May 18, 2012

amnesty.org.uk hacked

As can be seen from a post from Websense, amnesty.org.uk was hacked again, again...

HTML code showing the exploit embedded in amnesty
(screenshot from websense)

The exploit used is CVE-2012-0507 ("Java AtomicReferenceArray Type Violation Vulnerability"), which is exploited using the Metasploit Framework (MSF).

As can be seen, the malware is hosted at hxxp://www.48groupclub.org/images/uploads/Image/sethc.exe (file backup).

sethc.exe's certificate

By examining the file's certificate it becomes clear that this file is not the same as the one Websense saw.
Some things seem odd... like what's up with the "http://billgates-serve/CertEnroll/VeriSign Class 3 Code Signing 2011-2 CA.crl" ?!
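A triage check for the oddity noted above, as an added example that is not from the original post: it flags a CRL distribution point that sits on a single-label host or under /CertEnroll/ (the default CRL publishing path of a Microsoft AD CS server) while the issuer name claims a public CA. The function names, the marker list, the issuer name (taken from the CRL file name) and the comparison URL are assumptions made for illustration.

```python
from urllib.parse import urlsplit, unquote

# Assumption: issuer-name fragments that should only appear on public CA certificates.
PUBLIC_CA_MARKERS = ("verisign", "thawte", "digicert", "globalsign")


def crl_url_findings(crl_url):
    """Return structural reasons a CRL distribution point looks like a private CA."""
    findings = []
    parts = urlsplit(crl_url)
    host = (parts.hostname or "").lower()
    path = unquote(parts.path).lower()
    # A host with no dot (and not an IPv6 literal) only resolves inside a LAN.
    if host and "." not in host and ":" not in host:
        findings.append("single-label host '%s' only resolves on a local network" % host)
    # AD CS publishes its CRLs under http://<server>/CertEnroll/<CA name>.crl by default.
    if path.startswith("/certenroll/"):
        findings.append("/CertEnroll/ is the default CRL path of a Microsoft AD CS server")
    return findings


def is_suspicious(issuer_cn, crl_url):
    """True when the issuer claims a public CA but the CRL points at a private one."""
    claims_public = any(m in issuer_cn.lower() for m in PUBLIC_CA_MARKERS)
    return claims_public and bool(crl_url_findings(crl_url))


# CRL URL quoted in the post; issuer name assumed from the CRL file name.
SAMPLE_ISSUER = "VeriSign Class 3 Code Signing 2011-2 CA"
SAMPLE_CRL = "http://billgates-serve/CertEnroll/VeriSign Class 3 Code Signing 2011-2 CA.crl"
# Constructed comparison values: a CRL hosted on the CA's own public domain,
# and an honestly named internal enterprise CA.
PUBLIC_ISSUER = "VeriSign Class 3 Code Signing 2010 CA"
PUBLIC_CRL = "http://csc3-2010-crl.verisign.com/CSC3-2010.crl"
INTERNAL_ISSUER = "Example Corp Issuing CA"
INTERNAL_CRL = "http://pki01/CertEnroll/Example Corp Issuing CA.crl"

if __name__ == "__main__":
    for issuer, url in ((SAMPLE_ISSUER, SAMPLE_CRL),
                        (PUBLIC_ISSUER, PUBLIC_CRL),
                        (INTERNAL_ISSUER, INTERNAL_CRL)):
        print(issuer, "->", "SUSPICIOUS" if is_suspicious(issuer, url) else "ok")
        for reason in crl_url_findings(url):
            print("   -", reason)
```

An internal CA with an honest name produces the same structural findings but is not flagged; the mismatch between the claimed public issuer and the private CRL location is what makes the sample stand out.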

I won't be analyzing the file (but if anyone does, then please post a comment with a link!). However, by just looking at some strings in a hex editor, it very much looks like the origin of the file is China.
C:\Program Files\SogouPinyinUp.exe
C:\windows\1.dll
QQGameDl.exe
C:\Program Files\1.exe
And Resource Hacker "confirms" this:
Resource Hacker showing language = LANG_CHINESE

The website: 48groupclub.org
I've inspected the website 48groupclub.org, and well, I'm not impressed. It literally took me less than five minutes to hack the site - only using free online script-kiddie tools... Point-click'n'access :(

What is wrong with the site? First I found a SQL Injection vulnerability. Then I extracted the username and plaintext password! And from here I could easily log in.

I can't tell how the hackers managed to upload the sethc.exe file (I couldn't find any place to upload files), but the website contained lots of vulnerabilities, so any unintended upload-vulnerability wouldn't surprise me.

Another interesting vulnerability I found is the "backup feature", which is basically a world+dog-readable dump of the database. Now, opening the file in any standard program will create a popup asking for a password, but as shown here (Jet MDB security - under the hood), the file isn't actually encrypted; it's just "protected" via security through obscurity, which is very bad:


(NirSoft Access PassView 1.12)


I have contacted the site, but haven't heard anything from them.
