Tuesday, February 10, 2009

ASPROX Back with a vengeance

So the SQL injection attacks have slowed down a bit, but the botnet is still very much alive and is now back to running large-scale phishing and money-mule scams designed to prey on jobless Americans.

Please read or watch the amazing ASPROX report given by Dennis Brown of Verisign at Toorcon, covering the latest on ASPROX anatomy.

If your or your organization's website is a victim of ASPROX, please see our highly popular ASPROX Toolkit, which has recommendations on defense and post-compromise remediation.

Known currently active ASPROX domains:

Also being reported at:
http://www.matchent.com/wpress/?q=node/432
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20090122

Forum Compromise gives insight into password security

A large programming forum (phpBB) was recently hacked and 20,000 account passwords were posted online, in plain text, by the attacker. Like last year's MySpace account hack, this was an excellent mining tool for security researchers to analyze common passwords and average password strength.

Here are the most commonly used passwords; notice that #2 matched the forum name, phpBB. Other interesting weak passwords of note are the permutations of 123456 and the always popular "letmein" and "qwerty". This list is also probably a great source for a brute-force dictionary in pen-testing.

3.03% "123456"
2.13% "password"
1.45% "phpbb"
0.91% "qwerty"
0.82% "12345"
0.59% "12345678"
0.58% "letmein"
0.53% "1234"
0.50% "test"
0.43% "123"
0.36% "trustno1"
0.33% "dragon"
0.31% "abc123"
0.31% "123456789"
0.31% "111111"
0.30% "hello"
0.30% "monkey"
0.28% "master"
0.22% "killer"
0.22% "123123"
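As an added example (not code from the original post), here is the kind of analysis the post describes, in Python: ranking a plaintext dump by frequency in the same percentage format as the list above, then turning the result into a registration-time blocklist check that also catches the site-name and 123456-style patterns the post points out. The corpus is a small constructed stand-in, not the leaked phpBB data, and the check function and its thresholds are assumptions for illustration.

```python
from collections import Counter

# Constructed sample dump standing in for a leaked plaintext list
# (NOT the real phpBB records, just a small made-up corpus).
SAMPLE_DUMP = (
    ["123456"] * 6 + ["password"] * 4 + ["phpbb"] * 3 + ["qwerty"] * 2
    + ["12345"] * 2 + ["letmein"] + ["trustno1"] + ["Xk9$vL2!pq"]
)

def top_passwords(passwords, n=5):
    """Rank passwords by share of the dump, as percentages rounded to
    two decimals (the format used in the post's list)."""
    total = len(passwords)
    counts = Counter(passwords)
    return [(round(100.0 * c / total, 2), pw) for pw, c in counts.most_common(n)]

def is_digit_sequence(pw):
    """True for all-digit strings whose adjacent digits step by a
    constant 0, +1 or -1 (123456, 1234, 654321, 111111)."""
    if not pw.isdigit() or len(pw) < 3:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return len(steps) == 1 and steps.pop() in (-1, 0, 1)

def is_repeated_block(pw):
    """True when the string is one short block repeated (123123, abcabc)."""
    for size in range(1, len(pw) // 2 + 1):
        if len(pw) % size == 0 and pw[:size] * (len(pw) // size) == pw:
            return True
    return False

def weakness_reasons(pw, site_name, blocklist, min_len=8):
    """Hypothetical registration-time check: list every reason a
    candidate password should be rejected; an empty list means it passed."""
    reasons = []
    low = pw.lower()
    if low in blocklist:
        reasons.append("in leaked-common list")
    if site_name.lower() in low:
        reasons.append("contains site name")
    if is_digit_sequence(low):
        reasons.append("digit sequence")
    if is_repeated_block(low):
        reasons.append("repeated block")
    if len(pw) < min_len:
        reasons.append("shorter than %d" % min_len)
    return reasons

# Blocklist built from the dump's most common entries, lower-cased so the
# membership test is case-insensitive.
BLOCKLIST = {pw.lower() for _, pw in top_passwords(SAMPLE_DUMP, 10)}
```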