I’m writing this post while seated on a train going from Birmingham’s International Airport to Banbury, a small town located in the heart of Oxfordshire. It’s only a 40 minutes trip but I really enjoy it, especially if I have a good album to listen to (like that of The Script I’m listening now), some coffee and the nice view of the English countryside I can see through the window right now.

I come to Banbury very often, like once every two or three months, most of the times to hold meetings with my team colleagues, to support ISO 27001 audits or to conduct onsite assessments. None of those are the main purpose of my visit this time. After delivering a new one-day session on Incident Response and Computer Forensics at my employer’s European offices in Leiden (the Netherlands), Bochum (Germany) and Warrington (UK), it’s now Banbury’s turn.

The goal of this sessions is to train our ICT staff on how to best react to security incidents while preserving volatile and non-volatile evidence, but at the same time to give them an overview on what Computer Forensics is all about, so they can understand the importance of handling digital evidence appropriately.

While I’ve run similar sessions in the past, I’m particularly happy with the new material that I’ve put together this time, and the feedback I’m getting from the people that have attended this sessions (more than 25 so far) confirms me that.

I can’t give much detail on its content now (and I will tell you why in a bit) but all I can say is that the training is now packed with hands-on exercises that uses a virtual machine as a portable forensics lab and the image of a compromised Windows 2003 Server as the target of the analysis. It’s based on a real-case scenario and illustrates the methods and the tools that are typically used throughout the course of a real computer forensic investigation. Really useful and fun stuff!

The reason why I can’t give much detail now is because earlier this year, Ewa Dudzic, Editor in Chief of Hakin9 magazine, invited me to write an introductory article on Computer Forensics for their well-known and prestigious magazine, and that article is actually based on the content of the training described above. Now I’m glad to see that the current issue of the magazine announces that the first part of my two-series article will be published in the next issue of Hakin9, that is 4/2009. The article will not just include a step-by-step guide to forensic response and investigation but also references to all the tools and images you can use to set up your own forensic lab and do the exercises at home. Stay tuned, as I will post more details on that as soon as the article is released.

In the meantime I will carry on with my ‘European tour’ that I expect to finish at my home office later in May. Remote locations like India and Sydney might come next, possibly during the second half of 2010.

No doubt, one of the best things about delivering this training is that it’s given me the opportunity to spend more time with colleagues from different geographies and, why not, to have some fun after work. As you can see in the pictures below, I even had the opportunity to watch a live game at Old Trafford!

Watching Manchester Utd vs Porto live at Old Trafford, the Theatre of Dreams! (UEFA Champions League 2009)

Great time riding through the streets of Leiden, in the Netherlands

Thanks Andy and Paul for such a great time

Many sites reported on the issue, from antivirus vendors to security professional’s blogs and online magazines. Whilst most of them just echoed what others said, some shed more light on it posting some interesting notes and only a few did an in-depth analysis worth of mention, the most relevant being:

• Sergio Hernando’s Blog (in Spanish)
• Dancho Danchev’s Blog
• Sophos
• Trend Micro
• The Register
• The Web Hacking Incidents Database
• CyberCrime Updates Blog
• Hackers Center Blog
• Net-Security
• Kriptopolis (in Spanish)

It’s interesting to note that all of them gave credit to my post as the first report on the issue, all except one: Trend Micro. The reason became clear when I read Paul Baccas’s post on SophosLabs:

“The interesting thing from my point of view is that Ismael’s screenshot (on Passionate about Information Security) suggests he is using Sophos Anti-Virus for Mac.”

So, there you go. It’s obvious that Trend Micro didn’t want to include a link to a post that included a screenshot of Sophos for Mac picking up the virus. Awesome!

On the other hand, it’s fair to say that Trend Micro posted an excellent report on the incident, including updates on their analysis:

Trend Micro Advanced Threats Analyst Ryan Flores also revealed that there is inserted code in the compromised websites that injects pages that look like blog entries into the compromised sites’ domain. The inserted pages contain various pharma information. Flores then states that this is possibly an SEO poisoning scheme, or a plot to use the legitimate domains of the compromised websites to evade spam filters.

…

Though no trace of malware was found in the other links, Trend Micro Antivirus Engineer Edgardo Diaz, Jr.suggests that this is possibly an advertisement scam or a massive malware attack in its early stage. This would also explain why parts of this threat do not appear to be fully functional. He warns, though, that since the website is already compromised, it’s just a matter of modifying the tags to turn the seemingly “non-malicious” injection of code into a full-blown malware attack.

Updated 5:49 PM: BKDR_TDSS.CG drops a rootkit that is then injected into SVCHOST.EXE. While injected, the rootkit attempts to connect to several websites to send and receive information.

Updated February 1, 2009: At this time, BKDR_TDSS.CG is also downloading an encrypted configuration file. Once decrypted, this file appears to contain commands to download other dll files and an updated copy of TDSSserv.sys, load certain modules from the dll files, upload log files (which contain error logs, process lists, and OS details), display popup ads, prevent security software from running, and set command delays. While the content of the files from the download URLs are not the same every time, this backdoor does keep accessing from the list of URLs even after completing its routine–so it may eventually get to access all URLs (except of course the currently inaccessible ones) it needs to achieve all mentioned functionalities.

I didn’t check the website for a while, but as of yesterday, embajadaindida.com redirects to embassyindia.es, a new domain that hosts a new website. This confirms what I was told by the Consul of India in Madrid when I called to report the incident last week. Back then I was told that the old compromised website was going to be replaced by a new one in the coming days.

Whether all these news pushed them to deploy it before they planned I don’t know, but at least we’re all glad that action was taken and that the site seems to be clean, by now…

Earlier this morning I was alerted to this problem by a colleague who was trying to access www (dot) embajadaindia (dot) com to sort out some paperwork related to my employer’s offices in India. When tried to load the site, the Desktop Antivirus displayed the following pop-up alert:

The alert description is fairly self-explanatory, though a quick look at the source code erases all doubt:

Everything indicates that the site was compromised and those invisible iframe tags appended to the index.php (and possibly other files too) to load multiple pieces of malware from the following domains:

• msn-analytics.net
• pinoc.org
• wsxhost.net

Obviously, do not visit any of these sites as, at the very least, it is known that they have facilitated the distribution of malicious software in the past. In fact, Google’s Safe Browsing Diagnostic page reports that one of those has hosted malicious sofware that has infected at least 33 domains in the last 90 days, as shown below.

Although the attack vector is still unknown, it’s likely to be due to either weak directory and file permissions or to a vulnerability in any of their PHP scripts. Actually, similar effects were reported to the Joomla! discussion forum back in September last year, so I guess we must be dealing with the same kind of attack.

I’ve personally reported this security issue to the Embassy of India in Spain, and it’s expected they will be taking some action to remove the iframe tags sooner rather than later. In the meantime, please DO NOT VISIT THE SITE.