Ice(Pack) for the summer

It's summer, about 29 ºC (84 ºF) in Bilbao, a sunny and beautiful day. A good time for an ice-cream, but today we'll change the menu and have an IcePack instead.

IcePack Platinum is the name of a new "kit for installing malware through exploits". Regarding the exploits it uses, there is nothing new to add: it is very similar to Mpack, taking advantage of the latest exploits that have appeared. This gives it more chances of infecting users who are not patched with the latest updates:

- MS06-014 Internet Explorer 6

- MS06-006 Firefox 1.5

- MS06-006 Opera 7

- WVF Overflow

- QuickTime Overflow

- WinZip Overflow

- VML Overflow


Here you have an image of the ftp checker:

IcePack is programmed by a different group (IDT Group) from the Mpack creators (Dream Coders Team). The price of this tool is also lower than Mpack's: it can be purchased for $400.

Brazilian Microsoft Web Site Hacked

A Brazilian group of hackers who call themselves InSaNiTy ZiNe c0rp. hacked the Brazilian Microsoft Web site last Saturday afternoon.

The page was taken offline Saturday afternoon, and anybody who tried to access it got a black screen and the hackers' message. The hackers asked how Microsoft, the creator of the IIS server and a company so keen on showcasing the security of its products, could exhibit such precarious security on its own Web site.

The message went on: "This is a message for the Brazilian [hackers] groups: let's drop this 'friendly' thing. Why do you only scratch sites? Let's study a little more - have a bit more creativity, ok?"

Thomas Viertler, Manager of MSN Brasil, said the Brazilian Microsoft site is on a server in the U.S. and can be accessed at the URL www.microsoft.com/brasil. To host the domain www.microsoft.com.br, Microsoft Brazil uses a third-party server via a Brazilian ISP whose name Mr. Viertler did not disclose; that domain is used only to redirect users to the site hosted in the U.S.

Viertler also said only the Brazilian server was the victim of the hackers' attack, not the main server located in the U.S. The fact remains that the attack blocked access to the Brazilian Microsoft page for the whole of Saturday afternoon.

Hackers turn Google into vulnerability scanner

The hacking group Cult of the Dead Cow (CDC) this week released a tool that turns Google into an automated vulnerability scanner, scouring Web sites for sensitive information such as passwords or server vulnerabilities.

CDC first achieved notoriety ten years ago with its backdoor Back Orifice, which demonstrated in a highly public way just how easy it was to take unauthorized control of a Windows PC.

The new tool, called Goolag Scan, is equally provocative, making it easy for unskilled users to track down vulnerabilities and sensitive information on specific Web sites or broad web domains.

This capability should serve as a wake-up call for system administrators to run the tool on their own sites before attackers get around to it, according to CDC.

DDoS Anniversary

There was a "cyberwar" in Estonia one year ago. Civil unrest, protests, and rioting culminated in DDoS attacks against Estonian government websites. What started on the streets moved online with those that couldn't be physically present taking part in DDoS attacks that lasted for more than a week.

We blogged about the attacks here (April 28th), here (April 30th), and here (May 9th).

There were plenty of DDoS tools distributed during the attacks:

April 2007

The anniversary of the riots hasn't generated any activity as yet, and we don't expect anything significant later.

More recent failed examples appear to indicate that a good deal of offline heat is required before online attacks catch fire.

An "e-jihad" planned for the 11th of November never materialized.

And earlier this month a DDoS attack planned against CNN resulted in only random outages, mostly in Asia.

Anti-CNN tools were distributed, but without street protests to really capture people's attention, nothing carried over to online attacks.

DDoS.exe

Mass SQL Injection

There's another round of mass SQL injections going on which has infected hundreds of thousands of websites.

A Google search turns up over 510,000 modified pages.

Google Search Results for SQL Injections

As more and more websites are using database back-ends to make them faster and more dynamic, it also means that it's crucial to verify what information gets stored in or requested from those databases — especially if you allow users to upload content themselves which happens all the time in discussion forums, blogs, feedback forms, et cetera.

Unless that data is sanitized before it gets saved you can't control what the website will show to the users. This is what SQL injection is all about, exploiting weaknesses in these controls. In this case the injection code starts off like this (note, this is not the complete code):

DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x440045004300
4C00410052004500200040005400200076006100720063006800610072
00280032003500350029002C0040004300200076006100720063006800
610072002800320035003500290020004400450043004C004100520045
0020005400610062006C0065005F0043007500720073006F0072002000
43005500520053004F005200200046004F0052002000730065006C0065
0063007400200061002E006E0061006D0065002C0062002E006E006100
6D0065002000660072006F006D0020007300790073006F0062006A0065
00630074007300200061002C0073007900730063006F006C0075006D00
6E00730020006200200077006800650072006500200061002E00690064
003D0062002E0069006400200061006E006400200061002E0078007400
7900700065003D00270075002700200061006E0064002000280062002E
00780074007900700065003D003900390020006F007200200062002E00
780074007900700065003D003300350020006…

Which, once URL-decoded and with the hex literal read as the UTF-16LE text that SQL Server uses for NVARCHAR (hence the 00 after every character), becomes:

DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor
CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b
where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35
or b…

What happens as a result? It finds all text fields in the database and appends a link to malicious JavaScript to each and every one of them, so your website will serve that link automatically wherever those fields are displayed. So essentially the attackers looked for ASP or ASPX pages that take any kind of querystring parameter (a dynamic value such as an article ID, product ID, et cetera) and tried to use that parameter to inject their SQL code.

So far three different domains have been used to host the malicious content — nmidahena.com, aspder.com and nihaorr1.com. A set of files loaded from these sites attempts several different exploits in order to install an online gaming trojan. Right now the initial exploit page on all three domains is inaccessible, but that could change. So if you're a firewall administrator, we recommend you block access to them.

So what should you do?

First of all, search your website logs for the code above and see if you've been hit. If so, clean up your database to prevent your website visitors from becoming infected. Second, make sure that all the data you pass to your database is sanitized and that no code elements can be stored there. Third, block access to the sites above. Fourth, make sure the software you use is patched; F-Secure Health Check is an easy way to do this. Fifth, keep your antivirus solution up-to-date.
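The two practical steps the post leaves to the reader are turning the quoted URL-encoded payload back into readable SQL and then looking for that pattern in the web server logs. The script below is an added example, not code from the post or from F-Secure: it carries the injection prefix exactly as quoted above (URL-encoded, hex literal cut off where the post cuts it off), decodes the CAST() literal as UTF-16LE, and scans a few constructed IIS log lines. The W3C field order (date, time, s-ip, cs-method, cs-uri-stem, cs-uri-query, ...) and the two signature patterns are assumptions drawn from the quoted code, not from the attack itself.

```python
import re
from urllib.parse import unquote

# The injection prefix quoted in the post, copied as-is (URL-encoded, and the
# hex literal truncated where the post truncates it).
INJECTION_EXCERPT = (
    "DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x"
    "440045004300"
    "4C00410052004500200040005400200076006100720063006800610072"
    "00280032003500350029002C0040004300200076006100720063006800"
    "610072002800320035003500290020004400450043004C004100520045"
    "0020005400610062006C0065005F0043007500720073006F0072002000"
    "43005500520053004F005200200046004F0052002000730065006C0065"
    "0063007400200061002E006E0061006D0065002C0062002E006E006100"
    "6D0065002000660072006F006D0020007300790073006F0062006A0065"
    "00630074007300200061002C0073007900730063006F006C0075006D00"
    "6E00730020006200200077006800650072006500200061002E00690064"
    "003D0062002E0069006400200061006E006400200061002E0078007400"
    "7900700065003D00270075002700200061006E0064002000280062002E"
    "00780074007900700065003D003900390020006F007200200062002E00"
    "780074007900700065003D003300350020006"
)

HEX_LITERAL = re.compile(r"0x([0-9A-Fa-f]+)")
# Two traits of the quoted payload (assumed signatures): a DECLARE of an
# (N)VARCHAR variable, and a CAST of a long hex literal. Either one inside a
# query string deserves a look.
DECLARE_VAR = re.compile(r"DECLARE\s+@\w+\s+N?VARCHAR\s*\(", re.I)
HEX_CAST = re.compile(r"CAST\s*\(\s*0x[0-9A-Fa-f]{32,}", re.I)


def decode_cast_hex(query_string: str) -> str:
    """URL-decode the query string, pull out the 0x... literal handed to CAST()
    and read it as UTF-16LE, the encoding SQL Server uses for NVARCHAR (which is
    why every other byte in the dump is 00)."""
    text = unquote(query_string)
    match = HEX_LITERAL.search(text)
    if not match:
        return ""
    digits = match.group(1)
    # Keep whole UTF-16 code units (4 hex digits each) so a truncated dump,
    # like the excerpt in the post, still decodes instead of raising.
    digits = digits[: len(digits) // 4 * 4]
    return bytes.fromhex(digits).decode("utf-16-le")


def is_suspicious(query_string: str) -> bool:
    """True when the query string carries the hallmarks of the injected batch."""
    text = unquote(query_string)
    return bool(DECLARE_VAR.search(text) or HEX_CAST.search(text))


def scan_iis_log(lines):
    """Scan IIS W3C extended log lines; return (line_no, uri_stem, first 40
    chars of the decoded SQL) for each request whose query string matches.
    Assumed field order: date time s-ip cs-method cs-uri-stem cs-uri-query ..."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        if line.startswith("#"):          # W3C directive/header lines
            continue
        fields = line.split()
        if len(fields) < 6:
            continue
        uri_stem, query = fields[4], fields[5]
        if query != "-" and is_suspicious(query):
            hits.append((line_no, uri_stem, decode_cast_hex(query)[:40]))
    return hits


# Constructed log lines in IIS W3C layout; only the third carries the excerpt.
SAMPLE_LOG = [
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status",
    "2008-04-25 13:02:11 10.0.0.5 GET /products.asp id=17 80 - 198.51.100.7 200",
    "2008-04-25 13:02:12 10.0.0.5 GET /news.aspx article=42;" + INJECTION_EXCERPT + " 80 - 203.0.113.9 200",
    "2008-04-25 13:02:13 10.0.0.5 GET /default.asp - 80 - 198.51.100.8 200",
]

if __name__ == "__main__":
    print(decode_cast_hex(INJECTION_EXCERPT))
    for hit in scan_iis_log(SAMPLE_LOG):
        print("line %d %s -> %s..." % hit)
```

The scanner matches on the shape of the batch rather than on one exact string, because the hex literal differs with every site it hits while the `DECLARE @S NVARCHAR(...)` / `CAST(0x...)` scaffolding does not; decoding the literal on each hit lets you read what was actually run against the database.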

UPDATE: We've received some questions on the platform and operating systems affected by this attack. So far we've only seen websites using Microsoft IIS Web Server and Microsoft SQL Server being hit. Do note that this attack doesn't use vulnerabilities in any of those two applications. What makes this attack possible is poorly written ASP and ASPX (.net) code.
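The update pins the root cause on application code that pastes a querystring value into the SQL text. The snippet below is an added example, not code from the post: it shows that pattern next to the hardened version (type check, then a bound parameter) using Python's sqlite3 module and a constructed in-memory table, since the principle is the same whatever the web language or database engine. One difference to keep in mind: SQL Server executes a `;`-separated batch like the one quoted above, while sqlite3's `execute()` runs a single statement, so the demonstration uses a value that rewrites the WHERE clause instead.

```python
import sqlite3


def make_demo_db():
    """In-memory stand-in for a site's article table (constructed sample rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?)",
                     [(1, "Welcome"), (2, "Release notes"), (3, "Contact")])
    return conn


def get_article_unsafe(conn, raw_id):
    """The pattern the post blames: the querystring value is concatenated into
    the SQL text, so whatever the client sends becomes part of the statement."""
    sql = "SELECT id, title FROM articles WHERE id = " + raw_id
    return conn.execute(sql).fetchall()


def get_article_safe(conn, raw_id):
    """Reject anything that is not the type this page expects, then bind the
    value as a parameter so the driver passes it as data, never as SQL."""
    if not raw_id.isdigit():
        raise ValueError("article id must be a positive integer")
    sql = "SELECT id, title FROM articles WHERE id = ?"
    return conn.execute(sql, (int(raw_id),)).fetchall()


def safe_rejects(conn, raw_id):
    """True if the hardened lookup refused the input before it reached the database."""
    try:
        get_article_safe(conn, raw_id)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    conn = make_demo_db()
    bad_value = "2 OR 1=1"                       # not an article id
    print(get_article_unsafe(conn, "2"))         # one row, as intended
    print(get_article_unsafe(conn, bad_value))   # every row: the WHERE clause was rewritten
    print(get_article_safe(conn, "2"))           # one row
    print(safe_rejects(conn, bad_value))         # True
```

Rejecting malformed input outright, rather than trying to "clean" it, is what makes the second step in the list above enforceable: an article ID that is not an integer has no legitimate meaning, so there is nothing to sanitize.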

McAfee Avert Labs Mass Hack Demo

This is huge. In a matter of days more than 200,000 sites were affected by these mass hacks. Some with JS while others with ASP! Some of the attacks were on the popular phpBB. Even Trend Micro fell victim to the web hack!

Here is a video demo:

For more information please visit:
Computer Security Research - McAfee Avert Labs Blog

Rootkits - The new age of viruses

Ah, I remember some of the nastiest viruses back in the day attaching themselves to the MBR (Master Boot Record), rendering most anti-virus software useless (as it sits on top of the OS).

Now it seems MBR infection is back in fashion for a new age of rootkits.

Security mavens have uncovered a new class of attacks that attach malware to the bowels of a hard drive, making it extremely hard to detect and even harder to remove.

The rootkit modifies a PC’s master boot record (MBR), which is the first sector of a storage device and is used to help a PC locate an operating system to boot after it is turned on. The result: the rootkit is running even before Windows loads. There have been more than 5,000 infections in less than a month, researchers say.

“Master boot record rootkits are able to subvert the Windows kernel before it loads, which gives it a distinct stealth advantage over rootkits that load while Windows is running,” said Matthew Richard, director of the rapid response team for iDefense, a security provider owned by VeriSign. “It gives it a great stealth mechanism that allows it to persist even after removal.” Such rootkits can even survive reinstallation of the operating system, he said.

Pretty stealthy and extremely sticky; time to be a little more wary. MBR infectors are extremely nasty and the majority of people won't even know they are infected. Plus, as they can subvert the Windows kernel before it even loads, they have a huge stealth advantage.

The new rootkit is part of the arms race between security vendors and malware writers, he said. “We’re definitely making it harder and harder for the bad guys to do stuff to the operating system,” he said. They respond by attacking new parts of a PC.

Every version of Windows, including Vista, is vulnerable to the rootkit.

About 30,000 websites, mostly located in Europe, are actively trying to install the rootkit by exploiting users who have failed to install Windows updates, Richard says. There were 5,000 infections from December 12 to January 7. The rootkit is being spread by the same group responsible for distributing the Torpig banking Trojans, which are used to steal online banking credentials.
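The post describes the MBR as the first sector of the disk, read by the firmware before Windows loads, and the rootkit as living in that sector. What a defender can check is whether the boot code in that sector still matches a known-good copy while the partition table, which changes for legitimate reasons, is left out of the comparison. The script below is an added example, not from the post, Securiteam or any vendor named above: it builds a constructed 512-byte MBR, parses the partition table and 0x55AA signature, hashes the 446-byte boot-code area, and flags a simulated overwrite. The layout constants are the standard MBR layout; the sample bytes and the "tamper" are placeholders, not real loader or rootkit code.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445 hold the boot code an MBR infector replaces
PART_TABLE_OFFSET = 446      # four 16-byte partition entries follow the boot code
SIGNATURE_OFFSET = 510       # 0x55 0xAA marks a valid MBR
ENTRY_FORMAT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr():
    """Constructed MBR: placeholder boot code, one bootable NTFS-type partition."""
    boot_code = b"\xEB\x3C\x90" + b"\x90" * (BOOT_CODE_LEN - 3)   # jump + NOP filler, not a real loader
    entry = struct.pack(ENTRY_FORMAT, 0x80, b"\x20\x21\x00", 0x07, b"\xFE\xFF\xFF", 2048, 204800)
    table = entry + b"\x00" * (16 * 3)                            # three unused slots
    return boot_code + table + b"\x55\xAA"


def parse_mbr(sector):
    """Split one sector into signature check, boot-code hash and partition list."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        status, _, ptype, _, lba_start, count = struct.unpack_from(
            ENTRY_FORMAT, sector, PART_TABLE_OFFSET + 16 * i)
        if ptype != 0:                        # type 0 means an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {
        "signature_ok": sector[SIGNATURE_OFFSET:] == b"\x55\xAA",
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def boot_code_changed(baseline, current):
    """Compare only the boot-code area. Partition-table edits happen for
    legitimate reasons; new boot code on a box nobody reinstalled does not."""
    return parse_mbr(baseline)["boot_code_sha256"] != parse_mbr(current)["boot_code_sha256"]


def simulate_tamper(sector):
    """Constructed stand-in for an MBR infector: overwrite part of the boot code
    but keep the partition table and signature intact so the disk still boots."""
    modified = bytearray(sector)
    modified[0x10:0x14] = b"\xDE\xAD\xBE\xEF"   # placeholder bytes, not real rootkit code
    return bytes(modified)


if __name__ == "__main__":
    clean = build_sample_mbr()
    infected = simulate_tamper(clean)
    print(parse_mbr(clean))
    print("boot code changed:", boot_code_changed(clean, infected))
    print("partition table unchanged:",
          parse_mbr(clean)["partitions"] == parse_mbr(infected)["partitions"])
```

Since the post notes the rootkit subverts the kernel before Windows loads, a sector read taken from inside the running system may not show the real contents of the disk; take both the baseline and the comparison read from a clean boot medium, and keep the baseline hash somewhere the machine itself cannot rewrite.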

* McAfee detects the Trojan as StealthMBR (DAT 5204 or above) or StealthMBR!rootkit
* Symantec as Trojan.Mebroot or Boot.Mebroot
* Sophos uses the name Troj/Mbroot-A
* Trend Micro uses the name TROJ_SINOWAL.AD

(Info from Securiteam)

A timeline is available from SANS here.