[Owasp-singapore] [security-77] viewerschoice.com.sg

Wong Onn Chee ocwong at usa.net
Tue Aug 25 11:30:35 EDT 2009


Again, on this topic.
This case is similar to the one suffered by websites of UniSIM, Fiat SG
and Popular Bookstore.

I would like to seek feedback from the group on how you will address such
a scenario:

That the web server is infected with malicious JavaScript which does not
affect the infected web server, but affects all visitors to the site by
tricking them into downloading and installing malware which is hosted elsewhere.

Let's assume the following:

1) Server-side AV software is useless here as the malware is not on the
affected web server.
2) Client-side AV software is not effective if the malware could be a
zero-day exploit.
(The successful infection of UniSIM students in Jan this year shows that
client-side AV is not foolproof.)

There are tons of ways for the malicious JavaScript to get into the
affected web server.
Feel free to propose the possible causes and the relevant counter-measures.

Let's get creative! :-)


On 08/25/2009 10:11 PM, Johnny Wong wrote:
> Was there a preceding email? I can't seem to see the initiating email.
>
> At 09:26 PM 25-08-09, you wrote:
>> Was trying to browse to the site ..
>>
>>   Any stats on how many Singapore websites are affected by such
>> drive-by downloads?
>>
>>     *Safe Browsing*
>>
>>       *Diagnostic page for www.viewerschoice.com.sg
>>       <http://www.viewerschoice.com.sg>*
>>
>> *What is the current listing status for www.viewerschoice.com.sg
>> <http://www.viewerschoice.com.sg>?*
>>
>>     Site is listed as suspicious - visiting this web site may harm
>>     your computer.
>>
>>     Part of this site was listed for suspicious activity 2 time(s)
>>     over the past 90 days.
>>
>> What happened when Google visited this site?
>>
>>     Of the 120 pages we tested on the site over the past 90 days, 8
>>     page(s) resulted in malicious software being downloaded and
>>     installed without user consent. The last time Google visited this
>>     site was on 2009-08-21, and the last time suspicious content was
>>     found on this site was on 2009-08-21.
>>
>>     Malicious software is hosted on 3 domain(s), including a5m.ru/
>>     <http://www.google.com/safebrowsing/diagnostic?site=a5m.ru/&hl=en>,
>>     lotbetsite.cn/
>>     <http://www.google.com/safebrowsing/diagnostic?site=lotbetsite.cn/&hl=en>,
>>     bigtopleads.cn/
>>     <http://www.google.com/safebrowsing/diagnostic?site=bigtopleads.cn/&hl=en>.
>>
>>     This site was hosted on 2 network(s) including AS4628 (PACIFIC)
>>     <http://www.google.com/safebrowsing/diagnostic?site=AS:4628&hl=en>,
>>     AS15169 (GOOGLE)
>>     <http://www.google.com/safebrowsing/diagnostic?site=AS:15169&hl=en>.
>>
>> Has this site acted as an intermediary resulting in further
>> distribution of malware?
>>
>>
>>     Over the past 90 days, www.viewerschoice.com.sg
>>     <http://www.viewerschoice.com.sg> did not appear to function as
>>     an intermediary for the infection of any sites.
>>
>> Has this site hosted malware?
>>
>>
>>     No, this site has not hosted malicious software over the past 90
>>     days.
>>
>> How did this happen?
>>
>>
>>     In some cases, third parties can add malicious code to legitimate
>>     sites, which would cause us to show the warning message.
>>
>> Next steps:
>>
>>     * If you are the owner of this web site, you can request a review
>>       of your site using Google Webmaster Tools
>>       <http://www.google.com/webmasters/tools/>. More information
>>       about the review process is available in Google's Webmaster
>>       Help Center
>>       <http://www.google.com/support/webmasters/bin/answer.py?answer=45432>.
>>
>> --
>> Please Note: If you hit "REPLY", your message will be sent to
>> everyone on this mailing list (security-77 at meetup.com
>> <mailto:security-77 at meetup.com>)
>> This message was sent by kianjui (kianjui at gmail.com) from The
>> Singapore Security Meetup Group <http://www.meetup.com/SGSecurityMG/>.
>> To learn more about kianjui, visit his/her member profile
>> <http://www.meetup.com/SGSecurityMG/members/10170594/>
>> To unsubscribe or to update your mailing list settings, click here
>> <http://www.meetup.com/account/comm/>
>>
>> Meetup Support: support at meetup.com
>> 632 Broadway, New York, NY 10012 USA 
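The scenario discussed in this thread (script injected into otherwise legitimate pages, pulling content from hosts elsewhere) can be watched for from the site owner's side by auditing what each served page actually loads. The following is an added example, not part of the original thread; the host names, the allowlist and the list of inline-script markers are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Heuristic markers of obfuscated inline loaders (an assumed, non-exhaustive list).
SUSPICIOUS = re.compile(r"\b(?:eval|unescape|fromCharCode)\s*\(|document\.write\s*\(", re.I)
# Tags that pull in active content, and the attribute that names its source.
URL_ATTRS = {"script": "src", "iframe": "src", "frame": "src", "embed": "src", "object": "data"}

class ActiveContentAudit(HTMLParser):
    """Records the host behind every active-content tag and flags odd inline scripts."""
    def __init__(self, site_host):
        super().__init__()
        self.base = "http://%s/" % site_host
        self.hosts = set()
        self.inline_hits = []
        self._inline = False

    def handle_starttag(self, tag, attrs):
        url = dict(attrs).get(URL_ATTRS.get(tag, ""))
        if url:  # resolve relative and scheme-relative URLs against the site itself
            self.hosts.add(urlparse(urljoin(self.base, url)).hostname or "(none)")
        self._inline = tag == "script" and not url

    def handle_endtag(self, tag):
        if tag == "script":
            self._inline = False

    def handle_data(self, data):
        if self._inline and SUSPICIOUS.search(data):
            self.inline_hits.append(data.strip()[:80])

def audit_page(html, site_host, allowed_hosts=()):
    """Return hosts outside the allowlist plus inline scripts matching SUSPICIOUS."""
    audit = ActiveContentAudit(site_host)
    audit.feed(html)
    audit.close()
    allowed = {site_host.lower()} | {h.lower() for h in allowed_hosts}
    return {"unexpected_hosts": sorted(audit.hosts - allowed),
            "inline_hits": audit.inline_hits}

# Constructed sample page: two legitimate scripts plus two injected elements.
SAMPLE = """<html><head><script src="/js/menu.js"></script>
<script src="http://cdn.shop.example/lib.js"></script></head><body><p>Welcome</p>
<iframe src="http://unknown-host.example/in.php" width="1" height="1"></iframe>
<script>document.write(unescape("%3Cb%3Ex%3C/b%3E"))</script></body></html>"""

if __name__ == "__main__":
    print(audit_page(SAMPLE, "www.shop.example", ["cdn.shop.example"]))
```

Run against pages fetched from outside the server on a schedule, a non-empty result is a signal to compare the served page with the version in source control.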