New blog

Hi folks,

please visit and bookmark my new blog at http://thompson.blog.avg.com/

Cheers

Roger

Riddle us this, Batman

Hi folks,

Normally, we provide answers here, but today we have a question.

If you whois xpantivirus2008.com, it shows that the registrar is ESTDOMAINS (the actual owner is hidden, as usual).

If you look up the IP address of xpantivirus2008.com, it shows as 72.14.207.99.

If you whois 72.14.207.99, _that_ shows as GOOGLE!

The question is .... why? All we can think of is that they have a sense of humor.

Cheers

Roger

Here's a whoopsie to start the day

Hi folks,

One of the rolling headlines on AOL.com this morning is this ...

"Disgraced 'Oprah' Author Is Back",




and if you click on the link, you're taken to this page...



Attentive readers of this blog will immediately recognize that as being a probable fake codec, but not everyone is an attentive reader of this blog, and if you click the link, you're rewarded with this screen...



Folks, the rule is this ... if ever you have to install a codec to watch a vid, DON'T!!!. It's just not worth the risk. Btw, these guys frequently target MAC users too. It's increasingly common for them to look at your OS platform and offer up a MAC binary instead of Windows.

Btw, I know that AOL takes security seriously, so if they can get caught, anyone can get caught with this trick.

And shout-outs to Bruce for noticing this one.

Keep safe folks!

Roger

Well, there goes the Montana option

or at least the Idaho variant.

Hi folks,

One of our in-house jokes is that the only real way to be safe on the Internet is to sell all your computers and move to Montana.

Regretably, today we noticed that the innocent and bucolic sounding boise.com was showing up as carrying a link to a known exploit site.

Thinking it couldn't possibly be so, we went to look at the website thusly...



Looks innocent enough, but a view of the source reveals a chunk of escaped javascript ...



Aha! That looks suspicious.... And a look at our debug tool shows a call out to a gpack exploit site...



The web cams are actually pretty interesting, but we can't find any way to contact the site owner to tell him, so we thought we'd post it here.

Cheers

Roger

This might be the ultimate irony

Hi folks,

Today we found what might be the ultimate irony... a spyware product where the home page has been hacked, and is installing someone else's rootkit!

The product is one of those spy-on-your-spouse/kids/employees things that says it's stealthy (in other words, _it's_ supposed to be a rootkit itself), and the home page has a chunk of escaped javascript



that calls out to a Neosploit site that's installing a rootkit.




And it's the new Neosploit too.

We're trying to contact the site owner to tell them, but the "contact me" page crashes.



Oh well... we'll keep trying.

Cheers

Roger

GPack

Correction: Sorry folks... there's so much happening at the moment, I've merged a couple of kits in my mind. It's not a mix of vbscript and javascript. It's just javascript, and thus far, we've only seen one exploit come out of it ... a mouldy, old MS06-014, although we expect there are more than that. The rest of the write-up is reasonably accurate, and we'll continue to correct things as we find more.

Hi folks,

A new exploit framework, called Gpack, has been popping up on our radar for a while now. We couldn't find much information on it, so we thought we'd better write some.

The first interesting thing about it is that the external, obfuscated wrapping script is a mix of vbscript and javascript. In other words, some of it is interpretted by the vbscript engine, and then the result of that is used to interpret the javascript portion. The idea here is to make it hard to decrypt and hard for av engines to follow it. To some extent they're successful with this, as the un-obfuscated code is seriously ugly and hard to follow.

The second interesting point is that there is nothing new in it. They've gone to a lot of trouble to obfuscate some really old and common exploits.

The third interesting thing is the number of innocent websites that have been hacked by someone pointing back at this kit. There are lots and lots of them... mostly mom and pop shops, but _lots_. We haven't figured out what the common thread between them is so far, but there clearly is one, for so many to be hacked.

The fourth interesting thing is that while there is clearly more than one set of Bad Guys involved, most of them seem to being hosted by the same ISP, because the exploit IPs are similar.

By the way, the exploit set seems to be:

MDAC/ MS06-014
MDAC variant - MS06-042
QuickTime
SetSlice
WinZip
VML

These are very common, and we can assume the author simply lifted them from the public domain, and put most of his effort into the obfuscation.

Nothing new here folks, except that it's being quite widely adopted.

Cheers

Roger

New Exploit Targets Corporate Users of CA Apps

Update: We should note that CA has offered a patch for this vulnerability. What is not clear is how widely adopted that patch is.

Hi folks,

On about March 17, 2008, some folks, such as frsirt started talking about a vulnerability in dll/ ocx used in various CA products. See here http://www.frsirt.com/english/advisories/2008/0902 , for example.

Today we found it in the wild, in none other than a new NeoSploit framework.

This means several things...

Firstly, the Neo developers are _very_ active.

Secondly, the vulnerability is likely to be quite widespread, simply because of CA's size and spread within the corporate market.

Thirdly, the exploit will likely soon also be quite widespread, simply because it is Neo, and Neo is quite popular as an exploit package.

Fourthly, corporate clients should probably be pretty nervous, because their firewall is unlikely to protect them against this. Remember, web traffic is usually permitted to go right thru the firewall, because it _starts_ from a trusted place ... _inside_ the firewall.

Another contributing factor to corporate nervousness is that they rarely allow automatic patching. This is an example where they probably should.

The current list of exploits is therefore:-

Mdac/ MS06-014
SuperBuddy
CaListCtrl
NctAudio
GomWebCtrl
SetSlice
DaxCtle

In other words, they've added the CaListCtrl exploit, and dropped the Yahoo Jukebox and Microsoft xVoice exploits, presuambly because they were not productive.

Folks, this appears to be one for the corporates rather than consumers, but it highlights that the Bad Guys are still thinking hard and probing hard.

Natuarally, LinkScanner and AVG 8 users have little to fear, as we detect it and block it just fine (which is how we noticed it in the first place)

Cheers

Roger

Arthur C Clark dies, and Space.com gets hacked!

Can't you see the pattern emerging??

Seriously though, uplink.space.com (careful) has had an iframe injected into it, and it's reaching out to another seemingly hacked site (www.forvideo.at - careful),



and launching a encrypted javascript




that turns out to be a simple and venerable MS06-014 exploit.

It's not an exploit pack, so it's just a single exploit, and it's tracking IPs, so it'll only come once, but it's there.

And the exploit is only an MS06-014, but the point is that if the website is vulnerable enough to have a mouldie old exploit injected, it could have something much newer and fiercer. Space.com needs to fix their website, and we've sent them an email about it. Hopefully they will, because they get an awful lot of visitors each month.

Cheers

Roger