Hi all, folks.
I need your help.
For the last few months we have been watching the former Redkit spreading all over, using compromised websites to get into victim machines.
At this point, the combined tracker results indicate that at least 2725 unique domains were compromised and participated in Redkit spreading from 11.11.2012 till 31.01.2013.
Since I literally have no free time to manage the whole cleanup process and no resources to support the owners of those web resources (most of them do not even respond to mail), here is the list.
Please note that this list is not 100% solid: there were a few changes in the exploit kit's spreading system that required the tracking agent to be reconfigured, but the bottom line is that it is at least 90% accurate.
Some domains were cleaned up, some were reported as abusive and taken down by the hosting company or the owner. Most of the listed hosts are still infected, I assume. And since the MDS system reuses them frequently, they will appear to be malicious again at some point. Please act accordingly.
In case your website is listed here:
Removal instructions [for site/host/shared-hosting service owners]:
1. Search for .htaccess files and for php.ini or .user.ini files in the root directories, and check them for mod_rewrite.c entries (see more details here).
2. Remove the injected mod_rewrite.c block from .htaccess and clean up the files it references.
3. Hire a security professional to harden your website/service against future intrusions. If you don't, the malware will return.
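The first two steps above, as an added example that is not code from the original post: walk a web root, report every .htaccess that carries a mod_rewrite.c block together with its Rewrite lines (marking rules that redirect to another host), and report php.ini/.user.ini files that silently include a file on every request. The auto_prepend_file/auto_append_file check goes one step beyond the post, which only says to look at those files; the sample site, its paths and the redirect target are constructed for illustration.

```python
"""Added example (not from the original post): locate .htaccess, php.ini and
.user.ini files under a web root and flag the entries the post says to check.
The sample web root below is constructed; the auto_prepend_file check is an
assumption about what an injected php.ini/.user.ini usually carries."""
import os
import re
import shutil
import tempfile

REWRITE_LINE = re.compile(r"^\s*Rewrite(Cond|Rule)\b", re.I)
# A RewriteRule whose target is an absolute URL sends the visitor off-site.
EXTERNAL_TARGET = re.compile(r"^\s*RewriteRule\s+\S+\s+(https?://|//)", re.I)
# Assumption: a php.ini/.user.ini that prepends or appends a file to every
# request is the directive worth flagging in those files.
PHP_INCLUDE = re.compile(r"^\s*auto_(prepend|append)_file\s*=", re.I)


def scan_webroot(root):
    """Return a list of (kind, path, lineno, text) findings under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == ".htaccess":
                findings.extend(_scan_htaccess(path))
            elif name in ("php.ini", ".user.ini"):
                findings.extend(_scan_php_ini(path))
    return findings


def _scan_htaccess(path):
    with open(path, encoding="utf-8", errors="replace") as fh:
        lines = fh.read().splitlines()
    # Only .htaccess files that mention mod_rewrite.c are of interest here.
    if not any("mod_rewrite.c" in ln.lower() for ln in lines):
        return []
    out = []
    for no, ln in enumerate(lines, 1):
        if REWRITE_LINE.match(ln):
            kind = "rewrite-external" if EXTERNAL_TARGET.match(ln) else "rewrite"
            out.append((kind, path, no, ln.strip()))
    return out


def _scan_php_ini(path):
    out = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for no, ln in enumerate(fh, 1):
            if PHP_INCLUDE.match(ln):
                out.append(("php-auto-include", path, no, ln.strip()))
    return out


def make_sample_site():
    """Constructed sample web root (not real infected files): one .htaccess
    with a referer-based redirect block, one harmless .htaccess and one
    .user.ini that prepends a file to every PHP request."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "admin"))
    with open(os.path.join(root, ".htaccess"), "w") as fh:
        fh.write("<IfModule mod_rewrite.c>\n"
                 "RewriteEngine On\n"
                 "RewriteCond %{HTTP_REFERER} (google|bing|yahoo)\\. [NC]\n"
                 "RewriteRule ^(.*)$ http://redirector.invalid/in.php [R=302,L]\n"
                 "</IfModule>\n")
    with open(os.path.join(root, "admin", ".htaccess"), "w") as fh:
        fh.write("Options -Indexes\n")          # no rewrite block: not reported
    with open(os.path.join(root, ".user.ini"), "w") as fh:
        fh.write("auto_prepend_file = /tmp/.cache/x.php\n")
    return root


if __name__ == "__main__":
    site = make_sample_site()          # on a real host: scan_webroot("/var/www")
    for kind, path, no, text in scan_webroot(site):
        print(f"{kind:18} {path}:{no}: {text}")
    shutil.rmtree(site)
```

Run it against the real document root of every site on the host, not just the one that was reported; on shared hosting the injected .htaccess is often one directory up from the site that shows the symptom.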
A recent malware sample, grabbed by me (and by a few others, I am certain), does a very interesting thing:
Have a look at the code:
It literally changes the primary DNS server on the victim machine, and then looks up its C&C using a pseudo-random domain.
Interesting, I say, especially if you do DNS cache review or passive DNS monitoring for a living.
As I see it, in this particular case, even if the malware does not succeed in switching the DNS server, it continues to run.
So, our purpose is to prevent it from doing this.
How? … Group Policy!
Create a new GPO, go to User Configuration\Administrative Templates\Network\Network Connections and set the “Prohibit access to properties of a LAN connection” policy to Enabled.
This stops any user on the computer from changing the network configuration manually through the Network Connections UI; for it to apply to local administrators as well, also enable “Enable Windows 2000 Network Connections settings for Administrators” in the same folder. Keep in mind that it only locks the UI: code running as the user can still change the DNS setting through the registry, WMI or netsh, so the network-side control below is the one to rely on.
In addition, it is recommended to run an internal DNS server for the LAN and, on the border router, to block outgoing DNS traffic (UDP and TCP port 53) from any IP other than your internal DNS server's. A host whose resolver setting has been switched to an outside address then cannot resolve anything, and its blocked port-53 packets stand out in the router log.
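What the two symptoms above look like in a DNS log, as an added example that is not code from the original post: a small passive-DNS review that flags any LAN host sending queries to a resolver other than the internal one (the border-router rule, applied to a log instead of a firewall) and flags lookups of pseudo-random names of the kind a domain-generation algorithm produces. The log format, the resolver address 10.0.0.53, the sample records and the randomness thresholds are all assumptions for illustration.

```python
"""Added example, not code from the original post: review DNS records for a
host talking to an outside resolver and for pseudo-random query names.
Log format, addresses and thresholds are assumptions for illustration."""
import math
from collections import Counter

INTERNAL_DNS = {"10.0.0.53"}   # assumption: the LAN's own resolver(s)

# Constructed sample records: "<time> <src ip> <dst ip> <queried name>".
# 10.0.0.42 plays the infected host whose resolver setting was switched;
# 10.0.0.53 forwarding to 203.0.113.2 is the internal resolver doing its job.
SAMPLE_LOG = """\
2013-01-15T10:00:01 10.0.0.17 10.0.0.53 www.google.com
2013-01-15T10:00:02 10.0.0.17 10.0.0.53 update.microsoft.com
2013-01-15T10:00:09 10.0.0.42 198.51.100.9 xk2jd9fq0zlw.com
2013-01-15T10:00:10 10.0.0.42 198.51.100.9 q7vmztprhd3bk.net
2013-01-15T10:00:11 10.0.0.42 10.0.0.53 stackoverflow.com
2013-01-15T10:00:12 10.0.0.53 203.0.113.2 windowsupdate.com
"""


def shannon_entropy(text):
    """Bits per character of the string's own character distribution."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(qname):
    """Heuristic (assumption, tune against your own baseline): the
    second-level label is long, has high character entropy and few vowels,
    which is typical of machine-generated names and rare in chosen ones.
    Public-suffix handling (co.uk etc.) is deliberately left out."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return False
    label = labels[-2]
    if len(label) < 10:
        return False
    vowels = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= 3.3 and vowels < 0.25


def review(log_text):
    """Return a sorted list of (alert, src ip, detail) tuples."""
    alerts = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, qname = line.split()
        # A host other than the internal resolver talking to an outside
        # resolver: exactly what the malware's DNS switch looks like on the wire.
        if src not in INTERNAL_DNS and dst not in INTERNAL_DNS:
            alerts.add(("external-resolver", src, dst))
        if looks_random(qname):
            alerts.add(("random-name", src, qname))
    return sorted(alerts)


if __name__ == "__main__":
    for alert, src, detail in review(SAMPLE_LOG):
        print(f"{alert:18} {src:14} {detail}")
```

The entropy heuristic is a first filter, not proof: check the flagged names against passive DNS and the host against the malware sample before acting, and expect to raise the thresholds on networks with many CDN hostnames.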
Additional info about this piece of malware:
Size: 890 Kb
VT: [18/45]: https://www.virustotal.com/file/72d25f65ba822eb314a43321546ccf698a4b30e51f37406c27846671543e621f/analysis/
A must-see in the comments on this file: analysis of the binary done by @unixfreaxjp
A similar sample analysis by Conrad Longmore at Dynamoo’s Blog: here
Because of all that happened recently, let me be quick.
Various software exists to automatically add text to web pages on compromised websites.
This is the chain I followed for a recent attack:
1. The attacker intrudes on a poorly configured website: through a software flaw, poor configuration or stolen credentials.
2. Software (a web shell) is uploaded to remotely manage the website, and its link is written into the database of compromised websites.
3. The bundle of websites is sent a command to add malicious code to each page (or to specific pages, e.g. the default one):
Facebook announced the Malware Checkpoint, a service for detecting malicious activity on users' computers. The technical solutions are provided by Microsoft Security Essentials http://on.fb.me/infectedMSE and McAfee’s Scan and Repair http://on.fb.me/infectedMcA .
Here is an overview of the process
Today’s review results: improvement detected! But…
Last week, the University of California, Berkeley, released the paper “An Evaluation of the Google Chrome Extension Security Architecture” by Nicholas Carlini, Adrienne Porter Felt, and David Wagner.
Let me only add the conclusion here:
We performed a security review on a set of 100 Google Chrome extensions, including the 50 most popular, and found that 40% have at least one vulnerability. Based on this set of vulnerabilities, we evaluated the effectiveness of Chrome’s three extension security mechanisms: isolated worlds, privilege separation, and permissions. (p 12)
So, look at the paper itself and maybe consider using something else, if you are using Chrome.
p.s. And recommend to your clients not to use Chrome as the default browser…
A new bulletin from Adobe was released yesterday; more than 10 security flaws were fixed, including a few 0-days known to be exploited in the wild.
Also, Microsoft released its new Security Bulletin as usual, with many security patches.
Make sure you are done with them, because the reverse engineering tools already are.
Thanks to this nice post by Arvind Doraiswamy, here are a few tips on how to prevent someone from creating a shell or backdoor script on your system/website through an SQLi vulnerability.
Trivial, but well explained with pictures; IMHO a must-read for those not familiar with it.
Here they are, extended by me:
1. Sanitize the input that ends up in your SQL queries properly, or better, use parameterized queries (prepared statements) so that user input is passed as data and never concatenated into the SQL text. See the manuals; there are plenty of them on the Internet.
2. Don't leave world-writable directories on your web server. If some are needed (log directories, etc.), know where they are, and either move them outside the web root or deny web access to them (via an .htaccess file or otherwise).
3. Use a restricted database user without the FILE privilege for the application's queries (on MySQL, FILE is what lets `SELECT ... INTO OUTFILE` write a file on the server). Run the database server itself under a restricted OS account as well (on Windows machines, for example).
4. Disable default DB accounts; use passwords and password policies.
5. Securely manage not only the publicly accessible parts of your website or web app, but also the restricted directories and functions. A web shell can be placed in your admin directory and then linked to, or included via LFI from, a publicly accessible script.
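Tip 1 in working form, as an added example that is not code from the original post or from Arvind Doraiswamy's: the same login lookup written once by pasting input into the SQL text and once with bound parameters, run against a constructed in-memory SQLite table so the difference is observable offline. The table layout, the rows and the payload are assumptions for illustration; the principle is identical on MySQL or any other engine.

```python
"""Added example, not code from the original post: a login lookup built by
string concatenation beside its parameterized form, on a constructed SQLite
table (not real data)."""
import sqlite3


def make_db():
    """Constructed sample table with two users."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "s3cret"), ("bob", "hunter2")])
    return db


def lookup_vulnerable(db, name, pw):
    """Input becomes part of the SQL text, so the caller controls the query."""
    sql = f"SELECT name FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return [row[0] for row in db.execute(sql)]


def lookup_safe(db, name, pw):
    """Placeholders: the driver sends the input as data, never as SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND pw = ?"
    return [row[0] for row in db.execute(sql, (name, pw))]


# Classic tautology payload: closes the quoted name, makes the WHERE clause
# always true and comments out the password check.
PAYLOAD = "' OR 1=1 --"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, PAYLOAD, "anything"))  # every user
    print("safe:      ", lookup_safe(db, PAYLOAD, "anything"))        # nobody
    print("legit:     ", lookup_safe(db, "alice", "s3cret"))          # ['alice']
```

The counterpart of tip 3 is the account the application connects with: on MySQL, a grant such as `GRANT SELECT, INSERT, UPDATE, DELETE ON app.* TO 'app'@'localhost'` gives it the DML it needs and nothing else, so even a query that does get injected has no FILE privilege, and therefore no `INTO OUTFILE`, to drop a shell with.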
There are so many automatic tools for PHP code review that I almost forgot how to do it manually.
I am looking forward to preparing a hands-on manual for PHP code review, looking for known, less known or possibly unknown (?) code vulnerabilities.
upd1: Oh! Looks like I am not the only one thinking about going back to basics. Ryan Dewhurst from InfoSec – “Finding Security Vulnerabilities in PHP Using Grep”
Upd2: Now that I look at it, there is some previous work, but as usual, when someone starts to review what to look for and how to look for it, someone points him to an automatic tool that “does the job”, like RIPS, and it stops there. The major result: fewer and fewer people who know what exactly they are looking for and, more interestingly, what they miss. )
p.s. Actually, when you look at the code itself, it crosses language borders and differences. I have already found a few articles in Arabic with code examples, one Chinese forum with bright ideas (openly accessible and Google-indexed; I am sure there are many more) and a lot of Russian articles (those I still remember )
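The grep approach to PHP review done by hand, as an added example that is not code from the original post or from Ryan Dewhurst's article: it greps for the usual sinks, but also remembers which variables a superglobal was assigned to, so it can show the case a single-line grep misses (user input reaching a sink through a variable set a few lines earlier). The sink list, the sample PHP and the one-hop taint tracking are assumptions for illustration, not a complete analysis.

```python
"""Added example, not code from the original post: grep-style PHP sink
finding with a one-hop memory of where superglobals flowed. The sample PHP
is constructed and the sink list is an assumption."""
import re

# Functions whose argument becomes code, a command or an included file.
SINK = re.compile(
    r"(?<![\w$>:])(eval|assert|system|exec|shell_exec|passthru|popen|"
    r"proc_open|include|include_once|require|require_once|unserialize)\b")
SUPERGLOBAL = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|SERVER|FILES)\b")
ASSIGN = re.compile(r"^\s*(\$\w+)\s*=[^=]")
VARIABLE = re.compile(r"\$\w+")

# Constructed sample (not real code): one sink per pattern of interest.
SAMPLE_PHP = """\
<?php
$id = $_GET['id'];
$cmd = "ls " . $_GET['dir'];
system($cmd);
eval($_POST['code']);
include $_GET['page'] . ".php";
echo htmlspecialchars($_GET['q']);
$out = shell_exec("uptime");
"""


def find_sinks(php_source):
    """Return [(line number, sink name, status)] for every sink call."""
    tainted = {}      # $var -> line where a superglobal (or a tainted var) was assigned to it
    findings = []
    for no, line in enumerate(php_source.splitlines(), 1):
        code = line.split("//", 1)[0]   # drop // comments (assumption: none inside strings)
        m = ASSIGN.match(code)
        if m:
            rhs = code[m.end():]
            if SUPERGLOBAL.search(rhs) or any(v in tainted for v in VARIABLE.findall(rhs)):
                tainted[m.group(1)] = no
        s = SINK.search(code)
        if not s:
            continue
        args = code[s.end():]
        if SUPERGLOBAL.search(args):
            status = "tainted"                       # what plain grep also finds
        else:
            via = [v for v in VARIABLE.findall(args) if v in tainted]
            if via:
                status = f"tainted via {via[0]} (line {tainted[via[0]]})"  # what grep misses
            else:
                status = "check manually"
        findings.append((no, s.group(1), status))
    return findings


if __name__ == "__main__":
    for no, sink, status in find_sinks(SAMPLE_PHP):
        print(f"line {no:3}: {sink:12} {status}")
```

Line 4 of the sample (`system($cmd)`) is the point of the exercise: a grep for sinks with `$_GET` on the same line never shows it, and real code passes input through several assignments and function calls before it reaches the sink, which is why the manual review still has to follow the data and why RIPS-style tools exist.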
Almost all security techs, or “experts” if you wish, that I have been in contact with, use encryption as a protection layer.
Well, for a stolen laptop or a compromised file archive, it may be a solution. But let's say you use encryption to prevent the authorities from looking at it at some point, for some reason. Then you should at least be familiar with the local laws regarding encryption. For example, see this news headline from about a year ago: UK: Youth jailed for not handing over encryption password, or here.
You can find the same news regarding other countries. In the States there is the Fifth Amendment, which can be used as protection in such cases, but as we can see it is not automatic and requires major community support (do you have it? ). For example: US court test for rights not to hand over crypto keys.
I spoke with a local Israeli lawyer; she said that the State of Israel also has a law similar to the UK's, which allows the authorities to jail a suspect for not revealing the means to decrypt data.
So, if you are using encryption to have a safe place from the system's eavesdropping, make sure they cannot force you by law to reveal it. How? Hmmmm… Use your imagination and check it with a lawyer.