Sponsored by..

Monday 29 December 2008

SQL injection: msngk6.ru, dft6s.kz and mcuve.cn

A new bunch of domains being used in SQL injection attacks at the moment:
  • www.msngk6.ru
  • www.dft6s.kz
These are calling a script called style.js and follow on from these, most likely the work of the Asprox gang. The registration details are probably fake, but for the record are:

domain: MSNGK6.RU
type: CORPORATE
nserver: ns2.msngk6.ru. 75.63.155.106
nserver: ns3.msngk6.ru. 146.57.249.100
nserver: ns1.msngk6.ru. 76.240.151.177
nserver: ns4.msngk6.ru. 24.247.215.75
state: REGISTERED, DELEGATED
person: Aleksandr A Zamaraev
phone: +7 495 7412992
e-mail: zamaraev@namebanana.net
registrar: NAUNET-REG-RIPN
created: 2008.12.17
paid-till: 2009.12.17
source: TC-RIPN
The domain mcuve.cn is different, calling 1.js. This is related to the recent 17gamo.com domain which exploits a number of things including this recent IE7 vulnerability.

Check your proxy logs for .cn/1.js and .ru/style.js plus .kz/style.js to keep on top of these. It is often worth monitoring all traffic to .cn, .ru and .kz domains for manual review.

Monday 22 December 2008

Asprox SQL injections are back

The Silent Noise blog reports that a fresh round of SQL injection attacks by the Asprox crew are under way. They seem to be using a variety of .ru and .kz domain names, although at the moment they all redirect to 79.135.168.18 in the Lebanon.. the whole 79.135.168.* block is pretty bad and has been covered here before.

inetnum: 79.135.168.0 - 79.135.168.255
netname: LB-NET
descr: Lebanon private dedicated service
country: LB
admin-c: MHB1111-RIPE
tech-c: MHB1111-RIPE
remarks: abuse mailbox: moh.b@lubnannetworks.biz
status: ASSIGNED PA
mnt-by: SISTEM-NET-MNT
source: RIPE # Filtered

person: Mohamed Baga
address: Basha Garden bldg, 5th floor LB
address: Jisr El Bacha Main Road
address: Beirut - Lebanon
e-mail: moh.b@lubnannetworks.biz
remarks: abuse mailbox: moh.b@lubnannetworks.biz
phone: +961 1 512341
nic-hdl: MHB1111-RIPE
source: RIPE # Filtered

route: 79.135.160.0/19
descr: Sistemnet Telecom
origin: AS44097
mnt-by: Sistem-Net-MNT
source: RIPE # Filtered
The endpoint appears to be a PDF exploit running on 79.135.168.18 - it's worth blocking or checking for anyaccess to this server, and also check your logs for accesses to ".kz/style.js" and ".ru/style.js" too.

Currently active domains are:
  • www.bnmd.kz
  • www.nvepe.ru
  • www.mtno.ru
  • www.wmpd.ru
Some notable impacted sites:
  • frontweb.vuse.vanderbilt.edu (Vanderbilt University)
  • maryvillecollege.edu (Maryville College)
  • guildford.ac.uk (Guildford University)
  • many .gov.ar (Argentina) and .gov.cn (China) sites
  • navigationusa.com (Online retailer)
  • worldcricketstore.com (Online retailer)
A Google search and Yahoo search indicate the extent of the problem (obviously, you don't want to visit any of these impacted sites).

Saturday 20 December 2008

"Classmates Info Center": Currently planning the 2009 Year Reunion

There's a fake "Classmates" email being spammed out, that leads to a fake video that needs a fake "Adoble Media Player" called Adobe_Player10.exe and as you would probably guess, at the end of all this fakery is a nasty trojan.



Subject: Currently planning the 2009 Year Reunion
From: "Classmates Info Center" personalvideo@classmates.com

Your Classmates Events: Reunion January 16th 2009

" With pride and joy we invite you to share a special day in our lives and join us
for the Class Reunion on Friday, January 16th 2009.
Bring the gang from Our High School back together again!
Great party - from start to finish! "

Proceed to view details:

http://video.classmates.logon.user-gandy3ts0.updateyourplayer.com/messages.htm?/identification/INVITATION=vvffx2dckssqnle



Your favorite people are already here, so use ClassmatesTM to bring them together.

With best regards, Josh Jacobson. Customer Service Department.
Copyright 1995-2008 Classmates Online, Inc. All Rights Reserved.




The landing page looks like this:


Detection rates are poor according to VirusTotal. ThreatExpert's report is right here. It installs a rootkit and does all sorts of nasty things. Avoid.

Friday 19 December 2008

Beijing AUG Networks Technology Co / augnetworks.cn scam

This is certainly spam.. but is it a scam? Most likely..

Subject: Dynamoo Domain name and Internet keyword Registration
From: "tom.xu"

Dec 19, 2008

Dynamoo

Domain name & Internet keyword

Dear Sir/Madam,

We are Beijing AUG Networks Technology Co., Ltd which is the domain name and internet keyword registration service company in China. We received a formal application from a company who is applying to register " dynamoo " as their domain name and Internet keyword on Dec 16, 2008.Since through our investigation we found that this word has been in use by your company, and this may involve your company name or trade mark so we inform you in no time. If you consider the domain name and internet keyword are important to your company and it is necessary to protect them by registering them first, contact us soon.

Kind Regards,

Tom Xu

Registration Comissioner

Tel/fax: +86-10-82797446

Email: tom.xu@augnetworks.cn

Website: www.augnetworks.cn

augnetworks.cn was only registered on 23/11/2008 to "Beijing AUG Networks Co", it is in no way an official registrar and the company probably doesn't even exist. Domain registrars are not actually responsible for checking trademarks, they most likely have had no such approach from a customer and really the whole thing is designed to make you panic into buying something you don't need.

There's more on Chinese domain malpractice here.

Tuesday 16 December 2008

MS08-078: Out-of-band patch for IE coming

Microsoft are issuing an out-of-band patch tomorrow (17th December) for the well-publicised flaw in Internet Explorer. This is another one of those "patch now" things - see here for more details.

"IE 7 users: stop looking at porn now!"


This zero day vulnerability in Internet Explorer has already been very widely publicised. There are no effective workarounds for the problem until Microsoft patch it.. apart from using a different browser.

The aptly named Zero Day blog has this sage piece of advice: "IE 7 users: stop looking at porn now!" Simply put, randomly surfing for smut, warez, illegal torrents or anything like that* is likely to infect your machine if you are running IE.

In fact, because there's no such thing as a safe site you should consider ditching IE altogether. If you're running Windows then probably one of the safest things you can do is get Firefox, add the NoScript extension and then ensure that your PC is fully up-to-date by using the Secunia Software Inspector. Even security firms such as CA and Trend Micro have had their sites compromised to serve up malware in the past, so you can never be to careful...

* or Myspace.. or Facebook..

Wednesday 10 December 2008

Vulnerability in WordPad Text Converter Could Allow Remote Code Execution

Most people will rarely use WordPad these days, but it's installed on pretty much every Windows system out there. So when Microsoft announce a vulnerability in WordPad, it could spell trouble.. essentially, a specially-crafted WordPad file could run arbitrary code on your system.

WordPad documents have a .DOC or .WRI extension, and if you have Word installed (or a similar product) then .DOC files will default to loading in Word instead. So, to mitigate against this you could simply block .WRI files at your proxy and/or mail filter. Or you could use Windows XP SP3 or Vista.. but that's not exactly a quick fix. Or you could deassociate .WRI files from WordPad using a policy.

There aren't a lot of WRI files to test with on the web, so here's a harmless file I prepared earlier:

Sunday 7 December 2008

Spammers try and fail with fake Classmates email

We've seen this particular attack several times before - an email for a bank or other service that requires some sort of software installation to proceed.. in this case, masquerading as an update to Flash for some nonsense to do with Classmates.com.

Subject: Classmates Organisation.Reunion Website Builder
From: "Classmates Messagebox#329" invitation591@classmates.com

Dear Classmates customer.
Classmates Day 2009 soon!

Video Invitation from your Classmates "2009 Classmates Day Announcement!" prepared to view.
Reunite Your High School Classmates and Celebrate This Day!
Your Classmates Are Waiting to Hear From You!

Proceed to view Your invitation now>>

With best regards, Lowell Abernathy.
Copyright 1995-2008 Classmates Online, Inc. All Rights Reserved.

Unfortunately, the stupidity of spammer is such the they have messed up the incredibly long URL, and if the users click on the link they'll get nowhere. The spammer is trying to send visitors to a subdomains of clasmatessup.com but they have forgotten the dot before com and instead are sending visitors to clasmatessupcom.

If you go to the effort of correcting the link, you get redirected to a site on a fast flux botnet which prompts you: Can't see the video? please download the Adobe_Player v10 Converter and this leads to a downloaded called AdobePlayer10.exe which actually doesn't appear to be malware (at the moment) as it identifies itself as "IIS Fortezza Setup Utility" which is a security add-on to Microsoft IIS servers, usually called fortutil.exe.

So, it's all kinda strange. Let's have a look at the WHOIS details for the domain:
Domain name: clasmatessup.com

Registrant Contact:
inc inc
Greff Frelos inc@yahoo.com
4576810811 fax: 4576810811
8883 Sh Road
New York NY 10003
us

[blah blah]

DNS:
ns1.licence-dsl.com
ns2.licence-dsl.com

Created: 2008-12-07
Expires: 2009-12-07
Of course, these are fake. The registrar is BIZCN.COM, who are often a registrar of choice for spammers. Of real interest are the name servers, ns1.licence-dsl.com is 207.150.183.180, ns2.licence-dsl.com is 66.34.177.43. 207.150.183.180 is an IP address connected with the Srizbi botnet and is a name server for a whole buncha domains.

If you run a corporate mail system, it might well be worth blocking email "from" classmates.com in any case, even if this time the spam is hugely unsuccessful, because all the bad guys will do is repackage it up and send it out again.

Saturday 6 December 2008

Joe Job against GoldPoll.com: welcome to the murky world of HYIP

GoldPoll.com is a web site about HYIPs (High Yield Investment Programs) that is hosted in the British Virgin Islands to an anonymous (possibly Panamanian) registrant, and until recently the registrar was the well-known fraudster's friend EstDomains. Despite this unpromising pedigree, it does appear that GoldPoll.com is legitimate..

..well, as legitimate as anything is in the world of HYIPs. Most HYIPs are generally just a front for Ponzi schemes and offer ridiculous payout rates such as 2% interest per day (about 624% per year) which are clearly unsustainable.

Anyway, as you can imagine there are a LOT of fraudulent HYIP schemes (are there any that are actually legitimate?) GoldPoll.com attempts to flag up schemes that aren't paying up.. which means that they have obviously annoyed some HYIP scammer somewhere who has decided to carry out a Joe Job against GoldPoll.com:

Subject: Gold Poll
From: goldpoll.com.ads@gmail.com
Date: Sat, December 6, 2008 3:57 pm

The most relevant information about the top HYIP programs from the best hyip monitoring. http://www.goldpoll.com


We personally invest in each HYIP and check the reliability of everyday payments. Click on any HYIP name to be redirected to it. Click on Program Details to get further information about a HYIP, find other members' posts and vote yourself.

goldpoll.com

Now GoldPoll.com states: "We never send SPAM and hate SPAMmers. Please don't trust in any e-mail that appeared to be from us and not stated on our Newsletters Archive!" which of course doesn't mean that much.. but a close investigation of the offending email indicates that it came from 211.95.78.71 in China. Now, 211.95.78.71 isn't just any IP address, it happens to be a server where a number of HYIP related domains are hosted:

  • Accuramoney.com
  • Bestinvestfar.com
  • Bestnethosta.com
  • Dalamonda.com
  • Google-analyser.com
  • Google-optimise.com
  • Google-spider.com
  • Healthcarem.com
  • Heroesadvent.com
  • Homegome.com
  • Injektus.com
  • Jampadventures.com
  • Libertyreiserve.com
  • Libertyrescerve.com
  • Luckautomachine.com
  • Luckjewel.com
  • Maxcargotrade.com
  • Ordtechnologies.com
  • Platinumtvonline.com
  • Sekermen.com
  • Toguessgame.com
  • Trancgroup.com
  • Webtradersite.com

It seems that there is a related server to this at 64.63.1.204, at least one of the domains (nasdaq-invest.com) is on GoldPoll.com's blacklist (there may be others).

  • Al-moeed.com
  • Boodjewel.com
  • Deluxeinvestment.org
  • E-investbank.net
  • Fastprofit-2008.com
  • Futureinvest.biz
  • Gpttalkpro.com
  • Higaintrade.com
  • Hyip-profits.com
  • Hyip-world.com
  • Hyipchecking.com
  • Hyipozaurus.biz
  • Katyadumper.com
  • Libertyrieserve.com
  • Mcdump.com
  • Monemoke.com
  • Moneyinvests.biz
  • More-invest-2009.com
  • Nasdaq-invest.com
  • Pensioninsurancefund.com
  • Perfectservers1.us
  • Photos-vn.com
  • Realforex.us
  • Sectrustbonline.com
  • Solid-fund.com
  • Supervirtualcards.com
  • Teekypleaze.com
  • Tieudiemchinh.com
  • Tomerbusiness.com
  • Tophyipsite.com
  • Ukoblos.com
  • Userinvest.com
  • Wertor.info
  • Wmrub.com
If you are an HYIP investor, then take some of these domain names and Google for them, and you'll get the measure of [un]reliable they are. You can pretty much guarantee that they are closely related.

But really my best advice is to avoid HYIP altogether. It's basically just a form of gambling, but with much worse odds in the long run.

Wednesday 3 December 2008

"Alpha Soft Company" bogus employment offer

Alpha Soft Company is a wholly legitimate Ukrainian software development company, this fake job offer is being sent out by someone pretending to be Alpha Soft, and who is fraudulently using the name of Taras Vergovsky (who is a director) in order to make the offer seem more credible.

There have been a few similar emails targeting companies from the Ukraine recently, for example: Infopulse, JavaRealm Software, VM-Soft, SocMart. They all follow a similar pattern and wording, and all mention the name of a senior person within the company.. and they are all bogus. In short, this is just another money laundering scam that should be avoided at all costs.




Hello Sir/Madam.

I Taras Vergovsky, Director of Alpha Soft Company specializes in innovative IT solutions and complex software projects development.

My company based in Ukraine. We've earned ourselves a reputation of a reliable and trustworthy partner working successfully with a number of West European companies and providing them with reliable software development services in financial and media sectors. Unfortunately we are currently facing some difficulties with receiving payments for our services. It usually takes us 10-30 days to receive a payment and clearing from your country and such delays are harmful to our business. We do not have so much time to accept every wire transfer.

That's why we are currently looking for partners in your country to help us accept and process these payments faster. If you are looking for a chance to make an additional profit you can become our representative in your country. As our representative you will receive 8% of every deal we conduct. Your job will be accepting funds in the form of wire transfers and forwarding them to us. It is not a full-time job, but rather a very convenient and fast way to receive additional income. We also consider opening an office in your country in the nearest future and you will then have certain privileges should you decide to apply for a full-time job. Please if you are interested in transacting business with us we will be very glad.

Please contact me for more information via email: alphasoft.ua.job@gmail.com

and send us the following information about yourself:

1. Your Full Name as it appears on your resume.
2. Education.
3. Your Contact Address.
4. Telephone/Fax number.
5. Your present Occupation and Position currently held.
6. Your Age

Please respond and we will provide you with additional details on how you can become our representative. Joining us and starting business today will cost you nothing and you will be able to earn a bit of extra money fast and easy. Should you have any questions, please feel free to contact us with all your questions.

Thank you,
Taras Vergovsky ,
Alpha Soft Company




Some email addresses to look out for are alphasoft.ua.job@gmail.com, sup.alphasoft@gmail.com, job.alphasoft@gmail.com.. there are probably others. Sending IP is 217.170.2.228.

Tuesday 2 December 2008

Awesome or what? The Nokia N97.



Announced a couple of hours ago, the Nokia N97 is a pretty awesome looking bit of kit. We've waited a long, long time for Nokia to come up with something like this.. although I don't think that I will be giving up the Nokia E90 just yet, since the rumour is that there will be a touchscreen Communicator next year (probably announced at Mobile World Congress).

It's not cheap: €550 (around £450 or $650) SIM-free before tax. You can get a laptop for that. Very tempting though...