Security Bytes: Turning servers into 'malcode pushers'

Attackers turn servers into malcode pushers
An attack on site-hosting servers last weekend was apparently designed to turn infected machines into malcode pushers, according to the Bethesda, Md.-based SANS Internet Storm Center (ISC).

"We have received reports and evidence that a number of companies that provide shared hosting Web servers have had their servers exploited and all of the customer homepages modified so that visitors are attacked," the ISC reported on its Web site Sunday.

The ISC reported that hackers used multiple means to infect computers. In some instances a script was tacked to all home pages of sites hosted on infected servers. If a user visited one of those pages, the script would redirect them to a malicious site.

"The second attack vector involves DNS [cache] poisoning," the ISC said. "We are not quite sure yet how this is being done, as the files that we've received so far 'only' install the ABX toolbar and do not seem to contain DNS/DHCP poisoning code."

Attackers tried to make the onslaught more difficult to stop using Dynamic DNS, a service that allows users to automatically update the DNS server when an IP address is automatically assigned to a network device.

"When the issue was first reported, the three involved domain names were resolving to www.7sir7.com (217.160.169.87); 123xxl.com (217.160.169.87, 207.44.240.79, 216.127.88.131); and abx4.com (217.160.169.87, 207.44.240.79, 216.127.88.131)," the ISC said.

"Until a few hours ago, the address being served up was '217.16.26.148' for all three domains. Thus, the parties behind this attack have quite skillfully 'shifted' the target whenever an ISP started to block traffic or to shut down one of their servers. The involved DynDNS providers have been contacted in the meantime and were very responsive."

Regulators shut down bogus antispyware vendor
A software vendor that tried to drive up sales by offering to clean up nonexistent computer spyware has been temporarily shut down, U.S. regulators told the Reuters news service.

Reuters said the makers of Spyware Assassin tried to scare consumers into buying software through pop-up ads and e-mail that warned their computers had been infected with malicious monitoring software, the Federal Trade Commission said.

Free spyware scans offered by Spokane, Wash.-based MaxTheater Inc. turned up evidence of spyware even on machines that were entirely clean, and its $29.95 Spyware Assassin program did not actually remove spyware, the FTC said, according to Reuters.

A U.S. court has ordered the company and its owner, Thomas Delanoy, to suspend its activities until a court hearing, which was scheduled for today. The company could be required to give back all the money it made from selling Spyware Assassin, the news service added.

Java Trojan can download spyware on alternative browsers
Finnish security firm F-Secure Corp. said it has proof Java is indeed a portable programming environment:

Christopher Boyd from Vitalsecurity.org has found a Java Trojan that can download and infect Internet Explorer with spyware and adware even if you use a Java-supporting alternative browser like Firefox, F-Secure reported in its daily blog. The firm has labeled this Trojan Java.OpenStream-T.

"What is happening here is that the Trojan is in signed Java archive… signed with [a] valid certificate," the firm said on its blog. This causes the Java runtime to ask users if "this applet should be executed or not. And if [the] user answers yes, the Java applet is given all the access that any other binary running under the user account would have."

This allows the Trojan to do the same damage as any other Java downloader Trojan, but without using any kind of exploits, F-Secure said.

"Also what makes the case interesting is that this Trojan is probably not intended to work with Firefox or any other alternative browser," F-Secure said. "The Trojan works just because the Trojan author did not use any Microsoft specific code, thus making the Trojan portable to other platforms. So if a Web site asks you whether you want to run Java applet, and you are not intending to run some Java application you trust, just answer no."