
Thursday, 20 March 2008

uc8010.com and 2117966.net Attacks Linked


We are posting this up a little late, but better late than never. In our last post we mentioned the several thousand websites that were SQL injected to reference malicious JavaScript code on 2117966.net. At the time we were actually just taking an educated guess that this was the result of SQL injection. However, it has since been confirmed on Neil Carpenter's blog at http://blogs.technet.com/neilcar/archive/2008/03/15/anatomy-of-a-sql-injection-incident-part-2-meat.aspx.

Now we can continue to compare these attacks with the uc8010.com attacks that occurred last January. At first comparison we note that Chinese servers were used in both instances, the exploits were similar, and the attack method was the same: both hit ".asp" files with SQL injection attempts. We can see further similarities in the attack method (SQL injection and the use of CAST statements, etc.) by comparing Neil's blog to this ISC posting on the uc8010.com incident at http://isc.sans.org/diary.html?storyid=3823.

One might still argue this is just a very similar or copycat attack. That possibility crossed our minds too, until Neil provided one last piece of information when asked about any source IP(s) he might have seen involved in this month's attacks. He came back with a single IP address: 202.101.162.73. It turns out this is the same IP address that carried out the SQL injection attacks in the uc8010.com incident. Not very subtle, are they? You might want to keep an eye out for the IP 202.101.162.73.

=>Posted March 20, 2008, at 10:45 AM by Steven Adair
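The two indicators the post relies on, CAST-based SQL injection against .asp pages and a source IP recurring across both incidents, can be checked mechanically in web-server logs. The following is an added example, not code from the original post: the log format, field layout and sample lines are constructed, and the recurring address is the one the post reports.

```python
"""Added example, not from the original post: flag CAST-based SQL injection
attempts against .asp pages in web-server logs and report which source IPs
recur across two incidents' logs. Log format and sample lines are constructed."""
import re
from urllib.parse import unquote

# Constructed W3C-style lines: date time client-ip method uri-stem uri-query status
JANUARY_LOG = """\
2008-01-04 03:12:07 202.101.162.73 GET /news/show.asp id=12;DECLARE%20@s%20VARCHAR(4000);SET%20@s=CAST(0x0BAD%20AS%20VARCHAR(4000));EXEC(@s);-- 200
2008-01-04 03:12:09 10.0.0.5 GET /news/show.asp id=12 200
"""
MARCH_LOG = """\
2008-03-12 22:41:50 202.101.162.73 GET /products/detail.asp pid=7;DECLARE%20@t%20VARCHAR(4000);SET%20@t=CAST(0x0BAD%20AS%20VARCHAR(4000));EXEC(@t);-- 500
2008-03-12 22:42:01 192.0.2.44 GET /products/detail.asp pid=7 200
2008-03-12 22:43:15 192.0.2.44 GET /index.asp - 200
"""

# Indicators of the injection style the post describes: a hex literal CAST to a
# string type, then EXEC of the result. Requiring both reduces false positives.
CAST_INJECTION = re.compile(r"CAST\s*\(\s*0x[0-9a-f]+\s+AS\s+N?VARCHAR", re.IGNORECASE)
EXEC_PATTERN = re.compile(r"\bEXEC\s*\(", re.IGNORECASE)

def parse_line(line):
    """Split one log line into the fields we need; None for malformed lines."""
    fields = line.split()
    if len(fields) != 7:
        return None
    _date, _time, ip, _method, stem, query, status = fields
    return {"ip": ip, "stem": stem, "query": unquote(query), "status": status}

def find_sqli_attempts(log_text):
    """Return (ip, uri-stem) for requests to .asp pages carrying a CAST/EXEC payload."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["stem"].lower().endswith(".asp"):
            continue
        if CAST_INJECTION.search(rec["query"]) and EXEC_PATTERN.search(rec["query"]):
            hits.append((rec["ip"], rec["stem"]))
    return hits

def shared_sources(*hit_lists):
    """Source IPs present in every incident's hit list: the link the post draws."""
    ip_sets = [{ip for ip, _ in hits} for hits in hit_lists]
    return set.intersection(*ip_sets) if ip_sets else set()

if __name__ == "__main__":
    jan, mar = find_sqli_attempts(JANUARY_LOG), find_sqli_attempts(MARCH_LOG)
    print("Common source IPs:", shared_sources(jan, mar))
```

On real IIS logs the field positions differ per site configuration, so adjust `parse_line` to the `#Fields:` header of the log being scanned.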

Packer Statistics

Yesterday Panda Security published an interesting blog post on packers, their relationship with malicious software, and how the current big-name packers are being avoided to help malware evade detection.

So, as an accompaniment to their article, we thought it would be interesting to show our own packer statistics for the malware we have managed to collect.

For the month of March:

+-----------------------------------------+------------+---------+
| packer                                  | md5count   | percent |
+-----------------------------------------+------------+---------+
| MEW v11SEv1.2                           |  2,750,638 | 74.9659 |
| UPX All_Versions                        |    873,744 | 23.8130 |
| Allaple_Polymorphic_Packer vna          |     23,647 |  0.6445 |
| ASPack v2.1                             |      5,248 |  0.1430 |
| ASPack v2.12                            |      2,263 |  0.0617 |
| PE_Compact v2.X                         |      1,554 |  0.0424 |
| NullSoft_NSIS Generic                   |      1,082 |  0.0295 |
| Armadillo v1.xx-v2.xx                   |      1,058 |  0.0288 |
| Themida vna                             |        969 |  0.0264 |
| FSG V1.3x                               |        883 |  0.0241 |
+-----------------------------------------+------------+---------+

For all of 2008:

+-----------------------------------------+------------+---------+
| packer                                  | md5count   | percent |
+-----------------------------------------+------------+---------+
| MEW v11SEv1.2                           |  6,359,439 | 67.6442 |
| UPX All_Versions                        |  2,439,689 | 25.9505 |
| Allaple_Polymorphic_Packer vna          |    245,800 |  2.6145 |
| ASPack v2.1                             |    239,579 |  2.5484 |
| ASPack v2.12                            |     71,491 |  0.7604 |
| FSG V1.3x                               |      5,806 |  0.0618 |
| PE_Compact v2.X                         |      4,351 |  0.0463 |
| Themida vna                             |      3,918 |  0.0417 |
| NullSoft_NSIS Generic                   |      2,397 |  0.0255 |
| Armadillo v1.xx-v2.xx                   |      2,005 |  0.0213 |
+-----------------------------------------+------------+---------+

And from all of our malware:

+-----------------------------------------+------------+---------+
| packer                                  | md5count   | percent |
+-----------------------------------------+------------+---------+
| MEW v11SEv1.2                           | 10,593,147 | 61.0993 |
| UPX All_Versions                        |  2,838,809 | 16.3737 |
| Allaple_Polymorphic_Packer vna          |  1,367,385 |  7.8868 |
| FSG V1.3x                               |  1,218,590 |  7.0286 |
| ASPack v2.1                             |    842,397 |  4.8588 |
| ASPack v2.12                            |    322,536 |  1.8603 |
| ASPack vna                              |     28,384 |  0.1637 |
| PE_Compact v2.X                         |     12,369 |  0.0713 |
| Themida vna                             |      8,623 |  0.0497 |
| NsPack All_Versions                     |      7,478 |  0.0431 |
+-----------------------------------------+------------+---------+

=>Posted March 20, 2008, at 08:33 PM by freed0