<![CDATA[[SecurityRatty] tag: vbs]]> http://securityratty.com/tag/vbs Mon, 10 Mar 2008 11:20:33 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss <![CDATA[Yet Another Massive SQL Injection Spotted in the Wild]]> http://securityratty.com/article/12b8db5bd43df2b62e54ac712ae9b35b http://securityratty.com/article/12b8db5bd43df2b62e54ac712ae9b35b Another SQL injection attack was spotted in the wild during the last couple of hours, and while it continues remaining active, surprisingly, the malicious domain is not in a fast-flux. As I've already pointed out, the upcoming SQL injection attacks for the next couple of months, will be primarily executed by copycats, where among the few differentiation factors left is increasing the survivability of the domain.

In the particular attack, the injected domain chliyi.com /reg.js loads an iFrame to chliyi.com /img/info.htm where a VBS script attempts to execute by exploiting MDAC ActiveX code execution (CVE-2006-0003), whose detection rate is 1/32 (3.13%) and is detected as Mal/Psyme-A. Approximately, 8,900 sites have been affected.
]]> Mon, 26 May 2008 06:58:01 +0000 domain domain chliyi attack sql injection attack vbs script attempts chliyi malicious domain sql injection attacks differentiation factors Yet Another Massive SQL Injection Spotted in the Wild <![CDATA[Skype Phishing Pages Serving Exploits and Malware]]> http://securityratty.com/article/4df4197bb1a3121904fb08c91ddfa078 http://securityratty.com/article/4df4197bb1a3121904fb08c91ddfa078 "Please, don't update your account information", at least not on recently spammed phishing pages which will not only aim at obtaining your accounting data, but will also infect with you malware through exploiting MS06-014. These phishing emails are a great example of blended threats, and while we're been witnessing the ongoing consolidation between phishers, spammers and malware authors for the last two years, this particular phishing campaign looks like a lone gunman operation.

Original message : "Dear valued skype member: It has come to our attention that your skype account informations needs to be updated as part of our continuing commitment to protect your account and to reduce the instance of fraud on our website. If you could please take 5-10 minutes out of your online experience and update your personal records you will not run into any future problems with the online service. However, failure to update your records will result in account suspension. Please update your records on or before May 11, 2008. you are requested to update your account informations at the following link. To update your informations."

Phishing URL : alertskype.freehostia.com, which is then forwarding to skypealert.ns8-wistee.fr/Secure.skype.com/store/member/login.html/Login.aspx/index/Skype.Members/index.htmls/ where the malware and the exploit are hosted.

Scanners result : Result: 3/31 (9.68%)
VBS/Small.W.1; Exploit-MS06-014
File size: 13569 bytes
MD5...: 4d6a559adf0602f7fd58b884e00894dc
SHA1..: 056f75e0dd94d03daeb04ae83d1b4a1b7476c0f2
SHA256: 3f08427228489edffd57e927db571aea06716c192ec72f91ea8115c0c7f978eb

The phishing page wasn't created, but copied from Skype's original login page. The phisher even left an email within the VBS, in this case - ikbaman@gmail.com. Virtual greed or contact point optimization for fraudulent purposes, passive phishing attacks can sometimes be quite active and leave the curious clicker with a false feeling of security.
]]> Fri, 09 May 2008 03:00:15 +0000 skype account informations account informations account skype account information malware informations original login page result Skype Phishing Pages Serving Exploits and Malware <![CDATA[Wired.com and History.com Getting RBN-ed]]> http://securityratty.com/article/43140f23637e75c4ac1b173b0948fe77 http://securityratty.com/article/43140f23637e75c4ac1b173b0948fe77 Monitoring last week's IFRAME injection attack at high page rank-ed sites, reveals a simple truth, that persistent simplicity seems to work. The attack is still ongoing, this time successfully injecting a multitude of new domains into Wired Magazine, and History.com's search engines, which are again caching anything submitted, particularly not validated input to have the malicious parties in the face of the RBN introducing a new malware, in between the pharmaceutical scams that they serve on the basis of an affiliation model. So, after "CNET stops IFRAME site attacks - who's next?" in terms of high-profile sites, that is Wired.com and History.com

Key summary points :

- the same malicious parties behind the CNET and TorrentReactor's IFRAME injection are also the ones behind Wired.com and History.com's abuse of input validation

- the IFRAME injection entirely relies on the lack of input validation within their search engines, making executable code possible to submit and therefore automatically execute upon accessing the cached page with a popular search query

- many other domains have been introduced within the IFRAMEs, a complete list of which you can find in this post, several directly hosted within RBN's network

- the main domain serving the heavily obfuscated VBS malware is located within the Russian Business Network's known netblocks

- given the high page ranks of the current and the previous targets, it is evident that the malicious parties are prioritizing based on the possibility to abuse input validation on high page rank-ed sites, presumably in an automated fashion

- Keep it Simple Stupid works, as since they cannot find a way to embedd the IFRAME at these hosts, a clear indicating of the fact that they've breached them, they figured out a way to inject the IFRAMEs and again take advantage of the high page ranks to attract traffic by gaining on popular key words, or any kind of key words that they want to

Sites currently affected next to Wired.com and History.com :
fhp.osd.mil
hcc.cc.gatech.edu
buffalo.edu
uninews.unimelb.edu.au
uvm.edu
jurist.law.pitt.edu
bushtorrent.com
torrentportal.com


Newly introduced domains within the IFRAMEs :
f3w.info (74.54.95.242)
chdjzn.info (75.125.181.78)
gmjett.info (75.125.181.89)
yscmps.info (75.125.181.124)
egkjnx.info (75.125.208.242)
qkecep.info (75.125.181.99)
qxdprq.info (75.125.181.113)
yscmps.info (75.125.181.124)
mqghrd.info (75.125.181.82)
yydcaj.info (75.125.181.122)
ecwrhk.info (75.125.181.86)
zdksgj.info (75.125.181.112)
stysqf.info (75.125.181.67)
egyffr.info (75.125.181.112)
prnprn.info (75.125.181.106)
fast-look.com (195.225.176.25)
fami4ka.net (217.20.127.217)
looseais.info (70.47.105.5)
my-ringtones.org (78.108.182.164)
eyzempills.com (81.222.139.184)
leohin.com (58.65.239.10)
is-t-h-e.com (69.50.167.165)
89.149.220.85

Where are the IFRAMEs relocating the visitor to?
search-vip.org/pharmacy/search.php?q= (195.225.178.19)
pharma-cist.com/item.php?id=156 (81.222.139.93)
vip-pharmacy.org (195.225.178.19)
adultfriendfinder.com/go/g665961
gift-vip.net/images/index1.php

Where's the malware?
The malware is loading from gift-vip.net/images/index1.php (195.225.178.19) where upon loading another IFRAME pointing to e.pepato.org/e/ads.php?b=3029 (58.65.238.59) which is using HostFresh proving hosting, dns services courtesy of INTERCAGE-NETWORK-GROUP, or the The Russian Business Network in all of its netblock diversity. It seems that pepato.org, currently hosted on one of RBN's netblocks, also made an appearance at malware embedded attack at a .gov site recently.

Scanner results : 3% Scanner(1/36) found malware!
File Size : 16643 byte
MD5 : 99eae1a189443c1a87681579cb4b5dbd
SHA1 : 89a04c4d06f51aa6d6cb54925a2c84d2bbdba06b
Arcavir - Trojan.HTML.JScript.Freebs.gen.9 under the JS:Feebs family; W32/Feebs-Fam ;JS.Feebs.Gen

Several more currently active internal pages serving variants :
e.pepato.org/e/ads.php?b=3029
e.pepato.org/e/ads_nl.php?b=1006
e.pepato.org/e/ads.php?b=1004
e.pepato.org/e/adsr.php?t=0
e.pepato.org/e/mdqt.php
e.pepato.org/e/e1004.html

Monitoring these connected incidents will continue, particularly the RBN connection, and other high profile sites' susceptibility to their attack methods.

Related embedded malware research :
Embedding Malicious IFRAMEs Through Stolen FTP Accounts
Yet Another Massive Embedded Malware Attack
MDAC ActiveX Code Execution Exploit Still in the Wild
Malware Serving Exploits Embedded Sites as Usual
Massive RealPlayer Exploit Embedded Attack
Syrian Embassy in London Serving Malware
Bank of India Serving Malware
U.S Consulate St. Petersburg Serving Malware
The Dutch Embassy in Moscow Serving Malware
U.K's FETA Serving Malware
Anti-Malware Vendor's Site Serving Malware
The New Media Malware Gang - Part Three
The New Media Malware Gang - Part Two
The New Media Malware Gang
A Portfolio of Malware Embedded Magazines
Another Massive Embedded Malware Attack
I See Alive IFRAMEs Everywhere
I See Alive IFRAMEs Everywhere - Part Two

Related RBN research :
RBN's Phishing Activities
RBN's Puppets Need Their Master
RBN's Fake Account Suspended Notices
A Diverse Portfolio of Fake Security Software
Go to Sleep, Go to Sleep my Little RBN
Exposing the Russian Business Network
Detecting the Blocking the Russian Business Network
Over 100 Malwares Hosted on a Single RBN IP
RBN's Fake Security Software
The Russian Business Network
]]> Mon, 10 Mar 2008 11:20:33 +0000 malware vbs malware malware attack rbn media malware gang iframe injection attack iframe injection malware research high-profile sites Wired.com and History.com Getting RBN-ed