Friday, April 28, 2006

The 'hostance.net' dialers have a new home

Well, this major repository (also known as TrafficAdvance and Carima Ltd), responsible for creating and hosting tens of thousands of repacked trojans/dialers, has a new home: traffic-advance.net (with dialers typically being pushed from deposito.traffic-advance.net).

Here's the whois:

Domain Name: traffic-advance.net

Created on..............: 03 Apr 2006 12:55:10
Expires on..............: 03 Apr 2008 12:55:10

Administrative Info:
CARIMA ENTERPRISES LIMITED
CARIMA ENTERPRISES
45 Welbeck Street
London, UK W1G 8DZ
GB
Phone: +1.2402555993
Fax..: +1.2402555993
Email: ******************@lycos.co.uk

Technical Info:
CARIMA ENTERPRISES LIMITED
CARIMA ENTERPRISES
45 Welbeck Street
London, UK W1G 8DZ
GB
Phone: +1.2402555993
Fax..: +1.2402555993
Email: ******************@lycos.co.uk

Registrant Info:
CARIMA ENTERPRISES LIMITED
CARIMA ENTERPRISES
45 Welbeck Street
London, UK W1G 8DZ
GB
Phone: +1.2402555993
Fax..: +1.2402555993
Email: ******************@lycos.co.uk

Status: Locked

Put "traffic-advance.net" in your block lists as soon as possible. There are reports of hijacks already.

EDIT: please note that "hostance.net" is still up as well, and still hosting trojans. So don't remove that one.
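An added example (my own, not part of the original post) of the kind of block-list check the advice above calls for. It keys on the two domains named in the post and matches on whole DNS labels, so that one entry for traffic-advance.net also catches deposito.traffic-advance.net without catching an unrelated name that merely ends in the same characters. The log lines are constructed for the demonstration.

```python
# Added example: hostname block-list matching by DNS label suffix.
# BLOCKLIST holds the two domains from the post; everything else here is constructed.

BLOCKLIST = {"traffic-advance.net", "hostance.net"}


def normalize(host: str) -> str:
    """Lower-case a hostname and strip whitespace and a trailing root dot."""
    return host.strip().lower().rstrip(".")


def is_blocked(host: str, blocklist=BLOCKLIST) -> bool:
    """True if host equals a block-list entry or is a subdomain of one.

    Each label-aligned suffix is tested in turn, so 'deposito.traffic-advance.net'
    matches 'traffic-advance.net' while 'nottraffic-advance.net' does not
    (a plain substring or endswith() check would wrongly match the latter).
    """
    labels = normalize(host).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def blocked_hosts_in_log(lines):
    """Scan constructed proxy-log lines ('timestamp host path') and return the
    normalized hosts that hit the block list, in order of first appearance."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line: no host field
        host = normalize(parts[1])
        if is_blocked(host) and host not in hits:
            hits.append(host)
    return hits


# Constructed sample log: one subdomain hit, one look-alike, one case-mangled hit.
SAMPLE_LOG = [
    "2006-04-28T10:01:02 deposito.traffic-advance.net /dl/dialer.exe",
    "2006-04-28T10:01:05 www.example.com /index.html",
    "2006-04-28T10:02:11 nottraffic-advance.net /",
    "2006-04-28T10:03:40 HOSTANCE.NET. /x.php",
]

if __name__ == "__main__":
    for host in blocked_hosts_in_log(SAMPLE_LOG):
        print("blocked:", host)
```

The same label-suffix rule is what a hosts-file or DNS sinkhole entry should implement; a filter that only blocks the exact apex name will let the deposito subdomain through.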

And another IE remote hole...

Well, remember that day when the last IE remote hole was posted? Here's another one:

"A vulnerability has been identified in Microsoft Internet Explorer, which could be exploited by remote attackers to take complete control of an affected system. This flaw is due to a race condition in the processing of security dialogs when prompting a user to install/execute an ActiveX control, which could be exploited by remote attackers to manipulate the dialog box and remotely compromise a vulnerable system by convincing a user to visit a specially crafted Web page and perform certain actions (e.g. write a specific text in a text field) that will cause a malicious ActiveX control to be inadvertently installed and/or executed".

http://www.frsirt.com/english/advisories/2006/1559

Yawn.

Thursday, April 27, 2006

If you use Ethereal, update as soon as possible

From SANS: "Yes, if you use Ethereal, it is time to upgrade. According to an advisory posted by FrSIRT, 28 vulnerabilities have been identified in Ethereal 'which could be exploited by remote attackers to compromise a vulnerable system or cause a denial of service.'"

http://isc.sans.org/diary.php?storyid=1288

28 vulnerabilities? Wow. Ethereal is a great program, but it's time they really thought about security. OpenBSD even removed it from its ports as a consequence of these problems.

Maybe I'll try to "sandbox" it through Core Force and see what can be done, but given the privileges Ethereal inherently needs to run, that might not be enough.

Wednesday, April 26, 2006

Yet another IE remote security hole

From Secunia: "Michal Zalewski has discovered a vulnerability in Internet Explorer, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to an error in the processing of certain sequences of nested "object" HTML tags. This can be exploited to corrupt memory by tricking a user into visiting a malicious web site.

Successful exploitation allows execution of arbitrary code."

Sheesh. "Execution of arbitrary code". And I thought this was serious *sarcasm*.

http://secunia.com/advisories/19762

Tuesday, April 25, 2006

Name change

Well, I changed the name of this blog, since I found out that the "Destroy All Malware" name was already taken. Too bad, it was a nice name. Anyway, I didn't want to spend too much time thinking of a good name, so I just named it "Cut the Crap". You don't like it? I don't care.

The guys at Sunbelt found a fake Red Cross site that tries to exploit the browser's vulnerabilities.


The interesting thing is that this one exploits Firefox too. It works only on quite old versions, but still, this is the first Firefox exploit "in the wild" I've seen being used by actual malware distributors.

So update your Firefox to the latest version if you haven't done it already.

Monday, April 24, 2006

What's behind link spam

Chances are that if you ever created a weblog or a guestbook, you've come to know that "nice" phenomenon known as link spam. I'll show you who the people behind it typically are, and they are not nice people.

Here's an example:



Lots of crappy links. Ever wondered what clicking on one does? (Note: DON'T.) Well, it brings you to a page like this:



Nothing but a bunch of nonsense and pasted text. So why would anyone bring anybody to a page like that? Unfortunately, there's more than meets the eye. Notice that red circle on the top-left. In the center, you can see a small square. That's an iframe, one of the two idiotic techniques that people behind malware use when trying not to be seen.



The iframe itself, of course, uses the other idiotic technique: JavaScript obfuscation. Considering how easy it is to deobfuscate these things, I wonder why they bother in the first place. Oh, maybe because antivirus link checkers are completely fooled by something this simple. Heh.

So what's in the iframe? Well, this one for instance has:



That, after a "decryption" that took me the amazing, incredible time of 2 minutes, turns out to be something like this:



Note that I snipped the image, as the code extended way beyond: click to see the image with the whole code... and don't try that code at home... ;)
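The two hiding tricks described above (a tiny or invisible iframe, and markup rebuilt at runtime from a %XX-escaped string) are exactly the things a static page scanner should flag. Here is an added example of such a scanner, written for this post and not code from the original; the HTML it scans is a constructed sample with a 1x1 iframe and a document.write(unescape("...")) script, using the reserved example.invalid name rather than any real site.

```python
# Added example: static detection of hidden iframes and unescape()-obfuscated
# document.write() payloads. The sample page below is constructed, not captured.
import re
from html.parser import HTMLParser

SAMPLE_HTML = """<html><body>
<p>pasted nonsense text here</p>
<iframe src="http://example.invalid/a.php" width="1" height="1" frameborder="0"></iframe>
<script>document.write(unescape("%3Ciframe%20src%3D%22http%3A//example.invalid/b.php%22%20style%3D%22visibility%3Ahidden%22%3E%3C/iframe%3E"));</script>
</body></html>"""

# Single-pass decode of what JavaScript's unescape() accepts: %uXXXX and %XX.
JS_ESCAPE_RE = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")
# String literal handed to unescape("...") inside a script.
UNESCAPE_CALL_RE = re.compile(r'unescape\(\s*"([^"]*)"\s*\)')


def js_unescape(s):
    """Decode a JavaScript unescape() input in one pass (no re-decoding of output)."""
    return JS_ESCAPE_RE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def decode_unescape_calls(script_text):
    """Return the decoded payload of every unescape("...") literal in a script."""
    return [js_unescape(lit) for lit in UNESCAPE_CALL_RE.findall(script_text)]


def _px(value):
    """Parse '1', '1px' or ' 0 ' into an int; None for anything else (e.g. '100%')."""
    v = value.strip().lower()
    if v.endswith("px"):
        v = v[:-2]
    return int(v) if v.isdigit() else None


def is_hidden_iframe(attrs):
    """True if an <iframe> is at most 2x2 pixels or styled invisible."""
    a = {k.lower(): (v or "") for k, v in attrs}
    w, h = _px(a.get("width", "")), _px(a.get("height", ""))
    if w is not None and h is not None and w <= 2 and h <= 2:
        return True
    style = a.get("style", "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


class HidingScanner(HTMLParser):
    """Collects hidden iframes and unescape() payloads from one piece of markup."""

    def __init__(self):
        super().__init__()
        self.findings = []   # (kind, detail) tuples
        self.payloads = []   # decoded unescape("...") strings, scanned later
        self._in_script = False
        self._script = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe" and is_hidden_iframe(attrs):
            self.findings.append(("hidden_iframe", dict(attrs).get("src", "")))
        elif tag == "script":
            self._in_script, self._script = True, []

    def handle_data(self, data):
        if self._in_script:
            self._script.append(data)  # script bodies may arrive in chunks

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.payloads.extend(decode_unescape_calls("".join(self._script)))


def scan_html(html, depth=0, max_depth=3):
    """Scan markup, then rescan whatever the page would write at runtime.

    Markup reconstructed from unescape() payloads is fed back through the
    scanner (bounded depth), because that is where the hidden iframe lives.
    """
    p = HidingScanner()
    p.feed(html)
    p.close()
    findings = list(p.findings)
    if depth < max_depth:
        for payload in p.payloads:
            findings.append(("unescape_payload", payload))
            findings.extend(scan_html(payload, depth + 1, max_depth))
    return findings


if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_HTML):
        print(f"{kind}: {detail}")
```

On the sample this reports the 1x1 iframe, then the decoded payload, then the visibility:hidden iframe it contains. Real pages chain several layers of unescape()/eval, which is why the decoded output is scanned again rather than only logged; a link checker that stops at the outer script body is "completely fooled" in exactly the way the post describes.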

And what's that? Nothing but a series of exploits that attempt to break the visitor's machine as thoroughly as possible. This is what the whole scam does:

- determine whether you have Norton or McAfee antivirus through the use of an ActiveX object; if yes, they avoid loading some exploits that they know Norton and McAfee recognize. Yes, IE, Norton and McAfee are such amazing products that they let the malware people directly manage which exploits or malware are safer to load. Wow.

- it might determine (server-side) whether you are using Internet Explorer (if not, some of these iframes won't load anything); I wouldn't visit any of these links with the swiss cheese known as IE if I were you (then again, I wouldn't visit ANY site with that swiss cheese anyway). If you want to explore the actual "full exploits" page you can always download it through wget with the --user-agent option; if you don't know what wget is or how to set --user-agent, don't bother in the first place.

- load, of course, a series of exploits and malware, such as this trojan (195.225.176.34/ad/0118/get.php?file=exe):



and this (195.225.176.34/ad/0118/files/spl/Microsoft_Windows_Advanced_Upgrade_Wizard_Logo2______________________________________________________________________.emf):



and this (195.225.176.34/ad/0118/files/spl/ani.anr):



and this (195.225.176.34/ad/0118/files/spl/java/java.jar):



and this (195.225.176.34/ad/0118/get.php?file=hta):



and this (195.225.176.34/ad/0118/files/spl/onload/fillmem.php):



Weird, they didn't use the CreateTextRange exploit, maybe they're slipping, huh?

And of course, who are these people? You guessed it, Coolwebsearch.

So, for the love of God, fix your guestbooks and blogs. Please. Don't let these criminals make money by infecting more people.