The malware contained on 89.149.253.17 is a DNS changer which can then forcibly (and surreptitiously) redirect the user to sites other than they expected. And because the DNS changer can resolve any domain to any IP, the effect would be seamless - and serious. For example, an infected user that typed in the URL for the bank website could have it resolved to an IP not owned by the bank. That IP could (and likely would) host a look-alike site for the legitmate bank and steal their account credentials when they attempted to login.

There's an old saying in the industry that you are only as secure as your weakest link. In this case, presumably, that weakest link was a workstation somewhere within Nature Publishing Group. And because of their considerable web presence, that single Trojan infection was able to impact an untold number of users who might have visited nature.com over the past couple of days. Within Wikipedia, nature.com is one of the top 500 linked sites (#333 according to Newswriter). And according to Quantcast, Nature.com is "a top 5,000 site that reaches over 877K U.S. monthly uniques". That would be about 29.3k unique visitors each day that risked exposure during the compromise (which fortunately has since been remedied).

Who's your weakest link?

All of this is having an enormous impact on web surfers. Because while individually these middle tier sites may not pack in the visitors, collectively they make up the long tail of the Web and account for the bulk of all Web traffic. In April alone, 49% of customers, or a ratio of 1:2 customers innocently accessed one of these impacted sites (of course, protected by ScanSafe throughout).

We'll be sending out more details about this ongoing attack in the coming week.

yl18.net (Oct/Nov)
uc8010.com (Dec/Jan)
2117966.net (Mar)
nmidahena.com (Apr)
414151.com (Apr)
aspder.com (Apr)
nihaorr1.com (Apr)

The attacks, targeting improperly code ASP/ASPX running under Microsoft SQL Server, are rendered using hexadecimal queries, as seen in the following abbreviated example:

DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x6400650063006C00610072
006500200040006D00200076006100720063006800610072002800380030003000300029003B00730065
007400200040006D003D00270027003B00730065006C00650063007400200040006D003D0040006D002B
0027007500700064006100740065005B0027002B0061002E006E0061006D0065002B0027005D00730065
0074005B0027002B0062002E006E0061006D0065002B0027005D003D0072007400720069006D00280063
006F006E007600650072007400280076006100720063006800610072002C0027002B0062002E006E0061

Briefly, the CAST command seen in the example above converts the hexadecimal into a standard string. The converted result is a SQL query that searches for table objects which contain text strings, looping through those found and appending the malicious iframe to each.

That the method is nearly identical between all the attacks means little -  an automated tool is presumably used in each of the instances, thus one would expect similarly formed attacks. However, the attacks share many other commonalities with one another which point to a possible connection.

 Four of the domains - uc8010.com, nmidahena.com, 414151.com, and nihaorr1.com - have very similar (though obviously bogus) whois info (including the repeated use of the surname "Zhang", the most common surname in China). And each of the four also share the same primary and secondary DNS:

    Primary DNS:  dns.51ym.com  219.153.20.207
  Secondary DNS:  dns1.51ym.com  61.128.198.181

Though the aspder.com whois info varies considerably from the others, the IP address for the domain (60.172.219.4) is also shared by 414151.com - which as mentioned, shares many similarities to uc8010.com, nmidahena.com, and nihaorr1.com.

The two that don't match directly (other than via the method of attack) are yl18.net and 2117966. There is no whois data for yl18.net to which to compare. But there are interesting patterns in some of the whois details that indicate a possibility of a connection between 2117966 and aspder.com (and, as noted, aspder.com appears to have a direct link to 414151.com, which in turn shares many similarities with the rest).

The attacks themselves appear to be progressive in nature. With each successive attempt, the attacker(s) appear to be honing their targeting skills. As an example, the uc8010 attacks in December/January targeted obscure, seldom visited pages (the Ikea website was one of the few exceptions - multiple highly visited pages on that site were impacted). And while the 2117966.net attacks impacted considerable numbers of sites, an equally considerable number of the attacks failed because the output was munged and incapable of running. 

In April, however, both the targeting and the output quality had evolved considerably - most particularly in the nihaorr1.com attacks.

As an example of that targeting, in addition to tens of thousands of sites worldwide, the nmidahena.com attacks compromised hundreds of gov.cn sites, the effects of which can still be seen in this Google search. Coincidentally, the nmidahena.com domain also had one of the shortest lifespans of any of these seemingly related SQL injection attack domains (ScanSafe's TTL estimate is 4 days). When the nihaorr1.com attacks appeared later in April, the attackers appeared to take great care to avoid gov.cn domains. As ssen in this Google search, of those Chinese sites that were impacted, most were primarily those with English language pages. 

In the month of April, approximately 12% of all ScanSafe malware blocks were a result of the nmidahena.com, 414151.com. aspder.com, and nihaorr1.com attacks - and approximately one in five customers attempted to access one of the infectious pages (but they were protected, of course, by ScanSafe).

So, a likely connection between most or all of these seven attacks and an increase in proficiency such that the latest round targeted not only much higher profile pages, but was also honed to avoid certain types of sites. Wonder what's next?

The entry led with a link to their post on the mystery host server compromises first reported by ScanSafe. The context for inclusion of that link (http://isc.sans.org/diary.html?storyid=3834) wasn't made clear. This led to assumptions that the SQL injection tool that SANS was discussing was the tool used in the host server compromises, as seen in this article: "Security gumshoes locate source of mystery web compromise".

In fact, the two are unrelated. SANS was kind enough to post an update to clarify this. That update reads, in part:

"First, let me clarify that this attack is a pure SQL injection. There was another mass attack at the beginning of the year which was more sophisticated and involved complete compromise of the web servers (i.e. the bad guys had the root access to the servers).
The tool described in this diary was used in the attack described in Kevin's diary (http://isc.sans.org/diary.html?storyid=4139)."

In other words, not the attacks discussed in Mari's SANS diary entry @ http://isc.sans.org/diary.html?storyid=3834.

On April 3, Trend Micro had also reported on the use of automated tools in the ongoing SQL injection attacks. It's not clear whether SANS is reporting on the same tool or a different one. What's interesting is that the tool(s) native language is Chinese, casting some doubt on claims that the recent round of SQL injection attacks are originating in Russia.

Now getting back to the still unsolved mystery web host compromise, we continue to block malware resulting from those host server attacks and the investigation into the source of those attacks is still ongoing. The situation has improved dramatically though. In March, the blocks from the host server attacks represented .3% (that's point three percent) of all malicious traffic, down from a high of 15% (fifteen percent) when the attacks were first reported in January.

Needless to say, we’ll be watching closely for the results. If I had to wager, I’d say we’ll hear a lot more about it in the days to come and that most of it will favor Untangle at the expense of other vendors.

So much for the first rule of Fight Club being that you don't talk about Fight Club .

A few things to ask yourself about this:

1. Is this even a real fight? Untangle is not an independent, objective product reviewer. Untangle is a security vendor. A sentence from their own press release reads: “The Untangle Gateway platform, the world’s first commercial-grade open source solution for blocking spam, spyware, viruses, adware and unwanted content on the network, provides a free and better alternative to costly, inflexible proprietary appliances.” Untangle clearly has an agenda.

Last summer at Linux World, Untangle conducted a similar “fight club” with anti-virus products. To no one’s surprise ClamAV, an open source solution that Untangle uses in its gateway product, was among the winners.

The point is that any reputable security firm will more than happily agree to have their products and services tested by independent reviewers without an agenda—like test labs or publications. And often the best most accurate test of a solution comes from businesses that have deployed it in a real world environment.

2. Methodology. Little information has been made available about the test methodology. A page on Untangle’s website promises that the methods and results will be made publicly available “to encourage discussion.” To date nothing has been made public except their widely circulated press release that merely states that the fight club “…will establish a baseline metric for porn filtering.”

Statements by Untangle to the press indicate that the test will focus exclusively on pornography and the PCs protected by the various filters will be used to search for 5,000 popular porn URLs to uncover whether the PC blocks them or not. It also indicates that Untangle has done some preliminary testing.

I’m not sure what purpose is served by a “test” that it is so limited. I mean why just test porn? What about other potentially offensive content? Seemingly all you need to do to win the fight is block these sites. There’s no attention given to sites blocked erroneously (like a medical site blocked as porn) or to perhaps the biggest web threat---malware.  Anyone who thinks a web filtering solution can be accurately tested by visiting well known porn sites has a very small and dated view of the Web security market. Web threats are increasingly found on legitimate, trusted sites, not just dodgy sites.

3. The participants. While we’re flattered to be included in this “fight club” some of the other big names in web content filtering—including Blue Coat and Secure Computing—are notably absent.

We’re not sure why Untangle has omitted these vendors, but it does make one wonder about the validity, scope and purpose of this fight club.

While we here at ScanSafe are always up for a good fight (win or lose), I’m not sure that’s what we’ll see. I hope Untangle proves me wrong.

The malicious script referenced by the iframe attempts to exploit the Microsoft XMLHTTP ActiveX Control Code Execution Vulnerability described in MS06-071, as well as the RDS Data Control vulnerability described in MS06-014). The following CLSIDs are targeted:

BD96C556-65A3-11D0-983A-00C04FC29E36 (RDS Data Control)
AB9BCEDD-EC7E-47E1-9322-D4A210617116 (Business Object Factory)
0006F033-0000-0000-C000-000000000046 (Outlook Data Object)
0006F03A-0000-0000-C000-000000000046 (Outlook.Application)
6e32070a-766d-4ee6-879c-dc1fa91d2fc3 (Microsoft Update Web Control)
6414512B-B978-451D-A0D8-FCFDF33E833C (Software Distribution Web Control)
7F5B7F63-F06F-4331-8A26-339E03C0AE3D (WMI Object Broker)
06723E09-F4C2-43c8-8358-09FCD1DB0766 (VsmIDE.DTE)
639F725F-1B2D-4831-A9FD-874847682010 (DExplore.AppObj)
BA018599-1DB3-44f9-83B4-461454C84BF8 (Microsoft Visual Studio DTE)
D0C07D56-7C69-43F1-B4A0-25F5A11FAB19 (Microsoft.DbgClr DTE Object)
E8CCCDDF-CA28-496b-B050-6C07C962476B (VsaIDE.DTE)

As with several other known malware hosts, the IP for the site hosting the malicious script resolves to HopOne Internet, a US-based co-location provider. HopOne doesn't host sites directly, they do that through their resellers. Those resellers likely sell to other hosting resellers, and so on. These multi-tiered affiliate relationships can short change users, since the time it takes to play "who's the real host" extends the time the malware site is live. And, of course, that's exactly what the attackers want.

Some of the pages that have been compromised were completely replaced by the malicious iframe. For example, a page that should point to a specific automobile model will instead appear (on the surface) to be blank. Other pages have the malicious iframe embedded in the normal page source.

This is the second (known) compromise of the Honda Thailand website in recent months. In October 2007, the Honda Thailand website was defaced by a Turkish hacker who uses the moniker PowerDream.

The team of Dr. Charlie Miller, Jake Honoroff, and Mark Daniel (this team was also one of the first to discover vulnerabilities in the Apple iPhone), chose the Mac. It took seven and a half minutes to boot the MacBook, but only 30 seconds to compromise it. So how’d they do it? They tricked the judges into visiting a specially crafted website designed to exploit a zero-day vulnerability in Apple’s Safari browser.

The cash prize was $10,000 and the MacBook Air retails for between $1800 to $3000 USD. So roughly, the team earned a little over $400 a second, excluding boot time. The contest was sponsored by Tipping Point Zero Day Initiative and the exploited zero-day vulnerability was responsibly disclosed to Apple.

For further details, see “PWN to OWN Day Two: First Winner Emerges!“

For example, yesterday's suit accuses Ron Cooke and spouse Jane Doe Cooke of manipulating consumers into buying a bogus pop-up blocker and then using the installed pop-up blocker to spam pop-ups to even more potential victims. See: Messenger Solutions/Cooke Complain (PDF)

Rogue software generally comprises about 5% of all ScanSafe malware blocks. The most ubiquitous claim the user's system is infected when in fact the product isn't even capable of detecting real infectors. Once hooked, the user is instructed to purchase the bogus product in order to remove the erroneously indentified threat. Instead of getting a legitimate malware scanner, users are installing a Trojan downloader that will continually deliver a stream of unwanted and often harmful programs.

The initial hook (the social engineering aspect) is typically delivered via pop-up or banner advertisements. When the user clicks through (or is sometimes forcibly redirected), the resulting site generally delivers a fake scanning screen. In reality, no scan has taken place; it's all just smoke and mirrors to trick the unsuspecting.

These rogue scanners are constantly being morphed to avoid detection by traditional signatures. 73% of all rogue scanners blocked by ScanSafe in February were blocked via Outbreak Intelligence (Oi), a blend of behavior and reputation based technologies specifically designed to ferret out emerging new threats.

It also appears the actual number of sites compromised is much lower than has been reported. Or the sites/pages are so obscure, even Google and Yahoo don't acknowledge their existence. Based on search engine results for the script, it appears that only 200 or so sites were impacted with under 3000 pages overall (and again, in most cases the output was HTML-encoded and thus the script was neutered). And, no, I didn't go through each of the 2,880 individually - just enough to feel statistically comfortable with the use of the word "most".

In fact, so many non-functioning examples were encountered, I began wondering whether they were all running Microsoft IIS (which automatically encodes HTML output for ASP) - or had the attacker simply made a mistake? Either way, a broken script is the same thing as no script as far as risk of exposure goes.

The Trend Micro angle is an interesting case study though:

• It underscores that no site is completely immune from compromise;
• It serves as a great example of how we at ScanSafe wish all sites would respond - Trend immediately removed the pages at the moment of discovery; and
• It demonstrates how properly HTML-encoding special characters on output can keep site visitors safe even when the input validation has failed.

Kudos, Trend.

"No Web site is one hundred percent safe. There are Web sites with high-level security, but there is always a weakness." (Xiao Chen, Chinese hacker)

The Chinese hackers claim to have broken into U.S. Pentagon systems and subsequently sold the information to Chinese government officials. (The Chinese government denies the hackers' claims). But while cross-country cyber espionage is heady stuff, it's far outpaced by the everday attacks on the 'average joe'.

ScanSafe's January 2008 global threat report (PDF) includes a heat map which shows the distribution of malware-hosting web sites throughout the world. Collectively, China holds the #2 spot. The U.S. has the dubious distinction of being #1. But the January heat map includes all types of malware hosts, including those that may be the result of compromised computers (i.e. botnets), or resulting from rogue advertising.

When viewed from the perspective of password-stealing Trojans, China tops the list, dramatically so. A full 48% of the password-stealing Trojan hosts originate in China, compared to 28% in the U.S., 8% in Korea, 5% in the U.K, and 5% in Brazil.

Of course, most of us would never knowingly visit a malicious web site. But even visiting the most reputable of sites can lead to infection. And that's just where hackers like Xiao Chen come into play. Highly skilled, extremely patient, and possessing more knowledge of search engine optimization (SEO) techniques than even the most savvy marketing pro, today's hackers can ferret out and exploit a range of vulnerabilities on legitimate web sites, planting hidden scripts and iframes that silently deliver the malware hosted on the attacker-owned site. And once a site has been compromised, the hacker may put their SEO skills to work, boosting the site's ranking in search engine results to increase traffic to the compromised sites, thus increasing the number of potential victims.

So how do some of the other malware hosting categories stack up?

Worms: China 33%, U.S. 24%, U.K. 10%, India 10%, Russia 5%
Virus: U.S. 45%, U.K. 14%, China 6%, Korea 5%, Spain 5%
Droppers: U.S. 33%, Russia 18%, China 18%, Austria 8%, U.K. 8%
Backdoors: U.S. 48%, U.K. 6%, Nethlands 6%, France 4%, Spain 4%

Regardless of which country tops the list in any given malware category, geography alone is no key indicator of malware potential. Bottom line, you might get pwned by a hacker from China. But it's just as likely to be from some kid living in Kansas. Web site compromise is an equal opportunity employer and knows no boundaries, geographic or otherwise. Or to paraphrase Xiao Chen, no web site is safe - and no one country is completely to blame.