Redmondmag.com and related sites serving up malware

One notable name that keeps coming up with regards to the latest round of SQL Injection attacks is Redmondmag.com, published by 1105 Media, Inc as well as a number of sister sites. For a publication for IT professionals to be so badly impacted by SQL injection attacks raise some eyebrows.

A quick bit of Google searching shows how bad it is: a search for sysid72.com "1105 media" shows 35 infected pages belonging to virtualizationreview.com, visualstudiomagazine.com, redmondmag.com, reddevnews.com and certcities.com. Searching for xiaobaishan.net "1105 media" comes up with 121 matches for tcpmag.com and certcities.com. There are similar hits when searching for en-us18.com and locale48.com.

An alternative search you can do is b.js "1105 media" where this current batch of injected javascripts can clearly be seen (of course, this blog entry will also turn up for the same search string in time!)

This problem goes back to at least April when redmondmag.com was infected by the nihaorr1.com attack.

Here's the thing: the sites showing up in Google are not infected at the moment, but they were when Google crawled them. Clearly 1105 Media cleans up the attacks quickly, but it has not yet managed to secure its SQL server against injection attacks. Perhaps 1105 Media should read some of their own articles on the subject (see redmondmag.com/news/article.asp?editorialsid=9928 - visit at your own risk!)

The BBC iPlayer in a corporate environment

The BBC have spent a lot of time and money developing the BBC iPlayer it turns out that it's just another P2P application running on Kontiki.

So, I've written a guide for corporate IT departments giving them a pointer as to what the iPlayer is all about and how to block it - which it turns out should be easy enough!

Blocking BBC iPlayer, 4OD and Sky-by-Broadband

Empireonline.com compromised

The popular movie site Empireonline.com was compromised this morning, with a rogue IFRAME - this was around 9am UK time this morning. The site now appears to be fixed.

The IFRAME connects to a page called g.htm on g.ignfile.cn which appears to be a malware server hosted on 61.151.239.13 in China. For obvious reasons, I'm not including a clickable link but see the screenshot of the source below:



g.htm loads a couple of IFRAMES and has a web counter.



014.htm has some nasty obfuscated javascript:



The other IFRAME is called imags1.htm, this leads to a compromised file on a server called sexbb888.com. It is likely that the server has been hijacked, and the site owners are unaware of the problem.



Both appear to be using variants of the MS07-017 vulnerability from April 2007, although the nature of the payload is uncertain.

In any case, the problem appears to be fixed and anyone with a fully patched system should have been protected. Still, it's a good example of how trusted sites can fall prey to malware pushers.

MS07-039 clarification

Yesterday was Patch Tuesday, and amongst the usual load of vulnerabilities was MS07-039 - Vulnerability in Windows Active Directory Could Allow Remote Code Execution (926122) - however in this case Microsoft are a little vague about exactly which servers are impacted, referring only to "Active Directory Servers".

Well, what are Active Directory Servers? If you're running an AD environment then all servers are members servers of Active Directory. Does these mean that all servers needs patching, or is it restricted to Domain Controller (DC) and Global Catalog (GC) servers only? Patching DCs and GCs isn't too big a deal.. patching all servers for MS07-039 would be a nightmare.

One the clue is in Knowledgebase article 926122 which explains that this really is limited to servers performing the DC/GC role:

A hotfix was created to work around a problem in which the domain controller has to be restarted to let users renew their certificates. However, this hotfix let any user renew a certificate. This security update includes a hotfix to modify this behavior. After you install this security update, authentication is required for certificate renewal.

After you install this security update, only domain administrators and network administrators can renew certificates. Also, an administrator cannot delegate the right to renew certificates.

For such a critical vulnerability, Microsoft's wording is particularly vague. It does seem that it doesn't apply to member servers, but just to Domain Controllers (including Global Catalog servers, FSMO servers etc). These are critical servers, so you should patch them soon before the bad guys get to them.

Patch Tuesday

A number of nasty looking vulnerabilities. These are my takes on the seriousness of these flaws, you should evaluate them against your own organisation.


MS07-026 Vulnerabilities in Microsoft Exchange Could Allow Remote Code Execution (931832)
A series of flaws in Microsoft Exchange 2003 and 2007, the most serious of which is a MIME decoding flaw which can allow a remote attacker to take complete control of the system through a specially crafted email message. This is an extremely serious problem because most corporate firewalls will not offer any protection against messages of this type. There are no known current exploits, but these usually come about very quickly after the vulnerability is announced.
Client impact: low
Server impact: high


MS07-029 Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution (935966)
A critical flaw in the DNS server service can allow a remote attacker to take complete control of a system. This is clearly a significant threat to any servers running the DNS service role and will patching as soon as possible. This is being actively exploited at the moment. Corporate firewalls will mitigate against this somewhat, until an infected machine enters your network.
Client impact: low
Server impact: high


MS07-023 Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (934233)
A depressingly familiar flaw in MS Office impacting Excel 2000, 2002, 2003 and 2007 and even Excel 2004 for the Mac. WSUS or some other patching method should be used to roll these out to client workstations. Safe server practices should mean that this is not so important for corporate servers.
Client impact: high
Server impact: low

MS07-024 Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (934232)
Another Office flaw, this time for Word 2000, 2002 and 2003 plus Microsoft Works 2004, 2005 and 2006 - but not Word 2007. This is being actively exploited and should be authorised for rollout as soon as possible.. Office 2000 installations will require manual remediation.
Client impact: high
Server impact: low

MS07-025 Vulnerability in Microsoft Office Could Allow Remote Code Execution (934873)
A vulnerability in the way Office handles drawing objects can be exploited by a specially crafted Office document (e.g. attached to an email) or an object embedded in a web site. This affects Office 2000, 2002, 2003 and 2007 and also Office 2004 for the Mac - primarily the Excel, Publisher and FrontPage components. It also impacts Excel Viewer 2003. This should be authorised for rollout to clients as soon as possible. Office 2000 will require manual remediation.
Client impact: high
Server impact: low

MS07-027 Cumulative Security Update for Internet Explorer (931768)
Various flaws in IE6 and IE7 on Windows 2000, XP, 2003 and Vista. Safe practice on servers should mitigate against this (i.e. restrict use of IE to Windows Update only). Some of these flaws are being actively exploited, so patch as soon as possible.
Client impact: high
Server impact: low

MS07-028 Vulnerability in CAPICOM Could Allow Remote Code Execution (931906)
Well, obviously high if you use this product, else few people will be at risk.
Client impact: low
Server impact: low

Patch Tuesday - January

A very small number of patches this month, none of which are critical for servers (assuming you don't read email, process office documents or surf the web on a server) and which may not even require a reboot on most client PCs. I've ordered these roughly in order of importance.

MS07-004 Vulnerability in Vector Markup Language Could Allow Remote Code Execution (929969)
http://www.microsoft.com/technet/security/Bulletin/MS07-004.mspx
This addresses an active exploit in IE and should be applied as soon as possible.
Client impact: high
Server impact: low

MS07-003 Vulnerabilities in Microsoft Outlook Could Allow Remote Code Execution (925938)
http://www.microsoft.com/technet/security/Bulletin/MS07-003.mspx
A series of potentially serious flaws that could lead to an exploit if the user opens a specially crafted email message. Outlook 2000 is vulnerable to this, but cannot be patched via WSUS so this would need to be applied manually where possible. Replaces MS06-055.
Client impact: high
Server impact: low

MS07-002 Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (927198)
http://www.microsoft.com/technet/security/Bulletin/MS07-002.mspx
Similar to MS07-003, and Excel 2000 is similarly impacted with no WSUS remediation.
Client impact: high
Server impact: low

MS07-001 Vulnerability in Microsoft Office 2003 Brazilian Portuguese Grammar Checker Could Allow Remote Code Execution (921585)
http://www.microsoft.com/technet/security/Bulletin/MS07-001.mspx
This only impacts Office 2003 with the Brazilian Portuguese language pack. It should be a big problem for most users.
Client impact: low
Server impact: low