## August 2008 - Posts

### The Summer Storm

Aug19

by Sarah Calaunan (Fraud Analyst)

Photobucket is, by far, one of the largest photo-sharing sites in the world. It is generally used for personal photographic albums, remote storage of avatars displayed on Internet forums, and storage of videos.

Lots of people may opt to keep their albums private, allow password-protected guest access, or open them up to the public. And now this photo-sharing site is being attacked by phishers.

The phishing login page (shown in the screenshot above) looks exactly like the original site and lures users into entering their user name and password.

Once victims enter their credentials, phishers can use them to obtain full access to victims’ Photobucket accounts, and may use the latter’s albums to insert malicious code.

Image-hosting sites have grown intensely popular and are widely used. A report from McCann released in March of this year stated that 63.2% of all active Internet users worldwide visit photo-sharing Web sites on a daily basis. So it naturally follows that popular image-hosting sites have become the targets of several attacks.

This particular URL is now blocked by the Trend Micro Smart Protection Network.

### Travel the World without Moving - Literally!


Aug17

by Aivee Cortez (Fraud Analyst)

Oi Fotos, a photo storage Web site in Brazil, has been victimized recently by a phishing-spyware combo.

Figure 1: Screenshot of the legitimate Oi Fotos Web site

The bad guys have taken advantage of the mobile service of Oi Fotos. The phishing email contains a notification that the recipient has received photos from a cellular account and offers them an opportunity to view them — and of course, they need to click on the image.

A rough translation of the displayed text is as follows:

"You received a Oi Photos from cellular (0xx) **** - 2981. To see the photos, just click on the image below."

Figure 2: Sample screenshot of the phishing email

Upon clicking as directed, the recipient is directed to a malicious phishing site, which eventually attempts to install a piece of spyware, a program that monitors and gathers user information (e.g. online banking login credentials) from the victim’s machine.

Figure 3: Sample screenshot of the pop-up window that prompts users to download a spyware file on their systems

Trend Micro already detects the file as MAL_BANKER, a heuristics detection name for files that manifest characteristics similar to those of the TSPY_BANCOS and TSPY_BANKER spyware families. These families can steal online banking information.

The URLs are now blocked by the Trend Micro Smart Protection Network.

### Compromised Cpanel Accounts For Sale

Is the embedded-malware tactic, so popular in the second quarter of 2007, on the verge of irrelevance, and if so, what has contributed to its decline? Have SQL injections executed through botnets become the most efficient way to infect hundreds of thousands of legitimate web sites? It depends on who you're dealing with.

A cyber criminal's position in the "underground food chain" can easily be inferred from the tools and tactics he takes advantage of. In fact, some deliberately misrepresent their actual capabilities so as not to draw too much attention to their real ones, which consist of high-profile compromises at hundreds of high-profile web sites.

Embedded malware may not be as hot as it was in the last quarter of 2007, but thanks to the oversupply of stolen accounting data, certain individuals within the underground ecosystem appear to be abusing entire portfolios of domains by purchasing access to the compromised accounts. In fact, the oversupply of compromised Cpanel accounts is logically driving their price down, so sellers differentiate their offerings and charge premium prices based on a site's page rank and traffic, measured through publicly available services or through the site's internal statistics.

SQL injection may be the tactic of choice for the time being, but as long as stolen accounting data consisting of Cpanel logins, and web shell access to misconfigured web servers, remain desired underground goods, good old-fashioned embedded malware will continue to take place.

Interestingly, from an economic perspective, the way the seller markets his goods can greatly influence the way they get abused, given that he continues to offer after-sale services and support. I have blackhat search engine optimization in mind: it is sometimes the tactic of choice, especially given its high liquidity when it comes to monetizing the compromised access.

The bottom line: for the time being, there is a higher probability that your web properties will get SQL injected than IFRAME-ed, as was the case half a year ago. What used to be a situation where malicious parties aimed a targeted attack at a high-profile site in order to abuse the huge traffic it receives is today's pragmatic reality, in which a couple of hundred low-profile web sites can in fact return more traffic to the cyber criminals and greatly extend the lifecycle of their campaign, taking advantage of the fact that the low-profile site owners will remain infected and vulnerable for months to come.


### China Netcom DNS cache poisoning

Date: 08.19.2008

Threat Type: Malicious Web Site / Malicious Code

Websense® Security Labs™ ThreatSeeker™ Network has detected that the DNS cache on the default DNS server used by the customers of China Netcom (CNC) has been poisoned. When China Netcom customers mistype and enter an invalid domain name, the poisoned DNS server directs the visitor's browser to a page that contains malicious code. China Netcom is among the top ISPs in that country.

When users mistype a domain name, they are sometimes directed by their ISPs to a placeholder Web site with generic advertisements. This is typically an additional revenue source for the ISP. In the case of CNC, customers of this prominent ISP are directed to a Web site under the control of an attacker.

These malicious sites contain an iframe with malicious code that attempts to exploit, among other applications and plug-ins, the Microsoft Snapshot Viewer vulnerability which we reported on at the start of the month.

The following screenshots show an nslookup of a potential mistyped URL. The first shows an unaffected name server, while the second shows the poisoned name server:

Unaffected name server:

Poisoned DNS server:

A user querying an unaffected DNS server is taken through to a clean site:

A user querying a poisoned name server is taken to a malicious site under the attacker's control:

The malicious iframe points to a server in China hosting exploits for RealPlayer, MS06-014, MS Snapshot Viewer and Adobe Flash player.
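A small resolver check in the spirit of the nslookup comparison above, added here as an example and not part of the Websense post: it parses constructed (not captured) nslookup transcripts for a random name that should not exist, and flags a resolver that turns NXDOMAIN into an A record. The resolver names and 192.0.2.x addresses are made up; the `known_redirect_hosts` parameter is an assumption that lets an operator separate the ISP's usual advertising page from an unexpected destination.

```python
import re
import secrets
import string

# Constructed sample nslookup transcripts standing in for the two screenshots the
# post describes. 192.0.2.0/24 is documentation address space, not a real host.
UNAFFECTED_NSLOOKUP = """Server:  resolver-a.example
Address:  192.0.2.1

*** resolver-a.example can't find www.mistyped-exampel.com: Non-existent domain
"""

POISONED_NSLOOKUP = """Server:  resolver-b.example
Address:  192.0.2.2

Non-authoritative answer:
Name:    www.mistyped-exampel.com
Address:  192.0.2.99
"""

NXDOMAIN_RE = re.compile(r"can't find .*: Non-existent domain", re.IGNORECASE)
ADDRESS_RE = re.compile(r"^Address(?:es)?:\s+(.+)$", re.MULTILINE)


def probe_name(tld="com"):
    """Random label that should not exist; any resolver answering it is suspect."""
    label = "".join(secrets.choice(string.ascii_lowercase) for _ in range(16))
    return f"{label}.{tld}"


def parse_nslookup(output):
    """Reduce nslookup text to ('NXDOMAIN', []), ('ANSWER', [ips]) or ('NOANSWER', []).

    The first Address: line is the resolver's own address and is skipped.
    """
    if NXDOMAIN_RE.search(output):
        return "NXDOMAIN", []
    addrs = []
    for chunk in ADDRESS_RE.findall(output)[1:]:
        addrs.extend(chunk.replace(",", " ").split())
    return ("ANSWER", addrs) if addrs else ("NOANSWER", [])


def assess_resolver(resolver_output, trusted_output, known_redirect_hosts=frozenset()):
    """Classify a resolver's answer for a name a trusted resolver reports as NXDOMAIN.

    'isp-redirect' means the rewritten answer points only at addresses the operator
    already knows (the ISP's usual advertising page); anything else is 'suspect'.
    """
    trusted_status, _ = parse_nslookup(trusted_output)
    if trusted_status != "NXDOMAIN":
        return "inconclusive"  # the probe name exists after all; pick another
    status, addrs = parse_nslookup(resolver_output)
    if status != "ANSWER":
        return "clean"
    if set(addrs) <= set(known_redirect_hosts):
        return "isp-redirect"
    return "suspect"


if __name__ == "__main__":
    print(probe_name())
    print(assess_resolver(POISONED_NSLOOKUP, UNAFFECTED_NSLOOKUP))
```

To run it against real resolvers, feed the output of `nslookup <probe_name()> <resolver>` into the same functions.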

Websense Messaging and Websense Web Security customers are protected against this attack.

********************************************************************

Title: Microsoft Security Bulletin Re-Releases

Issued: August 26, 2008

********************************************************************

Summary

=======

The following bulletins have undergone a major revision increment.

Please see the appropriate bulletin for more details.

* MS07-050 - Critical

Bulletin Information:

=====================

* MS07-050 - Critical

- Reason for Revision: V2.0 (August 26, 2008): Bulletin revised to include Internet Explorer 7 for Windows XP Service Pack 3.

- Originally posted: August 14, 2007

- Updated: August 26, 2008

- Bulletin Severity Rating: Critical

- Version: 2.0

#### More Than a Toolbar

Tuesday August 19, 2008 at 10:50 am CST
Posted by Di Tian

We received a sample recently from a customer. Its file name, ToolbarSetup.exe, implies it may be a toolbar installer. Upon execution, it displays the eBay toolbar EULA and the installation interface. And this program does indeed install the eBay toolbar.

However, something grabbed my attention during the installation. Besides the 2ebaytoolbarsetup.exe process, the program also created the wscript.exe process and ran .vbs files, which is not common for a toolbar installation. So I looked into every file dropped by the installer. Then something caught my eye. Besides the dozens of legitimate eBay toolbar components, there was a file named startup.exe. Unlike the toolbar components, this file had no version information. So I ran it in my test environment, and it generated a few batch and Visual Basic script files. The image below shows one of the generated .vbs files.

This file silently opens TCP port 3389, which is by default the port for Terminal Services. It creates a new account, "eBayMember", with Administrator privileges and enables this account to remotely access the infected machine. The created account is also hidden from the login screen to prevent the victim from noticing.

Then the remote access ability of the compromised machine was verified by using the user name and password defined in the malicious .vbs file, as illustrated below. A successful login suggests the infected machine could be completely controlled by a remote attacker.
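A defender-side audit for the behaviour described above, added here as an example and not part of the original post: it parses constructed (not captured) output of `net user`, `net localgroup administrators` and `reg query`, and reports non-baseline accounts that are administrators and/or hidden while Remote Desktop is enabled. It assumes the account is hidden through the Winlogon SpecialAccounts\UserList key (the post does not show the script) and that Remote Desktop state is read from fDenyTSConnections; collecting the live output with those commands is left to the reader.

```python
import re

# Constructed sample command output (not from the post), shaped like 'net user',
# 'net localgroup administrators' and 'reg query' on a Windows host. The account
# name is the one the post describes; the host name is made up.
NET_USER_OUTPUT = r"""
User accounts for \\VICTIM-PC

-------------------------------------------------------------------------------
Administrator            Guest                    alice
eBayMember
The command completed successfully.
"""

LOCALGROUP_OUTPUT = r"""
Alias name     administrators
Members

-------------------------------------------------------------------------------
Administrator
alice
eBayMember
The command completed successfully.
"""

# reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList"
USERLIST_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
    eBayMember    REG_DWORD    0x0
"""

# reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections
TERMSERV_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server
    fDenyTSConnections    REG_DWORD    0x0
"""

BASELINE_ACCOUNTS = frozenset({"Administrator", "Guest"})


def parse_net_listing(output):
    """Names printed by 'net user' / 'net localgroup' between the dashed rule and the footer."""
    names, in_list = set(), False
    for line in output.splitlines():
        if line.startswith("----"):
            in_list = True
        elif line.startswith("The command completed"):
            break
        elif in_list:
            names.update(line.split())
    return names


def reg_dword(output, value_name):
    """Integer value of a REG_DWORD from 'reg query' output, or None if absent."""
    m = re.search(rf"^\s*{re.escape(value_name)}\s+REG_DWORD\s+(0x[0-9a-fA-F]+)",
                  output, re.MULTILINE)
    return int(m.group(1), 16) if m else None


def hidden_accounts(userlist_output):
    """UserList entries set to 0 hide that account from the Welcome/login screen."""
    return {m.group(1) for m in
            re.finditer(r"^\s*(\S+)\s+REG_DWORD\s+0x0\s*$", userlist_output, re.MULTILINE)}


def audit(net_user_out, localgroup_out, userlist_out, termserv_out, baseline=BASELINE_ACCOUNTS):
    """Report non-baseline accounts that are admins and/or hidden, noting RDP state."""
    admins = parse_net_listing(localgroup_out)
    hidden = hidden_accounts(userlist_out)
    rdp_enabled = reg_dword(termserv_out, "fDenyTSConnections") == 0
    findings = {}
    for name in sorted(parse_net_listing(net_user_out) - baseline):
        reasons = []
        if name in admins:
            reasons.append("member of Administrators")
        if name in hidden:
            reasons.append("hidden from login screen")
        if reasons and rdp_enabled:
            reasons.append("RDP enabled (TCP 3389)")
        if reasons:
            findings[name] = reasons
    return findings
```

An account that is both an administrator and hidden, with RDP on, is the combination this toolbar left behind; an ordinary unhidden admin such as the sample's "alice" is reported too but is normally expected.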

Still feel safe downloading and installing toolbars from untrusted sources? Attackers can take advantage.

Aug16
by Macky Cruz (Technical Communications)

Trend Micro Advanced Threats Researchers Ivan Macalintal and Paul Ferguson report that Internet spammers have turned to file-sharing scare-tactics. This is to entice would-be victims to open a malicious attachment, threatening the unfortunate recipients with interrupted Internet connectivity or legal action.

Here are screenshots of two of the sample email messages:

Figure 1. A certain “ISP Consorcium” [sic] purports to protect the rights of software authors by monitoring networks.

Figure 2. Media Defender, a company known to protect clients from copyright infringement, was used this time. The spam says that the company claimed to have logged Internet activity on several BitTorrent sites.

Recipients are most likely to be motivated by fear to fall for this ruse. It is, after all, the Internet surfer’s worst nightmare to have all their Internet activities known to other parties — especially those who threaten legal prosecution.

These spam runs seem to use a self-righteous tone against piracy, which makes the ruse even all the more believable. (Remember the Feds supposedly scanning Facebook accounts? Or how about the even more far-fetched one about the death of the Internet?)

However, downloading the attached file is not in the recipient’s best interests. We advise users to consider all unsolicited email suspect. We are currently investigating this incident and will update this entry as more information becomes available.

### Drops, Dumps, CVVS, WMZ, WU, et cetera...

Posted by Mikko @ 11:41 GMT

Underground forums are always full of chatter around various activities related to online crime.

You keep reading about things like dumps (stolen credit card information), carding (using those cards), WU (Western Union), WMZ (Webmoney), CVVs (card verification value) and drops.

So what's a drop?

A drop is a remailing location. Many online shops refuse to send expensive items (think laptops, video cameras and so on) to faraway countries. So criminals use stolen credit cards to purchase items and have them mailed to a local drop, where someone else picks up the gear and forwards it to the final destination. Alternatively the dropkeeper will simply sell the goods in online auctions and then credit the carder with part of the profits.

Here's an example from an underground forum where an individual is advertising his website, providing such services. He offers 25% of the profits from the carded items to the carder — keeping 75% for himself.

And here's his website. Nice one.

Aug15
by Ryan Flores (Advanced Threats Researcher)

Seems like the bad guys pushing fake antivirus software are not done yet.

We received several reports from the North American region earlier today about users being victimized by a rogue antispyware software. Users download this rogue program after they have somehow been convinced to click on malicious links. These links point to malware that caused overt signs (such as popup balloons and modified wallpapers) to appear on the PC, suggesting that the system has indeed been infected. This is not goodwill, though — downloading the “trial version” only scans the system. To remove the infection, the user will have to purchase the entire antispyware with real money. Users may be infected via spammed email messages, spammed instant messages, or even via ads served in social networking sites.

Soon enough, we discovered not one but two fake antivirus programs. This time the attack is made possible through mass SEO (search engine optimization) poisoning involving several compromised Web sites. This development has certainly upped the chances of the rogue antispyware gaining mileage.

How does this work?

A simple Google/Yahoo! search can lead users to a malware-serving site. Search strings such as “changes on the river amazon” or “changes made for mount Pinatubo” will lead them to a malicious Web site. Users who happen to use these strings will find themselves going down the long road of nasty redirections.

Figure 1. Poisoned string leads users to a malware-serving site.

Figure 2. Poisoned string leads users to a malware-serving site.

The two Web sites hosting the malicious pages are normal by themselves, but the exact URLs they point to will automatically redirect to hxxp:// windows-scanner2009. com.

Figure 3. The PC is redirected several times, during which the user begins to see signs that the PC is infected.

Figure 4. Message boxes suggest that the user might want to get rid of viruses in his/her PC by installing a certain software named Antivirus 2009.

Figure 5. Clicking OK in Figure 4 means the user has agreed to a “free scan.” The message even ends with what should be a comforting note saying that the file is certified free of malware. But don’t be fooled.

Figure 6. A convincing GUI for Antivirus 2009 performing the system scan might still convince users that they are using legitimate software.

After all the fake notifications, the user will be asked to download the file AV2009Install_880488.exe, which is detected by Trend Micro as TROJ_FAKEAV.DM.

The other fake antivirus will lead users to hxxp://scan. free-antispyware-scanner. com instead of the earlier example.

Figure 7. Variation on the rogue antispyware scam.

This will ask the user to download setup_100722_3.exe (detected as TROJ_FRAUDLOA.WM) instead of AV2009Install_880488.exe. (Note that the final agenda for both and most rogue antispyware scams is extortion. Users who fall for this scam pay a certain amount of money to the malware writers to purchase the full version of the fake antispyware.)

According to our investigation, several dozen currently compromised domains are involved. The hackers were able to upload PHP scripts that contain various text strings designed for SEO poisoning (manipulating or influencing the natural page rankings of search results in order to get more hits than a page really deserves).

This is not the first time Trend Micro has seen this incident — a previous SEO poisoning of this scale was also discovered back in December 2007, with SEO poisoning pages hosted on Blogspot. This time around, compromised Web sites were used instead.

Digging a little bit deeper, we’ve also found that the hackers have almost 1 million search phrases at their disposal for SEO poisoning. These search phrases cover the range from “free downloads, lyrics, travel, politics” and anything in between.

Malicious sites have “CLICK HERE! ALL INFORMATION!” and “CLICK HERE! WANT TO KNOW MORE ABOUT” as their page titles, so it is best to avoid clicking through Google/Yahoo! results that have those aforementioned site titles.

Aug14
by Paul Oliveria (Technical Communications)

Our researchers at TrendLabs have discovered a new set of rogue antivirus software circulating in the wild. Based on initial analysis, these threats arrive mainly via spammed email messages that contain a link to a bogus celebrity video scandal. We have also received reports that the said link is circulating in instant messaging applications and private messages in social networking Web sites, too.

Once the said URL link is clicked, the Web threat infection chain begins and ultimately leads to the download of a Trojan detected by Trend Micro as TROJ_FAKEAV.CX. This Trojan is a rogue antivirus that displays very convincing (and for some, alarming) messages, such as the following:

Note that since users are only using the “trial version,” TROJ_FAKEAV.CX even convinces users to get the full version so that they are always supposedly protected:

TROJ_FAKEAV.CX also drops another malware, detected as TROJ_RENOS.ACG. RENOS Trojans are known to have very visual payloads that may further alarm users — for example, they modify the system’s wallpaper and screensaver settings to display BSOD (Blue Screen of Death/Doom). Thus, users may be more convinced that something’s wrong with their system, not knowing that their new software is the one causing it.

Rogue antispyware isn’t entirely new, although our researchers have been seeing an increase in activity for the past couple of months (the Anjelina spam being one of the more recent examples).

Perhaps it’s because this is also the time of the year when the more legitimate security suites are releasing their latest software updates, and cyber criminals are riding on this season to ramp up their profits. Bad news for the infected users, though, as their latest versions of “antivirus software” are actually adding more threats to their system.

Trend Micro is still investigating this spam run. Updates will be posted when more information becomes available.


### Another Round of Peacomm Infections Underway

The Peacomm network has definitely turned out to be a survivor. With infections dating back to January 2007 and a P2P structure largely unchanged in about a year, Peacomm continues to evolve and infect new hosts. In early August our honeypots began capturing a new version of Peacomm. This iteration has been relatively low key as it propagates via users visiting infected Web sites, rather than by spam. Although Peacomm has been distributed via infected Web sites in the past, they were usually Web sites that were spammed to users as opposed to relying on drive-by downloading to gather its new recruits.

The attack toolkit used to install Peacomm in these drive-by attacks has changed as well. The infection begins with a user visiting an infectious Web site, which silently redirects the user to hostile content on a set of registered domains via an IFRAME. At this point, Kallisto TDS will serve a set of exploits against the victim. These include Acrobat PDF CollectEmailInfo, ANI Header Size, and MDAC.

Symantec IPS (NIS, NAV, N360, SEP, and SCS) will detect these attacks as follows with existing signatures:

- HTTP ANI File Hdr Size BO
- HTTP Malicious Toolkit Download Activity
- HTTP MS Unsafe ActiveX Obj Instantiation

If a system were to become infected, the Peacomm P2P traffic will be detected as BD Peacomm Trojan, and the bot would be detected by antivirus as Trojan.Peacomm.

Message Edited by SR Blog Moderator on 08-14-2008 04:16 PM

Published: 2008-08-25,
Last Updated: 2008-08-25 16:51:18 UTC
by John Bambenek (Version: 1)

The Sunday Herald reported on Sunday that Best Western was struck by a trojan attack that led to the possible compromise of about 8 million victims. There is some debate as to the extent of the breach and not a small amount of rumor going around. I'm not entirely disposed to trust corporate press releases for the facts, nor am I going to blindly accept the claims of security researchers whose first call is to the PR team when discovering a problem.

That said, here is what seems to be the agreed upon facts:

- A trojan was installed on one of the machines in Best Western's booking systems, which led to a compromise of credentials for the hotel's staff. An attempt was made (probably successfully) to sell these credentials to organizations with links to the Russian mafia.

- Best Western is and was PCI DSS compliant.

Of course, PCI really only helps one piece of the security equation and compliance is not the same as security. In fact, it is usually (at best) a poor substitute and more often an excuse to stop thinking about security ("We're Compliant!" followed by self-congratulatory back slapping). The same is true with relying on encryption. Encryption can be "defeated" and the ways to do it are well-known. (For instance, here is a paper I wrote almost 4 years ago on how to do it). If you can own the endpoint of a communication, encryption is irrelevant.

As another example, remember the backup tape heists a few years ago? Attackers know it takes an excessive amount of time to crack encryption, so they target ways to avoid it. Someone had the great idea of stealing backup tapes at which point few people would have even thought to have protected those. Now it's due diligence.

That said, here are 5 areas that are likely targets in the near future (or are targets now) that you may be overlooking:

- Centralized patching systems (e.g. WSUS). If you can hijack an update server and have it distribute a malicious patch, you own every desktop in an environment. The RedHat compromise should be a wake-up call in this regard.

- Centralized configuration and management systems (e.g. Configuresoft or the like). Same as above... the machine that controls all your desktops becomes the single point of pwnership.

- Payroll. Your payroll system has salary information and identification information. In short, it has everything you need to commit tax fraud. In the US, in particular, it also has your national identification number (what is falsely called a "Social Security Number") which allows an attacker to basically jack your entire identity as well.

- Web 2.0. There have been some attempts to spread malware or spear phish using Web 2.0 technology. In as far as your organization uses Web 2.0, the more "legitimate" a message looks, the more likely a user is to click it. Web 2.0 provides a great vector to compromise an organization, especially if many of your employees use it. (Think social engineering).

- Malicious insiders. OK, this last one is not new, but still a solid majority of attacks have at least some component of an insider attack. In some cases, simply installing a keylogger and "selling" the result is simple enough for a disgruntled employee with even a token level of access to an environment.

Will put up more info on Best Western as the situation warrants. Thoughts to the top 5 lists? What would you add or take off?

--
John Bambenek
bambenek /at/ gmail \dot\ com

Keywords: best western compromise data loss

### RedHat compromise sparks a Critical openssh security update

Published: 2008-08-22,
Last Updated: 2008-08-22 15:45:39 UTC
by Patrick Nolan (Version: 2)

Critical: openssh security update

"Last week Red Hat detected an intrusion on certain of its computer systems and took immediate action". "In connection with the incident, the intruder was able to sign a small number of OpenSSH packages relating only to Red Hat Enterprise Linux 4 (i386 and x86_64 architectures only) and Red Hat Enterprise Linux 5 (x86_64 architecture only)".

"processes and efforts to date indicate that packages obtained by Red Hat Enterprise Linux subscribers via Red Hat Network are not at risk".

Affected Products: Red Hat Desktop (v. 4)
Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux AS (v. 4)
Red Hat Enterprise Linux AS (v. 4.5.z)
Red Hat Enterprise Linux Desktop (v. 5 client)
Red Hat Enterprise Linux ES (v. 4)
Red Hat Enterprise Linux ES (v. 4.5.z)
Red Hat Enterprise Linux WS (v. 4)

CVEs (cve.mitre.org): CVE-2007-4752

Update - RedHat OpenSSH blacklist script released

RedHat has released a "shell script which lists the affected packages and can verify that none of them are installed on a system".
