The World Cup 2010 is the most popular event running right now. Cyber criminals didn't want to miss such a "good" opportunity and have already taken advantage of it in several ways: sending spam that leads to phishing sites, spreading malware and so on. All of these attacks go through end-point machines and steal users' personal information. This is the most common "modus operandi" of cyber criminals.
However, today we found an interesting attack that is apparently not related to money. The target was an Indonesian government Web server. The gang behind the attack put a defacement on the hacked Web server that is clearly related to World Cup activities:
If you visit the hacked Web site you will also hear an official World Cup song. In the past we have seen many cases of Web servers being hacked for political, racial and other motivations. Today we see that sport-related motivations, combined with competitive spirit, also influence cyber criminals to launch offensive campaigns.
At a time when cyber criminal activity is higher than usual, please pay special attention to your security. If you don't want to become a victim, just follow these basic security tips:
We have seen quite a few different and controversial comments regarding the recent attack on usa.kaspersky.com/support. People have questions and want answers: what really happened, and what risk did the penetration create?
As a member of the group dealing with the incident analysis, I would like to share our results.
We confirm that the vulnerability existed in the new version of usa.kaspersky.com/support. We analyzed the log files and found requests containing SQL injection. There were several attackers, with IP addresses belonging to Romanian ISPs. The requests were initially made with an automated tool; the screenshots showed that the hackers used a variant of an Acunetix tool.
Once the initial probes told the attackers that this section was vulnerable, they attempted to exploit the vulnerability manually to get data about the structure of the database. They used the Information_Schema database to query the existing table names and table columns. After collecting field names the attackers made a few attempts to extract data from the tables. Those queries failed because the attackers specified the wrong database. The attackers stopped after they had obtained only the column and table names from the database and decided to go for glory. No data-modification queries (UPDATE, INSERT, DELETE, etc.) were logged.
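As an added illustration of the log review described above (this is not code from the original post), the following Python script triages constructed web-server log lines for injection probes, separates Information_Schema enumeration from data-modification attempts, and summarises activity per source IP. The log lines, paths and IP addresses are constructed placeholders, not the real usa.kaspersky.com logs.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in Common Log Format; these are not the real usa.kaspersky.com logs.
SAMPLE_LOG = """\
10.0.0.7 - - [12/Feb/2009:09:14:02 +0000] "GET /support/faq.php?id=12 HTTP/1.1" 200 5120
10.0.0.7 - - [12/Feb/2009:09:14:05 +0000] "GET /support/faq.php?id=12%27+AND+1%3D1-- HTTP/1.1" 200 5120
10.0.0.7 - - [12/Feb/2009:09:15:11 +0000] "GET /support/faq.php?id=-1+UNION+SELECT+table_name,1+FROM+information_schema.tables-- HTTP/1.1" 200 7300
10.0.0.7 - - [12/Feb/2009:09:16:40 +0000] "GET /support/faq.php?id=-1+UNION+SELECT+column_name,1+FROM+information_schema.columns-- HTTP/1.1" 200 7400
10.0.0.7 - - [12/Feb/2009:09:18:03 +0000] "GET /support/faq.php?id=-1+UNION+SELECT+a,b+FROM+wrongdb.t-- HTTP/1.1" 500 312
10.0.0.9 - - [12/Feb/2009:09:20:00 +0000] "GET /support/search.php?q=delete+my+account HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
SQLI_RE = re.compile(r"(?i)\b(union\s+(all\s+)?select|information_schema|(or|and)\s+1\s*=\s*1)\b|'\s*(--|#)")  # UNION SELECT, schema access, tautology, quote then SQL comment
SCHEMA_RE = re.compile(r"(?i)information_schema\.(tables|columns)")
WRITE_RE = re.compile(r"(?i)\b(update\s+\w+\s+set|insert\s+into|delete\s+from|drop\s+table)\b")

def stage_of(query: str) -> str:
    """Classify a decoded query string: data modification, schema enumeration, or a generic probe."""
    if WRITE_RE.search(query):
        return "write"
    if SCHEMA_RE.search(query):
        return "schema_enum"
    return "probe"

def triage(log_text: str) -> list:
    """Return one finding per request whose decoded query string looks like SQL injection."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        query = unquote_plus(m.group("path").partition("?")[2]) if m else ""  # decode %27, + etc. before matching
        if SQLI_RE.search(query):
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"), "status": int(m.group("status")),
                             "stage": stage_of(query), "query": query})
    return findings

def summarize(findings: list) -> dict:
    """Per source IP: flagged requests, schema-enumeration queries, write attempts, and server errors."""
    by_ip = {}
    for f in findings:
        s = by_ip.setdefault(f["ip"], {"requests": 0, "schema_enum": 0, "write": 0, "errors": 0})
        s["requests"] += 1
        if f["stage"] in ("schema_enum", "write"):
            s[f["stage"]] += 1
        if f["status"] >= 500:
            s["errors"] += 1
    return by_ip
```

A summary with `write` at zero for every source is the log-side evidence behind a statement such as "no data-modification queries were logged"; a non-zero `errors` count next to `schema_enum` hits is the pattern of extraction attempts that failed.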
After conducting the attack, the attackers decided to show off their ‘great code of ethics’ by sending Kaspersky an email, on a Saturday, to several public email boxes. They gave us exactly 1 hour to respond, and posted on their blog without having received a response.
To sum up:
Yesterday we detected the onset of the latest mass hack attack: websites being hacked and links placed on them that lead to malicious servers. We estimate that in the last two days alone, between 2,000 and 10,000 servers, mainly Western European and American ones, have been hacked. It's not yet clear who is behind this.
We're still working on determining exactly how the sites were hacked, but two scenarios are the most likely: SQL injection, or the use of already-stolen accounts for the sites. One common factor is that the majority of the hacked sites run on some type of ASP engine.
These attacks aren't yet on the scale of the first attacks, which took place in spring this year and affected more than 1.5 million web resources. But things are still developing, and the similar nature of the malicious programs used in both attacks leads us to think that this new wave of attacks is potentially pretty serious.
It's been a bit of a bumpy ride in the Dutch blogosphere over the last couple of days.
One blog - www.geencommentaar.nl - decided to set up something I like to call a 'web 2.0 honeypot' in the form of a petition. The idea behind this was to attract the attention of the biggest blog in the Netherlands - www.geenstijl.nl - and get GeenStijl readers to comment.
GeenCommentaar logged the IP addresses of users who made offensive comments on the blog and created a database. (A lot of the offensive comments came from GeenStijl users.) Other bloggers could then check the database to see if a particular IP address had been tagged as offensive. Supposedly the idea behind this was to make life easy for other site/blog owners by offering an automatic way to filter out (probably) unwanted comments/content.
Quite a long time ago I contacted Microsoft regarding what I thought was an XSS vulnerability in IE.
Microsoft disagreed, preferring to call it a 'feature'.
And this is what I saw yesterday: a compromised site containing a modified GIF file which exploits this XSS vulnerability.
The GIF file contains an embedded iframe pointing to a malicious site. (Thankfully, the site is currently presenting a 'file not found' error message.)
Here's the GIF:
Clicking "view source" doesn't reveal any malicious code – and this makes a quick analysis of the threat more difficult.
Following this discovery we've contacted Microsoft again; hopefully they'll reconsider their position on this issue.
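An added example, not code from the original post: a small Python check for the kind of file described above, an image that also carries HTML markup which a content-sniffing browser may act on even though "view source" of the page shows nothing. The 1x1 GIF and the example.invalid placeholder URL are constructed test inputs, not the file from the compromised site.

```python
import re

GIF_MAGIC = (b"GIF87a", b"GIF89a")
# Markup that has no business inside an image; a content-sniffing browser may act on it anyway.
HTML_MARKER_RE = re.compile(rb"<\s*(iframe|script|object|embed|html|body|meta)\b", re.IGNORECASE)

# Constructed 1x1 GIF (the well-known minimal file); not the image from the compromised site.
CLEAN_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
             b",\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")
# Constructed test input: the same image with HTML appended after the GIF trailer byte (0x3B).
# The URL is a placeholder, not the malicious address from the original post.
POLYGLOT_GIF = CLEAN_GIF + b'<iframe src="http://example.invalid/placeholder"></iframe>'

def scan_image(data: bytes) -> dict:
    """Report HTML markup found inside what claims to be a GIF.

    An image decoder stops at the trailer, so trailing markup still renders as a
    picture; a browser that sniffs content types can treat the same bytes as HTML."""
    hits = [(m.start(), m.group(1).lower().decode("ascii")) for m in HTML_MARKER_RE.finditer(data)]
    is_gif = data[:6] in GIF_MAGIC
    return {
        "is_gif": is_gif,
        "tags": sorted({tag for _, tag in hits}),
        "first_offset": hits[0][0] if hits else None,
        "suspicious": is_gif and bool(hits),
    }

def scan_file(path: str) -> dict:
    """Convenience wrapper for scanning an image on disk."""
    with open(path, "rb") as fh:
        return scan_image(fh.read())
```

On the server side, sending `X-Content-Type-Options: nosniff` with image responses tells IE8 and later not to second-guess the declared content type, which is the behaviour the post relies on.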
A few days ago we started getting messages from users saying that their antivirus software had started detecting Trojans in the Flashget directory.
Analysis showed that the problem was affecting Flashget users all over the world. Files called inapp4.exe, inapp5.exe, and inapp6.exe (which are detected by Kaspersky Anti-Virus as Trojan-Dropper.Win32.Agent.exo, Dropper.Win32.Agent.ezxo, and Trojan-Downloader.Win32.Agent.kht) appeared on the victim machines.
The strangest thing was that no other Trojans were detected that could have been used to get the files listed above onto the system. Some affected users had fully patched operating systems and browsers. So how did the malicious programs penetrate their computers?
We've just confirmed multiple reports that asus.com, the site of a very well known hardware manufacturer, has been compromised. An iframe has been added which leads to the recent ANI exploit.
The URLs in the exploit variants which we've detected are currently down.
We're trying to get in touch with ASUS. This latest case shows that you can get infected when visiting legitimate sites, so you should always install patches as soon as you can.
There have been numerous unrelated web-site intrusions lately. The result is that a malicious script (usually a modification of Trojan-Downloader.JS.Psyme) is put on the server in place of the original index* file, so that when a user visits the web-site the script is immediately executed. During script execution a known, patched Microsoft IE vulnerability is exploited, which leads to the user's PC being infected with a Trojan spy. Inside the script, links to the Trojan usually (but not always) refer to some "sp.php".
How could the intrusions have been conducted? There are a few possible scenarios:
1. A live hacker intrusion.
The large number of very similar cases reduces the probability of this scenario to zero.
2. Massive automatic exploitation of web-server services.
Some of the logs of infected systems that I’ve had access to show that the malicious scripts are being uploaded via FTP, using existing FTP logins. This means that a hacker (whoever or whatever s/he/it may be) has had access to the server's logins and passwords, at least to some of them. OK, so the password file could have been obtained via a server vulnerability and the passwords could have been cracked, given that the MD5 algorithm isn’t the most up-to-date thing these days. But this scenario isn’t at all likely: according to the system logs, no tampering with system services has been registered. The only intrusion-related action registered is a direct FTP logon followed by files being uploaded. It may seem like a contradiction in terms, but as far as the server was concerned the intrusion was absolutely legitimate.
So what are the remaining probable/ possible intrusion scenarios?
Discarding the idea of sniffing, which is very unlikely, the only possibility left is…
3. Passwords stolen from end user machines.
What I’m picturing is a Windows Trojan which harvests passwords when it is run on a website admin's Windows box with FTP passwords stored on it (e.g. in Total Commander). This theory seems even more likely when we consider where the scripts are found: on servers for sites ranging from well known media sites to private unindexed sites. There’s no obvious logic to the selection, but it can be explained by a Trojan, because FTP user/password data is stored in FTP client software along with IP-address data.
If the malicious program has access to the IP/user/password FTP data, it doesn’t even have to send this data anywhere. It just needs to initiate an FTP session and infect the server with a malicious script (assuming the user has the appropriate FTP privileges, of course).
I strongly believe that #3 is the correct scenario, although I don’t have all the facts to prove it yet.
It may be very boring, but there’s an easy way to stop this epidemic of infected web sites:
- up-to-date MS patches,
- up-to-date AV bases,
- and a firewall.
plus all the common-sense anti-virus precautions such as ‘Do not run suspicious programs’, ‘Disable ActiveX in the browser’, etc.
And finally, a specific solution to this particular problem: avoid saving user/password data for FTP services (or, more generally, any user/password data) in Windows clients. The only question is, whose memory is good enough to follow this advice?
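An added example (not from the original post) of the server-side check that would catch the replaced index files described above: compare each page against a known-good hash and flag any script or iframe loaded from a host outside an allowed list, including references to an "sp.php". The sample pages, the allowed-host list and the 203.0.113.5 address (a documentation range) are constructed placeholders.

```python
import hashlib
import re

# Constructed sample pages; not the actual files from the compromised servers.
CLEAN_INDEX = """<html><head><title>Site</title>
<script src="/js/menu.js"></script></head><body>Welcome</body></html>"""
INJECTED_INDEX = CLEAN_INDEX.replace(
    "</html>", '<script src="http://203.0.113.5/cgi-bin/sp.php"></script></html>')  # placeholder host

ALLOWED_HOSTS = {"www.example.org"}  # assumed: hosts the site legitimately loads scripts from
SRC_RE = re.compile(r"<\s*(script|iframe)\b[^>]*\bsrc\s*=\s*['\"]?([^'\" >]+)", re.IGNORECASE)

def external_sources(html: str) -> list:
    """Return (tag, url, host) for every script/iframe whose src points to a host not on the allow list."""
    found = []
    for tag, url in SRC_RE.findall(html):
        m = re.match(r"(?i)https?://([^/:]+)", url)  # relative URLs are same-origin and skipped
        if m and m.group(1).lower() not in ALLOWED_HOSTS:
            found.append((tag.lower(), url, m.group(1).lower()))
    return found

def fingerprint(html: str) -> str:
    """SHA-256 of the page text, recorded when the site is known to be clean."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()

def audit(html: str, baseline_hash: str) -> dict:
    """Compare a page against its known-good hash and look for foreign script/iframe sources."""
    ext = external_sources(html)
    return {
        "changed": fingerprint(html) != baseline_hash,
        "foreign": ext,
        "mentions_sp_php": any(url.lower().endswith("sp.php") for _, url, _ in ext),
    }
```

Run `audit` over every index* file in the web root after each FTP upload (or on a schedule) and treat a `changed` page with a non-empty `foreign` list as the signature of the replacement described in the post.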
We’ve just been contacted by a user who let us know that www.adoronin.ru has been infected with Trojan-Downloader.JS.Agent.bx. This Russian site can be used to book tickets on-line for theatres, concerts, musicals, the circus and sporting events. As there’s a lot of interest in theatre and sport over here, the site gets pretty busy: a smart choice for a malicious user who wants to infect a lot of systems.
So how did our user realize the site was infected? He clicked on a banner leading to the site. The banner was placed on mail.ru, one of Russia’s biggest Internet portals with more than 3 million users. But then his antivirus started to react, as he put it, "strangely". It clearly showed him that the page he was trying to access was infected. It didn’t show the adoronin address, though, but an entirely different address. It was clear that code had been injected into the main page of the adoronin site: code that would then download Trojan-Downloader.JS.Agent.bx to the user’s machine.
The Web Anti-virus component of Kaspersky Anti-Virus 6.0 detected the malicious activity and asked the user whether he wanted to block it. This prevented his machine from being infected, and it gave us and the site administrator a heads-up: working with us, he was able to clean his site.
Yesterday, one of our users contacted us to tell us about the strange behaviour of his browser. While he was looking at www.5755.ru, his browser opened a second web page, and his Web anti-virus warned him that a Trojan program was being downloaded.
The user went to this site after he'd seen it advertised on television. He almost fell victim to a malicious attack: the site’s homepage contained a script that downloads Trojan-Downloader.JS.Psyme.ct, which in turn downloads Trojan-Downloader.Win32.Tiny.eo. Of course, the malicious programs placed on the site change from day to day, but happily, the Web anti-virus module in Kaspersky Anti-Virus 6.0 prevented this user from getting infected.
After investigating this a bit further, it turned out that at least 470 other servers had been subject to the same hacker attack. We found this out by searching Google for a string from the script which had been injected into the site.
All these servers had one thing in common - they were all hosted by Valuehost, the biggest hosting provider in Russia, which offers a home to more than 60,000 Russian web sites. Of course, the Valuehost administrators have been informed of the problem.