Archive for May, 2008


May31
by Joseph Pacamarra (Threats Analyst)

XSS (Cross-Site Scripting) Very Much Alive and Kicking

We were about to investigate further on malicious activities related to banner82(dot)com/b.js but the URL was already inaccessible around Tuesday. Soon enough the malicious script in www(dot)adw95(dot)com caught our interest. A rough survey of the sites compromised by this script reveal that the sites involved some cross-site scripting (XSS), or SQL injection vulnerabilities, or a combination of both.

XSS Holes Endanger Users with Increasing Risks

I want to shed some light again on XSS because, although it has been around for a long time, it has neither become a less attractive attack method, nor has a fool-proof defense against it been properly formulated.

XSS vulnerabilities can cause a variety of problems for the casual web surfer. These problems range in severity from mere annoyance to complete credential compromise. Some XSS attacks involve disclosure of the user’s session cookies, allowing the attacker to take complete control of the victim’s session and, in effect, take over the account and hijack the HTTP session.

XSS attacks may also include redirecting the user to some other page or website, and modifying the content of an HTTP session. Other damaging risks include the exposure of the victim’s files, and subsequently the installation of Trojans and other damaging malware. To what purpose? One can only guess, because once the compromise is successful, the criminal’s next actions are open to unlimited possibility.

An XSS attacker uses varying methods to encode the malicious script in order to be less conspicuous to users and administrators alike. There is an uncounted number of variations of these attacks; embedded JavaScript is one of the more common implementations. But be forewarned: any embedded active content is also a potential source of danger, including ActiveX (OLE), VBScript, Flash, and more.

Breaches in the Background

XSS issues can and do exist in the underlying Web and application servers too. Most Web and application servers use error mechanisms to display content access error pages, such as “404 page not found” and “500 internal server error”. If these pages reflect back any information from the user’s request, such as the URL they were trying to access, there is an even greater chance that they are vulnerable to an XSS attack.
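To make the error-page case concrete, here is an added example (not code from the TrendLabs post): a 404 page renderer that reflects the requested path, shown first unescaped and then with HTML escaping applied, plus a small check that tells the two apart. The request path is a constructed sample, decoded as a server would see it.

```javascript
// Added example, not from the original post. Node.js, no external packages.

// Escape the five characters that let text break out of HTML text or
// attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// UNSAFE: the raw request path is interpolated into the error page, so any
// markup in the path is rendered by the visitor's browser (reflected XSS).
function render404Unsafe(path) {
  return `<html><body><h1>404 Not Found</h1><p>No page at ${path}</p></body></html>`;
}

// HARDENED: the path is escaped before interpolation, so it is displayed
// literally instead of being parsed as markup.
function render404Safe(path) {
  return `<html><body><h1>404 Not Found</h1><p>No page at ${escapeHtml(path)}</p></body></html>`;
}

// Defensive check: does the rendered page contain more tags than the fixed
// template? The template itself contains exactly eight tags
// (html, body, h1, /h1, p, /p, /body, /html).
function hasInjectedMarkup(html) {
  const TEMPLATE_TAGS = 8;
  const tags = html.match(/<[a-zA-Z\/]/g) || [];
  return tags.length > TEMPLATE_TAGS;
}

// Constructed sample: a request for a missing page whose path carries a script tag.
const CONSTRUCTED_PATH = '/missing<script>alert(1)</script>';

console.log('unsafe renderer reflects markup:', hasInjectedMarkup(render404Unsafe(CONSTRUCTED_PATH)));
console.log('safe renderer reflects markup:  ', hasInjectedMarkup(render404Safe(CONSTRUCTED_PATH)));
```

The same escaping rule applies to any request-derived value an error page echoes (query strings, headers, referrers), not only the path.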

The possibility that a website contains XSS vulnerabilities is extremely high. There are countless ways to mislead Web applications into relaying maliciously injected scripts. Developers and website administrators seem to have a knack for missing these vulnerable areas in their web implementations, while finding these errors seems to be a walk in the park for attackers, since all they need is a browser and time (time which most defenders don’t have).

There are numerous free attack tools available, and worse, the most efficient ones are created by career criminals who happen to be at the disposal of anyone willing to pay for their warez. These tools readily aid in finding these flaws, and are increasingly often crafted to inject XSS attacks into a target site.

XSS Vulnerability in Adw95(dot)com Attack

Here’s a closer look at the infection chain launched by the injection of malicious JavaScript into victimized websites:

Mass compromises seem to be all the rage these days, and exploiting XSS vulnerabilities is just one of the methods criminals can employ to silently worm their way into users’ PCs. Please see our Virus Encyclopedia for further details about the malware in this particular infection chain. Trend Micro users with updated patterns are protected from these threats as of Pattern 5.305.00.

(Note: Malware may vary or change at any given time as we are still closely monitoring this incident).


May31
by Bernadette Irinco (Technical Communications)

Even though Patch Tuesday is still two weeks from now, crimeware authors are already sending out fake Microsoft “critical updates.” The TrendLabs Content Security Team recently found a hoax purporting to be from Microsoft that urges users to update their computers due to a “critical security issue”.

The email, which has the subject heading “Important update from Microsoft Windows XP/2003 Professional Service Pack 2(KB946026)”, urges recipients to install the latest security update to avoid a successful attack which could result in compromising the recipient’s PC.

If the unlucky victim clicks on the file named WINDOWS-KB946026-X86-ENU, they won’t be getting any security patch, but rather malware detected by Trend Micro as PE_VIRUT.XZ.

PE_VIRUT.XZ is a pretty old variant that appends its code to EXE and SCR files, making a pretty big mess depending on where it is executed.

Admittedly, we have been seeing these fake security notifications for a long time (we’ve discussed this in the past here and here). But apparently, consumers still fall for this trap anyway.

Always keep your OS, third-party applications, and other associated software updated: this is one sound piece of advice that consumers can bank on.

And also make sure to get those Windows updates only from the source, Microsoft Corporation.

Posted in Malware, Security, Spam

May31
by Bernadette Irinco (Technical Communications)

Malware criminals generally revert to old-school social engineering as they continually employ another newsworthy item in their latest ploys.

Just recently, the TrendLabs Content Security team discovered spam email messages that rode on interest around the case of Alexandre Nardoni. Nardoni, a law consultant, was accused of killing his daughter, Isabella Nardoni, in their apartment in Sao Paulo. He later pleaded not guilty and was released from jail.

The email, which claims to be from “Youtube News”, tricks users into clicking a malicious link that promises actual footage of Nardoni’s arrest. When users click on the link, a dialog box appears asking them to save an executable file. The said file, named VIDEO.EXE, is actually malware detected by Trend Micro as MAL_BANKER.

This is not the first time (and no doubt not the last) that malware criminals have exploited the popularity of current news, as previously blogged here and here. Consumers are always advised to be suspicious when opening email messages from unknown senders. Trend Micro users are already protected from this threat, as we detect both the malware and the spam message that carries it.

Posted in Malware, Spam

May30
by Arman Capili (Technical Communications)

It is that month of the year when flowers are in full bloom and people celebrate them in festive events. It seems that same eventful, but darker, tone can be used to describe the month of May for the security industry. Trend Micro has so far documented several mass compromises of Web sites around the world this month. Yes, you read it right: the world over.

Here are the highlights of the notable Web site compromises we have seen in the past month:

May 2 - One Year Later, Italian Job Still Working Overtime

It’s been a year since the infamous Italian Job attack of 2007. In an apparent observance of its anniversary, a similar attack was seen compromising about 90 varied Italian Web sites, all hosted in Italy by a single hosting provider, the same one that hosted the thousands of sites compromised in last year’s large-scale attack.

TrendLabs discovered two forms of this compromise: one via an injected obfuscated script that redirects to a certain malicious URL, and the other via a readable iFrame and the same obfuscated script.

May 7 - A Very Convoluted Chinese Gaming-Info-Stealing Campaign

Web sites numbering approximately 9,000 were compromised via SQL injection with embedded malicious JavaScript redirecting users to two major malicious URLs. Among these Web sites were legitimate medical, educational, government, and entertainment sites from around the world.

A survey of the site locations includes India, the UK, Canada, France, and China. This observation suggests the attack is the work of an automated Chinese hacktool programmed to search Web sites for vulnerabilities, creating the same .HTML file that has been used to launch various exploits.

May 10 - More of The Same: Another Half Million Web Sites Compromised

Meanwhile, a malicious script was injected into half a million Web sites believed to be running either poorly implemented or older, exploitable versions of phpBB. This event involved, among others, a ZLOB Trojan that changes an affected system’s local DNS and Internet browser settings.

May 19 - Chinese Weekend Compromise

On May 19, Chinese-language Web sites were targeted in an attack aimed specifically at China, Taiwan, Singapore, and Hong Kong. Google search results at the time of the attack showed 327,000 pages containing the malicious script tag.

May 19 - Yet More Weekend Compromises Reach Other Shores

Another string of Web site compromises was discovered the following week, involving at least four (4) Web sites of various affiliations in different countries. These were injected with malicious JavaScript that redirects to two sites. Both eventually lead to their own series of redirections, and finally to the download and execution of malware: a backdoor and a Trojan, respectively.

May 21 - It’s Not Over: Asian Sites Injected with Nasty Code

Two days later, hundreds of thousands of Web sites were again found compromised and injected with malicious JavaScript code, some of them sites from the APAC region. Hackers had apparently conducted another massive SQL injection attack. A Google search for the malicious URL turned up 197,000 results.

May 22 - Malicious Domains Found in Compromised Japanese Sites

The next day, several Web sites in Japan, including a popular music download site and a music company site, were found injected with malicious code.

These are the hard facts, and these developments tell us there could indeed be a trend: cyber criminals seem to favor this type of attack over other methods. For what it’s worth, our engineers also think that mass compromises are common (or at least not as uncommon as we think); it’s just that they are either found soon enough, or they remain unnoticed and consequently unreported.

These documented compromises appear not to be distinct incidents unto themselves, but rather one big organized attack that just involved different domains. However, it is also very possible that there are different groups using the same tool, or a big organized group outsourcing to small-time hackers. Until solid evidence is obtained, these scenarios remain speculation for the moment. We are keeping a close watch.


May30
by Abigail Villarin

Banks all over the world are fast taking on the challenge (and opportunity) of bringing part of their operations online. Sadly, being spoofed in a phishing attack is one of the risks financial services companies have to continually address via user education. Early this week we were able to catch a phishing attempt targeted at account holders of the National Bank of Kuwait (NBK).

The phishing URL pretends to be a legitimate National Bank of Kuwait official login page:

After entering the required information, the next phishing page asks for your ATM PIN and Civil ID. This may confuse users into believing that the phishing Web site is directly related to the legitimate site:

Here is a screenshot of the legitimate National Bank of Kuwait login page (a brilliant copy, yes?):

Note that a WHOIS lookup on the phishing site reveals that the attempt seems to have originated from Chile, while the attack is directed at users in the Middle East. Phishers typically commit border-crossing crimes to at least hold off immediate entrapment by the law. Trend Micro users need not worry, as our URL filters already recognize and block this threat.

Posted in Phishing


© Copyright 2008 Trend Micro Inc. All rights reserved. Legal Notice