Dangers of Java vulnerabilities, and others!

Conspirator
Posts: 5464
Joined: Mon Jan 24, 2011 5:03 pm
Location: བདེ་འབྱུང

Post Thu Apr 05, 2012 2:03 am » by Iamthatiam


Hackers are compromising WordPress 3.2.1 blogs in order to infect their visitors with the notorious TDSS rootkit, according to researchers from Web security firm Websense.

It's not clear how the websites are being compromised, but there are publicly known exploits for vulnerabilities that affect WordPress 3.2.1, which is an older version of the popular blog publishing platform.

Once they gain unauthorized access to a blog, the attackers inject malicious JavaScript code into its pages in order to load a Java exploit from a third-party server.

"From our analysis the number of infections is growing steadily (100+)," said Websense principal security researcher Stephan Chenette in a blog post on Monday. The company's research into this mass code injection campaign indicates that whoever is behind it is experienced.

The Java vulnerability exploited in the attack is known as CVE-2011-3544 and allows the remote execution of arbitrary code. In this case, the attackers are leveraging it to install a version of the TDSS rootkit on the computers of people visiting the website.

"The TDSS rootkit is one of the stealthiest rootkits in the wild," Chenette said. "Its goal is to acquire total control of infected PCs and use them as zombies for its botnet."

The CVE-2011-3544 vulnerability started being targeted by most exploit toolkits in December 2001. These attack frameworks usually contain exploits for vulnerabilities in several software products like Adobe Reader, Flash Player and Java.

The Websense researchers are not sure if this mass code injection campaign uses an updated toolkit or an entirely new one, but experts from security firm M86 Security have tied recent WordPress 3.2.1 compromises to the Phoenix Exploit Kit.

According to M86 security researcher Daniel Chechik, the people behind these attacks are luring victims to the infected websites by sending them spam emails that contain malicious links. The fact that these links lead to legitimate blogs helps attackers bypass URL reputation filters, Chechik said in a blog post on Monday.

It's not clear if the attacks analyzed by M86 Security and Websense are perpetrated by the same gang, but since they both target WordPress 3.2.1 blogs, webmasters are urged to upgrade to the latest version of WordPress, which at this time is 3.3.1.

In order to protect themselves from exploits, Web users should keep the software installed on their computers up to date, especially their OS, browser and browser plug-ins.

-------------------------------------------------------------------------------------------------------------------

>>>Tdss rootkit silently owns the net<<<...

Rootkit and antirootkit development has always been a cat-and-mouse game, and it has become more widespread since rootkits started being the right friend of trojans, backdoors and other nasty infections used to steal user credentials or to get access to infected PCs.

While writing trojans or backdoors does not bring any new technique - all new samples we analyze often just use old and known tricks - rootkit development is the real field where malware writers can show their skills, their potential, their fantasy.

While at the beginning writing rootkits was more a pure exercise and a way to show how easily the system could be compromised, now they are strongly playing along with trojans and backdoors to help them subvert users' systems.

Malware writers are now sending a "catch me, if you can" message to antivirus companies in a hide-and-seek game where rootkit techniques are always a step ahead of security countermeasures, and they open wide the road to every other piece of malware, which doesn't mind using even old and known tricks - they are just invisible to everyone, they are free to do as they please. The key word is money.

The Tdss rootkit 3rd variant is the last member of the Tdss rootkit family that is quickly spreading around the world. While a number of rootkits are developed just as a proof of concept, this is not the case. The Tdss rootkit is well known to antivirus companies because of its goal to get total control of the infected PCs and use them as zombies for its botnet.

During these years it has always shown a team of skilled people behind it, who always applied advanced techniques often able to bypass antirootkit software. Actually, this last variant could easily be called the stealthiest rootkit in the wild.

This infection brings together the best of the MBR rootkit, the best of Rustock.C and the experience of old Tdss variants. The result is an infection that is quickly spreading on the net and is undetected by almost every security software and 3rd party antirootkit software.

The infection comes from the usual dropper spread by peer to peer networks or by crack and keygen websites, and it needs administrator privileges to run its payload. If UAC is disabled or the user voluntarily gives admin permissions, this infection can run even on Windows Vista and Windows 7. This is likely to be the usual scenario, where a user looks for specific cracks and doesn't mind if UAC warns him; he gives admin privileges to the wanted crack.

When run, the infection uses a technique similar to the one applied by the MBR rootkit: all kernel mode and user mode components are stored in the last sectors of the hard drive, outside the file system. By doing so, they appear to be only raw bytes, bypassing every security check. The Tdss rootkit brings this trick to a more advanced level by encoding its components before they are written to the disk. Files are encoded and decoded on the fly.


Then, to be loaded at Windows startup, the Tdss rootkit uses a technique we have seen applied by the Rustock.C rootkit - and other rootkits like Neprodoor: infecting Windows system drivers. The Tdss rootkit walks back the chain of drivers that handle hard drive I/O looking for the last miniport driver object. When found, it infects the driver's PE file by overwriting 824 bytes of the resource section. By doing so, it evades a simple check that some antirootkits usually use to detect hidden rootkits: the file size cross check. Usually rootkits that infect files can hide their presence by showing the original file instead of the infected one. Antirootkits which use raw disk reading techniques could read below the filter applied by this kind of rootkit and could cross check file sizes looking for discrepancies.

This time it is different, because of two evident reasons: currently no antirootkit is able to bypass the disk filtering technique used by the Tdss rootkit but, even if it were possible, this rootkit could not be detected by a file size cross check because the file sizes of the original and infected files are exactly the same.

When the infected driver runs, it executes the 824-byte loader, which then runs the kernel mode component of the infection. It creates a fake driver object and its relative device object, and hijacks every disk I/O communication at the level of the drivers' chain where the infected driver was located (i.e. the infected driver could be atapi.sys, or iastor.sys).


The rootkit intercepts every communication and filters out IRP_MJ_SCSI packets that have specific SRB flags set. By doing so, it hides the patched driver on the disk and all disk sectors where its components are located. This is a really effective disk hiding technique.

The Tdss rootkit then sets up a Load Image notify routine to intercept every process that loads the kernel32.dll library. When intercepted, it injects into the specified process its user mode components of the infection, tdlwsp.dll and tdlcmd.dll. They are able to turn the infected PC into a botnet zombie. Config.ini, one of the components of the infection, contains the settings of the botnet, commands to be executed, the bot ID and C&C server addresses. Communication with C&C servers is SSL encrypted, to evade HTTP filters.


The Tdss rootkit is indeed a really worrying infection; it is in the wild and it's quickly spreading without being intercepted and detected by almost anyone. Some antiviruses may throw up a warning about the presence of tdlcmd.dll or tdlwsp.dll, without being able to do anything. Most of the time users won't be warned at all; they just don't know their PC is part of a botnet and is under the control of malware writers who can use their PC as they please.

We heartily recommend not downloading or using cracks or keygens; they are often a vector for very nasty infections.

Despite the complexity of the infection we are able to detect and clean it, and we will update Prevx with appropriate detection and cleanup routines. In the meantime, every Prevx customer who has been affected by this infection can contact our technical support, who will remove the infection by remote assistance.


:arrow: CREDIT: http://www.prevx.com/blog/139/Tdss-rootkit-silently-owns-the-net.html

"The Heaven's Lights are fed by the energy generated inside the furnaces of Hell; I AM One Conductive Wire! "
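A defensive check prompted by the file-size point in the quoted Prevx post, added here as an example that is not from that post or from this thread: an in-place overwrite keeps the file size identical, so an integrity check has to hash the content and attribute the changed bytes to a section rather than compare sizes. The driver image, its section layout and the 824-byte overwrite are all constructed for the demonstration; the offsets are not those of any real driver.

```python
import hashlib

# Constructed stand-in for a miniport driver's PE image (4096 bytes).
# Section layout is assumed for the demo: (name, file offset, size).
SECTIONS = [(".text", 0, 2048), (".data", 2048, 512), (".rsrc", 2560, 1536)]
BASELINE = bytes(range(256)) * 16  # known-good copy from a trusted baseline

# Simulated infection: 824 bytes inside .rsrc replaced in place, size unchanged.
# Bits are flipped so every byte in the run differs from the baseline.
_PATCH = bytes(b ^ 0xFF for b in BASELINE[3000:3000 + 824])
INFECTED = BASELINE[:3000] + _PATCH + BASELINE[3000 + 824:]


def modified_ranges(baseline: bytes, current: bytes):
    """Return [(offset, length)] of contiguous byte runs that differ."""
    ranges, start = [], None
    for i, (a, b) in enumerate(zip(baseline, current)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            ranges.append((start, i - start))
            start = None
    if start is not None:
        ranges.append((start, len(baseline) - start))
    return ranges


def section_of(offset: int, sections):
    """Map a file offset to the section that contains it."""
    for name, base, size in sections:
        if base <= offset < base + size:
            return name
    return "<outside sections>"


def integrity_report(baseline: bytes, current: bytes, sections):
    """Compare an image to its baseline by size, by SHA-256, and by section.

    A size-only check passes on an in-place overwrite; the hash and the
    per-range attribution are what actually expose the change."""
    same_size = len(baseline) == len(current)
    same_hash = hashlib.sha256(baseline).digest() == hashlib.sha256(current).digest()
    changes = []
    if same_size:
        changes = [(off, ln, section_of(off, sections))
                   for off, ln in modified_ranges(baseline, current)]
    return {"same_size": same_size, "same_hash": same_hash, "changes": changes}


if __name__ == "__main__":
    print(integrity_report(BASELINE, INFECTED, SECTIONS))
```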

Conspirator
Posts: 8122
Joined: Sun Sep 18, 2011 7:52 pm

Post Thu Apr 05, 2012 3:37 am » by Noentry


thanks for the info iamthatiam
That was an interesting read
:cheers:
"The third-rate mind is only happy when it is thinking with the majority.
The second-rate mind is only happy when it is thinking with the minority.
The first-rate mind is only happy when it is thinking."
A. A. Milne

Conspirator
Posts: 5464
Joined: Mon Jan 24, 2011 5:03 pm
Location: བདེ་འབྱུང

Post Fri Apr 06, 2012 1:07 am » by Iamthatiam


noentry wrote:thanks for the info iamthatiam
That was an interesting read
:cheers:


Glad you liked, my friend! :flop:

:hugging:


Initiate
Posts: 696
Joined: Fri Aug 29, 2008 11:36 pm

Post Fri Apr 06, 2012 2:48 am » by Domeika


This is a known (albeit scary) vulnerability, and for Windows 7 and Server 2008 there is a patch... KB 2506014
http://support.microsoft.com/kb/2506014

Conspirator
Posts: 5464
Joined: Mon Jan 24, 2011 5:03 pm
Location: བདེ་འབྱུང

Post Fri Apr 06, 2012 3:47 pm » by Iamthatiam


domeika wrote:This is a known (albeit scary) vulnerability, and for Windows 7 and Server 2008 there is a patch... KB 2506014
http://support.microsoft.com/kb/2506014


Thanks, Domeika! :flop:


Conspirator
Posts: 1841
Joined: Sun Aug 01, 2010 9:46 am

Post Fri Apr 06, 2012 4:35 pm » by Cosmine


Can I advise members to buy Spywall? Spywall is a heuristic program that guards your computer "ahead", scanning incoming data not according to a malware list but according to the behavior of malware, stopping it and "eating" it before it enters your computer.
It runs in the background by itself; if you want, you can click its icon to see the number of malware the fat black kitten has eaten... after a few months it can be in the tens of thousands... :twisted:

PS. It's a legend that Linuxes are not sensitive to malware, and Linux programmers and users live with a false sensation that they're above these problems... download AppArmor to protect your Linux...

:cheers:

Conspirator
Posts: 5464
Joined: Mon Jan 24, 2011 5:03 pm
Location: བདེ་འབྱུང

Post Fri Apr 06, 2012 4:44 pm » by Iamthatiam


cosmine wrote:Can I advise members to buy Spywall? Spywall is a heuristic program that guards your computer "ahead", scanning incoming data not according to a malware list but according to the behavior of malware, stopping it and "eating" it before it enters your computer.
It runs in the background by itself; if you want, you can click its icon to see the number of malware the fat black kitten has eaten... after a few months it can be in the tens of thousands... :twisted:

PS. It's a legend that Linuxes are not sensitive to malware, and Linux programmers and users live with a false sensation that they're above these problems... download AppArmor to protect your Linux...

:cheers:


My best policy is to have your 'warzone' PCs ( :twisted: ), where you do all kinds of shit, and a completely separate one, which could be a simple one, just to do stuff such as Internet shopping!

:cheers:


Initiate
Posts: 307
Joined: Thu Apr 19, 2012 8:07 pm

Post Fri Apr 06, 2012 11:25 pm » by FullDisclosure


Been slapped with that java virus but caught it in time.... Immediately after hitting an infected site my browser window shrunk down to a tiny square which is the point I hit CTRL-ALT-DEL and closed the browser. Ran a search and found an executable partially downloaded with the .part filename extension.



I try not to troll, but sometimes people just fucking deserve it.
