Threat Level: green Handler on Duty: Manuel Pelaez

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

2117966.net-- mass ASP/SQL injection

Published: 2008-03-14
Last Updated: 2008-03-17 14:59:16 UTC
by Kevin Liston (Version: 5)
2 comment(s)

Situation:

Over 10,000 legitimate websites have been compromised and now have a javascript link that will direct visitors to a malicious website hosted on 2117966.net. The malicious website attempts to exploit the vulnerability described in MS06-014 MS07-004, MS06-067, MS06-057and a number of ActiveX vulnerabilities.

Successful exploitation result in the installation of a password-stealing malicious program that attempts to steal the logon credentials from websites and online games.

Recommended immediate action:

Block 2117966.net at your web proxy.

Recommended follow-up action:

Inspect your web proxy logs for visitors to 2117966.net. This will indicate who is potentially exposed. Check these systems to verify that their patches are up-to-date. Systems that are successfully compromised will begin sending traffic to 61.188.39.175
(Source: http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080313). Search your proxy logs for systems generating those requests and reimage the infected machines.

Protecting Browsers:

A properly-patched system should not be at-risk from this attack.  It is recommended to use a browser that does not support ActiveX.  Use of javascript controls such as NoScript are also effective.

Protecting Webservers:

The CSS Security Team as Microsoft has released details on how the code was injected into the servers.  It's an automated script that exploits poor input-checking code in the ASP page.

http://blogs.technet.com/neilcar/archive/2008/03/14/anatomy-of-a-sql-injection-incident.aspx

http://blogs.technet.com/neilcar/archive/2008/03/15/anatomy-of-a-sql-injection-incident-part-2-meat.aspx

A more rigorous description and how to protect your ASP from SQL injection is available here:
http://weblogs.asp.net/scottgu/archive/2006/09/30/Tip_2F00_Trick_3A00_-Guard-Against-SQL-Injection-Attacks.aspx

 

Update: Added additional exploit information

Update: Clarify that shadowserver is not the endpoint of the malicious traffic-- they provided that malware analysis (thanks guys)

Update: this was misidentified as an iframe injection when in fact it was a javascript link  on the altered ASP pages. 

Update: MS fills in the blanks on how the code was injected.

Keywords: SQL Injection
2 comment(s)

Temporal Search: Detecting Hidden Malware Timebombs with Virtual Machines

Published: 2008-03-14
Last Updated: 2008-03-14 19:33:43 UTC
by Kevin Liston (Version: 1)
0 comment(s)

On today's NoAH Blog (http://blogs.fp6-noah.org/noah/temporal-search-detecting-hidden-malware-timebombs-with-virtual-machines/) this is an entry on a paper out of the Computer Science department of the University of New Mexico: Temporal Search: Detecting Hidden Malware Timebombs with Virtual Machines by Jedidiah R. Crandall, Gary Wassermann, Daniela A. S. de Oliveira, Zhendong Su, S. Felix Wu, and Frederic T. Chong.

Although the paper itself wasn't available, I was able to read it via Google cache.  It certainly looks like an interesting technique.  If they can marry it to some behavioral analysis to see how it responds when a user enters a password on a web form six hours later that would be quite helpful.

Keywords: ie
0 comment(s)

MS08-014 causes subtle Excel calculation error

Published: 2008-03-14
Last Updated: 2008-03-14 18:15:22 UTC
by Kevin Liston (Version: 1)
0 comment(s)

Microsoft has released KB 950340 (http://support.microsoft.com/kb/950340) that identifies a potential calculation issue in Excel after the patch for MS08-014 has been applied.  An updated patch is likely forthcoming.

Source: http://blogs.technet.com/msrc/archive/2008/03/13/update-march-2008-monthly-release.aspx

Keywords:
0 comment(s)
Diary Archives