Nifty hacker details attacks on anti-virus websites
Written by Rebecca Mints
Sunday, 01 March 2009 19:59

A versatile hacker calling himself Methodman is increasingly becoming the nemesis of several anti-virus vendors for his slick antics, including publicising vulnerabilities in sites served over HTTPS; so far ESET, Kaspersky and Avira have been affected.

His latest assault is on ESET, developer of the popular NOD32 anti-virus solution. Users of this product could be shown arbitrary alerts and enticed to browse legitimate-looking websites or click on malicious files.

ESET has already acknowledged in an advisory that websites operated by the company in Taiwan and the United Kingdom are vulnerable to SQL injection and cross-site scripting.

ESET issued a statement on February 22 claiming that the flaw was fixed as soon as security experts notified the company of the vulnerability.

Methodman himself published proof-of-concept attacks against specific sites run by ESET, including http://www.eset.com.tw, https://secure.eset.co.uk, and http://www.virus-radar.com. In past months, Methodman has divulged details of attacks against Kaspersky and Avira which, he said, have XSS vulnerabilities that he exploited to trigger arbitrary alerts. Methodman said the sites in question have a search form that does not properly sanitize input and are therefore open to attack.

Methodman has reportedly combined these flaws with social engineering techniques to carry out his attacks. Through SQL injection and URL manipulation, he also lures users into unwittingly visiting external websites under his control. In detailing his assault, Methodman posted screenshots of how he performed SQL injection on ESET's UK website. The screenshots show the site's backend, MySQL 5.0.27 accessed through an ODBC 3.51 driver, with SQL injection used to plant malicious files. Methodman also broke into the ASP-coded website by using the XSS vulnerability.

Methodman's latest escapade before the published ESET attack involved the high-profile Intel Product Security Center website. He reported that advisory pages on Intel's security center could be exploited by attackers through the same kind of XSS vulnerability.

Intel patched the XSS vulnerability immediately, before malicious attackers were able to exploit it.

For ESET, however, the flaw on virus-radar.com remains uncorrected. The website, which publishes statistics about e-mail threats, is exposed to session cookie hijacking, the display of arbitrary alerts, and redirection not authorized by the user. All of these stem from a cross-site scripting vulnerability that can readily be exploited through iframe injection.
