i2 Security Blog

Keeping you up to date on the world of IT Security


Attack on Wampserver and WordPress sites

Kimberly from Stopmalvertising found the Blackhole Exploit Kit on the website of the very popular web server software known as WampServer. WampServer is a package of web components bundled together for Windows users; the name comes from the software in the package (Windows, Apache, MySQL, PHP).
Almost at the bottom of the web page, the team that discovered this found some JavaScript requesting a file from jquery.googlecode.com. The URL is followed by a long string of parameters. The file returns a 404; it is just there to fool people.

Once the script was decoded they found an iframe leading to vc-business.com/in.php. According to the analysis, if a vulnerable Java, Windows Media Player, Flash or Adobe Reader version is detected, the visitor is redirected to 91.194.214.66/dng311011/c7a44076f6c722eb74725563b0a000a0/spl.php and from there to 30domaaaam.in/main.php?page=c76874df55550a3f. According to Norton Safe Web, 91.194.214.66 has been listed as distributing the ZeroAccess rootkit.

Another Blackhole Exploit Kit attack was discovered on thousands of WordPress websites running an out-of-date version of the popular TimThumb image tool. Avast senior researcher Jan Sirmer found that attackers had exploited weak FTP server authentication credentials and a vulnerability in the TimThumb image resizer to upload malicious PHP files to the sites. But this was not the only way the attack succeeded: another vector was to use stolen passwords to make changes directly over FTP. In your FTP space, alongside the other site files, a new file will appear that looks like this: ./wp-content/w3tc/min/a12ed303.925433.js or ./wp-includes/js/l10n.js
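Files dropped over FTP or through TimThumb only stand out if you know what the site looked like before. The following is an added example, not code from the blog post or from Avast: it records a SHA-256 manifest of every file under a web root and later reports anything added, changed or removed. The WordPress-like tree in `demo()` is constructed for illustration; the dropped file name is the one quoted above, and the file contents are placeholders.

```python
"""Baseline-and-compare integrity check for a web root (SHA-256 manifest).

Added example, not code from the blog post or from Avast. It records a digest
of every file under a site directory and later reports files that were added,
changed or removed, which is how unexpected drops such as the .js files named
in the post would surface after an FTP-credential or TimThumb compromise.
"""
import hashlib
import json
import os
import sys
import tempfile


def hash_file(path, chunk_size=65536):
    """Return the SHA-256 hex digest of one file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (relative, '/'-separated) to its digest."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full)
    return manifest


def compare_manifests(baseline, current):
    """Return sorted lists of added, changed and removed relative paths."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "changed": sorted(p for p in base_keys & cur_keys
                          if baseline[p] != current[p]),
    }


def write_file(root, rel, data):
    """Create rel (and its parent directories) under root holding data."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed WordPress-like tree: baseline it, then simulate one dropped
    file and one altered core script, like the paths named in the post."""
    with tempfile.TemporaryDirectory() as root:
        write_file(root, "index.php", b"<?php require 'wp-blog-header.php';\n")
        write_file(root, "wp-includes/js/l10n.js", b"// constructed core script\n")
        write_file(root, "wp-content/themes/x/style.css", b"body{}\n")
        baseline = build_manifest(root)
        # Simulated compromise (constructed): a new file and an appended file.
        write_file(root, "wp-content/w3tc/min/a12ed303.925433.js",
                   b"// constructed placeholder for an unexpected file\n")
        write_file(root, "wp-includes/js/l10n.js",
                   b"// constructed core script\n// appended line\n")
        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    # Usage: integrity.py init  <webroot> <manifest.json>
    #        integrity.py check <webroot> <manifest.json>
    # Keep the manifest outside the web root, or it will report itself as added.
    mode, root, manifest_path = sys.argv[1:4]
    if mode == "init":
        with open(manifest_path, "w", encoding="utf-8") as fh:
            json.dump(build_manifest(root), fh, indent=2, sort_keys=True)
    else:
        with open(manifest_path, encoding="utf-8") as fh:
            baseline = json.load(fh)
        for kind, paths in compare_manifests(baseline, build_manifest(root)).items():
            for p in paths:
                print(f"{kind}: {p}")
```

Take the baseline from a known-clean copy (a fresh install plus your own theme and plugin files), store it away from the server, and re-run the check on a schedule; a changed core file such as `wp-includes/js/l10n.js` is as telling as a brand new one.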

Microsoft YouTube site pwned

The weekend saw Microsoft's YouTube presence hacked and its content changed from helpful videos to cartoons and advertising offers.

One of the uploaded videos, called Bingo, showed a character from the LA Noire video game shooting another animated figure in the head. Other videos called on YouTube visitors to post video responses, create new background images for the channel or provide sponsorship.

By midday GMT the site had been returned to normal. Nobody is claiming to know how this hack took place, but the obvious theory is poor password security by a Microsoft employee. There are also rumours circulating that the account and channel were actually created by a Microsoft fan before being handed over to Microsoft at a later date. It could be that the account was still linked to the previous owner's email, which would have made a password change easy.

One heading on the channel also read, “I DID NOTHING WRONG I SIMPLY SIGNED INTO MY ACCOUNT THAT I MADE IN 2006 :/.”  So maybe there is something

Mass attack on websites running ASP.NET

Research has highlighted a mass attack on web servers running ASP.NET; the infection redirects visitors to sites that target old versions of Oracle's Java, Adobe's Flash and various browsers. The attack was disclosed by security firm Armorize on Wednesday.

The initial attack is showing around 1.15 million infected pages and the follow-on exploit around 17,500 pages; the figures come from Google searches.

The infection injects code into ASP.NET websites that plants an invisible link in visitors' browsers to sites including jjghui.com and nbnjkl.com, which in turn redirect to a number of other sites hosting obfuscated code. Those sites use a number of attacks that exploit well-known vulnerabilities in Java, Flash etc. Computers running unpatched versions are then used by the attackers.

Armorize researchers submitted the attack code last week and at the time only six of the top 43 antivirus vendors detected it; hopefully this figure has increased drastically since then.

Another firm, Sucuri, has released a scanner that can detect whether your site is infected.

If your site is compromised you must remove the infection from your database and audit ALL code to remove SQL Injection issues.
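Both halves of that clean-up can be illustrated in code. What follows is an added example, not code from the blog post, Armorize or Sucuri: it walks every text column of a database looking for injected `<script>` tags that point at the domains named above, strips them, and shows the string-built query pattern that lets such an injection land next to its parameterized replacement. It runs against an in-memory SQLite database with constructed rows; the script URL it plants is a placeholder, and the domain list is only what the post names.

```python
"""Scan a site database for injected <script> tags and show the query fix.

Added example, not code from the blog post or from Armorize/Sucuri. Uses an
in-memory SQLite database with constructed rows; the injected script URL in
demo() is a constructed placeholder on one of the domains named in the post.
"""
import re
import sqlite3

# Domains the post names as the invisible-link targets; extend with your own IoCs.
KNOWN_BAD_DOMAINS = ("jjghui.com", "nbnjkl.com")

# Any <script ...>...</script> element, case-insensitive, spanning newlines.
SCRIPT_TAG_RE = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.IGNORECASE | re.DOTALL)


def text_columns(conn, table):
    """Names of columns whose declared type is text-like (or untyped)."""
    cols = []
    # Table names come from sqlite_master, not from user input, so quoting is safe.
    for _cid, name, ctype, *_rest in conn.execute(f'PRAGMA table_info("{table}")'):
        t = ctype.upper()
        if t == "" or "CHAR" in t or "TEXT" in t or "CLOB" in t:
            cols.append(name)
    return cols


def find_injections(conn, domains=KNOWN_BAD_DOMAINS):
    """Return (table, rowid, column, tag) for every text cell holding a
    <script> tag that references one of the given domains."""
    hits = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        cols = text_columns(conn, table)
        if not cols:
            continue
        col_list = ", ".join(f'"{c}"' for c in cols)
        for row in conn.execute(f'SELECT rowid, {col_list} FROM "{table}"'):
            rowid, values = row[0], row[1:]
            for col, value in zip(cols, values):
                if not isinstance(value, str):
                    continue
                for tag in SCRIPT_TAG_RE.findall(value):
                    if any(d in tag.lower() for d in domains):
                        hits.append((table, rowid, col, tag))
    return hits


def strip_injections(conn, hits):
    """Remove each matched tag from its cell; returns the number of hits handled."""
    for table, rowid, col, tag in hits:
        (value,) = conn.execute(
            f'SELECT "{col}" FROM "{table}" WHERE rowid = ?', (rowid,)).fetchone()
        conn.execute(f'UPDATE "{table}" SET "{col}" = ? WHERE rowid = ?',
                     (value.replace(tag, ""), rowid))
    conn.commit()
    return len(hits)


def unsafe_article_lookup(conn, title):
    """The string-built query shape the post tells you to audit out: a quote
    in `title` becomes part of the SQL statement."""
    return conn.execute(f"SELECT body FROM articles WHERE title = '{title}'").fetchall()


def safe_article_lookup(conn, title):
    """Parameterized form: the driver passes `title` as a value, never as SQL."""
    return conn.execute("SELECT body FROM articles WHERE title = ?", (title,)).fetchall()


def demo():
    """Constructed database: two of three articles carry the injected tag."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    injected = '<script src="http://jjghui.com/PLACEHOLDER.js"></script>'  # constructed
    conn.executemany("INSERT INTO articles (title, body) VALUES (?, ?)", [
        ("Welcome", "<p>Hello</p>"),
        ("News", "<p>Update</p>" + injected),
        ("About", "<p>Us</p>" + injected),
    ])
    conn.commit()
    hits = find_injections(conn)
    removed = strip_injections(conn, hits)
    probe = "x' OR '1'='1"  # a stray quote in user input, not a query the code should build
    return {
        "hits": len(hits),
        "removed": removed,
        "remaining": len(find_injections(conn)),
        "unsafe_rows": len(unsafe_article_lookup(conn, probe)),
        "safe_rows": len(safe_article_lookup(conn, probe)),
    }


if __name__ == "__main__":
    print(demo())
```

The scanner deliberately matches only on the domains it is given, so feed it the indicators from the advisory you are working from rather than a generic `<script` check, which would flag every legitimate embed; the removal step then reads each cell fresh so that a cell carrying two tags is cleaned correctly. Cleaning the rows without fixing the string-built query leaves the door open for the next round.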

Windows 7 God Mode

Today I received an email detailing the "Windows 7 God Mode". OK, so it's not quite God Mode, but it gives you all the administrator tools you could dream of in one place, just by creating a new folder. Yes, I know it sounds odd, but carry on reading and try it; you'll be amazed. I just hope server administrators don't let their users run as local administrators, otherwise ALL of these tools will be available to them now, oops!!


Then rename the folder to “GodMode.{ED7BA470-8E54-465E-825C-99712043E01C}” (no inverted commas)


Once this is created it automatically populates with a huge number of useful Windows administrative tools which are ready to use.

Now this is really useful for Windows admins; however, you should also make sure that your users cannot create this folder. If they can create it they will still need admin rights to use most of the tools, but it's best not to give them the chance.
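The trick works because Explorer treats any folder named `something.{CLSID}` as a shortcut into the shell object with that CLSID; the GUID in the folder name above is the one that opens the "all tasks" view. As an added example (not code from the blog post), the script below walks a profile tree and reports every folder carrying such a suffix, so an admin can spot them on users' desktops. It generalizes beyond the single GUID in the post to any CLSID-suffixed folder; the only CLSID it can name is the one quoted above, and the sample tree in `demo()` is constructed.

```python
"""Report folders whose name carries a Windows shell-namespace CLSID suffix.

Added example, not code from the blog post. Explorer treats a folder named
"label.{CLSID}" as a junction into the shell object with that CLSID, which is
what makes the "GodMode" folder described in the post work. The only CLSID
this script can put a name to is the one the post uses; everything else is
reported as an unknown CLSID. The directory tree in demo() is constructed.
"""
import os
import re
import tempfile

# label.{8-4-4-4-12 hex} at the end of the name, case-insensitive hex.
CLSID_SUFFIX_RE = re.compile(
    r"^(?P<label>.*)\.\{(?P<clsid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}$")

# CLSID -> description; only the GUID quoted in the post is included here.
KNOWN_CLSIDS = {
    "ED7BA470-8E54-465E-825C-99712043E01C": "All Tasks view (the 'GodMode' folder from the post)",
}


def classify_name(name):
    """Return {'label', 'clsid', 'known_as'} for a CLSID-suffixed name, else None."""
    match = CLSID_SUFFIX_RE.match(name)
    if not match:
        return None
    clsid = match.group("clsid").upper()
    return {
        "label": match.group("label"),
        "clsid": clsid,
        "known_as": KNOWN_CLSIDS.get(clsid, "unknown CLSID"),
    }


def find_clsid_folders(root):
    """Walk root and collect every directory whose name has a CLSID suffix."""
    findings = []
    for dirpath, dirnames, _filenames in os.walk(root):
        for dirname in dirnames:
            info = classify_name(dirname)
            if info is not None:
                info["path"] = os.path.join(dirpath, dirname)
                findings.append(info)
    return findings


def demo():
    """Constructed profile tree with one GodMode folder and two decoys."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(
            root, "Desktop", "GodMode.{ED7BA470-8E54-465E-825C-99712043E01C}"))
        os.makedirs(os.path.join(root, "Desktop", "Reports"))
        os.makedirs(os.path.join(root, "Documents", "notes.{not-a-clsid}"))
        return find_clsid_folders(root)


if __name__ == "__main__":
    import sys
    # Usage: clsid_folders.py <profiles-root>   e.g. C:\Users on a Windows box
    for finding in find_clsid_folders(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{finding['path']}  ->  {finding['known_as']}")
```

Point it at the users' profile root (for example `C:\Users`) from a scheduled task; a folder that is a shell junction is harmless to list, and a hit on an unknown CLSID is worth looking up before you decide whether it belongs there.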