Posts filed under 'Vulnerabilities'
May 7th, 2008 by Macky Cruz (Technical Communications)
Our researchers “followed the bouncing Web threat” in this newly discovered spate of hacked legitimate Web sites. Advanced Threats Researcher Paul Ferguson posted about this mass compromise on the blog yesterday, when it was still a “developing issue originating from various locations in China for the past few days that we (security researchers) are still piecing together.”
It appears that several thousand Web sites have been compromised — via SQL injection — with embedded malicious JavaScript that redirects users to two major malicious URLs (winzipices.cn and bbs.jueduizuan), both of which are now gaining quite the reputation as fellow researchers scramble to determine the “end game” in this extraordinarily convoluted attack.
Here is a general diagram illustrating basically what happens on the user side:

The Web site compromises were accomplished in the same manner as other recent mass compromises: through poor .asp and ASP.NET configuration that allows exploitation via SQL injection.
WINZIPICES.CN
Legitimate, yet compromised, Web sites found to be hosting the (embedded) JS_DLDR.AW redirected visitors to an .ASP script which, in turn, redirects to any one of three URLs.
These redirections happen instantaneously, without the user knowing it. Some of these redirections lead to URLs that randomize an image in the Web page, a definitive routine that is used for advertisements. It also uses cookies to determine the TTL of the image and possibly change the image once the TTL expires.
However, a more dangerous path, which the user has no way of detecting (let alone stopping), ends in the download of JS_DLOADER.AEHM and TROJ_REALPLAY.BR. Both download TROJ_AGENT.AKVP onto the infected system. This Trojan drops a copy of itself and downloads a file containing a list of malicious sites.

As one of our researchers followed the 2.asp path further, we found yet more executables, including autorun malware detected by our patterns as WORM_AUTORUN.CBZ.
While some of the involved files look harmless by themselves, closer investigation into their relationships with one another reveals a possible attempt at information theft.
For instance, a file named stat.htm includes the browser version, system language, and platform of the infected PC and then attempts to upload these statistics to a remote location. We have also stumbled upon a possible signature or marker in one of the files, a certain (graffiti) “Power by Cnzz.”
BBS.JUEDUIZUAN
This is another malicious URL that can be seen in various compromised sites (~1,510 pages). The redirection path in this case is shown below:

JS_AGENT.ALIP is the offending script in this attack. Compromised sites found hosting this script have been modified to contain an iFrame detected as HTML_IFRAME.AAK.
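Both paths above start with something injected into an otherwise legitimate page: an embedded script (JS_DLDR.AW) or an iframe (HTML_IFRAME.AAK) pointing off-site. As an added example that is not code from the original post, the scanner below parses a page's HTML and reports every off-site `<script>` or `<iframe>` include, marking the two redirector hosts named in the post as known-bad; the sample page and the `clinic.example.org` site host are constructed.

```python
"""Added example (not code from the original post): scan a page's HTML for the
kind of injected remote <script>/<iframe> references the mass compromise left
behind. The sample page is constructed; the flagged hosts are those the post names."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Redirector hosts as written in the write-up.
KNOWN_BAD = {"winzipices.cn", "bbs.jueduizuan"}


class InjectionFinder(HTMLParser):
    """Collects (tag, host, verdict) for every off-site script/iframe src."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        src = dict(attrs).get("src")
        host = urlparse(src).hostname if src else None
        if host is None or host == self.site_host:
            return  # relative or same-origin include: expected on a normal page
        verdict = "known_bad" if host in KNOWN_BAD else "offsite"
        self.findings.append((tag, host, verdict))


def scan_html(html, site_host):
    """Return off-site script/iframe includes in document order."""
    finder = InjectionFinder(site_host)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample: a legitimate page carrying two injected tags plus one
# benign third-party widget, so the two verdicts can be told apart.
SAMPLE_PAGE = """<html><head><title>City Clinic</title>
<script src="/js/menu.js"></script>
<script src="http://winzipices.cn/1.js"></script></head>
<body><p>Welcome</p>
<iframe src="http://bbs.jueduizuan/x.htm" width="0" height="0"></iframe>
<iframe src="http://cdn.example.net/widget.html"></iframe>
</body></html>"""

if __name__ == "__main__":
    for tag, host, verdict in scan_html(SAMPLE_PAGE, "clinic.example.org"):
        print(f"{verdict:10} <{tag}> loads from {host}")
```

An "offsite" hit is not proof of compromise (ad networks and CDNs are loaded the same way), so compare the list against the includes the site is known to use before acting on it.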
The following malicious files are downloaded on the user’s system upon visiting (and being redirected from) compromised sites:
DAMAGE COUNT
The number of Web sites affected had reached ~9,000 as of 19:50 PDT, among them several legitimate medical, educational, government, and entertainment sites all over the world.
A survey of the site locations already includes India, the UK, Canada, France, and China. This observation suggests that instead of a single Web server compromise or a heavily targeted attack, this attack could have been the work of an automated tool programmed to search through Web sites for vulnerabilities.
Here are screenshots of a couple of the compromised sites:


Our researchers believe this is similar to the attacks earlier this year involving uc8010.com, ucmal.com, rnmb.net, etc., which appear to be related output of a certain Chinese language hacking tool (see image below):

Also, we have been informed that a new version of this tool has very recently appeared and, unfortunately, it (as well as the latest one) is now free for public download and is posted for anyone who wants to download it.

The resulting package, once all the attacker-selected options have been set, creates the same .html file that has been used to launch various exploits.
In particular (matching the snapshot of the kit), options in this kit reveal interesting translations such as “PPS Overflow” — which translates roughly to PowerPlayer Control exploit; “Thunder 0day” — which translates to XunLei Thunder Player exploit; “Real 0day” — which is most probably pertinent to the RealPlayer exploit, and so on.
Correlating the code snippets and the exploits used, this points to the same gang that perpetrated nihaorr1.com on April 29th and which went live sometime Monday.
There have been similar attacks using older tools, but it appears that using fewer files and less redirection has contributed to the growing number of affected sites. The fact that an updated version was just released last week does not make next week's forecast clear of this current style of attack either.
Consolidated findings of the Advanced Threats Research Team and Web Threat Protection team at TrendLabs
April 14th, 2008 by Macky Cruz (Technical Communications)

Here is yet another case of Patch Tuesday/Exploit Wednesday. While the bounty hunt for software vulnerabilities is still very much an active industry, malware authors have been seen to watch for (and ultimately prey on) vulnerabilities disclosed by legitimate software vendors. This isn't as irrational as it looks; malware authors are not looking for massive hits, just the numerous few who do not take enough care to download and install software patches.
A few days after the regular Patch Tuesday last April 8, our researchers were alerted to an exploit-backdoor tandem that specifically takes advantage of the vulnerability discussed in Microsoft Security Bulletin MS08-021 (classified as critical). This vulnerability lies in the Graphical Device Interface (GDI) available in Windows operating systems. The exploitation of this vulnerability allows an attacker to take full control of a computer system.
A file named TOP.JPG has been found to successfully use this flaw. It was found hosted on sites, and arrives on a system as an executable which is now detected as EXPL_NEVAR.B. Its specific routine connects to a URL to download a file named WORD.GIF (which is also detected by Trend Micro, as BKDR_POISONIV.QI). Backdoors silently execute commands on the compromised computer without the user knowing it.
Users should update applications and operating systems the moment patches are available.
April 3rd, 2008 by Jake Soriano (Technical Communications)
After the famous two minutes it took three security researchers to hack the equally famous Apple MacBook Air, Computerworld reports that another security researcher accomplished a similar feat, this time on a Vista notebook.
The said notebook was running on the Windows Vista Ultimate platform and comes with an installed Flash Player from Adobe. A critical vulnerability in Flash was successfully exploited by Shane Macaulay, a consultant at Security Objectives, enabling him to break into a Fujitsu U810 running Windows Vista Ultimate SP1, and making him the owner of the notebook as well. Macaulay and two other researchers also received a cash reward for this.
This would be the second high-profile hacking in "PWN to OWN," a challenge that seeks to expose vulnerabilities and bugs in PCs and laptops. The contest offers prizes to researchers who successfully unveil unknown system and software glitches that may be exploited by malicious users in the future.
The challenge requires the winners to remain silent about their hacking method until after the vendors of affected software have provided the necessary patches and solutions.
If it is any consolation, no one won the "PWN to OWN" first-day challenge, which required that laptops be broken into without user interaction and using only remote code execution. The two successful exploits were done by tricking users and by replicating their behaviors.
Trend Micro advises users to consistently apply patches for all installed applications to address known vulnerabilities.
March 31st, 2008 by Roderick Ordoñez (Technical Communications)
Sony states that unauthorized access through the PLAYSTATION®Store, a content download service of the PLAYSTATION®Network, may have occurred. This obviously compromises the millions of accounts subscribed to the said network. The full transcript is given here.
However, Sony reassures its customers that only a small percentage of users are affected, and that since PLAYSTATION Network accounts do not display entire credit card numbers, any unauthorized access to a PLAYSTATION Network account is very unlikely to compromise anyone’s credit information.
If you are a Playstation gamer subscribed to this service, it may be time to check your login credentials. “If you can successfully sign in with your pre-set password, your account is not affected by this incident…,” so goes Sony’s statement.
With malware authors also targeting online gaming, where virtual commodities may fetch higher values than their tangible counterparts, this news may come as no surprise. For gamers, online identity is worth its weight in gold, and it would be devastating to see one’s account hacked, and all hard-earned loot stolen, effectively laying all those hours of hard work to waste.
As with any online account, Trend Micro advises caution and compliance to best industry practices. Use strong passwords, change them frequently, and never share them with anyone else. In this regard, a password change is almost mandatory. Nobody wants a real-world “game over.”
March 31st, 2008 by Jovi Umawing (Technical Communications)
Scores of reports flooded the Internet about WordPress 2.3.3 being hacked and exploited by a certain automated JavaScript (JS) that led users to links to various sites, which also contain the script.
WordPress users and visitors reported encountering a phishing attempt (a wily one, too) wherein users were prompted to register with the blog first, as a requirement before they could leave a comment. Note, though, that most of these sites do not require any registration. Sites with open registration in their WordPress blogs were very much vulnerable, as these are purported to be the very target of this exploit.
Once the vulnerability has been exploited, the script creates a folder named 1 in the user's wp-content folder. This script then populates the created folder with a list of various spammy Web page links, mostly related to adult sites and gambling sites. The page links were found to contain the JS script as well.
In this blog post, the author made an analysis of the g.js script file, which was common to all affected pages. The body of the said .JS code contained the following strings:

Figure 1
Upon closer inspection, one can easily make out the Web site address http://www.preservesitecolorado.org. As of this writing, the site looked bare (see Figure 2), unlike the one described in the blog post, where the site showed a brief overview of the company/organization and contact information. PreserveSiteColorado.Org was purported to be hosted in China (1)(2)(3)(4)(5).

Figure 2
Hackers also flooded affected pages with links pointing to other infected sites in the comments section of the blog, consequently defacing the page itself. Below is a sample screenshot of the said defacement:

Figure 3
I attempted to search for affected pages myself with Google using the search string inurl:wp-content/1/ (see Figure 4). To date, there are now 21,800 pages purportedly affected by the exploit. Using the search string allinurl:wp-content/1 (see Figure 5), there are now 22,500 pages…and possibly rising. Note also that Google does not flag these pages as something that could potentially harm a system. Though that is the case, not clicking on any of them is still the wise course of action.
![Google Index Results for [inurl:wp-content/1/]](http://www.trendmicro.com/vinfo/images/blog/blog_wordpress1.gif)
Figure 4
![Google Index Results for [allinurl:wp-content/1]](http://www.trendmicro.com/vinfo/images/blog/blog_wordpress2.gif)
Figure 5
As of this writing, a fix for this vulnerability has yet to be issued by WordPress. (You may, however, find this and this useful.) As a workaround, users may want to close their registration feature. Also, be wary of third-party plug-ins you install in your blog sites.
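Blog owners who want to know whether their own install carries the indicators described in this post (the unexpected wp-content/1 folder of link pages and the shared g.js include) can check the document root directly. The check below is an added example, not code from the original post or from WordPress; the sample install it builds is constructed, and example.invalid is a placeholder host.

```python
"""Added example (not the original post's code): check a WordPress document
root for the indicators described above: an unexpected wp-content/1 folder of
link pages and any file that pulls in a g.js script. The fixture is constructed."""
import os
import re
import tempfile

# Matches <script ... src="...g.js"> on any host; the spam pages all shared g.js.
GJS_RE = re.compile(r"<script[^>]+src=[\"']?[^\"'>]*\bg\.js\b", re.I)
PAGE_EXT = (".html", ".htm", ".php", ".js")


def check_wordpress(docroot):
    """Return findings; no spam dir and an empty gjs_refs list means clean."""
    spam_dir = os.path.join(docroot, "wp-content", "1")
    result = {"spam_dir_exists": os.path.isdir(spam_dir), "spam_pages": 0, "gjs_refs": []}
    if result["spam_dir_exists"]:
        result["spam_pages"] = sum(1 for n in os.listdir(spam_dir) if n.lower().endswith(PAGE_EXT))
    for dirpath, _, files in os.walk(docroot):
        for name in files:
            if not name.lower().endswith(PAGE_EXT):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                if GJS_RE.search(fh.read()):
                    result["gjs_refs"].append(os.path.relpath(path, docroot).replace(os.sep, "/"))
    result["gjs_refs"].sort()
    return result


def build_fixture(docroot):
    """Constructed sample install: a clean theme footer plus two injected link
    pages. example.invalid is a placeholder host, not one from the post."""
    clean = "<script src='/wp-includes/js/jquery.js'></script>"
    spam = ("<html><body><a href='http://example.invalid/casino'>win</a>"
            "<script src=\"http://example.invalid/g.js\"></script></body></html>")
    files = {"wp-content/themes/default/footer.php": clean,
             "wp-content/1/casino.html": spam, "wp-content/1/adult.html": spam}
    for rel, body in files.items():
        path = os.path.join(docroot, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)


def demo():
    """Build the fixture in a fresh temp dir and run the check over it."""
    root = tempfile.mkdtemp()
    build_fixture(root)
    return check_wordpress(root)
```

Run `check_wordpress("/path/to/wordpress")` against a real install; `demo()` only exercises the constructed fixture.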