
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2008-06-02



New sql injection site with fastflux hosting

Published: 2008-06-02
Last Updated: 2008-06-02 22:13:22 UTC
by donald smith (Version: 1)
0 comment(s)

One of our frequent contributors notified us of a new SQL injection site.
hxxp://en-us18.com/b.js is being injected into web pages via SQL injection.

When I googled for it I saw 560 injected webpages.
“b.js injects an iFrame which points to
hxxp://en-us18.com/cgi-bin/index.cgi?ad
which in turn embeds two Flash files:

advert.swf:
http://www.virustotal.com/analisis/d6ffe290e9938d3e646f82c536abd0c7
banner.swf:
http://www.virustotal.com/analisis/83be3d4d30eb60d92272625634a3babc” 

This appears to be fast-fluxed, or at least set up to change rapidly, based on this dig output.

dig www.en-us18.com
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr rd ra; QUERY: 1, ANSWER: 14, AUTHORITY: 4, ADDITIONAL: 1
;; QUERY SECTION:
;;      www.en-us18.com, type = A, class = IN
;; ANSWER SECTION:
www.en-us18.com.        10M IN A        156.17.227.218
www.en-us18.com.        10M IN A        84.121.210.189
www.en-us18.com.        10M IN A        99.194.80.27
www.en-us18.com.        10M IN A        69.65.91.5
www.en-us18.com.        10M IN A        83.27.126.102
www.en-us18.com.        10M IN A        99.225.66.211
www.en-us18.com.        10M IN A        82.159.61.76
www.en-us18.com.        10M IN A        85.53.64.13
www.en-us18.com.        10M IN A        148.81.132.211
www.en-us18.com.        10M IN A        83.23.188.93
www.en-us18.com.        10M IN A        216.170.109.251
www.en-us18.com.        10M IN A        62.21.81.188
www.en-us18.com.        10M IN A        83.242.74.153
www.en-us18.com.        10M IN A        87.205.33.92
;; AUTHORITY SECTION:
en-us18.com.            1d18h57m52s IN NS  ns3.en-us18.com.
en-us18.com.            1d18h57m52s IN NS  ns2.en-us18.com.
en-us18.com.            1d18h57m52s IN NS  ns4.en-us18.com.
en-us18.com.            1d18h57m52s IN NS  ns1.en-us18.com.
;; ADDITIONAL SECTION:
ns1.en-us18.com.        1d21h10m38s IN A  75.110.190.181

A second dig a few minutes later produced similar but slightly different results.
So this domain's addresses are changing; I guess they got tired of people blackholing their IP addresses.
In that case I would recommend you DNS-blackhole the domain instead.
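As an added illustration (not part of the diary), here is a small Python check that parses two dig snapshots in the layout shown above and scores the fast-flux traits this entry points to: many A records, a short TTL, addresses spread across unrelated networks, and churn between queries. The snapshots are constructed with TEST-NET addresses and example.com, and the thresholds are assumptions.

```python
import re

# Constructed sample laid out like the dig output quoted in the diary
# (TEST-NET addresses and example.com, not the real en-us18.com data).
SNAPSHOT_1 = """;; ANSWER SECTION:
www.example.com.        10M IN A        192.0.2.10
www.example.com.        10M IN A        192.0.2.77
www.example.com.        10M IN A        198.51.100.5
www.example.com.        10M IN A        198.51.100.42
www.example.com.        10M IN A        203.0.113.9
;; ADDITIONAL SECTION:
ns1.example.com.        1d21h10m38s IN A  192.0.2.1
"""
# The same name queried "a few minutes later": two addresses have rotated out.
SNAPSHOT_2 = SNAPSHOT_1.replace("192.0.2.77", "192.0.2.250").replace("198.51.100.42", "203.0.113.33")
# A stable host for comparison: one address with a one-day TTL.
STABLE = ";; ANSWER SECTION:\nwww.example.com.        1D IN A        192.0.2.10\n"

TTL_UNITS = {"S": 1, "M": 60, "H": 3600, "D": 86400, "W": 604800}
A_RE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\S+)\s+IN\s+A\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s*$")

def parse_ttl(ttl):
    """Convert a dig TTL ("600", "10M", "1d18h57m52s") to seconds."""
    if ttl.isdigit():
        return int(ttl)
    return sum(int(n) * TTL_UNITS[u.upper()] for n, u in re.findall(r"(\d+)([smhdwSMHDW])", ttl))

def parse_answer_a_records(text):
    """{ip: ttl_seconds} for A records in the ANSWER SECTION only; glue in ADDITIONAL is not counted."""
    recs, in_answer = {}, False
    for line in text.splitlines():
        if line.startswith(";;"):
            in_answer = "ANSWER SECTION" in line
            continue
        m = A_RE.match(line)
        if in_answer and m:
            recs[m.group("ip")] = parse_ttl(m.group("ttl"))
    return recs

def flux_indicators(first, second, min_records=5, max_ttl=900):
    """Fast-flux traits: many A records, short TTL, spread over many /16s, churn between queries."""
    a1, a2 = parse_answer_a_records(first), parse_answer_a_records(second)
    r = {"a_records": len(a1),
         "min_ttl": min(a1.values()) if a1 else None,
         "distinct_16s": len({ip.rsplit(".", 2)[0] for ip in a1}),
         "churn": len(set(a1) ^ set(a2))}  # addresses seen in only one of the two answers
    r["suspicious"] = (r["a_records"] >= min_records and r["min_ttl"] is not None
                       and r["min_ttl"] <= max_ttl and (r["distinct_16s"] >= 3 or r["churn"] > 0))
    return r
```

The /16 split is a crude stand-in for an ASN lookup; with real data, resolving each address to its origin AS gives a much stronger spread signal.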


New Stormworm download site

Published: 2008-06-02
Last Updated: 2008-06-02 21:11:49 UTC
by donald smith (Version: 1)
0 comment(s)

DavidF brought a new stormworm download site to our attention.
122.118.131.58 is being spammed out in a message that states:

“Crazy in love with you” hxxp://122.118.131.58

I checked that site and could only find an index.html, lr.gif and loveyou.exe. lr.gif is a GIF file that says “love riddles”.
Index.html encourages visitors to run loveyou.exe by asking ‘Who is loving you? Do you want to know? Just click here and choose either “Open” or “Run”’. loveyou.exe is a version of Trojan.Peacom.D, aka Stormworm.

I recommend you block this IP address until it gets cleaned up.

Keywords: stormworm

SMS vishing for your bank info

Published: 2008-06-02
Last Updated: 2008-06-02 19:41:35 UTC
by donald smith (Version: 3)
0 comment(s)
I have recently become aware of, and involved in researching, SMS vishing attacks. As part of that research I came across an automated toolkit that appears to have been cobbled together for SMS spamming and vishing (phishing using voice networks instead of data networks). The name of the main tool was SmssmtpSender.

SmssmtpSender consisted of several individual tools cobbled together into a single toolkit to compromise, manage and control a set of systems for sending SMS spam via compromised POP accounts that had weak passwords. Here is a "short" analysis of the elements of that toolkit.

Name (file type): description

Top_level_dir (directory): Top level directory.

/greetingisland.gsm (data): Greeting message used to vish customers; this version was for North Island Credit Union. Contents of the welcome message: “Welcome to North Island Credit Union Financial department. Please follow the next steps to renew your payments and transfer services”

/hello.wav (RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, mono 16000 Hz): Greeting message used to vish customers for North Island Credit Union. Contents of the welcome message: “Welcome to North Island Credit Union Financial department. Please follow the next steps to renew your payments and transfer services”

/horde (directory): Top level directory for the horde remote compromise tool.

/horde/.dc (perl script text): “Data Cha0s Connect Back Backdoor”. This could be used as a backdoor control channel; however, on the systems analyzed, ssh on a high-numbered port was used for management instead.

/horde/gwee (ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.2.5, dynamically linked (uses shared libs), for GNU/Linux 2.2.5, stripped): From the man page: "gwee (generic web exploitation engine) is a small program written in C designed to exploit arbitrary command execution vulnerabilities in web scripts, such as Perl, CGIs, PHP, etc. gwee is much like an exploit, except more general purpose." This appears to have been tested for remote web based shell access using .dc above. The systems that I am aware of were compromised via the horde.pl script, not gwee with .dc.

/horde/gwee-1.36 (directory): Top level directory for gwee.

/horde/gwee-1.36/binaries (directory): Directory for binaries created in the compile of gwee.

/horde/gwee-1.36/binaries/gwee.exe (PE executable for MS Windows (console) Intel 80386 32-bit): gwee executable for Windows.

/horde/gwee-1.36/gwee (ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.2.5, dynamically linked (uses shared libs), for GNU/Linux 2.2.5, stripped): gwee executable for Linux on Intel, kernel >= 2.2.5.

/horde/gwee-1.36/gwee.1 (troff or preprocessor input text): man page for gwee.

/horde/gwee-1.36/gwee.c (ASCII C program text, with very long lines): gwee source code.

/horde/gwee-1.36/Makefile (ASCII text): gwee makefile.

/horde/gwee-1.36/mktarball.sh (Bourne shell script text executable): Script to create a tarball for gwee.

/horde/gwee-1.36/README (ASCII English text): Installation notes for gwee.

/horde/gwee-1.36.tar.gz (gzip compressed data, from Unix): Gzipped tarball of gwee.

/horde/horddy.pl (perl script text executable): Horde help module remote execution perl exploit. This was used to compromise horde hosts to use as the smtp -> sms senders.

/horde/root.txt (Bourne shell script text executable): “PRCTL local root exp By Sunix effected systems 2.6.13<= x <=2.6.17.4 + 2.6.9-22.Elsmp”. A local privilege escalation root exploit for Linux kernels 2.6.13-2.6.17. The horde.pl exploit often would not provide direct root access, so a privilege escalation tool was included in this toolkit.

/horde/try (Bourne shell script text executable): Script with gwee parameters used to exploit remote systems. It appears to use .dc for a remote shell.

/horde/try.bak (Bourne shell script text executable): Script with gwee parameters used to exploit remote systems. It appears to use .dc for a remote shell, and appears to be run after horddy.pl to check whether the remote exploit succeeded, i.e. whether the backdoor port was opened.

/hordetry.tgz (gzip compressed data, from Unix): Gzipped tarball of the horde tool.

/netstatx.c (ASCII C program text, with escape sequences): “ps.c,v 1.11 2001/09/03”, a trojaned ps replacement style rootkit. It wraps ps, filtering the output via egrep -v for the set of hidden words; any ps output line matching a word in the hidden word set is removed, effectively hiding any process matching the “hidden word” set on a compromised system. The hidden words are stored in /usr/lib/.lib/libps or libph.

/popprober (directory): Top level directory for the popprober tool.

/popprober/checked.txt (ASCII text): File with accounts that have been tested.

/popprober/copy.txt (ASCII text): List of accounts with status such as “Unread”. Appears to be a list of active but unused accounts. These are post-processed via probe.pl.

/popprober/message.txt (ASCII text): probe.pl looks for this message to validate that the account is still unused.

/popprober/popvuln.txt (ASCII text): List of vulnerable pop accounts with account, password, IP address of the pop/smtp server and type of login {LOGIN|CRAM-MD5}.

/popprober/probe.pl (perl script text executable): Tool used to post-process copy.txt for unread/unmonitored accounts.

/popprober/smtp-client.pl (perl script text executable): Simple SMTP client with STARTTLS and AUTH support. Tool used to send the smtp commands.

/popprober/Test.pl (perl script text executable): “Meca smtp Test v1.0”. Wrapper for smtp-client.pl to send to accounts listed in popvuln.txt.

/smssmtpsender (directory): The sms smtp sending tool's main directory.

/smssmtpsender/message.txt (ASCII text): Spam text to be sent via smtp to an smtp->sms gateway. This is the actual message being sent to sms enabled devices.

/smssmtpsender/poplist.txt (ASCII text): List of accounts to use when sending smtp messages. Same format as popvuln.txt.

/smssmtpsender/send.pl (perl script text executable): “Meca smtp sender v1.0”. Used to send smtp SPAM messages.

/smssmtpsender/smtp-engine.pl (perl script text executable): Another perl script that can be used to send the smtp commands plus spam messages. This one spoofs Outlook by using an X-Mailer value of Microsoft Outlook Express 6.00.2600.0000.

/smssmtpsender.tgz (gzip compressed data, from Unix): Gzipped tarball of the smssmtpsender toolkit.
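As an added example (not part of the diary or of the toolkit), here is a Python audit for the ps wrapper described under /netstatx.c: it cross-checks /proc against ps output (a wrapper that drops lines with egrep -v cannot hide the /proc/<pid> directories), checks whether ps has been replaced by a script, and looks for the hidden-word files named above. The /bin/ps and /usr/bin/ps locations are assumptions.

```python
import os
import subprocess

# Locations the diary says the trojaned ps keeps its list of words to hide.
HIDDEN_WORD_FILES = ("/usr/lib/.lib/libps", "/usr/lib/.lib/libph")
# Assumed locations of the ps binary on a typical Linux host.
PS_BINARIES = ("/bin/ps", "/usr/bin/ps")

def hidden_pids(proc_pids, ps_pids):
    """PIDs present in /proc but missing from ps output. Filtering ps output with
    egrep -v removes whole lines; it cannot remove /proc/<pid>, so the two must agree."""
    return sorted(set(proc_pids) - set(ps_pids))

def is_script(header):
    """True if a file starts with a #! line; a genuine ps starts with the ELF magic."""
    return header.startswith(b"#!")

def live_proc_pids():
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}

def live_ps_pids():
    out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}

def audit():
    """Run the three checks on the local host and return the findings."""
    findings = {"hidden_word_files": [p for p in HIDDEN_WORD_FILES if os.path.exists(p)],
                "script_ps": []}
    for path in PS_BINARIES:
        if os.path.exists(path):
            with open(path, "rb") as f:
                if is_script(f.read(2)):
                    findings["script_ps"].append(path)
    # ps is read first, then /proc: a process that starts in between appears in /proc
    # only and is a false positive, so confirm any reported PID with a second run.
    ps_now = live_ps_pids()
    findings["hidden_pids"] = hidden_pids(live_proc_pids(), ps_now)
    return findings

if __name__ == "__main__":
    print(audit())
```

A PID that stays in the hidden list across repeated runs, or a ps that is a shell script, warrants pulling the host for forensic review rather than trusting anything it reports.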

A little vulnerable 'flash from the past' a la MS XP SP3

Published: 2008-06-02
Last Updated: 2008-06-02 19:18:05 UTC
by donald smith (Version: 1)
0 comment(s)

It appears that XP Service Pack 3 installs an older, vulnerable version of the Flash Player,
leaving those systems exposed to the vulnerabilities described in:
http://www.adobe.com/support/security/bulletins/apsb06-11.html

Microsoft has documented it here:
http://www.microsoft.com/technet/security/Bulletin/MS06-069.mspx

"Why was this Bulletin revised on May 13, 2008?
This bulletin was revised to add Windows XP Service Pack 3 as affected software.
This is a detection update only. There were no changes to the binaries, since
the same update for Windows XP Service Pack 2 and Windows XP Professional x64
Edition applies to Windows XP Service Pack 3. Customers with Windows XP Service
Pack 2 and Windows XP Professional x64 Edition who have already installed the security
update will not need to reinstall the update. Customers with Windows XP Service Pack 3
should apply the update immediately."



Emergingthreats.net and ThePlanet

Published: 2008-06-02
Last Updated: 2008-06-02 18:03:53 UTC
by Jim Clausing (Version: 1)
0 comment(s)

You know what they say about the best laid plans... Several of our readers have written in today saying they couldn't reach emergingthreats.net. I just talked to Matt Jonkman and he tells me that they expect to be live again shortly (maybe even by the time you read this). It turns out they have two servers that used to be in two different datacenters, until ThePlanet bought EV1 and moved their other server into the same datacenter in Houston where their first server was located. You know, the one that had the big fire (see http://isc.sans.org/diary.html?storyid=4504).

Keywords: emergingthreats