
Security Bytes: Turning servers into 'malcode pushers'

By SearchSecurity.com Staff
14 Mar 2005 | SearchSecurity.com


Attackers turn servers into malcode pushers
An attack on site-hosting servers last weekend was apparently designed to turn infected machines into malcode pushers, according to the Bethesda, Md.-based SANS Internet Storm Center (ISC).

"We have received reports and evidence that a number of companies that provide shared hosting Web servers have had their servers exploited and all of the customer homepages modified so that visitors are attacked," the ISC reported on its Web site Sunday.

The ISC reported that hackers used multiple means to infect computers. In some instances a script was tacked to all home pages of sites hosted on infected servers. If a user visited one of those pages, the script would redirect them to a malicious site.
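A hosting provider can look for this kind of mass home-page tampering by checking whether the same script or iframe appears on many unrelated customers' pages. The sketch below is an added example, not code from the ISC or from this article; the customer names, the `.example` hosts and the sample pages are constructed.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlparse

class ActiveContent(HTMLParser):
    """Collect every <script>/<iframe> source URL and inline script body."""
    def __init__(self):
        super().__init__()
        self.found, self._inline = set(), None
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag in ("script", "iframe") and src:
            self.found.add(("src", src.strip()))
        elif tag == "script":
            self._inline = []  # start buffering an inline script
    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            body = " ".join("".join(self._inline).split())
            if body:
                self.found.add(("inline", body))
            self._inline = None

def shared_active_content(pages, min_tenants=3, trusted_hosts=frozenset()):
    """Map (kind, value) -> tenants for active content shared by min_tenants pages."""
    seen = defaultdict(set)
    for tenant, html in pages.items():
        parser = ActiveContent()
        parser.feed(html)
        parser.close()
        for kind, value in parser.found:
            if kind == "src" and urlparse(value).hostname in trusted_hosts:
                continue  # e.g. the hosting company's own statistics script
            seen[(kind, value)].add(tenant)
    return {k: sorted(t) for k, t in seen.items() if len(t) >= min_tenants}

# Constructed sample: four customers' home pages on one shared server.
STATS = '<script src="http://stats.hosting.example/s.js"></script>'
TAIL = '<script>window.location="http://redirect.example/";</script>'
PAGES = {
    "alice": f"<html><body><h1>Alice</h1>{STATS}</body></html>{TAIL}",
    "bob": f'<html><body><script src="/js/menu.js"></script>{STATS}</body></html>{TAIL}',
    "carol": f"<html><body><p>Carol</p>{STATS}</body></html>{TAIL}",
    "dave": "<html><body><script>var year = 2005;</script></body></html>",
}
if __name__ == "__main__":
    print(shared_active_content(PAGES, trusted_hosts={"stats.hosting.example"}))
```

The result is a review list: identical active content across customers who do not share a template is what deserves a closer look.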

"The second attack vector involves DNS [cache] poisoning," the ISC said. "We are not quite sure yet how this is being done, as the files that we've received so far 'only' install the ABX toolbar and do not seem to contain DNS/DHCP poisoning code."

Attackers tried to make the onslaught more difficult to stop by using Dynamic DNS, a service that allows users to automatically update the DNS server when an IP address is automatically assigned to a network device.

"When the issue was first reported, the three involved domain names were resolving to www.7sir7.com (217.160.169.87); 123xxl.com (217.160.169.87, 207.44.240.79, 216.127.88.131); and abx4.com (217.160.169.87, 207.44.240.79, 216.127.88.131)," the ISC said.

"Until a few hours ago, the address being served up was '217.16.26.148' for all three domains. Thus, the parties behind this attack have quite skillfully 'shifted' the target whenever an ISP started to block traffic or to shut down one of their servers. The involved DynDNS providers have been contacted in the meantime and were very responsive."
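Because the addresses moved whenever one was blocked, a defender tracking this campaign is better served by following the names and the links between them than by any single IP. The following added example (not ISC tooling) runs that analysis over a small resolution log; the domain and IP pairs are the ones quoted above, while the timestamps and the unrelated `shop.example` rows are constructed.

```python
import ipaddress
from collections import defaultdict

# (timestamp, domain, A records). Timestamps and shop.example are constructed.
OBSERVATIONS = [
    ("2005-03-12T10:00", "www.7sir7.com", ["217.160.169.87"]),
    ("2005-03-12T10:00", "123xxl.com",
     ["217.160.169.87", "207.44.240.79", "216.127.88.131"]),
    ("2005-03-12T10:00", "abx4.com",
     ["217.160.169.87", "207.44.240.79", "216.127.88.131"]),
    ("2005-03-12T10:00", "shop.example", ["192.0.2.10"]),
    ("2005-03-13T18:00", "www.7sir7.com", ["217.16.26.148"]),
    ("2005-03-13T18:00", "123xxl.com", ["217.16.26.148"]),
    ("2005-03-13T18:00", "abx4.com", ["217.16.26.148"]),
    ("2005-03-13T18:00", "shop.example", ["192.0.2.10"]),
]

def network_moves(observations, prefix=16):
    """Per domain, count how often its answers moved to entirely new networks."""
    last, moves = {}, defaultdict(int)
    for _, domain, ips in sorted(observations, key=lambda o: o[0]):
        nets = {ipaddress.ip_network(f"{ip}/{prefix}", strict=False) for ip in ips}
        if domain in last and nets.isdisjoint(last[domain]):
            moves[domain] += 1
        last[domain] = nets
    return dict(moves)

def linked_domains(observations, seed):
    """Domains connected to seed through any shared IP address (transitively)."""
    by_ip, by_domain = defaultdict(set), defaultdict(set)
    for _, domain, ips in observations:
        for ip in ips:
            by_ip[ip].add(domain)
            by_domain[domain].add(ip)
    linked, queue = {seed}, [seed]
    while queue:
        for ip in by_domain[queue.pop()]:
            for other in by_ip[ip] - linked:
                linked.add(other)
                queue.append(other)
    return sorted(linked)

if __name__ == "__main__":
    print(network_moves(OBSERVATIONS))
    print(linked_domains(OBSERVATIONS, "abx4.com"))
```

Starting from one reported name, the shared addresses tie all three domains together, so a name-based block or DNS sinkhole covers the set even after the next address change.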

Regulators shut down bogus antispyware vendor
A software vendor that tried to drive up sales by offering to clean up nonexistent computer spyware has been temporarily shut down, U.S. regulators told the Reuters news service.

Reuters said the makers of Spyware Assassin tried to scare consumers into buying software through pop-up ads and e-mail that warned their computers had been infected with malicious monitoring software, the Federal Trade Commission said.

Free spyware scans offered by Spokane, Wash.-based MaxTheater Inc. turned up evidence of spyware even on machines that were entirely clean, and its $29.95 Spyware Assassin program did not actually remove spyware, the FTC said, according to Reuters.

A U.S. court has ordered the company and its owner, Thomas Delanoy, to suspend its activities until a court hearing, which was scheduled for today. The company could be required to give back all the money it made from selling Spyware Assassin, the news service added.

Java Trojan can download spyware on alternative browsers
Finnish security firm F-Secure Corp. said it has proof Java is indeed a portable programming environment:

Christopher Boyd from Vitalsecurity.org has found a Java Trojan that can download and infect Internet Explorer with spyware and adware even if you use a Java-supporting alternative browser like Firefox, F-Secure reported in its daily blog. The firm has labeled this Trojan Java.OpenStream-T.

"What is happening here is that the Trojan is in signed Java archive… signed with [a] valid certificate," the firm said on its blog. This causes the Java runtime to ask users if "this applet should be executed or not. And if [the] user answers yes, the Java applet is given all the access that any other binary running under the user account would have."

This allows the Trojan to do the same damage as any other Java downloader Trojan, but without using any kind of exploits, F-Secure said.

"Also what makes the case interesting is that this Trojan is probably not intended to work with Firefox or any other alternative browser," F-Secure said. "The Trojan works just because the Trojan author did not use any Microsoft specific code, thus making the Trojan portable to other platforms. So if a Web site asks you whether you want to run Java applet, and you are not intending to run some Java application you trust, just answer no."
