Sponsored by..

Wednesday, 3 September 2008

"Bangui" malware domains

A whole set of domains distributing malware, currently based on 206.53.51.119 and allegedly registered to someone in Bangui (although most likely it is the RBN again). These domains are being used in blog spam and also what appears to be PHP and ASP injection attacks.

Unlike some injection attacks, the pages carry some scraped text that's relevant to the URL. Combine this with the inbound links created through spam and injection attacks and you have a very black hat SEO campaign. Yahoo! seems to be more prone to this type of SEO than Google.

The pages on these domains use a javascript redirector (menu.js) to end up at a set of fake video and rogue anti-malware sites that install all sorts of nasty things.. again, these endpoints have the hallmark of the RBN.

  • Afwwwf.info
  • Apostit.info
  • Bcuioc.info
  • Bglkhg.org
  • Bihuru.org
  • Biiwhw.info
  • Bikgfjr.info
  • Bioblor.info
  • Bioqw.info
  • Biowfr.info
  • Bkjksl.org
  • Bkssdoue.info
  • Bloiw.org
  • Bocaca.org
  • Cascaa.info
  • Cbasoa.info
  • Cbr1000rrxx.info
  • Csccons.org
  • Cskaa.org
  • Eomnb.info
  • Fasca.info
  • Fasfw555.info
  • Fasw.org
  • Fbkshk.org
  • Fdsaa.org
  • Firstnax.org
  • Fjkjfjoi.info
  • Fjwiojnc.info
  • Flsab.info
  • Foeww.org
  • Foxrat.info
  • Fsaff.org
  • Fsafvn.info
  • Fsancao.info
  • Fsanp.org
  • Fsaqq.info
  • Fsaw.org
  • Fsfa22rr.info
  • Fsfkg.info
  • Fsfworg
  • Fsgkle.org
  • Fsjklhg.info
  • Fskjhgkb.info
  • Fullmediabase.net
  • Fwe75r4fyf65.cn
  • Fwfds.org
  • Fwfisow.org
  • Fwjijc.org
  • Fwoijwh.org
  • Gcoigkm.org
  • Gewop.info
  • Gjgkgjhew.org
  • Golodnijya.org
  • Gucwd.org
  • Hellodolly5k.net
  • Hellodomy5k.net
  • Hhkjj.org
  • Hkljccc.info
  • Hodnejgreat.info
  • Hofhwbc.info
  • Hohotv.org
  • Homosapien5k.net
  • Hrr553.info
  • Hudinarjiii.cn
  • Itgfbn.org
  • Jfldsh.org
  • Jflhg.info
  • Jlbyuo.org
  • Jnbq.info
  • Jowely.org
  • Jplhnh.info
  • Juiok.org
  • Jumpsert.org
  • Jwionw.info
  • Kiwedox.org
  • Kjhiofw.org
  • Kjhlfsh.org
  • Knwponc.org
  • Madnes.info
  • Mazafaker.com
  • Mfpwjmc.org
  • Mkmcsss.org
  • Mpfwmcs.org
  • Mpkcmzz.org
  • Mpmccz.org
  • Mybestz5k.net
  • Nado1000traffa.info
  • Nfeow.org
  • Nfwojw.org
  • Nfwon.org
  • Nhphpkj.info
  • Nifa422.info
  • Njpaw.info
  • Nosdsh.org
  • Pokoder.org
  • Sonvfs.org
  • Werbin.org
  • Wfwcn.org
  • Wn59whgp3w.cn
  • Workfox.info
  • Yzfr1yamahad.info

Tuesday, 2 September 2008

Asprox: 2b24.ru

These domains seem to be today's current Asprox SQL Injection domains - check for them in your logs or block them. 2b24.ru seems to be new, the rest have been around for a few days. The exploit is still using a script called script.js to run.

  • 2b24.ru
  • cg33.ru
  • cv2e.ru
  • cv32.ru
  • mc2n.ru
  • mj5f.ru
  • oc32.ru
  • vwsc.ru

Monday, 1 September 2008

"WorldWide Offshore Integrated Systems Inc"

Another money mule scam, this time claiming to be from "WorldWide Offshore Integrated Systems Inc" of New York, a company that does not exist according to the New York Division of Corporations. Also, there are no Google matches for that search term... except that there will be since I've posted this. Oh, you can figure out what I mean.

Originating IP is 78.175.218.143 in Turkey. Also, I can't think of many "WorldWide " corporations that have to use Yahoo!'s free email service.




Subject: Looking for a job? Good chance for you!
Date: Mon, September 1, 2008 4:38 pm



Hello.

WorldWide Offshore Integrated Systems Inc. is a custom software development company
located in New York, USA.

We offer full cycle custom software programming services, from product idea,
offshore software development to outsourcing support and enhancement.
WorldWide Offshore Integrated Systems Inc. employs a large pool of software
engineers coming from different backgrounds.
We are able to balance product development efforts and project duration to your
business needs.

WorldWide Offshore Integrated Systems Inc. customer service department is currently
offering employment for residents
in order to provide it's new branch with qualified personnel.
The private client support desk is responsible for following up client enquiries,
helping the clients to understand how WorldWide Offshore Integrated Systems Inc. can
save them money on foreign
currency transactions, and developing new business through referrals.

First of all you need no prior experience, even though we are value
your current knowledge, but we will provide all necessary training when
you will join us.

If you're a customer service fanatic, and enjoy working in a challenging and
rewarding environment,
please see below for our current list of opportunities.

Requirements:

è Proficiency in MS Word, Excel & Internet
è Excellent communication skills both oral and written

- This work does not require any experience!
- This is a work at home

You will be paid USD 2500 per 2 weeks.

Should you have any questions regarding this letter,
our offer of employment or anything else, please write me an e-mail.
We are excited to have you join our organization and look forward to working with you.


If you are interested in our position reply to e-mail worldwide61@yahoo.com


Best regards,
Katrin Olley
Employment Manager


Asprox: cg33.ru, cv2e.ru, cv32.ru, mc2n.ru, oc32.ru and vwsc.ru

Another bunch of Asprox SQL injection domains to block or monitor for, all quite new:

  • cg33.ru
  • cv2e.ru
  • cv32.ru
  • mc2n.ru
  • oc32.ru
  • vwsc.ru
Alternatively, look for .ru/script.js in your logs which should pick up most of them.

Update: here's another one - mj5f.ru

Friday, 29 August 2008

Atrivo / Intercage

Atrivo, Inc (also known as Intercage) and their main customer, Esthost (related to Estdomains) might well be a familiar name to people working in IT security. Atrivo is based is California and is run by one Emil Kacperski, so it has always surprised me that such a small operator should be a persistent host of malware.

Well, Atrivo's activities have not gone un-noticed by HostExploit.com who have produced a whitepaper and diagram and a YouTube video explaining how Atrivo's network is involved in a typical PC exploit.

Brian Krebs at the Washington Post has a comprehensive commentary. Note in particular the comments from "Emil K." at the bottom of the article. The RBN blog also has a comment here. Fascinating stuff.

Thursday, 28 August 2008

Where a link turns into a lawsuit

I've seen some daft excesses in local politics in my time, but over Sheboygan, Wisconsin, things have taken a new twist... with a lawsuit over a link.

Jennifer Reisinger operates a website called Sheboygan Spirit which appears to be very critical of local officials and also a now defunct web design business called Brat City Web Design. She was also involved in a campaign to recall the elected mayor, which probably didn't endear her to some city officials.

Last year, the city filed a lawsuit against Ms Reisinger. Why? Because one of her sites carried a link to the Sheboygan Police Department (oops). First, the city sent a cease and desist asking her to remove it, and when she refused to do so they initiated a criminal investigation and legal proceedings.

Remember, this is just a link to the local police department. Not a link to illegal or confidential material. Of course, really the city didn't have a leg to stand on and in November 2007 decided not to pursue the case.

But Ms Reisinger wasn't finished, and a few days ago filed a counter-suit alleging loss of business and a violation of first amendment rights. It looks like it could be a significant case.. depending on the outcome.

There's more information in this item at the Milwaukee Journal Sentinel, and also here at the Citizen Media Law Project.

Wednesday, 27 August 2008

"Bank of America Installation and Upgrade Warning."

The bad guys are busy today, here's another fake bank "upgrade" leading to malware, following on from this one.


Subject: Bank of America Installation and Upgrade Warning.
From: "Bank Of America Update Service Department"
Date: Wed, August 27, 2008 2:23 pm

Attention All Bank of America Customers.
Security & Fraud Protection Update.

At Bank of America, were committed to keeping your information confidential and
secure, and we take that responsibility very seriously.
Our Fraud detection solution helps to protect your business against the risk of
fraudulent transactions alerting you to potential risks.
We have developed the following protection tools to insure you confidentiality.

You can download the latest security pack from our Customer Service Department>>

Sincerely, Jodie William.
2008 Bank of America Corporation. All rights reserved.
This leads to a very convoluted URL with an executable Setup_BankofAmericaclientno4508832.exe - virus detection for this one is a bit poor. Malware is identified variously as TR/ATRAPS.Gen (AntiVir & WebWasher), DeepScan:Generic.Malware.dld!!.083539B0 (BitDefender) and one or two others come up with a generic detection.

Incidentally, the URLs used in both attacks are incredibly long and convoluted.. and not terribly convicincing.

Avoid these "bank certificates" at all costs.

Tilde.exe in C:\Windows\System32 folder


This isn't really about tilde.exe at all, but a file called C:\Windows\System32\~.exe that has a habit of showing up on laptops that have been playing up with frequent browser crashes.

~.exe is kind of an odd name for a file, and crucially it's an ungoogleable name, because Google uses the tilde mark for its Synonym Search function.

Probing more deeply at the file shows that is is 34,616 bytes in size and is described internally as "Microsoft® Remote Std I/O Shell". The version information gives the following details:

  • Company: Microsoft Corporation
  • File Version: 6.0.6001.16470 (fbl_tools(patst).070215-1229)
  • Internal name: remote.exe
  • Language: Language Neutral
  • Original File name: remote.exe
  • Product Name: Microsoft® Windows® Operating System
  • Product Version: 6.0.6001.16470
The icon is identical to the remote.exe sometimes supplied with various Microsoft debugging or support tools. Indeed, it does seem to be just another version of remote.exe which is a component of Microsoft's SMS server.

The ~.exe file may also be accompanied by a couple of strange-looking .dat files, for example __c0084F92.dat or __c00E460A.dat which on closer examination are actually executables.

It does genuinely seem to be a bit of Microsoft software, but in this case it would appear to be acting as a trojan downloader. The .dat files are lilely to be the second stage of the infection, and this could well be related to all the fake anti-virus products that have been promoted recently.

~.exe is detected variously as Trojan-Downloader.Win32.Agent.abnd, Win32/TrojanDownloader.Agent.ABND or Trojan:Win32/Vundo.gen!V (VirusTotal results here). The .dat file shows up variously as Trojan-Downloader:W32/FakeAlert.AN, TROJ_TIBS.CKN, Tibs.gen222, not-a-virus:AdWare.Win32.Agent.ekj (VirusTotal results here and here).

Removal: delete the ~.exe file and any unusual looking .dat files that match the above pattern. If the trojan is active, then one of the .dat files will be locked. The F-Secure Online Scanner seems to be able to safely remove this trojan, although a reboot will be required.

This is the first time that I have seen a Microsoft SMS component used in this way. Presumably it attempts to connect up to a back-end server that I have not yet been able to identify. It may well be that a corporate firewall would block such behaviour.

Tuesday, 26 August 2008

"Colonial Bank Emergency Alert System"

Emergency alert system? Nope, malware download more likely.

Subject: Colonial Bank Emergency Alert System.
From: "Colonial Bank Account Support"
Date: Tue, August 26, 2008 8:35 pm

Dear Colonial Bank Customers. Protect your passwords!

- Never write down your passwords.
- Never share passwords with anyone.
- Change your password every few months.
- Change your password if you think it has been compromised.

For a password to be strong and hard to break, it should be at least nine characters
long, contain characters from each of the following three groups: letters (uppercase
and lowercase), numerals, symbols (all characters not defined as letters or
numerals), not contain your name or user name and not be a common word or name.
Be sure your computer is up-to-date with security patches, anti-virus, and
anti-spyware protection.
Download our latest all-in-one Internet software from our Customer Service
Department to make your online life completely secured.

Press here to Start>>

Sincerely, Parker Wheeler.
2003-2008 Colonial bank Support Team
VirusTotal detections are a mixed bag:

File ColonialDigicertx_509.exe received on 08.26.2008 23:52:05 (CET)
AntivirusVersionLast UpdateResult
AhnLab-V32008.8.21.02008.08.26-
AntiVir7.8.1.232008.08.26HEUR/Crypted
Authentium5.1.0.42008.08.26-
Avast4.8.1195.02008.08.26-
AVG8.0.0.1612008.08.26-
BitDefender7.22008.08.26DeepScan:Generic.
Malware.dld!!.6B08AD0D
CAT-QuickHeal9.502008.08.26(Suspicious) - DNAScan
ClamAV0.93.12008.08.26PUA.Packed.MEW-1
DrWeb4.44.0.091702008.08.26-
eSafe7.0.17.02008.08.26Win32.Stration
eTrust-Vet31.6.60502008.08.26-
Ewido4.02008.08.26-
F-Prot4.4.4.562008.08.26-
F-Secure7.60.13501.02008.08.26Suspicious:W32/Malware!Gemini
Fortinet3.14.0.02008.08.26-
GData192008.08.26-
IkarusT3.1.1.34.02008.08.26Trojan-Proxy.Win32.Small.DT
K7AntiVirus7.10.4282008.08.25-
Kaspersky7.0.0.1252008.08.26-
McAfee53702008.08.26-
Microsoft1.38072008.08.25PWS:Win32/Uloadis.A
NOD32v233902008.08.26-
Norman5.80.022008.08.26W32/Suspicious_M.gen2
Panda9.0.0.42008.08.26-
PCTools4.4.2.02008.08.26Packed/MEW
Prevx1V22008.08.26-
Rising20.59.11.002008.08.26-
Sophos4.32.02008.08.26Mal/EncPk-BA
Sunbelt3.1.1582.12008.08.26VIPRE.Suspicious
Symantec102008.08.26-
TheHacker6.3.0.6.0602008.08.23W32/Behav-Heuristic-066
TrendMicro8.700.0.10042008.08.26Cryp_MEW-11
VBA323.12.8.42008.08.26-
ViRobot2008.8.26.13502008.08.26-
VirusBuster4.5.11.02008.08.26Packed/MEW

Asprox: beyry.ru, iopoe.ru, jetp6.ru, nucop.ru, port04.ru and vj64.ru

There's been a slight shift in the characteristics of the current Asprox attack. The javascript called is now script.js rather than ngg.js or js.js, and this goes to a redirect script currently pointing at /cgi-bin/index.cgi?lle on the local domain.

Active domains in this new attack seem to be as follows, new ones are in bold.
  • beyry.ru
  • cb3f.ru
  • cnld.ru
  • iopc4.ru
  • iopoe.ru
  • jetp6.ru
  • loopk.ru
  • netr2.ru
  • okcd.ru
  • nucop.ru
  • port04.ru
  • ueur3.ru
  • vj64.ru
Check your logs or block these domains. Most business outside of Russia and neighbouring countries could probably block the entire .ru TLD with minimal impact. Look also for the CGI sript (/cgi-bin/index.cgi?lle) to find potentially infected client PCs.

Friday, 22 August 2008

Asprox: iopc4.ru, jetp6.ru, loopk.ru, netr2.ru and ueur3.ru

The domains used is the Asprox SQL injection attack have been stable for most of the past week, but over the last 24 hours some ne wdomains have been registed, so check your logs and/or block the following:

  • iopc4.ru
  • jetp6.ru
  • loopk.ru
  • netr2.ru
  • ueur3.ru

It is likely that some more will turn up during the course of the day.

Friday, 15 August 2008

Another SQL injection domain: mo98g.cn

I mentioned some days ago that there seems to be a parallel SQL injection attack to Asprox with all the hallmarks of being Chinese. Over the past day or so, mo98g.cn has appeared on some infected sites (often alongside Asprox) making a call to mo98g.cn/q.js which is hosted on 222.122.128.5 in South Korea.

The back end seems not to be working at present, so maybe the server has been cleaned up. In any case, this is another domain to block or check your logs for.

Asprox: ujnc.ru

Just a single new Asprox domain to list this morning: ujnc.ru which is still using the js.js redirector, i.e. www.ujnc.ru/js.js. All the domains from the past two days are still active too.

Thursday, 14 August 2008

Asprox: 3njx.ru, cb3f.ru, cnld.ru, nbh3.ru and okcd.ru

Some more Asprox domains to block or look for in your logs:

  • 3njx.ru
  • cb3f.ru
  • cnld.ru
  • nbh3.ru
  • okcd.ru

Renewed Asprox activity: bcus2.ru, jkn3.ru, juc8.ru and locm.ru

After a quiet few days, Asprox seems to have flared up again (at about 1000 CET) with a new set of malware domains, still launching from a SQL injected js.js file on compromised hosts. Keep an eye out for these domains or block them.

These domains are all very recently registered through naunet.ru, there are probably many more on the way soon.

  • bcus2.ru
  • jkn3.ru
  • juc8.ru
  • locm.ru

Tuesday, 12 August 2008

All quiet on the Asprox front?

For the moment the Asprox SQL injection attacks seem to have stopped, although infected sites are still infected and need to be secured as soon as possible.

So, does this mean that the bad guys have given up? Well, no.. but there are probably thousands of sites out there which are still infected, so from that point of view they will still be getting "hits" to their malware sites.

Perhaps the answer is this - the people behind the SQL injection attacks are doing something else. Two very newsworthy events happening over the past few days have been the war in Georgia and the Beijing Olympics. Dancho Danchev reports that the RBN have been actively involved in attacking Georgian sites, including using SQL injection attacks. F-Secure report that Chinese sites have been attacked since the run-up to the Olympics started.

It might well be that these Asprox attacks will be quiet for a couple of weeks, but it is likely that general SQL injection attacks will ramp up again soon.

Sunday, 10 August 2008

Spammers are still stupid

Another case where a spammer is too stupid to use the spamming tool they have just bought.

Subject: hey
From: "hvgoxscw"
Date: Sun, August 10, 2008 7:59 pm

You have 2 options here,
Option 1 - You can put ANY text you want in here.

Option 2 - We will fill it in with the text only portion of the
html message if you put the macro for you: [url removed]
in here.

NOTE: Some email clients don't disply html data. In that case what you
put here will be seen by the recipient. If the email client does

display html data then this will NOT be seen by the recipient.
Based on this you may wish to put a text version of your add here;
however, you can also put some macros here to make the message
more random.

Or use Option 3 and don't add anything at all. Idiot.

Saturday, 9 August 2008

"Hey, take a look!!" / "Yahoo Daily News"

Looks like another variant of the Storm Worm /Zapchast doing the rounds:

Subject: Hey, take a look!!
From: "Yahoo Daily News"

Hello friend !
You have just received a yahoo messenger ultimate version !!


Click Download Now to begin downloading and installing Yahoo Messenger ultimate version 10 ver 10.1



1. Download Now Click Download Now to begin downloading and installing Yahoo! Messenger ultimate version 10.
ver. 10.1
2. When prompted, please click the Run button in each window that appears.

Other versions: XP (9.0 Beta), Vista, Mac, Web, Mobile

Thank you for using our services !!!
Please take this opportunity to let your friends use about this new software by sending them the source.

Copyright © 2008 Yahoo! Inc. All rights reserved. Copyright/IP Policy | Terms of Service |Guide to Online Security

Relevant advertising creates a better web experience. See how

NOTICE: We collect personal information on this site.

To learn more about how we use your information, see our Privacy Policy
In this case the target file to download is msgr8.5us.exe, VirusTotal detection is pretty good.

Expect to see a LOT of these over the next few days, either themed for the Olympics or the war in South Ossetia. Although the subject will always change, a crash course in user education can help to mitigate the risk.

ISC: "More SQL Injections - very active right now"

The Internet Storm Center has published technical details on the Chinese-based SQL injection attack which may be of interest to SQL administrators and programmers and also security specialists. It also flags up another javascript file to look for: csrss/w.js

Keep an eye out for log activity pointing to this file. Blocking the entire .cn TLD will probably do very little harm for most businesses.

Asprox: block 91.203.93.4 and js.js

A shift in behaviour from the Asprox botnet - this time all traffic from infected sites is being redirected through a fixed IP at 91.203.93.4. Blocking 91.203.93.0/24 will probably do no harm.

Also, the name of the javascript file has changed to js.js, so look for this in your logs.

The Silent Noise blog is tracking Asprox domains too, with some interesting developments that we haven't had the chance to dig deeper into.

Tuesday, 5 August 2008

Asprox domains: 5/8/08

Current Asprox domains to look for in your blogs or block. These have all been active for 3 or 4 days now, which is an unusually long time for this current SQL injection attack.

  • 8hcs.ru
  • 98hs.ru
  • bgsr.ru
  • bywd.ru
  • ibse.ru
  • ncbw.ru
  • nwj4.ru
  • ojns.ru
  • porv.ru
  • uhwc.ru

Saturday, 2 August 2008

Asprox domains: 2/8/07

These are the currently active Asprox domains to check for. They are all very recently registrations.

  • 8hcs.ru
  • 98hs.ru
  • bgsr.ru
  • bywd.ru
  • ibse.ru
  • ncbw.ru
  • nwj4.ru
  • ojns.ru
  • porv.ru
  • uhwc.ru

Friday, 1 August 2008

Fake "Correspondence manager" job

Money mule scams are now very common - basically some poor fool ends up laundering money or reshipping goods following the instructions of someone they have never met and is likely to be untraceable.

This particular job offer seems to go a step further. This "correspondence manager" could well be another layer in the scammer's obfuscation. Perhaps the correspondence manager handles communications with the money mules?

One danger here is that this particular role is more credible that the "money for nothing" jobs that scammers usually offer. On the face of it, it doesn't involve handling money, but it does seem to be very easy and the salary looks attractive.

There's an interesting bit of social engineering where the email says "THE SELECTED CANDIDATE MUST PASS A CRIMINAL BACKGROUND CHECK". Of course, it is the employer who needs to pass a background check too. Always verify that your job offers are from a genuine, verifiable business.




Subject: Re: WELL - PAID JOB!
From: ls51@salud.gov.pr
Date: Fri, August 1, 2008 11:52 am

Dear, Job Seeker!

Our firm has an opening vacancy: Correspondence manager.

Please attach your resume in DOC or reach text format and apply right now. This
position is limited.



Company Name
Global Logistic


Job Category
Correspondence


Location
United States


Position Type
Part-Time/Home Based


Salary
$ 35,000 - $ 50,000


Experience
1+


Desired Education Level
High School or Equivalent


Date Posted
March 17, 2008



Job Summary:
You will make some basic tasks from your manager daily; manage personal assets;
making simple correspondence operations. You don't need to have any kind of
education or experience. We will make online training for position offered. You
will have more information in job description document. Apply now.
Requirements: US citizenship or US permanent residency

High school or College in relevant field or 1+ years experience in management;
basic computer, good verbal and grammar skills; must have a cellular phone for
urgent tasks; must be able to work part-time; must provide resume for
qualification process.

ALL RESUMES WILL BE CONFIRMED AND VERIFIED. THE SELECTED CANDIDATE MUST PASS A
CRIMINAL BACKGROUND CHECK
If you're interested send your full name, phone number, age and RESUME
mailto:NannieHolderCE@gmail.com and I'll redirect it to our HR department.


Beware of unsolicited loan offers

Loan scams are a another variant of the advanced fee fraud scam (e.g. fake lotteries, dead dictator's fortunes etc). These seem to be more popular recently due to the "credit crunch". Fundamentally the approach is the same as any other advanced fee fraud: you apply for the loan only to discover that there is a fee payable up front. Of course, no legitimate lender would ask for an up front fee for a loan.

Although the wording for this particular example sounds like it is from Nigeria, the IP address is from the Hathway network in Bangalore. Oddly from "from" address is Hathway too.

Subject: LOAN OFFER
From: ramanks@hathway.com
Date: Thu, July 31, 2008 8:14 pm
Priority: Normal


Dear Customer
We are corporate lenders. we give out loans to
A very honest and reliable personalities. we give
out our loans at low interest rate and moderate
values as cheap as 3% rate. Because of scam
we tender our qualifications if it satisfies, you
can continue with the transaction, but if you are
not satisfied you can go to another lender.
Channel your response to this email.
thomassteve2@gmail.com
Greatest Regards
Marketing Manager
Mr Thomas Steve.
Although this particular one is pretty laughable, it is likely that the scammers will get better at it. Beware of unsolicited loan offers and remember that all fees and interest will come out of your repayments, not from an up front fee.

Wednesday, 30 July 2008

PestPatrol: Zuten detected in c:\windows\minidump

This one looks like a false positive.. CA PestPatrol with signature version 2008.7.29.15 seems to be detecting Zuten in the c:\windows\minidump folder.

A close examination of the description indicates that the following files may be being misdetected:

%windows%\minidump\mini072908-01.dmp
%windows%\minidump\mini072908-02.dmp
As you can see, yesterday's date in encoded into the .dmp files. If your computer system has generated a .dmp file in the past day, then PestPatrol may well be mis-detecting it.

Tuesday, 29 July 2008

The SQL Injection war

Dancho Danchev had has some very good writeups on the current round of SQL injection attacks. This post on copycat attacks caught my eye, because it shows that there's more than one crew at work here.

If anything, this situation is likely to get worse. The tools needed to carry out a SQL injection attack are now almost available off-the-shelf, the attacks are obviously financially successful because they have been ongoing now for some months, and enumeration of vulnerable servers can be done through Google or Yahoo if you don't want to bother crawling the web.

Identifying and blocking domains helps, but it isn't a real solution. Most of these attacks are thwarted by a fully patch client (and I do mean all the software on the client, the Secunia Software Inspector can help here or some other decent audit tool). Using Firefox + NoScript is a good idea for the technically savvy. But ultimately, the best way of fighting this is to secure or shut down infected SQL servers. Don't be afraid to use the abuse@ email address where a web site is posing a continuing threat.

Asprox domains: 29/7/08

These are this morning's active Asprox domains. New ones are in bold.

  • b4so.ru
  • bce8.ru
  • bjxt.ru
  • bnsr.ru
  • bosf.ru
  • bsko.ru
  • ch35.ru
  • gty5.ru
  • iroe.ru
  • jve4.ru
  • kj5s.ru
  • kjwd.ru
  • kpo3.ru
  • kr92.ru
  • ncb2.ru
  • ncwc.ru
  • nemr.ru
  • njep.ru
  • nmr43.ru
  • oics.ru
  • pfd2.ru
  • po4c.ru

Monday, 28 July 2008

Asprox domains: 28/7/08

These seem to be the current Asprox domains to block or check for. New ones are in bold.

  • bs04.ru
  • bce8.ru
  • bjxt.ru
  • bnsr.ru
  • bosf.ru
  • bsko.ru
  • ch35.ru
  • iroe.ru
  • jve4.ru
  • kjwd.ru
  • kodj.ru
  • kpo3.ru
  • kr92.ru
  • ncb2.ru
  • ncwc.ru
  • nemr.ru
  • nmr43.ru
  • oics.ru
  • pfd2.ru
  • po4c.ru
ngg.js still seems to be the name of the javascript file injected into compromised hosts.

Friday, 25 July 2008

Asprox domains: 25/7/08

These domains seem to be active today, new ones in bold.

  • bce8.ru
  • ch35.ru
  • iroe.ru
  • jve4.ru
  • kjwd.ru
  • kodj.ru
  • kpo3.ru
  • kr92.ru
  • ncwc.ru
  • nemr.ru
  • nmr43.ru
  • pfd2.ru
  • po4c.ru
One oddity - the URL zvz.cc/forums/8L0/join.upq has been spotted as a redirector for these Javascript exploits. Google list zvz.cc that as a malware infected site, it is hard to tell though if this is just another victim or part of the C&C for the botnet. For the record, these are the WHOIS details.. but they might not mean very much.

Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: http://www.estdomains.com

Domain Name: ZVZ.CC

Registrant:
Himpet .Inc
Evgenij Novoberkov (zvz@tut.by)
Stahanov.St 120
Minsk
Missouri,222120
US
Tel. +022.2720771

Creation Date: 09-Apr-2008
Expiration Date: 09-Apr-2009

Domain servers in listed order:
ns2.zvz.cc
ns1.zvz.cc

Administrative Contact:
Himpet .Inc
Evgenij Novoberkov (zvz@tut.by)
Stahanov.St 120
Minsk
Missouri,222120
US
Tel. +022.2720771

Technical Contact:
Himpet .Inc
Evgenij Novoberkov (zvz@tut.by)
Stahanov.St 120
Minsk
Missouri,222120
US
Tel. +022.2720771

Billing Contact:
Himpet .Inc
Evgenij Novoberkov (zvz@tut.by)
Stahanov.St 120
Minsk
Missouri,222120
US
Tel. +022.2720771

Status:ACTIVE

Thursday, 24 July 2008

Asprox: jve4.ru, nmr43.ru and po4c.ru

Three new Asprox domains that have gone live in the past few hours, probably some more on the way. Either block these or check your logs if you are a network admin.
  • jve4.ru
  • nmr43.ru
  • po4c.ru

"ABT Solutions" scam email

Following on from the recent "Infopulse" scam, another Ukranian firm has been targeted by the money mule operators. ABT Solutions appears to be a legitimate and quite innocent company that has been around for a few years, but this email does not come from ABT Solutions. The [fake] name used in the email is very similar to the name used in the abtsolutions.net WHOIS data, it is likely that it has been lifted from there.

Two telltale signs - one is the use of a Google Mail address where you would expect it to come from abtsolutions.net, the other one is that the job offer appears to be too good to be true. The company name is also spelled incorrectly.




Subject: A proposal for collaboration. Additional revenue.
From: job.abtsolutions@gmail.com
Date: Wed, July 23, 2008 11:07 pm

Hello Sir/Madam,

I am Chebotar' Aurelian, Director of ABT Solutins
specializes in innovative IT solutions and complex software projects development.

My company based in Ukraine. We've earned ourselves a reputation of a
reliable and trustworthy partner working successfully with a number of
West European companies and providing them with reliable software
development services in financial and media sectors.
Unfortunately we are currently facing some difficulties with receiving
payments for our services. It usually takes us 10-30 days to receive
a payment and clearing from your country and such delays are harmful
to our business. We do not have so much time to accept every wire transfer.

That's why we are currently looking for partners in your country to help
us accept and process these payments faster.
If you are looking for a chance to make an additional profit you can
become our representative in your country. As our representative you will
receive 8% of every deal we conduct. Your job will be accepting funds in
the form of wire transfers and forwarding them to us.
It is not a full-time job, but rather a very convenient and fast way
to receive additional income. We also consider opening an office in your
country in the nearest future and you will then have certain privileges
should you decide to apply for a full-time job. Please if you are
interested in transacting business with us we will be very glad.

Please contact me for more information via email:

and send us the following information about yourself: job.abtsolutions@gmail.com

1. Your Full Name as it appears on your resume.
2. Education.
3. Your Contact Address.
4. Telephone/Fax number.
5. Your present Occupation and Position currently held.
6. Your Age

Please respond and we will provide you with additional details on how you
can become our representative. Joining us and starting business today will
cost you nothing and you will be able to earn a bit of extra money fast
and easy. Should you have any questions, please feel free to contact us
with all your questions.

Sincerely,
Chebotar' Aurelian,
Director of ABT Solutins.


Wednesday, 23 July 2008

Asprox domains: 23/7/08 - Part II

Just a couple more to add:

  • cgt4.ru
  • kc43.ru

Asprox domains: 23/7/08

A shift in domains used by the Asprox crew - these new domains are all in the .ru TLD and are registered via NauNet (contact details here). ngg.js is still the name of the Javascript file to look for, I suspect that vrcgoo.js might be a new name to keep an eye out for too.

  • 4cnw.ru
  • 4vrs.ru
  • 5kc3.ru
  • 90mc.ru
  • 9jsr.ru
  • bts5.ru
  • chds.ru
  • cvsr.ru
  • d5sg.ru
  • ecx2.ru
  • gb53.ru
  • h23f.ru
  • jex5.ru
  • jvke.ru
  • keec.ru
  • keje.ru
  • kgj3.ru
  • lkc2.ru
  • lksr.ru
For most organisations, blocking the entire .ru TLD will probably do no harm as these are usually always Russian language sites.

Wednesday, 16 July 2008

"Infopulse Ukraine Ltd" Money Mule Scam

Infopulse Ukraine appears to be a legitimate software development company, but this email that claims to be from them is certainly not legitimate. Tell-tale signs are the free email address (rather than using infopulse.com.ua and the fact that this sort of money transfer operation appears to be an easy way to earn money doing very little.. which means that it will be some sort of money laundering operation. Avoid.




Subject: Earning additional salary with us!
From: jobinfopulse@gmail.com
Date: Wed, July 16, 2008 4:56 pm

Hello Sir/Madam,

I am Alexey Sigov, Director of Infopulse Ukraine Ltd
specializes in innovative IT solutions and complex software projects development.

My company based in Ukraine. We've earned ourselves a reputation of a
reliable and trustworthy partner working successfully with a number of
West European companies and providing them with reliable software
development services in financial and media sectors.
Unfortunately we are currently facing some difficulties with receiving
payments for our services. It usually takes us 10-30 days to receive
a payment and clearing from your country and such delays are harmful
to our business. We do not have so much time to accept every wire transfer.

That's why we are currently looking for partners in your country to help
us accept and process these payments faster.
If you are looking for a chance to make an additional profit you can
become our representative in your country. As our representative you will
receive 8% of every deal we conduct. Your job will be accepting funds in
the form of wire transfers and forwarding them to us.
It is not a full-time job, but rather a very convenient and fast way
to receive additional income. We also consider opening an office in your
country in the nearest future and you will then have certain privileges
should you decide to apply for a full-time job. Please if you are
interested in transacting business with us we will be very glad.

Please contact me for more information via email:

and send us the following information about yourself: jobinfopulse@gmail.com

1. Your Full Name as it appears on your resume.
2. Education.
3. Your Contact Address.
4. Telephone/Fax number.
5. Your present Occupation and Position currently held.
6. Your Age

Please respond and we will provide you with additional details on how you
can become our representative. Joining us and starting business today will
cost you nothing and you will be able to earn a bit of extra money fast
and easy. Should you have any questions, please feel free to contact us
with all your questions.

Sincerely,
Alexey Sigov,
Director of Infopulse Ukraine Ltd


Asprox domains: 16/7/08

The following Asprox SQL Injection domains appear to be active today. New ones are in bold.

  • adwnetw.com
  • adpzo.com
  • ausbnr.com
  • brcporb.ru
  • btoperc.ru
  • cdport.eu
  • cdrpoex.com
  • gbradde.tk
  • grtsel.ru
  • korfd.ru
  • movaddw.com
  • tctcow.com
  • usabnr.com
ngg.js still seems to be the name of the script file. Block these sites and/or check your logs.

Tuesday, 15 July 2008

Asprox domains: 15/7/08

Another bunch of Asprox SQL Injection domains, new ones are in bold.

  • adpzo.com
  • adwnetw.com
  • ausbnr.com
  • bkpadd.mobi
  • butdrv.com
  • cdport.eu
  • cdrpoex.com
  • cliprts.com
  • gbradde.tk
  • gbradp.com
  • gitporg.com
  • hdrcom.com
  • loopadd.com
  • movaddw.com
  • nopcls.com
  • porttw.mobi
  • pyttco.com
  • tctcow.com
  • tertad.mobi
  • usabnr.com
These are still using ngg.js in the injected code.

Friday, 11 July 2008

"I'm customer from Singapore.."

If you sell any kind of high-value goods (or even if you have a web site that just mentions them) then you probably get all sorts of fraudulent emails.

One in particular is the "Customer from Singapore" email of which the following is an example.



Subject: special order
From: "Tony Canna"
Date: Fri, July 11, 2008 7:45 am

I'm customer from Singapore ,and I would like to purchase some products from your
company,but before we doing bussines,I need your answers for my questions
below.

1.Do you accept credit card for payment?
2.Do you ship overseas via UPS,DHL or FedEX Service ?

Thanks before for the attentions and we are glad to doing more bussines with
your company.

I look Forward to hearing from you soon.

Best Regards,
Tony Canna



Singapore is a pretty good place to do business with. Crime and corruption are very low, and you could be reasonably certain that business transactions from with Singapore would be 100% legitimate. The problem with this email is that the sender isn't from Singapore at all, but from neighbouring Indonesia as an examination of the mail headers shows. At the risk of offending Indonesian readers.. well.. put it this way - Indonesia is a much more tricky place to do business with.

Another telltale mark of a fraud is the phrase "Special order". I don't know why, but these scammers often like to mark their emails with this. Go figure.

This Indonesian/Singaporean scam is actually quite common, so be cautious about people claiming to be from Singapore, check mail headers carefully and check that the delivery address is a real business or residential address if you can (rather than some warehouse at an airport, for example).

Thursday, 10 July 2008

"Dibag Industries AG" money mule scam

A money mule scam pretending to come from Dibag Industries AG - clearly trying to pass itself off as the wholly legitimate Dibag Industriebau AG who have nothing to do with it.

Of course there is a PayPal Germany and $78,000 a year for an Office Assistant is probably a little on the high side..




Subject: Office Assistant Required - 1500/week

We are a Germany company, we are doing business all over the Europe, our main
activities are real estate investments and digital currencies exchanges.
As a result of expading our business in North American region, our company must keep
up with our American customers accepting the most popular payments in the United
States: Paypal. We are currently seeking an dependable and enthusiastic US
representative to handle the transactions.
Being located in Germany, a transfer via Paypal system sent here can take up to 14
days to arrive, therefore we need a US representative with an US paypal account who
able to accept the payments from our US customers.
This will significantly improve our business, that's why we can pay 5% from every
transfer processed.
Almost anyone is accepted, but a verified paypal account is required, an account
where you will be receiving the transfers.
If you are interested to find more about this position, let me know at:
martin_rohwerder@live.com

Thank you,
Martin Rohwerder
Dibag Industries AG


Asprox domains: 10/7/08

These seem to be the currently active Asprox SQL Injection domains to block or check for. New ones are in bold.

  • adwnetw.com
  • ausadd.com
  • ausbnr.com
  • bnsdrv.com
  • butdrv.com
  • cdrpoex.com
  • crtbond.com
  • destad.mobi
  • destbnp.com
  • drvadw.com
  • gbradw.com
  • loopadd.com
  • movaddw.com
  • nopcls.com
  • porttw.mobi
  • pyttco.com
  • tertad.mobi
  • usaadw.com
  • usabnr.com
No prizes for guessing that Vivids Media GmbH handled the registrations.

Two more new ones as well:

  • bkpadd.mobi
  • tctcow.com

Wednesday, 9 July 2008

ZoneAlarm: "The firewall has blocked Internet access to.."

If you have recently patched your Windows computer with KB951748 and have ZoneAlarm installed then you'll probably find that everything has stopped working with a message similar to:
ZoneAlarm Security Alert
Protected
The firewall has blocked Internet access to whatever.com (0.0.0.0) (HTTP) from your computer (TCP Flags: S)


This is because the Microsoft patch you just applied has made some fairly significant changes to the way your PC looks up internet names (such as web pages, email hosts etc) and ZoneAlarm isn't aware of those changes and is consequently having a panic.

It isn't really a fault with the patch, and given the nature of the change, you can perhaps expect ZoneAlarm not to cope [see note below]. If you really want some more technical background read this article at the Internet Storm Center: Multiple Vendors DNS Spoofing Vulnerability.

As a temporary workaround, the best advice is to deinstall the KB951748 until ZoneAlarm is updated. It is an important update, but you are either going to have to disable ZoneAlarm or remove the patch and at the moment my advice would be to stick with ZoneAlarm.

To remove the patch in Windows XP (Vista will be similar):
  1. Click Start and select Control Panel (or Start.. Settings.. Control Panel depending on your setup).
  2. Open "Add or Remove Programs"
  3. Tick "Show Updates"
  4. Scroll down (probably very near the bottom of the list) to Security Update for Windows XP (KB951748) (Vista may be worded differently, but the key thing to look for is KB951748).
  5. Click Remove
  6. Follow the steps to remove the patch and then reboot
Keep an eye out on the ZoneAlarm Official Announcements forum for updates - hopefully your copy of ZoneAlarm should download a fix for it automatically. When you have downloaded the update for ZoneAlarm, then visit Windows Update and then reapply the patch.

Update 1:
Sandi made the following comment:
It is not necessary to uninstall the patch, or disable/remove Zonealarm. Simply reset the ZoneAlarm database:

http://forum.zonelabs.org/zonelabs/board/message?board.id=cfg&message.id=52727

"To solve this, just reset the ZA database and the ZA will be "fresh" as when it was first installed:


Boot your computer into the Safe Mode
Navigate to the c:\windows\internet logs folder
Delete the backup.rdb, iamdb.rdb, *.ldb and the tvDebug files in the folder
Clean the Recycle Bin
Reboot into the normal mode
ZA will be just like new with no previous settings or data


Once this is finished, reboot back into the normal mode and in the new network found windows, set the new network to Trusted.
Then do this to ensure the ZA is setup properly:

Make sure your DNS and DHCP server IP's are in your Firewall's Trusted zone. Finding DNS and DCHP servers, etc

1. Go to Run and type in command and hit 'ok', and in the command then type in ipconfig /all then press the enter key. In the returned data list will be a line DNS and DHCP Servers with the IP address(s) listed out to the side. Make sure there is a space between the ipconfig and the /all, and the font is the same (no capitals).
2. In ZA on your machine on the Firewall, open the Zones tab, click Add and then select IP Address. Make sure the Zone is set to Trusted. Add the DNS IP(s) .
3. Click OK and Apply. Then do the same for the DHCP server.
4. The localhost (127.0.0.1) must be listed as Trusted.
5. The Generic Host Process (svchost.exe) as seen in the Zone Alarm's Program's list must have server rights for the Trusted Zone.
Plus it must have both Trusted and Internet Access."
Update 2:
ZoneAlarm have a press release with a couple of workarounds here.

Workaround to Sudden Loss of Internet Access Problem

Date Published : 8 July 2008

Date Last Revised : 9 July 2008

Overview : Microsoft Update KB951748 is known to cause loss of internet access for ZoneAlarm users on Windows XP/2000. Windows Vista users are not affected.

Impact : Sudden loss of internet access

Platforms Affected : ZoneAlarm Free, ZoneAlarm Pro, ZoneAlarm AntiVirus, ZoneAlarm Anti-Spyware, and ZoneAlarm Security Suite


Recommended Actions -

Download and install the latest versions which solve the loss of internet access problem here:

  • ZoneAlarm Internet Security Suite
  • ZoneAlarm Pro
  • ZoneAlarm Antivirus
  • ZoneAlarm Anti-Spyware
  • ZoneAlarm Basic Firewall
  • - or follow the directions below.

    Option 1: Move Internet Zone slider to Medium

    1. Navigate to the "ZoneAlarm Firewall" panel
    2. Click on the "Firewall" tab
    3. Move the "Internet Zone" slider to medium

    Option 2: Uninstall the hotfix

    1. Click the "Start Menu"
    2. Click "Control Panel", or click "Settings" then "Control Panel"
    3. Click on "Add or Remove Programs"
    4. On the top of the add/remove programs dialog box, you should see a checkbox that says "show updates". Select this checkbox
    5. Scroll down until you see "Security update for Windows (KB951748)"
    6. Click "Remove" to uninstall the hotfix


    I must say what is kind of annoying about this whole thing is that ZoneAlarm is owned by Checkpoint who will definitely have been in on the whole DNS update issue and could have updated the product in a more timely manner. Many users of ZoneAlarm have been left high and dry because they don't have the technical skills to fix this.

    Asprox domains: 9/7/08

    Another shift in the Asprox SQL Injection domains, still registered with Vivids Media GmbH. As ever, check your logs or block them.

    • adwnetw.com
    • ausadd.com
    • ausbnr.com
    • bnsdrv.com
    • butdrv.com
    • cdrpoex.com
    • cliprts.com
    • crtbond.com
    • destbnp.com
    • drvadw.com
    • gbradp.com
    • gbradw.com
    • hdrcom.com
    • loopadd.com
    • movaddw.com
    • nopcls.com
    • tctcow.com
    • usaadp.com
    • usaadw.com
    • usabnr.com

    "Ban Ki-moon / United Nations" scam


    An almost laughable scam email claiming to be from Ban Ki-moon (the UN's Secretary General) offering to reward victims of scams with $250,000. Of course if you are daft enough to fall for it, then you will soon find that there will be problems that will require up-front fees to be paid etc etc. Note that the reply-to address is actually mrbankimoonun1@sify.com (a free email service provider in India) although the email originated from Google Mail. You can be reasonably assured that Ban Ki-moon does not need to use a free email provider.




    Subject: SCAMMED VICTIM/ US$ 250,000.00 BENEFICIARY.REF/PAYMENTS CODE:078654
    From: "info@unitednation.org"
    Date: Wed, July 9, 2008 12:44 pm

    ZENITH BANK COMPENSATION UNIT, IN AFFILIATION WITH THE UNITED
    NATION. Send acopy of your response to official email:
    zenithba_nkplc19_51@hotmail.com
    ATTN:Sir/Madam,

    How are you today? Hope all is well with you and family?,You may not
    understand why this mail came to you.

    We have been having a meeting for the passed 7 months which ended 2 days ago
    with the then secretary to the United Nations

    This email is to all the people that have been scammed in any part of the
    world, the United Nations have agreed to compensate them with the sum of US$
    250,000.00
    (Two Hundred and Fifty Thousand United States Dollars)This includes every
    foriegn contractors that may have not received their contract sum, and
    people that have had an unfinished transaction or international businesses
    that failed due to
    Government problems etc.

    Your name and email was in the list submitted by our Monitoring Team of
    Economic and Financial Crime Commission observers and this is why we are
    contacting you, this have been agreed upon and have been signed.

    You are advised to contact Mr. Jim Ovia of ZENITH BANK NIGERIA PLC, as he is
    our representative in Nigeria, contact him immediately for your Cheque/
    International Bank Draft of USD$ 250,000.00 (Two Hundred and Fifty
    Thousand United
    States Dollars) This funds are in a Bank Draft for security purpose ok? so
    he will send it to you and you can clear it in any bank of your choice.

    Therefore, you should send him your full Name and telephone number/your
    correct mailing address where you want him to send the Draft to you.

    Contact Mr. Jim Ovia immediately for your Cheque:

    Person to Contact Mr. Jim Ovia
    Telephone No: +234_8064109875.
    Email: zenithba_nkplc19_51@hotmail.com

    Goodluck and kind regards,


    Mr. Ban Ki Moon
    Secretary (UNITED NATIONS).
    Making the world a better place


    Monday, 7 July 2008

    Who are Vivids Media GmbH?

    If you have been tracking the latest round of SQL Injection domains, then you might be familiar with the name Vivids Media GMBH as being the current registrar of choice.

    The odd thing is that Vivids Media GmbH doesn't appear to have a web site or any traceable contact details. However, most of the domain registrations have a contact telephone number in Berlin of +49.3094413291 and some searching around gives this page with what looks like the correct contact details of:

    Name: Vivids Media GmbH
    Email Address: support@klikdomains.com
    Address: Leege-Gr str. 41
    City: Berlin
    Zip: 13055
    Country : Germany
    Tel No.: +49.3094413291
    That indicates that Vivid Media GmbH is related to klikdomains.com and therefore klikvip.com which are part of another company that claims to be in Berlin, Klik Media GmbH (some of the alleged goings on of this company are mentioned here). A short step away from Klik are a whole set of domains registered via Estdomains (a familiar name to many) and things start to get seedy from there.

    There's no evidence that Vivid Media GmbH is directly invovled in anything bad - in fact there is barely any evidence that Vivid Media GmbH actually exists at all. Spammers and other bad guys do have a knack of finding registrars who are slow at terminating their accounts, so let's be charitable and say that Vivids Media are just understaffed in their abuse department.

    The problem is that if you want to contact Vivids Media, then it seems to be very difficult. Their website is 56823.myorderbox.com which is a sort of white label domain registrar site. Myorderbox.com seems to be based in India, and looks to be a reseller of ResellerClub which in turns registers names through PublicDomainRegistry.com.

    Complicated? Well, yes.. but ultimately PublicDomainRegistry.com are the registrar and it turns out that there is some light at the end of the tunnel. You will find that most of the domains used in these SQL Injection attacks have false WHOIS data, and you can report false WHOIS data here. Hopefully then the domain will be suspended.. not that it really matters too much because the bad guys will just register some more.

    So the answer to the question "who are Vivids Media GmbH?" is "I don't know" but for most practical puporses you wouldn't need to deal with them if complaining about one of these domains, go to the registrar and report it there.

    Asprox domains: 7/7/08 and another SQL Injection mitigation article

    Another batch of Asprox domains are active today - it also seems that those from 3rd July are still running too. I advise that you check your logs for these or block them:

    • adbtch.com
    • aladbnr.com
    • allocbn.mobi
    • adwadb.mobi
    • apidad.com
    • appdad.com
    • asodbr.com
    • asslad.com
    • blcadw.com
    • blockkd.com
    • bnradd.mobi
    • bnrbase.com
    • bnrbasead.com
    • bnrbtch.com
    • browsad.com
    • brsadd.com
    • canclvr.com
    • catdbw.mobi
    • clrbbd.com
    • dbgbron.com
    • ktrcom.com
    • loctenv.com
    • lokriet.com
    • mainadt.com
    • mainbvd.com
    • portadrd.com
    • portwbr.com
    • stiwdd.com
    • ucomddv.com
    • upcomd.com
    If you're looking at ways of protecting your server against these SQL injection attacks, then Sophos has a blog entry called Avoiding SQL injection attacks which looks like a good starting point.

    Thursday, 3 July 2008

    Asprox domains: 3/7/08 and ngg.js

    The Asprox domains used in the current round of SQL Injection attacks have shifted again, the ones to check for or block are:

    • adwadb.mobi
    • allocbn.mobi
    • canclvr.com
    • catdbw.mobi
    • ktrcom.com
    • lokriet.com
    • mainbvd.com
    • portwbr.com
    • stiwdd.com
    • testwvr.com
    • upcomd.com
    • ucomddv.com
    The malicious javascript file has also changed to ngg.js (usually it is b.js or m.js or similar). If you're using Google Alerts or similar to monitor your own site or sites of interest, you might want to change the search string to something like "script src=http:" .js site:oceanic-air.com (replace the domain name with the site you want to monitor).

    Wednesday, 2 July 2008

    Asprox domains: 2/7/08

    These seem to be the currently active domains used in the Asprox SQL Injection attack. Registrar of choice at the moment is Vivids Media GMBH (if they really exist) via Directi Internet Solutions (publicdomainregistry.com).

    • adupd.mobi
    • adwste.mobi
    • bnrupdate.mobi
    • cntrl62.com
    • config73.com
    • cont67.com
    • csl24.com
    • debug73.com
    • default37.com
    • get49.net
    • pid72.com
    • pid76.net
    • web923.com

    Best advice to to block access to these sites and check your logs.

    Monday, 30 June 2008

    "Royal Alliance Financial Investment" scam

    A slightly strange scam from some outfit pretending to be "Royal Alliance Financial Investment" offering a low-cost loan. The initial email does not ask for much in the way of personal data, presumably that comes as the next step.

    There is no such company as "Royal Alliance Financial Investment" in the UK. Originating IP is 196.216.69.54 which is allocated to Swift Global Kenya Limited in Nairobi. Finance companies do not generally use free email accounts to solicit business, and the address is clearly wrong. Avoid.




    From: "Royal Alliance Financial Investment"
    Date: Mon, June 30, 2008 3:43 pm


    Royal Alliance Financial Investment
    (Financial Aid Professionals)
    Contant Address:85 Fleet Street.
    London EC4Y 1AE.
    Manchester United Kingdom.


    Are you searching for a Genuine loan? at an affordable interest rate ?
    processed within 4 to 6 working days. Have you been turned down constantly
    by your Banks and other financial institutions? The goodnews is here !!!

    Welcome to Royal Alliance Financial Investment,interest rate at 3%.It
    gladdens our
    hearts to bring to your notice that we offer all kinds of loan to any
    part of the world.Being a licensed and registered company under the
    finance ministry here in the United Kingdom we make available to customers
    legitimate loan offers that are quick and affordable with interest rate at
    a mere 3%.

    Our Packages include:*Home Loan *Auto Loan*Mortgage Loan*Business
    Loan*International Loan*Personal Loan*And Much More.

    Please if you are delighted and interested in our financial offer,Do not
    hesitate to contact us if in need of our service as you will be required
    to furnish us with the following details to commence with the process of
    your loan sum accordingly

    1st INFORMATIONS NEEDED ARE

    First Name:___________________________
    Last Name:____________________________
    Gender:_______________________________
    Marital status:_______________________
    Contact Address:______________________
    City/Zip code:________________________
    Country:______________________________
    Date of Birth:________________________
    Amount Needed as Loan:________________
    Loan Duration:________________________
    Monthly Income/Yearly Income:_________
    Occupation:___________________________
    Business name:________________________
    Purpose for Loan:_____________________
    Phone:________________________________
    Fax:__________________________________


    Thanks For Your Patronage!


    'Your Business Is Our Blessing'

    Mr,Jerry Mccarthy,
    London Operations Manager,
    Contant Address:85 Fleet Street.
    London EC4Y 1AE.
    Manchester United Kingdom.
    Email:royalalliance.finance02@gmail.com
    visit.royalalliance@gmail.com



    Asprox: new domains including .mobi

    Another set of domains used in the Asprox SQL Injection attack: bnrupdate.mobi, adwste.mobi, adupd.mobi, hlpgetw.com, hdadwcd.com, rid34.com, adwsupp.com,supbnr.com, suppadw.com, dl251.com, aspx49.com, kadport.com, tid62.com, and batch29.com.

    It's the first time that I've seen .mobi used in this way. Blocking access to all .mobi domains will probably do little harm.

    Thursday, 26 June 2008

    Asprox: list of domains and mitigation steps

    The folks over at Bloombit Software have a useful article called ASCII Encoded/Binary String Automated SQL Injection Attack which explains some of the technical details behind these attacks and also has another list of domains serving up malware which is useful to keep an eye on.

    Asprox: app52.com, aspssl63.com, update34.com, appid37.com, asp707.com, westpacsecuresite.com

    Another bunch of domains coming up in the latest batch of Asprox SQL Injection attacks: app52.com, aspssl63.com, update34.com, appid37.com, asp707.com, westpacsecuresite.com - check your logs for these.

    Wednesday, 25 June 2008

    Microsoft Security Advisory (954462) - Rise in SQL Injection Attacks Exploiting Unverified User Data Input

    A timely advisory from Microsoft on SQL Injection attacks plus some tools to help secure your setup are available on KB954462 with more information here and ISC's commentary here.

    Of particular interest is the free Scrawlr tool available from HP. That could be a useful way to see if your server is vulnerable before the bad guys find it,

    Monday, 23 June 2008

    Motorola MOTOZINE ZN5

    Former Moto fans such as myself have waited ages for a truly decent handset to come out from Motorola.

    The Motorola ZINE ZN5 certainly has an impressive looking camera.. but the problem is that the rest of the phone is pretty unimpressive.

    Motorola's woes have been well documented, but this certainly does look like Motorola's last chance. And it looks like the ZN5 is not really up to the task..

    ISC: SQL Injection mitigation in ASP

    If you're trying to secure your SQL server against the latest round of injection attacks, then check out this item from the Internet Storm Center, which gives some pointers on how to secure you database with ASP.

    It probably makes much more sense to an SQL development than to me.. but the important point is that just cleaning up the injection attack is not enough - you also need to prevent it from happening again by securing your SQL server. And I'm afraid that probably involves spending some time and money..

    SQL Injection: bnradw.com

    Another SQL Injection domain to block or watch out for in your logs - bnradw.com.

    Other than that, the bad guys seem to have been quiet for a couple of days, however it does look like they've managed to exploit 3 million or so pages (according to Yahoo!) so it could just be that they are very busy.

    Friday, 20 June 2008

    List of SQL Injection domains

    My postings here about SQL injected domains are a bit ad-hoc, but Shadowserver also have a pretty up-to-date list if you're looking at blocking them.

    Quite a lot of these domains are .cn (China). You might want to consider completely blocking access to .cn, but if you only have basic filtering then you might find yourself blocking things like www.cnn.com too (that took some diagnosing followed by a "d'oh!).

    SQL injection: pingadw.com, alzhead.com, pingbnr.com, coldwop.com, adwbnr.com, bnrcntrl.com, chinabnr.com

    More SQL Injection domains, this time pingadw.com, alzhead.com, pingbnr.com, coldwop.com, adwbnr.com, bnrcntrl.com and chinabnr.com. Probably a good idea to check your logs and/or block access to these sites.

    No change in the method of attack, and the cleanup of SQL servers is proceeding pretty slowly. It's clear that some sites are not going to be fixed any time soon, so if you see a site that hasn't been secured then perhaps a complaint to their web host might help.

    Thursday, 19 June 2008

    msmvps.com, msinfluentials.com and Spyware Sucks offline

    I'm a regular reader of Spyware Sucks and was surprised to see that it had been offline for a few days. It turns out that the server that runs the msmvps.com blogging service (used by main Microsoft specialists) got infected with this nasty.

    The Google cache of the SBS Diva Blog throws up this information:

    In getting ready for the upgrade to CS 2008 I was trying to make some special backups... that wouldn't work. Well in digging into the matter more, that' service that is missing some files which is causing the peer to peer backups between Brianna and Yoda to fail.. isn't a real service at all.

    http://www.sophos.com/security/analyses/viruses-and-spyware/w32rbotgos.html

    We have backups so first thing tomorrow morning I'll be calling PSS Security to, more than anything else find out the "how" this happened.

    Bottom line we got a critter on the box and I didn't (intentially anyway) put it there.

    And to check to see if Yoda should be quarantened (aka web server turned off) to protect web visitors as well. So if the blog goes off the air a bit we're just doing it to better protect viewers.


    and

    In looking at the log files and event logs of Yoda, I'm not liking what I'm seeing... so the blog site at www.msmvps.com and www.msinfluentials.com will be offline starting at 7p.m. Pacific possibly until Friday.

    Apologies for the inconvenience to all the bloggers on the site and we'll get back online as soon as we can.

    Microsoft recommends that any systems found to be compromised or suspected of being compromised be formatted and re-installed from a known good build (i.e. operating system CD + all security patches while disconnected from the network). CERT has a good web site that provides information on recovering from security incidents located at: http://www.cert.org/nav/recovering.html
    Oh well.. it can happen to anyone.

    Wednesday, 18 June 2008

    HTM Hell

    One feature of these recent SQL Injection attacks is that the same sites will get repeatedly hit. So an infected site might have any number of malware-laded domains injected into the code. Click the image below to see a snippet from a really badly infected site.


    The interesting thing about these attacks is that they are not very reliable. It's perfectly possible to visit an infected site and have the javascript fail to load because that particular node of the fast flux botnet is offline - but where there are several calls to several different domains, then the likelihood of infection is much greater. The upside is that any sharp-eyed user should notice something odd with these badly infected pages.

    chkadw.com

    The latest domain in the SQL Injection attacks is chkadw.com (i.e. pointing to www.chkadw.com/b.js). Domain is registered to a (probably fake) Chinese contact through a Chinese registrar. Delivery mechanism and payload seem to be identical to the latest attacks.

    Tuesday, 17 June 2008

    Yet more SQL injection domains

    Keep an eye out for datajto.com, dbdomaine.com, upgradead.com, clsiduser.com, clickbnr.com, bnrcntrl.com, domaincld.com, jetdbs.com, updatead.com, all pointing to b.js (e.g. www.dbdomaine.com/b.js) - all forming part of the latest SQL injection attack.

    Registrar is VIVIDS MEDIA GMBH - let's see if they clean up their act.

    If you're in tech support, check your outbound logs for connections to these domains. If you're an end user then I'd recommend Firefox with Noscript as a good way to protects youself.

    Friday, 13 June 2008

    One to watch: js.users.51.la

    What the heck is js.users.51.la? In fact, where the heck is .la anyway? And why am I asking?

    As I've mentioned before, there are possibly two gangs carrying out the current round of SQL Injection attacks, one possibly based in China and one based in Russia. Their techniques are very similar, but the seem to have distinct differences.

    js.users.51.la appears in many of the "Chinese" exploits - 51.la itself appears to be a legitimate web counter site. Presumably part of the bad guys' statistical tracking system the js.users.51.la domain is combined with what appears to be a randomly named .js file.

    This doesn't appear to be a malware site in itself, but it could be a useful thing to look for in your proxy logs as it may well help track down machines that have visited infected sites. Either search for js.users.51.la or perhaps just 51.la as part of your normal audit process.

    Where is .la? Officially it is Laos, but the TLD is also being punted as "Los Angeles" by www.la. No clue there, but the fact that all the signups for 51.la are in Chinese really does indicate that there's a Chinese connection here.

    advabnr.com and adsitelo.com

    SQL injection time again, this time with two new domains advabnr.com and adsitelo.com both loading a script called b.js (i.e. advabnr.com/b.js and adsitelo.com/b.js)

    This is turning up on sites that have already been infected with other SQL injection attacks. The good news is that the new attacks seem to be smaller, indicating that people really are managing to secure their web servers.

    Some notable infected sites (many of these have been cleaned up).

    adsitelo.com
    • bioimmune.com - BioImmune Inc (Health)
    • immuquest.com - Health
    • eyemdlink.com - Health
    • tandberg.com - Tandberg (Electronics)
    • techsol.com - Technology Solutions Company (ERP services)
    • pollingcompany.com - The Polling Company (Market Research)
    • spjc.edu - St Petersburg College
    • judge.com - The Judge Group (jobs)

    advabnr.com
    • ibs.com - IBS, Inc (IT Services)
    • outsourcingcentral.com - Business information
    • mintek.com - Mintek Mobile Data Solutions
    • engcen.com - Engineering jobs
    • micronet.com - Digital storage
    If you're searching for these domains yourself, I recommend using Yahoo! and Google as they give different results. Of course, these sites contain live malware so approach with caution.

    Thursday, 12 June 2008

    bigadnet.com - lastest SQL injection domain

    A continuation of the latest wave of SQL Injection attacks is bigadnet.com - many sites infected with "older" attacks have been "upgraded" to bigadnet.net. The inserted code to look for is www.bigadnet.com/b.js which then forwards to bigadnet.com/cgi-bin/index.cgi?ad - this in turn seems to be able to deliver a variety of malware.

    bigadnet.com is running on a fast flux botnet, so it's highly distributed and resilient but not very reliable at actually delivering a payload.

    Tuesday, 10 June 2008

    UK Goverment sites hit by SQL Injection attacks

    Do you trust the government with your personal data? A look at some recent national and local government sites that have been compromised with SQL injection attacks might make you think again.

    • fco.gov.uk - Foreign and Commonwealth Office
    • dfes.gov.uk - Department for Children, Schools and Families
    • harrow.gov.uk - Harrow Council
    • cwic.cornwall.gov.uk - Cornwall County Council
    • cityoflondon.gov.uk - City of London
    • corpoflondon.gov.uk - City of London
    • nottinghamcity.gov.uk - Nottingham City Council
    • relocateleicester-shire.gov.uk - Leicetershire County Council
    • gos.gov.uk - Government Office Network
    • lda.gov.uk - London Development Agency
    • uktradeinvest.gov.uk - UK Trade & Investment
    • dcalni.gov.uk - Northern Ireland leisure and tourism
    • colchester.gov.uk - Colchester Borough Council
    • countryside.wales.gov.uk - Welsh assembly
    • cefngwlad.cymru.gov.uk - Welsh assembly
    • broadband.cymru.gov.uk - Welsh assembly
    • wmra.gov.uk - West Midlands Regional Assembly
    • wmlga.gov.uk - West Midlands Local Government Association
    • wycombe.gov.uk - Wycombe District Council
    • southshropshire.gov.uk - South Shropshire District Council
    • businesslink.gov.uk - Business Development
    • shetland.gov.uk - Shetland Council
    • unlockingessex.essexcc.gov.uk - Essex County Council
    • southshropshire.gov.uk - South Shropshire District Council
    • e-petitions.kingston.gov.uk - Kingston Borough Council
    • clevelandfire.gov.uk - Cleveland Fire & Rescue
    • surreyheath.gov.uk - Surrey Heath Council
    • rbkc.giv.uk - Royal Borough of Kensington and Chelsea
    • conwy.gov.uk - Conwy County Council
    These are some example searches that show the problem (note that the search results will change over time, and the results themselves may lead to malware). Yahoo! examples: 1 2 3 4 5; Google examples: 1 2 3 4

    Widen the search to sites containing .gov with a "b.js" exploit in (the most common), and you can see that government sites all over the world have been compromised, with Yahoo! estimating 11,000 infected pages. Think about it.. these should be trusted sites, but clearly they are not safe. Remember: there is no such thing as a trusted site anymore.

    SQL Injection: advertbnr.com, logid83.com, script46.com, rexec39.com

    Another batch of domains being used in SQL Injection attacks: advertbnr.com, logid83.com, script46.com, rexec39.com. Sanitize your inputs.

    It looks like a lot of recent domains have been suspended by their registrar, some of the recent domains are with Xin Net who have been spam-friendly in the past, but may be cleaning up their act.

    Google indicates that around 668,000 web pages are infected, but a search at Yahoo! shows around 3,000,000 infected pages which is probably more accurate.

    Monday, 9 June 2008

    Apple iPhone 3G



    After lots and lots of rumours, the Apple iPhone 3G is finally here. It adds UMTS and HSDPA (3.5G), plus GPS and mapping. There's a new software platform, plus a number of other enhancements. But, really it's a bit disappointing.. the camera is still poor and you can't take out the battery.. and the 480 x 320 pixel display is so last year..

    One surprising thing is that the iPhone will ship to 70 countries from July onwards. They've managed to do all that while keeping the iPhone 3G very quiet indeed.

    Oh well, perhaps the iPhone 3 will finally be the one that fits in everything but the kitchen sink!

    SQL Injection: sslnet72.com, encode72.com, bannerupd.com, err68.com, cookieadw.com

    Another batch of domains showing up in SQL injected are sslnet72.com, encode72.com, bannerupd.com, err68.com, cookieadw.com.

    Some notable compromised sites:

    • ise.ie - Irish Stock Exchange
    • pittsfield-ma.org - City of Pittsfield
    • corangamite.vic.gov.au - Corangamite Shire, Victoria
    • fdc.org.br - Brazilian government agency
    • dailyu.com - Local newspaper
    • www.humanrightsfirst.org - Campaigning organisation
    • therecruitbusiness.com - Recruiting
    • corporate-responsibility.org - Business information
    • childcarefinancialaid.org - Financial information
    • micronet.com - Computer storage
    • tairawhiti.ac.nz - Tairawhiti Polytechnic, New Zealand
    The payload at the moment is undertermined, and some of these sites will have been cleaned up. At the time of writing, Irish Stock Exchange at ise.ie is still compromised.