Wednesday, May 30, 2007

The WebAttacker in Action

Interesting to see that the WebAttacker kit can still be seen in the wild. Here are the redirectors in action:

Input URL: _http://rulife.info/traffic/go.php?sid=1
Effective URL: _http://greencunt.org/crap/index.php
Responding IP: 203.223.159.110
Name Lookup Time: 1.290261
Total Retrieval Time: 5.987628

=> _http://rulife.info/traffic/go.php?sid=1
=> _http://xorry.org/backup/atds/out.php?s_id=1
=> _http://greencunt.org/crap/index.php

What follows is the (sandboxed) infection:

file: Write C:\Program Files\Internet Explorer\IEXPLORE.EXE -> C:\sysykiz.exe

Several more URLs are to be found at the "green" domain as well:
_http://greencunt.org/anna/fout.php
_http://greencunt.org/spl1/index.php
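As an added example (not code from the original post, and not part of the WebAttacker kit itself), here is a small Python script that turns the redirector report and the sandbox file-write line above into structured findings a defender can act on: the hop list, the registrable domains the chain crosses, and any browser process writing an executable to disk. The report text is the one shown in the post; the trailing explorer.exe line, the BROWSERS set and the EXEC_SUFFIXES tuple are constructed assumptions for the example, and registrable() is a deliberate two-label approximation rather than a Public Suffix List lookup.

```python
import re
from urllib.parse import urlsplit

# Report text copied from the post above (URLs are defanged with a leading
# underscore, as in the post). The final explorer.exe line is a constructed
# benign event so the file-write check has a negative case to pass.
REPORT = r"""
Input URL: _http://rulife.info/traffic/go.php?sid=1
Effective URL: _http://greencunt.org/crap/index.php
Responding IP: 203.223.159.110

=> _http://rulife.info/traffic/go.php?sid=1
=> _http://xorry.org/backup/atds/out.php?s_id=1
=> _http://greencunt.org/crap/index.php

file: Write C:\Program Files\Internet Explorer\IEXPLORE.EXE -> C:\sysykiz.exe
file: Write C:\Windows\explorer.exe -> C:\Users\demo\notes.txt
"""

# Assumed lists for this example: browser image names whose writes of
# executables are worth flagging, and extensions treated as executable.
BROWSERS = {"iexplore.exe", "firefox.exe", "opera.exe"}
EXEC_SUFFIXES = (".exe", ".dll", ".scr", ".com", ".pif")

HOP = re.compile(r"^=>\s*(\S+)")
FILE_WRITE = re.compile(r"^file:\s*Write\s+(?P<proc>.+?)\s*->\s*(?P<target>\S.*?)\s*$")


def refang(url):
    """Strip the leading underscore the post uses to neuter URLs."""
    return url[1:] if url.startswith("_") else url


def registrable(host):
    """Two-label approximation of the registrable domain (no PSL lookup)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def parse_chain(report):
    """Return the redirect hops ('=> url' lines) as refanged URLs, in order."""
    hops = []
    for line in report.splitlines():
        m = HOP.match(line.strip())
        if m:
            hops.append(refang(m.group(1)))
    return hops


def parse_file_writes(report):
    """Return (writing process path, target path) pairs from sandbox lines."""
    events = []
    for line in report.splitlines():
        m = FILE_WRITE.match(line.strip())
        if m:
            events.append((m.group("proc"), m.group("target")))
    return events


def chain_findings(chain):
    """Flag a chain whose hops span more than one registrable domain."""
    domains = [registrable(urlsplit(u).hostname or "") for u in chain]
    distinct = list(dict.fromkeys(domains))  # first-seen order, no repeats
    if len(distinct) > 1:
        return ["redirect chain crosses %d registrable domains: %s"
                % (len(distinct), " -> ".join(distinct))]
    return []


def write_findings(events):
    """Flag a browser process writing an executable anywhere on disk."""
    findings = []
    for proc, target in events:
        image = proc.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if image in BROWSERS and target.lower().endswith(EXEC_SUFFIXES):
            findings.append("browser %s wrote executable %s" % (image, target))
    return findings


def analyze(report):
    """Combine the chain and file-write checks into one summary dict."""
    chain = parse_chain(report)
    events = parse_file_writes(report)
    return {
        "hops": len(chain),
        "domains": [registrable(urlsplit(u).hostname or "") for u in chain],
        "findings": chain_findings(chain) + write_findings(events),
    }


if __name__ == "__main__":
    for key, value in analyze(REPORT).items():
        print(key, value)
```

Run as-is it reports three hops across three registrable domains and a single file-write finding for iexplore.exe; the explorer.exe line passes because its target is not an executable. The same two checks apply unchanged to any redirector report and sandbox log in this line-oriented format.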

Although the tool is outdated compared to the mature malware platforms and exploitation kits I'll be covering in upcoming posts, the leak of its source code made it easy for anyone to tweak it to their own needs and simply feed it undetectable binaries, new vulnerabilities, and newly registered domains (or hijacked ones, compromised through web application vulnerabilities, for instance).

If you want proof that attackers are still successfully infecting victims with vulnerabilities for which patches were released months ago, here's another URL that exploits two vulnerabilities at once, namely:

MDAC ActiveX code execution (CVE-2006-0003)
IE COM CreateObject Code Execution (MS06-042)

The domain and URL in question are _http://www.avvcc.com and _http://www.avvcc.com/lineage/djyx.htm.

Related posts:
RootLauncher Kit
Nuclear Grabber Kit
Shots from the Malicious Wild West - Sample Seven
Shots from the Malicious Wild West - Sample Six
Shots from the Malicious Wild West - Sample Five
Shots from the Malicious Wild West - Sample Four
Shots from the Malicious Wild West - Sample Three
Shots from the Malicious Wild West - Sample Two
Shots from the Malicious Wild West - Sample One

The Revenge of the Waitress

Think your scrooge tips will have their effect? Think twice, but don't put the emphasis on underpaid waitresses; put it on the overall availability of credit card reading devices and on how easily cards can be read by them. Here's a video of another waitress cloning credit cards on the fly:

"A telltale clue that helped the restaurant and investigators zero in on the waitress: She would make quick visits to the restroom after picking up customers' charge cards, apparently to swipe them through a palm-sized device that recorded the confidential numbers."

Reverse Engineering the ANI Vulnerability

Informative video analyzing the ANI cursor vulnerability, part of the Google TechTalks series.

"Alex Sotirov is a vulnerability engineer at Determina. He will discuss some latest techniques in reverse engineering software to find vulnerabilities. Particularly, he'll discuss his technique that led him to find the ANI bug (a critical new bug in WinXP and Vista)."