[SecurityRatty] tag: indexes

Smells Like a Copycat SQL Injection In the Wild

Mon, 28 Jul 2008 01:51:23 +0000

In between the massive SQL injections, that as a matter of fact remain ongoing, copycats taking advantage of the very same SQL injection tools using public search engine's indexes as a reconnaissance tools, are also starting to take advantage of localized and targeted attacks, attacking specific online communities. Among these is mx.content-type.cn /day.js using day.js to attempt multiple exploitation using publicly obtainlable exploits such as Adodb.Stream, MPS.StormPlayer, DPClient.Vod, IERPCtl.IERPCtl.1, GLIEDown.IEDown.1, and targeting primarily Chinese web communities.

Compared to a bit more sophisticated attack tactics applied by Chinese hackers, taking advantage of localized versions of the de facto web malware exploitation kits, those who don't have access to such continue using cybercrime 1.0 DIY exploit embedding tools at large. The rest of the SQL injected domains as well as the exploits themselves are parked on the same plaee - 222.216.28.25, also responding to :

down.goodnetads .org
ads.goodnetads .org
real.kav2008 .com
hk.www404 .cn
err.www404 .cn
mx.content-type .cn
sun.63afe561 .info
ads.633f94d3 .info
ads.1234214 .info
ad.50db34d5 .info
ads.50db34d5 .info
ad.8d77b42a .info
web.adsidc .info
free.idcads .info
free.cjads .info
ads.adslooks .info
list.adslooks .info
ad.5iyy .info

The SQL injected domains :
ads.633f94d3.info/day .js
ad.8d77b42a.info/day .js
ad.5iyy.info/day .js
free.idcads.info/day .js
efreesky.com/day .js
v.freefl.info/day .js

The internal structure :
free.idcads.info/f/index .htm
free.idcads.info/014 .htm
free.idcads.info/real11 .htm
free.idcads.info/real10 .htm
free.idcads.info/lz .htm
free.idcads.info/bf .htm
free.idcads.info/kong .htm
free.idcads.info/f/swfobject .js
ad.50db34d5.info//rm%5C/rm .exe

Parked domains responding to the command and control locations, 60.191.223.76 and 222.216.28.100 :
ftp.gggjjj .info
live.ads002 .net
log.goodnetads .org
dat.goodnetads .org
root.51113 .com
sun.update999 .cn
abb.633f94d3 .info
up.50db34d5 .info
web.cn3721 .org
dat.goodnetads .org
cs.rm510 .com
sb.sb941 .com
k.sb941 .com
info.sb941 .com
day.sb941 .com
post.ad9178 .com
v.91tg .net

Centralizing their scammy ecosystem always makes it easier to monitor, keep track of, and of course, expose.

Related posts:
SQL Injecting Malicious Doorways to Serve Malware
Yet Another Massive SQL Injection Spotted in the Wild
Malware Domains Used in the SQL Injection Attacks
SQL Injection Through Search Engines Reconnaissance
Google Hacking for Vulnerabilities
Fast-Fluxing SQL injection attacks executed from the Asprox botnet
Sony PlayStation's site SQL injected, redirecting to rogue security software
Redmond Magazine Successfully SQL Injected by Chinese Hacktivists

The Malicious ISPs You Rarely See in Any Report

Mon, 30 Jun 2008 05:31:08 +0000

The recently released badware report entitled “May 2008 Badware Websites Report" lists several Chinese netblocks tolerating malicious sites on their networks. As always, these are just the tip of the iceberg out of a relatively good sample that the folks at Stopbadware.org used for the purposes of their report. In the long term however, with the increasing prelevance of fast-fluxing, a country's malicious rating could become a variable based on the degree of dynamic fast-fluxing abusing its infrastructure in a particular moment in time. Moreover, forwarding the risk and the malicious infrastructure to malware infected hosts, and exploited web servers, creates a "twisted reality" where the countries with the most disperse infrastructure act as a front end to the countries abusing it, ones that make it in any report, since they are the abusers.

The report lists the following malicious netblocks, a great update to a previous post on "Geolocating Malicious ISPs" :

- CHINANET-BACKBONE No.31,Jin-rong Street
- CHINA169-BACKBONE CNCGROUP China169
- CHINANET-SH-AP China Telecom (Group)
- CNCNET-CN China Netcom Corp.
- GOOGLE - Google Inc.
- DXTNET Beijing Dian-Xin-Tong Network Technologies Co., Ltd.
- SOFTLAYER - SoftLayer Technologies Inc.
- THEPLANET-AS - ThePlanet.com Internet Services, Inc.
- INETWORK-AS IEUROP AS
- CHINANET-IDC-BJ-AP IDC, China

With some minor exceptions though, in the face of the following ISPs you rarely see in any report - InterCage, Inc., Softlayer Technologies, Layered Technologies, Inc., Ukrtelegroup Ltd, Turkey Abdallah Internet Hizmetleri, and Hostfresh. Ignoring for a second the fact that the "the whole is greater than the sum of it's parts", in this case, the parts represent RBN's split network. Since it's becoming increasingly common for any of these ISPs to provide standard abuse replies and make it look like there's a shutdown in process, the average time it takes to shut down a malware command and control, or a malicious domain used in a high-profile web malware attack is enough for the campaign to achieve its objective. The evasive tactics applied by the malicious parties in order to make it harder to assess and prove there's anything malicious going on, unless of course you have access to multiple sources of information in cases when OSINT isn't enough, are getting even more sophisticated these days. For instance, the Russian Business Network has always been taking advantage of "fake account suspended notices" on the front indexes of its domains, whereas the live exploit URLs and the malware command and controls remained active.

And while misconfigured web malware exploitation kits and malicious doorways continue supplying good samples of malicious activity, we will inevitable start witnessing more evasive practices applied in the very short term.

Related posts:
The New Media Malware Gang - Part Three
The New Media Malware Gang - Part Two
The New Media Malware Gang
HACKED BY THE RBN!
Rogue RBN Software Pushed Through Blackhat SEO
RBN's Phishing Activities
RBN's Puppets Need Their Master
RBN's Fake Account Suspended Notices
A Diverse Portfolio of Fake Security Software
Go to Sleep, Go to Sleep my Little RBN
Exposing the Russian Business Network
Detecting the Blocking the Russian Business Network
Over 100 Malwares Hosted on a Single RBN IP
RBN's Fake Security Software
The Russian Business Network

The "E" word

Mon, 23 Jun 2008 20:00:00 +0000

I met with a merchant this morning to talk PCI compliance. Like many of the conversations I've had with merchants, things got a bit more interesting when the discussion focused on cardholder data protection. They joked that the new rev of the PCI Standard, version 1.2 -- due out in October -- would eliminate the data protection requirements. All joking aside, the truth is that data protection isn't going anywhere when it comes to the PCI DSS. While there are other alternatives, such as hashed indexes, truncation and...

Sensitive Columbia University student information exposed for 16 months

Sun, 15 Jun 2008 19:32:25 +0000

Technorati Tag: Security Breach

Date Reported:
6/12/08

Organization:
Columbia University

Contractor/Consultant/Branch:
None

Victims:
Current and former students

Number Affected:
5,000

Types of Data:
Housing information including Social Security numbers

Breach Description:
"On June 3, Columbia University's Housing and Dining department was informed that one archival database file containing the housing information of approximately 5,000 current and former undergraduate students was found on a Google-hosted website."

Reference URL:
New York, The Sun
The BWOG
Columbia Housing & Dining SSN Security Breach petition

Report Credit:
The BWOG

Response:
From the online sources cited above:

On June 3, Columbia University's Housing and Dining department was informed that one archival database file containing the housing information of approximately 5,000 current and former undergraduate students was found on a Google-hosted website.
[Evan] Columbia University was informed by an alumna. The URL for the information was code.google.com/p/cu-super-hw2/downloads/list. To see how the page looked on 5/23/08, see here (this is a cached site that does not allow for any disclosure of information, and may not be available for long).

Google removed this file, at our request, that same day.
[Evan] Some students reported that some of the personal information was available in cached indexes for some time.

Columbia Public Safety investigators have concluded that this security breach was unintentional.

No financial data was included in the file in question, and we have no evidence of wrongdoing or identity theft.

It appears that the file was inadvertently posted by a former student employee in February 2007.
[Evan] The question people are asking is why did a student have access to such sensitive information and what kind of training was provided for handling confidential information. Obviously mistakes are much more common in situations where people are not well trained.

Columbia would not identify the student, saying only that the person had worked in the university's housing office.

it is important for you to be aware that your name and Social Security Number were included in the file.

We are very sorry for this occurrence.

Columbia University is continually strengthening its measures to protect Social Security Numbers where they are required in our systems.

Housing & Dining manually eliminated Social Security Numbers from its online room
selection process and contracts in April 2007.
[Evan] This was a good move in my opinion. Social Security numbers shouldn't be required for housing selection at college.

Further, in spring 2008, Columbia Housing and Dining implemented a new software system to manage and improve the housing assignment, contract, and billing processes which also does not use Social Security Numbers.
[Evan] Another good move. Automated processes are much less error prone.

Columbia has arranged for you to receive a free two-year subscription to a credit monitoring service

We sincerely apologize for the inconvenience this has caused you.

If you should have any questions or comments, please contact us by calling 1(888) 882-7331 or by emailing studentservices-assist@columbia.edu (mailto:studentservices-assist@columbia.edu).

Several students yesterday created an online petition and posted it to the main campus Web log, demanding that the university investigate the former employee and issue a report explaining how security will be increased.
[Evan] The petition site is located at this URL: www.petitiononline.com/breach/petition.html

style="font-weight: bold;">Commentary:
The cause of this breach seems obvious. It seems that a poorly trained, part-time student-employee posted confidential information online and probably gave little thought to any potential security implications. Poorly trained, part-time employees will probably make more mistakes than well trained, full-time employees. Makes sense. It's probably not a good idea to allow poorly trained, part-time employees to handle sensitive information.

I am glad to read that Columbia University Housing & Dining services no longer uses Social Security numbers in "online room selection process and contracts" or "housing assignment, contract, and billing processes".

I suggest that readers take a look at the comments on The BWOG article.

Past Breaches:
April, 2007 - "three databases containing students' addresses and Social Security numbers were online" according the The Sun story (referenced above)

Former NYU personal information exposed at Duke University

Wed, 21 May 2008 10:27:07 +0000

Technorati Tag: Security Breach

Date Reported:
5/20/08

Organization:
New York University

Contractor/Consultant/Branch:
Duke University, Fuqua School of Business

Victims:
Former NYU students

Number Affected:
273

Types of Data:
Names and Social Security numbers

Breach Description:
"DURHAM, N.C. - Duke University’s Fuqua School of Business is notifying 273 former New York University students that some of their personal information was inadvertently accessible by targeted Internet searches between July 2007 and April 2008."

Reference URL:
The News & Observer
NBC Channel 17 News

Report Credit:
Eric Ferreri, The News & Observer

Response:
From the online sources cited above:

DURHAM - Duke University's Fuqua School of Business is notifying 273 former New York University students that some of their personal information was inadvertently accessible by targeted Internet searches between July 2007 and April 2008.
[Evan] The information was public and went unnoticed by school, IT, and information security officials for nine months.

The NYU students were part of a 1997 class taught by a professor who now teaches at the Duke business school
[Evan] Why would a professor ever need access to Social Security numbers? NYU may use or might have used Social Security numbers as student numbers. Many schools are migrating away from this practice due to obvious (hopefully) privacy implications. It is troubling that a former professor was allowed to leave NYU with confidential information belonging to students.

The professor is not identified

The personal data included student names and Social Security numbers, and was contained in the faculty member’s NYU research records.
[Evan] Did the professor not notice that he/she had Social Security numbers as part of his/her research records?

There has been no indication of any unauthorized access or use of the personal information

Duke’s Internet security team has ascertained that the information could have been accessed only if searched by specific student names, along with a search code for Social Security numbers.
[Evan] I suppose we could take them at their word although it would be very difficult to state this claim with certainty. Search algorithms are very closely guarded secrets by Google, Yahoo, et. al.

The personal information was removed from Fuqua's public drives within 30 minutes of the school becoming aware of the problem on April 30.
[Evan] The ability to post information for public consumption must be closely monitored by organizations, and those with permissions must be properly trained.

Within hours, all major search engines had cleared their caches and indexes of the student information

Fuqua began notifying the former NYU students immediately after receiving addresses from NYU

Fuqua officials have undertaken a thorough review of the school’s electronic accounts to ensure no personal information is subject to unauthorized access.

No former or current Fuqua students were affected.

Commentary:
Most of my commentary is remarked above. What do the schools plan to do in order to reduce the chances of this happening again?

Past Breaches:
Unknown

Stealing Sensitive Databases Online - the SQL Style

Sun, 11 May 2008 21:13:00 +0000

In a perfect world from a malicious SQL-ers perspective, mom and pop E-shops filling market niches and generating modest but noticeable revenue streams, have their E-shops vulnerable and exploitable to web application vulnerabilities, with their SQL databases available for extraction in an unencrypted form.

In reality, reconnaissance through search engine's indexes to build a hit list of E-shops with a higher probability for exploitation, is what malicious attackers who lack the skills and capacity to build a botnet, even invest money into renting one on demand and collecting the output in the form of credit cards numbers and accounting data, have been doing for the past of couple of years. Moreover, as I've already pointed out and provided relevant examples, it's perhaps even more disturbing to see the automated process of building such hitlists, verifying that they're exploitable, remotely exploiting them by embedding malicious links within their pages, and of this made possible through the use of botnets.

The whole is greater than the sum of its parts, and while some are putting time and efforts into figuring out whether or not a specific vulnerability is exploited, and through the use of which hundreds of thousands web sites again end up injected with automatically loading links to malicious domains, the bad guys are keeping it simple, sometimes way too simple to end up with the most successful and efficient ways to achieve their objectives. Furthermore, waging verbal warfare on whether or not XSS are a greater security risk than currently perceived, is definitely making a lot of malicious attackers out there enjoy the lack of situational awareness of those who are supposed to have a better grasp of what they're up to, not what they might be up to.

The bottom line - from a malicious economies of scale perspective, are massive SQL injections attacks serving malware to a speculated number of hundreds of thousands susceptible to clien-side attacks exploitation site visitors, more effective, than obtaining the low-hanging databases in a site-specific vulnerability manner? Depends entirely on what the bad guys are trying to obtain, access to as many infected hosts as possible to be later on used for phishing, spamming, stepping stones, hosting and distribution of malware and conducting OSINT for corporate espionage by segmenting the infected population into organizations of importance, or access to "the whole" benefits package coming with having a complete access over an Internet connected host.

Fake Directory Listings Acquiring Traffic to Serve Malware

Tue, 29 Apr 2008 23:17:00 +0000

Malicious parties are known to deliver what the unsuspecting and unaware end user is searching for, by persistently innovating at the infection vector level in order to serve malware or redirect to live exploit URLs in an internal ecosystem that not even a search engine's crawlers would bother crawling. What's the trick in here? Using image files as bites to malware binaries, and acquiring traffic by generating fake directory indexes with hundreds of thousands of popular or segment specific keywords in the filenames, while attempting to trick the impulsive leecher by forcing a direct loading of anything malicious? Creative, at least according to someone who's released such a fake directory listing, and is what looks like planning to come up with an automated approach for doing this.

Inside a non-malicious download.php file :

$file = "sexy.gif"; header("Content-type: application/force-download"); header("Content-Transfer-Encoding: Binary"); header("Content-Disposition: attachment; filename=\"".basename($file)."\""); readfile("$file"); ?>

Spammers, phishers, malware authors, and of course, black hat search engine optimizers, are known to have been using technique for enforcing downloads, loading live exploit URls, or plain simple redirection to a place where the malicious magic happens.

A fake directory listing of images, where the images themselves load image files of the icon to make themselves look like images - trying saying this again, and consider this attack tactic as SEO 1.0, where the 2.0 stage has long embraced GUIs and all-in-one anti-doorway detection techniques for blackhat SEO-ers to take advantage of.

Malware filters bad for business

Thu, 10 Apr 2008 20:00:00 +0000

Up to 80% of Web sites flagged as malicious by antivirus and search engine indexes are legitimate businesses, according to security experts.

Experience The Benefits Of Intel® vPro™ Technology	Advertisement
Get Built-In Security And Remote Management Capabilities. Meet Critical Business Challenges.

UNICEF Too IFRAME Injected and SEO Poisoned

Tue, 01 Apr 2008 03:42:20 +0000

The very latest, and hopefully very last, high profile site to successfully participate in the recently exposed massive SEO poisoning, is UNICEF's official site. In fact the campaign is so successful, where successful means that each and every poisoned result loads the injected IFRAME using UNICEF.org as a doorway to pharmaceutical spam and scams, that one of the most prolific domains within the IFRAMES (highjar.info) is already returning "Bandwidth Limit Exceeded. The server is temporarily unable to service your request due to the site owner reaching his/her bandwidth limit. Please try again later" messages.

This is the perfect moment to point out that as of yesterday's afternoon the search engines that were indexing the SEO poisoned pages have implemented filters so that the malicious pages no longer appear in their indexes, thereby undermining the critical success factor for this campaign - hijacking search traffic. Case closed? At least for now, and even though the black hat SEO is taken care of the last time I checked, some of the sites originally mentioned, and many others still need to take care of the web application vulnerabilities.

Tracking this campaign in a detailed manner inevitably results in a quality actionable intelligence data, in between the added value out of the historical preservation of evidence. The malicious parties behind this know what they're doing, they've been doing it in the past, and will continue doing it, therefore it's extremely important to document what was going on at a particular moment in time. It's all a matter of perspective, some care about the type of vulnerability exploited, others care who's hosting the rogue security applications and the malware, others want to establish the RBN connection, and others want to know who's behind this. Virtual situational awareness through CYBERINT is what I care about.

Let's close the case by assessing UNICEF.org's IFRAME injection state as of yesterday's afternoon. What is highjar.info/error (75.127.104.26) anyway? Before it felt the "UNICEF effect" in terms of traffic, it used to be a "Easy SEO | A Coaching Site For BEGINNING webmasters". And the last time it was active, the injected redirect was forwarding to ravepills.com/?TOPQUALITY (69.50.196.63) and RavePills is what looks like a "legal alternative to Ecstasy" :

"On the other hand, Rave is the safest option available to you without the fear of nasty side-effects or a long time in jail. Rave gives you the same buzz that the illegal ones do but without any proven side-effects. It's absolutely non-addictive & is legal to possess in every country. Rave gives you the freedom to carry it anywhere you go as it also comes in a mini-pack of 10 capsules."

IFRAMES injected within UNICEF.org :

highjar.info (75.127.104.26)
viagrabest.info (81.222.139.184)
pharmacytop.net (216.98.148.6)
grabest.info

Now that the entire campaign received the necessary attention and raised awareness on its impact, let's move onto the next one(s), shall we?

The Pseudo "Real Players"

Mon, 14 Jan 2008 15:12:00 +0000

What happened with the recent RealPlayer massive embedded malware attack? Two of the main hosts are now, and the third one ucmal.com/0.js is strangely loading an iframe to ISC's blog in between the following 61.188.39.218/pingback.txt which was returning the following message during the last couple of hours "You're welcome for being saved from near infection".

As I'm sure others too like to analyze post incident response behavior of the malicious parties, in respect to this particular attack, during the weekend they took advantage of what's now a patent of the Russian Business Network, namely to serve a fake 404 error message but continue the campaign. However, in RBN's case, only the indexes were serving the fake account suspended messages, but the campaign was still active on the rest of the internal pages. In the RealPlayer's campaign case, the 404 error messages themselves were embedded with the same IFRAMEs as well, in order to make it look like there's an error, at least in front of the eyes of the average Internet user.

Despite that the main campaign domains are blocked on a worldwide scale, the hundreds of thousands of sites that originally participated are still not clean and continue trying to load the now down domains. Moreover, the big picture has to do with a fourth domain as well, yl18.net/0.js, that used to be a part of the same type of massive malware embedded attack in November, 2007.

Why pseudo "real players" anyway? Because for this attack, they took advantage of what can be defined as a fad, namely the use seperate exploit as the cornerstone of the campaign, at least if its massive infection they wanted to achieve. The "real players" or script kiddies on the majority of occasions, serve exploits on a client-side matching basis, and therefore the more diverse the exploits set, the higher the probability a vulnerable application will be detected and exploited. Therefore, given the number of sites affected it could have been much worse than it is currently based on speculations of the success rate of the campaign in terms of infections, not the sites affected - a success by itself. Execution gone wrong given the foundation for the attack - until the next time.