- adwnetw.com
- ausadd.com
- ausbnr.com
- bnsdrv.com
- butdrv.com
- cdrpoex.com
- cliprts.com
- crtbond.com
- destbnp.com
- drvadw.com
- gbradp.com
- gbradw.com
- hdrcom.com
- loopadd.com
- movaddw.com
- nopcls.com
- tctcow.com
- usaadp.com
- usaadw.com
- usabnr.com
Sponsored by..
Wednesday 9 July 2008
Asprox domains: 9/7/08
Another shift in the Asprox SQL Injection domains, still registered with Vivids Media GmbH. As ever, check your logs or block them.
"Ban Ki-moon / United Nations" scam
An almost laughable scam email claiming to be from Ban Ki-moon (the UN's Secretary General) offering to reward victims of scams with $250,000. Of course if you are daft enough to fall for it, then you will soon find that there will be problems that will require up-front fees to be paid etc etc. Note that the reply-to address is actually mrbankimoonun1@sify.com (a free email service provider in India) although the email originated from Google Mail. You can be reasonably assured that Ban Ki-moon does not need to use a free email provider.
Subject: SCAMMED VICTIM/ US$ 250,000.00 BENEFICIARY.REF/PAYMENTS CODE:078654
From: "info@unitednation.org"
Date: Wed, July 9, 2008 12:44 pm
ZENITH BANK COMPENSATION UNIT, IN AFFILIATION WITH THE UNITED
NATION. Send acopy of your response to official email:
zenithba_nkplc19_51@hotmail.com
ATTN:Sir/Madam,
How are you today? Hope all is well with you and family?,You may not
understand why this mail came to you.
We have been having a meeting for the passed 7 months which ended 2 days ago
with the then secretary to the United Nations
This email is to all the people that have been scammed in any part of the
world, the United Nations have agreed to compensate them with the sum of US$
250,000.00
(Two Hundred and Fifty Thousand United States Dollars)This includes every
foriegn contractors that may have not received their contract sum, and
people that have had an unfinished transaction or international businesses
that failed due to
Government problems etc.
Your name and email was in the list submitted by our Monitoring Team of
Economic and Financial Crime Commission observers and this is why we are
contacting you, this have been agreed upon and have been signed.
You are advised to contact Mr. Jim Ovia of ZENITH BANK NIGERIA PLC, as he is
our representative in Nigeria, contact him immediately for your Cheque/
International Bank Draft of USD$ 250,000.00 (Two Hundred and Fifty
Thousand United
States Dollars) This funds are in a Bank Draft for security purpose ok? so
he will send it to you and you can clear it in any bank of your choice.
Therefore, you should send him your full Name and telephone number/your
correct mailing address where you want him to send the Draft to you.
Contact Mr. Jim Ovia immediately for your Cheque:
Person to Contact Mr. Jim Ovia
Telephone No: +234_8064109875.
Email: zenithba_nkplc19_51@hotmail.com
Goodluck and kind regards,
Mr. Ban Ki Moon
Secretary (UNITED NATIONS).
Making the world a better place
Monday 7 July 2008
Who are Vivids Media GmbH?
If you have been tracking the latest round of SQL Injection domains, then you might be familiar with the name Vivids Media GMBH as being the current registrar of choice.
The odd thing is that Vivids Media GmbH doesn't appear to have a web site or any traceable contact details. However, most of the domain registrations have a contact telephone number in Berlin of +49.3094413291 and some searching around gives this page with what looks like the correct contact details of:
There's no evidence that Vivid Media GmbH is directly invovled in anything bad - in fact there is barely any evidence that Vivid Media GmbH actually exists at all. Spammers and other bad guys do have a knack of finding registrars who are slow at terminating their accounts, so let's be charitable and say that Vivids Media are just understaffed in their abuse department.
The problem is that if you want to contact Vivids Media, then it seems to be very difficult. Their website is 56823.myorderbox.com which is a sort of white label domain registrar site. Myorderbox.com seems to be based in India, and looks to be a reseller of ResellerClub which in turns registers names through PublicDomainRegistry.com.
Complicated? Well, yes.. but ultimately PublicDomainRegistry.com are the registrar and it turns out that there is some light at the end of the tunnel. You will find that most of the domains used in these SQL Injection attacks have false WHOIS data, and you can report false WHOIS data here. Hopefully then the domain will be suspended.. not that it really matters too much because the bad guys will just register some more.
So the answer to the question "who are Vivids Media GmbH?" is "I don't know" but for most practical puporses you wouldn't need to deal with them if complaining about one of these domains, go to the registrar and report it there.
The odd thing is that Vivids Media GmbH doesn't appear to have a web site or any traceable contact details. However, most of the domain registrations have a contact telephone number in Berlin of +49.3094413291 and some searching around gives this page with what looks like the correct contact details of:
Name: Vivids Media GmbHThat indicates that Vivid Media GmbH is related to klikdomains.com and therefore klikvip.com which are part of another company that claims to be in Berlin, Klik Media GmbH (some of the alleged goings on of this company are mentioned here). A short step away from Klik are a whole set of domains registered via Estdomains (a familiar name to many) and things start to get seedy from there.
Email Address: support@klikdomains.com
Address: Leege-Gr str. 41
City: Berlin
Zip: 13055
Country : Germany
Tel No.: +49.3094413291
There's no evidence that Vivid Media GmbH is directly invovled in anything bad - in fact there is barely any evidence that Vivid Media GmbH actually exists at all. Spammers and other bad guys do have a knack of finding registrars who are slow at terminating their accounts, so let's be charitable and say that Vivids Media are just understaffed in their abuse department.
The problem is that if you want to contact Vivids Media, then it seems to be very difficult. Their website is 56823.myorderbox.com which is a sort of white label domain registrar site. Myorderbox.com seems to be based in India, and looks to be a reseller of ResellerClub which in turns registers names through PublicDomainRegistry.com.
Complicated? Well, yes.. but ultimately PublicDomainRegistry.com are the registrar and it turns out that there is some light at the end of the tunnel. You will find that most of the domains used in these SQL Injection attacks have false WHOIS data, and you can report false WHOIS data here. Hopefully then the domain will be suspended.. not that it really matters too much because the bad guys will just register some more.
So the answer to the question "who are Vivids Media GmbH?" is "I don't know" but for most practical puporses you wouldn't need to deal with them if complaining about one of these domains, go to the registrar and report it there.
Asprox domains: 7/7/08 and another SQL Injection mitigation article
Another batch of Asprox domains are active today - it also seems that those from 3rd July are still running too. I advise that you check your logs for these or block them:
- adbtch.com
- aladbnr.com
- allocbn.mobi
- adwadb.mobi
- apidad.com
- appdad.com
- asodbr.com
- asslad.com
- blcadw.com
- blockkd.com
- bnradd.mobi
- bnrbase.com
- bnrbasead.com
- bnrbtch.com
- browsad.com
- brsadd.com
- canclvr.com
- catdbw.mobi
- clrbbd.com
- dbgbron.com
- ktrcom.com
- loctenv.com
- lokriet.com
- mainadt.com
- mainbvd.com
- portadrd.com
- portwbr.com
- stiwdd.com
- ucomddv.com
- upcomd.com
Thursday 3 July 2008
Asprox domains: 3/7/08 and ngg.js
The Asprox domains used in the current round of SQL Injection attacks have shifted again, the ones to check for or block are:
- adwadb.mobi
- allocbn.mobi
- canclvr.com
- catdbw.mobi
- ktrcom.com
- lokriet.com
- mainbvd.com
- portwbr.com
- stiwdd.com
- testwvr.com
- upcomd.com
- ucomddv.com
Wednesday 2 July 2008
Asprox domains: 2/7/08
These seem to be the currently active domains used in the Asprox SQL Injection attack. Registrar of choice at the moment is Vivids Media GMBH (if they really exist) via Directi Internet Solutions (publicdomainregistry.com).
Best advice to to block access to these sites and check your logs.
- adupd.mobi
- adwste.mobi
- bnrupdate.mobi
- cntrl62.com
- config73.com
- cont67.com
- csl24.com
- debug73.com
- default37.com
- get49.net
- pid72.com
- pid76.net
- web923.com
Best advice to to block access to these sites and check your logs.
Monday 30 June 2008
"Royal Alliance Financial Investment" scam
A slightly strange scam from some outfit pretending to be "Royal Alliance Financial Investment" offering a low-cost loan. The initial email does not ask for much in the way of personal data, presumably that comes as the next step.
There is no such company as "Royal Alliance Financial Investment" in the UK. Originating IP is 196.216.69.54 which is allocated to Swift Global Kenya Limited in Nairobi. Finance companies do not generally use free email accounts to solicit business, and the address is clearly wrong. Avoid.
From: "Royal Alliance Financial Investment"
Date: Mon, June 30, 2008 3:43 pm
Royal Alliance Financial Investment
(Financial Aid Professionals)
Contant Address:85 Fleet Street.
London EC4Y 1AE.
Manchester United Kingdom.
Are you searching for a Genuine loan? at an affordable interest rate ?
processed within 4 to 6 working days. Have you been turned down constantly
by your Banks and other financial institutions? The goodnews is here !!!
Welcome to Royal Alliance Financial Investment,interest rate at 3%.It
gladdens our
hearts to bring to your notice that we offer all kinds of loan to any
part of the world.Being a licensed and registered company under the
finance ministry here in the United Kingdom we make available to customers
legitimate loan offers that are quick and affordable with interest rate at
a mere 3%.
Our Packages include:*Home Loan *Auto Loan*Mortgage Loan*Business
Loan*International Loan*Personal Loan*And Much More.
Please if you are delighted and interested in our financial offer,Do not
hesitate to contact us if in need of our service as you will be required
to furnish us with the following details to commence with the process of
your loan sum accordingly
1st INFORMATIONS NEEDED ARE
First Name:___________________________
Last Name:____________________________
Gender:_______________________________
Marital status:_______________________
Contact Address:______________________
City/Zip code:________________________
Country:______________________________
Date of Birth:________________________
Amount Needed as Loan:________________
Loan Duration:________________________
Monthly Income/Yearly Income:_________
Occupation:___________________________
Business name:________________________
Purpose for Loan:_____________________
Phone:________________________________
Fax:__________________________________
Thanks For Your Patronage!
'Your Business Is Our Blessing'
Mr,Jerry Mccarthy,
London Operations Manager,
Contant Address:85 Fleet Street.
London EC4Y 1AE.
Manchester United Kingdom.
Email:royalalliance.finance02@gmail.com
visit.royalalliance@gmail.com
There is no such company as "Royal Alliance Financial Investment" in the UK. Originating IP is 196.216.69.54 which is allocated to Swift Global Kenya Limited in Nairobi. Finance companies do not generally use free email accounts to solicit business, and the address is clearly wrong. Avoid.
From: "Royal Alliance Financial Investment"
Date: Mon, June 30, 2008 3:43 pm
Royal Alliance Financial Investment
(Financial Aid Professionals)
Contant Address:85 Fleet Street.
London EC4Y 1AE.
Manchester United Kingdom.
Are you searching for a Genuine loan? at an affordable interest rate ?
processed within 4 to 6 working days. Have you been turned down constantly
by your Banks and other financial institutions? The goodnews is here !!!
Welcome to Royal Alliance Financial Investment,interest rate at 3%.It
gladdens our
hearts to bring to your notice that we offer all kinds of loan to any
part of the world.Being a licensed and registered company under the
finance ministry here in the United Kingdom we make available to customers
legitimate loan offers that are quick and affordable with interest rate at
a mere 3%.
Our Packages include:*Home Loan *Auto Loan*Mortgage Loan*Business
Loan*International Loan*Personal Loan*And Much More.
Please if you are delighted and interested in our financial offer,Do not
hesitate to contact us if in need of our service as you will be required
to furnish us with the following details to commence with the process of
your loan sum accordingly
1st INFORMATIONS NEEDED ARE
First Name:___________________________
Last Name:____________________________
Gender:_______________________________
Marital status:_______________________
Contact Address:______________________
City/Zip code:________________________
Country:______________________________
Date of Birth:________________________
Amount Needed as Loan:________________
Loan Duration:________________________
Monthly Income/Yearly Income:_________
Occupation:___________________________
Business name:________________________
Purpose for Loan:_____________________
Phone:________________________________
Fax:__________________________________
Thanks For Your Patronage!
'Your Business Is Our Blessing'
Mr,Jerry Mccarthy,
London Operations Manager,
Contant Address:85 Fleet Street.
London EC4Y 1AE.
Manchester United Kingdom.
Email:royalalliance.finance02@gmail.com
visit.royalalliance@gmail.com
Asprox: new domains including .mobi
Another set of domains used in the Asprox SQL Injection attack: bnrupdate.mobi, adwste.mobi, adupd.mobi, hlpgetw.com, hdadwcd.com, rid34.com, adwsupp.com,supbnr.com, suppadw.com, dl251.com, aspx49.com, kadport.com, tid62.com, and batch29.com.
It's the first time that I've seen .mobi used in this way. Blocking access to all .mobi domains will probably do little harm.
It's the first time that I've seen .mobi used in this way. Blocking access to all .mobi domains will probably do little harm.
Thursday 26 June 2008
Asprox: list of domains and mitigation steps
The folks over at Bloombit Software have a useful article called ASCII Encoded/Binary String Automated SQL Injection Attack which explains some of the technical details behind these attacks and also has another list of domains serving up malware which is useful to keep an eye on.
Asprox: app52.com, aspssl63.com, update34.com, appid37.com, asp707.com, westpacsecuresite.com
Another bunch of domains coming up in the latest batch of Asprox SQL Injection attacks: app52.com, aspssl63.com, update34.com, appid37.com, asp707.com, westpacsecuresite.com - check your logs for these.
Wednesday 25 June 2008
Microsoft Security Advisory (954462) - Rise in SQL Injection Attacks Exploiting Unverified User Data Input
A timely advisory from Microsoft on SQL Injection attacks plus some tools to help secure your setup are available on KB954462 with more information here and ISC's commentary here.
Of particular interest is the free Scrawlr tool available from HP. That could be a useful way to see if your server is vulnerable before the bad guys find it,
Of particular interest is the free Scrawlr tool available from HP. That could be a useful way to see if your server is vulnerable before the bad guys find it,
Monday 23 June 2008
Motorola MOTOZINE ZN5
Former Moto fans such as myself have waited ages for a truly decent handset to come out from Motorola.The Motorola ZINE ZN5 certainly has an impressive looking camera.. but the problem is that the rest of the phone is pretty unimpressive.
Motorola's woes have been well documented, but this certainly does look like Motorola's last chance. And it looks like the ZN5 is not really up to the task..
ISC: SQL Injection mitigation in ASP
If you're trying to secure your SQL server against the latest round of injection attacks, then check out this item from the Internet Storm Center, which gives some pointers on how to secure you database with ASP.
It probably makes much more sense to an SQL development than to me.. but the important point is that just cleaning up the injection attack is not enough - you also need to prevent it from happening again by securing your SQL server. And I'm afraid that probably involves spending some time and money..
It probably makes much more sense to an SQL development than to me.. but the important point is that just cleaning up the injection attack is not enough - you also need to prevent it from happening again by securing your SQL server. And I'm afraid that probably involves spending some time and money..
SQL Injection: bnradw.com
Another SQL Injection domain to block or watch out for in your logs - bnradw.com.
Other than that, the bad guys seem to have been quiet for a couple of days, however it does look like they've managed to exploit 3 million or so pages (according to Yahoo!) so it could just be that they are very busy.
Other than that, the bad guys seem to have been quiet for a couple of days, however it does look like they've managed to exploit 3 million or so pages (according to Yahoo!) so it could just be that they are very busy.
Friday 20 June 2008
List of SQL Injection domains
My postings here about SQL injected domains are a bit ad-hoc, but Shadowserver also have a pretty up-to-date list if you're looking at blocking them.
Quite a lot of these domains are .cn (China). You might want to consider completely blocking access to .cn, but if you only have basic filtering then you might find yourself blocking things like www.cnn.com too (that took some diagnosing followed by a "d'oh!).
Quite a lot of these domains are .cn (China). You might want to consider completely blocking access to .cn, but if you only have basic filtering then you might find yourself blocking things like www.cnn.com too (that took some diagnosing followed by a "d'oh!).
SQL injection: pingadw.com, alzhead.com, pingbnr.com, coldwop.com, adwbnr.com, bnrcntrl.com, chinabnr.com
More SQL Injection domains, this time pingadw.com, alzhead.com, pingbnr.com, coldwop.com, adwbnr.com, bnrcntrl.com and chinabnr.com. Probably a good idea to check your logs and/or block access to these sites.
No change in the method of attack, and the cleanup of SQL servers is proceeding pretty slowly. It's clear that some sites are not going to be fixed any time soon, so if you see a site that hasn't been secured then perhaps a complaint to their web host might help.
No change in the method of attack, and the cleanup of SQL servers is proceeding pretty slowly. It's clear that some sites are not going to be fixed any time soon, so if you see a site that hasn't been secured then perhaps a complaint to their web host might help.
Thursday 19 June 2008
msmvps.com, msinfluentials.com and Spyware Sucks offline
I'm a regular reader of Spyware Sucks and was surprised to see that it had been offline for a few days. It turns out that the server that runs the msmvps.com blogging service (used by main Microsoft specialists) got infected with this nasty.
The Google cache of the SBS Diva Blog throws up this information:
and
The Google cache of the SBS Diva Blog throws up this information:
In getting ready for the upgrade to CS 2008 I was trying to make some special backups... that wouldn't work. Well in digging into the matter more, that' service that is missing some files which is causing the peer to peer backups between Brianna and Yoda to fail.. isn't a real service at all.
http://www.sophos.com/security/analyses/viruses-and-spyware/w32rbotgos.html
We have backups so first thing tomorrow morning I'll be calling PSS Security to, more than anything else find out the "how" this happened.
Bottom line we got a critter on the box and I didn't (intentially anyway) put it there.
And to check to see if Yoda should be quarantened (aka web server turned off) to protect web visitors as well. So if the blog goes off the air a bit we're just doing it to better protect viewers.
and
Oh well.. it can happen to anyone.
In looking at the log files and event logs of Yoda, I'm not liking what I'm seeing... so the blog site at www.msmvps.com and www.msinfluentials.com will be offline starting at 7p.m. Pacific possibly until Friday.
Apologies for the inconvenience to all the bloggers on the site and we'll get back online as soon as we can.
Microsoft recommends that any systems found to be compromised or suspected of being compromised be formatted and re-installed from a known good build (i.e. operating system CD + all security patches while disconnected from the network). CERT has a good web site that provides information on recovering from security incidents located at: http://www.cert.org/nav/recovering.html
Wednesday 18 June 2008
HTM Hell
One feature of these recent SQL Injection attacks is that the same sites will get repeatedly hit. So an infected site might have any number of malware-laded domains injected into the code. Click the image below to see a snippet from a really badly infected site.
The interesting thing about these attacks is that they are not very reliable. It's perfectly possible to visit an infected site and have the javascript fail to load because that particular node of the fast flux botnet is offline - but where there are several calls to several different domains, then the likelihood of infection is much greater. The upside is that any sharp-eyed user should notice something odd with these badly infected pages.
The interesting thing about these attacks is that they are not very reliable. It's perfectly possible to visit an infected site and have the javascript fail to load because that particular node of the fast flux botnet is offline - but where there are several calls to several different domains, then the likelihood of infection is much greater. The upside is that any sharp-eyed user should notice something odd with these badly infected pages.
chkadw.com
The latest domain in the SQL Injection attacks is chkadw.com (i.e. pointing to www.chkadw.com/b.js). Domain is registered to a (probably fake) Chinese contact through a Chinese registrar. Delivery mechanism and payload seem to be identical to the latest attacks.
Tuesday 17 June 2008
Yet more SQL injection domains
Keep an eye out for datajto.com, dbdomaine.com, upgradead.com, clsiduser.com, clickbnr.com, bnrcntrl.com, domaincld.com, jetdbs.com, updatead.com, all pointing to b.js (e.g. www.dbdomaine.com/b.js) - all forming part of the latest SQL injection attack.
Registrar is VIVIDS MEDIA GMBH - let's see if they clean up their act.
If you're in tech support, check your outbound logs for connections to these domains. If you're an end user then I'd recommend Firefox with Noscript as a good way to protects youself.
Registrar is VIVIDS MEDIA GMBH - let's see if they clean up their act.
If you're in tech support, check your outbound logs for connections to these domains. If you're an end user then I'd recommend Firefox with Noscript as a good way to protects youself.
Subscribe to:
Posts (Atom)