can be brought online at any minute.

It's nice to know that website security is not limited to US gov.

Cheers

Roger

And another 0-day ITW

2007-09-26T12:22:00.000-07:00

Hi folks,

Today we have found yet another 0-day ITW. ITW stands for In The Wild, and means that the exploit has been found alive on a website, and actually trying to install real malware, as opposed to ITZ. ITZ stands for In The Zoo, and refers to those exploits which are proofs of concept only, and which are not actually in use.

Anyway, today we found another one.

It's another activex buffer overflow in a Chinese product called Baofeng Storm. NIST has a write-up here... http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4816.

We're not really sure what that is, because the website is in Chinese only, and that makes it a bit hard to read for those of us who only speak English. :-) The good news is that this probably means it is unlikely to be on too many computers outside China.

The bad news is that this seems to have only been announced in the middle of Septmeber, so it again shows that the Bad Guys are being really vigilant.

Naturally, we detect it anyway. :-)

Cheers

Roger

0-day ITW... but relax

2007-09-23T15:42:00.000-07:00

Hi folks,

Today we've found a 0-day ITW, but it's probably not going to affect too many people, so it's not a huge worry.

The issue is a buffer overflow in the PowerPlayer.dll ActiveX control in PPStream, CVE reference CVE-2007-4748. PPStream is a Chinese P2P video streaming application. As far as we know, there is no English version, but it probably won't affect too many people outside China.

It shows that the Bad Guys are still thinking and watching.

By the way, they teased us a bit because they also had an exploit named ms07-042, which would have been much more "interesting", but when we decrypted it, it turned out to just be another VML.

Cheers

Roger

Storm in September 07

2007-09-21T11:38:00.000-07:00

Hi folks,

Just for grins we made a small vid of a mid-September 07 Storm lure. Their websites have evolved from simple text based "Click-here-to-view-your-ecard" type things to content rich, impressive websites with animated gifs.

There's nothing startling about it, but it's impressive for a pure lure.

Cheers

Roger

Ad vendor serving exploits thru Facebook

2007-09-14T12:52:00.000-07:00

Hi folks,

Last night I was reading a friend's blog on FaceBook, and IE popped up a message saying that the webpage was trying to start RDS (Remote Data Services) services, and would I allow it. I clicked "No", and then thought "Hang on... it shouldn't have been starting RDS!" (It was late and I was a bit slow), so I opened up a goat machine, retraced my steps, and about a minute later.... blam... programs dropped and executed on my machine.

No rootkit, and no detection from any avs that I had access to, but after a reboot, I found that now, when I started IE and went to my home page, I got extra copies of the browser starting, and ads being served.

It’s hard to sort out, but here’s the critical sequence of connections …
Facebook calls to bannerconnect
208_67_70_3 Referer: http://ads.ak.facebook.com/ads [snip] ,Host: ad.bannerconnect.net
bannerconnect calls to yieldmanager
208_67_70_3 Referer: http://ad.bannerconnect.net/st?ad_t [snip] ,Host: ad.yieldmanager.com 208_67_70_3 Referer: http://ad.bannerconnect.net/st?ad_t [snip] ,Host: ad.yieldmanager.com
yieldmanager calls to valuead
69_63_219_104 Referer: http://ad.yieldmanager.com/iframe3? [snip] ,Host: reduxads.valuead.com 69_63_219_104 Referer: http://ad.yieldmanager.com/iframe3? [snip] ,Host: reduxads.valuead.com
valuead calls to megapromition, which throws an exploit (MS06-014), which runs an adware installer85_17_161_17 Referer: http://reduxads.valuead.com/test?pi [snip] ,Host: www.megapromition.net
After reboot, an Internet Explorer launch that should just show google looked like this …

It might well be an old exploit, but adware vendors shouldn't be doing it.

Cheers

Roger

A new exploit this weekend

2007-09-08T13:43:00.000-07:00

Hi folks,

It looks like there's a new version of IcePack, and it's pretty interesting. As well as the venerable but trusty MDAC and SetSlice exploits that we've come to love and expect, it also contains some new stuff.

The newest, and most interesting, is a buffer overflow in a DirectX dll. The vulnerability was announced in August 2007, and is documented here http://www.kb.cert.org/vuls/id/466601. As far we have found, there is not yet a patch for it, which can make things .... interesting. The best mitigator is that the vulnerable DLL is probably not in standard XP or Vista, and therefore is probably not massively available as a target. The problem with that is that it's not clear what packages it _is_ included with, so if you're not running something like LinkScanner, there's an element of Russian Roulette here.

The next interesting thing is that it contains not one, but two yahoo IM exploits. One is a control stack buffer overflow for Yahoo! Widgets Plugin, also announced in August 2007, and the second is a Yahoo! Webcam exploit from June 2007.

Just to round things out it also contains...

VML - MS07-004
MDAC/RDS - MS06-014 (patched in April 2006, but this version works up until September 2006)
SetSlice
WinZip

oh, and a Firefox exploit that appears to be the venerable WMplayer exploit from a couple of years ago.

They tend to keep things that work, reasoning that they don't don't need to exploit every box on the internet ... just enough for them to make money, so the mix of old and new exploits is to be expected, but three new ones in one update is pretty impressive.

Cheers

Roger

Hacked .gov websites

2007-09-07T10:45:00.000-07:00

Hi folks,

A couple of days ago, our SearchShield intelligence network noticed a
bunch of .gov sites serving malware via drive-by downloaded exploits and
social engineering. The front pages of the .gov sites are seemingly not
hacked themselves, but they're hosting pages that serve it. We've
identified about a dozen poisoned sites so far, though we expect there
are many more related to this hack. The first dozen or so seem to be city governments such as lasalle, il and frenchsettlement-la.

The attacking pages seem to try one of three things. First they try an
exploit to install their malware, and if that doesn't work, they try to
trick you into installing a fake codec, and if that doesn't work, they
run a fake antispy scan, and try to convince you that your machine is
already compromised, but their software can fix it... just click the
install button.

We've made a video about it, and it's at youtube here ...

with a hires .mov here...

These particular pages were detected with adult/XXX type queries, but many innocent searches also return the sites.

We'll add more details in this blog as we go.

Cheers

Roger

Bank of India hack update

2007-09-01T15:26:00.000-07:00

Hi folks,

This is a round-up of the latest news on the Bank Of India hack.

As of 10:15pm est on Saturday September 1st 2007, the bank website is still disabled, with a note saying it's undergoing maintenance, and asking for patience.

This is a good thing, because it means they're examining all their pages for intrusions, and with appropriate care they'll also correct the vulnerabilities that allowed the site to be hacked in the first place. This is an important step, because we see entirely too many sites that get hacked, then are cleaned, and then they get hacked again because the holes have not been plugged.

Now that the dust has cleared, it is apparent that the attacking servers fired at least two different exploit sets. One was a simple MS06-042, which was essentially cut and pasted from the original Milw0rm proof of concept. The second exploit set was an as yet unidentified exploit package, along the lines of mpack/icepack/webattacker.

It contained a vml exploit, probably MS07-004, another MS06-042, a WinZip, a QuickTime, and a SetSlice. This would be very similar to mpack/icepack except that it is missing an ANI (MS07-017), and it contains instead the VML.

The real difference, however, is that it had machine generated variable and function names. In other words, the server side script was generating the scripts in order to try to defeat scanners. For a variety of reasons that I won't go into here, this fails to defeat the scanners, especially LinkScanner, but it's an interesting step.

Btw, we now have an edited version of the video. Hires .mov can be found here and a youtube vesion here .

Cheers

Roger

Compromised bank website

2007-08-30T16:43:00.000-07:00

Hi folks,

Props to our clever colleagues at Sunbelt for noticing this one.

It seems that the official website of the Bank of India has been compromised and is serving exploits. It's not clear when it was compromised, but the google cache seems to show that it was clean on the 29th August, and we saw it as dirty on the 30th August, so that narrows it down a little bit, timezones notwithstanding.

Please note that the bank did _not_ do this deliberately, and is as much a victim as anyone else. Undoubtedly it'll be cleaned up as soon as the bank's IT staff comes in to work, so here's a video to preserve it for posterity.

The vid's a bit rough at the moment, and some of the bits are currently unreadable, but we'll be editing it as we go, so clearer versions will soon be available, but it's still interesting.

UPDATE: It's been cleaned. Good job by the bank staff for the quick reaction.

Also, I've had a few questions off-list about whether LinkScanner Pro blocked it already, and the answer is yes... it was using standard Mpack/Icepack stuff. We blocked it fine. There was no new exploit. The interesting bit was that even a professional, commercial website can be a victim too.

Cheers

Roger

Snoop Dog, Eagles, Beyonce ... is nothing sacred?

2007-08-29T18:31:00.000-07:00

Apparently not.

The Storm botnet has switched from fake youtube vids to early previews of new music videos. Here's a sample pitch...

Snoop Dog filmed the most amazing new video.

See the version before MTV airs it. Click the link to play it:

and

Eagles just filmed their new video.

Get it before it comes out. Click the link to play it:

So, no, nothing is sacred, and there's still no such thing as a free lunch. If the deal looks to good to be true, it probably isn't true.

Btw, there are still no new exploits in the package, and LinkScanner detects it just fine. Keep safe, folks.

:-)

Roger

Poor Lindsay

2007-08-28T17:06:00.000-07:00

She just gets out of the jail thing, and a website using her name turns out to be infective! To be accurate, there's no reason to believe that the website has anything to do with her, other than use her name, but it's infective, none-the-less. I guess it's showing up because people are searching for her a little more often, but I guess she can't catch a break.

By the way, I've been getting _lots_ of requests off-list for more Dangerous Searches, so here are a few from the last couple of days...

Hymn to Red October - Wrong choice gets you a fake codec
Portsmouth boat adjustment table - fake codec
Power Wrestling - wrong choice gets a WebAttacker/ MPack
traditional sparrow tattoos - gets a search engine hijack.

Cheers

Roger

Storm twist

2007-08-25T19:42:00.000-07:00

Hi folks,

There has been a slightly interesting development with the massive storm botnet today, in that they are referencing a youtube video.

This is typical email text ...

"You can see your face right in the video. its all over the web dude. this is the link to it."

followed by what seems to be a youtube link.

At first we thought they'd done something cunningly bad to youtube, but it's just an email/ html trick. ALl they're doing is displaying an html link, which in fact takes you directly to a Storm node, which in turn tries to use a Q406 Rollup package to infect you.

What this all means is that LinkScanner sees thru all their subterfuge just fine, but lots of non-LinkScanner users will be tempted to view the youtube video (which are always safe, aren't they?)

Cheers

Roger

Russian Attack Imminent

2007-08-13T19:52:00.000-07:00

I'm kidding... I'm kidding!!! Despite the views of some of our esteemed competitors, we just can't see it. Are there lots of Russian sites launching exploits? Sure, but not that many more than usual. We think what people are seeing is a by-product of the combination of the increasing number of pre-packaged exploit sets like MPack and IcePack together with improvements in the ability of the Bad Guys to mass-infect webfarms.

In fact, we think everything is exceptionally quiet at the moment, which suits us all just fine. Let's hope it's not a calm before the storm kind of thing.

Cheers

Roger

WebAttacker2

2007-08-08T21:13:00.000-07:00

Ok .... now we really think we've seen one. Let us explain...

The original WebAttacker was a set of exploits sold as a package. The idea was to allow would-be evil WebMeisters to add drive-by downloads to their websites for whatever reason they might have. The original developers would release a new version every other month or so. As new exploits were discovered, the WA authors would add them to their package. All went well (for them) until about September 2006, when they tried to add one of the September 0-days, and their implementation was buggy. It just didn't work. The next couple of months saw them trying to add a couple more exploits-du-jour, and unforch, they didn't work either. Their user base abandoned them for other packages (which we now now to be MPack, IcePack and Neosploit) which _did_ work, and they lost their market share. WebAttacker went the way of any software package that doesn't work.

This weekend, however, it seems that they've re-surfaced. Our researchers have noticed URLs being spammed out, with exploit packages that look similar to Mpack/ Icepack but different, and very reminiscent of the original WebAttacker... exploit urls are reminiscent... launcher scripts are reminiscent, even to the point of determining if they are running on the archiac Windows 98 (but then doing nothing with that information). Nothing newer than ANI (MS07-017), but it doesn't include Winzip and Quicktime, which again makes it different from MPack/ Icepack.

It looks like they're ba-a-a-ack!

Cheers

Roger

New (ish) Chinese exploit in the wild

2007-07-28T19:01:00.000-07:00

Hi folks,

We are able to confirm that some Chinese websites are now using a WebThunder ActiveX exploit.WebThunder appears to be a Chinese P2P networking application that is quite popular there, but we think everyone else is pretty safe.

The main point is to be aware that the Bad Guys are still thinking and probing.

Cheers

Roger

Catching up

2007-07-20T19:26:00.000-07:00

Hi folks,

Firstly, let us apologize for not blogging more frequently. The last couple of weeks have been tumultuous with some things we can discuss, and some we cannot.

Here's a summary...

(1) Dangerous searches still abound. Here are a few examples from the last day or two...

Robert Cleridge women's shoes - wrong choice gets a link to a known rootkitter

Wallpapers - wrong choice gets a WebAttacker

Janet Jackson photos - duh!

download constrained regression nonlinear - one might argue that a query that geeky deserves an exploit, except that we're all proud geeks here, so we cannot.

(2) The Storm botnet attacks have been unfolding in relentless waves. We cannot talk too much about that at the moment, except to say they've been very interesting and quite impressive.

(3) There are now at least six different exploit packs being sold ala WebAttacker. It seems to be an idea that is Catching On (tm). We'll write more about them over the next week or so.

Cheers

Roger

IE 0-day today

2007-07-10T10:33:00.000-07:00

Hi folks,

Thor Larholm announced an IE 0-day today, which works like a champ. See his write-up here... http://larholm.com/2007/07/10/internet-explorer-0day-exploit/ ...

We have added a sig for it, so our users should be well-protected.

So far this is not in the Wild, but it is entirely too easy to modify for the Bad Guys to ignore.

I'm betting about 24 hours.

Cheers

Roger

Dangerous searches - July 1st, 2007

2007-07-02T18:38:00.000-07:00

Hi folks,

I've had a few folks ask off-list how to find these "dangerous searches". The tongue-in-cheek answer is "It's really hard", unless you're running LinkScanner, and then it's still a bit hard. Nearly all the searches that we list here come up on the first or second page of search results, but _sometimes it depends on which search engine you're using_! It's a bit surprising, but even the google searches depend on which countries version of the engine you're searching.

Never the less, here are some of the entertaining "Dangerous searches" for the last few days...

"domestic warthog" ... i kid you not
"used building supplies georgia"
"penders grove primary school" ... MDAC exploit - the kids have been hacked
"akai 42 plasma tv review" ... this one can get you a fake codec ... usually a ZLOB rootkit downloader
"kittens" ... still nothing sacred
and
"plane tickets"

Cheers

Roger

Dangerous searches - June 27, 2007

2007-06-27T20:19:00.000-07:00

Hi folks,

It been a few days, and I thought I'd post the highlights. Over the last few days, it's been dangerous to search for such diverse things as ...

"music without voice" - WebAttacker2/ Mpack

"famous cubists" - WebAttacker/ MPack

"what is the regulation height of a dartboard" - believe it or not, this can get you a fake codec. Is nothing sacred?

"travel line buses sheffield" - MDAC

"polly pocket" - MDAC - no, nothing is sacred

"florida baptist churches" - nope, nothing.

"blank paper invitation pockets" - WebAttacker2/MPack

"web counter that works on myspace" - MDAC

and we don't usually care about p0rno queries, but this one is too funny to ignore...

"looney toon porn" .... whatever!

Cheers

Roger

Dangerous searches - June 23, 2007

2007-06-23T19:15:00.000-07:00

Hi folks,

The overall state of play is that there are still two significant attack waves happening. The ecard guys out of the .hk domains have cleaned up their English and prettied up their email a bit. It's now downloading 2mb of something. We're not sure what it is at this point, but it's probably not friendly, and there are still lots of compromised Italian sites launching MPack/ WebAttacker2.

Here are some of the more interesting (and unexpected) dangerous search terms from the last couple of days...

"Firefox" ... ! Fortunately, that's only dangerous if you're using Internet Explorer to search for it.

"watch movies for free" ... wrong selection gets you a WebAttacker2/ Mpack.

"wallpaper" ... webattacker2/mpack

"blue book" ... is still dangerous. That's been about a week now, which is unusual. Most of these get cleaned up quite quickly.

"stem cell research"... that's a bit mean

"bulgarian mp3 music download" ... that's too easy (JUST KIDDING!)

and "radio blogs" ... wrong choice gets an MDAC.

Cheers

Roger

Dangerous searches - June 20, 2007

2007-06-20T19:19:00.000-07:00

Hi folks,

I'd stopped tracking this stuff because I thought no one cared, but emails I've had off-list have convinced me otherwise. I think it's _really_ interesting to see what innocent searches can get you into trouble, and we're happy to share. I've also had the question off-list "Does this mean you track all your user's queries?" to which the answer is "Heck no!", but we do track the queries that result in exploit attempts. This is what we _do_. We couldn't care less who _you_ are and what queries _you_ make, but we sure want to know who tries to bite you! This is our job!

Here are the most interesting dangerous searches for the last few days...

"go karts" - wrong selection gets an MDAC exploit

almost any national park in the southwest is still dangerous, rattlesnakes not withstanding

"texas tea slots online" - wrong selection gets an MDAC

"insurance australia" - clearly that's dangerous ;-) ... the wrong result looks to be just an Orphaned Lure, but you can never be sure about Orphans.

"cannot find server" - clearly _that's_ dangerous! ... wrong selection gets a WebAttacker/ Mpack.

"top wallpapers" gets an MDAC

"free lottery" gets an Orphaned Lure

As someone famous once said "There's a million of them"

Of course, there are also _lots_ of Italian references which we don't understand, but which are hitting WebAttacker/ Mpacks.

Cheers

Roger

Two pretty good attack waves

2007-06-18T13:11:00.000-07:00

Hi folks,

At the moment,it appears there are two determined but separate waves of attack underway. One involves a large number of hacked websites, seemingly in Italy, which are iframed and reaching back to an MPack/ WebAttacker exploit server (or servers), and the second is the continuing wave of allenged greeting cards, mostly from .hk domains. This second one is the one we blogged about over the weekend that uses an ani together with a circa-2005 exploit... sort of a sublime and a ridiculous thing simultaneously.

Of course, LinkScanner detects it all just fine.

Cheers

Roger

New attack underway

2007-06-16T19:39:00.000-07:00

Hi folks,

There is a significant attack run underway over the weekend. It involves a spam run telling people they have a Greeting Card, not that this is a new tactic, but it involves a seemingly large number of .hk domains. If you click the link to view the card, it throws an ANI exploit, which is new-ish (patched in April 2007), and ms06-042, which is old-ish (patched in October 2006), and an ms05-052!!! I have no idea when that was patched except that it was 2005 sometime, and if someone has not patched since then... well... they have a name for people like that... serially pwned.

If it manages to nail you, it installs a downloader for which av detection is low, and it, in turn, downloads a rootkit for which av detection is _very_ low.

What this all means is that the weird thing is the use of a two year old exploit, that we have not seen in use anywhere else until now. Go figure.

If you're patched, or are running LinkScanner, all is well.

Cheers

Roger

Dangerous searches June 14th 2007

2007-06-14T19:04:00.000-07:00

Hi folks,

Today it's dangerous to search for

atlas mountains country ... (wrong result gets you a WebAttacker 2 or MPack)

rotweiller rescue

North Padre Island (WebAttacker 2 or Mpack)

arches national park (WebAttacker 2 or MPack)

canyonlands national park (in fact, lots of National Parks in that part of the world ... the Badlands can still be dangerous)

and the mass lottery

Keep safe

Roger

Dangerous searches

2007-06-13T19:05:00.000-07:00

Hi folks,

Today it's dangerous to search for

air disasters in Florida (wrong answer will get you a WebAttacker 2)

cd key windows xp profesional (that's another 'duh!')

and

batmobile for sale (does that need a comment?)

Mostly, it's a quiet day folks. Works for us.

:-)

Roger

Dangerous searches

2007-06-12T17:36:00.000-07:00

Hi folks,

Today it's dangerous to search for ...

victoria's secret (duh! the wrong website here gets you a fake codec)

pokemon ruby gamesharks (I couldn't make this stuff up)

blue book (wrong website gets you an mdac exploit)

bulletin boards in norwich, ct (that'll get you an Orphaned Lure which might not be an orphan)

and .... music! (webattacker 2 or mpack)

:-)

Cheers

Roger

Dangerous searches

2007-06-11T18:09:00.000-07:00

Hi folks,

Today it's dangerous to search for IBM stock, pallet fire (what's that???), Nigerian economic and financial crimes (there's a shock), and/ or to find out who's a rat.

It's left as an exercise to the Attentive Reader (tm) to find the exploitive websites. Anyone running the SearchShield function of LinkScanner should find it easy.

:-)

Cheers

Roger

A cunning rootkit

2007-06-11T13:49:00.000-07:00

Ok, I see what they're doing now.

First some background ... Most rootkits _hide_ themselves from Windows api, and the anti-rootkits _find_ them by looking first with the normal Windows api, and then making another pass of the disk making calls directly to the kernel, and then comparing the lists. If they find a file in the second list that's not in the first, they report it as a hidden and there's a good chance it's a rootkit. This method is far from foolproof, because, for example, files might be legitimately created, say by a Browser, in between passes, and it will look like a hidden file, but it's good enough to provide a clue anyway.

What's happening with this one is that it is _not_ hidden. It sits in plain sight, and when the cross-viewing anti rootkits compare their lists, they get no differences, and therefore no hidden files, and most declare there to be no rootkit on the system.

Why is it a rootkit then? Instead of hooking the file list functions, they're hooking the _file open_ functions. If you try to view, or scan, or copy the contents of the rootkit, you get a "file does not exist" error!!! What this means is that even if your scanner has a signature for that rootkit, it probably won't be able to open the file anyway.

I dunno about you but I think that's pretty cunning!

Cheers

Roger

They swapped it out

2007-06-10T15:41:00.000-07:00

That's interesting .... the St Petersburg Iframers have swapped out the new rootkit for something old and mouldy that everyone can detect!

One wonders when the new one will come back.

Cheers

Roger

Yahoo exploit In The Wild

2007-06-10T07:14:00.000-07:00

Hi folks,

Recently a couple of exploits were announced for Yahoo Messenger Webcam dlls, and today there are websites actively using it to install malcode. We don't expect this to be an important or widespread outbreak, but we do expect it to be adopted by the rest of the malicious webmeisters over the next few weeks.

Naturally, we've added detection for it to LinkScanner.

Cheers

Roger

Keep those rootkits out

2007-06-09T19:58:00.000-07:00

Hi folks,

The St Petersburg iframers have a new rootkit. None of the scanners that I have access to can put a name to it so far, and none of the generic cross-viewers that I have can see it, with the exception of GMER, and GMER isn't sure about it.

That these guys would have something new and difficult is not really surprising... they were using Rustock variants for a long time, which gave most anti virus/ anti spy products a hard time by storing themselves in an Alternate Data Stream and then hiding the ADS, but lots of av/as products can now see in the ADS. It's reasonable to assume they'd move to something newer.

Somewhat amusingly, they're still using the same exploits to plant it, so if you're patched and/or running LinkScanner, you have nothing to fear, but if you're not ... you don't want to get this one on your system.

Trust me ... it's better to keep them out than to try to remove them once they're in!

Cheers

Roger

At least they're honest about ripping you off...

2007-06-07T14:59:00.000-07:00

Hi folks,

One of our users brought this to our attention. A bunch of websites are offering free web-counters. -start channeling Homer- Free? How could I go wrong? I'd have to be an idiot to pass that up. - end channeling Homer-

Well, if you read the Terms and Conditions, it contains this gem...

"Possible uses includes (but to are not limited to)
to directory of the sites using our service, the purpose situated
scripts inserted in your web can be used by us for every of profit,
general promotional uses, any purpose of profit, activx, pay Internet,
Dialer, Premium Number, redirect, etc."

Disregarding the poor English, at least they're telling you what they plan to do to you and your customers!

Read those EULAs folks!.

Cheers

Roger

You've got to like it ...

2007-06-06T18:55:00.000-07:00

when you find the Bad Guys development sites. :-)

In the last three days, our researchers have found two such sites. We've already added sigs for their efforts. :-)

Seriously though, I'm fairly confident that we're going thru a quiet period, where the various groups are re-organizing themselves. Some good exploits have surfaced in the last couple of days, and some of them will find their way to websites in the next few weeks.

We'll be watching, and will keep you posted.

Cheers

Roger

Exploit-y news

2007-06-02T08:30:00.000-07:00

Hi folks,

Thare are two developments worth mentioning.

First is that we are detecting increased usage of MS07-027. (MS07-027 patched several vulnerabilities, but the one we're seeing in use involves a dll called MDSAUTH which apparantly allows arbitrary file writing). The critical think about this is that it was only patched on May 8th, however, and the proof of concept code was released and available almost immediately, and it is certainly being used by the Chinese gangs. These guys have a habit of hacking large numbers of innocent websites and turning them into unwitting lures.

The second is that we are seeing _lots_ of activity involving the MPack exploit package (what we used to call WebAttacker 2). There are clearly large numbers of hacked websites involved here, and the exploit code works really well. This is the package that we've talked about before, and which contains lots of different exploits. The most dangerous are probably WinZip, because there is no automatic upgrade path for WinZip, and many people will still be using a vulnerable version, and the April 2007 animated cursor exploit, simply because it's so new. Many corporates will not be patched to April.

Cheers

Roger

Everyone knows the Internet is for porn...

2007-05-31T17:46:00.000-07:00

but did you know our EDUs are too? This is either funny or sad, depending on your point of view, but sooooooo many EDUs turn up in our prevalence data, that you could just about make the case that EDUs are the biggest identifiable segment for porn hosting.

Here are a few examples of the charming subject matter that we regularly detect in EDUs...

/incest-porn.html
/porn-videos.html
/mature-porn.html
/ladyboys.html
/teen-sex.html

Now, the fact that we keep seeing the same directory names on _geographically_ diverse EDUs actually means that the students and EDU's are not doing this deliberately, but rather that it's a deliberate and systematic hacking by some group. These directories are typically full of exploits, and fake codecs, so they're a good place to avoid anyway, but very often they have probable child pornography (LinkScanner is often able to detect kiddie porn by analyzing the html on the page, and preemptively blocks those pages) on them, so they're probably dangerously illegal as well as malicious.

As much as I'd like to think that EDUs might rise up en masse, and evict all this stuff, and fix their security, I don't like our chances, and I anticipate that they're part of the exploit infrastructure of the web forever.

Cheers

Roger

One mystery solved - it's MPACK not WebAttacker2

2007-05-30T08:12:00.000-07:00

Hi folks,

For ages now, we've been seeing certain patterns of exploits, wrapped in distinctive patterns of obfuscation. We saw them start at a particular site in Russia, and gradually spread to _many_ other places, and it was obvious to us that it was being sold as a package. So obvious, in fact, that we blogged about it with the title "WebAttacker is dead, Long live WebAttacker". In other words, there was clearly at least one new kid on the pre-packaged exploit block, but we didn't know what to call it.

Today we do... it's called MPACK (Thanks to Symantec and Panda for figuring that out).

It's been interesting to watch the development of this one, as they've added exploits, and changed their encryption. Like WebAttacker, they track the visitors IPs and won't serve the exploits a second time. They used to say "Sorry! You ip is blocked." but now they just display a grumpy face if you come back for a second look.... like this ... :[ .

At least they have a sense of humor.

We've seen a real uptick in hacked legit sites pointing to other servers that have been hacked and are now MPACK exploit servers, so everyone should be careful for a bit.

Cheers

Roger

And I thought I was patched!

2007-05-17T20:36:00.000-07:00

Hi folks,

We got all excited today because one of our fully-patched goat pcs got nailed by a website. (The fact that we got all excited tends to show how sad malware researchers are in general, but that's another matter)

"0-day!", we thought, but as we examined the packets from our sniffers, we sadly realized that we weren't really fully patched. Turns out we had an old copy of WinZip (yes, licensed!), and this particular website had a WinZip exploit, along with several others.

This got us to thinking and wondering, however, how many other machines have some third party software that is not patched? Windows is ubiquitous, some third-party software is _almost_ so, and an exploit for a third party package is likely to be just as productive as a windows 0-day.

The moral of the story, folks, is keep _all_ your software up to date.

Remember, the Bad Guys don't want to shut down the Internet any more... they don't want to cut down the tree... they just shake it from time to time, and see what apples fall off.

Cheers

Roger

Three bags full

2007-05-14T19:39:00.000-07:00

Hi folks,

The title actually bears little relationship to the story... it merely reflects that I have little kids and have been reading too much Mother Goose.

There are three items I'd like to share though.

The first is this excellent article by Didier Stevens. See here

The nub of this matter is that Didier conducted an experiment where he registered adwords and waited to see how many clicks he'd get. The adwords were variations of "drive by download" and for $23 his ad was displayed 259,723 times over six months, and clicked on 409 times. It's a great article and well worth a read.

The second item I wanted to share was that the iframecash boyz have now started using .hk domains. It will be interesting to see how this pans out.

The third item is that, overall, things are pleasantly quiet in the web-based exploit world. We sincerely hope that it's not calm-before-storm stuff.

Cheers

Roger

So, Cinco de Mayo is dangerous

2007-05-05T18:36:00.001-07:00

Hi folks,

Of course, you could have called that in from your couch. It turns out that these guys, http://freewebcards.com have been hacked. Let me stress that they are not deliberately doing this, but they are now an Innocent Lure. We first noticed them on April 26th, and they fixed it almost immediately, and noted that they were trying to address the problem.

Today, however, it turned up on SearchShield results. If you search for "what is cinco de mayo" in google, it shows up on the second page with an MDAC injection. See here.

The webpage looks like

this

and a source view shows a chunk of obfuscated javascript like this.

Now, these guys are obviously trying to be careful. See this message from 26th April, where they acknowledged that people were getting at them, and they trying to sort it out, so if these guys can get nailed again within a couple of weeks, _anyone_ can get nailed.

Cheers

Roger

Nope, they're victims too

2007-05-01T13:17:00.000-07:00

Hi folks,

Over the last few days, I've had lots of people asking me questions about the targetted sites, such as Better Business Bureau, with some people thinking mistakenly that the BBB is actually serving exploits to them. That is not the situation at all. BBB (and all the other websites targetted by the scam) had nothing to do with it, and didn't even know their name was being used.

I've also had lots of people asking me what they can do to stay safe from this sort of thing, and the short answer is (1) patch and (2) install LinkScanner (shameless plug). It's actually worth installing LinkScanner even if you do patch because it's nice to know if a website _tried_ to bite you, even if you were not vulnerable.

LinkScanner scans all webpages returned by search engines when you do a query, and the Pro version also scans all tcpip traffic in real time anyway. What this means is that even if a bad web page is cunning enough to wait until you actually try to surf to it to launch the exploit, LinkScanner will still see it and block it.

By the way, we've found some more interesting sponsored links (not google this time), and as soon as we finish documenting them, we'll write about it here.

Cheers

Roger

A video

2007-04-27T15:27:00.000-07:00

Hi folks,

We were fortunate enough to capture some video of the google / BBB / SmartTrack issues. Here is a link if you'd like to watch it.

and there's a hi-res version here

Cheers

Roger

Google sponsored links not safe?

2007-04-24T11:20:00.000-07:00

Hi folks,

We've been watching an interesting puzzle for a couple of weeks now, and last night the last couple of pieces fell into place. Since the 10th April, our community intelligence network has been finding exploit detections _seemingly_ at household name sites like the Better Business Bureau and
cars.com but are actually coming from a place called smarttrack.org
masquerading as one of the legit sites.

Google searches such as the phrase BetterBusinessBureau OR "Florida Business
Opportunity Law" or "Modern cars airbags required" will turn up these
dangerous sites (more on that below). Last night our researchers discovered that one of these rogue links was the number 1 sponsored link when people entered the phrase BetterBusinessBureau. See here. It looks safe, but a mouse-over our red verdict reveals the truth.

It sure looks like it will take you to a BBB website, and that's where you end up. Here's a screensnap of the result.

First, however, it takes the unwary traveler through smarttrack.org, which uses a modified MDAC exploit to try to install a backdoor and a post-logger on your system. The post-logger is specifically targeting about 100 banks from around the world, by injecting extra html into those banks response pages, to try to coax extra information out of the victim. (Although it specifically targets those 100, it is an equal-opportunity logger and happily logs all user ids and passwords for any webpage.)

Also, because the post logger is a browser helper object, it is part of the end-point of any SSL transaction, and can see everything in plain text, instead of encrypted.

Now, lots of links in any search engine point to infective sites, so that's not really a surprise, but this does highlight a significant issue. When you move the mouse over a normal, organic search result, google shows the url you are about to navigate to if you click. See here.

If, however, you mouse-over a sponsored result, no URL preview is shown! This means that a user has no clue where she is about to navigate to. See here. Savvy search engine users will know that often these sponsored links will take you through a
'Click-manager' or other advertising service and so seeing your browser pass
through smarttrack.org will appear benign enough.

Fortunately, google seems to have terminated that account as of about 11am est, but we detected about 20 different search strings that resulted in links to smarttrack.org, so it is not yet clear if all the links have been cleared up, but LinkScanner and SearchShield will surely reveal that over the next few days.

Cheers

Roger

A real knockout website

2007-04-22T19:04:00.000-07:00

Hi folks,

One of the most entertaining features of our product is SearchShield. LinkScanner is able to fold into both Internet Explorer and Firefox and is able to pre-scan search results for google, yahoo and msn. It takes a little bit longer, because it physically has to go fetch all the webpages and scan them, but it's so much fun to watch it's worth installing it just for the entertainment value. Exploitive websites are really hard to find, but they pop up when they are entirely unexpected (which is why databased solutions can never keep up with a programmatic solution). Time after time, you'll be searching for something innocent, and bam!... something unexpectedly gets marked with our famous red X.

For example, a simple google for K1 turns up an exploitive site as the first result.
(WARNING! Don't go to any of these sites unless you really know what you're doing)

It seems that K1 is shorthand for a form of Ultimate Fighting, and this one, www.k-1usa.net, is infected by the Chinese WoW hackers.

There's some irony in real martial artist warriors being impacted by virtual reality World Of Warcraft players.

I can't help but feel that the K1 guys would like five minutes with the World of Warcraft guys.

Cheers

Roger

WebAttacker is dead, long live WebAttacker

2007-04-20T16:10:00.000-07:00

Hi folks,

Anyone who has read my blog knows that I thought WebAttacker was an interesting bit of software. For those who haven't read my blog, WebAttacker was a Russian-built canned-exploit package. For a few hundred bucks, you too Mr Lamer could be a Malicious Webmeister by adding WebAttacker to your website. Each month, the WA authors would add the best new exploits to their package, and provide an update to their clients. The wheels started to fall off for them in September 2006, when their attempt to add the vml 0-day failed miserably, and they failed again the next month to add the October 0-day (XML exploit, from memory). They made no attempt that I could find to release an update after that, and I decided that they went the way of all software developers whose products failed.

At about the same time, we began to find what we called the Q4-06 Exploit Rollup Package. This was a javascript containing all the nifty exploits from September and October 2006 (SetSlice, VML, MS06-042, XML, Daxctle), sometimes in plain text, and sometimes encrypted. Being available as plain javascript, it was free, easy to modify and was quickly and widely adopted.

There was one version, however, that stood out from the others, principally because it was well encrypted, _and_ it tracked visiting ips, ala WebAttacker. If you came back to the same exploit website,from the same machine, it would refuse to re-serve the exploit, and would instead display "Sorry! You ip is blocked." (Yes, bad grammer and all). We have long seen that specific error message associated with a particular exploit hub in Russia (Stela-something ... those who know, know who we mean) , and it was no surprise to see them upgrade to the newest exploits, but the kicker is this...

We now see that exact error message coming from _many_ exploit websites. That means that the backend part of this is finding its way to other websites. That's significant. You can easily copy the client portion, but you cannot get hold of the server part unless someone wants you to. Either the Stela folks have been hacked themselves... or _they're_ selling the package, perhaps to fill the void left by the WebAttacker departure! Hence WebAttacker is dead, long live WebAttacker.

These are interesting days folks.

Cheers

Roger

The world is changing

2007-04-17T19:54:00.000-07:00

Hi folks,

A couple of months ago, someone asked me what was happening in the malicious website world, and I replied that I thought it was all changing, but I wasn't sure how.

It has changed, but it's still not clear how much, but here's what we're seeing.

The first notable change is geographic. A year ago, we would have said that 90% of the malicious website activity was Russian based. Today, those guys are still there, but we now have huge activity from China, Morocco, Brazil and France as well, and the Russian component is probably less than 30%.

The second change is the sheer volume of attacks. If you don't believe me, go google for .cn/1.js, and see how many results are returned. (WARNING!!! Don't go to any of the result websites, unless you're well protected by LinkScanner, or you're patched). Today, you get about 60,000 hits, and a week ago, it was about 120,000. Now, this is not _proof_ of anything, because some of the returned results are now clean, and some have never been infected in the first place, but it does give an indication of the scope of the problem because 1.js is just one example of one of the recent Chinese attack scripts, and there are _lots_ of other ones.

The third change is the reduction of adware. I guess there's still lots of it, but it doesn't seem to figure as prominantly in the malicious website equation. It used to be that the first thing a malicious website did when it nailed you was to install 20mb of adware (usually the variety that paid commissions per install), followed by keylogger/ rootkit, and a pitch for a fake antispy to remove it all (for just $49.95). Now we just see the keylogger/ rootkit, and sometimes the pitch for the fake antispy.

In other words, the whole idea of malicious websites seems to be Catching On (tm), and the payloads are less innocent, and more overtly criminal.

Cheers

Roger

An orphan no longer

2007-04-13T19:11:00.000-07:00

Hi folks,

One of the more interesting ideas that we monitor is that of an Orphaned Lure. That's where you have some site that has been hacked, and made into an Innocent Lure, but then the exploit server is offline. The Lure is now an orphan, but in a macabre parody of a B-grade horror movie the exploit serves can come back to life, and start serving exploits again.

This has happened tonight.

One of the common hacks that we see is an injection of some unescaped code that starts like this ...

< s c ript language="j a vascript"> document.write( unescape( '%3C%69%66%72%61%6D etc

When you decrypt this, it resolves to something like this ...

< iframe src=hxxp:// 81.95.nnn.nn/index.html

where nnn.nn is a substitute to save people from accidently hurting themselves.

This ip has been offline for at least a month, maybe two, but tonight it is live again, and serving stuff.

The moral of the story is that you cannot trust a hacked site. The lure in this case is a hairdressing salon.

Cheers

Roger

ANI and WoW stuff

2007-04-11T19:08:00.000-07:00

Hi folks,

I've had a flurry of emails and instant messages that have caused me to realize that I have not explained something properly. The thing that I have not explained is that, almost certainly, the ANI exploit was discovered by some Chinese college student who wanted to steal World Of Warcraft passwords, (That must surely narrow it down to a mere half a million suspects, so he must be almost caught now ;) ) and these are the same guys that earlier hacked the Superbowl website, and who have been using the very effective RDS version of MDAC (infective up to and including August 2006 patch) and the January 2007 version of the VML exploit. In other words, these guys are kids, but exceptionally smart and exceptionally dangerous. (And, yes, we're fairly sure we know who he is, but that's another matter)

Now, of course, all the Serious Bad Guys on the Internet have gone "Whoa... this works great! I'll have one of those!" and have adopted the ANI exploit for reasons far more nefarious than simple WoW password stealing, but that does nothing to change the fact that the most dangerous exploit to be released on the Internet so far in 2007 was discovered by someone whose sole intent was stealing passwords for some online game.

Is this a great Internet, or what???

Cheers

Roger

ASUS again???

2007-04-10T19:02:00.000-07:00

Hi folks,
Ok .... that's weird .... asus.com.tw and several other asus web sites have been unavailable for at least two hours now. That's strange, to say the least. I wonder why?
Cheers
Roger

An interesting hacked site + a couple of hours

2007-04-10T16:03:00.000-07:00

Hi folks,

"Shout outs" to the webmeisters at http://www.pocketpcmag.com... their website is now clean. They responded to our notification email almost immediately and found and cleaned up the problem within a couple of hours.

This is a stark contrast to most of these events where the webmeisters not only ignore our notifications, but (or perhaps because of that) remain infective for weeks or even months. _Anyone_ can get hacked... the issue then becomes _responding_ appropriately.

Well done and cheers

Roger

An interesting hacked site

2007-04-10T10:45:00.000-07:00

Hi folks,

On the heels of the asus.com.tw hack, here is another example of how even an obviously well designed and well used website can be hacked.

At least two of the pages on hxxp://www.pocketpcmag.com (the website owner has been notified) are hacked with iframes pointing to some of the well known Chinese exploit servers. Interestingly, it seems like it's a recent hack, because the google cache of the now-infected pages shows them as clean on Apr 3rd 2007.

If you thought you were safe because you never visited Chinese websites, think again. :-)

Cheers

Roger

ANI - Monday Apr 9th

2007-04-09T18:27:00.000-07:00

Hi folks,

Things seem to have settled down in that all the major exploitive web groups seem to have picked up the ANI exploit, and it's now part of the general exploit fabric of the web.

By this we mean that there probably won't be any more surprises with this one, and it will now follow the pattern that we see with the other web exploits... major bad guys will continue trying to find ways to hide their use of it, minor bad guys will continue to adopt it as they figure it out... spammers and malicious e-carders will continue to send it out for whatever it produces for them. Anyone who's patched or is running something like LinkScanner is pretty safe.

Interestingly, these guys (spammers and ecarders) will now mostly catch corporate victims because corporates tend not to patch automatically.... they break too many mission-critical systems with automatic patching. They rely instead, on their corporate av and firewalls to protect them, and the bad guys know how to bypass av any time they like, and firewalls are no protection against web exploits, because the browser creates an instant tunnel right thru them.

A lot of people do their online banking at work (not to mention checking their MySpace or Hotmail accounts), exactly because they think they're safer at work protected by the corporate av and firewall, only to find out that it was not so. Given the predilection of the recent Chinese gangs for installing rootkits and network sniffers, that cannot be a happy outcome for a corporation.

Cheers

Roger

ANI - Sunday morning - Phax Phishing continues

2007-04-08T06:11:00.000-07:00

Hi folks,

We've now received some more reports of Phax Phishing (that's where they send you a fax and try to convince you to visit an exploitive URL on your pc), and while we find it highly amusing, I guess it must work at least a bit or the Bad Guys wouldn't keep doing it. What this means is ... watch out for faxes. :-)

ANI-serving websites continue to pop up all over, but the Chinese websites deserve a special mention because of the convoluted nature of the hacks. When we find hacked websites, it's quite common to find they've been hacked multiple times, usually by different gangs, but sometimes multiple times by the same gang (which is also amusing, as well as instructive, because it proves that the hacks are automated .... human beings are not doing it by hand), but the hacked Chinese websites are _impressively_ cross hacked.

They're all using the same exploit combination... MS06-014 (modified to infect up to and including an August 2006 patch), MS07-004, and the ANI exploit... so the cross-hacks don't raise the danger much as far as regular web surfers are concerned, but do they make it difficult for researchers to categorize and understand. We can typicially figure out who we're dealing with by examining which exploit combinations are being used, together with how they're encrypted, together with the payload, but the cross-hacks, with their sheer volumes, make it really tough going, albeit _very_ interesting.

Cheers

Roger

ANI - Friday afternoon

2007-04-06T12:53:00.000-07:00

Hi folks,

Two interesting things have happened today.

First, is (and probably lots of people already know this, but ) that sometime in the last few days, it appears that the Taiwanese site for ASUS was hacked, and an iframe to an ANI inserted. Fortunately, the site where it was trying to download the exe from is now offline, but the iframe is still in the ASUS site, so one needs to be careful. It's now officially an Orphaned Lure.

Second is that I've now heard of a second target being phished by fax! The victim has to read the fax, and go type a URL into a browser. The URL has the same version of the exploit package that I wrote about a few days ago in association with the Britney Spears spam run... an ANI, a SetSlice, a winzip, a quicktime, an MS06-042, and a VML. It's a bit like a Moron Virus (that's where you have to copy the virus onto each file yourself, because the virus writer was too dumb to do it programatically)

Cheers

Roger

ANI -Thursday evening ... late

2007-04-05T20:05:00.000-07:00

Hi folks,

Although the number of infected websites is continuing to grow, we feel we have the outbreak contained, at least as far as our users are concerned, and we're starting to look at the many and varied payloads.

The most interesting thing we've seen so far is one that is a genuine virus (in other words, it infects other files really well). That is unusual enough, but it also installs a network packet sniffer, _and_ it installs a copy of the Microsoft Platform SDK... 14,500 files over 1.1gb. At this point, we have absolutely no idea why they would do that. It just doesn't make sense.

You could understand making something viral, and you could understand why the virus might also install a network sniffer, but then to download 1.1gb of SDK is hardly subtle, and tends to give the game away a bit. Also interesting is that some of the infected files call _frequently_ to a url containing MsnPortalHome, which _looks_ like adware. All very odd.

We'll post more as we find out!

Cheers

Roger

ANI - Thursday morning

2007-04-05T11:56:00.000-07:00

Hi folks,

Overnight we discovered that the group that we call TriModers (so called, be cause when we first noticed them, they were using a package of three exploits), is now attempting to use an ANI exploit. Their vesion is currently broken, and I'm not going to tell them how to fix it, but I expect they'll get it working soon, and we can add their farms to the list of villains using it.

Cheers

Roger

ANI Wed evening

2007-04-04T17:24:00.000-07:00

Hi folks,

Well, the official patch is out, but the use of the ANI exploit continues to grow. Significant numbers of exploit servers and their lures continue to be found, mostly in China and Russia.

On a slightly different note, someone asked me recently how to measure the importance of a web-based exploit problem, and I thought it was a fair question. When you have a network worm or mass-mailing worm, it's fairly easy to guage the size of the outbreak, simply by watching your firewall logs, or by looking at what comes into your InBox.

Web-based stuff is much more subtle. They rarely come looking for you, but rely on their network of Lures to draw you in. For example, a single exploit server I looked at recently had fifty IP addresses that called directly to it. Each of those fifty (which were under the direct control of the owner of the exploit server) had about 300 domains on it. If you assume that each of those domains had just ten external links in, from open blogs, or hacked sites, that made 150,000 ways to be drawn to the exploit, with just a couple of unwary surfs. If they could create 100 first generation links in, that would be 1.5m. It mounts up quickly.

Not only that, but a frequent target of the exploiters is to hack into an unwitting small business website, like a resaurant or a mortgage broker. They're always poorly defended, but the owner is usually canny enough to try to create many links into her website. Some potential diner tries to find out what's on the menu, and gets a belly full of rootkit instead.

Cheers

Roger

ANI Tues afternoon+10 minutes

2007-04-03T15:17:00.000-07:00

Hi folks,

I just swung by some iframer lures, and guess what .... they're now infective with the ANI 0-day. Not sure what that payload is yet, but they usually install a Rustok rootkit. They have a strong and large system of Lures, so this is a pretty good escalation of events. Good thing the patch came out today.

Naturally, LinkScanner users have little to fear, as it detects all the variants so far.

Cheers

Roger

ANI Tuesday afternoon

2007-04-03T10:11:00.000-07:00

Hi folks,

It's Tuesday afternoon about 6pm est. It's been an exceptionally busy day, but here are the main points so far.

(1) ANI exploits continue to be spammed out, mostly disguised as Britney pictures, mostly installing spam engines and backdoors.

(2) There are quite large numbers of hacked websites, mostly Chinese, installing a considerable variety of payloads, some of which are viral. We're analysing them now.

All very interesting.

Roger

ANI last entry for Monday

2007-04-02T19:32:00.000-07:00

We now have some more details about the payload of this exploit spam run. It downloads a 36k progam called 200.exe. When run, 200.exe writes itself back out as Winlogon.exe, and adds itself to HKCU... CurrentVersion\Run to ensure it gets into the execution cycle on reboot.

When it runs, it emails out to a hotmail account, presumably to announce that the victim has been 0wned, and then calls out to a different server on port 80 every five minutes, presumably looking for commands. In other words, it's a bot / backdoor. Oh, and it's a rootkit.

Cheers

Roger