i2 Security Blog

Keeping you up to date on the world of IT Security

Attack on Wampserver and WordPress sites

Kimberly from Stopmalvertising found the Blackhole Exploit Kit on the website of the very popular web server software project known as WampServer. WampServer is a package of web components bundled together for Windows users; the name comes from the software in the package (Windows, Apache, MySQL, PHP).
Almost at the bottom of the web page, the team that discovered this found some JavaScript requesting a file from jquery.googlecode.com. The URL is followed by a long string of parameters. The file returns a 404; it's just there to fool people.

Once the script was decoded, they found an iframe leading to vc-business.com/in.php. According to the analysis, if a vulnerable Java, Windows Media Player, Flash or Adobe Reader version is detected, the visitor is redirected to 91.194.214.66/dng311011/c7a44076f6c722eb74725563b0a000a0/spl.php and from there to 30domaaaam.in/main.php?page=c76874df55550a3f. According to Norton Safe Web, 91.194.214.66 has been listed as distributing the ZeroAccess rootkit.

Another Blackhole Exploit Kit attack was discovered on thousands of WordPress websites running an outdated version of the popular TimThumb image tool. Avast senior researcher Jan Sirmer found attackers had exploited weak FTP server authentication credentials and a vulnerability in the TimThumb image resizer to upload malicious PHP files to the sites. But this was not the only way the attack succeeded: another vector was to use stolen passwords to make changes directly over FTP. In your FTP listing, alongside the other site files, a new file will appear that looks like this: ./wp-content/w3tc/min/a12ed303.925433.js or ./wp-includes/js/l10n.js
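One way to catch planted files like the ones described above is to baseline the site tree and diff it against the current state. The following is an added example, not code from the article or from the Avast research; the directory tree and file contents it builds are constructed samples (the two .js paths are the ones quoted in the post).

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    """SHA-256 of a file, read in chunks so large uploads are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map every file under root (relative, '/'-separated path) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest

def diff_manifests(baseline, current):
    """Return (added, modified, removed) path lists, each sorted, between two manifests."""
    added = sorted(p for p in current if p not in baseline)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    removed = sorted(p for p in baseline if p not in current)
    return added, modified, removed

def demo():
    """Constructed scenario: snapshot a tiny site tree, then simulate the tampering."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, text):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as f:
                f.write(text)
        # Known-good state (constructed sample files, not real WordPress content).
        write("wp-includes/js/jquery.js", "/* legitimate library */")
        write("wp-content/themes/demo/timthumb.php", "<?php /* resizer */ ?>")
        baseline = build_manifest(root)
        # Simulated compromise: two planted .js files at the paths named in the post,
        # plus the resizer altered in place (contents are harmless placeholders).
        write("wp-content/w3tc/min/a12ed303.925433.js", "/* planted */")
        write("wp-includes/js/l10n.js", "/* planted */")
        write("wp-content/themes/demo/timthumb.php", "<?php /* altered */ ?>")
        return diff_manifests(baseline, build_manifest(root))
```

In practice the baseline manifest is taken right after a clean install or update and stored off the web server, so an attacker with FTP access cannot rewrite it along with the site files.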

SSL Encryption Broken

Researchers have discovered a weakness in the SSL (Secure Sockets Layer) protocol. SSL is used by nearly all websites that are trying to protect data sent between the web server and the end user's browser.

The vulnerability affects version 1.0 and earlier of TLS (Transport Layer Security). Although versions 1.1 and 1.2 of TLS aren't vulnerable, few websites or browsers support them, leaving encrypted transactions on the likes of PayPal, banking sites and just about every other website vulnerable to eavesdropping by hackers who are able to control the connection between the end user and the website being visited.

Researchers Thai Duong and Juliano Rizzo plan to demonstrate proof-of-concept code later this week at the Ekoparty conference in Buenos Aires. The software is called BEAST (Browser Exploit Against SSL/TLS). The code, apparently JavaScript, works together with a network sniffer to decrypt the encrypted cookies that a targeted website uses to grant access to restricted user accounts. The exploit works even against sites that use HTTP Strict Transport Security, which prevents certain pages from loading unless they're protected by SSL.

The demo will decrypt an authentication cookie used to access a PayPal account, Duong said. Two days after this research was first published, Google released a developer version of its Chrome browser designed to thwart the attack.

Good to see Google are on the case to fix this before it becomes an everyday issue. Let's hope the rest of the browser developer community can be quick to act.