Posts byRoger

Long term anti virus guy

October WebAttacker?


Hi folks,

Looks like there’s a new version of WebAttacker tonight. We just found a web site that we know to run Web Attacker and it’s clearly using SetSlice (MS06-057). We couldn’t get at the admin page, to see what else might be in the new version, but the format of the command we saw was “.cgi?type=MS06-057&SP2″, so that’s clearly new at a minimum.

If you’re patched to October, and you’re running SocketShield, you have little to fear, but if not, please be careful. Web Attacker is always widely used.

More to follow.

Roger

Chalk one up for Spamhaus

Hi folks,
Recapping briefly… last weekend, we discovered the SetSlice 0-day in use in both some of the St Petersburg Iframers websites, and in what I call the CoolWebSearch websites. By Monday, I was pleasantly surprised to find they’d been shut down. I figured that they’d made someone really grumpy.

It turns out that the grumpy ones were Spamhaus! Actually, I doubt they were really grumpy, because I doubt they take this stuff personally… but I digress… Spamhaus saw my warning about the CoolWebSearch sites using the SetSlice zero-day, and took the potentially original step of complaining to the ISP, variously known as EstHost or InHoster, and shockingly, EstHost/InHoster actually shut down those websites and a bunch of related websites immediately.

So why is this shocking? Isn’t that what ISPs are supposed to do? Well, yes, but CoolWebSearch has been serving up Windows Metafile exploits with impunity since January! 48 hours of SetSlice, and whap!…. half their network is gone.

One of four things has happened. Either …

(1) The ISP has suddenly become more responsible. Kudos to them if they have, and perhaps this is a harbinger of better days ahead, or,
(2) The ISP decided it didn’t like the heat of being associated with a zero-day. In other words, it’s fine to serve up mouldy old exploits, but not zero-days, or,
(3) The ISP is simply scared of Spamhaus, or,
(4) All of the above.

Spamhaus has been under siege lately, and I think it would behoove us all to understand and remember that they have nipped a potentially huge problem right in the bud.

Folks, do what you can to support Spamhaus.

Roger

SetSlice Update

Hi folks,

Last night our Hunting Pots found this in use in the wild at some of the St Petersburg iframers sites installing rootkits and who knows what else, and this morning, we found it in use at the CWS sites. It infects a fully patched XP SP2 quite nicely.

The CWS people have only been using WMF since december/ january, and have a very big, well-established network for drawing in victims. Imo, this represents a significant escalation.

The last time I examined it in detail, the CWS guys make money by selling their search engine to minor website operators with a pitch along the lines of “Pay us $100 per month, and we’ll guarantee 80m visitors each month”.

Then when a victim visits one of their exploit sites, they install a URL-visiting program and a list of URLs. The URL-visitor then visits each customer website in turn, forging the headers to make it look like a real visitor referred by the bogus search engine.

The minor website operator sees his 80m visitors a month, but doesn’t realize that they are just pcs…. no human eyes at all.

:-)

If they could make money with WMF, they’ll be rich from this one.

Roger