
Thursday, 10 July 2008

Asprox domains: 10/7/08

These seem to be the currently active Asprox SQL Injection domains to block or check for. New ones are in bold.

No prizes for guessing that Vivids Media GmbH handled the registrations.

Two more new ones as well:

  • bkpadd.mobi
  • tctcow.com

Wednesday, 9 July 2008

ZoneAlarm: "The firewall has blocked Internet access to.."

If you have recently patched your Windows computer with KB951748 and have ZoneAlarm installed then you'll probably find that everything has stopped working with a message similar to:
ZoneAlarm Security Alert
The firewall has blocked Internet access to whatever.com ( (HTTP) from your computer (TCP Flags: S)

This is because the Microsoft patch you just applied has made some fairly significant changes to the way your PC looks up internet names (such as web pages, email hosts etc) and ZoneAlarm isn't aware of those changes and is consequently having a panic.

It isn't really a fault with the patch, and given the nature of the change, you can perhaps expect ZoneAlarm not to cope [see note below]. If you really want some more technical background read this article at the Internet Storm Center: Multiple Vendors DNS Spoofing Vulnerability.

As a temporary workaround, the best advice is to uninstall KB951748 until ZoneAlarm is updated. It is an important update, but you are going to have to either disable ZoneAlarm or remove the patch, and at the moment my advice would be to stick with ZoneAlarm.

To remove the patch in Windows XP (Vista will be similar):
  1. Click Start and select Control Panel (or Start.. Settings.. Control Panel depending on your setup).
  2. Open "Add or Remove Programs"
  3. Tick "Show Updates"
  4. Scroll down (probably very near the bottom of the list) to Security Update for Windows XP (KB951748) (Vista may be worded differently, but the key thing to look for is KB951748).
  5. Click Remove
  6. Follow the steps to remove the patch and then reboot
Keep an eye on the ZoneAlarm Official Announcements forum for updates - hopefully your copy of ZoneAlarm will download a fix automatically. Once you have the ZoneAlarm update, visit Windows Update and reapply the patch.
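For anyone wanting to see what the patch actually changed on the wire, here is an added example (not code from the original post): KB951748 is Microsoft bulletin MS08-037, which made the Windows DNS client send each query from a random ephemeral UDP source port rather than one fixed port, and that is the traffic a firewall tuned to the old behaviour objects to. The script reads constructed connection-log lines and reports, per client, whether its DNS source ports look fixed or randomised; the log format and addresses are assumptions for this example.

```python
"""Check whether a host's DNS resolver uses random UDP source ports.

Added example, not code from the original post. KB951748 (Microsoft bulletin
MS08-037) changed the Windows DNS client to send each query from a random
ephemeral source port rather than one fixed port. The log format and the
addresses below are constructed for this example.
"""
import math
import re
from collections import Counter

# Constructed firewall/connection-log lines:
#   <time> <client ip>:<source port> -> <resolver ip>:53 UDP
# 192.168.1.10 behaves like an unpatched client (one fixed port);
# 192.168.1.20 behaves like a patched client (fresh random port per query).
SAMPLE_LOG = """\
10:00:01 192.168.1.10:1031 -> 192.168.1.1:53 UDP
10:00:02 192.168.1.10:1031 -> 192.168.1.1:53 UDP
10:00:03 192.168.1.10:1031 -> 192.168.1.1:53 UDP
10:00:04 192.168.1.10:1031 -> 192.168.1.1:53 UDP
10:00:01 192.168.1.20:54233 -> 192.168.1.1:53 UDP
10:00:02 192.168.1.20:61077 -> 192.168.1.1:53 UDP
10:00:03 192.168.1.20:49201 -> 192.168.1.1:53 UDP
10:00:04 192.168.1.20:58910 -> 192.168.1.1:53 UDP
10:00:05 192.168.1.20:50466 -> 192.168.1.1:53 UDP
10:00:06 192.168.1.20:63358 -> 192.168.1.1:53 UDP
10:00:07 192.168.1.20:52117 -> 192.168.1.1:53 UDP
10:00:08 192.168.1.20:57042 -> 192.168.1.1:53 UDP
10:00:09 192.168.1.20:443 -> 10.0.0.5:443 TCP
"""

# Only DNS-over-UDP lines (destination port 53) are of interest.
LINE_RE = re.compile(r"^\S+ (\d+\.\d+\.\d+\.\d+):(\d+) -> \S+:53 UDP$")


def dns_source_ports(log_text):
    """Map each client IP to the list of source ports of its DNS queries."""
    ports = {}
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if match:
            ports.setdefault(match.group(1), []).append(int(match.group(2)))
    return ports


def port_entropy_bits(ports):
    """Shannon entropy of the observed source-port distribution (bits)."""
    total = len(ports)
    return -sum(c / total * math.log2(c / total) for c in Counter(ports).values())


def assess(ports):
    """Classify one client's behaviour: 'fixed' (one port for every query),
    'randomised' (nearly every query on a new port spread across a wide
    range) or 'unclear' (too few samples or mixed behaviour)."""
    distinct = len(set(ports))
    spread = max(ports) - min(ports)
    if distinct == 1:
        verdict = "fixed"
    elif len(ports) >= 8 and distinct >= 0.9 * len(ports) and spread >= 1024:
        verdict = "randomised"
    else:
        verdict = "unclear"
    return {
        "queries": len(ports),
        "distinct_ports": distinct,
        "spread": spread,
        "entropy_bits": round(port_entropy_bits(ports), 2),
        "verdict": verdict,
    }


def assess_log(log_text):
    """Run the assessment for every client seen in the log."""
    return {ip: assess(p) for ip, p in dns_source_ports(log_text).items()}


if __name__ == "__main__":
    for ip, result in assess_log(SAMPLE_LOG).items():
        print(ip, result)
```

A client that still reports "fixed" after the patch has not actually picked up the resolver change; a "randomised" client needs a firewall rule allowing outbound UDP to port 53 from any ephemeral source port rather than one specific port.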

Update 1:
Sandi made the following comment:
It is not necessary to uninstall the patch, or disable/remove Zonealarm. Simply reset the ZoneAlarm database:


"To solve this, just reset the ZA database and the ZA will be "fresh" as when it was first installed:

Boot your computer into the Safe Mode
Navigate to the c:\windows\internet logs folder
Delete the backup.rdb, iamdb.rdb, *.ldb and the tvDebug files in the folder
Clean the Recycle Bin
Reboot into the normal mode
ZA will be just like new with no previous settings or data

Once this is finished, reboot back into the normal mode and in the new network found windows, set the new network to Trusted.
Then do this to ensure the ZA is setup properly:

Make sure your DNS and DHCP server IP's are in your Firewall's Trusted zone. Finding DNS and DHCP servers, etc.

1. Go to Run and type in command and hit 'ok', and in the command then type in ipconfig /all then press the enter key. In the returned data list will be a line DNS and DHCP Servers with the IP address(s) listed out to the side. Make sure there is a space between the ipconfig and the /all, and the font is the same (no capitals).
2. In ZA on your machine on the Firewall, open the Zones tab, click Add and then select IP Address. Make sure the Zone is set to Trusted. Add the DNS IP(s).
3. Click OK and Apply. Then do the same for the DHCP server.
4. The localhost ( must be listed as Trusted.
5. The Generic Host Process (svchost.exe) as seen in the Zone Alarm's Program's list must have server rights for the Trusted Zone.
Plus it must have both Trusted and Internet Access."
Update 2:
ZoneAlarm have a press release with a couple of workarounds here.

Workaround to Sudden Loss of Internet Access Problem

Date Published : 8 July 2008

Date Last Revised : 9 July 2008

Overview : Microsoft Update KB951748 is known to cause loss of internet access for ZoneAlarm users on Windows XP/2000. Windows Vista users are not affected.

Impact : Sudden loss of internet access

Platforms Affected : ZoneAlarm Free, ZoneAlarm Pro, ZoneAlarm AntiVirus, ZoneAlarm Anti-Spyware, and ZoneAlarm Security Suite

Recommended Actions -

Download and install the latest versions which solve the loss of internet access problem here:

  • ZoneAlarm Internet Security Suite
  • ZoneAlarm Pro
  • ZoneAlarm Antivirus
  • ZoneAlarm Anti-Spyware
  • ZoneAlarm Basic Firewall
- or follow the directions below.

    Option 1: Move Internet Zone slider to Medium

    1. Navigate to the "ZoneAlarm Firewall" panel
    2. Click on the "Firewall" tab
    3. Move the "Internet Zone" slider to medium

    Option 2: Uninstall the hotfix

    1. Click the "Start Menu"
    2. Click "Control Panel", or click "Settings" then "Control Panel"
    3. Click on "Add or Remove Programs"
    4. On the top of the add/remove programs dialog box, you should see a checkbox that says "show updates". Select this checkbox
    5. Scroll down until you see "Security update for Windows (KB951748)"
    6. Click "Remove" to uninstall the hotfix

    I must say what is kind of annoying about this whole thing is that ZoneAlarm is owned by Check Point, who will definitely have been in on the whole DNS update issue and could have updated the product in a more timely manner. Many users of ZoneAlarm have been left high and dry because they don't have the technical skills to fix this.

    Asprox domains: 9/7/08

    Another shift in the Asprox SQL Injection domains, still registered with Vivids Media GmbH. As ever, check your logs or block them.


    "Ban Ki-moon / United Nations" scam

    An almost laughable scam email claiming to be from Ban Ki-moon (the UN's Secretary General) offering to reward victims of scams with $250,000. Of course if you are daft enough to fall for it, then you will soon find that there will be problems that will require up-front fees to be paid etc etc. Note that the reply-to address is actually mrbankimoonun1@sify.com (a free email service provider in India) although the email originated from Google Mail. You can be reasonably assured that Ban Ki-moon does not need to use a free email provider.

    From: "info@unitednation.org"
    Date: Wed, July 9, 2008 12:44 pm

    NATION. Send acopy of your response to official email:

    How are you today? Hope all is well with you and family?,You may not
    understand why this mail came to you.

    We have been having a meeting for the passed 7 months which ended 2 days ago
    with the then secretary to the United Nations

    This email is to all the people that have been scammed in any part of the
    world, the United Nations have agreed to compensate them with the sum of US$
    (Two Hundred and Fifty Thousand United States Dollars)This includes every
    foriegn contractors that may have not received their contract sum, and
    people that have had an unfinished transaction or international businesses
    that failed due to
    Government problems etc.

    Your name and email was in the list submitted by our Monitoring Team of
    Economic and Financial Crime Commission observers and this is why we are
    contacting you, this have been agreed upon and have been signed.

    You are advised to contact Mr. Jim Ovia of ZENITH BANK NIGERIA PLC, as he is
    our representative in Nigeria, contact him immediately for your Cheque/
    International Bank Draft of USD$ 250,000.00 (Two Hundred and Fifty
    Thousand United
    States Dollars) This funds are in a Bank Draft for security purpose ok? so
    he will send it to you and you can clear it in any bank of your choice.

    Therefore, you should send him your full Name and telephone number/your
    correct mailing address where you want him to send the Draft to you.

    Contact Mr. Jim Ovia immediately for your Cheque:

    Person to Contact Mr. Jim Ovia
    Telephone No: +234_8064109875.
    Email: zenithba_nkplc19_51@hotmail.com

    Goodluck and kind regards,

    Mr. Ban Ki Moon
    Secretary (UNITED NATIONS).
    Making the world a better place

    Monday, 7 July 2008

    Who are Vivids Media GmbH?

    If you have been tracking the latest round of SQL Injection domains, then you might be familiar with the name Vivids Media GMBH as being the current registrar of choice.

    The odd thing is that Vivids Media GmbH doesn't appear to have a web site or any traceable contact details. However, most of the domain registrations have a contact telephone number in Berlin of +49.3094413291 and some searching around gives this page with what looks like the correct contact details of:

    Name: Vivids Media GmbH
    Email Address: support@klikdomains.com
    Address: Leege-Gr str. 41
    City: Berlin
    Zip: 13055
    Country : Germany
    Tel No.: +49.3094413291
    That indicates that Vivid Media GmbH is related to klikdomains.com and therefore klikvip.com which are part of another company that claims to be in Berlin, Klik Media GmbH (some of the alleged goings on of this company are mentioned here). A short step away from Klik are a whole set of domains registered via Estdomains (a familiar name to many) and things start to get seedy from there.

    There's no evidence that Vivid Media GmbH is directly involved in anything bad - in fact there is barely any evidence that Vivid Media GmbH actually exists at all. Spammers and other bad guys do have a knack of finding registrars who are slow at terminating their accounts, so let's be charitable and say that Vivids Media are just understaffed in their abuse department.

    The problem is that if you want to contact Vivids Media, then it seems to be very difficult. Their website is 56823.myorderbox.com which is a sort of white label domain registrar site. Myorderbox.com seems to be based in India, and looks to be a reseller of ResellerClub which in turns registers names through PublicDomainRegistry.com.

    Complicated? Well, yes.. but ultimately PublicDomainRegistry.com are the registrar and it turns out that there is some light at the end of the tunnel. You will find that most of the domains used in these SQL Injection attacks have false WHOIS data, and you can report false WHOIS data here. Hopefully then the domain will be suspended.. not that it really matters too much because the bad guys will just register some more.

    So the answer to the question "who are Vivids Media GmbH?" is "I don't know", but for most practical purposes you wouldn't need to deal with them: if you are complaining about one of these domains, go to the registrar and report it there.

    Asprox domains: 7/7/08 and another SQL Injection mitigation article

    Another batch of Asprox domains are active today - it also seems that those from 3rd July are still running too. I advise that you check your logs for these or block them:

    If you're looking at ways of protecting your server against these SQL injection attacks, then Sophos has a blog entry called Avoiding SQL injection attacks which looks like a good starting point.

    Thursday, 3 July 2008

    Asprox domains: 3/7/08 and ngg.js

    The Asprox domains used in the current round of SQL Injection attacks have shifted again, the ones to check for or block are:

    The malicious javascript file has also changed to ngg.js (usually it is b.js or m.js or similar). If you're using Google Alerts or similar to monitor your own site or sites of interest, you might want to change the search string to something like "script src=http:" .js site:oceanic-air.com (replace the domain name with the site you want to monitor).
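As an added example (not code from the original post) of the monitoring this post suggests, the script below scans a page's HTML for the injected `<script src=http://host/b.js></script>` references these attacks leave behind, checks each against a domain blocklist, and flags external scripts using the campaign's file names (b.js, m.js, ngg.js) even when the domain is not yet on the list. The blocklist uses two domains named in these posts; the sample page, its site name and the regex-based tag extraction are assumptions for this example.

```python
"""Spot SQL-injected <script src=...> tags in a page and check them against a
domain blocklist.

Added example, not code from the original post. The unquoted injected tag form
and the script names b.js, m.js and ngg.js come from the posts; the sample
page and site name below are constructed for this example.
"""
import re
from urllib.parse import urlsplit

# Script file names the injected references have used in this campaign.
KNOWN_SCRIPT_NAMES = {"b.js", "m.js", "ngg.js"}

# Matches the src value of a <script> tag, quoted or unquoted.
SCRIPT_SRC_RE = re.compile(r"<script[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE)

# Constructed page: a product description hit three times by the injection.
SAMPLE_HTML = """<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.example.net/jquery.js"></script>
</head><body>
<h1>Widget</h1><p>A very fine widget.<script src=http://www.bigadnet.com/b.js></script></p>
<p>Specs: 10cm x 5cm<script src=http://www.bigadnet.com/b.js></script></p>
<p>Price: 9.99<script src=http://www.unlisted-host.invalid/ngg.js></script></p>
</body></html>"""

# Two domains named in these posts; extend with the current list when scanning.
BLOCKLIST = {"bigadnet.com", "chkadw.com"}


def script_sources(html):
    """Every src value of a <script> tag, in document order."""
    return SCRIPT_SRC_RE.findall(html)


def classify(src, site_host, blocklist):
    """'local' for same-site or relative scripts, 'blocklisted' for a listed
    domain, 'suspicious' for an external script with a campaign file name,
    otherwise 'external'."""
    host = (urlsplit(src).hostname or "").lower()
    bare = host[4:] if host.startswith("www.") else host
    if host == "" or bare == site_host:
        return "local"
    if bare in blocklist or host in blocklist:
        return "blocklisted"
    if src.rsplit("/", 1)[-1].lower() in KNOWN_SCRIPT_NAMES:
        return "suspicious"
    return "external"


def scan_page(html, site_host, blocklist):
    """Return {src: {"verdict", "count"}} for injected-looking scripts; the
    count shows how many times the same injection landed in one page, which
    is what a repeatedly hit site looks like."""
    findings = {}
    for src in script_sources(html):
        verdict = classify(src, site_host, blocklist)
        if verdict in ("blocklisted", "suspicious"):
            entry = findings.setdefault(src, {"verdict": verdict, "count": 0})
            entry["count"] += 1
    return findings


if __name__ == "__main__":
    for src, info in scan_page(SAMPLE_HTML, "example-shop.invalid", BLOCKLIST).items():
        print(info["verdict"], info["count"], src)
```

Because the injected HTML lives in database text columns, running the same scan over a dump of those columns finds the infection at its source rather than only on the rendered pages.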

    Wednesday, 2 July 2008

    Asprox domains: 2/7/08

    These seem to be the currently active domains used in the Asprox SQL Injection attack. Registrar of choice at the moment is Vivids Media GMBH (if they really exist) via Directi Internet Solutions (publicdomainregistry.com).


    Best advice is to block access to these sites and check your logs.

    Monday, 30 June 2008

    "Royal Alliance Financial Investment" scam

    A slightly strange scam from some outfit pretending to be "Royal Alliance Financial Investment" offering a low-cost loan. The initial email does not ask for much in the way of personal data, presumably that comes as the next step.

    There is no such company as "Royal Alliance Financial Investment" in the UK. Originating IP is which is allocated to Swift Global Kenya Limited in Nairobi. Finance companies do not generally use free email accounts to solicit business, and the address is clearly wrong. Avoid.

    From: "Royal Alliance Financial Investment"
    Date: Mon, June 30, 2008 3:43 pm

    Royal Alliance Financial Investment
    (Financial Aid Professionals)
    Contant Address:85 Fleet Street.
    London EC4Y 1AE.
    Manchester United Kingdom.

    Are you searching for a Genuine loan? at an affordable interest rate ?
    processed within 4 to 6 working days. Have you been turned down constantly
    by your Banks and other financial institutions? The goodnews is here !!!

    Welcome to Royal Alliance Financial Investment,interest rate at 3%.It
    gladdens our
    hearts to bring to your notice that we offer all kinds of loan to any
    part of the world.Being a licensed and registered company under the
    finance ministry here in the United Kingdom we make available to customers
    legitimate loan offers that are quick and affordable with interest rate at
    a mere 3%.

    Our Packages include:*Home Loan *Auto Loan*Mortgage Loan*Business
    Loan*International Loan*Personal Loan*And Much More.

    Please if you are delighted and interested in our financial offer,Do not
    hesitate to contact us if in need of our service as you will be required
    to furnish us with the following details to commence with the process of
    your loan sum accordingly


    First Name:___________________________
    Last Name:____________________________
    Marital status:_______________________
    Contact Address:______________________
    City/Zip code:________________________
    Date of Birth:________________________
    Amount Needed as Loan:________________
    Loan Duration:________________________
    Monthly Income/Yearly Income:_________
    Business name:________________________
    Purpose for Loan:_____________________

    Thanks For Your Patronage!

    'Your Business Is Our Blessing'

    Mr,Jerry Mccarthy,
    London Operations Manager,
    Contant Address:85 Fleet Street.
    London EC4Y 1AE.
    Manchester United Kingdom.

    Asprox: new domains including .mobi

    Another set of domains used in the Asprox SQL Injection attack: bnrupdate.mobi, adwste.mobi, adupd.mobi, hlpgetw.com, hdadwcd.com, rid34.com, adwsupp.com, supbnr.com, suppadw.com, dl251.com, aspx49.com, kadport.com, tid62.com, and batch29.com.

    It's the first time that I've seen .mobi used in this way. Blocking access to all .mobi domains will probably do little harm.

    Thursday, 26 June 2008

    Asprox: list of domains and mitigation steps

    The folks over at Bloombit Software have a useful article called ASCII Encoded/Binary String Automated SQL Injection Attack which explains some of the technical details behind these attacks and also has another list of domains serving up malware which is useful to keep an eye on.

    Asprox: app52.com, aspssl63.com, update34.com, appid37.com, asp707.com, westpacsecuresite.com

    Another bunch of domains coming up in the latest batch of Asprox SQL Injection attacks: app52.com, aspssl63.com, update34.com, appid37.com, asp707.com, westpacsecuresite.com - check your logs for these.

    Wednesday, 25 June 2008

    Microsoft Security Advisory (954462) - Rise in SQL Injection Attacks Exploiting Unverified User Data Input

    A timely advisory from Microsoft on SQL Injection attacks plus some tools to help secure your setup are available on KB954462 with more information here and ISC's commentary here.

    Of particular interest is the free Scrawlr tool available from HP. That could be a useful way to see if your server is vulnerable before the bad guys find it.

    Monday, 23 June 2008

    Motorola MOTOZINE ZN5

    Former Moto fans such as myself have waited ages for a truly decent handset to come out from Motorola.

    The Motorola ZINE ZN5 certainly has an impressive looking camera.. but the problem is that the rest of the phone is pretty unimpressive.

    Motorola's woes have been well documented, but this certainly does look like Motorola's last chance. And it looks like the ZN5 is not really up to the task..

    ISC: SQL Injection mitigation in ASP

    If you're trying to secure your SQL server against the latest round of injection attacks, then check out this item from the Internet Storm Center, which gives some pointers on how to secure your database with ASP.

    It probably makes much more sense to an SQL developer than to me.. but the important point is that just cleaning up the injection attack is not enough - you also need to prevent it from happening again by securing your SQL server. And I'm afraid that probably involves spending some time and money..

    SQL Injection: bnradw.com

    Another SQL Injection domain to block or watch out for in your logs - bnradw.com.

    Other than that, the bad guys seem to have been quiet for a couple of days, however it does look like they've managed to exploit 3 million or so pages (according to Yahoo!) so it could just be that they are very busy.

    Friday, 20 June 2008

    List of SQL Injection domains

    My postings here about SQL injected domains are a bit ad-hoc, but Shadowserver also have a pretty up-to-date list if you're looking at blocking them.

    Quite a lot of these domains are .cn (China). You might want to consider completely blocking access to .cn, but if you only have basic filtering then you might find yourself blocking things like www.cnn.com too (that took some diagnosing followed by a "d'oh!").

    SQL injection: pingadw.com, alzhead.com, pingbnr.com, coldwop.com, adwbnr.com, bnrcntrl.com, chinabnr.com

    More SQL Injection domains, this time pingadw.com, alzhead.com, pingbnr.com, coldwop.com, adwbnr.com, bnrcntrl.com and chinabnr.com. Probably a good idea to check your logs and/or block access to these sites.

    No change in the method of attack, and the cleanup of SQL servers is proceeding pretty slowly. It's clear that some sites are not going to be fixed any time soon, so if you see a site that hasn't been secured then perhaps a complaint to their web host might help.

    Thursday, 19 June 2008

    msmvps.com, msinfluentials.com and Spyware Sucks offline

    I'm a regular reader of Spyware Sucks and was surprised to see that it had been offline for a few days. It turns out that the server that runs the msmvps.com blogging service (used by many Microsoft specialists) got infected with this nasty.

    The Google cache of the SBS Diva Blog throws up this information:

    In getting ready for the upgrade to CS 2008 I was trying to make some special backups... that wouldn't work. Well in digging into the matter more, that service that is missing some files which is causing the peer to peer backups between Brianna and Yoda to fail.. isn't a real service at all.


    We have backups so first thing tomorrow morning I'll be calling PSS Security to, more than anything else find out the "how" this happened.

    Bottom line we got a critter on the box and I didn't (intentionally anyway) put it there.

    And to check to see if Yoda should be quarantined (aka web server turned off) to protect web visitors as well. So if the blog goes off the air a bit we're just doing it to better protect viewers.


    In looking at the log files and event logs of Yoda, I'm not liking what I'm seeing... so the blog site at www.msmvps.com and www.msinfluentials.com will be offline starting at 7p.m. Pacific possibly until Friday.

    Apologies for the inconvenience to all the bloggers on the site and we'll get back online as soon as we can.

    Microsoft recommends that any systems found to be compromised or suspected of being compromised be formatted and re-installed from a known good build (i.e. operating system CD + all security patches while disconnected from the network). CERT has a good web site that provides information on recovering from security incidents located at: http://www.cert.org/nav/recovering.html

    Oh well.. it can happen to anyone.

    Wednesday, 18 June 2008

    HTM Hell

    One feature of these recent SQL Injection attacks is that the same sites will get repeatedly hit. So an infected site might have any number of malware-laden domains injected into the code. Click the image below to see a snippet from a really badly infected site.

    The interesting thing about these attacks is that they are not very reliable. It's perfectly possible to visit an infected site and have the javascript fail to load because that particular node of the fast flux botnet is offline - but where there are several calls to several different domains, then the likelihood of infection is much greater. The upside is that any sharp-eyed user should notice something odd with these badly infected pages.


    The latest domain in the SQL Injection attacks is chkadw.com (i.e. pointing to www.chkadw.com/b.js). Domain is registered to a (probably fake) Chinese contact through a Chinese registrar. Delivery mechanism and payload seem to be identical to the latest attacks.

    Tuesday, 17 June 2008

    Yet more SQL injection domains

    Keep an eye out for datajto.com, dbdomaine.com, upgradead.com, clsiduser.com, clickbnr.com, bnrcntrl.com, domaincld.com, jetdbs.com, updatead.com, all pointing to b.js (e.g. www.dbdomaine.com/b.js) - all forming part of the latest SQL injection attack.

    Registrar is VIVIDS MEDIA GMBH - let's see if they clean up their act.

    If you're in tech support, check your outbound logs for connections to these domains. If you're an end user then I'd recommend Firefox with NoScript as a good way to protect yourself.

    Friday, 13 June 2008

    One to watch: js.users.51.la

    What the heck is js.users.51.la? In fact, where the heck is .la anyway? And why am I asking?

    As I've mentioned before, there are possibly two gangs carrying out the current round of SQL Injection attacks, one possibly based in China and one based in Russia. Their techniques are very similar, but they seem to have distinct differences.

    js.users.51.la appears in many of the "Chinese" exploits - 51.la itself appears to be a legitimate web counter site. Presumably as part of the bad guys' statistical tracking system, the js.users.51.la domain is combined with what appears to be a randomly named .js file.

    This doesn't appear to be a malware site in itself, but it could be a useful thing to look for in your proxy logs as it may well help track down machines that have visited infected sites. Either search for js.users.51.la or perhaps just 51.la as part of your normal audit process.

    Where is .la? Officially it is Laos, but the TLD is also being punted as "Los Angeles" by www.la. No clue there, but the fact that all the signups for 51.la are in Chinese really does indicate that there's a Chinese connection here.

    advabnr.com and adsitelo.com

    SQL injection time again, this time with two new domains advabnr.com and adsitelo.com, both loading a script called b.js (i.e. advabnr.com/b.js and adsitelo.com/b.js).

    This is turning up on sites that have already been infected with other SQL injection attacks. The good news is that the new attacks seem to be smaller, indicating that people really are managing to secure their web servers.

    Some notable infected sites (many of these have been cleaned up):

    • bioimmune.com - BioImmune Inc (Health)
    • immuquest.com - Health
    • eyemdlink.com - Health
    • tandberg.com - Tandberg (Electronics)
    • techsol.com - Technology Solutions Company (ERP services)
    • pollingcompany.com - The Polling Company (Market Research)
    • spjc.edu - St Petersburg College
    • judge.com - The Judge Group (jobs)
    • ibs.com - IBS, Inc (IT Services)
    • outsourcingcentral.com - Business information
    • mintek.com - Mintek Mobile Data Solutions
    • engcen.com - Engineering jobs
    • micronet.com - Digital storage
    If you're searching for these domains yourself, I recommend using Yahoo! and Google as they give different results. Of course, these sites contain live malware so approach with caution.

    Thursday, 12 June 2008

    bigadnet.com - latest SQL injection domain

    A continuation of the latest wave of SQL Injection attacks is bigadnet.com - many sites infected with "older" attacks have been "upgraded" to bigadnet.net. The inserted code to look for is www.bigadnet.com/b.js which then forwards to bigadnet.com/cgi-bin/index.cgi?ad - this in turn seems to be able to deliver a variety of malware.

    bigadnet.com is running on a fast flux botnet, so it's highly distributed and resilient but not very reliable at actually delivering a payload.

    Tuesday, 10 June 2008

    UK Government sites hit by SQL Injection attacks

    Do you trust the government with your personal data? A look at some recent national and local government sites that have been compromised with SQL injection attacks might make you think again.

    • fco.gov.uk - Foreign and Commonwealth Office
    • dfes.gov.uk - Department for Children, Schools and Families
    • harrow.gov.uk - Harrow Council
    • cwic.cornwall.gov.uk - Cornwall County Council
    • cityoflondon.gov.uk - City of London
    • corpoflondon.gov.uk - City of London
    • nottinghamcity.gov.uk - Nottingham City Council
    • relocateleicester-shire.gov.uk - Leicestershire County Council
    • gos.gov.uk - Government Office Network
    • lda.gov.uk - London Development Agency
    • uktradeinvest.gov.uk - UK Trade & Investment
    • dcalni.gov.uk - Northern Ireland leisure and tourism
    • colchester.gov.uk - Colchester Borough Council
    • countryside.wales.gov.uk - Welsh assembly
    • cefngwlad.cymru.gov.uk - Welsh assembly
    • broadband.cymru.gov.uk - Welsh assembly
    • wmra.gov.uk - West Midlands Regional Assembly
    • wmlga.gov.uk - West Midlands Local Government Association
    • wycombe.gov.uk - Wycombe District Council
    • southshropshire.gov.uk - South Shropshire District Council
    • businesslink.gov.uk - Business Development
    • shetland.gov.uk - Shetland Council
    • unlockingessex.essexcc.gov.uk - Essex County Council
    • e-petitions.kingston.gov.uk - Kingston Borough Council
    • clevelandfire.gov.uk - Cleveland Fire & Rescue
    • surreyheath.gov.uk - Surrey Heath Council
    • rbkc.giv.uk - Royal Borough of Kensington and Chelsea
    • conwy.gov.uk - Conwy County Council
    These are some example searches that show the problem (note that the search results will change over time, and the results themselves may lead to malware). Yahoo! examples: 1 2 3 4 5; Google examples: 1 2 3 4

    Widen the search to sites containing .gov with a "b.js" exploit in (the most common), and you can see that government sites all over the world have been compromised, with Yahoo! estimating 11,000 infected pages. Think about it.. these should be trusted sites, but clearly they are not safe. Remember: there is no such thing as a trusted site anymore.

    SQL Injection: advertbnr.com, logid83.com, script46.com, rexec39.com

    Another batch of domains being used in SQL Injection attacks: advertbnr.com, logid83.com, script46.com, rexec39.com. Sanitize your inputs.

    It looks like a lot of recent domains have been suspended by their registrar, some of the recent domains are with Xin Net who have been spam-friendly in the past, but may be cleaning up their act.

    Google indicates that around 668,000 web pages are infected, but a search at Yahoo! shows around 3,000,000 infected pages which is probably more accurate.

    Monday, 9 June 2008

    Apple iPhone 3G

    After lots and lots of rumours, the Apple iPhone 3G is finally here. It adds UMTS and HSDPA (3.5G), plus GPS and mapping. There's a new software platform, plus a number of other enhancements. But, really it's a bit disappointing.. the camera is still poor and you can't take out the battery.. and the 480 x 320 pixel display is so last year..

    One surprising thing is that the iPhone will ship to 70 countries from July onwards. They've managed to do all that while keeping the iPhone 3G very quiet indeed.

    Oh well, perhaps the iPhone 3 will finally be the one that fits in everything but the kitchen sink!

    SQL Injection: sslnet72.com, encode72.com, bannerupd.com, err68.com, cookieadw.com

    Another batch of domains showing up in SQL injection attacks are sslnet72.com, encode72.com, bannerupd.com, err68.com, cookieadw.com.

    Some notable compromised sites:

    • ise.ie - Irish Stock Exchange
    • pittsfield-ma.org - City of Pittsfield
    • corangamite.vic.gov.au - Corangamite Shire, Victoria
    • fdc.org.br - Brazilian government agency
    • dailyu.com - Local newspaper
    • www.humanrightsfirst.org - Campaigning organisation
    • therecruitbusiness.com - Recruiting
    • corporate-responsibility.org - Business information
    • childcarefinancialaid.org - Financial information
    • micronet.com - Computer storage
    • tairawhiti.ac.nz - Tairawhiti Polytechnic, New Zealand
    The payload at the moment is undetermined, and some of these sites will have been cleaned up. At the time of writing, Irish Stock Exchange at ise.ie is still compromised.

    "Company Littmann Stethoscopes Co.Ltd" bogus job, spoofing medisave.net

    medisave.net is an "under construction" website belonging to the wholly legitimate Medisave UK Ltd, a supplier of medical equipment.

    Unfortunately, there is a fake job offer being sent out in Medisave's name. One twist is that the "From:" address is jobs@medisave.net, but the reply to address is littmannstethoscopeshelpdesk@gmail.com. The spammers are taking advantage of the fake the the "reply to" address is often not clear until the user clicks "reply", otherwise they tend to see the fake "from" address (note, medisave.net is not compromised and is not sending out these emails).

    The job offer is likely to be some sort of money mule/money laundering scam. Really there's no need to dig further. Of interest is the fact that the email address has been harvested from a UK retailer and this is a UK-targeted spam.

    From: Company Littmann Stethoscopes Co.Ltd
    Reply-To: littmannstethoscopeshelpdesk@gmail.com
    Subject: Online Job Opportunity (Apply Now )

    Would you like to earn £5,000 in a week?

    Reply Back for more details

    100% legal No upfront payment from you.

    Risk Free

    Amazon.com - reverse pump and dump or blackmail?

    I received this unintelligible email from an IP address in Russia (, probably relating to the recent mystery outage at Amazon.com.

    Subject: Amazon.com In what a problem?
    Date: Mon, June 9, 2008 7:14 am

    News agency Reuters informs about not to working capacity of a site amazon.com in
    current of two weeks since June, 9th and corresponding it to falling of share price. Be close
    at work with them.

    What gives? My best guess is that someone is trying to either drive the share price down (perhaps they have a put option), or perhaps it is part of some blackmail plot relating to the amazon.com outage.

    Unfortunately for the bad guys, the email is completely incomprehensible. As spam, this one is definitely destined for the failboat.

    Thursday, 5 June 2008

    Googling for SQL injection infected sites

    A very rough and ready Google search shows (warning: results may lead to malware) 792,000 pages that were infected when Google visited the site. Sites that say "This site may harm your computer." can be considered as persistent offenders. Note also that the search results may have some false positives.

    All very interesting, you might think. But if you work in an IT department, it can be very useful to find sites that your users might visit so that you can take action.. or perhaps you can even check your own business.

    In this current round of attacks, the bad javascript file is called b.js, so you can find a lot of infected sites by Googling for "script src" b.js (you need to include the quotes). That gives hundreds of thousands of matches.

    One obvious check is to add your company name, for example "script src" b.js "oceanic airlines", but Google is cleverer than that. If you use the "inurl" function, then you can search for sites in certain TLDs or with certain names. For example "script src" b.js inurl:gov lists several government sites, "script src" b.js inurl:oceanic would find results on sites such as oceanic-air.com, oceanicair.net, oceanic-air.co.uk.

    You can narrow down results by country by using the Advanced Search (or you could just use the "national" Google site such as google.co.uk, google.ca etc). You can use other search engines too, but really Google has the most powerful searching options.

    Of course, if you want to confirm if the site is still infected, then you will need to visit it. If you don't want all the hassle of firing up a Linux box, then one safe tool is SamSpade for Windows which allows you to look at the underlying HTML safely. It's a pretty old tool, and not perfect, but very useful for a number of tasks. Alternatively, WGET for Windows is more powerful and it allows you to download files in a command line (although care needs to be taken once they are on your machine). I tend to use both.
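    As an added check for the "confirm the site is still infected" step (this is my own example, not a tool from the post or from the SamSpade or wget projects), the Python script below does offline what you would otherwise do by eye on the raw HTML: it finds script and iframe tags whose source host is one of the injection domains named in the posts on this page. It searches the raw text rather than a parsed DOM because, as the xiaobaishan.net post below notes, the injected tags often land inside other tags' attributes and leave the markup a mess that a strict parser may drop. The domain set is taken from this page; the sample HTML, including its two injected tags, is constructed for the demo, and the function names are my own.

```python
import re
from urllib.parse import urlparse

# Hosts named on this page as sources of injected b.js / Help.asp / 1.js scripts.
INJECTED_SCRIPT_HOSTS = {
    "view89.com", "tag58.com", "exe94.com", "win496.com", "rundll841.com",
    "sslput4.com", "sysid72.com", "locale48.com", "en-us18.com", "libid53.com",
    "rundll92.com", "exec51.com", "9966.org", "xiaobaishan.net", "chliyi.com",
    "nihaorr1.com", "winzipices.cn", "jueduizuan.com", "2117966.net",
}

# Matches <script ... src=...> and <iframe ... src=...> on the raw text, so it
# still fires when the tag was injected into the middle of another attribute.
TAG_SRC_RE = re.compile(
    r"<(script|iframe)\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)",
    re.IGNORECASE,
)


def _host_is_listed(host, listed):
    """True if the host or any parent domain is in the list (www.view89.com -> view89.com)."""
    parts = host.lower().rstrip(".").split(".")
    return any(".".join(parts[i:]) in listed for i in range(len(parts)))


def find_injected_scripts(html, listed=INJECTED_SCRIPT_HOSTS):
    """Return one finding per script/iframe tag that loads from a listed host."""
    findings = []
    for m in TAG_SRC_RE.finditer(html):
        tag, src = m.group(1).lower(), m.group(2)
        if src.startswith("//"):          # scheme-relative URL
            url = "http:" + src
        elif "://" in src:
            url = src
        else:                              # relative path: no host to check
            continue
        host = urlparse(url).hostname or ""
        if _host_is_listed(host, listed):
            findings.append({"tag": tag, "src": src, "host": host, "offset": m.start()})
    return findings


# Constructed sample page: one legitimate local script and two injected tags,
# the second of which has been dropped inside a title attribute.
SAMPLE_HTML = """<html><head><title>Example council site</title>
<script src="/js/site.js"></script>
</head><body>
<p>Welcome to our website</p>
<script src=http://www.view89.com/b.js></script>
<a href="/news" title="News</title><script src="http://www.tag58.com/b.js"></script>">News</a>
</body></html>"""


if __name__ == "__main__":
    for f in find_injected_scripts(SAMPLE_HTML):
        print(f"{f['tag']} from {f['host']} at byte {f['offset']}: {f['src']}")
```

    Feed it the HTML you saved with wget (or pasted out of SamSpade) rather than letting a browser render the page, and extend INJECTED_SCRIPT_HOSTS as new domains appear.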

    More SQL injection fun: view89.com, exe94.com and tag58.com

    Yet more new domains in this never-ending wave of SQL Injection attacks: view89.com, exe94.com and tag58.com. Infected sites load a malicious javascript from www.view89.com/b.js or www.tag58.com/b.js which redirects through exe94.com/cgi-bin/index.cgi?ad - that in turn might try any number of things to infect the visitor's PC.

    Chinese "selling-domain" mails

    Probably not a scam, and really only a moderate hit on the Spam-O-Meter, but there do seem to be a number of emails from a person called Liu offering to sell a .cn version of your .com domain.

    Subject: selling-domain: ------.cn
    From: ljp013@vip.163.com
    Date: Thu, June 5, 2008 1:13 am

    We have ------.cn and think it is useful for you to made a China Website and
    to explore China market.

    We are pleased to inform you that we are now engage an activity by which you
    can purchase this domain only with $1000 USD. If you are interested in it
    ,please reply to us and discuss the domain tranfer matters.
    We could finish the transaction through www.sedo.com which is a international
    Domain trade agency.Then,sedo.com will help you transferred the domain.
    China is the biggest market in the world £¡Dot.cn domains is a symbol of
    enterprises in China£¡10,000,000 .cn domains are been registered£¡

    At last,Sorry for the disturb if any.

    Wish you a happy new year 2008, and welcome to our China to visit Olympic Games.

    Best Regards.



    Some large international companies use .cn domain in China.
    http://www.google.cn/ The world's largest search company google.com China Station
    http://www.Amazon.cn The world's largest online bookstore amazon.com company
    China Station
    http://www.Yahoo.cn Yahoo.com he is the sub-stations in China

    It used to be the case that anyone wanting to register a .CN name had to either live in China or have a business that operated in China, although this is no longer the case and it seems everyone can register a .CN name (some restrictions apply on names and content). Neulevel's FAQs on the .CN TLD are enlightening. There is a dispute policy if you feel that your domain name has been registered unfairly.

    To be honest, I'm not at all bothered about .CN names and I certainly won't be shelling out $1000 for something I won't use. But as ever, if you want to protect your brand abroad then securing the .cn version of your domain might be a good idea; there's a list of registrars at CNNIC.

    flyzhu.9966.org and exec51.com SQL injection attacks

    More in the ever-morphing world of SQL injection attacks. Sites that were hit with the xiaobaishan.net attack are now directing to flyzhu.9966.org/us/Help.asp, and sites previously infected with en-us18.com are now pointing to www.exec51.com/b.js.

    9966.org appears to be a dynamic DNS service, and exec51.com is a fast flux botnet. My best guess is that there are two rival groups performing SQL injections, one of them Chinese and the other Russian.

    The nature of the botnet means that the payload delivery is a bit erratic, but with a bit of effort exec51.com coughs up a reference to fake anti-spyware site advancedxpdefender.com. That tries to install a trojan which is pretty well detected by most AV products.

    Thanks also to Amir who pointed us in the direction of his guide to preventing SQL injection attacks - if your server has been hit by one of these exploits, then it might be useful to you.

    Wednesday, 4 June 2008

    Redmondmag.com and related sites serving up malware

    One notable name that keeps coming up with regards to the latest round of SQL Injection attacks is Redmondmag.com, published by 1105 Media, Inc., as well as a number of sister sites. For a publication for IT professionals to be so badly impacted by SQL injection attacks raises some eyebrows.

    A quick bit of Google searching shows how bad it is: a search for sysid72.com "1105 media" shows 35 infected pages belonging to virtualizationreview.com, visualstudiomagazine.com, redmondmag.com, reddevnews.com and certcities.com. Searching for xiaobaishan.net "1105 media" comes up with 121 matches for tcpmag.com and certcities.com. There are similar hits when searching for en-us18.com and locale48.com.

    An alternative search you can do is b.js "1105 media" where this current batch of injected javascripts can clearly be seen (of course, this blog entry will also turn up for the same search string in time!)

    This problem goes back to at least April when redmondmag.com was infected by the nihaorr1.com attack.

    Here's the thing: the sites showing up in Google are not infected at the moment, but they were when Google crawled them. Clearly 1105 Media cleans up the attacks quickly, but it has not yet managed to secure its SQL server against injection attacks. Perhaps 1105 Media should read some of their own articles on the subject (see redmondmag.com/news/article.asp?editorialsid=9928 - visit at your own risk!)

    win496.com, tag58.com, rundll841.com and sslput4.com: another SQL injection attack

    Yet another SQL injection attack doing the rounds, this time inserting references to www.win496.com/b.js, www.tag58.com/b.js and www.rundll841.com/b.js. The javascript redirects to sslput4.com/cgi-bin/index.cgi?ad. (Obviously, don't visit these sites unless you know what you are doing!)

    All the domains run on a distributed botnet and were freshly registered this morning to a no-doubt fake address:

    whois -h whois.crsnic.net win496.com ...

    whois -h whois.PublicDomainRegistry.com win496.com ...
    Registration Service Provided By: VIVIDS MEDIA GMBH
    Contact: +49.3094413291

    Domain Name: WIN496.COM

    lera (casta4000@mail.ru)
    reklama uslug 727 94-00
    Tel. +7.4952345672

    Creation Date: 04-Jun-2008
    Expiration Date: 04-Jun-2009

    Domain servers in listed order:

    Administrative Contact:
    lera (casta4000@mail.ru)
    reklama uslug 727 94-00
    Tel. +7.4952345672

    Technical Contact:
    lera (casta4000@mail.ru)
    reklama uslug 727 94-00
    Tel. +7.4952345672

    Billing Contact:
    lera (casta4000@mail.ru)
    reklama uslug 727 94-00
    Tel. +7.4952345672

    There are probably several different payloads, one we have seen is the Danmec trojan which drops a file called aspimgr.exe into the SYSTEM32 folder (more details here, here and here). The payload delivery may be randomised, it seems to be quite difficult to determine exactly what is going on.

    If your server has been infected, then you need to do more than just clean it up.. you need to sanitize your SQL inputs. You can read more details of how SQL injections works here.

    Right now it is difficult to say how many sites are impacted as the domains are really very new.

    Added: you can add sysid72.com/b.js to this list too. That was registered 5 days ago, and a Google search already shows over 2000 hits. Also locale48.com has infected over 4000 pages in the same time frame.

    Tuesday, 3 June 2008

    Some people are stupid

    A classic post over at the F-Secure blog where some muppet "hacker" accidentally emailed out their malware generation tool and put it right into the hands of anti-virus researchers. To quote F-Secure, Hey, thanks. Keep up the good work.

    On a more serious note, this tool is used to generate trojanised PDF files. So go and check that your version of Adobe Reader is up to date right now before doing anything else..

    en-us18.com, libid53.com and rundll92.com SQL injection attack

    Another bunch of at least three domains (perhaps more) being used in SQL injection attacks are en-us18.com, libid53.com and rundll92.com. In each case the injected script points to b.js, and this then tries to redirect visitors to libid53.com/cgi-bin/index.cgi?ad

    It looks like some sort of fast flux network based on a botnet, so it's not actually very reliable and as yet it hasn't delivered a payload in our lab. The ISC indicate that the attack serves up a couple of infected Flash banners, although in this case the redirector seems to be en-us18.com/cgi-bin/index.cgi?ad

    At the moment, this merely serves up another redirector to MSN.com, but it would be easy enough for the botnet controllers to change it to a malicious payload.

    Some notable infected sites:

    • tcpmag.com (Technology magazine - again!)
    • annefrank.org (Anne Frank Museum)
    • galatta.com (Indian movies)
    • onefootball.dk (Sport)
    • tvoneonline.com (US TV station)
    • belfastcity.gov.uk (UK local government)
    • marketingprinciples.com (Marketing guide)
    • hobsonsbay.vic.gov.au (Australia local government)

    This is quite a fresh-looking exploit, so this list is not comprehensive. It is very disappointing to see tcpmag.com listed yet again, and we've seen sister publication redmondmag.com infected before too.

    xiaobaishan.net - yet another SQL injection attack

    It looks like the sites hit by the chliyi.com attack have been hit again, this time with an injection to a script pointing at www.xiaobaishan.net/dt/us/Help.asp. Right at the moment, the www.xiaobaishan.net domain is not resolving, but it does appear to be hosted on in China.

    It looks like the domain may well be a legitimate one that has somehow been compromised and looks like a pretty standard shared server.

    It's possible that the chliyi.com infected sites were deliberately targeted, the resulting HTML is an awful mess though (see below).

    Some notable infected sites:

    • kcsg.com (again)
    • sciencescotland.org (again)
    • paramountcomedy.com (again)
    • drdrew.com (again)
    • gisp.org (again)
    • legis.state.ia.us (Iowa State legislature)
    • modernamuseet.se (Stockholm Museum)
    • calbears.berkeley.edu (University)
    • reportchildsex.com (Child protection)
    • cas.org.uk (Citizen's Advice Scotland)
    • tcpmag.com (Technology magazine)
    • randomhouse.com.au (Random House publishers, Australia)
    • ispyni.com (Northern Ireland tourism)

    There are a number of other sites, notably in Ireland, Australia and Canada, hit too.

    This is not the only SQL injection attack doing the rounds today, and I suspect that some of them have been hit by another one pointing at en-us18.com/b.js

    As an aside, these multiple SQL injections are really messy. A code snippet from sciencescotland.org demonstrates this:

    Monday, 2 June 2008

    Bizarre USPS scam

    It's hard to tell what the scammer is trying here due to the amusingly bad English. Mail originates from the spammers' favourite email service, Gmail ( but uses a French Yahoo! email address as a drop box with a Polish "From" address.

    Clearly some sort of parcel scam where there will be a release fee of some description. Steer clear.

    Subject: Please Contact Us With This Email Address Below (usps6864@yahoo.fr)
    From: "markwillams2 Gazeta.pl"

    Hello Dear,

    Please i have to let you knowing this that your have reciverd your parcel,
    and do not let me knowing about that since last year.

    At this very point now, do to i have not heard from you to knowing the
    sitution of things now, for your information track your parcel and you will
    sean what am talking about please.

    However if you knowing that you are not the one please do get back to me as
    matter of urgent to day.please track and sean with this information Below


    Label Number: 0515 0134 7110 8886 8806

    Please Contact Us With This Email Address Below (usps6864@yahoo.fr)

    Mark Williams

    Tuesday, 27 May 2008

    pest-patrol.com is not the real PestPatrol - part II

    The fake pest-patrol.com site we mentioned a few days ago has fixed its download problem and has given us a sample. Like many of these fake anti-malware sites, the executable morphs continually to avoid protection.

    Detection rates are not good (VirusTotal results), and the real PestPatrol / eTrust product doesn't pick it up yet.

    I strongly suspect that there's nothing good in the - range at all, and it is probably a good idea to block access to that entire IP block.


    chliyi.com - another injection attack

    Thanks to Dancho Danchev for the heads up, it looks like there's another SQL injection attack on the loose, this time pointing to chliyi.com/reg.js, with about 10,000 hits currently on Google for a variety of sites.

    Reportedly, this launches some sort of ActiveX attack via obfuscated VBscript. This is another good reason not to use Internet Explorer, as most other browsers do not support ActiveX and are not vulnerable.

    Unlike some other recent injection attacks, this one seems to use a legitimate domain called chliyi.com - unfortunately for the bad guys, the registration on the domain is going to run out pretty soon.

    Domain Name.......... chliyi.com
    Creation Date........ 2003-06-12 11:21:39
    Registration Date.... 2003-06-12 11:21:39
    Expiry Date.......... 2008-06-12 11:21:39
    Organisation Name.... junrong shen
    Organisation Address. dongxiaoqiao3-1-104
    Organisation Address.
    Organisation Address. suzhou
    Organisation Address. 215006
    Organisation Address. JS
    Organisation Address. CN

    Admin Name........... shen junrong
    Admin Address........ dongxiaoqiao3-1-104
    Admin Address........
    Admin Address........ suzhou
    Admin Address........ 215006
    Admin Address........ JS
    Admin Address........ CN
    Admin Email.......... wzh@hisuzhou.com
    Admin Phone.......... +86.51265678898
    Admin Fax............ +86.51257306265

    Tech Name............ zhihui wang
    Tech Address......... suzhou
    Tech Address.........
    Tech Address......... suzhou
    Tech Address......... 215021
    Tech Address......... JS
    Tech Address......... CN
    Tech Email........... wzh@hisuzhou.com
    Tech Phone........... +86.5169697639
    Tech Fax............. +86.5167621807

    Bill Name............ zhihui wang
    Bill Address......... suzhou
    Bill Address.........
    Bill Address......... suzhou
    Bill Address......... 215021
    Bill Address......... JS
    Bill Address......... CN
    Bill Email........... wzh@hisuzhou.com
    Bill Phone........... +86.5169697639
    Bill Fax............. +86.5167621807
    Name Server.......... dns22.hichina.com
    Name Server.......... dns21.hichina.com

    The IP address of the server is which is not in the Spamhaus DROP list, which indicates again that chliyi.com might well be legitimate, just compromised.

    This is another attack that goes to show that "there is no such thing as a safe site". A scan of the Google results comes up with some interesting (and alarming) infected sites:

    • forces.ca - Canadian military
    • paramountcomedy.com - Paramount Comedy (Cable TV channel)
    • kcsg.com - KCSG (Utah TV station)
    • umnh.utah.edu - University of Utah
    • digital.lib.ecu.edu - East Carolina University
    • chapel.duke.edu - Duke University
    • drdrew.com - Dr Drew (relationship advice)
    • gisp.org - Global Invasive Species Program
    • sciencescotland.org - Royal Society of Scotland
    • moffitt.org - H. Lee Moffitt Cancer Center and Research Institute
    • confetti.co.uk - Confetti (Wedding planning)
    • buildabear.com - Build-a-Bear Workshop
    • delluniversity.com - Dell
    • trelleborg.com - Trelleborg AB (Polymer manufacturer)

    None of these are huge sites when it comes to traffic, but there are some well-known names there and certainly some which you would hope would be more secure. Looking at the other infected sites, the US, Canada, Australia, the UK and Ireland have the biggest clusters, with very few showing outside those countries.

    This is not a comprehensive list of infected sites, and many of these sites will have been cleaned up.

    If you are running an SQL server, then the rule is to secure your inputs, else you will get attacked again and again.

    Wednesday, 21 May 2008

    pest-patrol.com is not the real PestPatrol

    Thanks to Dancho Danchev for pointing out pest-patrol.com, yet another dodgy looking scareware site. Of course, the real PestPatrol is a pretty well known and legitimate anti-spyware product from CA, the one with the hyphen in the middle is definitely trying to pass itself off as the real thing. (Click the thumbnail for a larger picture).

    The fake pest-patrol.com is hosted on in the Ukraine, a range of network addresses that features on the Spamhaus DROP list, and has domain registration service from Estdomains, which always seems to be a popular choice with dodgy web sites.

    The bottom of the page has a copyright notice claiming that it was created by "Pest Patrol, Inc.", but that is likely to be fake. A large amount of text has been copied and pasted directly from the real CA site. The "PestPatrol" name is pretty widely registered as a trademark, so apart from anything else, this fake pest-patrol.com site is clearly violating CA's trademark rights.

    What's interesting about this is just how the pest-patrol.com domain ended up in the hands of a bunch of guys in Eastern Europe. Although the "PestPatrol" name is trademarked, that only applies to computer software. As it turns out, the original pest-patrol.com controlled pests of the creepy crawly variety. CA (or SaferSite Inc as it was before CA took over) would have had no claim over the domain name as it wasn't violating any trademark or causing confusion. But eventually the name expired and, after being dropped a couple of times, it ended up with someone who is clearly using it to violate a trademark.

    The lesson for businesses is perhaps that they need to keep an eye on domains that could potentially violate a trademark or be confusing, and secure them if they expire; several registrars can back order domain names. In the long run, that's probably easier than trying to track down an anonymous registrant from the former Soviet Union.

    The download option on pest-patrol.com doesn't work at present, but it could be similar to this one (VirusTotal scan results) which appears on a sister site. Unfortunately, CA's genuine product doesn't seem to detect it..

    Sunday, 11 May 2008

    Mass phpBB attack free.hostpinoy.info and xprmn4u.info

    Another injection attack reported by the ISC, and this time it appears to be using one of many potential flaws in phpBB. Injected code points to free.hostpinoy.info/f.js and xprmn4u.info/f.js, and a Google search of these two terms currently comes up with 858,000 matches between them indicating that this is a very large scale attack.

    phpBB is a great bit of software, but sadly it is riddled with security holes and requires constant updating. If you're running a phpBB forum then you need to patch it as a matter of urgency. If you don't run phpBB and are looking at running a forum then I've got to say.. try something else.

    It looks like some version of the Zlob trojan is being served up, see here and here for more details. (Thanks sowhatx). Detection rates seem to be patchy. It's possible that the injected code is using some sort of geotargetting as the destination sites are not consistent.

    free.hostpinoy.info is (XLHost.com)
    xprmn4u.info is (Mastak.ru)

    Updated: A brief analysis of some of the impacted sites shows a mix of high traffic forums and long-dead ones. Some of these forums are hit with multiple exploits and massive amounts of spam, which indicates that they are running a very out of date version of phpBB.. so folks, if you have a forum which you don't use any more, do everyone a favour and delete it.

    Wednesday, 7 May 2008

    winzipices.cn and bbs.jueduizuan.com - another SQL injection attack

    The ISC has warned about another SQL Injection attack, following on from this one a few weeks ago. This time the injection is inserting a script pointing to the winzipices.cn and bbs.jueduizuan.com domains.

    The malicious script is pointing to winzipices.cn/1.js, winzipices.cn/2.js, winzipices.cn/3.js, winzipices.cn/4.js and winzipices.cn/5.js and also bbs.jueduizuan.com/ip.js. As ever, don't visit these sites unless you know what you are doing.

    Right at the moment, winzipices.cn is coming up with a server error, but bbs.jueduizuan.com is functioning just fine. This tries to attack visiting systems using the MS07-004 vulnerability, a RealPlayer vulnerability plus it attempts to download an executable from www.bluell.cn/ri.exe possibly using a shell vulnerability (VirusTotal analysis here, mostly detected as Trojan.Win32.Agent.lpv, Trojan.MulDrop.origin or TR/Dropper.Gen).

    Some IP addresses:
    www.bluell.cn is
    winzipices.cn is
    bbs.jueduizuan.com is

    My recommendation is to block access to the entire 60.191.239.x range if you can.

    At the moment, a Google search for winzipices.cn shows 1790 matches, and for jueduizuan.com it is 1640 matches. Expect those figures to climb sharply.

    If you are running an impacted SQL server, then you need to secure it and perform better validation, else the problem will happen again. Client machines should be protected if they are fully up-to-date on patches, if you have been infected then use the excellent Secunia Software Inspector to check your system for vulnerable apps.
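    The advice here, and in the chliyi.com, win496.com and 2117966.net posts, is to secure your SQL inputs. As an added illustration of what that means in code (my own example, not from this blog or from any of the sites mentioned), the Python script below shows a page lookup that pastes a request parameter straight into the query text, next to the version that validates the parameter and binds it, plus a clean-up query an administrator can run after an attack to find rows whose text columns now carry an injected script tag. It uses Python's built-in sqlite3 with a constructed three-row table; the table, column and function names are assumptions for the demo, and the injected string in row 3 is constructed (it references view89.com, one of the domains named above).

```python
import re
import sqlite3


def make_demo_db():
    """Constructed in-memory table standing in for a site's content database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO articles (id, title, body) VALUES (?, ?, ?)",
        [
            (1, "Council news", "Bin collections move to Tuesday."),
            (2, "Planning", "Applications close on Friday."),
            # Row 3 simulates a page that an earlier attack has already modified.
            (3, "Contact us", 'Call the helpdesk. <script src="http://www.view89.com/b.js"></script>'),
        ],
    )
    conn.commit()
    return conn


def find_article_vulnerable(conn, article_id):
    """BEFORE: the request parameter becomes part of the SQL text.

    Whatever the visitor sends is parsed as SQL, so a crafted value changes
    the WHERE clause (or, on servers that allow stacked statements, runs
    extra statements against the whole database).
    """
    sql = "SELECT id, title FROM articles WHERE id = '%s'" % article_id
    return conn.execute(sql).fetchall()


def find_article_safe(conn, article_id):
    """AFTER: validate the shape of the input, then bind it as a parameter.

    The driver sends the value separately from the statement, so it can never
    be interpreted as SQL, and the validation rejects anything that is not a
    plain integer before it reaches the database at all.
    """
    if not re.fullmatch(r"[0-9]{1,9}", str(article_id)):
        raise ValueError("article id must be a small positive integer")
    return conn.execute(
        "SELECT id, title FROM articles WHERE id = ?", (int(article_id),)
    ).fetchall()


def is_rejected(conn, article_id):
    """True if the hardened lookup refuses the value."""
    try:
        find_article_safe(conn, article_id)
    except ValueError:
        return True
    return False


def find_injected_rows(conn, table, columns):
    """Clean-up check: rows whose text columns contain an injected script tag.

    `table` and `columns` are identifiers chosen by the administrator, not
    request input, which is why they may be interpolated here; the search
    pattern itself is still bound as a parameter.
    """
    hits = []
    for col in columns:
        rows = conn.execute(
            f"SELECT id, {col} FROM {table} WHERE {col} LIKE ?", ("%<script%src=%",)
        ).fetchall()
        hits.extend((row_id, col, text) for row_id, text in rows)
    return hits


if __name__ == "__main__":
    db = make_demo_db()
    crafted = "1' OR '1'='1"
    print("vulnerable, crafted input:", find_article_vulnerable(db, crafted))
    print("vulnerable, normal input: ", find_article_vulnerable(db, "1"))
    print("safe, normal input:       ", find_article_safe(db, "1"))
    print("safe rejects crafted:     ", is_rejected(db, crafted))
    print("rows with injected tags:  ", find_injected_rows(db, "articles", ["title", "body"]))
```

    The same two-step shape (reject input that is the wrong shape, then bind what is left as a parameter) applies whatever the server and language: the 2008 attacks went after ASP pages talking to SQL Server, where the equivalent is a parameterised ADO command rather than string concatenation.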

    As always, there are some high profile sites that have been compromised. They may well have been cleaned up by now, so inclusion here does not mean that they are unsafe or safe to visit.

    • safecanada.ca (Canadian Homeland Security again).
    • breastcanceradvice.com, arthritisissues.com, menssexhealth.com, www.bipolardepressioninfo.com (Health)
    • dubaicityguide.com (Travel)
    • classicdriver.com (Motoring)
    • imo.org (International Maritime Organisation)
    • cifas.org.uk (Fraud Prevention)
    • hmdb.org (Historical Marker Database)
    • abbyy.com (OCR software)
    • cancerissues.com, adhdissues.com, depressionissues.com, diabeticdiets.org, erectilefacts.com, prostatecancerissues.com, digestivefacts.com (Health)
    • www.asiamedia.ucla.edu, www.international.ucla.edu, www.asiaarts.ucla.edu, www.isop.ucla.edu (UCLA)
    • newmarket.travel (Travel)
    • discoverireland.ie (Travel)
    • gay.tv (Lifestyle)

    Some of these sites are regularly infected with SQL injection attacks, and safecanada.ca was infected with the last major outbreak. The problem is that once a site has been attacked and enumerated, then it will be attacked again and again until it is fixed.

    As mentioned before, there is no such thing as a safe site.

    Wednesday, 23 April 2008

    nihaorr1.com - there's no such thing as a "safe" site

    Websense gave a heads up about yet another mass defacement, impacting a few high profile web sites. Just to make life difficult, they didn't specify the domain in use.. but it isn't exactly rocket science to find out that it is nihaorr1.com.

    I'm going to make an assumption that if you're reading this blog, you're at least somewhat technically savvy. Don't visit any of these sites unless you know what you are doing.

    Googling nihaorr1.com/1.js brings up several thousand matches. Surprisingly, an examination of www.nihaorr1.com/1.js shows that it is not obfuscated at all and points to www.nihaorr1.com/1.htm.. and that has all the exploits nicely laid out - MS07-055, MS07-033, MS07-018, MS07-004 and MS06-014. Also there are exploits for RealPlayer, Ajax, QQ Instant Messenger and some sort of Yahoo! product (probably Instant Messenger).

    If your site has been compromised and you're looking for answers.. well, all I can tell you is that it will have been done through some sort of SQL Injection similar to this one.

    If you're supporting client PCs that are fully patched, you have a little less to worry about unless you have RealPlayer or Yahoo! IM installed. Perhaps it is a good time to consider banning these applications in any case, particularly RealPlayer which is a very common vector for attack.

    Why do I say there's no such thing as a "safe" site? Well, among the compromised sites are the following:

    www.redmondmag.com [Independent publication about Microsoft]
    www.pocketpcmag.com [Smartphone & Pocket PC magazine]
    www.careers.civil-service.gov.uk [UK Civil Service]
    www.faststream.gov.uk [UK Civil Service]
    www.safecanada.ca [Canadian National Security]
    www.n-somerset.gov.uk [UK Local Government]
    events.un.org [United Nations]
    www.unicef.org.uk [UNICEF]
    www.iphe.org.uk [Institute of Plumbing and Heating Engineering]
    www.umc.org [United Methodist Church]
    www.umita.org [United Methodist Information Technology Association]
    www.simplyislam.co.uk [Islamic Information site]
    www.rsa.org.uk [Royal Society for the Encouragement of Arts]
    www.24.com [Sports]
    www.oddbins.co.uk [Major UK wine retailer]
    www.avx.com [Electronic components]
    www.advantech.com [Computer components]
    www.aeroflot.aero [Airline]
    www.aeroflot.ru [Airline]

    In other words, you can't rely on the site you are visiting to be safe.. so the onus is on the end user to make sure their PC is fully patched and as secure as possible.

    Tuesday, 22 April 2008

    Win32/Loodok!generic.2 in SYSTEM.DLL - likely false positive

    We're getting a plague of these with eTrust (pattern 5723):

    [time 22/04/2008 12:54:21: ID 14: machine xxxxx.com: response 22/04/2008 12:54:46] The Win32/Loodok!generic.2 was detected in C:\DOCUME~1\XXXXX\LOCALS~1\TEMP...\SYSTEM.DLL. Machine: XXXXX, User: XXXXX\xxxxx. Status: File was cured; system cure performed.

    The subdirectory varies, but it is usually %user profiles%\local settings\temp\ns???.tmp where the question marks indicate a random letter/number. You may find that the subdirectory has vanished by the time you investigate.
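    An added triage script for alert logs in the format quoted above (my own example, not something from the post or from CA): it parses each line into its fields and marks a Loodok!generic.2 hit as a likely false positive only when the path is the installer's temporary ns???.tmp directory described in the post, so the hits that do not fit that pattern still get looked at. The sample lines are constructed: the first is the quoted line with an assumed subdirectory name in place of the elided one, the second is a made-up hit on a different path to show it is not flagged, and the field names in the regular expression are my own.

```python
import re

# Field layout of the eTrust alert line quoted in the post.
ALERT_RE = re.compile(
    r"^\[time (?P<time>[^:]+:\d\d:\d\d): ID (?P<id>\d+): machine (?P<machine>[^:]+): "
    r"response (?P<response>[^\]]+)\] The (?P<threat>\S+) was detected in "
    r"(?P<path>.+?)\. Machine: (?P<host>[^,]+), User: (?P<user>[^.]+)\. "
    r"Status: (?P<status>.+)$"
)

# ...\Local Settings\Temp\ns???.tmp\SYSTEM.DLL, where ??? is the random part
# described in the post (1 to 4 letters/digits allowed here to be lenient).
INSTALLER_TEMP_RE = re.compile(
    r"\\temp\\ns[0-9a-z]{1,4}\.tmp\\system\.dll$", re.IGNORECASE
)

SUSPECT_SIGNATURE = "Win32/Loodok!generic.2"


def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None


def is_likely_false_positive(alert):
    """Only the signature from the post, and only in the installer temp location."""
    return (
        alert["threat"] == SUSPECT_SIGNATURE
        and INSTALLER_TEMP_RE.search(alert["path"]) is not None
    )


def triage(lines):
    """Parse every alert line and tag each with a likely_fp verdict."""
    results = []
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        alert["likely_fp"] = is_likely_false_positive(alert)
        results.append(alert)
    return results


# Constructed sample lines (subdirectory name and second hit are made up).
SAMPLE_ALERTS = [
    "[time 22/04/2008 12:54:21: ID 14: machine xxxxx.com: response 22/04/2008 12:54:46] "
    "The Win32/Loodok!generic.2 was detected in "
    "C:\\DOCUME~1\\XXXXX\\LOCALS~1\\TEMP\\nsk2B.tmp\\SYSTEM.DLL. "
    "Machine: XXXXX, User: XXXXX\\xxxxx. Status: File was cured; system cure performed.",
    "[time 22/04/2008 13:02:07: ID 15: machine xxxxx.com: response 22/04/2008 13:02:30] "
    "The Win32/Loodok!generic.2 was detected in C:\\DOCUME~1\\XXXXX\\Desktop\\SYSTEM.DLL. "
    "Machine: XXXXX, User: XXXXX\\xxxxx. Status: File was cured; system cure performed.",
    "some unrelated log line",
]


if __name__ == "__main__":
    for a in triage(SAMPLE_ALERTS):
        verdict = "likely false positive" if a["likely_fp"] else "needs a look"
        print(f"{a['time']} {a['host']} {a['threat']} {a['path']}: {verdict}")
```

    Once CA ships a corrected pattern, the same script run over the day's log tells you how many machines were "cured" of the installer file and may need the affected application reinstalled.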

    This appears to be happening with the installer for Firefox (also tested with Netscape Navigator). You can see the problem if you snooze the AV scanner and then fire up the Firefox installer and leave it running.. the SYSTEM.DLL is clearly there.

    Apart from eTrust, VirusTotal gives it a clean bill of health.

    You may be seeing this fire off by itself if a software package is autoupdating. I can't identify exactly which installer is in use here, but it is likely to be shared between many other applications.. so expect a storm of these.

    As usual with false positives, expect a fix to be issued by CA very soon. The problem seems to be with pattern 5723, so updating to a later virus signature should probably cure it.

    Added: Pattern 5724 also reports a positive, but the beta version of 5725 does not. You can download beta signatures from CA here.

    Added: 5725 is now available for download as normal, this should cure the problem!

    Thursday, 17 April 2008

    RavMon.exe virus on new Toshiba Satellite laptop from Comet, Part II

    A few weeks ago I wrote about a new laptop with a virus preloaded that was bought from Comet. As far as I knew, I was the only person to have this problem but after carefully checking everything that I had done to set up the machine, my conclusion was that the RAVMON.EXE malware was preloaded on the PC.. but perhaps it was a one-off.

    Not so. From the comments on the post, it seems that Toshiba laptops from Currys and PC World have the problem, and over at the Irreverence Is Justified blog it turns out that exactly the same thing has happened. Same virus, same model of Toshiba and Comet (again).

    Detections were varied, but it appears to be a trojan that possibly loads itself on via a USB key. The implication is that some part of the manufacturing process / preparation is compromised with infected USB devices.

    So Toshiba's manufacturing process is compromised? Well, it appears to be.. but almost definitely an accident rather than a malicious act. Presumably there are many more L40-18Z laptops with the same problem..

    Wednesday, 16 April 2008

    2117966.net revisited

    Last month I blogged about Trend Micro's website being compromised, as well as thousands of others, with an IFRAME injection to 2117966.net.

    The ISC has followed up with an analysis of the tool used to compromise the sites. It uses an SQL injection attack to infect the server, but the interesting thing is that it uses Google to enumerate the vulnerable sites first, a technique called Google Hacking.

    I guess there are a few things to note here - despite the ubiquity of SQL, it can still be tricky to set up and is best left to people who know what they are doing. Keep your patches up-to-date, and consider carefully if you want Google (or any other search engine) to be able to index your WHOLE site, and adjust your robots.txt if necessary.

    The ISC article also links to some good resources if you want to properly secure your database.
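    If you run a site that may have been hit by this kind of mass injection, the quickest check is to scan the text columns of your database (or the rendered pages) for the injected tags. The script below is an added example, not part of the original post or the ISC analysis; it looks for iframe/script tags pointing at the domain named above and also flags any zero-sized iframe pointing elsewhere, the usual shape of these injections. The sample rows and the evil.invalid / example.com hosts are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Domain named in the post as the IFRAME-injection target.
KNOWN_BAD_DOMAINS = {"2117966.net"}

TAG_RE = re.compile(r"<(iframe|script)\b([^>]*)>", re.IGNORECASE)
SRC_RE = re.compile(r"\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE)
ZERO_SIZE_RE = re.compile(r"\b(width|height)\s*=\s*[\"']?0\b", re.IGNORECASE)

def host_of(src):
    """Lowercase hostname of a src value, tolerating a missing scheme."""
    if "://" not in src:
        src = "http://" + src
    return (urlparse(src).hostname or "").lower()

def find_injections(text, bad_domains=KNOWN_BAD_DOMAINS):
    """Return (reason, host) pairs for suspicious iframe/script tags in text.
    reason is 'known-bad' for a listed domain (or a subdomain of one), or
    'hidden-iframe' for a zero-sized iframe pointing anywhere else."""
    findings = []
    for tag, attrs in TAG_RE.findall(text):
        m = SRC_RE.search(attrs)
        if not m:
            continue
        host = host_of(m.group(1))
        if any(host == b or host.endswith("." + b) for b in bad_domains):
            findings.append(("known-bad", host))
        elif tag.lower() == "iframe" and ZERO_SIZE_RE.search(attrs):
            findings.append(("hidden-iframe", host))
    return findings

def scan_rows(rows, bad_domains=KNOWN_BAD_DOMAINS):
    """Scan (row_id, text) pairs, e.g. dumped from a CMS content table,
    and map each row id carrying a suspicious tag to its findings."""
    hits = {}
    for row_id, text in rows:
        findings = find_injections(text, bad_domains)
        if findings:
            hits[row_id] = findings
    return hits

# Constructed sample rows (not real site data): a hidden IFRAME appended
# to text columns, as happens when the injection reaches the database.
SAMPLE_ROWS = [
    (1, "<p>Welcome to our store</p>"),
    (2, "<p>Contact us</p><iframe src=http://2117966.net/page.htm width=0 height=0></iframe>"),
    (3, "<p>News</p><iframe src='http://evil.invalid/x' width=0 height=0></iframe>"),
    (4, "<p>About</p><iframe src='https://example.com/video' width=640 height=360></iframe>"),
]
```

Feed it the real rows from your content tables (or fetched pages) in place of SAMPLE_ROWS; any hit means the injection got through and the vulnerable query still needs fixing, not just the rows cleaning.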

    Thursday, 10 April 2008

    ezBay.me.uk - or how NOT to start an online business

    Sometimes, people make mistakes with their online marketing. Newbies can accidentally buy a "millions of email addresses CD" with a load of scraped email addresses and spam away. Sometimes they are not aware of trademark laws. But sometimes they are just plain stupid in so many ways that there is no excuse for not ripping into them.

    Mistake One - Trademark Violation
    In this case, the budding entrepreneur has gone for the name ezBay.me.uk - confusingly similar to a well-known auction company called eBay. Sure, there are other users of the "ezbay" name, but the closeness of the name and even the "camel case" capitalisation are asking for trouble, possibly some years down the line.. but trouble nonetheless.

    Mistake Two - Choose a stupid domain name.
    Not only does "ezbay.me.uk" possibly violate trademarks, but it uses the ".me.uk" namespace, which is designed for personal use only. That could well lead to the name being revoked by the registrar. Worse, the name doesn't make sense in British English - "Ee Zed Bay"? In American English it's "Easy Bay", which *does* make sense.. but not in conjunction with a .me.uk domain name.

    Mistake Three - Spam
    There's no excuse for sending out unsolicited bulk email to scraped email addresses, but ezBay.me.uk have done exactly that. That tends to lead to a very short life expectancy for the new auction site that you have just created.

    24/7 online Auction Site

    This is our new 24/7 on line auction please feel free to take a look if you like what you find please register and we will give you £20.00 sellers fee completely free there is no listing fee for items that you may want to sell so what are you waiting for sign up to day for your £20.00 and start selling at www.ezbay.me.uk feel free to take a look around at all the bargins
    we have many less than 50% cheaper than the high street price so come on see
    how easy it is with ezbay happy shopping


    Car DVD player starting bid 50p buy now price £139.00

    MP4 player with 1.3m pixels digital camera 2.5in TFT screen starting bid 50p buy now price £32.90

    12mp digital video camera with MP3/MP4 starting bid 50p buy now price £76.00

    1.1 inch screen clip MP3 player starting bid 50p buy now price £8.50

    12.1-inch with 4:3 display roof mount TFT-LCD monitor Starting bid 50p buy now price £62.50

    MP3 player sunglasses with FM super-plastic frame and build-in 1 GB flash
    memory starting bid 50p buy now price

    best regards

    mr a m dick
    ezbay world

    Mistake Four - Be offensive
    Signing off an email with a name of "Mr A M Dick" is always likely to annoy people (unless that is the person's name in which case.. oh dear).

    Mistake Five - Read Receipts
    Not only is this spam, but it was also sent out with a read receipt, a clumsy way to confirm the recipient's email address. Not only will the muppet sending out the spam be overwhelmed with receipts, but many people regard them as an invasion of privacy.

    The forensics..
    The headers indicate that the mail comes from which is also the IP address of www.ezbay.me.uk, so that's pretty much a smoking gun.

    The domain name is registered to:

         Domain name:


    Registrant type:
    UK Individual

    Registrant's address:
    8 Calle Las Encines
    Fuenta De Piedra
    295 30

    Last time I checked, Malaga wasn't in the UK. This address is connected with an Alibaba operation called Murrays Discount.

    There's no evidence that this is a scam, but it is almost a textbook example of how to kill a business before it starts. It is notable that despite the spam run, the only person actually selling is "Murray" himself.

    Tuesday, 8 April 2008

    419 Scams and Social Engineering

    One key element that scammers use when carrying out their business is social engineering. Usually, the approach is to make the victim believe that they are getting something for nothing.. it's even better when they can persuade the victim that the VICTIM is actually scamming someone else.

    Take this recent example:

    Subject: COMPENSATION,
    From: eze_john1@aol.in
    Date: Tue, April 8, 2008 9:15 am

    My Dear Friend,
    This is to thank you for your effort.I understood that your hands were tied.But Not
    to worry.

    I have succeeded,the money has been transfered into the account provided by a newly
    found friend of mine in Australia. To compensate for your past assistance and
    commitments,i have droped an International Certifie Bank Draft cheque worth of
    $1,200,000,00 for you.
    I am in London with my family presently.I do intend to establish some business
    concerns here,and possibly buy some properties.Contact my Secretary in
    benin-Republic? job_mike20@yahoo.fron his email below ( job_mike20@yahoo.fr) Forward
    my mail to him,then ask him to send the cheque to you.Take good care of your self.
    Best Regards,

    Even though the English is very poor, the concept here is a bit more sophisticated than your average 419 scam. The email has been designed to look as though it has been misdelivered in some way - so the victim thinks that this should have been sent to someone else. But there's a dangling carrot of $1.2m here, and some people will see an opportunity to try to bilk "Eze John" out of the money.

    Of course, there is no money.. but there will be a whole set of mysterious "fees" and expenses to try to get the money out; that at least is standard for a 419 scam. The twist here is that the VICTIM is also attempting to perpetrate a fraud, and this makes it very unlikely that the victim will ever go to the police to report it. It is also possible that the scammer might try to blackmail the victim to keep it quiet.

    This approach offers a great deal of protection for the fraudsters. The original email is rather vague and might not be obvious to law enforcement. And if anyone takes the hook, then the victim too appears guilty.

    This attempt is a bit of a lame one, but a truly successful con artist can use these techniques with a great deal more polish. So although you would never follow up on a misdirected email like this, it is easy to see how people can fall for it.

    Monday, 7 April 2008

    "uslegaljobs.net" Money Mule Scam

    Money mule scams are usually associated with Eastern European criminals, but this one is slightly different originating from an IP address of in Nigeria.

    Industrial & Personal Financier's
    Our Ref: FMF-117-212.
    MEMO: 2008-2nd Quarter-Online Search Recruitment Exercise.

    HILTON FINANCE HOME Inc in-support of Magnum Building Company Int (Interior
    Furniture Experts) will be opening this offer to Interested Individuals/Corporate
    bodies in the United States, Canada, Australia and the Entire Europe to enable them
    make an extra 10.05% commission based earning right from the convenience of their
    home or office apartment and without affecting their primary occupation.

    WHAT WE DO:-
    We issue and help to secure loans on behalf of customers who make purchases from our
    partner company Magnum Building Company Int which we also process and monitor to
    make sure that our loans are used for the sole reason of financing our customer
    purchases with our parent company.

    Since most of our customers make payments in large Instrumental fractions after
    securing a finance loan for them, our mother company became faced with the task of
    receiving loan payments from Magnum Building Company Int customers through our
    conventional method of payments remittance due to delays in processing time. Hence,
    we decided to advertise and search for Individuals of GOOD STANDING who will assist
    the company receive these finance payments directly from our finance houses/banks as
    on behalf of our customers and then forward on to the company on a weekly/monthly
    basis. Some little amounts however will come from our customers directly

    You will be accredited as our legal Payment representative in the United States,
    Canada, Australia and the Entire Europe and will be in charge of all payments from
    within your region, for this you will be paid a 10.05% of all payments you receive,
    and forward on a weekly/monthly basis.

    To get more Information about this Business arrangement, you should reply to our
    e-mail providing the Information listed below and we will either respond by regular
    mail or Fax providing you with our business prospectus.

    First Name:
    Last Name:
    Contact Address:
    Fax Numbers:
    Best Time to Call:

    Please send your correspondence and Information to.
    Recruit Department.
    David Benson.
    E-mail: register@uslegaljobs.net
    IMPORTANT NOTICE:- Please be advised that this is a 100% legal business endeavor and
    that it is only a contract based employment program and that it will not in any way
    affect your primary employment.

    Copyright 2008-2009 Hilton Finance Home Inc © All right reserved

    This is soliciting replies to a domain of uslegaljobs.net, registered in January 2008 - this appears to be registered to a real address and possibly with genuine contact details. Usually in these cases, the contact details are false, so I've attached this as an image rather than something indexable.

    The domain is hosted by Microsoft, and although there's no web site there is an MX record:
    uslegaljobs.net mail is handled by 25 pamx1.hotmail.com

    So, on a first inspection the domain looks legitimate.. it might even be that it is legitimately registered but has been hijacked. Nonetheless, this is a classic money mule scam where the victim thinks they are getting 10.05% commission for next to no work.. the Nigerian IP address is a clincher too. And you've got to love the phrase "please be advised that this is a 100% legal business endeavor", which is always another sure sign of a scam.