Within the last week, two large-scale releases of malicious code have included exploits for a vulnerability that Microsoft patched in April 2006. The weekend's defacement of more than 70,000 Web sites and the installation of an MBR rootkit both require exploitation of the number of older vulnerabilities, including MS06-014. Why bother?
The original security bulletin for MS06-014 was posted back in April 2006. It concerned a flaw within the Microsoft Data Access Components (MDAC), specifically within the RDS.Dataspace ActiveX control, that is part of the ActiveX Data Objects (ADO) distributed in MDAC. Shortly after the patch was available, an exploit was published to the Web.
Roger Thompson, chief research officer at Grisoft, said in an e-mail, "MS06-014 works really well, and it's really easy to use and modify. It's shocking that it's still producing enough to make it worth their while, but it must be so."
Shortly after MS06-014 was published, Microsoft released Windows XP SP2, which, among other things, includes all the previous Windows XP security patches.
Given the exploit's revival, there must be a large number of machines still running Windows with XP SP1 or before.
Thompson said the continued use of older exploits "underlines how hard it is to do a new exploit, as opposed to just using someone else's." Thompson, whose company makes the Linkscanner safe browsing application, said blocking these exploits is the best protection. Of course, keeping your Windows system up-to-date can't hurt either.
On Wednesday, the SANS Internet Storm Center and others published details about the massive SQL-based Web attack that occurred over the weekend. The attack, says SANS, is similar to a smaller SQL-injection attack seen in November. At least 70,000 sites were compromised in a short period of time, leading some to speculate this was an automated attack.
From logs files, the attack code appears to exploit a variety of SQL injection vulnerabilities existing on Web sites using Microsoft SQL or Microsoft IIS. On the vulnerable sites, malicious JavaScript is injected into all variable character fields and text fields in the SQL database such that when visitors hit the site, their browsers, if vulnerable, are then redirected to another domain--in this case, us8010.com.
Roger Thompson, chief research officer at Grisoft, identified one of the exploits served at the malicious server as taking advantage of MS06-014, a Microsoft Data Access Components vulnerability that Microsoft patched in September 2006. He also noted that "this domain uc8010(dot)com was registered just a few days ago (Dec 28), and yet, at one point Google showed script injections pointing to it were showing up on over 70k domains." Yet by January 5, most of these domains had already been cleaned.
What's interesting about this attack, aside from its automation, is that the SQL injection script is given in terms of a CAST statement, code that converts one data type to another. Ryan Barnett has provided a decoded version of this attack.
Barnett suggests that to protect against this attack a Web site should be front-ended by an Apache proxy and then back-ended by ISS or MS-SQL. SANS says other methods, such as blocking CAST statements, would also be effective.
Grisoft, maker of AVG antivirus and Internet security software, on Wednesday announced the acquisition of Exploit Prevention Labs, maker of the LinkScanner family of safe Web-browsing applications.
Unlike other safe-surfing applications, which tend to rely on databases, LinkScanner uses technology that determines, as the page is downloaded onto your browser, whether it is tainted with malicious software.
In CNET Reviews testing, LinkScanner has detected recent changes on Web pages where other safe surfing applications, such as McAfee SiteAdvisor, has not. One limitation of LinkScanner is its inability to determine whether a page is fraudulent; LinkScanner determines only whether the page has malicious content.
Grisoft plans to host Exploit Prevention Labs' products on its site. According to Grisoft, Exploit Prevention Labs' 18 employees will join Grisoft. Roger Thompson will become chief research officer, Greg Mosher will become vice president of engineering, and Chris Weltzien will become vice president of business development.
Security researcher Roger Thompson has found a new way to link to malicious servers that doesn't involve iframes (inline frames). An attack in June used cross-site scripting to place malicious iframes on legitimate Web sites. Iframes are used by Web designers to open additional windows (often hosted on other sites) within a main Web page; iframes can also be used by criminal hackers to redirect browsers to malicious-code sites.
"The interesting thing about this is that rather than using an iframe for an automatic embed, as they usually do, they've added some sort of image background href, with a large size...8000 by 1000 pixels, with the effect that a click that slightly *misses* a control or link on the page, ends up going to the exploit site," Thompson wrote on his blog. In particular, he found this trick used on the Alicia Keys MySpace.com page.
"The fact that this site is media-rich, with lots of sound and videos means that the FakeCodec trick will be much more effective. The click-er is probably expecting to see a vid, or hear a song, and is quite likely to think he genuinely needs to install something extra."
Thompson notes that the HTML code links to a site in China that is not indexed on Google or Yahoo. When CNET News.com tried the URL mid-afternoon on Thursday, a message said the URL was down for maintenance.
Thompson has posted a YouTube video of the attack here.
Security researcher Roger Thompson got a surprise the other night when he borrowed a computer to view a friend's Facebook blog--Internet Explorer wanted to download some malicious Microsoft Data Access Components (MDAC) objects. That didn't seem right, so he tried another computer, and said "I got extra copies of the browser starting, and ads being served."
Thompson is no stranger to such tricks. He heads Exploit Prevention Labs, a company that specializes in finding and mitigating browser exploits found on Web pages. This attack really surprised him. It uses an exploit of MS06-014, which means if your computer has been updated with the latest patches from Microsoft issued since September 2006, you won't experience a thing. But if you haven't updated your Windows computer in more than one year, you'll be subjected to a barrage of unwanted adware.
On an infected machine, a Google homepage now shows adware.
(Credit: Roger Thompson/Explabs)As the automated Mpack attack continues to turn thousands of legitimate Web sites into compromised sites offering drive-by downloads of malicious software, security researcher Roger Thompson over at Exploit Prevention Labs reminds us there are other exploits compromising legitimate sites, and some are as easy to find as entering a simple search string on Google. For more than a week (starting before the current Mpack attack), Thompson has been posting a list of dangerous search strings on his blog site. I've collected these and indicated in parentheses some of the known exploits associated.
- atlas mountains country (WebAttacker 2 or MPack)
- rotweiller rescue
- North Padre Island (WebAttacker 2 or Mpack)
- arches national park (WebAttacker 2 or MPack)
- canyonlands national park
- mass lottery
- air disasters in Florida (WebAttacker 2)
- cd key windows xp profesional
- batmobile for sale
- victoria's secret (fake codec)
- pokemon ruby gamesharks
- blue book (mdac exploit)
- IBM stock
- pallet fire
- Nigerian economic and financial crimes
- who's a rat
Exploit Prevention Labs makes LinkScanner, a browser plug-in that will identify and block known exploits on tainted sites before you download the page. There are other safe surfing tools available as well; some are free.
- prev
- 1
- next
