Thursday, June 4, 2009

Unfortunate brand squatting

Hi folks,

A common practice among enterprising webmeisters is what's known as brand-squatting. That's where you find a domain whose owner has neglected, or not bothered, to renew it, and it's up for grabs. If you get something modestly popular, then you get the benefit of whatever residual traffic they've generated as a starting point. Makes sense for most domains.

This time, however, someone re-registered and re-vitalized one of the most notorious brands in malcode history .... coolwebsearch ! :-) :-) :-)

Not only that, but while it was a search-enginey kind of page, it was also hosting an exploit!!! Whether that was deliberate or accidental is not clear, but it doesn't matter much as it's down now.

coolwebsearch.us was registered on about the 18th of April 2009, and our first detection was 24th April. Our last was yesterday, but as this graph shows, activity has been tapering off anyway.

Here's a graph of the detection events our users told us about.

[graph: detection events per day, image not reproduced]
As you can see, we had about 11,000 hits spread over 40 days, across 106 countries.

It's a dangerous internet folks, but at least it's sometimes funny.

Keep safe,

Roger

Please follow me on Twitter

Monday, May 11, 2009

Here's a whoopsie to start the week.

*** don't go to any of these websites... they seem safe today, but you can't be certain, and it's better to avoid them ***

It's just a simple (and common) script injection, but the victim is kind of interesting. Seems like none other than the City of London website has poor security. :-)


As usual, the page itself renders just fine, and looks like this ...

[screenshot of the rendered page, image not reproduced]

but if you have a look at the source, you see something like this ...

[screenshot of the page source showing the injected script references, image not reproduced]
If you look closely, you see references to URLs like 4log-in.ru, and in fact there are eight different ones...

www.ojns.ru/js.js
www.ujnc.ru/js.js
www.64do.com/script.js
www.mnicbre.ru/script.js
www.4log-in.ru/script.js
www.berjke.ru/script.js
www.wmpd.ru/style.js
www.lijg.ru/script.js

(again, don't go to these places unless you know what you're doing, because you might get nailed)

What this means is that the City of London website has been nailed, not once, but _eight_ times.

Fortunately, the site is seemingly not infective, so the injections have only partly worked. Then again, it might depend on what you click on the page, and there might well be other hacked pages that we've not discovered yet.

What needs to happen is that the injections need to be removed, and the City of London webmeisters need to find the form that is allowing the injections, and fix it.

It's a dangerous Internet, folks. Keep safe.

Cheers

Roger

Saturday, April 4, 2009

The gift that keeps on giving

So... years ago, I wrote a program called WormRadar. It was designed to detect and measure the malware of the day, worms. More recently, the web became the main attack vector, and we started building programs to detect and measure that activity (which is where LinkScanner came from), and WormRadar gradually fell into disuse. Really recently (as opposed to more recently, and yes, my old English teacher wants to rap my knuckles for that), we cranked up a WormRadar node again, just to see what new things were circulating, and the number one thing we're detecting is .... Slammer!!!!!!

Now, many readers will already see the funny side of that, but many will also not, so for the "nots" ... SqlSlammer was a worm that appeared in January 2003, and really hit the Internet hard. That was pretty amazing at the time, because it exploited a vulnerability that had been patched as MS02-039... _six_ months earlier. In other words, although a patch had been available for six months, so many people had not applied it that the worm was still able to spread massively six months later.

Then, in 2004, Microsoft released XP Service Pack 2, in which the firewall was on by default for the first time, and this was really an Extinction Level Event for most worms, because even little old Windows Firewall is enough to stop all worms. There have not been any worms since then that can force their way through the firewall from outside. Conficker, for example, relies on getting inside the firewall by some other method... USB drive... social engineering ... whatever... and then runs rampant inside a network, but it can't _force_ its way in.

This then, is the amusing and amazing thing about Slammer... it's still alive and well six _years_ after its first appearance, which is six _years and six months_ after the patch was released!

In other words, there are computers which are just never patched!!!!

There is a name for this type of user .... Victims!

Keep safe folks! (Oh, and keep patched! ;-))

Roger

Tuesday, March 31, 2009

The imminent demise of the Internet ...

is being greatly exaggerated, in case you haven't figured it out by yourself.

What's happening is that people are worried because the Conficker worm is due to do "something" on Apr 1st, and no one knows exactly what. Human nature being what it is, some folks are fixating on the worst possible outcome. It'd be pretty bad if you got hit by a meteor too, but no one is building meteor shelters.

There are two main issues to consider here. The first is that Conficker is a pretty well-thought-out attack, and it's pretty unlikely that they want to do anything but make money for their efforts. It's not in their, or anyone's, interests to try to kill the Internet. They can't make money if they do that. They don't want to chop down the apple tree... they just want to shake it and pick up the apples that fall off.

The second is that this is a government/ corporate/ education problem... not a consumer one. The two main vectors for spreading are a vulnerability in a service called RPC, which was patched in October 2008, and poorly protected network shares. The only people who have networks and who also don't patch are government, corporate and education users. Fortunately, they're also the folk who have staff with expertise that they can call on to fight back. The worm probably grabbed millions of users right out of the box in December 2008, but any gov/ corp/ edu user who is still infected after five months deserves it. On the other hand, Joe the Plumber almost certainly allows automatic patching each month, probably doesn't have much of a network, and presents a much smaller target.

Yes, some of Joe's friends will have been nailed by now, by infected USB keys or something, but it's not going to be a massive number of users. The conficker botherders will simply have achieved their goal of building a fairly bullet-proof botherd, and will now "farm" that botnet, while they prepare their next attack. (We will see things like this again, so now would be a good time to upgrade to AVG identity protection ... it'll provide a good safety net for the next attack)

By the way, I think this is a fairly predictable consequence of playing whack-a-mole with botherds. All you do is cull the weak ones from the herd, and encourage the smarter ones to build a stronger botnet.

All in all, I think the date of April 1st is entirely (if accidentally) appropriate.

Keep safe, folks.

Roger

Saturday, March 28, 2009

KoobFace, Facebook and Classmates... oh my.

Hi folks,


So, the March pitch from KoobFace seems to be bigger in scope...well, that's if you can derive stats from a sample-base of one, because I've personally received three pitches this time... One for FaceBook, and two for Classmates.com... but the basic pitch is the same.

It comes as an email along these lines ... : "Girls in beautiful black underwear dancing in the pub, showing off perfect bodies. Unbelievable Final!".

If you go to the webpage in the email, it looks pretty much like the site is Facebook or Classmates, because the fake site draws a bunch of content directly from the real site, like this ...

[screenshots of the fake Facebook and Classmates pages, images not reproduced]
and, of course, the aim is to get you to download a fake Adobe update, which is really the worm.

Of course, if you look at the url in the browser bar, it is obviously not really FaceBook, but that's not the point. They don't expect to fool everybody .... they just want to fool enough bodies.

And, of course, it goes without saying that LinkScanner detects and blocks the fakes just fine.
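The trick described above (a page hosted somewhere else that borrows its look by loading content straight from the real brand site) can be scored mechanically. The following is an added example, not code from this blog or from LinkScanner: it compares the host shown in the address bar with where the page's resources come from. All URLs in it are constructed; lure.example stands in for the fake site, and the facebook.com and classmates.com paths are invented for the sample rather than real resources.

```python
"""Heuristic for a brand-impersonation page of the KoobFace kind: the host in
the address bar is not the brand's own site, yet most of what the page loads
is pulled straight from the brand's real site.

Added example, not code from the blog or from LinkScanner. The page and
resource URLs below are constructed; lure.example stands in for the fake
site, and the facebook.com / classmates.com paths are invented for the
sample and are not real resources.
"""
from urllib.parse import urlparse

# Brands the lure might copy content from (the two named in the post).
BRAND_DOMAINS = {"facebook.com", "classmates.com"}


def registrable_domain(host):
    """Crude 'site' for a hostname: its last two labels. Fine for .com hosts;
    real code would consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def brand_content_share(page_url, resource_urls):
    """Return (brand, share) for the brand whose site supplies the largest
    share of the page's resources, or None when the page is hosted by a
    brand itself or loads nothing from any brand. Relative resource URLs
    count as served by the page's own host."""
    own = registrable_domain(urlparse(page_url).hostname or "")
    if own in BRAND_DOMAINS:
        return None  # genuinely hosted by the brand: nothing to flag
    per_brand = {}
    total = 0
    for url in resource_urls:
        total += 1
        host = urlparse(url).hostname
        if host is None:
            continue  # relative URL: served by the lure itself
        site = registrable_domain(host)
        if site in BRAND_DOMAINS:
            per_brand[site] = per_brand.get(site, 0) + 1
    if total == 0 or not per_brand:
        return None
    brand, hits = max(per_brand.items(), key=lambda kv: kv[1])
    return brand, hits / total


def looks_like_impersonation(page_url, resource_urls, threshold=0.5):
    """True when more than `threshold` of the content comes from a brand site
    that is not the host shown in the address bar."""
    result = brand_content_share(page_url, resource_urls)
    return result is not None and result[1] > threshold


# Constructed lure: a page on lure.example that copies Facebook's look by
# loading its stylesheet, logo and header from facebook.com, and serves the
# "Adobe update" executable (the worm, per the post) from its own host.
LURE_URL = "http://lure.example/video/watch.php"
LURE_RESOURCES = [
    "http://www.facebook.com/css/constructed-style.css",
    "http://www.facebook.com/img/constructed-logo.png",
    "http://www.facebook.com/img/constructed-header.png",
    "/download/AdobeUpdate.exe",  # constructed payload name, served by the lure
]

# Constructed genuine page for contrast.
REAL_URL = "http://www.facebook.com/home.php"
REAL_RESOURCES = ["http://www.facebook.com/css/constructed-style.css"]

if __name__ == "__main__":
    print(brand_content_share(LURE_URL, LURE_RESOURCES))  # ('facebook.com', 0.75)
    print(looks_like_impersonation(LURE_URL, LURE_RESOURCES))  # True
    print(looks_like_impersonation(REAL_URL, REAL_RESOURCES))  # False
```

The threshold is deliberately coarse: legitimate embeds (a share button, a single logo) pull one or two resources from a brand, whereas a clone pulls nearly all of them, so the share separates the two cases well in practice. The host comparison is the same thing the post tells readers to do by eye, which is why the check looks at the address-bar host and not at the page's appearance.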

Oh, and I am kidding about deriving stats from a sample-size of one. :-)

Keep safe folks,

Roger

Monday, March 16, 2009

One website cleaned ... many more to go

Hi folks,

Just a quick note to share that the hacked page at phoenix.spelthorne.gov.uk has been cleaned, and no longer displays "Fatal Error ownz you" and is no longer redirecting to sites in Turkey.

We have, however, found lots of other .gov.uk websites with hacked and (sometimes) infective pages, which we'll blog about shortly.

Cheers

Roger

To be notified of updates to this blog, please follow me on Twitter

Thursday, March 12, 2009

Oh goody! City of Streator has a Yahoo counter!

The page looks quite normal, except that LinkScanner knows better and has told us that it contains a fake Yahoo! counter, and if you look at the source, sure enough you see this block of code ...

[screenshot of the injected counter code, image not reproduced]
As readers of this blog will know, one of the more commonly-encountered web tricks is a Yahoo-counter-that-is-not-a-counter. Instead of counting visitors, it reaches out to an exploit site and ... counts victims.


This gang's specialty is to hack into an innocent website, and turn it into an unwitting lure... all the website's visitors are probed by the villains, and if they're vulnerable... wham! the visitor is a victim of a drive-by download.

Here's a sample from today's hack list. (*** AGAIN.... DON'T GO TO THE PAGE ... IT MIGHT BE STILL INFECTIVE ***)

This page, hxxp://www.ci.streator.il.us/cms/index.php?page=fire-department-faq-s, looks like this ...

[screenshot of the rendered page, image not reproduced]
If you look closely at the code you see not one, but _two_ yahoo counters! How exciting! This means they've been whacked not once, but twice. :-)

And sure enough, if we look at the critical files list, we see the start of an infection cycle...

[screenshot of the critical files list, image not reproduced]
I find that outing a site on this blog is actually the best way to get it cleaned up. It's much more effective than me trying to explain to confused support staff, so c'mon City of Streator guys.... please clean your site, and fix the hole that allowed the Bad Guys in in the first place. You're probably running a vulnerable PHP tool or version.

Readers, please remember that City of Streator is an innocent victim too... they didn't mean for this to happen, but they do need to fix it.
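Both this post and the City of London one above come down to the same manual check: read the page source and spot script includes that point at hosts which have nothing to do with the site. The following is an added example, not code from this blog or from LinkScanner, that automates that check for a webmaster auditing their own pages. The sample page is constructed; only the hostnames ojns.ru and 4log-in.ru are taken from the City of London post, and everything else (example-council.test, the allowlisted analytics host) is made up.

```python
"""Find <script src> includes that point at hosts outside the site's own domain.

This is an added example, not code from the blog or from LinkScanner. It
automates the manual check the posts describe: read the page source and look
for script references that have nothing to do with the site. The sample page
is constructed for this example; only the hostnames ojns.ru and 4log-in.ru
come from the post, everything else (example-council.test, the allowlist) is
made up.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag, in document order."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.sources.append(value.strip())


def registrable_domain(host):
    """Crude 'site' for a hostname: its last two labels (ojns.ru, example.com).
    Enough for this example; production code should use the Public Suffix
    List so that, say, gov.uk is not treated as a single site."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_foreign_scripts(html, page_url, allowlist=()):
    """Return the script src values whose host is neither the page's own site
    nor on the allowlist. Relative srcs are served by the site itself and
    are skipped. A site hit more than once (twice in Streator, eight times
    in the City of London case) yields one entry per injected tag."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    own = registrable_domain(urlparse(page_url).hostname or "")
    allowed = {own} | {a.lower() for a in allowlist}
    foreign = []
    for src in collector.sources:
        host = urlparse(src).hostname
        if host is None:
            continue  # relative path: served by the site itself
        if registrable_domain(host) not in allowed:
            foreign.append(src)
    return foreign


# Constructed sample page: two legitimate includes, one allowlisted analytics
# script, and two injected tags of the kind the posts describe.
SAMPLE_PAGE = """<html><head><title>Council site (constructed sample)</title>
<script src="/js/menu.js"></script>
<script src="http://www.example-council.test/js/nav.js"></script>
<script src="http://stats.allowed-analytics.test/a.js"></script>
</head><body><h1>Welcome</h1>
<script src="http://www.ojns.ru/js.js"></script>
<script src="http://www.4log-in.ru/script.js"></script>
</body></html>"""

SAMPLE_URL = "http://www.example-council.test/index.php"


def audit(html=SAMPLE_PAGE, page_url=SAMPLE_URL,
          allowlist=("allowed-analytics.test",)):
    """Run the check and return (number of foreign includes, list of them)."""
    hits = find_foreign_scripts(html, page_url, allowlist)
    return len(hits), hits


if __name__ == "__main__":
    count, hits = audit()
    print(f"{count} third-party script include(s) not on the allowlist:")
    for src in hits:
        print("  ", src)
```

Run against the sample it reports the two injected includes and keeps quiet about the allowlisted analytics host. The useful part for a site owner is the allowlist: once the handful of third-party scripts a site legitimately uses are listed, any new entry in the report is either a deliberate change or an injection, and the count tells you how many times the page has been hit.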

Look both ways when crossing the web, folks.... it's dangerous out there.

Roger

Ps to be notified of updates to this blog, please follow me on Twitter