Wednesday, June 20, 2007

Mpack attacks and Yahoo's cross-site scripting POC.

A malware distribution and attack kit sold commercially through underground channels on the Internet has compromised hundreds of thousands of systems in the past six months, including an epidemic of infections that hit Italian Web servers this past weekend, according to security and antivirus firms. Known as Mpack, the kit consists of commercial-grade software components written in the PHP Web programming language and apparently sold by a group of Russian programmers. The software, which comes with a year of support, was first mentioned in an analysis penned by antivirus firm Panda Software. In mid-May, Panda stated that the software had compromised at least 100,000 computers.

The kit uses techniques similar to previous attacks that leverage legitimate Web sites that have been compromised to redirect visitors to malicious download sites. The software uses HTTP header information to send exploits that target the victim's specific browser. The software has garnered attention this past weekend because a number of compromised Web sites in Italy have redirected visitors to malicious sites running Mpack, according to antivirus firm Trend Micro. The Mpack kit sells for around 1,000 dollars.

If you've been following the media, you'll know that the majority of sites affected are in Italy. Although it hasn't caused anything like the havoc wreaked by the worm epidemics of 2004 and 2005, Italian TV went so far as to warn viewers of the danger...
And that's not all...
Proof-of-concept code for a cross-site scripting (XSS) exploit involving Yahoo Mail has been discovered recently. The POC code comprises two components. The first component is a CGI script directly responsible for the exploit, while the second component acts as a module that generates a URL string, which is critical to the execution of the exploit. The first component is installed on a web server and is supposed to execute whenever a user visits a web page hosted on that server. The second component then takes the path of the CGI script on the web server and appends a Yahoo URL string to it, producing an entirely new URL. This URL can be sent to an unsuspecting user through an innocent-looking email or YM message. When the user clicks on the URL, his Yahoo account becomes compromised. Fortunately, this piece of POC code does nothing but display an email from the user's inbox in a web page outside Yahoo's domain. Despite its limited functionality, the POC code has made its point: the user's web mail account can be compromised by a simple click on a link.
Needless to say, both are of course detected by your AV product.