CURRENT ACTIVITIES
Trojan Gimmiv.A exploits Microsoft Windows Server Service Vulnerability
Date : October 24, 2008
Updated: November 18, 2008
It is reported that the Trojan Gimmiv.A is exploiting a vulnerability in the Microsoft Windows Server service, which stems from improper handling of specially crafted remote procedure call (RPC) requests. Further details of the vulnerability are available in CERT-In vulnerability note CIVN-2008-170 dated 24th October 2008.
Successful exploitation of this vulnerability may give an attacker complete control of an affected system and allow sensitive personal information to be harvested from the infected machine.
The Trojan Gimmiv.A is also known as Generic Dropper [McAfee], Mal/Generic-A [Sophos] and TrojanSpy:Win32/Gimmiv.A [Microsoft].
Upon execution the Trojan drops the files winbase.dll, basesvc.dll and syicon.dll into the directory %System%\Wbem. After dropping and loading these DLLs, the Trojan collects system information from the compromised computer, harvests passwords from the Windows protected storage and the Outlook Express password cache, and posts the collected details to a remote host. The details are posted in encrypted form, using AES (Rijndael).
The Trojan also fetches a few files from the following websites:
- http://summertime.1goku[removed].com
- http://perlbod[removed].com
- http://dorado[removed].com
The DLL basesvc.dll is responsible for network propagation. It starts by probing other IPs on the same network, sending each a short byte sequence ("abcde" or "12345"). It then attempts to exploit the responding machines by sending a malformed RPC request to a vulnerable Server service. The Server service exposes its RPC interface over the named pipe SRVSVC, registered with the UUID 4b324fc8-1670-01d3-1278-5a47bf6ee188. The malware binds to the SRVSVC interface and sends a maliciously crafted RPC request which triggers a buffer overflow.
It has also been observed that a commercial malware toolkit customized for different Windows versions is available on the Internet. The attack kit includes enhanced features such as a kernel rootkit and anti-virus software termination.
Some anti-virus vendors detect the toolkit as Exploit-MS08-067, and the dropped exploit and port-scanning tool as the Exploit-MS08-067 trojan and the Tool-TCP Scan application respectively.
Countermeasures
- Apply appropriate patches as mentioned in Microsoft Security Bulletin MS08-067
- On Windows Vista and Windows Server 2008, block all RPC requests with the Universally Unique Identifier (UUID) equal to 4b324fc8-1670-01d3-1278-5a47bf6ee188 .
- Block TCP ports 139 and 445 at the perimeter.
- Install and maintain updated anti-virus software at gateway and desktop level.
- Install and maintain a host-based firewall at desktop level.
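As an added illustration of the propagation pattern described above (this code is not part of the CERT-In advisory and is not taken from the malware), the following Python helper recognises the two indicators a network sensor could key on: the fixed "abcde"/"12345" probe payloads, and a DCE/RPC bind PDU that requests the SRVSVC interface UUID. The PDU layout follows the DCE 1.1 RPC specification (C706); the sample PDU produced by build_bind_pdu() is constructed here for testing, and the srvsvc interface version 3.0 is taken from MS-SRVS.

```python
"""Recognise the two network indicators of the propagation described above."""
import struct
import uuid
from typing import List, Optional

SRVSVC_UUID = "4b324fc8-1670-01d3-1278-5a47bf6ee188"
NDR_UUID = "8a885d04-1ceb-11c9-9fe8-08002b104860"   # NDR transfer syntax, v2
PROBE_PAYLOADS = (b"abcde", b"12345")
PTYPE_BIND = 0x0B
PTYPE_ALTER_CONTEXT = 0x0E


def is_probe(payload: bytes) -> bool:
    """basesvc.dll sends one of two fixed 5-byte payloads to find neighbours."""
    return payload in PROBE_PAYLOADS


def bind_interfaces(pdu: bytes) -> List[str]:
    """Return the interface UUIDs requested by a connection-oriented DCE/RPC
    bind or alter_context PDU (layout per C706 section 12.6.4.3). Anything that
    is not a well-formed bind yields an empty list rather than a guess."""
    if len(pdu) < 16 or pdu[0] != 5:              # rpc_vers must be 5
        return []
    if pdu[2] not in (PTYPE_BIND, PTYPE_ALTER_CONTEXT):
        return []
    little_endian = (pdu[4] & 0xF0) == 0x10        # packed_drep[0]: integer byte order
    end = "<" if little_endian else ">"
    frag_length = struct.unpack(end + "H", pdu[8:10])[0]
    if frag_length > len(pdu) or frag_length < 28:
        return []                                  # truncated or bogus fragment
    # body: max_xmit_frag(2) max_recv_frag(2) assoc_group_id(4)
    #       n_context_elem(1) reserved(3), then the context elements
    n_ctx = pdu[24]
    off = 28
    found = []
    for _ in range(n_ctx):
        # p_cont_id(2) n_transfer_syn(1) reserved(1) abstract_syntax: uuid(16)+version(4)
        if off + 24 > frag_length:
            break
        n_transfer = pdu[off + 2]
        raw = pdu[off + 4: off + 20]
        # the first three UUID fields follow packed_drep; the last 8 bytes do not
        u = uuid.UUID(bytes_le=raw) if little_endian else uuid.UUID(bytes=raw)
        found.append(str(u))
        off += 24 + 20 * n_transfer                 # each transfer syntax: uuid(16)+version(4)
    return found


def is_srvsvc_bind(pdu: bytes) -> bool:
    return SRVSVC_UUID in bind_interfaces(pdu)


def classify(payload: bytes) -> Optional[str]:
    """Label one TCP payload as 'probe', 'srvsvc-bind' or None."""
    if is_probe(payload):
        return "probe"
    if is_srvsvc_bind(payload):
        return "srvsvc-bind"
    return None


def build_bind_pdu(interface: str, version: int = 3, call_id: int = 1) -> bytes:
    """Construct a minimal little-endian bind PDU for one interface with the
    NDR transfer syntax; used here only to produce test traffic. srvsvc is
    interface version 3.0 (MS-SRVS)."""
    ctx = (struct.pack("<HBB", 0, 1, 0)
           + uuid.UUID(interface).bytes_le + struct.pack("<I", version)
           + uuid.UUID(NDR_UUID).bytes_le + struct.pack("<I", 2))
    body = struct.pack("<HHI", 4280, 4280, 0) + struct.pack("<BBH", 1, 0, 0) + ctx
    frag_length = 16 + len(body)
    header = struct.pack("<BBBBIHHI", 5, 0, PTYPE_BIND, 0x03, 0x10, frag_length, 0, call_id)
    return header + body


if __name__ == "__main__":
    print(classify(b"abcde"), classify(build_bind_pdu(SRVSVC_UUID)))
```

The bind travels inside SMB (TCP 139/445) as a write to the \PIPE\srvsvc named pipe, so the DCE/RPC layer has to be extracted from the SMB payload before calling bind_interfaces(). Legitimate hosts also bind SRVSVC whenever they enumerate shares; the worm-like signal is the probe followed by a bind from the same source against many neighbours in quick succession, not a single bind.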
References
http://www.f-secure.com/v-descs/trojan-spy_w32_gimmiv_a.shtml
http://www.threatexpert.com/report.aspx?uid=a940ad27-1f2b-4236-8284-8a9f7f99e7de
http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx
http://www.threatexpert.com/reports.aspx?find=gimmiv
http://www.cert-in.org.in/vulnerability/civn-2008-170.htm
http://www.avertlabs.com/research/blog/index.php/2008/11/14/exploit-ms08-067-bundled-in-commercial-malware-kit/

Linux systems actively targeted using SSH key attacks
Date : September 03, 2008
It has been reported that attacks are being launched against Linux environments using compromised SSH keys.
Secure Shell (SSH) is used to communicate securely between networked machines; it uses public key cryptography to authenticate the remote computer and to allow the remote computer to authenticate the user.
Attackers are logging in with compromised SSH keys and then using a local kernel exploit to gain root. Once they control the system, they install a Linux kernel rootkit called phalanx2. After a server using a weak key has been identified and rooted, the rootkit harvests the SSH keys on it that are used to connect to other servers; where both the private and public parts of a key are present, attackers can use them to access those servers as well. This activity is reported to be related to the known vulnerability in the predictable random number generator of the OpenSSL package shipped with the Debian distribution, which makes cryptographic keys guessable.
Phalanx2 is a variant of Phalanx, a self-injecting kernel rootkit for the Linux 2.6 branch that hides files, processes and sockets, re-injects itself on boot, and includes tools for sniffing a tty and connecting it to a backdoor. Phalanx2 has been updated to steal SSH keys systematically. Its files are located in /etc/khubd.p2.
The presence of Phalanx2 can be identified by the following:
- "ls" (list directory) does not show a directory /etc/khubd.p2/, but it can be entered with "cd /etc/khubd.p2".
- /dev/shm/ may contain files from the attack.
- Changes in the rootkit's configuration may alter the indicators listed above. Other detection methods include searching for hidden processes and comparing the link (reference) count of /etc against the number of directories shown by "ls".
The contents of the /etc/khubd.p2 directory are shown below:
drwxrwxrwx 2 root root 4096 Jul 28 14:29 ./
drwxr-xr-x 94 root root 12288 Jul 28 15:05 ../
-rw-r--r-- 1 root root 1356 Jul 24 19:58 .p2rc
-rwxr-xr-x 1 root root 561032 Jul 24 19:58 .phalanx2*
-rwxr-xr-x 1 root root 7637 Jul 28 15:04 .sniff*
-rw-r--r-- 1 root 53746 1063 Jul 24 20:56 sshgrab.py
(sshgrab.py is a Python script that dumps the .ssh directory of each user to /dev/shm.)
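The two indicators above (a directory that can be entered but does not appear in ls output, and a /etc whose link count disagrees with the number of subdirectories shown) can be checked mechanically. The following Python helpers are an added example, not a tool from the advisory or from any of the referenced vendors; the temporary directory used by demo() is constructed for a self-test and stands in for /etc.

```python
"""Checks for directories hidden from readdir, as reported for /etc/khubd.p2."""
import os
import tempfile
from typing import Dict, Optional


def is_hidden_from_listing(path: str) -> bool:
    """True when `path` can be stat'ed (so `cd path` would succeed) but its
    parent's directory listing does not contain it: the behaviour the advisory
    describes for /etc/khubd.p2 on a Phalanx2 host."""
    path = path.rstrip("/")
    parent, name = os.path.split(path)
    try:
        os.stat(path)
    except OSError:
        return False          # does not exist at all: nothing is being hidden
    return name not in os.listdir(parent or "/")


def hidden_subdir_count(path: str) -> Optional[int]:
    """On ext3/ext4, XFS and tmpfs a directory's link count equals 2 plus the
    number of real subdirectories it contains (the listing above shows this:
    /etc/khubd.p2 has 2 links, its parent /etc has 94). Return how many
    subdirectories the link count implies but readdir does not show (0 means
    consistent), or None when the filesystem does not maintain the count
    (btrfs and merged overlayfs directories report a link count of 1)."""
    st = os.stat(path)
    if st.st_nlink < 2:
        return None
    visible = sum(1 for e in os.scandir(path) if e.is_dir(follow_symlinks=False))
    return st.st_nlink - 2 - visible


def check(dirpath: str, suspect: str) -> Dict[str, object]:
    """Run both checks against one parent directory and one suspected hidden
    child; intended as check("/etc", "/etc/khubd.p2") on a live host."""
    return {
        "hidden_entry": is_hidden_from_listing(suspect),
        "unaccounted_subdirs": hidden_subdir_count(dirpath),
    }


def demo() -> Dict[str, object]:
    """Self-test on a constructed temporary tree (two subdirectories and one
    plain file); on a clean filesystem nothing is hidden."""
    root = tempfile.mkdtemp(prefix="khubd-check-")
    for sub in ("a", "b"):
        os.mkdir(os.path.join(root, sub))
    with open(os.path.join(root, "f"), "w") as fh:
        fh.write("plain file\n")
    result = check(root, os.path.join(root, "a"))
    result["missing_probe"] = is_hidden_from_listing(os.path.join(root, "khubd.p2"))
    return result


if __name__ == "__main__":
    print(check("/etc", "/etc/khubd.p2"))
```

Run the checks from a statically linked binary or a rescue medium where possible: a kernel rootkit that hides directory entries from readdir can equally lie to os.stat, so a clean result from the live system is weaker evidence than a dirty one.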
If a compromise is confirmed, users are advised to disable key-based SSH authentication on the affected systems and to audit all SSH keys on them.
Workarounds
- Apply the measures and tools recommended by Debian for the weak-key issue (see also http://www.metasploit.com/users/hdm/tools/debian-openssl/).
- Make sure that SSH private keys are protected by a passphrase.
- Review access paths to Internet-facing systems and ensure that those systems are fully patched.
- Keep up-to-date patches and fixes on the operating system and application software.
- Use file integrity tools such as Tripwire or AIDE to check for the phalanx2 rootkit.
References
http://www.us-cert.gov/current/#ssh_key_based_attacks
http://isc.sans.org/diary.html?storyid=4937
http://blogs.zdnet.com/security/?p=1803
http://www.metasploit.com/users/hdm/tools/debian-openssl/
http://blogs.techrepublic.com.com/opensource/?p=210
http://www.sophos.com/security/analyses/viruses-and-spyware/trojphalanx2a.html
http://www.theregister.co.uk/2008/08/27/ssh_key_attacks_warning/

Propagation of Malware via .doc files
Date : August 22, 2008
It has been observed that e-mails carrying malicious .doc files are circulating widely. The mails arrive as news items, mostly about the Beijing 2008 Olympics, to trick users into opening them.
These trojanised .doc files (detected as TROJ_MDROPPER.ZT) exploit the vulnerability CVE-2008-2244 in Microsoft Word 2000, 2002 and 2003, described in CERT-In vulnerability note CIVN-2008-104; it was a zero-day when the campaign began and may also affect other versions of the word processor. Patches for this vulnerability were released in August 2008 (Microsoft Security Bulletin MS08-042).
When a user opens the malicious attachment, the malware embedded inside the document infects the user's system.
Some of the malicious files have the following names:
- attachment.doc
- appeal_letter_of_fttj.doc
- attend_the_opening_ceremony_of_the_29th_olympic_games_in_beijing.doc
- lingotto_con_fiat.doc
- tibetan_independence_vs_beijing_olympic.doc
Upon successful exploitation, TROJ_MDROPPER.ZT runs shellcode that executes an embedded file. The embedded file may be any of the following:
- %System%\msjava.exe - detected by Trend Micro as TROJ_ENFAL.AA
- %System%\dump.exe - detected as TROJ_ENFAL.AA
- %System%\6to4ex.dll - detected as BKDR_PCCLIEN.AAP
- %System%\systio.exe - detected as TSPY_KEYLOG.CP
- %Windows%\spupdsvc.exe - detected as TROJ_PROXY.RI
- %Windows%\hscancon.dll - detected as TROJ_ZLOB.BPM
The Trojan also drops a copy of itself in %User Temp%.
[Screenshot of a malicious .doc file]
Countermeasures
- Apply appropriate patches as mentioned in CERT-In vulnerability note CIVN-2008-104 and Microsoft Security Bulletin MS08-042.
- Do not open or save Microsoft Office files received from untrusted sources, or received unexpectedly from trusted sources.
- Install and maintain updated anti-virus software at gateway and desktop level.
- Keep up-to-date patches and fixes on the operating system and application software.
- Delete e-mails carrying the above-mentioned filenames at the e-mail gateway.
- Users may install the Microsoft Office Isolated Conversion Environment (MOICE) on PCs running Windows and Microsoft Office. MOICE converts binary Office documents to the Open XML format in an isolated process, which prevents malicious code embedded in such documents from executing.
- Home users may refer to the CERT-In security guideline "Securing Home Computers".
References
http://blog.trendmicro.com/let-the-games-begin/
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_ENFAL.AA
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_PCCLIEN.AAP
http://www.trendmicro.com/vinfo/grayware/ve_graywareDetails.asp?Gname=TSPY_KEYLOG.CP
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_PROXY.RI
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_ZLOB.BPM
http://www.securesynergy.com/securitynews/newsitems/2008/aug/200808-03.htm
http://economictimes.indiatimes.com/Infotech/Internet_/Beware_if_your_mail_has_an_invitation_to_Beijing/articleshow/3380895.cms
http://www.cert-in.org.in/vulnerability/civn-2008-104.htm

Propagation of malware via spam e-mail with the name of MSNBC.com “BREAKING NEWS”
Date : August 14, 2008
It has been observed that a new wave of spam e-mails pretending to come from msnbc.com is circulating widely. The subject lines are current-affairs headlines that change daily with the news, and the links take the user to malicious websites hosting files such as "adobe_flash.exe". Some of the malicious files are detected as the Nuwar worm.
Sample e-mail is shown below:
msnbc.com: BREAKING NEWS: Preliminary polls for the election
Find out more at http://breakingnews.msnbc.com

Here is a sampling of subject lines:
msnbc.com - BREAKING NEWS US dollar hits 6-year high further gain expected
msnbc.com - BREAKING NEWS Americans love to sue people
msnbc.com - BREAKING NEWS Stock set to fall in recession
msnbc.com - BREAKING NEWS Buy gold at lowest price & make immediate profits
msnbc.com - BREAKING NEWS: Mary-Kate Olsen responsible for Heath Ledger's death
msnbc.com - BREAKING NEWS: Google launches free music downloads in China
msnbc.com - BREAKING NEWS: McDonald's found to breach FDA regulations, suspended from trading
msnbc.com - BREAKING NEWS: Obama set to win presidency
When a user visits any link in the e-mail, the malicious webpage generates a fake popup warning about an incorrect Video ActiveX object version, enticing the user to download a "new" video ActiveX object.
[Screenshot of the fake ActiveX warning]
On visiting the malicious website, the file named "adobe_flash.exe" is downloaded to the visitor's system.

Some of the Domains involved in hosting of this malicious file are:
- www dot 3zebras dot net/msn dot html
- nyinjuryfirm dot net /msn dot html
- www dot knhospital dot com
- www dot ebest dot us dot com
- www dot blazeteck dot com/msn dot html
Users are advised to implement the following countermeasures:
- Block or filter e-mails with the above-mentioned subject lines and body text at the mail gateway.
- View e-mails in plain-text format.
- Exercise caution while clicking on any link embedded in an e-mail, instant message or web page.
- Install and maintain updated anti-virus software at gateway and desktop level.
- Install and maintain updated anti-spyware software at desktop level.
- Keep up-to-date on patches and fixes for the OS and application software.
References
http://www.securitywatch.co.uk/2008/08/13/msnbccom-breaking-news-spam/
http://www.sophos.com/pressoffice/news/articles/2008/08/msnbc.html?_log_from=rss
http://redtape.msnbc.com/2008/08/msnbc-cnn-hit-b.html
http://www.securecomputing.net.au/News/119568,fake-msnbc-news-alerts-push-spam.aspx
http://www.net-security.org/malware_news.php?id=975

Propagation of malware via spam e-mail with the name of “CNN.com Daily Top 10”
Date : August 07, 2008
It has been observed that a new wave of spam e-mails pretending to come from CNN.com is circulating widely. These e-mails carry subject lines such as "CNN.com Daily Top 10 Stories" and "CNN.com Daily Top 10 Videos". The body contains URLs presented as current-affairs items that change daily with the news, which take the user to malicious websites hosting files such as "get_flash_update.exe".
[Sample e-mail screenshot]
When a user visits any link in the e-mail, the malicious webpage generates a fake popup warning about an incorrect Flash Player version, enticing the user to download a "new" Flash Player.
[Screenshots of the fake Flash Player warnings]
On visiting the malicious website, the file named "get_flash_update.exe" is downloaded to the visitor's system.
Some of the Domains involved in hosting of this malicious file are:
- hxxp: // joogle2 DOT com
- hxxp: // attomega DOT com
- hxxp: // borinsrl-store DOT com
- hxxp: // renderize DOT net
- hxxp: // cafemarker52 DOT com
- hxxp: // thediver DOT co DOT il
- hxxp: // piedrarustica DOT com
- hxxp: // gracesmarketplace DOT com
- hxxp: // layber DOT com DOT br
Users are advised to implement the following countermeasures:
- Block or filter e-mails with the above-mentioned subject lines and body text at the mail gateway.
- View e-mails in plain-text format.
- Exercise caution while clicking on any link embedded in an e-mail, instant message or web page.
- Install and maintain updated anti-virus software at gateway and desktop level.
- Install and maintain updated anti-spyware software at desktop level.
- Keep up-to-date on patches and fixes for the OS and application software.
References
ZDNet: http://blogs.zdnet.com/security/?p=1657
ISC SANS: https://isc.sans.org/diary.html?storyid=4828
Computerworld: http://www.computerworld.com.au/index.php/id;401302061;fp;16;fpid;1
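The two fake news-alert campaigns above (the msnbc.com "BREAKING NEWS" mails and the "CNN.com Daily Top 10" mails) share one mechanical tell: the subject follows a fixed template, and the link text shows a news site while the href points at the host serving adobe_flash.exe or get_flash_update.exe. The following Python example, added here and not part of either advisory, shows how a mail gateway filter can check both. The sample message is constructed; the host malicious.example stands in for the hosting domains listed above.

```python
"""Gateway-side checks for the fake news-alert lures described above."""
import re
from email import message_from_string
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Subject templates from the two campaigns; the headline after them changed daily.
SUBJECT_PATTERNS = [
    re.compile(r"^msnbc\.com\s*[-:]\s*BREAKING NEWS", re.IGNORECASE),
    re.compile(r"^CNN\.com Daily Top 10", re.IGNORECASE),
]
# Download names the landing pages pushed.
LURE_EXECUTABLES = ("adobe_flash.exe", "get_flash_update.exe")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url_or_host: str) -> str:
    s = url_or_host.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def deceptive_links(html: str) -> List[str]:
    """Return hrefs that (a) show one host in the link text but lead to another,
    or (b) point directly at one of the known lure executables."""
    collector = _LinkCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        real = _host(href)
        looks_like_url = " " not in text and re.search(r"\w+\.\w+", text) is not None
        shown = _host(text) if looks_like_url else ""
        if shown and real and shown != real and not real.endswith("." + shown):
            flagged.append(href)
        elif href.lower().endswith(LURE_EXECUTABLES):
            flagged.append(href)
    return flagged


def classify(raw_message: str) -> List[str]:
    """Return the reasons a message should be held; an empty list means clean."""
    msg = message_from_string(raw_message)
    reasons = []
    subject = msg.get("Subject", "")
    if any(p.search(subject) for p in SUBJECT_PATTERNS):
        reasons.append("subject matches fake news-alert lure")
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        payload = part.get_payload(decode=True) or b""
        html = payload.decode(part.get_content_charset() or "utf-8", "replace")
        for href in deceptive_links(html):
            reasons.append(f"suspicious link: {href}")
    return reasons


# Constructed sample in the shape of the msnbc.com lure; malicious.example stands
# in for the hosting domains listed in the advisory.
SAMPLE_MESSAGE = """\
From: msnbc.com <alerts@msnbc.example>
To: user@example.org
Subject: msnbc.com - BREAKING NEWS Obama set to win presidency
Content-Type: text/html; charset=utf-8

<html><body>
<p>Find out more at <a href="http://malicious.example/msn.html">http://breakingnews.msnbc.com</a></p>
<p><a href="http://malicious.example/adobe_flash.exe">Install the new video ActiveX object</a></p>
</body></html>
"""

if __name__ == "__main__":
    for reason in classify(SAMPLE_MESSAGE):
        print(reason)
```

Subject matching alone is brittle, since the campaign rotated headlines daily; the link check (visible host differs from actual host, or the destination is a bare .exe) survives a subject change and is the rule worth keeping.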

Malware stealing online game credentials spreading
Date : July 11, 2008
It has been observed that different variants of malware that steal online game credentials are spreading widely. Some variants spread as packed executables. They steal confidential information such as usernames and passwords for online games and send it to a remote website by HTTP POST.
Some variants also inject code into the Internet Explorer process to hook the send and sendto functions and intercept confidential information sent through Internet Explorer to particular URLs. The variants also download and execute additional malware on the infected system in order to update themselves.
The variants capture confidential data for popular online games such as Rainbow Island, Cabal Online, A Chinese Odyssey, Hao Fang Battle Net, Lineage, Gamania, MapleStory, QQ Game, Legend of Mir and World of Warcraft.
To update themselves the variants communicate with the domain om7890 DOT com.
In view of the rapid propagation of this password-stealing malware, users are advised to implement the following countermeasures:
- Block access to domain om7890 DOT com.
- Install and maintain an updated anti-virus software at gateway and desktop level.
- Keep up-to-date anti-spyware signatures.
- Keep up-to-date on patches and fixes on the operating system and application software.
References:
http://www.microsoft.com/security/portal/Entry.aspx?name=Trojan%3aWin32%2fTilcun.gen!B
http://www.microsoft.com/security/portal/Entry.aspx?name=PWS%3aWin32%2fCeekat.gen!A
http://www.microsoft.com/security/portal/Entry.aspx?name=PWS%3aWin32%2fFrethog.AP
http://www.microsoft.com/security/portal/Entry.aspx?name=Worm%3aWin32%2fTaterf.gen!C
http://www.microsoft.com/security/portal/Entry.aspx?name=Worm%3aWin32%2fTaterf.A.dll
http://www.microsoft.com/security/portal/Entry.aspx?name=Worm%3aWin32%2fTaterf.gen!D
http://www.trendmicro.com/vinfo/apac/virusencyclo/default5.asp?VName=WORM_NSPM.TASH
http://www.sophos.com/security/analyses/viruses-and-spyware/malbehav204.html

SQL Injection Attacks and Exploitation of Adobe Flash Player Vulnerabilities
Date : June 05, 2008
Updated: June 25, 2008
It has been observed that a new wave of SQL injection attacks is being launched against websites, with the compromised sites then used to exploit Adobe Flash Player vulnerabilities described in CERT-In Vulnerability Note CIVN-2008-68 and CERT-In Advisory CIAD-2008-23. Some of the malicious domains used in these attacks are hosted on fast-flux DNS.
Online gamers appear to be the primary target of the attack, but the payload can be changed dynamically by the attackers.
Websites are compromised through SQL injection and injected with malicious scripts. These scripts redirect the user to a malicious URL serving Shockwave Flash (SWF) files that exploit the Adobe Flash Player vulnerabilities. Successful exploitation downloads Trojans onto the vulnerable system.
The infected website checks the victim's browser type in order to serve the appropriate exploit.
The script most recently injected into websites through SQL injection is "hxxp://en-us18 DOT com/b DOT js".
SWF files with the following names have been found on the websites:
- ie1.swf
- ie2.swf
- 1231.swf
- 1232.swf
- 4561.swf
- 4562.swf
- i1232.swf
- i1231.swf
- flash1.swf
- flash2.swf
- WIN 9,0,115,0i.swf
- WIN 9,0,115,0f.swf
- WIN %209,0,115,0ie.swf
- WIN %209,0,115,0ff.swf
Websites reported to be exploiting the Adobe Flash Player vulnerability are listed below:
hxxp://www DOT play0nlnie DOT com/pcd/topics/ff11us/20080311cPxl31/WIN%209,0,115,0ie.swf
hxxp://www DOT play0nlnie DOT com/ax DOT exe
hxxp://www DOT tongji123 DOT org/i1231 DOT swf
hxxp://www DOT tongji13 DOT org/soc DOT exe
hxxp://www DOT woai117 DOT cn/WIN 9,0,115,0i DOT swf
hxxp://www DOT woai117 DOT cn/117 DOT exe
hxxp://user1 DOT 12-27 DOT net/flash1 DOT swf
hxxp://513389 DOT cn/bak DOT css
www DOT iphone001 DOT com/ie/WIN 9,0,115,0i DOT swf
hxxp://qisihuisheng DOT net/swf/sw DOT exe
hxxp://ageofconans DOT net/WIN 9,0,115,0i DOT swf
hxxp://ageofconans DOT net/flash DOT exe
hxxp://www DOT guccime DOT net/i1231 DOT swf
hxxp://www DOT guccime DOT net/0 DOT exe
hxxp://user1 DOT isee080 DOT net/flash1 DOT swf
hxxp://user1 DOT 12-26 DOT net/bak DOT css
hxxp://www DOT zuoyouweinan DOT com/exe DOT swf
hxxp://bb DOT wudiliuliang DOT com/1 DOT exe
hxxp://www DOT psp1111 DOT cn/test DOT exe
hxxp://www DOT lkjrc DOT cn/i1232 DOT swf
hxxp://www DOT hokia8 DOT com DOT cn/abe DOT exe
In view of the massive scale of the attack and the high damage potential of the malware, website administrators and users are advised to implement the following countermeasures.
Website administrators:
- Enable request validation by setting validateRequest="true" in the Page directive or in the <pages> element of the configuration file.
- Input filtering: properly validate and sanitize all user-supplied data, and use parameterised queries rather than building SQL statements from request parameters.
- Neutralise injected content: any scripting content found in stored data should be removed or safely commented out.
- Reject script content appended to URLs after special characters such as #, e.g. http://www.vulnerable.site/welcome.html#name=<script>alert(document.cookie)</script>
- Output filtering: encode user-supplied data before it is sent back to the user's browser.
- Disable client-side scripting where it is not required.
- Use signed scripting, so that any script with an invalid or untrusted signature does not run automatically.
- Microsoft released an advisory on June 24, 2008 with steps to mitigate the risk of SQL injection attacks on websites running ASP.NET. For details refer to Microsoft Advisory 954462:
http://www.microsoft.com/technet/security/advisory/954462.mspx
- A free scanner named Scrawlr, developed by Hewlett-Packard, can identify whether a site is susceptible to SQL injection. The tool and support for its use can be found at:
http://www.communities.hp.com/securitysoftware/blogs/spilabs/archive/2008/06/23/finding-sql-injection-with-scrawlr.aspx
System Administrators and Users:
- Apply the patches/updates to address vulnerabilities in Adobe Flash Player as mentioned in CERT-In Vulnerability Note CIVN-2008-68 and CERT-In Advisory CIAD-2008-23.
- Block access to above mentioned domains.
- Disable Javascript and ActiveX scripting in the browser settings. Use NoScript extension with Firefox browser.
- Keep up-to-date on patches and fixes on the OS and application software.
- Install and maintain updated anti-virus software at gateway and desktop level
- Exercise caution even while visiting trusted websites
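The "input filtering" advice above is easiest to understand against a concrete pair of queries. The following Python example, added here and not part of the advisory, uses an in-memory SQLite database to show what a mass-injection payload does to a page that splices a request parameter into its SQL text on a driver that accepts statement batches (classic ASP on SQL Server), and why a parameterised query is immune. The table, its rows and the host malicious.example are constructed; the payload uses SQLite's || operator where the original T-SQL used +.

```python
"""Vulnerable string-built query beside its parameterised replacement."""
import sqlite3
from typing import List, Tuple

# Placeholder for the hostile script URLs listed in the advisory.
INJECTED_TAG = '<script src="http://malicious.example/b.js"></script>'

# Stacked-statement payload in the shape the 2008 mass-injection worm used,
# written for SQLite (|| for string concatenation where T-SQL used +).
PAYLOAD = "x';UPDATE products SET description = description || '" + INJECTED_TAG + "';--"


def setup() -> sqlite3.Connection:
    """Constructed catalogue table standing in for a site's content tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT, description TEXT);
        INSERT INTO products(name, description) VALUES ('widget', 'A plain widget.');
        INSERT INTO products(name, description) VALUES ('gadget', 'A plain gadget.');
        """
    )
    return conn


def run_batch(conn: sqlite3.Connection, sql: str) -> List[Tuple]:
    """Emulate a driver that runs several ';'-separated statements in one call,
    as ADO on SQL Server did for classic ASP pages. Statements are split only
    at semicolons that end a complete statement, so a ';' inside a string
    literal does not break the split. Rows of the first statement are returned."""
    rows: List[Tuple] = []
    first = True
    buf = ""
    for ch in sql:
        buf += ch
        if ch == ";" and sqlite3.complete_statement(buf):
            cur = conn.execute(buf)
            if first:
                rows, first = cur.fetchall(), False
            buf = ""
    tail = buf.strip()
    if tail and not tail.startswith("--"):   # skip a trailing comment
        cur = conn.execute(tail)
        if first:
            rows = cur.fetchall()
    conn.commit()
    return rows


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> List[Tuple]:
    """The request parameter is spliced into the SQL text: anything after a
    closing quote is executed as SQL, including an appended UPDATE."""
    sql = f"SELECT id, name FROM products WHERE name = '{name}'"
    return run_batch(conn, sql)


def lookup_safe(conn: sqlite3.Connection, name: str) -> List[Tuple]:
    """Parameter binding: the same input is compared as a value and nothing
    inside it is ever parsed as SQL."""
    return conn.execute(
        "SELECT id, name FROM products WHERE name = ?", (name,)
    ).fetchall()


def count_injected(conn: sqlite3.Connection) -> int:
    """How many rows now carry a script tag."""
    return conn.execute(
        "SELECT COUNT(*) FROM products WHERE description LIKE '%<script%'"
    ).fetchone()[0]


def demo() -> Tuple[int, int]:
    """Feed the payload to both lookups on fresh tables and report how many
    rows each leaves tampered: (safe, vulnerable)."""
    safe_conn = setup()
    lookup_safe(safe_conn, PAYLOAD)
    vuln_conn = setup()
    lookup_vulnerable(vuln_conn, PAYLOAD)
    return count_injected(safe_conn), count_injected(vuln_conn)


if __name__ == "__main__":
    print("rows tampered (safe, vulnerable):", demo())
```

run_batch() exists only to mimic a batch-capable driver; Python's sqlite3 execute() refuses a second statement, which is the property the parameterised version relies on. Blacklisting the words UPDATE or DECLARE, which several sites tried in 2008, would not have helped: the worm delivered its statement as a hex CAST that was only decoded on the database server, so the fix is the parameter binding, not a keyword filter.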
References:
http://isc.incidents.org/diary.html?storyid=4519
http://isc.incidents.org/diary.html?storyid=4474
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080527
http://www.theregister.co.uk/2008/05/27/new_adobe_flash_vuln/print.html
http://www.darkreading.com/document.asp?doc_id=155020&WT.svl=news1_2

Massive SQL Injection Attacks
Date : May 09, 2008
Updated: May 12, 2008; May 22, 2008; June 03, 2008; June 25, 2008; July 01, 2008; July 24, 2008; August 01, 2008; August 14, 2008; September 12, 2008; September 22, 2008; September 29, 2008; November 03, 2008
It has been observed that an SQL injection worm is spreading in the wild by injecting JavaScript or iframes into websites. The Asprox botnet is also launching SQL injection attacks. A shift in technique has been reported: rather than the traditional URL-based injection, some Asprox variants have attempted cookie-based injection.
Many websites have been found infected with such scripts.
[Snippet of the injected script code]
Websites injected with the JavaScript redirect innocent visitors to the malicious website "winzipices DOT cn", which hosts JavaScript files with numeric names such as 2.js and 4.js.
[Contents of one such script file]
The JavaScript takes the user to a malicious .asp page, which in turn takes the user to the malicious domain "cnzz DOT com" or "51 DOT la".
The SQL injection worm appears to infect machines running vulnerable RealPlayer versions.
Malicious domains involved in attacks with SQL worm activity are:
- cnzz DOT com
- 51 DOT la
- 51la DOT ajiang DOT net
- bbs DOT jueduizuan DOT com
Malware downloaded from these domains makes continuous outbound requests to 61 DOT 134 DOT 37 DOT 15 on port 1800.
Update
Since 19th May some new domains have been observed in the SQL injection attacks. The attackers are inserting redirection tags into the contents of websites.
[Snippet of the JavaScript inserted into genuine websites]
[Contents of the JavaScript a.js]
The a.js script redirects users to the domain "hoursebuilds DOT cn".
[Source code of the page "hoursebuilds DOT cn SLASH hi DOT htm"]
This page in turn redirects users to the domain "51 DOT la", which is used to exploit the vulnerable system.
After successful exploitation, malware such as downloader Trojans is downloaded to the user's system.
Other domains involved in these SQL injection attacks are (visiting these domains is harmful to the user's system):
- www DOT en-us18 DOT com
- www DOT nihaorr1 DOT com
- free DOT hostpinoy DOT info
- xprmn4u DOT info
- www DOT nmidahena DOT com
- winzipices DOT cn
- sb DOT 5252 DOT ws
- www DOT aspder DOT com
- www DOT 11910 DOT net
- bbs DOT jueduizuan DOT com
- www DOT bluell DOT cn
- www DOT 2117966 DOT net
- s DOT see9 DOT us
- xvgaoke DOT cn
- 1 DOT hao929 DOT cn
- www DOT 414151 DOT com
- yl18 DOT net
- www DOT kisswow DOT com DOT cn
- urkb DOT net
- c DOT uc8010 DOT com
- rnmb DOT net
- www DOT ririwow DOT cn
- www DOT killwow1 DOT cn
- www DOT qiqigm DOT com
- www DOT wowgm1 DOT cn
- www DOT wowyeye DOT cn
- 9i5t DOT cn
- computershello DOT cn
- www DOT z008 DOT net
- b15 DOT 3322 DOT org
- www DOT direct84 DOT com
- www DOT caocaowow DOT cn
- www DOT qiuxuegm DOT com
- firestnamestea DOT cn
- %61%2E%6B%61%34%37%2E%75%73 (a DOT ka47 DOT us)
- %61%31%38%38%2E%77%73 (a188 DOT ws)
- www DOT qiqi111 DOT cn
- www DOT banner82 DOT com
- smeisp DOT cn
- okey123 DOT cn
- www DOT nihao112 DOT com
- al DOT 99 DOT vc
- www DOT chliyi DOT com
- free DOT edivid DOT info
- 52-o DOT cn
- www DOT fucksb DOT net
- www60 DOT actualization DOT cn
- d39 DOT 6600 DOT org
- h28 DOT 8800 DOT org
- ucmal DOT com
- t DOT uc8010 DOT com
- www DOT dota11 DOT cn
- bc0 DOT cn
- %33%2E%74%72%6F%6A%61%6E%38%2E%63%6F%6D (3 DOT trojan8 DOT com)
- www DOT adword71 DOT com
- w11 DOT 6600 DOT org
- usuc DOT us
- www DOT msshamof DOT com
- newasp DOT com DOT cn
- www DOT wowgm2 DOT cn
- mm DOT jsjwh DOT com DOT cn
- 17ge DOT cn
- www DOT adword72 DOT com
- www DOT 117275 DOT cn
- vb008 DOT cn
- www DOT wow112 DOT cn
- www DOT nihaoel3 DOT com
- hxxp://updatead DOT com
- hxxp://upgradead DOT com
- hxxp://clsiduser DOT com
- hxxp://dbdomaine DOT com
In view of the massive scale of the attack and the high damage potential of the malware, website administrators and users are advised to implement the following countermeasures.
Website administrators:
- Enable request validation by setting validateRequest="true" in the Page directive or in the <pages> element of the configuration file.
- Input filtering: properly validate and sanitize all user-supplied data, and use parameterised queries rather than building SQL statements from request parameters.
- Neutralise injected content: any scripting content found in stored data should be removed or safely commented out.
- Reject script content appended to URLs after special characters such as #, e.g. http://www.vulnerable.site/welcome.html#name=<script>alert(document.cookie)</script>
- Output filtering: encode user-supplied data before it is sent back to the user's browser.
- Disable client-side scripting where it is not required.
- Use signed scripting, so that any script with an invalid or untrusted signature does not run automatically.
- Microsoft released an advisory on June 24, 2008 with steps to mitigate the risk of SQL injection attacks on websites running ASP.NET. For details refer to Microsoft Advisory 954462:
http://www.microsoft.com/technet/security/advisory/954462.mspx
- A free scanner named Scrawlr, developed by Hewlett-Packard, can identify whether a site is susceptible to SQL injection. The tool and support for its use can be found at:
http://www.communities.hp.com/securitysoftware/blogs/spilabs/archive/2008/06/23/finding-sql-injection-with-scrawlr.aspx
System Administrators and Users:
- Block access to the domains www DOT en-us18 DOT com, cnzz DOT com, 51 DOT la, yl18 DOT net, www DOT bluell DOT cn, www DOT kisswow DOT com DOT cn, www DOT ririwow DOT cn, 51la DOT ajiang DOT net, bbs DOT jueduizuan DOT com, updatead DOT com, upgradead DOT com, clsiduser DOT com and dbdomaine DOT com.
- Block access to the IPs 60 DOT 191 DOT 239 DOT 229, 61 DOT 188 DOT 38 DOT 158 and 61 DOT 134 DOT 37 DOT 15.
- Disable Javascript and ActiveX scripting in the browser settings. Use NoScript extension with Firefox browser.
- Apply the patches for the above mentioned vulnerabilities.
- Keep up-to-date on patches and fixes on the OS and application software.
- Install and maintain updated anti-virus software at gateway and desktop level
- Exercise caution even while visiting trusted websites.
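The indicators of a compromised page in this and the March advisory below are an external <script src="..."> or <iframe src="..."> pointing at one of the domains listed, several of which appear only as %XX-encoded strings. The following Python example, added here and not taken from the advisory, decodes such hosts and scans HTML (or text columns pulled from a database) for includes that load from any host other than the site's own. The sample rows are constructed, using domains named in the advisories, and www.example.com stands in for the site's own host.

```python
"""Find injected <script>/<iframe> includes that load from a foreign host."""
from html.parser import HTMLParser
from typing import Iterable, List, Tuple
from urllib.parse import unquote, urlparse


def decode_host(token: str) -> str:
    """Undo %XX encoding such as %61%2E%6B%61%34%37%2E%75%73 (a.ka47.us).
    Decode until the string stops changing so double-encoded hosts are caught."""
    prev, cur = None, token
    while cur != prev:
        prev, cur = cur, unquote(cur)
    return cur.lower()


class _IncludeCollector(HTMLParser):
    """Collect the src attribute of every <script> and <iframe> tag."""

    def __init__(self) -> None:
        super().__init__()
        self.srcs: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)


def foreign_includes(html: str, own_hosts: Iterable[str]) -> List[str]:
    """Return include URLs whose (decoded) host is not one of our own hosts.
    Relative URLs have no host and are treated as same-origin."""
    own = {h.lower() for h in own_hosts}
    collector = _IncludeCollector()
    collector.feed(html)
    hits = []
    for src in collector.srcs:
        host = decode_host(urlparse(src).hostname or "")
        if host and host not in own:
            hits.append(src)
    return hits


def scan_rows(rows: Iterable[Tuple[object, str]],
              own_hosts: Iterable[str]) -> List[Tuple[object, str]]:
    """Apply foreign_includes() to (row_id, text) pairs, e.g. the result of
    SELECT id, body FROM pages, and report (row_id, include_url) for each hit."""
    own = list(own_hosts)
    findings = []
    for row_id, text in rows:
        for src in foreign_includes(text or "", own):
            findings.append((row_id, src))
    return findings


# Constructed sample: one clean row and one row carrying a same-origin script,
# a script from the domain named in the March 2008 advisory and an iframe to a
# %XX-encoded host from the list above.
SAMPLE_ROWS = [
    (1, "<p>Welcome to our site.</p>"),
    (2, '<script src="/js/site.js"></script>'
        '<script src="http://www.example.com/js/a.js"></script>'
        '<script src="http://www.2117966.net/fuckjp.js"></script>'
        '<iframe src="http://%61%2E%6B%61%34%37%2E%75%73/x.htm"></iframe>'),
]

if __name__ == "__main__":
    for row_id, src in scan_rows(SAMPLE_ROWS, ["www.example.com"]):
        host = decode_host(urlparse(src).hostname or "")
        print(f"row {row_id}: foreign include {src} -> {host}")
```

Run scan_rows() over every text column the injection could have reached (the worm iterated over all character columns of all tables, not only the ones that render on the home page), and keep the decoded host in the report: a blocklist keyed on "%61%2E%6B..." will miss the same host written in the clear.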
References:
http://isc.sans.org/diary.html?storyid=5092
http://isc.sans.org/diary.html?storyid=4645
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080514
http://isc.incidents.org/diary.html?storyid=4393
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080507
http://www.cert-in.org.in/virus/Asprox_Botnet.htm

Mass SQL Injection attacks and malicious Java script embedding on websites
Date : March 17, 2008
Updated: May 02, 2008; May 08, 2008; May 12, 2008; June 25, 2008;
July 01, 2008
It has been observed that various websites have been infected with a malicious JavaScript file hosted on the domain 2117966 DOT net. Remote attackers are launching SQL injection attacks against web servers running ASP and embedding a link to the malicious JavaScript file (www DOT 2117966 DOT net/fuckjp DOT js) in these websites. When a user visits an infected website the script executes on the user's system and tries to exploit several known vulnerabilities in order to download password-stealing malware. The downloaded malware tries to make outbound connections to the IP address 61 DOT 188 DOT 39 DOT 175 on port 2034.
Vulnerabilities exploited by the JavaScript file are:
- Microsoft Data Access Components Code Execution Vulnerability (CIVN-2006-31)
- Microsoft Windows Vector Markup Language Code Execution Vulnerability (CIVN-2007-04)
- Microsoft Internet Explorer "daxctle.ocx" KeyFrame Memory Corruption Vulnerability (CIVN-2006-91)
- Microsoft Internet Explorer WebViewFolderIcon Buffer Overflow Vulnerability (CIVN-2006-94)
- RealPlayer Playlist Buffer Overflow Vulnerability (CIVN-2007-138)
It has also been reported that mass attacks were launched against websites running phpBB through iframe injection, redirecting innocent users to malicious websites.
Subsequently, mass iframe and JavaScript injection attacks have been reported using the malicious domains www DOT nmidahena DOT com, www DOT nihaorr1 DOT com, www DOT aspder DOT com, haoliuliang DOT net, winzipices DOT cn, yl18 DOT net, www DOT bluell DOT cn, www DOT kisswow DOT com DOT cn, www DOT ririwow DOT cn, updatead DOT com, upgradead DOT com, clsiduser DOT com and dbdomaine DOT com.
In view of the massive scale of the attack and the high damage potential of the malware, website administrators and users are advised to implement the following countermeasures:
Website administrators:
- Enable request validation by setting validateRequest="true" in the Page directive or in the <pages> element of the configuration file.
- Input filtering: properly validate and sanitize all user-supplied data, and use parameterised queries rather than building SQL statements from request parameters.
- Neutralise injected content: any scripting content found in stored data should be removed or safely commented out.
- Reject script content appended to URLs after special characters such as #, e.g. http://www.vulnerable.site/welcome.html#name=<script>alert(document.cookie)</script>
- Output filtering: encode user-supplied data before it is sent back to the user's browser.
- Disable client-side scripting where it is not required.
- Use signed scripting, so that any script with an invalid or untrusted signature does not run automatically.
- Microsoft released an advisory on June 24, 2008 with steps to mitigate the risk of SQL injection attacks on websites running ASP.NET. For details refer to Microsoft Advisory 954462:
http://www.microsoft.com/technet/security/advisory/954462.mspx
- A free scanner named Scrawlr, developed by Hewlett-Packard, can identify whether a site is susceptible to SQL injection. The tool and support for its use can be found at:
http://www.communities.hp.com/securitysoftware/blogs/spilabs/archive/2008/06/23/finding-sql-injection-with-scrawlr.aspx
System Administrators and Users:
- Block access to domains “www DOT 2117966 DOT net”, "www DOT nmidahena DOT com", "www DOT nihaorr1 DOT com", "www DOT aspder DOT com" , "
haoliuliang DOT net
" , "winzipices.cn", "yl18 DOT net", "www DOT bluell DOT cn", "www DOT kisswow DOT com DOT cn", "www DOT ririwow DOT cn", "hxxp://updatead DOT com", "hxxp://upgradead DOT com", "hxxp://clsiduser DOT com" and "hxxp://dbdomaine DOT com" at gateway.
- Disable Javascript and ActiveX scripting in the browser settings. Use NoScript extension with Firefox browser.
- Block traffic to and from the IP addresses 61 DOT 188 DOT 39 DOT 175, 60 DOT 191 DOT 239 DOT 229, 61 DOT 188 DOT 38 DOT 158 and 61 DOT 134 DOT 37 DOT 15.
- Apply the patches for the above mentioned vulnerabilities.
- Keep up-to-date on patches and fixes on the OS and application software.
- Install and maintain updated anti-virus software at gateway and desktop level.
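The domains and IP addresses above are written defanged (“DOT” for “.”, “hxxp://” for “http://”, stray quotes), which is right for an alert but not for a gateway configuration. The following Python helper, added here as an example and not part of the original alert, refangs such a list into a hosts-file style domain block list plus per-IP firewall rules; the input is a constructed subset of the indicators above, and the iptables rule text is only one illustration of an output format.

```python
import ipaddress
import re

# Constructed sample: a subset of the indicators listed above, still in the
# defanged form the alert uses ("DOT", "hxxp://", surrounding quotes).
DEFANGED_INDICATORS = [
    '"www DOT nihaorr1 DOT com"',
    'winzipices.cn',
    '"hxxp://updatead DOT com"',
    'www DOT kisswow DOT com DOT cn',
    '61 DOT 188 DOT 39 DOT 175',
]

_DOT = re.compile(r"\s*(?:\bDOT\b|\[\.\])\s*")        # ' DOT ' or '[.]' -> '.'
_SCHEME = re.compile(r"^(?:hxxps?|https?)://", re.IGNORECASE)
_HOST = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+$")


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a literal host name or IP address."""
    s = indicator.strip().strip('"\' ,')
    s = _SCHEME.sub("", s)            # drop hxxp:// or http:// prefix
    s = _DOT.sub(".", s)              # restore the dots
    s = s.split("/", 1)[0]            # keep only the host part of a URL
    return s.strip(".").lower()


def classify(value: str) -> str:
    """Return 'ip', 'domain' or 'invalid' for a refanged indicator."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    return "domain" if _HOST.match(value) else "invalid"


def build_blocklist(indicators):
    """Return (hosts_file_lines, ip_rules, rejected) for a list of defanged indicators.

    Duplicates collapse after refanging; anything that is neither a valid host
    name nor an IP address is returned in `rejected` for manual review instead
    of being silently dropped.
    """
    hosts, ip_rules, rejected = [], [], []
    seen = set()
    for raw in indicators:
        value = refang(raw)
        if value in seen:
            continue
        seen.add(value)
        kind = classify(value)
        if kind == "domain":
            hosts.append(f"0.0.0.0 {value}")
        elif kind == "ip":
            ip_rules.append(f"iptables -A OUTPUT -d {value} -j DROP")
        else:
            rejected.append(raw)
    return hosts, ip_rules, rejected


if __name__ == "__main__":
    hosts, ip_rules, rejected = build_blocklist(DEFANGED_INDICATORS)
    print("\n".join(hosts + ip_rules))
    if rejected:
        print("could not parse:", rejected)
```

Review the `rejected` list before deploying: a truncated or mistyped indicator in an alert is common, and a blocklist entry that never matches gives false assurance.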
References:
http://isc.sans.org/diary.html?storyid=4645
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080514
http://isc.sans.org/diary.html?storyid=4139
http://isc.sans.org/diary.html?storyid=4144
http://www.avertlabs.com/research/blog/index.php/2008/03/13/follow-up-to-yesterdays-mass-hack-attack/
http://www.us-cert.gov/current/archive/2008/03/14/archive.html#website_compromises_facilitating_exploitation_of
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080313
http://www.sophos.com/security/blog/2008/03/1186.html
http://blog.trendmicro.com/massive-iframe-attacks-continue/
https://isc.sans.org/diary.html?storyid=4331
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9079961&source=rss_topic17

Propagation of Storm worm variants through Valentines Day greetings
Date : February 14, 2008
It has been observed that new variants of ‘Storm Worm’ are circulating via e-mails pretending to be Valentine’s Day greetings. These spam e-mails come with subject lines such as “Valentine’s Day”, “The Love Train” and other Valentine’s Day related phrases. The e-mail contains a URL in the form of an IP address, which takes the user to a malicious website hosting the malware “valentine.exe”.
The malicious webpage looks as given below:

Upon visiting this webpage file “valentine.exe” is downloaded on the visitor’s system.
The subject lines in the e-mail are as follows:
Valentine’s Day
The Love Train
I Love You
Rockin' Valentine
You Stay in My Heart
My Heart For You
A hearty Wish
Thinking of U All Day
Users are advised to implement following countermeasures:
- Block the emails with above mentioned subject lines
- It has been observed that the malicious domains mentioned above are hosted by the Storm Botnet, mostly using the nginx/0.5.17 web server. Consider blocking packets from the nginx/0.5.17 web server through the proxy or set an appropriate alert/rule at IDS/IPS.
- Exercise caution while clicking on any link embedded inside the e-mail message/Instant messages or web pages.
- Filter e-mails with abovementioned subject lines and body.
- Install and maintain updated anti-virus software at gateway and desktop level
- Install and maintain updated anti-spyware software at desktop level
- Keep up-to-date on patches and fixes on the OS and application software
References:
http://www.cert-in.org.in/virus/Trojan_strom_worm.htm
http://www.cert-in.org.in/currentacts/currentact07.htm#RPSW
http://www.cert-in.org.in/currentacts/currentact07.htm#SWP
http://isc.incidents.org/diary.html?storyid=3979
http://www.pcworld.com/article/id,142452-c,viruses/article.html
http://news.softpedia.com/news/Storm-Spreading-Valentine-s-Day-Love-78431.shtml

Fake Microsoft Windows Update Websites
Date : February 11, 2008
It has been observed that malicious files are being propagated through fraudulent websites pretending to provide updates for Microsoft Windows.
Spam e-mails are being sent to trick users into clicking on a link to the fraudulent website. The link directs the user to a webpage asking them to click an “Urgent Install” button. When the button is clicked, an executable file named WindowsUpdateAgent30-x86-x64.exe is downloaded to the system. This executable is malware identified as Trojan-Dropper:W32/Agent.DYD, which in turn drops another malware identified as Backdoor:W32/Agent.CVU.
The malicious webpage has a button labelled “Urgent Install” and displays one of several messages. It should be noted that the word install is misspelled in the message displayed on the fake Windows Update webpage.
Some of these malicious Websites are on fast-flux DNS. The fraudulent domains are as follows:
- www8 DOT update microsoft DOT com DOT sec94 DOT in
- update DOT microsoft DOT com DOT cfm48 DOT com
- update DOT microsoft DOT com DOT asp63 DOT net
Users are advised to implement following countermeasures:
- Block the malicious domains mentioned above for both outbound HTTP requests and incoming emails
- Do not click upon any link embedded inside the untrusted e-mail messages or web pages.
- Install and maintain updated anti-virus software at gateway and desktop level
- Install and maintain updated anti-spyware software at desktop level
- Keep up-to-date on patches and fixes on the OS and application software
- Follow the guidance provided in Microsoft's document “Recognize and avoid fraudulent e-mail to Microsoft customers”.
References:
http://www.f-secure.com/weblog/archives/00001374.html
http://www.cisrt.org/enblog/read.php?230
http://www.us-cert.gov/current/index.html#fraudulent_microsoft_update_web_sites
http://www.pcmag.com/article2/0,2817,2256892,00.asp

ActiveX Vulnerabilities in Yahoo! MediaGrid, YMP Datagrid, Facebook and MySpace
Date : February 08, 2008
Update : April 09, 2008
It has been observed that vulnerabilities in several ActiveX controls, namely the Yahoo! MediaGrid ActiveX control, the YMP Datagrid ActiveX control and the Aurigma image uploader used by Facebook and MySpace, are being exploited.
The vulnerabilities can be used to execute arbitrary code or crash the vulnerable application.
Exploit code for these vulnerabilities is publicly available on the Internet and could be used by an attacker who creates a specially crafted HTML document and persuades a user to open it (e.g., a web page, or an HTML e-mail message or attachment). Successful exploitation allows the attacker to execute arbitrary code with the privileges of the user on a vulnerable system.
Users are advised to implement following countermeasures:
- Disable the Aurigma ImageUploader ActiveX controls in Internet Explorer by setting the kill bit for the following CLSIDs
- {104B0A37-AB99-4F06-8032-8BBDC3B77DDB}
- {17D667BA-5675-4AAB-9221-08B9379384D4}
- {48DD0448-9209-4F81-9F6D-D83562940134}
- {55027008-315F-4F45-BBC3-8BE119764741}
- {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0}
- {6E5E167B-1566-4316-B27F-0DDAB3484CF7}
- {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8}
- {AE2B937E-EA7D-4A8D-888C-B68D7F72A3C4}
- {AE6C4705-0F11-4ACB-BDD4-37F138BEF289}
- {B85537E9-2D9C-400A-BC92-B04F4D9FF17D}
- {BA162249-F2C5-4851-8ADC-FC58CB424243}
- {D1D98C0F-A339-42AB-BD5F-EA0FF5D0E65F}
- {D1EA8D3D-F511-4388-B754-4A0CC14A4778}
- {F1F51698-7B63-4394-8743-1F4CF1853DE1}
- {F89EF74A-956B-4BD3-A066-4F23DF891982}
- {FB90BA05-66E6-4c56-BCD3-D65B0F7EBA39}
- Alternatively, use the GUI tool from SANS ISC to set the kill bit:
http://isc.sans.org/diary.html?storyid=3931
- Disable ActiveX controls in the Internet zone while visiting untrusted websites.
- Users of Internet Explorer may upgrade to IE7 and use the ActiveX opt-in feature, which prompts the user before running ActiveX controls that are already installed on the system.
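The kill bit is a registry setting documented in Microsoft KB 240797 (referenced below): a DWORD named Compatibility Flags with the value 0x400 under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID} stops Internet Explorer from instantiating that control. The following Python script, added here as an example and not part of the original alert, renders a .reg file for a list of CLSIDs so the setting can be imported with regedit or reg import, or distributed through Group Policy; the CLSID sample is a subset of the list above. Importing the file replaces any other Compatibility Flags bits already set for those CLSIDs, which is the intended outcome for a control that should never load.

```python
import re

# Constructed sample: a subset of the Aurigma ImageUploader CLSIDs listed above.
AURIGMA_CLSIDS = [
    "{104B0A37-AB99-4F06-8032-8BBDC3B77DDB}",
    "{17D667BA-5675-4AAB-9221-08B9379384D4}",
    "{FB90BA05-66E6-4c56-BCD3-D65B0F7EBA39}",
]

# Location and value per Microsoft KB 240797: Compatibility Flags = 0x400
# (the "kill bit") stops Internet Explorer from loading the control.
KILLBIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
KILLBIT_FLAG = 0x400

_CLSID = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$")


def normalize_clsid(clsid: str) -> str:
    """Upper-case a {GUID} string and reject anything that is not one."""
    c = clsid.strip().upper()
    if not _CLSID.match(c):
        raise ValueError(f"not a CLSID: {clsid!r}")
    return c


def killbit_reg(clsids) -> str:
    """Render regedit 5.00 text that sets the kill bit for every CLSID given.

    Duplicates (including case variants) collapse to one key, so the output
    is safe to re-import.
    """
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid in sorted({normalize_clsid(c) for c in clsids}):
        lines.append(f"[{KILLBIT_KEY}\\{clsid}]")
        lines.append(f'"Compatibility Flags"=dword:{KILLBIT_FLAG:08x}')
        lines.append("")
    return "\r\n".join(lines)


if __name__ == "__main__":
    # Import on the target with:  reg import aurigma-killbit.reg
    with open("aurigma-killbit.reg", "w", newline="") as fh:
        fh.write(killbit_reg(AURIGMA_CLSIDS))
```

After importing, confirm the setting took effect by reading the key back (reg query) and by checking that Internet Explorer no longer instantiates the control on a page that references it.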
References:
http://isc.sans.org/diary.html?storyid=3929
http://isc.sans.org/diary.html?storyid=3931
http://www.kb.cert.org/vuls/id/340860
http://www.kb.cert.org/vuls/id/101676
http://support.microsoft.com/kb/240797
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9061101&pageNumber=1

Websites compromised with malicious JavaScript injection propagating malware
Date : January 23, 2008
Various websites/domains are reported to be compromised and serving information stealing malware such as Trojan Clampi. These websites are injected with malicious JavaScript file known as “Random JS Toolkit” which is in turn infecting visitors of infected websites. Both the malicious binary and the malicious script are hosted on the same domain and visitors unknowingly get infected.
An excerpt of source code of infected page is indicated below.

The name of the malicious JavaScript file changes randomly because the scripts are embedded dynamically into the webpage. This technique makes detecting the hosted script on the compromised websites difficult, and a new malicious binary is dropped onto the user's system on every visit.
The compromised web servers are running the Apache web server on Linux systems, and the attackers are abusing Apache's dynamic module loading feature, which is enabled by default.
The malicious JavaScript exploits the known vulnerabilities mentioned below to download the malware onto users' systems:
In view of the massive scale of the attack and the high damage potential of the malware, website administrators and users are advised to implement the following countermeasures:
Website administrators:
- Disable dynamic module loading in the Apache configuration (remove LoadModule directives that are not required, or build httpd without mod_so) and verify which modules are compiled in with httpd -l.
- Apply appropriate patches and updates to the operating system and application software.
- Refer to CERT-In Web Server Security Guidelines (CISG-2004-04).
Users:
- Follow the countermeasures mentioned in the CERT-In virus alert on Trojan Clampi to remove locally stored usernames, passwords and other credentials.
- Keep up-to-date on patches and fixes on the operating system and application software.
- Install and maintain updated anti-virus software at gateway and desktop level.
- Install and maintain updated anti-spyware software at desktop level.
- Install and maintain Desktop Firewall and block the ports which are not required.
References:
http://blog.trendmicro.com/e-commerce-sites-invaded/
http://www.finjan.com/Pressrelease.aspx?id=1820&PressLan
=1819&lan=3
http://www.securityfocus.com/news/11501
http://www.secureworks.com/research/threats/linuxservers/?
threat=linuxservers
http://www.cert-in.org.in/virus/Trojan_Clampi.htm

Propagation of Storm Worm variants through Happy New Year Greetings
Date : December 26, 2007
Updated: January 02, 2008
It has been observed that new variants of ‘Storm Worm' are circulating via e-mails purporting to be Happy New Year greetings. The e-mail comes with a link to the malicious domain "uhavepostcard DOT com" or "happycards2008 DOT com" inside the body of the message. The domain "uhavepostcard DOT com" is hosting the malicious file happy-2008.exe.
It may be noted that Storm worm is also spreading through Christmas greeting cards as mentioned earlier, but the malicious domain merrychristmasdude DOT com is now hosting the malicious file happy-2008.exe.
The Storm Botnet is using Fast-Flux DNS technique to resolve the abovementioned malicious domain to multiple IP addresses distributed globally.
The Storm Worm (also known as Zhelatin, Peacomm, Tibs), which first appeared in January 2007, uses various social engineering techniques and spam e-mails to propagate widely, and its botnet is still growing, with millions of bots.
The Subject lines of the circulating email messages are:
Happy New Year and someone's name
Happy NW (random name)
A fresh new year
As the new year...
As you embrace another new year
Blasting new year
Happy 2008!
Happy New Year!
It's the new Year
Joyous new year
New Hope and New Beginnings
New Year Ecard
New Year Postcard
Opportunities for the new year
Wishes for the new year
It is also observed that another variant of Trojan Delf is spreading through spam e-mails with the attachment Happynewyear DOT exe. This malicious file is hosted on the domain lbss DOT 3322 DOT org.
Update: In addition to the domains mentioned above, more malicious domains are being reported. The complete list of malicious domains is as follows:
- uhavepostcard DOT com
- merrychristmasdude DOT com
- americangreetings DOT b719 DOT cn
- americangreetings DOT 846123 DOT cn
- lbss DOT 3322 DOT org
- happycards2008 DOT com
- newyear2008 DOT com
- newyearcards2008 DOT com
- newyearwithlove DOT com
- familypostcards2008 DOT com
- freshcards2008 DOT com
- happysantacards DOT com
- hohoho2008 DOT com
- happy2008toyou DOT com
- santapcards DOT com
- hellosanta2008 DOT com
- santawishes2008 DOT com
Note: Users are advised to visit this page regularly to get the updated list of malicious domains.
Users are advised to implement following countermeasures:
- Block the malicious domains mentioned above for both outbound HTTP requests and incoming emails
- It has been observed that the malicious domains mentioned above are hosted by the Storm Botnet, mostly using the nginx/0.5.17 web server. Consider blocking packets from the nginx/0.5.17 web server through the proxy or set an appropriate alert/rule at IDS/IPS.
- Exercise caution while clicking on any link embedded inside the e-mail message/Instant messages or web pages.
- Filter e-mails with abovementioned subject lines and body.
- Install and maintain updated anti-virus software at gateway and desktop level
- Install and maintain updated anti-spyware software at desktop level
- Keep up-to-date on patches and fixes on the OS and application software
References:
http://www.f-secure.com/weblog/
http://isc.sans.org/diary.html?storyid=3784
http://www.isc.sans.org/diary.html?storyid=3778
http://www.cisrt.org/enblog/read.php?208
http://www.cert-in.org.in/virus/Trojan_strom_worm.htm
http://www.cert-in.org.in/currentacts/currentact07.htm#RPSW
http://www.cert-in.org.in/currentacts/currentact07.htm#SWP
http://holisticinfosec.blogspot.com/2007/12/new-years-storm-deja-vu.html

Propagation of Storm Worm variants through Christmas Greetings
Date : December 24, 2007
It has been observed that new variants of ‘Storm Worm' are circulating via e-mail purporting to be Christmas greetings. The e-mail comes with the malicious link merrychristmasdude DOT com embedded inside the body of the message. The domain hosts a malicious binary (stripshow DOT exe), and the webpage entices users to click on malicious links to download the malware variants.
The Storm Botnet is using Fast-Flux DNS technique to resolve the abovementioned malicious domain to multiple IP addresses distributed globally.
The Storm Worm (also known as Zhelatin, Peacomm, Tibs), which first appeared in January 2007, uses various social engineering techniques and spam e-mails to propagate widely, and its botnet is still growing, with millions of bots.
The Subject lines of the circulating email messages are:
I love this Carol!
Santa Said, HO HO HO
Christmas Email
The Perfect Christmas
Find Some Christmas Tail
Time for a little Christmas Cheer
The email body contains:
do you have a min?
This Christmas, we want to show you something you will really enjoy. Forget all the stress for two min and feast your eyes on these. ;-)
http://merrychristmasdude DOT com/
It has also been reported that other domains "americangreetings DOT b719 DOT cn" and "americangreetings DOT 846123 DOT cn" are spreading Storm worm variants like Zhelatin.pe. These websites are tricking users by sending malware in the form of fake Adobe Flash Player.
In view of the rapid propagation and high damage potential of the Storm Worm, users are advised to implement the following countermeasures:
- Block the malicious domains “merrychristmasdude DOT com” "americangreetings DOT b719 DOT cn" and "americangreetings DOT 846123 DOT cn" for both outbound HTTP requests and incoming emails.
- It has been observed that the malicious domains mentioned above are hosted by the Storm Botnet, mostly using the nginx/0.5.17 web server. Consider blocking packets from the nginx/0.5.17 web server through the proxy or set an appropriate alert/rule at IDS/IPS.
- Exercise caution while clicking on any link embedded inside the e-mail message/Instant messages or web pages.
- Filter e-mails with abovementioned subject lines and body.
- Install and maintain updated anti-virus software at gateway and desktop level.
- Install and maintain updated anti-spyware software at desktop level.
- Keep up-to-date on patches and fixes on the OS and application software.
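The three Storm Worm greeting-card alerts above (Valentine's Day, Happy New Year and Christmas) share the same indicators: a small set of subject lines, links to known domains or to a bare IP address instead of a host name, and hosting on a web server that announces itself as nginx/0.5.17. The following Python code, added here as an example and not part of the original alerts, turns those indicators into a mail filter check and a proxy-log check; the subject and domain lists are a subset of those published above, and the sample e-mail is constructed (203.0.113.77 is a documentation address, not a real Storm host).

```python
import re
from email import message_from_string
from email.message import Message

# Indicators taken from the Storm Worm alerts on this page (subset).
STORM_SUBJECTS = {
    "valentine's day", "the love train", "i love you", "rockin' valentine",
    "you stay in my heart", "happy 2008!", "happy new year!", "new year ecard",
    "santa said, ho ho ho", "christmas email", "the perfect christmas",
}
STORM_DOMAINS = {
    "merrychristmasdude.com", "uhavepostcard.com", "happycards2008.com",
    "americangreetings.b719.cn", "americangreetings.846123.cn",
}
STORM_SERVER_BANNER = "nginx/0.5.17"

_URL_HOST = re.compile(r"""https?://([^\s/"'<>]+)""", re.IGNORECASE)
_IPV4_LITERAL = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed sample message in the style of the Valentine's Day spam.
SAMPLE_EMAIL = """\
From: postcard@example.net
To: victim@example.com
Subject: Valentine\u2019s Day

Someone has sent you a card. View it at http://203.0.113.77/
"""


def _norm_subject(subject: str) -> str:
    """Fold curly apostrophes/quotes and case so the published list matches."""
    return (subject.replace("\u2019", "'").replace("\u201c", '"')
            .replace("\u201d", '"').strip().lower())


def _text_parts(msg: Message):
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True)
            if payload:
                yield payload.decode(part.get_content_charset() or "utf-8", "replace")


def _known_domain(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in STORM_DOMAINS)


def score_email(raw: str):
    """Return the Storm indicators found in one RFC 822 message (empty list = clean)."""
    msg = message_from_string(raw)
    hits = []
    if _norm_subject(msg.get("Subject", "")) in STORM_SUBJECTS:
        hits.append("known-subject")
    for text in _text_parts(msg):
        for host in _URL_HOST.findall(text):
            host = host.lower().split(":")[0]          # drop any :port
            if _IPV4_LITERAL.match(host):
                hits.append(f"ip-literal-url:{host}")  # bare-IP link, as in the Valentine's spam
            elif _known_domain(host):
                hits.append(f"known-domain:{host}")
    return hits


def is_storm_server(headers: dict) -> bool:
    """True when an HTTP response's Server banner is the one the alerts tie to Storm hosting."""
    return any(name.lower() == "server" and value.strip().lower() == STORM_SERVER_BANNER
               for name, value in headers.items())


if __name__ == "__main__":
    print(score_email(SAMPLE_EMAIL))                    # ['known-subject', 'ip-literal-url:203.0.113.77']
    print(is_storm_server({"Server": "nginx/0.5.17"}))  # True
```

A subject-line match on its own is weak evidence (legitimate greetings use the same phrases), so a gateway rule should act on the combination of indicators rather than on any one of them; the bare-IP link is the strongest single signal here.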
References:
http://www.isc.sans.org/diary.html?storyid=3778
http://www.cisrt.org/enblog/read.php?208
http://www.cert-in.org.in/virus/Trojan_strom_worm.htm
http://www.cert-in.org.in/currentacts/currentact07.htm#RPSW
http://www.cert-in.org.in/currentacts/currentact07.htm#SWP

Information stealing Trojans spreading widely
Date : December 17, 2007
It has been observed that information stealing Trojans such as Nethell and BZub are spreading widely.
These Trojans steal confidential information from the infected system, such as user accounts, credit card numbers and passwords used for applications like e-mail and online transactions, and upload the data to remote servers under the attacker's control.
The BZub Trojan and its variants spread through spammed e-mail messages. The Nethell Trojan and its variants are downloaded by other malware already present on the infected system.
These Trojans perform malicious activities such as key logging, capturing screenshots, gathering information from temporary content files used by browsers, and adding malicious Browser Helper Objects (BHOs). With these features the Trojans gather information when the user accesses e-mail or performs online transactions from the infected system.
In addition, systems infected with these Trojans can become bots used by the attacker for malicious activity such as spamming and denial of service attacks. The Trojans achieve this by lowering security settings, installing backdoors, infecting system files, or spreading to other networked machines. For further details regarding these Trojans refer to the respective CERT-In virus alerts at the following links:
http://www.cert-in.org.in/virus/BZub-Trojan.htm
http://www.cert-in.org.in/virus/Nethell_Trojan.htm
http://www.cert-in.org.in/virus/Bankerinfostealer.htm
http://www.cert-in.org.in/virus/Win32_Banker.htm
In view of the rapid propagation and high damage potential of these Trojans, users are advised to follow security best practices and implement the following countermeasures:
- Install and maintain updated anti-virus software at gateway and desktop level
- Install and maintain updated anti-spyware software at desktop level
- Install a personal firewall
- Configure client systems with least privileges and use the Administrator account judiciously
- Keep up-to-date with patches and fixes on the operating system and application software
- Exercise caution while opening unsolicited e-mails and do not click on links embedded within them
- In case your financial or personal information is compromised, immediately contact your financial institution/bank and report the same
- Follow security guidelines issued by CERT-In:
Securing Home Computers:
http://www.cert-in.org.in/knowledgebase/guidelines/cisg-2005-03.htm
Anti Virus Policy & Best Practices:
http://www.cert-in.org.in/knowledgebase/guidelines/cisg-2003-05.pdf
System Security Guidelines:
http://www.cert-in.org.in/knowledgebase/guidelines/cisg-2003-04.pdf
References:
Symantec
http://www.symantec.com/security_response/writeup.jsp?docid=2006-041915-4629-99
http://www.symantec.com/security_response/writeup.jsp?docid=2006-041915-4629-99&tabid=1
SunBelt
http://research.sunbelt-software.com/threatdisplay.aspx?name=Trojan.Nethell&threatid=55365
Sophos
http://www.sophos.com/security/analyses/trojnethellh.html
F-Secure
http://www.f-secure.com/v-descs/trojan-spy_w32_bzub.shtml#details
McAfee
http://vil.nai.com/vil/content/v_139621.htm

Release of new Apache httpd versions
Date : September 20, 2007
Apache httpd versions 2.2.6, 2.0.61 and 1.3.39 have been released, fixing six vulnerabilities, viz. CVE-2007-3304, CVE-2007-5752, CVE-2007-1863, CISB-Aug07, CVE-2007-1862 and CIVN-2007-124. These vulnerabilities could be exploited by a remote unauthenticated attacker to cause denial of service or to carry out cross-site scripting attacks against the vulnerable systems.
Users are advised to update to Apache httpd versions 2.2.6, 2.0.61 and 1.3.39 to mitigate the security risks associated with the above vulnerabilities.
Note: System administrators/users are advised to test these released versions before applying to their production servers.
References:
Apache
http://httpd.apache.org
http://www.apache.org/dist/httpd/CHANGES_2.2.6

Rapid propagation of Storm worm using various social engineering techniques
Date : August 23, 2007
Updated : September 12, 2007
It has been observed that variants of ‘Storm Worm' are circulating widely using various social engineering techniques. Storm worm, also known as Zhelatin, started spreading in January 2007 through e-mail attachments with subject lines related to a European storm video.
Currently Storm worm is spreading through malicious links in e-mails. E-mail contents and subjects are changing rapidly. A sample e-mail is shown here:

Clicking on the link takes the user to a web page containing a link. The web page attempts to exploit certain vulnerabilities and uses social engineering to persuade the user to click on the link and download the malicious file, as shown here:
The source code of a malicious web page is shown here:

The malicious file is a bot program and relies on deception to infect the target system. Storm Worm has created a large botnet since January 2007 which is still growing. This botnet uses Fast-Flux Domain Name Service hosting, which makes it harder to take down.
Storm worm has already been used for denial of service attacks and appears to be developing its attack techniques.
In view of the rapid propagation of the Storm worm, users are advised to implement the following countermeasures:
- Do not click on the link provided in any unsolicited e-mails.
- Keep up-to-date on patches and fixes on the operating system and application software.
- Install and maintain updated anti-virus software at gateway and desktop level.
- It has been observed that Storm worm is using the nginx/0.5.17 web server. Consider blocking packets from the nginx/0.5.17 web server through the proxy or set an appropriate alert/rule at IDS/IPS.
References:
http://isc.sans.org/diary.html?storyid=3286
http://isc.sans.org/diary.html?storyid=3298
http://isc.incidents.org/diary.html?storyid=3321
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=201800635
http://www.securityfocus.com/news/11482
http://www.securityfocus.com/news/11473
http://isc.sans.org/diary.html?storyid=2071
http://www.cert-in.org.in/currentacts/currentact07.htm#SW
http://www.cert-in.org.in/virus/Trojan_strom_worm.htm

Propagation of “Storm Worm” variants through Emails
Date : July 11, 2007
It has been observed that new variants of ‘Storm Worm' are circulating in the wild, propagating via e-mail. The e-mail lures the user into installing a “patch” from a link embedded in the body of the message. On clicking the link, the malicious executable is downloaded to the system, infecting it.
The website hosting the malware contains JavaScript that attempts to exploit the browser and compromise the system. Once the browser is successfully exploited the system is compromised and the malicious payload is downloaded.
The Subject lines of the circulating email messages are:
Virus Detected!
Trojan Alert!
Worm Alert!
Worm Activity Detected!
Spyware Alert!
Warning!
The email body contains:
Dear customer ,
Our robot has detected an abnormal activity from your IP address on sending e-mails.Probably it is connected with last epidemic of a worm which does not have official patches at the moment.
We recommend you to install this patch to remove worm files and stop email sending,otherwise your account will be blocked.
Postmaster.
In view of the rapid propagation of these Trojan variants, users are advised to implement the following countermeasures:
- Install and maintain updated anti-virus software at gateway and desktop level.
- Filter emails with abovementioned subject lines at the gateway.
- Do not click on the link provided in any unsolicited emails.
- Keep up-to-date on patches and fixes on the operating system and application software.
- Monitor traffic for surge on unusual ports.
References:
http://isc.sans.org/diary.html?storyid=3117
http://www.cert-in.org.in/virus/Trojan_strom_worm.htm

Malicious tool Mpack Compromises Computers on massive scale
Date : June 22, 2007
It has been reported that a large number of computers have been compromised using a malware distribution and attack kit known as MPack. MPack is detected as Trojan.Mpkit!html (Symantec).
MPack was discovered in December 2006 and has reportedly compromised thousands of systems in the last six months. Major attacks were noticed on Italian websites during the last week.
MPack is a collection of components written in PHP. It runs on a PHP-enabled web server with a database backend. It has been reported that the MPack kit is being sold commercially through underground channels under the name FTP-Toolz Pack.
A typical attack scenario is as follows:
- The attacker breaks into a legitimate website and adds an IFRAME snippet to its webpages to redirect unsuspecting visitors to the malicious MPack server. Attackers are also using typo-squatting to redirect users to the malicious server.
- The MPack server uses the HTTP request headers to determine the operating system and web browser of the visitor's system, and selects the appropriate exploit code for that combination. MPack records information about the visitor's computer, the exploit code used and the visitor's country.
- After the compromise, the shellcode directs the compromised computer to download malicious files from the MPack server. Once executed on the compromised system, this malicious file downloads further malicious files from other locations.
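The first step of the MPack scenario above, an IFRAME injected into a legitimate page, leaves a pattern a site owner can scan for: a frame that is invisible (zero or one pixel in size, or hidden by CSS) and that loads from a host other than the site itself. The following Python scanner, added here as an example and not part of the original alert or of the MPack kit, flags such frames in a page's HTML; the sample page and the host name mpack.example.invalid are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page: one legitimate same-site iframe and one injected iframe of
# the kind described above (zero size, CSS-hidden, pointing at a third-party host).
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="/widgets/weather.html" width="300" height="200"></iframe>
<p>Site content...</p>
<iframe src="http://mpack.example.invalid/in.cgi?3" width="0" height="0" style="visibility:hidden"></iframe>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag (HTMLParser lower-cases names)."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({name: (value or "") for name, value in attrs})


def _tiny(dimension) -> bool:
    """True for width/height values of 0 or 1, with or without a px suffix."""
    try:
        return int(dimension.strip().lower().rstrip("px")) <= 1
    except (ValueError, AttributeError):
        return False


def suspicious_iframes(html: str, site_host: str):
    """Return iframes that are both hidden (tiny or CSS-hidden) and load from another host.

    A relative src resolves to the site itself; a large, visible third-party frame
    (an ad, a map) is not flagged, so only the injected-redirector pattern remains.
    """
    collector = IframeCollector()
    collector.feed(html)
    flagged = []
    for frame in collector.iframes:
        host = urlsplit(frame.get("src", "")).hostname or site_host
        off_site = host.lower() != site_host.lower()
        style = frame.get("style", "").replace(" ", "").lower()
        hidden = (_tiny(frame.get("width")) or _tiny(frame.get("height"))
                  or "display:none" in style or "visibility:hidden" in style)
        if off_site and hidden:
            flagged.append(frame)
    return flagged


if __name__ == "__main__":
    for frame in suspicious_iframes(SAMPLE_PAGE, "www.example.com"):
        print("suspicious iframe:", frame.get("src"))
```

Run this against the pages as served (fetched over HTTP, not read from the source tree), since injection often happens in the deployed files or in a template the server-side code appends; a hit is a signal to compare the served page against a known-good copy and to check the web server and its credentials for compromise.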
In view of the rapid exploitation of vulnerabilities by MPack, users are advised to:
- Deploy appropriate security measures to protect web servers. Users may refer to CERT-In Web Server Security Guidelines