Many sites reported on the issue, from antivirus vendors to security professional’s blogs and online magazines. Whilst most of them just echoed what others said, some shed more light on it posting some interesting notes and only a few did an in-depth analysis worth of mention, the most relevant being:

• Sergio Hernando’s Blog (in Spanish)
• Dancho Danchev’s Blog
• Sophos
• Trend Micro
• The Register
• The Web Hacking Incidents Database
• CyberCrime Updates Blog
• Hackers Center Blog
• Net-Security
• Kriptopolis (in Spanish)

It’s interesting to note that all of them gave credit to my post as the first report on the issue, all except one: Trend Micro. The reason became clear when I read Paul Baccas’s post on SophosLabs:

“The interesting thing from my point of view is that Ismael’s screenshot (on Passionate about Information Security) suggests he is using Sophos Anti-Virus for Mac.”

So, there you go. It’s obvious that Trend Micro didn’t want to include a link to a post that included a screenshot of Sophos for Mac picking up the virus. Awesome!

On the other hand, it’s fair to say that Trend Micro posted an excellent report on the incident, including updates on their analysis:

Trend Micro Advanced Threats Analyst Ryan Flores also revealed that there is inserted code in the compromised websites that injects pages that look like blog entries into the compromised sites’ domain. The inserted pages contain various pharma information. Flores then states that this is possibly an SEO poisoning scheme, or a plot to use the legitimate domains of the compromised websites to evade spam filters.

…

Though no trace of malware was found in the other links, Trend Micro Antivirus Engineer Edgardo Diaz, Jr.suggests that this is possibly an advertisement scam or a massive malware attack in its early stage. This would also explain why parts of this threat do not appear to be fully functional. He warns, though, that since the website is already compromised, it’s just a matter of modifying the tags to turn the seemingly “non-malicious” injection of code into a full-blown malware attack.

Updated 5:49 PM: BKDR_TDSS.CG drops a rootkit that is then injected into SVCHOST.EXE. While injected, the rootkit attempts to connect to several websites to send and receive information.

Updated February 1, 2009: At this time, BKDR_TDSS.CG is also downloading an encrypted configuration file. Once decrypted, this file appears to contain commands to download other dll files and an updated copy of TDSSserv.sys, load certain modules from the dll files, upload log files (which contain error logs, process lists, and OS details), display popup ads, prevent security software from running, and set command delays. While the content of the files from the download URLs are not the same every time, this backdoor does keep accessing from the list of URLs even after completing its routine–so it may eventually get to access all URLs (except of course the currently inaccessible ones) it needs to achieve all mentioned functionalities.

I didn’t check the website for a while, but as of yesterday, embajadaindida.com redirects to embassyindia.es, a new domain that hosts a new website. This confirms what I was told by the Consul of India in Madrid when I called to report the incident last week. Back then I was told that the old compromised website was going to be replaced by a new one in the coming days.

Whether all these news pushed them to deploy it before they planned I don’t know, but at least we’re all glad that action was taken and that the site seems to be clean, by now…

Earlier this morning I was alerted to this problem by a colleague who was trying to access www (dot) embajadaindia (dot) com to sort out some paperwork related to my employer’s offices in India. When tried to load the site, the Desktop Antivirus displayed the following pop-up alert:

The alert description is fairly self-explanatory, though a quick look at the source code erases all doubt:

Everything indicates that the site was compromised and those invisible iframe tags appended to the index.php (and possibly other files too) to load multiple pieces of malware from the following domains:

• msn-analytics.net
• pinoc.org
• wsxhost.net

Obviously, do not visit any of these sites as, at the very least, it is known that they have facilitated the distribution of malicious software in the past. In fact, Google’s Safe Browsing Diagnostic page reports that one of those has hosted malicious sofware that has infected at least 33 domains in the last 90 days, as shown below.

Although the attack vector is still unknown, it’s likely to be due to either weak directory and file permissions or to a vulnerability in any of their PHP scripts. Actually, similar effects were reported to the Joomla! discussion forum back in September last year, so I guess we must be dealing with the same kind of attack.

I’ve personally reported this security issue to the Embassy of India in Spain, and it’s expected they will be taking some action to remove the iframe tags sooner rather than later. In the meantime, please DO NOT VISIT THE SITE.

All of the above describe how the password attack picture was before a new technique, called ‘Pass-The-Hash’ made its way into the hacking scene. Although someone may think this technique is quite new, it was actually back in 1997 when Paul Ashton posted on Bugtraq a Windows exploit named “NT Pass the Hash” along with the theory which the exploit was based on. This Unix-based tool implemented a modified version of a SMB client that allowed the use of captured LanMan hashes, without having to decrypt them first. However, it wasn’t before last year when Core Security finally took this concept to the next level and produced a much more powerful tool called ‘Pass-The-Hash Toolkit’, which now runs on Windows and works with NTLM hashes. Let’s see how this technique works in more detail.

Pass-The-Hash is a different kind of password attack in that its ultimate goal is not to reveal what the password is, but rather to use it without having to crack it. Think about this, do you really care whether the password you are cracking is actually “peanuts”, “Barbie” or “Mickey Mouse”? I don’t think so. All you need to know is that it will give you access to the resource it’s protecting. Well, that’s the main concept behind ‘Pass-The-Hash’ attack.

First step to launch this attack is obviously to extract the password hashes. I’m not pretending to detail how to obtain them here, but you know you can either dump the SAM database if you managed to get admin privileges or dump current user SAM from memory if you ‘only’ have regular user privileges. Now, instead of trying to crack the hashes with L0pthCrack or Cain, all you need to do is to USE them directly.

To do so, the ‘Pass-The-Hash Toolkit’ contains utilities that let you manipulate the Windows Logon Session maintained by the LSA (Local Security Authority) component, allowing you not only to list the current logon sessions along with its corresponding NTLM credentials, but also to change in runtime the current username, domain name, and even NTLM hashes. Isn’t DLL injection lovely?

The Toolkit contains three utilities:

• IAM.EXE: This tool allows you to change your current NTLM credentials directly in memory without having the cleartext passwords. Only the password hashes are needed. Yes, that means no password cracking anymore! From the moment the NTLM credentials are changed you can immediately use commands that make use of NTLM authentication, like ‘net use’ or ‘net view’, with the stolen user’s credentials.
• WHOSTHERE.EXE: This tool will list logon sessions with NTLM credentials, including username, domain name, LM and NTLM hashes. Those logon sessions also include remote sessions like Remote Desktop Connections. That means you can now steal Domain Administrator’s password not only from the Domain Controller but also from any machine the Administrator may RDP to. Just run WHOSTHERE.EXE while the admin is logged on and use IAM.EXE from your machine to compromise the Domain Controller using those credentials. Also Man-in-the-middle attacks could be used effectively with this tool.
• GENHASH.EXE: This tool generates LANMAN and NT hashes from user given passwords. It’s just a small tool designed to help testing of IAM.EXE.

The advantages of using this technique are out of doubt. First, the time consuming password cracking is not needed, and additionally, the account lockouts that happened so often when doing password guessing won’t happen anymore. This is a massive improvement so it’s not surprising that Penetration Testers are increasingly relying on ‘Pass The Hash’ techniques.

For the folks on the other side of the line, that is from a defensive perspective, the above reinforces the need of adopting best practices when it comes to high privilege account management, using secure authentication schemes and maintaining a suitable patch and vulnerability management programme. Doesn’t it sound familiar?

—

The tools described in this post are part of the Pass-the-Hash Toolkit (pshtoolkit), written by Hernán Ochoa from Core Security. Latest release of Pass-The-Hash toolkit (v1.3 published on February 29, 2008) is available for free download here.