Thanks to ISC readers Yin, Doug, Lorenzo, Ron, Jan and Placebo for contributing their data to the ongoing analysis of "Run, Forest!" (JS.Runfore) after our earlier SANS ISC diary last week. Here's what we have so far:
How do web servers get infected with Run Forest's initial attack vector? Good question. All we have so far is that existing JavaScript (.js) files apparently were amended with the obfuscated Blackhole redirect code. Symantec's early analysis suggests that Run Forest comes with a file infector that looks for and changes .JS files. The sites from which we received infected files didn't have much in common, and also didn't have (sigh!) any useful logs that would have allowed tracking back to the source of infection. If you have additional details, please share!
Don't count on anti-virus. While Symantec was quick to detect and name JS.Runfore one week ago, they are now missing the latest versions, pretty much like every other AV vendor out there. Here's the AV detection for the Blackhole redirect script on VirusTotal: 4/41. Your best defense, as usual, is to keep all your software fully up to date, and to make sure all your computer users are educated not to click on scams ... especially not on scams that pop up unexpectedly after visiting a completely unrelated web page. Let me rephrase that: your best defense is to go off grid completely, and start growing your own potatoes and cabbage in some remote rural corner of Wisconsin or Idaho. But things are not quite that dire yet :).
Daniel, 385 Posts, ISC Handler, Jun 26th 2012
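Since the diary's only hard lead is that the infector amends existing .js files on the web server, and the affected sites had no logs, the check a defender can actually run is a file-integrity baseline over the web root. The following is an added example, not code from the diary or its readers: it hashes every .js file, reports which ones changed between two scans, and applies a heuristic (an assumption, not the real Runfore stub) that flags a long obfuscated line appended at the end of a changed file. The web root, file names and the appended stub are constructed inline for the demo.

```python
import hashlib
import os
import re
import tempfile

# Heuristic (assumption, not taken from the diary): an appended redirect stub is
# a long single line that leans on eval/unescape/fromCharCode/document.write.
OBFUSCATION = re.compile(r"eval\(|unescape\(|fromCharCode|document\.write\(", re.I)

def js_baseline(webroot):
    """Return {relative path: sha256} for every .js file under webroot."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if name.lower().endswith(".js"):
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    baseline[os.path.relpath(full, webroot)] = hashlib.sha256(fh.read()).hexdigest()
    return baseline

def diff_baseline(old, new):
    """Compare two baselines; return sorted lists of changed and newly added .js files."""
    changed = sorted(p for p in old if p in new and old[p] != new[p])
    added = sorted(p for p in new if p not in old)
    return changed, added

def suspicious_tail(content, min_len=200):
    """True if the last non-empty line is long and uses the obfuscation primitives above."""
    lines = [ln for ln in content.splitlines() if ln.strip()]
    return bool(lines) and len(lines[-1]) >= min_len and bool(OBFUSCATION.search(lines[-1]))

def demo():
    """Constructed web root: take a baseline, append a stub to one file, re-scan and report."""
    root = tempfile.mkdtemp()
    for rel, body in (("app.js", "function f(){return 1;}\n"), ("lib/x.js", "var y=2;\n")):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    before = js_baseline(root)
    # Simulate the infector amending an existing file (constructed stub, not a real redirect).
    with open(os.path.join(root, "app.js"), "a") as fh:
        fh.write("eval(unescape('" + "%41" * 80 + "'));\n")
    changed, added = diff_baseline(before, js_baseline(root))
    flagged = []
    for rel in changed:
        with open(os.path.join(root, rel)) as fh:
            if suspicious_tail(fh.read()):
                flagged.append(rel)
    return changed, added, flagged
```

In practice the baseline is stored off-host after a known-good deployment and re-checked on a schedule; any changed or added .js file is worth a look even when the tail heuristic stays quiet.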
Sigh... PLESK...
Yinette, 12 Posts, Jun 26th 2012
Looks like Forest relocated. The 16-char URLs now resolve to 141.136.17.97
Daniel, 385 Posts, ISC Handler, Jun 27th 2012
Yep, new IP is 141.136.17.97. (btw the amount of (distinct) compromised websites is scary)
Daniel, 3 Posts, Jul 2nd 2012
Resolving to new IP: 188.211.239.249.
Daniel, 3 Posts, Jul 3rd 2012