Archive for May, 2008

This is the Search News archives for May, 2008.


Google Friends Newsletter - May 2008

6:32 pm - May 31, 2008 in Google Friends Google Group

Google Friends Newsletter, May 2008. Spring greetings to our Google friends. We hope you enjoy this month's update on our products and services. POWER TIP: See related topics when searching on Google News. When you search with Google News, you'll now see a list of related searches at the bottom of the results page. For example, a search for

When SQL Injections Go Awry, Incident Case Study

9:37 pm - May 30, 2008 in Anti-Malware Engineering Team

It seems to be the "in thing" these days to use an automated tool to perform SQL injections against vulnerable sites across multiple domains. Although the attack method isn't new, some sites are hit multiple times, as is evident from the corruption of the injection code when one attacker overwrites a previously injected record. Below, you can see cached search results when searching for a specific known script injection:

Image 1: Search results indicating embedded scripts from multiple attacks

In the above highlighted portion, note the beginning of an original script tag injection being superimposed with another script tag injection. Below, you can see the effect of multiple attacks on another site, as evident in the page source:

Image 2: HTML source indicating multiple embedded script tags from various SQL injection attacks

Speaking of SQL injections, however, one has to wonder: what's all the hype? What are attackers after, or what is their motive? It would seem that there are several motives, but one motive that may or may not be surprising is the rise in injecting code that executes multiple exploits in an attempt to download and execute game password stealers. Let me say that again: game password stealers. We continue to monitor injected scripts and add detections to cover their various iterations; the threats are detected as "Trojan:JS/Redirector":

Image 3: Microsoft Forefront Client (FCS) Security Warning alert

Our friends over at ShadowServer have compiled a list of offending domains that are either compromised and don't know it, or are under the control of an attacker, and are hosting or did host malicious scripts or executables. Their list as of May 14, 2008, with the approximate number of pages injected per domain, is available courtesy of this link: http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080514

I was reviewing the qiqi111.cn attack and learned that the malicious script requested files from these domains: pigzd.cn and dota11.cn. I decided to follow the white rabbit: taking the first domain, I retrieved the malicious script am6.htm, already identified as "Exploit:JS/Repl.B". The script am6.htm contains a handful of attack methods, attempting exploits to download and execute more code:

Image 4: Source code of am6.htm illustrating the attack methods

I know what you're saying, "what the heck, what are all these iframes?", so let's take a quick look at them:

1. This attack focuses on systems that have not applied Microsoft Security Bulletin MS06-014. The attack specifically targets a Microsoft Data Access Components (MDAC) ADO ActiveX control, "RDS.DataSpace", in order to execute arbitrary code, or in this case another Web-hosted script identified as "TrojanDownloader:JS/Psyme.BA"; it tries to retrieve and execute an online game password stealer as a file named "mm.exe" from the domain gf.ccves.cn.

2. This attack executes the ActiveX control for RealPlayer; this method also allows execution of code identified as "Exploit:HTML/Repl.D".

3. This attack exploits a 0-day vulnerability in an Avatar ActiveX control for Ourgame GLWorld named "C:\Program Files\GlobalLink\Game\Share\GLAvatar.ocx" and referenced by its control "GLAVATAR.GLAvatarCtrl.1". When the ActiveX control executes, it loads a script that contains an exploit for a vulnerability in another ActiveX control contained in GLIEDown2.dll, a library component of GLWorld. There isn't yet a CVE (Common Vulnerabilities and Exposures) ID for this vulnerability, thus it's considered "0-day". It was issued Bugtraq ID 29118, and as of the time of this writing, public awareness of the vulnerability seems somewhat low, and it is not well discussed other than in this blog entry and one from Trend Micro. The HTML file axlz.htm is identified as "Exploit:JS/Gdow.A". Incidentally, there are other known exploits of components of GLWorld (www.ourgame.com):
   - Multiple buffer overflow vulnerabilities within "HanGamePluginCn18.dll", referenced by this control: HanGamePluginCn18.HanGamePluginCn18.1
   - Stack-based buffer overflow vulnerability within "GLChat.ocx", referenced by this control: GLCHAT.GLChatCtrl.1
   - Ourgame GLIEDown2.dll ActiveX control remote code execution vulnerability, referenced by this control: GLIEDown.GLIEDown.1

4. This attack exploits a vulnerability in the Baofeng Storm StormPlayer ActiveX control, identified as "Exploit:Win32/Senglot.J".

5. This last method is an attack against an ActiveX control for Xunlei Thunder DapPlayer; this file was not available at the time of this writing.

So with five opportunistic attacks, the odds increase in favor of acquiring some Internet nasties, and we will continue to monitor these attacks.

Additional Resources

During our research, we analyzed some of the malicious scripts. More details about these scripts are available at our Microsoft Malware Protection Center Encyclopedia:

http://www.microsoft.com/security/portal/Entry.aspx?Name=Trojan:JS/Redirector.H
http://www.microsoft.com/security/portal/Entry.aspx?Name=Trojan:JS/Redirector.I
http://www.microsoft.com/security/portal/Entry.aspx?Name=Trojan:JS/Redirector.J
http://www.microsoft.com/security/portal/Entry.aspx?Name=Trojan:JS/Redirector.K
http://www.microsoft.com/security/portal/Entry.aspx?Name=Trojan:JS/Redirector.L
http://www.microsoft.com/security/portal/Entry.aspx?Name=Trojan:JS/Redirector.M
http://www.microsoft.com/security/portal/Entry.aspx?Name=Trojan:JS/Redirector.N

Additional resources and recommendations are available from the Security Vulnerability Research & Defense team: http://blogs.technet.com/swi/archive/2008/05/29/sql-injection-attack.aspx, and from Bala Neerumalla, Microsoft Corporation, who discusses common coding mistakes in ASP code that can lead to SQL injections in the following article: http://msdn.microsoft.com/en-us/library/cc676512.aspx

Patrick Nolan

@media 2008, London - Day Two

7:39 pm - May 30, 2008

The second day of the @media 2008 conference in London revolved much more around development than the first one, which was about the design challenges we face as web developers. Here are some short summaries of the different sessions I managed to attend:

Sessions and snacks at Google I/O

7:21 pm - May 30, 2008 in The Official Google Blog

Posted by Andrew Bowers, Product Manager. We hosted Google I/O at the Moscone Center in San Francisco this week, with 3,000 developers in attendance. They took advantage of nearly 100 in-depth technical sessions, on-site massage therapists, and 3,500 po…

A Geek Dinner with Moo

6:53 pm - May 30, 2008

Continuing in the spirit of London Web Week, the lovely people from Moo were the special guests at a Geek Dinner last night. In a pub in High Holborn, about 40 geeks and hackers converged for the event. There were lots of people from Moo in attendance, which gave everyone the chance to meet many of the people they'd seen speak at conferences, like Richard Moross, Richard Pope and Denise Wilton.

Rather than a formal talk, Richard M gave an impromptu history of the company from its inception as the dubiously named Pleasure Cards to the Moo of today. They discussed some of the reasons for their success. Richard said that customer service was key. Being very accommodating early on created a really loyal following. They found that owning up to the mistakes they made and dealing with them created the happiest customers of all. Creating an honest dialogue is clearly important to the company.

When asked about marketing, Richard talked about his time in the advertising industry. He lamented that some of the best creative minds were trying to market bad products. Rather than wasting energy on marketing a bad product, he'd rather put that energy into making a better product to start with. Moo have found that a lot of their marketing is just word of mouth because people are happy with the product. Denise really agreed with this, and described the feeling of delight they want people to have when opening a new delivery of Moo cards. She also added that partnerships like the one they have with Flickr have really helped to encourage people to participate with their own photos.

Moo is obviously a company that deeply cares about their products and customers. It was great to hear some of their experiences, their successes and the lessons they learned. Finally, I'm excited by the amount of great stuff happening in London Web Week, with so many amazing people speaking at and attending these events.

Tom Hughes-Croucher, Yahoo! Developer Network

Uninterrupted Viewing Experience

6:43 pm - May 30, 2008 in Official Google Video Blog

Posted by Sapna Mehta, Online Operations Associate. We know a lot of you are committed multi-taskers, and hey, who doesn't love the TV view for efficient video searching? To make you even better multi-taskers, we've added a feature that allows you to bro…

In the Wild for May 30

1:06 pm - May 30, 2008 in Yahoo! User Interface Blog

On the heels of Wednesday's YUI 2.5.2 release, we wanted to take a minute to share some of the YUI links and projects that have caught our eye in the past few weeks. Matt Snider (F2E lead at Mint) continues his long-term process of blogging about the work he's doing building on top of YUI with "Dom.activate …

All swickis up and running

11:45 am - May 30, 2008 in Eurekster Blog

We're happy to let you know that our service has been fully restored and all your swickis should be back up and running again. Again, sorry for any inconvenience, and thank you so much for your patience with us! In…

Wikipedia gets big

7:55 am - May 30, 2008 in Live Search

Check it out: We realize that often you just need to get a sense of what your query is about. Wikipedia is great for that; you can learn enough from the first paragraph of a Wikipedia article to start you out on the right path. For Wikipedia results, we now show a good portion of the first paragraph and a few links from the table of contents. You can see more about the topic right there and see what else the article offers. We hope you learn more, faster, with our expanded Wikipedia descriptions. Let us know what you think. Kemp Peterson, Program Manager, Live Search

@media 2008, London - Day One

8:51 pm - May 29, 2008

Today was the first day of @media 2008 in London, England. For the fourth time, hundreds of people interested in web design, development and information architecture came to see what experts in the field had to say, and to network at probably Europe's biggest web conference focusing on the front end of development. This is a short roundup of the sessions I attended, as the conference ran on two tracks: the massive Queen Elizabeth Hall and the smaller Purcell Room in the Southbank Centre.
