Posts filed under 'Vulnerabilities'

WordPress 2.3.3 Invaded by Wily JavaScript

March 31st, 2008 by Jovi Umawing (Technical Communications)

Scores of reports flooded the Internet about WordPress 2.3.3 being hacked and exploited by a certain automated JavaScript (JS) that led users to links to various sites, which also contain the script.

WordPress users and visitors reported having encountered a phishing attempt (a wily one, too) wherein users were prompted to register with the blog first as a requirement before they could leave a comment. Note though that most of these sites do not require any registration. Sites with open registration in their WordPress blogs were very much vulnerable, as these are purported to be the very target of this exploit.

Once the vulnerability has been exploited, the script creates a folder named 1 in the user's wp-content folder. It then populates the created folder with a list of various spammy Web page links that are mostly related to adult sites and gambling sites. The page links were found to contain the JS script as well.

In this blog post, the author analyzed the g.js script file, which was common to all affected pages. The body of the said .JS code contained the following strings:

G.JS Code
Figure 1

Upon closer inspection, one can easily make out the Web site address http://www.preservesitecolorado.org. As of this writing, the site looked bare (see Figure 2), unlike the one described in the blog where the site showed a brief overview about the company/organization and contact information. PreserveSiteColorado.Org was purported to be hosted in China (1)(2)(3)(4)(5).

PreserveSiteColorado.Org Web Site
Figure 2

Hackers also flooded affected pages with links pointing to other infected sites in the comments section of the blog, consequently defacing the page itself. Below is a screenshot sample of the said defacement:

Screenshot of Defaced site due to Comment Spamming
Figure 3

I attempted to search for affected pages myself with Google using the search string inurl:wp-content/1/ (see Figure 4). To date, there are now 21,800 pages purportedly affected by the exploit. If using the search string allinurl:wp-content/1 (see Figure 5), there are now 22,500 pages…and possibly rising. Note also that Google does not flag these pages as something that could potentially harm a system. Though that is the case, not clicking on any of them is still the wise course of action.

Google Index Results for [inurl:wp-content/1/]
Figure 4

Google Index Results for [allinurl:wp-content/1]
Figure 5

As of this writing, a fix for this vulnerability has yet to be issued by WordPress. (You may, however, find this and this useful.) As a workaround, users may want to close their registration feature. Also, be wary of third-party plug-ins you install in your blog sites.
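The two indicators named in this post (an unexpected `wp-content/1` directory and pages that pull in a `g.js` script from an external host) are easy to check for on one's own server. The following scanner is an added example, not code from the original post or from WordPress; the sample site it builds is constructed for the demonstration, and `example.invalid` stands in for whatever host a real injected script would point at.

```python
"""Scan a WordPress document root for the indicators described in the post.

Added example, not from the original post: it looks for the unexpected
``wp-content/1`` directory and for pages that include a ``g.js`` script.
The indicator names come from the post; the sample site built below is
constructed here for the demonstration.
"""
import os
import re
import tempfile

# Matches <script ... src="http://host/path/g.js"> with any quoting style.
SCRIPT_REF = re.compile(
    r'<script[^>]*src\s*=\s*["\']?(?P<src>[^"\'\s>]*\bg\.js)', re.IGNORECASE)
PAGE_EXTENSIONS = {".php", ".html", ".htm"}


def scan_wordpress_root(root):
    """Return the indicators found under *root*.

    ``spam_dirs``   -> list of unexpected ``wp-content/1`` directories
    ``script_refs`` -> list of (relative file, script URL) pairs for g.js includes
    """
    findings = {"spam_dirs": [], "script_refs": []}
    spam_dir = os.path.join(root, "wp-content", "1")
    if os.path.isdir(spam_dir):
        findings["spam_dirs"].append(spam_dir)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in PAGE_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for match in SCRIPT_REF.finditer(fh.read()):
                    findings["script_refs"].append(
                        (os.path.relpath(path, root), match.group("src")))
    return findings


def build_sample_site():
    """Create a constructed sample WordPress tree and return its root."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    os.makedirs(os.path.join(root, "wp-content", "1"))
    os.makedirs(os.path.join(root, "wp-content", "themes", "default"))
    # Constructed spam link page of the kind the post describes.
    with open(os.path.join(root, "wp-content", "1", "index.html"), "w") as fh:
        fh.write('<html><body><a href="#">casino</a>'
                 '<script src="http://example.invalid/g.js"></script></body></html>')
    # Clean theme file for contrast: a legitimate script include is not flagged.
    with open(os.path.join(root, "wp-content", "themes", "default", "header.php"), "w") as fh:
        fh.write('<?php wp_head(); ?>'
                 '<script src="/wp-includes/js/prototype.js"></script>')
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for key, items in scan_wordpress_root(site).items():
        print(key, items)
```

Run it against the real document root instead of the sample tree; an empty result for both keys is what a clean install should produce, while a hit on `spam_dirs` is the cue to remove the folder and then hunt for how it got there.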

It Takes Two Minutes to Hack A Mac!

March 31st, 2008 by Aileen Clemente (Technical Communications)

The Mac world is shaken. IDG News Service’s Robert McMillan reports that Charlie Miller and two other security researchers from Independent Security Evaluators hacked the wickedly slim Apple MacBook Air in a fleeting two minutes and walked away with a $10,000 cash prize, the gorgeous laptop, and tons of bragging rights in the CanSecWest PWN to OWN 2008 contest held in Vancouver. Miller’s earlier claim to fame was being one of the researchers who first hacked the iPhone last year. That must make him Apple’s most favorite person in the whole world!

This contest, other than giving hackers an opportunity to win big money, aims to present new vulnerabilities in certain systems so that the affected vendors can address them. Open for attack were a Sony VAIO VGN-TZ37CN running Ubuntu 7.10, a Fujitsu U810 running Vista Ultimate SP1, and as mentioned, a MacBook Air running OSX 10.5.2. As of this writing, the VAIO and Fujitsu are still standing strong.

Miller’s team was able to expose the MacBook Air’s vulnerability by “tricking” the judges into visiting a Web site where they had already set up attack code. According to the sponsor’s Web site, the TippingPoint DVLabs blog, a newly discovered vulnerability in Safari, the browser that comes pre-installed on the Air, was used to gain control of the system. Understandably, the more detailed method cannot be made public, as previously agreed in a contract signed by the contestants.

Zero-Day Exploits Target Microsoft Jet Flaw

March 27th, 2008 by JM Hipolito (Technical Communications)

Investigations are currently being conducted as reports of targeted attacks through an unpatched security flaw in Microsoft’s Jet Database Engine have surfaced.

This vulnerability is exploited through a specially crafted Microsoft Word document detected by Trend Micro as TROJ_EMBED.AA. The Word file launches a Microsoft Database (MDB) file detected as TROJ_MSJET.C, which serves as a mail-merge file once the document is opened. At this point the vulnerability is exploited, allowing the Word document to drop a malicious .EXE file on the affected system.

The mentioned Word file also drops files that Trend Micro detects as the following:

  • TROJ_AGENT.TBS
  • TROJ_SMALL.EGV
  • BKDR_DARKMOON.AC
  • TSPY_KEYLOG.CF

The following software are vulnerable to this attack:

  • Microsoft Word 2000 Service Pack 3
  • Microsoft Word 2002 Service Pack 3
  • Microsoft Word 2003 Service Pack 2
  • Microsoft Word 2003 Service Pack 3
  • Microsoft Word 2007
  • Microsoft Word 2007 Service Pack 1 on Microsoft Windows 2000
  • Windows XP
  • Windows Server 2003 Service Pack 1

On the other hand, systems running under Windows Server 2003 Service Pack 2, Windows Vista, and Windows Vista Service Pack 1 are not affected by this vulnerability, as they include a version of the Microsoft Jet Database Engine that is no longer vulnerable to this issue.

More information regarding this vulnerability can be found in this advisory from Microsoft:

  • Microsoft Security Advisory (950627)

The Microsoft Jet (Joint Engine Technology) Database Engine is the underlying building block of Microsoft’s databases (collections of information structured in a certain way), allowing the manipulation of relational databases via a single interface.

Users are advised to keep their scan engines, applications and operating systems updated and to avoid clicking on attachments in spammed email messages.

February Malware Roundup

March 6th, 2008 by Jasper Pimentel (Advanced Threats Researcher)

February started off with some compromised tour sites, one about Thailand and the other about the Pyrenees Mountains in Spain. As Valentine’s Day approached, numerous mailboxes probably received spammed messages containing a link where NUWAR’s latest variant could be downloaded. The rest of the month was filled with spammed messages, uncovered exploits and compromised Web sites, and towards the last few days of February we witnessed another wave of the Italian Job. Here is last month’s malware roundup.

Notable Malware

TSPY_LDPINCH.FE
This malware is the one behind the compromise of the Udiya Northern Thailand Tours Web site. Early in February, several pages in the Web site were compromised. When a link on the landing page of the Web site is clicked, the user’s browser is redirected to a series of URLs, eventually leading to a download of this LDPINCH variant. On a similar note, the same technique is also used in the compromise of this Pyrenees Mountain tours Web site, only a different malware family is involved.

JS_IFRAME.HX
This is a malicious JavaScript that downloads a variant of ZLOB. The malicious code is present in a PHP page that is returned as a Google search result when a user enters the search string “Japanese schoolgirls.” Hentai has previously been seen as a social engineering technique, particularly around October last year, when a Trojan detected as TROJ_PUSHDO.AD was received via spammed email messages bearing a Hentai image.

WORM_NUWAR.AR
As expected, the infamous Storm worm (Nuwar) made its appearance once again shortly before Valentine’s Day. The malicious link contained in its spammed email messages led to a copy of the worm variant. It seems that this particular Nuwar variant contained routines to bypass the heuristic detection mechanisms of antivirus software. Upon close inspection of its code, Nuwar contained references to bogus API functions, clearly a ruse to avoid detection.

BKDR_AGENT.AKJZ
On February 18, a lunar eclipse occurred. Unfortunately this astronomical event was taken advantage of by malware authors to lure users into downloading malware onto their systems. A spammed email message spread around during this time, with a link to a video of the eclipse. Of course, clicking on the link brings no video but downloads a copy of BKDR_AGENT.AKJZ instead.

RTKT_PUSHU.AC
This rootkit is a component of the malware families WORM_NUWAR, TROJ_PUSHDO and TROJ_PANDEX. The catch: RTKT_PUSHU.AC actually disables other rootkits previously installed on the system, but only to infect the system with its own rootkit components or to update components previously installed on the system.

Web Incidents

For February there were more than 10 Web threat incidents reported. 43% of the reported incidents were actually legitimate Web sites that had been compromised to distribute malware. With respect to Web site category, 20% of the reported incidents were related to entertainment.

Exploit

EXPL_PIDIEF.O
Discovered by iDefense Labs researcher Greg McManus, this exploit was initially reported to Adobe in October 2007 but remained unacknowledged. SANS Internet Storm Center reported that the flaw remained unfixed, only to be patched three weeks after the first report of an exploit was found in an Italian forum. Served up through banner ads or spammed through email, the malicious PDF file designed to exploit this vulnerability connects to a certain IP address to download possibly malicious files.

MySpace Exploit
A vulnerability in the image uploader used by MySpace and Facebook was recently discovered by security researchers, raising the possibility of exploits and of malicious users gaining access to affected systems. Aurigma’s Image Uploader Control Library was found to have a buffer overflow vulnerability that could be exploited by an unknown user to compromise systems. MySpace and Facebook use the application for their image uploading functions.

That’s all for today. What’s in store for March? As of this writing, we’ve just received reports of an email message being spammed around, apparently containing news of Fidel Castro’s death. The link contained in the message supposedly leads to a backdoor … More of this on next month’s malware roundup.

VMware Bug Provides Escape Hatch

February 28th, 2008 by Macky Cruz (Technical Communications)

VMware is one of the more popular virtualization products these days. Its home page describes virtualization as a technology bound to change the IT landscape, as it allows one to “transform hardware into software.” By “virtualizing” hardware resources including the CPU, RAM, etc., multiple virtual machines can share resources without interfering with one another. It has thus proven to be a handy tool for intensive security research, as well as for the creation and use of test environments without harming the actual system.

However, Core Security Technologies has very recently reported a bug that allows malicious users to escape the virtual environment and actually penetrate the host system running it. The bug exists in the shared folder feature of the Windows client-based virtualization software. VMware has, for the meantime, advised users to disable shared folders. The company has also made clear that the vulnerability is not present in its server line, and that in newer versions the user must actually turn on the feature to become susceptible to this attack.

VMware discloses this vulnerability on this page.

Core Security Technologies has a full disclosure on this page. The vulnerability ID for this finding is CVE-2008-0923 at the National Vulnerability Database.

Trend Micro researchers are bent on giving you the freshest information on the latest threats. We are posting our findings in real-time, so please stand by for updates as we uncover more details on this particular threat.
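Since the advised workaround is to disable shared folders, an administrator with many guests will want to check each `.vmx` file rather than trust the GUI. The audit below is an added example and not VMware's or Core Security's code: it parses the `.vmx` key/value format and reports shared folders that are present and enabled while the feature as a whole has not been switched off. The key names (`sharedFolderN.present`, `sharedFolderN.enabled`, `sharedFolderN.hostPath`, `isolation.tools.hgfs.disable`) are used here as the editor understands VMware's configuration format, and the sample configuration is constructed for the demonstration.

```python
"""Audit a VMware .vmx configuration for shared folders reachable from the guest.

Added example, not VMware's or Core Security's code. It reads the
``key = "value"`` lines of a .vmx file and lists shares that are present and
enabled unless the shared-folder (HGFS) feature is disabled globally. The key
names below are assumptions about VMware's format; SAMPLE_VMX is constructed.
"""
import re

VMX_LINE = re.compile(r'^\s*([\w.:-]+)\s*=\s*"(.*)"\s*$')
SHARE_KEY = re.compile(r'^sharedFolder(\d+)\.(\w+)$')


def parse_vmx(text):
    """Return the key/value pairs of a .vmx file; lines that do not match are ignored."""
    config = {}
    for line in text.splitlines():
        match = VMX_LINE.match(line)
        if match:
            config[match.group(1)] = match.group(2)
    return config


def is_true(value):
    """VMX booleans are the quoted strings TRUE/FALSE in either case."""
    return value is not None and value.strip().upper() == "TRUE"


def audit_shared_folders(config):
    """Return the host paths of shared folders still exposed to the guest.

    An empty list means the workaround from the post (shared folders off) is in
    effect for this guest.
    """
    # Assumed global switch: when TRUE, individual share entries are inert.
    if is_true(config.get("isolation.tools.hgfs.disable")):
        return []
    shares = {}
    for key, value in config.items():
        match = SHARE_KEY.match(key)
        if match:
            shares.setdefault(match.group(1), {})[match.group(2)] = value
    exposed = []
    for index in sorted(shares, key=int):
        entry = shares[index]
        # Conservative reading: a share with no explicit "enabled" key is
        # treated as enabled so that it is flagged for review.
        if is_true(entry.get("present")) and is_true(entry.get("enabled", "TRUE")):
            exposed.append(entry.get("hostPath", "<no hostPath>"))
    return exposed


# Constructed sample: one enabled share, one disabled share, feature not turned off.
SAMPLE_VMX = r'''.encoding = "windows-1252"
config.version = "8"
displayName = "analysis-vm"
sharedFolder.maxNum = "2"
sharedFolder0.present = "TRUE"
sharedFolder0.enabled = "TRUE"
sharedFolder0.readAccess = "TRUE"
sharedFolder0.writeAccess = "TRUE"
sharedFolder0.hostPath = "C:\Shared\Samples"
sharedFolder0.guestName = "Samples"
sharedFolder1.present = "TRUE"
sharedFolder1.enabled = "FALSE"
sharedFolder1.hostPath = "C:\Shared\Tools"
'''

if __name__ == "__main__":
    config = parse_vmx(SAMPLE_VMX)
    print("exposed shares:", audit_shared_folders(config))
    hardened = dict(config, **{"isolation.tools.hgfs.disable": "TRUE"})
    print("after workaround:", audit_shared_folders(hardened))
```

Against the sample, the audit names the one enabled share; adding the global disable key empties the list, which is the state to confirm on every Windows-hosted guest until the patched build is installed.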
