Threat Level: green Handler on Duty: Pedro Bueno

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Hundreds of thousands of SQL injections

Published: 2008-04-24
Last Updated: 2008-04-25 13:47:50 UTC
by donald smith (Version: 2)
1 comment(s)

Hundreds of thousands of SQL injections UPDATE.
It is recommend that you block access to hxxp:/www.nihaorr1.com and the IP it resolves to 219DOT153DOT46DOT28 at the edge or border of your network.

1.js is the file they are currently injecting. That could change and has been injected into thousands of legitimate websites. Visitors to this website are “treated” to 8 different exploits for many windows based applications including AIM, RealPlayer, and iTunes. DO NOT visit sites that link to this site as you are very likely to get infected. Trendmicro named the malware toj_agent.KAQ it watches for passwords and passes them back to contoller’s ip.

The crew over at shadowserver has published additional information related to SQL injected sites. They included the botnet controllers IP address 61.188.39.214 and a content based snort signature for the bot control traffic that is not ip dependent. The bot controller is alive and communicating on port 2034 with some infected clients at this time.
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080424
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080313

They have hit city websites, commercial sites and even government websites. This type of injection pretty much null and voids the concept of “trusted website”. or "safe sites".

The register covered it stating their search returned 173k injected results:
http://www.theregister.co.uk/2008/04/24/mass_web_attack/
The number I received doing the same search was 226k. Those are not all unique websites. Many sites got hit more then one time.

Lou a self described “accidental techie” has been discussing it as they have been reinjecting this into his database/website “every other day”. http://www.experts-exchange.com/Database/MySQL/Q_23337211.html
Websense has good information on it here:
http://securitylabs.websense.com/content/Alerts/3070.aspx

We covered the injection tool, the methods to prevent injections and other details here:
http://isc.sans.org/diary.html?storyid=4139
http://isc.sans.org/diary.html?storyid=4294

1 comment(s)

Targeted attacks using malicious PDF files

Published: 2008-04-24
Last Updated: 2008-04-24 18:22:15 UTC
by Maarten Van Horenbeeck (Version: 1)
0 comment(s)

Dating back to the end of February, we have been tracking test runs of malicious PDF messages to very specific targets. These PDF files exploit the recent vulnerability CVE-2008-0655.

Ever since the end of March, beginning of April, the amount of samples seen in the wild has significantly increased. Interestingly enough, there is almost no "public, widespread" exploitation. All reports are limited to very specific, targeted attacks. However, due to the wide scope of these attacks, and the number of targets we know of, we feel a diary entry was in order.

At this point in time, we are receiving more PDF samples from targeted attack victims per day than any other common file type (DOC, CHM, PPT). The threat agents, or attackers, are the same. They are just moving from other file types towards PDF, but are generally using the same control servers and similar backdoor families.

The files contain:
- an embedded trojan installer;
- a clean PDF file.

Once the file is opened in a vulnerable Acrobat Reader version, the backdoor will install, and the clean PDF file is opened in the user's browser. From a user experience, there are two possible methods of detection:

- If the file is opened in a patched Acrobat Reader, an error will be displayed that the file is corrupted;
- If the file is opened in a vulnerable Acrobat Reader, the user will see Acrobat Reader close and immediately reopen the valid PDF document.

Anti virus detection of these samples is usually very low heuristically. The below are detection results from a malicious PDF which had not been reported to an AV vendor yet. Note that these results vary per file. We're not listing MD5 hashes or file names due to the sheer number of samples we've seen so far.

AhnLab-V3 2008.4.19.0 2008.04.18 -
AntiVir 7.8.0.8 2008.04.18 HTML/Shellcode.Gen
Authentium 4.93.8 2008.04.19 -
Avast 4.8.1169.0 2008.04.19 -
AVG 7.5.0.516 2008.04.19 -
BitDefender 7.2 2008.04.20 Exploit.Shellcode.J
CAT-QuickHeal 9.50 2008.04.19 -
ClamAV 0.92.1 2008.04.20 -
DrWeb 4.44.0.09170 2008.04.19 -
eSafe 7.0.15.0 2008.04.17 -
eTrust-Vet 31.3.5714 2008.04.19 -
Ewido 4.0 2008.04.19 -
F-Prot 4.4.2.54 2008.04.20 -
F-Secure 6.70.13260.0 2008.04.19 -
FileAdvisor 1 2008.04.20 -
Fortinet 3.14.0.0 2008.04.20 -
Ikarus T3.1.1.26.0 2008.04.20 -
Kaspersky 7.0.0.125 2008.04.20 -
McAfee 5277 2008.04.18 -
Microsoft 1.3408 2008.04.20 Exploit:Win32/ShellCode.C
NOD32v2 3041 2008.04.19 -
Norman 5.80.02 2008.04.18 -
Panda 9.0.0.4 2008.04.19 -
Prevx1 V2 2008.04.20 -
Rising 20.40.62.00 2008.04.20 -
Sophos 4.28.0 2008.04.20 Mal/JSShell-B
Sunbelt 3.0.1056.0 2008.04.17 -
Symantec 10 2008.04.20 -
TheHacker 6.2.92.285 2008.04.19 -
VBA32 3.12.6.4 2008.04.16 -
VirusBuster 4.3.26:9 2008.04.19 -
Webwasher-Gateway 6.6.2 2008.04.18 Script.Shellcode.Gen

The embedded dropper is generally specifically written for the occasion:

AhnLab-V3 2008.4.19.0 2008.04.18 -
AntiVir 7.8.0.8 2008.04.18 HEUR/Malware
Authentium 4.93.8 2008.04.19 -
Avast 4.8.1169.0 2008.04.19 -
AVG 7.5.0.516 2008.04.19 -
BitDefender 7.2 2008.04.20 -
CAT-QuickHeal 9.50 2008.04.19 -
ClamAV 0.92.1 2008.04.20 -
DrWeb 4.44.0.09170 2008.04.19 -
eSafe 7.0.15.0 2008.04.17 -
eTrust-Vet 31.3.5714 2008.04.19 -
Ewido 4.0 2008.04.19 -
F-Prot 4.4.2.54 2008.04.20 -
F-Secure 6.70.13260.0 2008.04.19 Trojan-Spy.Win32.Agent.bzq
FileAdvisor 1 2008.04.20 -
Fortinet 3.14.0.0 2008.04.20 -
Ikarus T3.1.1.26 2008.04.20 -
Kaspersky 7.0.0.125 2008.04.20 Trojan-Spy.Win32.Agent.bzq
McAfee 5277 2008.04.18 -
Microsoft 1.3408 2008.04.20 -
NOD32v2 3041 2008.04.19 -
Norman 5.80.02 2008.04.18 W32/Agent.FEOU
Panda 9.0.0.4 2008.04.19 -
Prevx1 V2 2008.04.20 -
Rising 20.40.62.00 2008.04.20 -
Sophos 4.28.0 2008.04.20 -
Sunbelt 3.0.1056.0 2008.04.17 -
Symantec 10 2008.04.20 -
TheHacker 6.2.92.285 2008.04.19 -
VBA32 3.12.6.4 2008.04.16 -
VirusBuster 4.3.26:9 2008.04.19 -
Webwasher-Gateway 6.6.2 2008.04.18 Heuristic.Malware

Acrobat Reader is proving to be an interesting target because users are not very much inclined to upgrade manually. The file format is relatively stable and users of Acrobat Reader 7 may not always feel a need to upgrade.

As such, we strongly recommend that you:

- Ensure your Acrobat Reader installations have been upgraded to version 8.1.2;
- Disable Javascript parsing through Edit>Preferences>Javascript, by disabling the 'Enable Acrobat JavaScript' option.

Naturally we greatly appreciate any additional information you can provide on attacks you feel may be related to this exploit. Additional amples especially are always welcome.

Cheers,
Maarten

0 comment(s)
Diary Archives