
Author Topic: Is Aminet OK/infected?  (Read 13138 times)


Offline Piru

  • ' union select name,pwd--
  • Hero Member
  • Join Date: Aug 2002
  • Posts: 6946
  • http://www.iki.fi/sintonen/
Re: Is Aminet OK/infected?
« on: May 11, 2012, 06:01:58 AM »
Yes, Aminet is infected. It attempts drive-by attacks against Windows systems via a Java vulnerability, at least. It likely uses several attack vectors depending on the target's system: Java, Flash, PDF, and vulnerabilities in the browsers themselves.

Here's how you can see the initial JavaScript payload regardless of the platform:

Code:
# Send an IE9-on-Windows User-Agent so the injected script is returned regardless of the real client platform
curl --user-agent 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)' http://aminet.net/util/arc/lha.run | less
Modifying the e(s) at the end of the code to document.write(s), we can see the actual payload decoded. It opens an iframe with the URL "http://.ibiz.cc/?go=2" that'll perform the actual drive-by attack:
« Last Edit: May 11, 2012, 06:22:04 AM by Piru »
 

Offline Piru

Re: Is Aminet OK/infected?
« Reply #1 on: May 11, 2012, 12:33:07 PM »
Quote from: carls;692725
Don't fear, you don't need the web for everything... yet.

Unfortunately you cannot trust anything coming from Aminet at this stage. The FTP could be distributing malware as well, though luckily Windows binaries are in the minority...
 

Offline Piru

Re: Is Aminet OK/infected?
« Reply #2 on: May 11, 2012, 03:04:47 PM »
I'd like to hear an explanation for this, however. Unless the method of the original penetration can be figured out and blocked, it could happen again and again (as has happened with certain other Amiga related sites). Also, it seems that the domain name used to distribute the malware has expired (or was changed deliberately).

Some official word from aminet would be in order I'd say.
 

Offline Piru

Re: Is Aminet OK/infected?
« Reply #3 on: May 11, 2012, 11:09:23 PM »
Quote from: WotTheFook;692790
We do know about it, I've been researching it all evening.
Did you manage to find out what the initial exploitation vector was? That's the most important thing to figure out. If the hole isn't fixed properly you might just get pwned again.

The timing of these issues makes me think of the recent PHP-CGI remote command injection vuln:
http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
« Last Edit: May 11, 2012, 11:13:24 PM by Piru »
 

Offline Piru

Re: Is Aminet OK/infected?
« Reply #4 on: May 11, 2012, 11:19:20 PM »
Quote from: LoadWB;692795
I was discussing this earlier today with a colleague.  Why run PHP as a CGI under *nix rather than a compiled so or compiled into the httpd?  On Windows I can see it (FastCGI,) but on a *nix machine I just don't see an advantage.

Whatever the reasons are, there are likely tens of thousands of hosts around with the vulnerable setup and the vulnerability is exploited actively. I expect to see very active scanning for these in the httpd logs.
 

Offline Piru

Re: Is Aminet OK/infected?
« Reply #5 on: May 11, 2012, 11:35:37 PM »
Quote from: Duce;692797
This is not something just hitting our little crater of the world, but a widespread problem on the internet as a whole.  The below gives a rough overview of how widespread it is:

http://www.avgthreatlabs.com/webthreats/info/blackhole-exploit-kit

Classic SQL injection.  In this day and age, there's no reason to not be running up to date, modern virus and malware protection, especially on a Windows machine.

Unless you absolutely need Java, uninstall it.

SQL injection? Really? I'd find that somewhat surprising.
 

Offline Piru

Re: Is Aminet OK/infected?
« Reply #6 on: May 12, 2012, 01:07:26 AM »
Quote from: Duce;692802
Unsure about the exact terms of what happened to Aminet, but Blackhole is being spread by such methods (SQL, PHP).

http://nakedsecurity.sophos.com/exploring-the-blackhole-exploit-kit/
Well, that article does explain many parts related to the kit itself, for example that it itself is PHP and that it uses a MySQL backend. It also covers many of the client side vulnerabilities it exploits (that list is obviously outdated by now, though).

It however does not mention anything about how the actual sites linking to it are compromised in the first place or if Blackhole has any tools for that.

There are two sides to this:
1) pwning websites / servers and making them link to blackhole instance
2) blackhole exploiting the client vulnerabilities of the unsuspecting browsers of the infected sites and installing malware

Anything in 2 is obvious. But how 1 happens in the first place is the interesting part.
« Last Edit: May 12, 2012, 01:10:33 AM by Piru »
 

Offline Piru

Re: Is Aminet OK/infected?
« Reply #7 on: May 12, 2012, 02:13:17 PM »
Quote from: runequester;692914
are these attacks windows specific or ?
Well it depends on what you're asking.

There are two levels at play:

1. Someone is attacking web sites via some vulnerabilities in their software (old vulnerable sw versions, security issues in the actual web sites themselves etc). These are very often running linux or bsd, but also sometimes Windows. Sometimes the access to the system is gained by stealing the login credentials by attacking a desktop/laptop of the administrator.

2. The successfully breached websites are programmed to distribute malware. The motive in this case is money: the attackers "lease" the hacked sites and distribute tailored malware for whoever is willing to pay. Typically the malware is a rootkit that'll man-in-the-browser normal bank transactions to steal money. In most (if not all) cases this malware targets the Windows platform. That's only because most of the potential victims are using Windows. If OS X continues to gain ground it will be targeted as well at some point.

So at different levels the attacks are targeting different platforms.

Recommendations

System administrators

Keep your host operating system up to date with security updates. Keep track of security updates for the actual web application platforms as well, and install new security updates as soon as they arrive (of course using a staging host to verify that everything works fine after installing the upgrade). You can follow the Full Disclosure mailing list to keep track of recent activity on the security front. There are also numerous RSS/Twitter feeds you can follow, but I find those a bit tiresome in the long run. YMMV.

End users

Windows users need to be very careful to maintain the security of their systems and installed applications. I can recommend Secunia PSI to all Windows users. This tool will check all installed applications for old versions and (optionally) automagically install the required updates.

OS X users should install the OS security updates as soon as they arrive. For application updates there's AppFresh tool which works somewhat similar to Secunia PSI. It's not as good as PSI, but best I've found for OS X so far.

Linux/BSD users should install security updates weekly.

While OS X / Linux/BSD users might not be the targets of most attacks, that's really no excuse to skip the security updates. Sometimes vulnerabilities in these systems are actually exploited, and the false sense of security the users of these systems might have can lead to some rather nasty surprises (say, for example, storing tons of confidential material on the systems in the belief that no-one can possibly breach the system...).
« Last Edit: May 12, 2012, 02:37:37 PM by Piru »
 

Offline Piru

Re: Is Aminet OK/infected?
« Reply #8 on: May 12, 2012, 05:40:14 PM »
Quote from: WotTheFook;692929
My best guess at present is that it's a variant of this:-

BlackHole Exploit Kit
Yes it is. But this has nothing to do with the actual vulnerability that was used to pwn it. This is just the tool they use to infect victims browsing the site. (In my earlier post, this is the step 2. How the step 1 was achieved remains unclear.)

Any attempts to remove the malware links are in vain until the actual root cause for the site exploit has been identified and fixed.
« Last Edit: May 12, 2012, 05:48:54 PM by Piru »
 

Offline Piru

Re: Is Aminet OK/infected?
« Reply #9 on: May 13, 2012, 12:48:10 AM »
Quote from: WotTheFook;692981
We identified php/Kryptik.AB trojan in a file called php_engine9181.php this evening. We have removed the infected file and restored the index.php file as before.

Did you also identify how the trojan got there? That's the important question.