Breaking news

It still requires user interaction, so it is not that much different from tricking the user to download and install an exe.

You clicked "Yes" when it asked you to install something that you had no idea what it was and did not request... That's not "browseritis," that's stupidity. You got what was coming to you.

deorece necesita interactiunea utilizatorului

acest exploit afecteaza toate browserele cu suport java

Entire web farms hacked to serve up the 7sir7 redirect

We have received reports and evidence that a number of companies that provide shared hosting web servers have had their servers exploited and all of the customer homepages modified so that visitors are attacked. In one case, a Perl script was used to modify each customers homepage with the additional IFRAME snippet that fellow handler Lorna had already reported in the diary two days ago. The Perl script reads in the web server configuration (httpd.conf) on a compromised server, and then appends the malicious iframe code to all the index.html pages of all the virtual hosts available on this server. The same reader who managed to isolate this script has also contributed a script written by himself to clean up the affected pages. If you shout loud enough, we might include it in tomorrow's diary :-)

The page at 7sir7 is making use of several recent vulnerabilities in order to download and install malware on the PC of whoever visits the site.

- Exploits the .ANI cursor vulnerability (MS05-002)
- Exploits the HTML Help Cross Domain Vulnerability (MS05-001)

If successful, the exploits drop either of two files "mhh.exe" or "sr.exe", both of which so far are only recognized by Kaspersky and called (not-a-virus:AdWare.ToolBar.SearchIt.h). The files have been submitted to the other AV vendors.

DNS Cache Poisoning

The second attack vector involves DNS poisoning. We are not quite sure yet how this is being done, as the files that we've received so far "only" install the ABX toolbar and do not seem to contain DNS/DHCP poisoning code. One submission stated that the whole problem started when he added an ip helper-address on the router to one of the VLANs that had infected PCs on it. The DNS server was running W2K and Symantec Web Security, and once it was open to broadcasts from the affected subnet, all systems that made DNS requests got redirected to 7sir7.

SE1R33 16.03.2005

New Definitions
============================================

    * VoiceIP
    * Dialer.PrivateAccess
    * Win32.Worm.Agobot.E


Updated Definitions
============================================

    * Abox +2
    * AsianRaw Dialer
    * EGroup Dialer +2
    * IMSDialer +2
    * Win32.Backdoor.Agobot
    * Generic Dialer
    * ClickSpring
    * CoolWebSearch +2
    * eSyndicate BHO
    * eZula
    * IST.Slotch
    * MidAddle +2
    * Statblaster +2


MD5 for the defs.ref file: 390045468f18afed6ca0f94d3cd8b200

Install Microsoft Windows Server 2003 Service Pack 1 (SP1) to help secure your server and to better defend against hackers. Windows Server 2003 SP1 enhances security infrastructure by providing new security tools such as Security Configuration Wizard, which helps secure your server for role-based operations, improves defense-in-depth with Data Execution Protection, and provides a safe and secure first-boot scenario with Post-setup Security Update Wizard. Windows Server 2003 SP1 assists IT professionals in securing their server infrastructure and provides enhanced manageability and control for Windows Server 2003 users.

SE1R35 31.03.2005

Updated Definitions
============================================

    * AdIntelligence.Apropos Toolbar +3
    * BarginBuddy
    * Begin2Search
    * Claria
    * ClearSearch +5
    * CommonName
    * CometSystems
    * CoolWebSearch +7
    * IEHijacker.Hotoffers
    * IntexusDial
    * Marketscore(Netsetter)
    * MediaMotor +2
    * NavExcel +2
    * Prutect +3
    * TIB Browser
    * Win32.TrojanDownloader.Swizzor.br +7


MD5 for the defs.ref file: ccceb757adfec87414244aebb49120bc

Additional Information
============================================
You can use Webupdate to install the new reference file, or download it manually from:
http://download.lava...public/defs.zip

On 12 April 2005 the Microsoft Security Response Center is planning to release:

- 5 Microsoft Security Bulletins affecting Microsoft Windows. The greatest aggregate, maximum severity rating for these security updates is Critical. Some of these updates will require a restart.

- 1 Microsoft Security Bulletin affecting Microsoft Office. The greatest aggregate, maximum severity rating for these security updates is Critical. These updates will not require a restart.

- 1 Microsoft Security Bulletin affecting MSN Messenger. The greatest aggregate, maximum severity rating for these security updates is Critical. These updates may require a restart.

- 1 Microsoft Security Bulletin affecting Microsoft Exchange. The greatest aggregate, maximum severity rating for these security updates is Critical. These updates will not require a restart.

In addition, Microsoft will release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update and the Download Center. Note that this tool will NOT be distributed using Software Update Services (SUS).

Finally, Microsoft will release two NON-SECURITY High-Priority Updates for Windows on the Windows Update site. These will be distributed to Software Update Services and are not required to install the security updates.

April 12th is also the date all copies of pre-SP2 XP with automatic updates enabled will receive Service Pack 2. The blocking tool stops working after this date.