2117966.net -- mass ASP/SQL injection
Situation:
Over 10,000 legitimate websites have been compromised and now carry a javascript link that directs visitors to a malicious website hosted on 2117966.net. The malicious website attempts to exploit the vulnerabilities described in MS06-014, MS07-004, MS06-067, MS06-057 and a number of ActiveX vulnerabilities.
Successful exploitation results in the installation of a password-stealing malicious program that attempts to steal logon credentials for websites and online games.
Recommended immediate action:
Block 2117966.net at your web proxy.
Recommended follow-up action:
Inspect your web proxy logs for visitors to 2117966.net. This will indicate who is potentially exposed. Check these systems to verify that their patches are up-to-date. Systems that are successfully compromised will begin sending traffic to 61.188.39.175 (Source: http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080313). Search your proxy logs for systems generating those requests and reimage the infected machines.
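As an added example (not part of the original diary), here is the follow-up action above as a small log-inspection script in Python: it reads a Squid-style access.log (assumed layout), flags clients that requested 2117966.net as "exposed", and escalates clients that also talked to 61.188.39.175 to "reimage". The log lines are constructed sample data; only the two indicators come from the diary.

```python
import re
from collections import defaultdict

MALICIOUS_HOST = "2117966.net"   # host serving the exploit page (from the diary)
C2_IP = "61.188.39.175"          # post-infection traffic destination (from the diary)

# Constructed sample lines in a Squid-style access.log layout (assumed):
# timestamp elapsed client code/status bytes method url ...
SAMPLE_LOG = """\
1205400001.123 210 10.1.1.5 TCP_MISS/200 5120 GET http://www.example-shop.test/products.asp?id=12 - DIRECT/203.0.113.9 text/html
1205400002.456  80 10.1.1.5 TCP_MISS/200 1400 GET http://www.2117966.net/s.js - DIRECT/198.51.100.7 application/x-javascript
1205400090.001  30 10.1.1.5 TCP_MISS/200  600 GET http://61.188.39.175/p.asp - DIRECT/61.188.39.175 text/html
1205400120.777  75 10.1.1.9 TCP_MISS/200 1400 GET http://2117966.net/s.js - DIRECT/198.51.100.7 application/x-javascript
1205400130.000  40 10.1.1.20 TCP_HIT/200 2200 GET http://www.example-news.test/ - NONE/- text/html
1205400140.000  40 10.1.1.5 TCP_MISS/200    0 CONNECT 61.188.39.175:443 - DIRECT/61.188.39.175 -
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

def url_host(url):
    """Extract the host from 'http://host/path' or a CONNECT 'host:port' target."""
    m = re.match(r"^(?:[a-z]+://)?([^/:]+)", url, re.I)
    return m.group(1).lower() if m else ""

def classify(log_text):
    """Return (exposed, infected): client -> list of matching URLs."""
    exposed, infected = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected layout
        host = url_host(m.group("url"))
        if host == MALICIOUS_HOST or host.endswith("." + MALICIOUS_HOST):
            exposed[m.group("client")].append(m.group("url"))
        elif host == C2_IP:
            infected[m.group("client")].append(m.group("url"))
    return dict(exposed), dict(infected)

def triage(log_text):
    """Map each flagged client to the diary's recommended action."""
    exposed, infected = classify(log_text)
    return {c: ("reimage" if c in infected else "verify patches")
            for c in set(exposed) | set(infected)}

if __name__ == "__main__":
    for client, action in sorted(triage(SAMPLE_LOG).items()):
        print(f"{client}: {action}")
```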
Protecting Browsers:
A properly patched system should not be at risk from this attack. It is recommended to use a browser that does not support ActiveX. Use of a javascript control such as NoScript is also effective.
Protecting Webservers:
The CSS Security Team at Microsoft has released details on how the code was injected into the servers. It is an automated script that exploits poor input-checking code in the ASP pages.
http://blogs.technet.com/neilcar/archive/2008/03/14/anatomy-of-a-sql-injection-incident.aspx
A more rigorous description of the problem, and of how to protect your ASP application from SQL injection, is available here:
http://weblogs.asp.net/scottgu/archive/2006/09/30/Tip_2F00_Trick_3A00_-Guard-Against-SQL-Injection-Attacks.aspx
Update: Added additional exploit information
Update: Clarify that shadowserver is not the endpoint of the malicious traffic -- they provided that malware analysis (thanks guys)
Update: this was misidentified as an iframe injection when in fact it was a javascript link on the altered ASP pages.
Update: MS fills in the blanks on how the code was injected.
Temporal Search: Detecting Hidden Malware Timebombs with Virtual Machines
On today's NoAH Blog (http://blogs.fp6-noah.org/noah/temporal-search-detecting-hidden-malware-timebombs-with-virtual-machines/) there is an entry on a paper out of the Computer Science department of the University of New Mexico: Temporal Search: Detecting Hidden Malware Timebombs with Virtual Machines by Jedidiah R. Crandall, Gary Wassermann, Daniela A. S. de Oliveira, Zhendong Su, S. Felix Wu, and Frederic T. Chong.
Although the paper itself wasn't available, I was able to read it via Google cache. It certainly looks like an interesting technique. If they can marry it to some behavioral analysis to see how it responds when a user enters a password on a web form six hours later that would be quite helpful.
MS08-014 causes subtle Excel calculation error
Microsoft has released KB 950340 (http://support.microsoft.com/kb/950340) that identifies a potential calculation issue in Excel after the patch for MS08-014 has been applied. An updated patch is likely forthcoming.
Source: http://blogs.technet.com/msrc/archive/2008/03/13/update-march-2008-monthly-release.aspx