Zeus/Citadel variant causing issues in the Netherlands
According to some news sources (thanks Alexander), a trojan is doing the rounds in the Netherlands at the moment, causing major issues within organisations.
The web sites http://webwereld.nl/nieuws/111424/nieuwe-trojan-grijpt-wild-om-zich-heen-in-nederland.html and http://nos.nl/artikel/404668-computervirus-treft-ook-venlo.html (both in Dutch) report that a trojan is affecting a number of organisations. According to the article, the trojan affects machines that are already infected with Zeus. Fox-IT has an analysis here http://blog.fox-it.com/2012/08/09/xdoccryptdorifel-document-encrypting-and-network-spreading-virus/ and some of the original information can be found here http://www.damnthoseproblems.com/?lang=en
According to the analysis the malware encrypts files which will be a problem for those without proper backups.
If you have samples, feel free to upload them via our contact form (zipped up with the password "infected", please).
Mark
SQL Injection Lilupophilupop style, Part 2
Just as a quick follow up on Daniel's diary from last week (https://isc.sans.edu/diary.html?storyid=13813) regarding the Lilupophilupop SQL injection run, which has started up again as of approximately the 1st of August.
This particular run is very similar to the one back in December 2011, with one minor variation so far. The platform being attacked is still applications with MSSQL as the backend. The aim is to inject a PHP script which redirects, etc., etc. (the usual rabbit hole). The main difference between the two attacks is that this time many different domains are being injected, rather than the one main domain as was the case in December. Some of the domains were provided in comments on the previous diary entry. These are the ones I have found so far.
- lasimp04risoned.rr.nu
- eighbo02rsbarr.rr.nu
- reque83ntlyin.rr.nu
- tentsf05luxfig.rr.nu
- andsto57cksstar.rr.nu
- brown74emphas.rr.nu
- tartis78tscolla.rr.nu
- senior78custome.rr.nu
- sfl20ewwa.rr.nu
- ksstar.rr.nu
- enswdzq112aazz.com
- www.bldked98f5.com
- www1.mainglobilisi.com
- xinthesidersdown.com
- inglon03grange.rr.nu
rr.nu seems to be a nice spot for malicious domains.
The attack is ramping up slightly with search engines reporting approximately 235K pages infected at the moment. BTW previous sites that were affected back in December are being revisited as part of this run. So if that was you, then you may wish to check your log files to make sure you haven't been affected again.
If you look through your logs, look for entries such as:
--snip-- /somedirectory/somepage.asp somevar=38272%27+declare+%40s+varchar% --snip--
(I usually just grep/search for declare, varchar or char; that usually does the trick.)
If that does not find it, look for large URL queries (say longer than 1000 characters) or 500 errors.
Identify the injection variable used, in this case somevar=38272.
When you look through your earlier logs, you will find entries similar to these:
--snip-- /somedirectory/somepage.asp somevar=38272%2F%2A%2A%2For%2F%2A%2A%2F1%3D%40%40v --snip--
--snip-- /somedirectory/somepage.asp somevar=38272%27%2F%2A%2A%2For%2F%2A%2A%2F1%3D%40%4 --snip--
--snip-- /somedirectory/somepage.asp somevar=38272%27%2F%2A%2A%2For%2F%2A%2A%2F1%3D%40%40 --snip--
These are initial tests to see whether the application has any usable injection points.
Take the IP addresses from these log lines and check your web logs again for them; you will find other activity. The user agent string is also good to pivot on, as it often stays the same even when different IP addresses are used.
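The log-hunting steps above (grep for the T-SQL keywords, look for long query strings and 500 errors, identify the injected variable, then pivot on IP and user agent), as an added worked example that is not part of the original diary. It runs over a handful of constructed combined-log-format lines: the query strings mirror the probe and declare patterns quoted above, the IPs are RFC 5737 documentation addresses and the user agents are made up. Keyword list, thresholds and the "strong vs weak signal" split are my assumptions, not anything the diary prescribes.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample log lines (combined log format). Not from the diary.
UA_ATTACK = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
UA_NORMAL = "Mozilla/5.0 (Windows NT 6.1) Firefox/14.0"
SAMPLE_LOG = [
    # Probing for an injection point (/**/or/**/1=@@v) from one address.
    f'203.0.113.5 - - [02/Aug/2012:10:14:03 +0000] "GET /somedirectory/somepage.asp?somevar=38272%2F%2A%2A%2For%2F%2A%2A%2F1%3D%40%40v HTTP/1.1" 200 5120 "-" "{UA_ATTACK}"',
    f'203.0.113.5 - - [02/Aug/2012:10:14:05 +0000] "GET /somedirectory/somepage.asp?somevar=38272%27%2F%2A%2A%2For%2F%2A%2A%2F1%3D%40%40 HTTP/1.1" 500 1024 "-" "{UA_ATTACK}"',
    # The declare/varchar attempt, from a second address with the same user agent.
    f'198.51.100.7 - - [02/Aug/2012:10:16:44 +0000] "GET /somedirectory/somepage.asp?somevar=38272%27+declare+%40s+varchar%284000%29-- HTTP/1.1" 200 5120 "-" "{UA_ATTACK}"',
    # Same actor on another page with no payload: only found by pivoting.
    f'198.51.100.7 - - [02/Aug/2012:10:16:50 +0000] "GET /somedirectory/otherpage.asp?id=7 HTTP/1.1" 200 2048 "-" "{UA_ATTACK}"',
    # A normal visitor.
    f'192.0.2.9 - - [02/Aug/2012:10:20:01 +0000] "GET /somedirectory/somepage.asp?somevar=38272 HTTP/1.1" 200 5120 "-" "{UA_NORMAL}"',
    # An oversized query string (1200 encoded characters of padding) with no keyword.
    f'203.0.113.5 - - [02/Aug/2012:10:21:09 +0000] "GET /somedirectory/somepage.asp?somevar=38272%27{"%20" * 400} HTTP/1.1" 200 5120 "-" "{UA_ATTACK}"',
]

# One combined-log-format request line: ip, timestamp, method, URL, status, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# The diary's heuristics: T-SQL keywords in a decoded parameter, /**/ comment
# obfuscation, query strings over 1000 characters, and HTTP 500 responses.
# The exact keyword list is an assumption; extend it to taste.
KEYWORD_RE = re.compile(r'\b(declare|varchar|nvarchar|cast|exec|char)\b', re.IGNORECASE)
COMMENT_RE = re.compile(r'/\*.*?\*/')
MAX_QUERY_LEN = 1000
STRONG = {'sql-keyword', 'inline-comment', 'long-query'}  # reasons worth pivoting on

def parse_line(line):
    """Parse one log line; return a dict, or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec['url'])
    rec['path'] = parts.path
    rec['raw_query'] = parts.query
    # parse_qsl percent-decodes values and turns '+' into spaces, so
    # %2F%2A%2A%2For becomes /**/or and the keyword search works on plain text.
    rec['params'] = parse_qsl(parts.query, keep_blank_values=True)
    return rec

def classify(rec):
    """Return (sorted reasons, sorted suspect parameter names) for one request."""
    reasons, suspects = set(), set()
    for name, value in rec['params']:
        if KEYWORD_RE.search(value):
            reasons.add('sql-keyword')
            suspects.add(name)
        if COMMENT_RE.search(value):
            reasons.add('inline-comment')
            suspects.add(name)
    if len(rec['raw_query']) > MAX_QUERY_LEN:
        reasons.add('long-query')
    if rec['status'] == '500':
        reasons.add('http-500')
    return sorted(reasons), sorted(suspects)

def hunt(lines):
    """Flag suspicious requests, then pivot on their source IPs and user agents
    to pull every request those actors made, whether or not it carried a payload."""
    recs = [r for r in (parse_line(l) for l in lines) if r]
    flagged, pivot_ips, pivot_uas = [], set(), set()
    for r in recs:
        reasons, suspects = classify(r)
        if not reasons:
            continue
        flagged.append({'ts': r['ts'], 'ip': r['ip'], 'ua': r['ua'],
                        'params': suspects, 'reasons': reasons})
        if STRONG & set(reasons):          # a lone 500 is too noisy to pivot on
            pivot_ips.add(r['ip'])
            pivot_uas.add(r['ua'])
    related = [r for r in recs if r['ip'] in pivot_ips or r['ua'] in pivot_uas]
    return flagged, related

if __name__ == '__main__':
    flagged, related = hunt(SAMPLE_LOG)
    for f in flagged:
        print(f"{f['ts']} {f['ip']} params={f['params']} reasons={f['reasons']}")
    print(f"{len(related)} request(s) from the flagged IPs / user agents:")
    for r in related:
        print(f"  {r['ts']} {r['ip']} {r['method']} {r['path']} {r['status']}")
```

On the sample, the two probe lines and the declare line are flagged with `somevar` as the suspect parameter, the padded request is flagged on length alone, and the pivot pulls in the attacker's payload-free visit to otherpage.asp while leaving the normal visitor out. For a real log, replace SAMPLE_LOG with the file's lines and adjust LOG_RE to the server's log format.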
When you are doing remediation, make sure the developers understand that any input that results in a SQL query can be used to inject. It does not have to be a form variable; any variable is fair game. All input must be validated prior to being used (and not just at the client end either).
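The remediation point above, as an added example that is not part of the original diary: a vulnerable lookup that concatenates the request value into the statement beside the hardened version that validates server-side and binds the value as a parameter. It uses an in-memory SQLite table as a stand-in for the MSSQL backend (SQLite accepts the same /**/ comment syntax the probes use); the table, the product names and the `somevar` values are constructed.

```python
import sqlite3

def build_db():
    """Constructed in-memory product table standing in for the real backend."""
    conn = sqlite3.connect(':memory:')
    conn.execute('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)')
    conn.executemany('INSERT INTO products VALUES (?, ?)',
                     [(38272, 'widget'), (38273, 'gadget'), (38274, 'sprocket')])
    return conn

def lookup_unsafe(conn, somevar):
    """Vulnerable: the raw request value is pasted into the SQL text, so whatever
    it contains (comments, OR clauses, DECLARE on MSSQL) is parsed as SQL.
    It makes no difference whether the value came from a form, a cookie or a header."""
    sql = 'SELECT name FROM products WHERE id = ' + somevar + ' ORDER BY id'
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, somevar):
    """Hardened: validate on the server, then bind the value as a parameter so the
    database only ever sees it as data, never as part of the statement."""
    if not somevar.isdigit():
        raise ValueError('somevar must be an integer id')
    rows = conn.execute('SELECT name FROM products WHERE id = ? ORDER BY id',
                        (int(somevar),))
    return [row[0] for row in rows]

def safe_rejects(conn, somevar):
    """True if lookup_safe refuses the value (used by the demo below)."""
    try:
        lookup_safe(conn, somevar)
    except ValueError:
        return True
    return False

if __name__ == '__main__':
    conn = build_db()
    # Same shape as the diary's probe, with a comparison SQLite can evaluate.
    probe = '38272/**/or/**/1=1'
    print('unsafe, normal value:', lookup_unsafe(conn, '38272'))
    print('unsafe, probe value :', lookup_unsafe(conn, probe))   # every row comes back
    print('safe, normal value  :', lookup_safe(conn, '38272'))
    print('safe, probe value   :', 'rejected' if safe_rejects(conn, probe) else 'accepted')
```

The concatenated query turns the probe into `WHERE id = 38272 or 1=1` and returns the whole table, which is exactly the kind of response the attacker's first requests are testing for. The bound query never lets the value reach the parser, and the type check in front of it rejects the request before the database is involved at all.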
Thanks to those that provided some log records. Happy logging.
Mark H