Posts filed under 'Exploits'

A Very Convoluted Chinese Gaming-Info-Stealing Campaign

May 7th, 2008 by Macky Cruz (Technical Communications)

Our researchers “followed the bouncing Web threat” in this newly discovered spate of hacked legitimate Web sites. Advanced Threats Researcher Paul Ferguson posted about this mass compromise on the blog yesterday, when it was still a “developing issue originating from various locations in China for the past few days that we (security researchers) are still piecing together.”

It appears that several thousand Web sites have been compromised — via SQL injection — with embedded malicious JavaScript that redirects users to two major malicious URLs (winzipices.cn and bbs.jueduizuan), both of which are now gaining quite the reputation as fellow researchers scramble to determine the “end game” in this extraordinarily convoluted attack.

Here is a general diagram illustrating basically what happens on the user side:

The Web site compromises were accomplished in the same manner as other recent mass compromises: through poor .asp and ASP.NET configuration that allows exploitation via SQL injection.

WINZIPICES.CN

Legitimate, yet compromised, Web sites found to be hosting the (embedded) JS_DLDR.AW redirected visitors to an .ASP script which, in turn, redirects to any one of three URLs.

These redirections happen instantaneously, without the user knowing it. Some of them lead to URLs that randomize an image in the Web page, a routine typically used for advertisements. The script also uses cookies to set a TTL for the image and possibly changes the image once the TTL expires.

However, a more dangerous path, which the user has no way of detecting (let alone stopping), ends in the download of JS_DLOADER.AEHM and TROJ_REALPLAY.BR. Both download TROJ_AGENT.AKVP onto the infected system. This Trojan drops a copy of itself and downloads a file containing a list of malicious sites.

Following the 2.asp path further, one of our researchers found yet more executables, including an autorun malware detected by our patterns as WORM_AUTORUN.CBZ.

While some of the involved files look harmless by themselves, closer investigation into their relationships with one another reveals a possible attempt at information theft.

For instance, a file named stat.htm includes the browser version, system language, and platform of the infected PC and then attempts to upload these statistics to a remote location. We have also stumbled upon a possible signature or marker in one of the files, a certain (graffiti) “Power by Cnzz.”

BBS.JUEDUIZUAN

This is another malicious URL that can be seen in various compromised sites (~1,510 pages). The redirection path in this case is shown below:

JS_AGENT.ALIP is the offending script in this attack. Compromised sites found hosting this script have been modified to contain an iFrame detected as HTML_IFRAME.AAK.
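As an added defender-side example (not code from TrendLabs or this post), the check below parses a page's HTML and flags script tags and iframes whose source host is one of the two domains named above, winzipices.cn and bbs.jueduizuan, plus iframes sized or styled to be invisible. The sample page and its paths are constructed, and the watchlist and the size thresholds are assumptions, not values from the post.

```python
"""Added example (not TrendLabs code): scan HTML for the injected <script src> and hidden
<iframe> tags the post describes, flagging any whose src host is on a watchlist. The
watchlist holds the two domains named in the post; the sample page is constructed input."""
from html.parser import HTMLParser
from urllib.parse import urlparse

WATCHLIST = {"winzipices.cn", "bbs.jueduizuan"}  # domains named in the post


class InjectionFinder(HTMLParser):
    """Collect script/iframe tags pointing at the watchlist, plus iframes sized to be invisible."""

    def __init__(self, watchlist):
        super().__init__()
        self.watchlist = watchlist
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        on_list = any(host == d or host.endswith("." + d) for d in self.watchlist)
        # 0x0 / 1x1 or display:none iframes are the classic "silent redirect" shape (assumed thresholds)
        tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
        hidden = tag == "iframe" and (tiny or "display:none" in a.get("style", "").replace(" ", ""))
        if on_list or hidden:
            self.hits.append({"tag": tag, "host": host, "on_watchlist": on_list, "hidden": hidden})


def find_injections(html, watchlist=WATCHLIST):
    """Return the list of suspicious tags found in the HTML (empty list means nothing flagged)."""
    finder = InjectionFinder(watchlist)
    finder.feed(html)
    return finder.hits


# Constructed sample: a product page whose database-fed description field had a script tag
# appended (the SQL-injection pattern) and an invisible iframe slipped into the footer.
SAMPLE_HTML = """<html><head><script src="/js/site.js"></script></head>
<body><p>Blue widget, 10cm</p><script src="http://winzipices.cn/1.js"></script>
<div>Contact us</div>
<iframe src="http://bbs.jueduizuan/x.htm" width=0 height=0></iframe>
<iframe src="http://example.net/ad.htm" style="display: none"></iframe>
</body></html>"""
```

Running `find_injections(SAMPLE_HTML)` flags the two watchlisted tags and the display:none iframe while leaving the site's own `/js/site.js` alone; in practice the watchlist would be fed from current threat intelligence rather than hard-coded.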

The following malicious files are downloaded on the user’s system upon visiting (and being redirected from) compromised sites:

DAMAGE COUNT

As of 19:50 PDT, the number of affected Web sites has reached ~9,000, among them several legitimate medical, educational, government, and entertainment sites all over the world.

A survey of the site locations already includes India, the UK, Canada, France, and China. This spread suggests that, instead of a Web server compromise or a heavily targeted attack, this could have been the work of an automated tool programmed to search through Web sites for vulnerabilities.

Here are screenshots of a couple of the compromised sites:

Our researchers believe this is similar to the attacks earlier this year involving uc8010.com, ucmal.com, rnmb.net, etc., which appear to be related output of a certain Chinese language hacking tool (see image below):

Also, we have been informed that a new version of this tool has very recently appeared and, unfortunately, it is now free for public download (as is the latest version), posted for anyone who wants to download it.

The resulting package — once the attacker has selected the desired options — creates the same .html file that has been used to launch various exploits.

In particular (matching the snapshot of the kit), the options in this kit reveal interesting translations such as “PPS Overflow” — which translates roughly to PowerPlayer Control exploit; “Thunder 0day” — which translates to XunLei Thunder Player exploit; “Real 0day” — which most probably refers to the RealPlayer exploit, and so on.

Correlating the code snippets and the exploits used, this points to the same gang that perpetrated the nihaorr1.com attack on April 29th, which went live sometime Monday.

There have been similar attacks using older tools, but it appears that using fewer files and fewer redirections has contributed to the growing number of affected sites. The fact that an updated version was released just last week does not make next week’s forecast clear of this style of attack either.

Consolidated findings of the Advanced Threats Research Team and Web Threat Protection team at TrendLabs

    April Malware Roundup

    May 6th, 2008 by Jasper Pimentel (Advanced Threats Researcher)

    Last month started with an April Fool’s message being spammed around. The spammed email contained a link from where a variant of the Storm malware could be downloaded. Aside from that, we’ve had our usual fill of Trojans and malicious scripts that plagued compromised Web sites for April.

    Notable Malware

    TROJ_AGENT.AMAL
    This Trojan poses as a browser plugin that must be installed first to view files that are supposed to come from a fake US federal judiciary Web site. Reported last April 15, the link to the fake site comes from spammed email messages claiming to be legitimate court subpoenas. To add credibility to the spammed email, the sender uses a uscourts.com email address, which may seem authentic to unsuspecting recipients of the message.

    TROJ_SPAMBOT.AF
    TROJ_SPAMBOT.AF is the Trend Micro detection for the malware behind Kraken, which is an emerging botnet rivaling the Storm botnet. Some researchers who have analyzed Kraken have stated that this may be a variant of the Bobax malware family.

    TROJ_AGENT.AZZZ
    Reported last April 5, this Trojan uses an old technique to trick users into compromising their systems. Users receive a spammed email, under the guise of a Microsoft security bulletin, urging the users to download a patch from a certain link present in the email. Of course, the patch is actually the malware itself, which Trend Micro detects as TROJ_AGENT.AZZZ.

    WORM_NUWAR.JQ
    TrendLabs researchers discovered a Web site that offers what looks like a YouTube-style streaming video service. The infection vector and messaging are actually still the same — that is, users are most likely to access this site via links on specially crafted blogs. What is interesting this time is that on the suspect site, users are required to download the so-called “Storm Codec” in order to view the video. Yes, you read that right: the codec is called Storm Codec. Of course, the “codec” is actually a NUWAR variant, which Trend Micro already detects as WORM_NUWAR.JQ since April 2.

    Exploits and Vulnerabilities

    BKDR_POISONIV.QI and EXPL_NEVAR.B
    A backdoor exploiting a recent vulnerability in Microsoft’s GDI processing was discovered right after Patch Tuesday last April 8. A file named TOP.JPG has been found to do this. It arrives on a system as an executable, now detected as EXPL_NEVAR.B. With just this opening available to malware authors, they can do pretty much anything after exploiting this vulnerability. Its specific routine is to connect to a URL to download a file named WORD.GIF (also detected as BKDR_POISONIV.QI).

    Web Incidents

    JS_DLOADER.TVP and JS_IFRAME.US
    Early this month, several Web sites were compromised by search engine optimization (SEO) poisoning. Among the compromised sites were those of Washington State University and several news sites such as the Sun Gazette and the Tribune-Chronicle. For the past few months, education Web sites (*.edu) have been the ones targeted for such attacks, averaging about three per month. In this recent incident, JS_IFRAME.US is the iFrame component inserted into the HTML code of the Web page. When the browser is redirected by this malicious iFrame, it downloads the malicious script file JS_DLOADER.TVP.

    That’s it for today. As of this writing, it seems that another Italian Job is underway, with ~100 compromised Web sites. We shall take a look at more of this in next month’s malware roundup.

    Tale of the iFrame Continues

    March 31st, 2008 by Jake Soriano (Technical Communications)

    Massive iFrame attacks on top Web sites still threaten online searches. The threat is not just continuing but, according to independent Internet security researcher Dancho Danchev, is getting bigger as well.

    Trend Micro has recently reported two high-traffic sites that were iFramed earlier this month. The said attack relied on popular search terms that were not validated in search engines. Interestingly, this previous attack came less than a week after search results of popular Web sites ZDNet Asia and TorrentReactor were also found to have been iFramed.

    Danchev says that the current poisoning also leads users to several redirection posts. He again lists what he believes are poisoned sites. These include the following:

    • USAToday.com
    • ABCNews.com
    • News.com
    • Target.com
    • Packard Bell.com
    • Walmart.com
    • Rediff.com
    • MiamiHerald.com
    • Bloomingdales.com
    • PatentStorm.us
    • WebShots.com
    • Sears.com
    • Forbes.com

    Trend Micro Threat Response engineers analyzed the said pages and found no traces of an ongoing compromise. The sites may have been already fixed by the time of our engineers’ verification. However, the threat in general continues to persist, as it would be very possible to encounter iFrame injections in some future time. Security researchers have yet to close in on a foolproof way to lock down a site from being compromised.

    Olympic Fans May Fall for Unpatched MS Excel Vuln

    March 9th, 2008 by Joseph Cepe (Threats Analyst)

    XLS files specially designed to exploit a currently unpatched vulnerability in Microsoft Excel (identified as CVE-2008-0081) are reportedly being sent as email attachments in the wild.

    The attachments, which arrive either as OLYMPIC.XLS or SCHEDULE.XLS, are capable of dropping and executing Windows binary executables. This Trojan also drops a non-malicious Excel file and opens it upon execution to trick the user into thinking it is the attached Excel file. Below are screenshots of the Excel files dropped by OLYMPIC.XLS and SCHEDULE.XLS respectively.

    OLYMPIC.XLS dropped file

    SCHEDULE.XLS dropped file

    Both OLYMPIC.XLS and SCHEDULE.XLS are observed to use similar exploit templates and even allow malware writers to customize the exploit to perform other routines.

    With the release of a security patch from Microsoft still a week away, malware authors are using this window of opportunity to infect a large number of computers. More information on this exploit can be found on this Microsoft Security Advisory.

    Trend Micro advises users to be wary of opening unsolicited email messages, and even more so of opening files attached to them. Trend Micro already detects the above files as TROJ_MDROP.AH as of Control Pattern 5.136.12.

    February Malware Roundup

    March 6th, 2008 by Jasper Pimentel (Advanced Threats Researcher)

    February started off with some compromised tour sites, one about Thailand and the other about the Pyrenees Mountains in Spain. As Valentine’s Day approached, numerous mailboxes probably received spammed messages containing a link from which NUWAR’s latest variant could be downloaded. The rest of the month was filled with spammed messages, uncovered exploits and compromised Web sites, and towards the last few days of February we witnessed another wave of the Italian Job. Here is last month’s malware roundup.

    Notable Malware

    TSPY_LDPINCH.FE
    This malware is the one behind the compromise of the Udiya Northern Thailand Tours Web site. Early in February, several pages on the Web site were compromised. When a link on the landing page is clicked, the user’s browser is redirected through a series of URLs, eventually leading to a download of this LDPINCH variant. On a similar note, the same technique was also used in the compromise of a Pyrenees Mountain tours Web site, only with a different malware family involved.

    JS_IFRAME.HX
    This is a malicious JavaScript that downloads a variant of ZLOB. The malicious code is present in a PHP page that is returned as a Google search result when a user enters the search string “Japanese schoolgirls.” Hentai has previously been seen as a social engineering technique, particularly around October last year, when a Trojan detected as TROJ_PUSHDO.AD was received via spammed email messages bearing a Hentai image.

    WORM_NUWAR.AR
    As expected, the infamous Storm worm (Nuwar) made its appearance once again shortly before Valentine’s Day. The malicious link contained in its spammed email messages led to a copy of the worm variant. It seems that this particular Nuwar variant contained routines to bypass the heuristic detection mechanisms of antivirus software. Upon close inspection of its code, Nuwar contained references to bogus API functions, clearly a ruse to avoid detection.

    BKDR_AGENT.AKJZ
    On February 18, a lunar eclipse occurred. Unfortunately, this astronomical event was taken advantage of by malware authors to lure users into downloading malware onto their systems. A spammed email message circulated during this time with a link to a supposed video of the eclipse. Of course, clicking on the link brings no video but downloads a copy of BKDR_AGENT.AKJZ instead.

    RTKT_PUSHU.AC
    This rootkit is a component of the malware families of WORM_NUWAR, TROJ_PUSHDO and TROJ_PANDEX. The catch: RTKT_PUSHU.AC actually disables other rootkits previously installed on the system, but only to infect the system with its own rootkit components or update components previously installed on the system.

    Web Incidents

    For February, more than 10 Web threat incidents were reported. 43% of the reported incidents involved legitimate Web sites that had been compromised to distribute malware. By Web site category, 20% of the reported incidents were related to entertainment.

    Exploit

    EXPL_PIDIEF.O
    Discovered by iDefense Labs researcher Greg McManus, this exploit was initially reported to Adobe in October 2007 but remained unacknowledged. SANS Internet Storm Center reported that the flaw remained unfixed, only to be patched three weeks after the first report of an exploit was found in an Italian forum. Served up through banner ads or spammed through email, the malicious PDF file designed to exploit this vulnerability connects to a certain IP address to download possibly malicious files.

    Myspace Exploit
    A vulnerability in the image uploader used by MySpace and Facebook was recently discovered by security researchers, bringing about issues of the possibility of exploits and malicious users gaining access to affected systems. Aurigma’s Image Uploader Control Library was found to have a buffer overflow vulnerability that could be exploited by an unknown user to compromise systems. MySpace and Facebook use the application for their image uploading functions.

    That’s all for today. What’s in store for March? As of this writing, we’ve just received reports of an email message being spammed around, apparently containing news of Fidel Castro’s death. The link contained in the message supposedly leads to a backdoor … More of this on next month’s malware roundup.
