
MCRC Blog - 2008

| Date | Title | Excerpt |
| --- | --- | --- |
| May 07, 2008 | Attacker toolkits for free | During our ongoing research we came across one curious site. The site is hacking/security oriented, and is written in Russian (hmm... last time I checked it was in the Netherlands), and not significantly different from many other similar sites. |
| May 06, 2008 | Crimeware server catering to “grab and run” criminals | During our research for the latest Malicious Page of the Month that has just been released, we came across a domain that was being used as command and control for the Crimeware that was executed on attacked machines. This domain was also used as the “drop site” for private information being harvested by that Crimeware. |
| Apr 06, 2008 | New neosploit - without MDAC :) | Most attack toolkits have some things in common, one of which is an exploit against the MDAC vulnerability (patched in 2006); MDAC is also in many cases the first exploit the attacker tries to use. |
| Mar 26, 2008 | On the (dis)merits of privacy | Following up on my last post, after filing a complaint with the abuse department of privacyprotect.org (and blogging about the problem), I have just received an update noting that: |
| Mar 19, 2008 | Taking down a malicious site - the good, the bad, and the ugly... | As part of the “closure” on the February Malicious Page of the Month, which involved meoryprof.info (taken down) and spywaresafe.net, we have contacted the appropriate parties in order to notify them that these websites contain malicious code. |
| Mar 17, 2008 | About window of vulnerability (and MS08-017) | We here at the MCRC conduct independent vulnerability research once in a while, in order to provide our customers the best protection we can offer. The last MS security update included fixes for 2 vulnerabilities in the MS Office Web Component that we discovered, one of which (CVE-2007-1201) was reported to Microsoft two years ago (!!). This means a 2 year long window of vulnerability. Needless to say, Finjan customers have been protected for the last 2 years against exploitation of this vulnerability, even at times when this vulnerability has been used in the wild with no patch available. |
| Mar 16, 2008 | Optimizing Cross Site Scripting - and general security practices | We have been working recently on an XSS attack that impacted a huge number of potential victims, as the attack itself has been “optimized” by SEO (Search Engine Optimization) practices that pushed it to Google’s indexes. |
| Mar 03, 2008 | From 0day PoC to attack | I’m not about to discuss the pros/cons regarding full disclosure, just to show an amusing example of it: A 0day vulnerability was discovered in “Rising” – a Chinese AV product (insecure method vulnerability) and a PoC was published at milw0rm.com. Today we found a site trying to exploit the vulnerability, but the funny thing is, it used the PoC as is (changing only the payload URL, and using obfuscation to hide it), leaving the original function name (test) and “GO !” button to trigger it (i.e. the exploit will only run once the user clicks the “GO !” button). Needless to say, the exploit is served as a hidden IFrame so the user won’t even see the button. |
| Feb 28, 2008 | Crimeware server and the international man of mystery | While conducting research for the latest Malicious Page of the Month we have just released, we tried to track down the origins of the crimeware. |
| Feb 19, 2008 | NeoSploit V.2.0.15 - and behind the scenes | As part of our on-going research we had the chance to “meet in person” some parts of the server side operations behind the new version of the NeoSploit toolkit. |
| Jan 17, 2008 | The impact of just 5 random letters... | We have been watching in amazement what kind of impact our latest Malicious Page of the Month has had on the industry and media. |
| Jan 06, 2008 | And the winner for "top virus" of 2007 is... | Not a virus. Not even a malware. Neither is the runner up... It's the method of how malware is populated. |