Thursday, October 01, 2009

Cyber Security Awareness Month: Day One

The Department of Homeland Security has designated the month of October to be Cyber Security Awareness Month, and we are off with a bang!

ASProx Compromised Webpages



Last night we received word that the ASProx SQL injection attack was back in full swing. After several months of no activity, this botnet is back to its old tricks of attacking vulnerable the ASP pages on IIS Servers trying to add a malicious javascript link to legitimate webpages by manipulating the underlying Microsoft SQL servers.

The main site which is hosting the malicious code right now is "ads-t.ru". Sites which have been hacked by this attack tool will contain a tag which leads to the page "ads-t.ru/ads.js". A quick Google search for this string will currently reveal more thousands of webpages which have had this code injected.

The Javascript causes an IFRAME to be loaded which causes the following file to be loaded:
adtcp.ru/ad/index.php

That domain was registered on September 29th with the email address omit@blogbuddy.ru

I wasn't sure if I should try my malware analysis VM 30,000 feet over Wichita Kansas, but I gave it a shot. The index.php file downloads a hostile Flash Player file:

/ad/spl/files/8628468724.swf

That file is only 797 bytes. VirusTotal has 1 of 41 detects for it, with Symantec calling it "Bloodhound.Exploit.266". The MD5 is 148a8c05fb0b63f036f024e2104a6e4c

The index.php files also causes a malicious PDF file to be downloaded. When the PDF file is opened by an older version of Adobe Reader, the computer becomes infected with one of the "scareware" fake Anti-virus products.

Unfortunately, I don't have a vulnerable copy of Adobe Flash Player handy, so I can't tell you yet what is downloaded by this flash file.


Let's take a search engine agnostic approach for a moment though:

Google.com shows pages injected with:
www.ads-t.ru/ads.js
www.bannert.ru/ads.js
www.bannerdriven.ru/ads.js
www.adtcp.ru/ads.js


Bing.com lists these as the top sites injected with "ads-t.ru":

justcorvettes.com
positiveresults.com
denver.mixliving.com
wirtzrealty.com
leonedirect.com
sandiegomix.com
thepartypeople.com.au
texasmoving.com
pcain.org
s-ecto.com
mpgourmet.com.au
equinehealthcentre.com
specialeducatorsamerica.com

Yahoo! lists only 823 results on ads-t.ru/ads.js with top hits being:
portalhomes.com
pocketlearn.com
justcorvettes.com
positiveresults.com
leonedirect.com
isleofman.com
tccs.org
visittheheart.com
scottsdirectories.com
tccs.org
healthgene.com
artsednj.org
bestpetsupply.com
chargrilled.com.au
healthyhomerecipes.com
lopeor.com
acrosser.com

AOL's search gives a number of results for "ads-t.ru/ads.js". One thing that cracks me up is the "sponsored links"! Can someone possible have bought adwords for that? When I search the path for this hostile Russian hosted javascript attack tool, I am told that:

"Apartments in El Paso, TX" LiveATIndependence.com/FortBliss
and
"TRUE.com The Safest Site in Online Dating" www.TRUE.com
and
"Tv Ads, Create & Run Video Ads Online" www.SpotMixer.com/video

are sponsored links for that search.

The domain names involved in this scam are all Fast Flux hosted, meaning that machines belonging to a botnet are used to resolve the website addresses. The traffic is then proxied from those IP addresses to the "real" criminal server. Here are some recently used IP addresses. If anyone recognizes that botnet, please shoot me an email:

24.17.154.91
24.65.94.114
24.113.68.58
24.151.19.155
24.210.184.44
24.220.226.110
65.189.239.122
66.223.140.55
67.180.252.95
67.185.125.93
67.233.93.235
68.38.133.22
68.40.167.165
69.151.150.145
69.181.182.250
69.245.96.203
70.44.247.207
71.108.37.140
71.121.172.27
71.202.204.125
72.39.29.137
74.130.69.226
74.132.42.47
75.15.183.0
75.34.216.140
75.37.106.134
75.62.36.251
76.87.82.83
76.99.70.115
76.179.209.62
77.86.61.126
81.182.27.22
81.183.112.36
82.126.78.225
82.131.156.180
82.131.217.88
82.131.222.164
83.173.149.63
84.0.96.52
85.67.62.86
86.101.168.70
88.153.34.164
89.200.152.188
91.82.134.228
92.141.150.234
92.249.203.67
94.21.19.98
94.220.214.111
96.245.233.90
96.245.238.218
98.134.46.213
98.150.54.94
128.192.33.6
141.154.188.249
147.134.182.51
147.134.222.113
165.123.143.179
207.168.223.80
207.168.223.92
209.19.94.197
209.55.68.243
216.119.45.147
216.229.86.21



IRS Version of Zeus



I'm actually blogging this using my free trial of Delta's "GoGo" WIFI service as I fly back from San Jose, where I was speaking at the Merchant Risk Council meeting. What is the primary email that I'm downloading this morning? Its still the fake IRS emails which are being used to distribute the IRS version of the Zeus Bot trojan.

So far this flight I've received 330 copies of the current IRS Zeus email. The domain names used in these emails are:

www.irs.gov.hyu111a.com
www.irs.gov.vsdftpp.org
www.irs.gov.vsdftpp.in
www.irs.gov.vsdftpp.mobi
www.irs.gov.vsdftpp.biz
www.irs.gov.msrvtpp103.eu
www.irs.gov.msrvtpp102.eu
www.irs.gov.msrvtpp101.be
www.irs.gov.msrvtpp102.com

The binary its dropping is brand new - I was the first one to have it scanned at VirusTotal. As usual with the new binaries, detection is not very good, 9 of 41 antivirus products are currently detecting it, but at least we do have some of the Big AV Guns on board.

See the VirusTotal Report Here.

Detects from F-Secure, Kaspersky, McAfee, Microsoft, Sophos, Sunbelt, and VBA32 right now.

File size: 96256 bytes
MD5...: 36ac39070d175b21cb2f46e2bdfe668c


Don't Be a Phishing Victim



Today's BBC News quotes Rohyt Belani, the founder and chief executive of Intrepidus Group, a security consultancy:


"Our studies have shown that within the first hour of someone receiving a phishing e-mail, 60% of people click on them. That is not enough time for the security folks to act."


I agree with Rohyt totally, and would urge the consumer message of the day to be "BE CAREFUL with links in your email". If your bank really has an important message for you, go to your bank's website in the way you would normally log in, and do so. If there are important messages from your bank, you should be able to find them there easily.

No comments:

Post a Comment

Turning comments back on. I will censor, so please be polite! If you would like to share information privately, please leave a "Contact Me" post and I will reach out. Thank you!