Author Topic: '"Beladen" new attack on the block'


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33931
  • malware fighter
'"Beladen" new attack on the block'
« on: June 04, 2009, 12:52:50 AM »
Howdy malware fighters,

The number of websites that have been hacked in the "Beladen" attack
re: http://securitylabs.websense.com/content/Blogs/3408.aspx &
http://blog.scansafe.com/journal/2009/6/1/beladennet-qa.html
has now risen from 20.000 to 40.000.

This is according to security vendor Websense.
More than likely attackers found access to websites through stolen FTP passwords;
SQL-injected brute-force attacks on web servers are also an option, re:
http://bt.uptime.cz/apache/apache_attack_EN.pdf
According to Websense's Carl Leonard, mainly vulnerabilities in both Internet Explorer and
Firefox browsers were being exploited, but attacks against Adobe Reader, QuickTime and WinZip are also being launched, re:
http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9133820&taxonomyId=17&intsrc=kc_top
Despite the recent growing number, the Beladen attacks are rather small compared to the ongoing Gumblar attacks. According to ScanSafe the number of Beladen-hacked sites would only total a couple of thousand sites:
http://www.scmagazineuk.com/Claims-made-that-Beladen-has-compromised-around-40000-computers/article/137904/
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Re: '"Beladen" new attack on the block'
« Reply #1 on: June 04, 2009, 12:59:38 AM »
...WinZip...

Does that mean if you download a .zip, when you click on it (and not any other files in it) it can execute a virus? ???
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33931
  • malware fighter
Re: '"Beladen" new attack on the block'
« Reply #2 on: June 04, 2009, 01:15:18 AM »
Hi donovansrb10,

Yes, my friend, if it comes as a txt.zip file and one does not know what is safe to click.
The Bagle worm already knew to play this trick on victims, but as always these things happen to users and web-owners that have older, not fully patched and updated software on their servers/machines, and these very vulnerabilities are being exploited by the attackers, so mainly users of "older" browser versions of IE and Fx are victims; the websites sought out by the malware are also smaller and so more vulnerable to these attacks.

polonus
« Last Edit: June 04, 2009, 01:55:01 AM by polonus »

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Re: '"Beladen" new attack on the block'
« Reply #3 on: June 04, 2009, 02:27:13 AM »
Too bad I'm sticking with IE7 and Firefox (Current Version)

kubecj

  • Guest
Re: '"Beladen" new attack on the block'
« Reply #4 on: June 04, 2009, 08:49:30 AM »
New...  ::) We're blocking beladen.net from 7th of May. And if you see the VirusTotal, only 3 engines detect the stuff. We're detecting it as 'Cruzer-D' right now.
« Last Edit: June 04, 2009, 08:51:54 AM by kubecj »

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Re: '"Beladen" new attack on the block'
« Reply #5 on: June 04, 2009, 09:24:07 AM »
There should be more because Google and WOT blocks it.

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9408
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: '"Beladen" new attack on the block'
« Reply #6 on: June 04, 2009, 12:44:57 PM »
New...  ::) We're blocking beladen.net from 7th of May. And if you see the VirusTotal, only 3 engines detect the stuff. We're detecting it as 'Cruzer-D' right now.

I assume you guys simply add web addresses found in malware samples to the Network Shield block list and prevent 2 things at the same time. That very sample and all further ones.
Visit my webpage Angry Sheep Blog

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33931
  • malware fighter
Re: '"Beladen" new attack on the block'
« Reply #7 on: June 04, 2009, 03:07:23 PM »
Hi malware fighters,

Good that avast is on top of this; here is some further info:
block *.beladen.net

Mass compromises are certainly nothing new. They regularly take place,
because attackers commonly use server-side vulnerabilities in an automated way
to infiltrate legitimate Web sites and inject them with malicious code.
The challenge in these kinds of attacks, from a security firm perspective,
is to recognize malicious patterns in legitimate Web sites (they're usually obfuscated),
and then research the exploit sites those attacks lead to. Read more here:

Beladen.net is full of various attacks and after a successful exploitation,
a malicious file will be run on the infected computer.

The exploit also uses the 'typo-squatter' domain with a similar name to
the legitimate Google Analytics domain (google-analytics.com),
redirecting users to beladen.net.

Beladen also had a low anti-virus detection rate.
At the time the attack was first reported,
only four out of 40 anti-virus vendors had reported the threat.

He also said that if an exploit didn't work on a machine,
the attack would also try to download rogue anti-virus software,
in order to dupe users into downloading a trojan.

securitylabs.websense.com/content/Blogs/3408.aspx

Due to some manipulation of the DNS process, beladen.net makes
new subdomains and referral DNS servers every time.
Trying to block each of them can't be done.

So look at these examples and just block anything connected to it.
Edited by me for security reasons:
when the problem comes up you're redirected to 7914421.beladen.n*t
and after that you're redirected to hxtp://scan4top.com/22/?uid=keyin, disguised like ...
wxw.vbulletin.com/forum/showthread.php?p=1735111 - 97k -

I spotted this last night, e.g.: h x t p://0e6047.beladen.net/t/m1002z188371.html
appeared down left and redirecting to h x t p://scan4note.com/22/?uid= ...
wxw.hondenforum.nl/phpBB2/viewtopic.php?p=3378096&sid=

An intrusion attempt on my computer made by tzvx.beladen.n*t
Tried to connect to my computer:
(91.207.61.40,80) 30.04.2009 00:08:16 zostala zablokowana. ... (was blocked)
f*lieton102.bloog.pl/kat,0,m,4,r,2009,index.html

polonus
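The post above makes the practical point that beladen.net keeps minting new subdomains, so a defender blocks the whole domain tree ("*.beladen.net") rather than individual hosts, and then looks for the redirect chain (compromised forum page, then a beladen.net subdomain, then the scan4top/scan4note rogue-AV site) in proxy logs. The following Python is an added example written for this thread; it is not code from the forum, from avast or from Websense. The apex domains are the ones named in the thread; the proxy log format, the client addresses and the URL paths are constructed sample data. Note the deliberate `"." + apex` suffix check: a bare `endswith("beladen.net")` would also match an unrelated host such as `notbeladen.net`.

```python
import re
from urllib.parse import urlsplit

# Apex domains to block; a match covers the apex itself and every subdomain,
# which is what "block *.beladen.net" means. Names taken from the thread.
BLOCKED_APEX = {"beladen.net", "scan4top.com", "scan4note.com"}


def normalize_host(host: str) -> str:
    """Lower-case and drop a trailing root dot so 'BELADEN.NET.' compares equal."""
    return host.strip().rstrip(".").lower()


def host_is_blocked(host: str, blocked=BLOCKED_APEX) -> bool:
    """True if host is a blocked apex or any label-aligned subdomain of one.

    The "." + apex form is essential: it rejects look-alikes such as
    notbeladen.net and does not match beladen.net.example.com either.
    """
    h = normalize_host(host)
    return any(h == apex or h.endswith("." + apex) for apex in blocked)


# Constructed proxy log format: "<date> <time> <client-ip> <METHOD> <url> <status>".
LOG_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

# Constructed sample log: one client walks the redirect chain the thread
# describes, another client visits harmless hosts (including a look-alike).
SAMPLE_LOG = """\
2009-06-04 00:52:10 10.0.0.21 GET http://www.example-forum.test/forum/showthread.php?p=1735111 200
2009-06-04 00:52:11 10.0.0.21 GET http://7914421.beladen.net/t/m1002z188371.html 200
2009-06-04 00:52:12 10.0.0.21 GET http://scan4top.com/22/?uid=keyin 302
2009-06-04 00:52:15 10.0.0.33 GET http://notbeladen.net/index.html 200
2009-06-04 00:52:16 10.0.0.33 GET http://www.google-analytics.com/ga.js 200
"""


def scan_log(text: str, blocked=BLOCKED_APEX) -> list:
    """Return one dict per request whose host falls under a blocked apex."""
    hits = []
    for raw in text.splitlines():
        m = LOG_LINE.match(raw.strip())
        if not m:
            continue  # ignore lines that do not fit the expected format
        host = urlsplit(m.group("url")).hostname or ""
        if host_is_blocked(host, blocked):
            hits.append({"ts": m.group("ts"), "client": m.group("client"), "host": host})
    return hits


def chains_by_client(text: str, blocked=BLOCKED_APEX) -> dict:
    """Group blocked hosts per client, in log order, to expose the redirect chain."""
    chains = {}
    for hit in scan_log(text, blocked):
        chains.setdefault(hit["client"], []).append(hit["host"])
    return chains


if __name__ == "__main__":
    for client, hosts in chains_by_client(SAMPLE_LOG).items():
        print(client, "->", " -> ".join(hosts))
```

Running the block prints the single infected client followed by the hosts it was bounced through; the second client never appears because `notbeladen.net` does not sit under any blocked apex. Fed a real proxy export in the same format, `chains_by_client` is the quick way to list which internal machines actually reached the exploit domain rather than merely the compromised forum page.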

cinchez

  • Guest
Re: '"Beladen" new attack on the block'
« Reply #8 on: June 04, 2009, 03:13:16 PM »
Thanks for the great info pol^^

Good thing avast! was one of the four AVs that caught the very first attack^^

Cheers for avast!^^

-AnimeLover^^

REDACTED

  • Guest
Re: '"Beladen" new attack on the block'
« Reply #9 on: March 29, 2017, 07:21:18 PM »
My updated Avast IS still (again?) declares every new password for my Adobe account, in 'Avast Passwords', as 'compromised'. And does so without explanation or reference to any useful information.

Adobe forum reps say it is an Avast problem. Is it an 8-year-old problem, or a new one which has not yet been addressed, explained, or explored for a work-around?

Re thread title: "New" is a poor word to use in a permanent text. Just use a date!

Offline MrMaxaMan

  • Full Member
  • ***
  • Posts: 195
Re: '"Beladen" new attack on the block'
« Reply #10 on: March 29, 2017, 11:08:52 PM »
This thread is nearly 8 years old, best to start a new one.
Avast Free 20.3.2405 - Comodo 12.2.2.7036 Firewall with D+ - Winpatrol Free.
On demand - MBAM - Super Antispyware.
Windows 10 64bit - 16GB Ram.