Thursday, 13 March 2008
Recently Hacked Websites Aiming to Steal Your Passwords
More Websites Injected with Malicious JavaScript in SQL Injection Attacks
In the last week there has been increasing coverage of another round of SQL injections targeting websites across the Internet to inject them with malicious JavaScript. According to US-CERT and McAfee Avert Labs a large number of websites, possibly over 10,000 pages, have been affected. It turns out the Internet Storm Center had actually blogged about the same thing last week as well, probably when it was first starting off.
A successful attack against a website will attempt to inject a JavaScript link into the pages of the site that points back to "www.2117966.net/fuckjp.js". Please do NOT visit this website; it should be considered dangerous. This JavaScript file will then attempt to take advantage of a vulnerable system with a variety of exploits. See one of the above links for more details on these vulnerabilities.
Behind the Malware - It Wants Your Passwords!
Shadowserver has learned that a successful attack against an end user from one of the websites will result in a password stealer being installed on their computer. We have analyzed the executable the exploit code attempts to place on victim systems and have determined it appears to be a variant of what TrendMicro calls TROJ_AGENT.KAQ. It matches the description in the report very well, with the exception that we have not observed it downloading updates.
The trojan does not appear to do anything at all and makes no outbound connections if your machine is idle. However, if Internet Explorer is launched and makes a POST request involving a password field, the trojan will spring into action, sending encrypted traffic to another server in China. The trojan appears to specifically look for password input tags (<input type="password">). It does not appear to send off POST data unless there is a password input tag. If it detects a qualifying POST request it will immediately begin sending encrypted traffic to a Chinese server at 61.188.39.175 on port 2034. It does not appear to be using DNS to find this IP address.
Malware Binary:
File MD5: dca9063dd1f1f5dfc4c313f0136114c2
File Size: 69632 bytes
Malware DLL:
File MD5: d24d9c46a79ba36d742a1f0b61ed9cc8
File Size: 45056 bytes
Sample output of all the traffic:

Sample output of the data being sent to the server:

Note: This behavior was only observed with Internet Explorer and did not occur in tests with Firefox.
It is recommended that you monitor your network for traffic to and from this IP address and also consider blocking traffic to it altogether. Also, as with all malware, this information is time sensitive and subject to change at any moment. Feel free to contact us with any questions you might have.
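The recommendation above (watch for traffic to the C2 address) plus the observation that the trojan reaches the server without a DNS lookup can be turned into a simple detector. The following is an added example, not code from Shadowserver or the original post; the log format and the sample lines are constructed (the non-C2 addresses are documentation ranges), and the only real indicator is the IP and port quoted in the post.

```python
import re
from collections import defaultdict

# Indicator quoted in the post: C2 server contacted by the password stealer.
C2_IP, C2_PORT = "61.188.39.175", 2034

# Constructed sample log (hypothetical format: one DNS answer or TCP connect per line).
SAMPLE_LOG = """\
2008-03-13T20:01:02 dns 10.0.0.5 query=www.example.com answer=93.184.216.34
2008-03-13T20:01:03 tcp 10.0.0.5 -> 93.184.216.34:80
2008-03-13T20:01:09 tcp 10.0.0.5 -> 61.188.39.175:2034
2008-03-13T20:02:11 dns 10.0.0.7 query=mail.example.net answer=198.51.100.20
2008-03-13T20:02:12 tcp 10.0.0.7 -> 198.51.100.20:443
2008-03-13T20:03:30 tcp 10.0.0.9 -> 203.0.113.77:8080
"""

DNS_RE = re.compile(r"^(\S+) dns (\S+) query=(\S+) answer=(\S+)$")
TCP_RE = re.compile(r"^(\S+) tcp (\S+) -> (\S+):(\d+)$")


def detect(log_text):
    """Return (reason, client, dst_ip, dst_port) alerts for:
       - any connection to the known C2 IP (highest priority), and
       - connections to an IP the client never received in a DNS answer,
         which matches the trojan's no-DNS behaviour described in the post."""
    resolved = defaultdict(set)  # client -> IPs it has resolved via DNS
    alerts = []
    for line in log_text.splitlines():
        m = DNS_RE.match(line)
        if m:
            _, client, _, answer = m.groups()
            resolved[client].add(answer)
            continue
        m = TCP_RE.match(line)
        if not m:
            continue  # ignore lines in any other format
        _, client, dst, port = m.groups()
        port = int(port)
        if dst == C2_IP:
            alerts.append(("known_c2", client, dst, port))
        elif dst not in resolved[client]:
            alerts.append(("no_prior_dns", client, dst, port))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The "no prior DNS" heuristic will also fire on legitimate hard-coded or cached addresses, so in practice it needs an allow-list and a longer DNS history window than a single log excerpt.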
Posted March 13, 2008, at 09:21 PM by Steven Adair