February 7th, 2008 by Macky Cruz (Technical Communications)
Yet another Web site compromise was discovered by Research Project Manager Ivan Macalintal, this time in Spain.
Spanish tourism and travel site Pyrenees Guide, which provides information on trips to the Pyrenees Mountains, has been found compromised and serving malicious code.

Examining the source code of the site’s main page, we find the following injected script:

The injected script loads a URL that, through a hidden iframe, leads to yet another URL carrying further malicious code. That page in turn leads to one of two malicious URLs, one of which attempts to exploit a vulnerability in RealPlayer. On initial analysis, the chain of redirections eventually leads to the download of a Trojan, which in turn downloads a configuration file listing several further files, among them dozens of MMORPG (Massively Multiplayer Online Role-Playing Game) password stealers (already detected as TSPY_ONLINEG.WN, TSPY_ONLINEG.DTQ, and TSPY_ONLINEG.CZX) and generic packers.
Trend Micro Web Threat Protection protects users from this attack by proactively blocking the related URLs and detecting the files that the attack attempts to download onto the system.
Additional Note: Advanced Threats Researcher Paul Ferguson (a.k.a. “Fergie”) has alerted the domain’s technical contact (the e-mail bounced), the IP address owner’s contact, and CCN-CERT (the Computer Security Incident Response Team of Spain’s National Cryptology Center).
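As an added example (not code from the original post or from the site involved), the following Python script shows how a webmaster can scan a page for the two tell-tale signs of this kind of injection: an iframe sized or styled to be invisible, and an inline script that decodes an escaped string and writes it into the page. The sample page, its URLs and the heuristics are this example’s own constructed placeholders, not the actual injection found on the compromised site.

```python
"""Flag injected hidden iframes and obfuscated inline scripts in an HTML page.

Added example, not code from the original post. The page below is a
constructed sample; its URLs are placeholders (documentation ranges),
not the ones from the compromised site. Standard library only.
"""
import re
from html.parser import HTMLParser

# CSS that hides an element outright, or pushes it far off-screen.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|left\s*:\s*-\d{3,}px", re.I)
# Inline script that decodes an escaped string and writes it into the page.
OBFUSCATION = re.compile(r"\b(unescape|eval|document\.write)\s*\(", re.I)
# A long run of %XX or \xXX escapes, typical of a hidden <iframe> being built.
HEX_RUN = re.compile(r"(?:%[0-9a-f]{2}){8,}|(?:\\x[0-9a-f]{2}){8,}", re.I)


def _px(value):
    """Leading integer of a width/height attribute ("0", "1px"), or None."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


class InjectionScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []      # (kind, detail) tuples in document order
        self._script = None     # buffer while inside <script>...</script>

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            w, h = _px(a.get("width")), _px(a.get("height"))
            tiny = (w is not None and w <= 1) or (h is not None and h <= 1)
            if tiny or HIDDEN_STYLE.search(a.get("style", "")):
                self.findings.append(("hidden_iframe", a.get("src", "")))
        elif tag == "script":
            self._script = []

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            body = "".join(self._script)
            self._script = None
            # Both signals together: a decoder call AND a long escaped payload.
            if OBFUSCATION.search(body) and HEX_RUN.search(body):
                self.findings.append(("obfuscated_script", body.strip()[:60]))


def scan_html(html):
    """Return the scanner's findings for one page, in document order."""
    scanner = InjectionScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: a legitimate map embed and site script, followed by
# two elements standing in for an injection (placeholder addresses).
SAMPLE_PAGE = """<html><body>
<h1>Pyrenees trip planner</h1>
<p>Routes, refuges and weather for the central Pyrenees.</p>
<iframe src="https://maps.example.net/embed?area=ordesa" width="600" height="400"></iframe>
<script src="/js/site.js"></script>
<!-- the two elements below stand in for the injection -->
<iframe src="http://198.51.100.7/in.cgi?3" width="0" height="0" frameborder="0"></iframe>
<script>document.write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F'));</script>
</body></html>
"""

if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_PAGE):
        print(f"{kind}: {detail}")
```

The visible 600x400 map embed and the site’s own external script are not reported; the zero-sized iframe and the `document.write(unescape(...))` block are. Run it over a saved copy of each page (and any file the web server serves that an attacker could have appended to), and treat any hit as a reason to diff the file against a known-good copy rather than as proof on its own.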
February 7th, 2008 by Paul Ferguson (Advanced Threats Researcher)
There have been a couple of very important updates to Adobe Reader and QuickTime within the past couple of days.
First, Adobe patched a critical vulnerability in Adobe Reader that could allow code execution and, in turn, the compromise of the PC.
The fix is included in the Adobe Reader 8.1.2 update, which apparently addresses at least one known critical issue in which a malicious .pdf file could be used to execute code on the victim’s system.
Secondly, QuickTime 7.4.1 patches a previously disclosed heap buffer overflow in QuickTime’s handling of HTTP responses when RTSP (Real Time Streaming Protocol) is enabled, which could likewise lead to malicious code execution.
Advice: Patch now.
One further note: this highlights the fact that it is not only your operating system or browser that needs to be updated from time to time for security vulnerabilities; every piece of “third-party” software installed on your PC will also eventually need to be updated when vulnerabilities are found in it.
“Fergie”, a.k.a. Paul Ferguson
Internet Security Intelligence
Advanced Threats Research
February 7th, 2008 by Paul Ferguson (Advanced Threats Researcher)

Good, solid, and reliable contact information is extraordinarily valuable when investigating compromises, and even more important when trying to contact someone to alert them to a problem.
Unfortunately, only legitimate domain and IP address owners use correct information at all (that is another issue entirely), and even among those, we are discovering more and more often that the information is incorrect.
This has been a growing source of concern in the area of network security, where being able to contact someone to notify them of a security breach is an “emergency issue” measured in minutes, not hours or days.
The longer a “contaminated” web page, for instance, remains on the Web, the greater the chance that unwitting users will be compromised and, for example, recruited into botnets.
I’d like to take this opportunity to urge each and every individual & organization who may read this to ensure that their technical contact information is up-to-date and accurate, whether it be on your web page(s) as “contact information” (e.g. webmaster@domain.com) or, more importantly, in the domain and RIR (Regional Internet Registry) WHOIS databases.
This is crucial.
When Trend Micro researchers discover an “incident”, we make every effort to contact the owners of the particular domain or IP address block to alert them to the problem. But more often than not, our requests fall on deaf ears. Sometimes we get e-mail “bounce” messages explaining that (a) the recipient’s mailbox is full or (b) the recipient does not exist, or (c) an automated response explaining that “…we take abuse requests very seriously…”, yet the issue never seems to get resolved.
On a lucky day, we get (d), an actual human being who responds and takes care of the problem.
We love when that happens.
On those occasions where we can’t get a satisfactory response from the “responsible” organization, we attempt to contact a regional or national CERT/CSIRT listed with or affiliated with FIRST.org (Forum for Incident Response and Security Teams). And unfortunately, we seem to have recently experienced more & more instances where we have to go searching for a CERT contact because we can’t get a response from the affected organization, whether by e-mail or telephone.
And subsequently, we keep our fingers crossed that they (the national or regional CERT) have more success than we have had in contacting someone who can fix the problem, or clean up the mess, as the case may be.
And sometimes they do – we have had great experiences dealing with several of the national CERTs.
There are other unfortunate occasions when a security incident is so large, so immediate, and so diverse, that it is impossible to contact all of the organizations involved – this is also a good reason to leverage the national & regional CERTs.
The underlying issue here is that security incidents do happen; what is paramount is the speed and efficacy with which an organization deals with them. And let’s be realistic: security incidents that are not resolved in a timely manner ultimately reflect negatively on your organization’s image, your brand image.
So if you’re a network admin out there reading this, double-check your organization’s contact information in the WHOIS database(s) for both your domain, and your IP address space.
It could save us all a few headaches.
“Fergie”, a.k.a. Paul Ferguson
Internet Security Intelligence
Advanced Threats Research
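One way to turn the advice above into a routine check, as an added example that is not code from the original post: pull the WHOIS record for your domain and for your IP block (WHOIS is a one-line query over TCP port 43, RFC 3912) and look at it the way an incident responder would, asking whether there is any mailbox at all, whether there is an abuse role, and whether every role funnels into a single inbox that one “mailbox full” condition would take out. The two records below are constructed samples in the common RIR and registrar formats, with placeholder names and addresses; the heuristics are this example’s own, not a Trend Micro procedure.

```python
"""Check WHOIS records for contacts an incident responder could actually reach.

Added example, not from the original post. fetch_whois() performs a real
RFC 3912 query; the sample records below are constructed so the checks
run offline, and their names, addresses and handles are placeholders.
"""
import re
import socket

EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def fetch_whois(query, server, timeout=10):
    """Raw WHOIS lookup: send one query line over TCP/43, read until close.

    Network call, not exercised by the offline samples. Use the RIR's
    server for an IP block and the registry/registrar's for a domain.
    """
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


def _role(key):
    """Map a record field name to a contact role, or None if it is not one."""
    if key.startswith("registrar"):
        return None             # the registrar's own desk, not the holder's
    if "abuse" in key:
        return "abuse"          # RIPE 'abuse-mailbox', registrar 'Abuse Email'
    for prefix in ("tech", "admin", "registrant"):
        if key.startswith(prefix):
            return prefix
    if key in ("e-mail", "email"):
        return "general"        # untyped e-mail attribute on RIR person objects
    return None


def parse_contacts(record):
    """Return {role: [e-mail, ...]} from the 'field: value' lines of a record."""
    contacts = {}
    for line in record.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "%#" or ":" not in stripped:
            continue            # comments and free text
        key, _, value = stripped.partition(":")
        role = _role(key.strip().lower())
        if role is None:
            continue
        for addr in EMAIL.findall(value):
            contacts.setdefault(role, []).append(addr.lower())
    return contacts


def check_record(record):
    """Return (contacts, problems) for one record.

    Heuristics (this example's own): no mailbox at all, no abuse role, or a
    single mailbox behind every role are the conditions under which an
    incident report is least likely to reach a human quickly.
    """
    contacts = parse_contacts(record)
    problems = []
    addrs = sorted({a for lst in contacts.values() for a in lst})
    if not addrs:
        problems.append("no contact e-mail address in record")
    elif "abuse" not in contacts:
        problems.append("no abuse contact; notifications depend on admin/tech mailboxes")
    if len(addrs) == 1 and len(contacts) > 1:
        problems.append(f"every role points at one mailbox: {addrs[0]}")
    return contacts, problems


# Constructed sample in RIPE database style (documentation prefix, fake handles).
SAMPLE_IP_RECORD = """\
% Constructed sample, not a real database object
inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-HOSTING
country:        ES
admin-c:        XX123-RIPE
tech-c:         XX123-RIPE
abuse-mailbox:  abuse@hosting.example
e-mail:         noc@hosting.example
source:         RIPE
"""

# Constructed sample in registrar output style; one owner mailbox for every role.
SAMPLE_DOMAIN_RECORD = """\
Domain Name: travel-site.example
Registrar: Example Registrar, Inc.
Registrar Abuse Contact Email: abuse@registrar.example
Registrant Name: Site Owner
Registrant Email: owner@travel-site.example
Admin Email: owner@travel-site.example
Tech Email: owner@travel-site.example
Name Server: ns1.travel-site.example
"""

if __name__ == "__main__":
    for label, rec in (("IP block", SAMPLE_IP_RECORD), ("domain", SAMPLE_DOMAIN_RECORD)):
        contacts, problems = check_record(rec)
        print(label, contacts, problems or "ok")
```

The IP block record passes: it has a dedicated abuse mailbox and a separate NOC address. The domain record has valid-looking data yet is exactly the case the post describes, because every role resolves to one owner mailbox with no abuse role, so a full inbox or a departed employee bounces every notification at once. Note that the registrar’s own abuse address is deliberately ignored; it reaches the registrar, not the people who can clean up the site.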