Re: News: Major Exploit Underway... in Security http://www.dslreports.com/forum/r11905436 en Fri, 27 Nov 2009 23:31:56 EDT Fri, 27 Nov 2009 23:31:56 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11945083 anon : About 90% of the browsing world
»regfreeze.freeserverhost.com/ ;)]]> http://www.dslreports.com/forum/remark,11945083 Wed, 24 Nov 2004 04:43:50 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11935925 TeMerc : Little bit more on CNET:
»news.com.com/Attackers+strike+us···l?tag=nl
--
Remember............You can NEVER be OVERPROTECTED!!]]> http://www.dslreports.com/forum/remark,11935925 Tue, 23 Nov 2004 02:52:53 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11934071 Indy Sabre :
said by TerryMiller See Profile:

As long as the user doesn't have permission to install applications.
Terry, thanks for the answer, that is what I thought.

BTW, I made the jump to installing a HOSTS file. Thanks for your helpful answers!]]> http://www.dslreports.com/forum/remark,11934071 Mon, 22 Nov 2004 22:21:33 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11933835 TerryMiller :
said by Indy Sabre See Profile:

Would surfing in IE on a limited user account in W2000 likely prevent damage from these exploits?
As long as the user doesn't have permission to install applications.
--
My family site]]> http://www.dslreports.com/forum/remark,11933835 Mon, 22 Nov 2004 22:00:57 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11933165 Indy Sabre : Would surfing in IE on a limited user account in W2000 likely prevent damage from these exploits?]]> http://www.dslreports.com/forum/remark,11933165 Mon, 22 Nov 2004 20:59:10 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11933004 jig : this is at least partially done with some of the content filtering boxes out there. what i've seen is that they contact an offsite service that checks the web address against a list and returns a 'grade' that labels the site as childsafe, adult, hate, etc. if the device is set to allow that subset, then the client can connect directly.

problem is, of course, that only the most recent requests are cached. so if the offsite service goes down or is otherwise unreachable, the protection isn't there anymore. and i don't think most of the offsite services would allow their entire list to be locally cached..

and i don't know how these offsite services deal with any kind of litgation over whether or not a site is labeled correctly.

i suppose it would be interesting if a hardware manufacturer sold a product that had some general ability to upload what is in effect a hosts file. general enough so that they couldn't get sued over someones site getting put into one of the various lists and uploaded to the router. and upgradeable memory. that would be enough, but the next step would be to have various sets of lists that could be applied to subnets in various combinations.

the more i think about it though, most of the appliances that have even the beginning of the right kinds of resources already cost as much as the cheapest dell, which has more than enough umph to do all the above AND much more.

still, i'd buy an appliance that did everything above for $300 or less. appliance = something without moving parts (no fan or hard drive).]]> http://www.dslreports.com/forum/remark,11933004 Mon, 22 Nov 2004 20:44:22 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11932168 claudeo : I'd really like to find a single purpose, inexpensive appliance that could subscribe to a blacklist and automatically block access from my home network (maybe sit between the NAT/router and the modem). I know I can build one using Linux, but I don't have the time. Also I don't have time to learn how to make the ipchain or similar rules dynamically updatable from a "plain" blacklist updated continuously from a trusted source.

Nothing smart, nothing elegant,no smart rules, pure brute force. Simpler than messing around with hosts files (which BTW doesn't work well with Win2K where a big hosts file just seems to kill performance). And yes, I know, woe to whoever is accidentally listed--this is why it has to be updating continuously. It should also update continuously so that phishing sites can be listed as soon as they are detected, not days or weeks after they've been taken down.

I bet by now there are hundreds of thousands of people and small companies who would gladly pay $50-$100 for such a gadget, along with a $1/month subscription to the update service. Hint hint.]]> http://www.dslreports.com/forum/remark,11932168 Mon, 22 Nov 2004 19:32:28 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11931482 eburger68 : Hi All:

An article in appeared in The Register today about this exploit:

http://www.theregister.co.uk/2004/11/22/apache_hijack_serves_iframe_exploit/

Best,

Eric L. Howes]]> http://www.dslreports.com/forum/remark,11931482 Mon, 22 Nov 2004 18:27:16 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11929176 bobince : > Is this being caused by unscrupulous companies intentionaly serving these exploits [...] Or is it unscrupulous individuals that are infecting blameless companies

In the case of the sp2f*cked/sp2admin/etc. exploits, seems to be "both". Some 'affiliates' are putting the exploits on their own dodgy properties, whilst some are apparently r00ting other webservers to inject the iframes.

culverj:

> Most/all of the domains originally identified as exploiting this vulnerability have been taken down.

Absolutely not. Some of the most widely-publicised URLs have been removed, and a bogus 'deactivated' message put up on the main sp2f*cked root page, but most of the other URLs we've seen used by these exploits are still very much active.

Similar sites (CWS havens) have been known for months and have not been taken down. We are dealing with rogue ISPs here.]]> http://www.dslreports.com/forum/remark,11929176 Mon, 22 Nov 2004 14:24:19 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11929101 Bubba :
said by ctrip See Profile:


Could someone answer a simple question for me? Is this being caused by unscrupulous companies intentionaly serving these exploits from their webservers to the unwary visitors?
If I'm understanding your question as it relates to the beginning of this thread....I believe the answer is in Eric's first post ?

said by eburger68 See Profile
It appears that a group of hackers (perhaps even a criminal gang) is hacking web servers all over the Net and installing root kits that dynamically inject code into the pages served from the compromised web servers. The injected code effectively serves as a "front door" to a number of different pages at these domains:
]]> http://www.dslreports.com/forum/remark,11929101 Mon, 22 Nov 2004 14:13:39 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11929011 SolarPup : Whoa... he's the guy that hosts my colocate... wham bang!]]> http://www.dslreports.com/forum/remark,11929011 Mon, 22 Nov 2004 14:01:18 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11928897 ctrip : Could someone answer a simple question for me? Is this being caused by unscrupulous companies intentionaly serving these exploits from their webservers to the unwary visitors?

Or is it unscrupulous individuals that are infecting blameless companies who happen to be running Apache webservers?
--
I actually voted for John Kerry...

before I voted against him.]]> http://www.dslreports.com/forum/remark,11928897 Mon, 22 Nov 2004 13:45:16 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11928806 suzi : To find out where the domain is hosted and the pages are being served, the nameserver info is needed.

Name: ns1.sp2fucked.biz
Address: 69.50.168.146

Name: ns2.sp2fucked.biz
Address: 69.50.168.147

The IP lookup for those nameservers shows they are hosted by this company:

OrgName: Atrivo
OrgID: ATRIV
Address: 200 Paul Avenue
City: San Francisco
StateProv: CA
PostalCode: 94124
Country: US

NetRange: 69.50.160.0 - 69.50.191.255
CIDR: 69.50.160.0/19
NetName: ATRIVOTECHNOLOGIES
NetHandle: NET-69-50-160-0-1
Parent: NET-69-0-0-0-0
NetType: Direct Allocation
NameServer: MAIL.ATRIVO.COM
NameServer: PAVEL.ATRIVO.COM
Comment:
Comment: ## Comments listed here will appear in ARIN's WHOIS database.
RegDate: 2003-06-04
Updated: 2003-08-21

NOCHandle: EKA4-ARIN
NOCName: Kacperski, Emil
NOCPhone: +1-925-550-3947
NOCEmail: abuse@atrivo.com

OrgAbuseHandle: ABUSE658-ARIN
OrgAbuseName: Abuse Department
OrgAbusePhone: +1-925-550-3947
OrgAbuseEmail: abuse@atrivo.com

OrgNOCHandle: NETWO601-ARIN
OrgNOCName: Network Operations
OrgNOCPhone: +1-925-550-3947
OrgNOCEmail: noc@atrivo.com

OrgTechHandle: EKA4-ARIN
OrgTechName: Kacperski, Emil
OrgTechPhone: +1-925-550-3947
OrgTechEmail: abuse@atrivo.com

A Google search for Atrivo and Atrivotechnologies does *not* put the company in a good light:

»www.google.com/search?sourceid=n···q=Atrivo

»www.google.com/search?sourceid=n···nologies

Atrivotechnologies is listed on a number of spam block lists, among other things.

The owner, Emil Kacperski, is reportedly a 26 year old in California. He posts at »webhostingtalk.com/ forums using the name "goose". (The forum seems to be down at the moment). From what I read there, he and Atrivo are well regarded on that forum, but Google search results for the name Emil Kacperski paint a different picture of him and it's not pretty.

»www.google.com/search?sourceid=n···erski%22

Emails to the abuse department at Atrivo might be in order.

(edited to correct grammar)
--
aka Suzi, Spyware Warrior]]> http://www.dslreports.com/forum/remark,11928806 Mon, 22 Nov 2004 13:35:08 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11928799 paranoidxe : Internet Explorer has simply become a browser that has more holes than a cheese grater. My freakin mother that does nothing more than browse the internet and read her email (doesn't download anything) has become infected by 4 different spyware programs using exploits from IE. This is EVEN with the latest patches from microsoft.

The real failure here is Microsoft, they have let everyone down with lack of security in their internet explorer program. Maybe it is high time they get off their asses and sandbox internet explorer from the windows interface, I knew eventually the intergation of IE would be a HUGE mistake.

I am sick of the argument for internet explorer fans, it can BE secure. Why would I waste my time trying to configure internet explorer to be "secure" through trial and error, when I can switch to a healthy alternative like Kmeleon, Mozilla, Firefox, Opera, etc. that are secure out of the box.

The other argument, Internet Explorer is FASTER! Sure it might be slightly faster, but the time wasted clearing the scumware off your machine through the holes in it is much more time consuming/difficult than waiting 1 or 2 seconds longer for a page to load. Since when does SPEED rule over SECURITY? come on now.

These are exploits that Microsoft seems to have refused to fix, because a lot of these exploits have been around for awhile now. It seems like to me that microsoft takes longer and longer to release patches for internet explorer when they should be putting them out much quicker.
--
- paranoidxe (textsource.org)]]> http://www.dslreports.com/forum/remark,11928799 Mon, 22 Nov 2004 13:34:07 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11928387 Dirtyping : Dammit! Now I find this thread. I am still completely Windows 2000 patched and I ended up getting infected. The only day this week I used IE I got infected. (I always use Firefox)

»IDS CPU/Memory usage

That will teach me not to ever run IE again or forget to update my Blackice signatures. ]]> http://www.dslreports.com/forum/remark,11928387 Mon, 22 Nov 2004 12:40:36 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11928298 TeMerc : Well, it seems CNET picked up the article from the Register:
»news.com.com/2001-9373_3-0.html?···efd.xtra

Maybe now it will get even more ink.

Bump:D
--
Remember............You can NEVER be OVERPROTECTED!!]]> http://www.dslreports.com/forum/remark,11928298 Mon, 22 Nov 2004 12:29:46 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11923278 Doctor Four : It is getting worse out there, and has gotten so since the
first RPC worms started coming out. Now an unpatched system
can get infected in less than a minute after being connected
to the Internet.

As for the Reg's adserver being infected by Bofra, I was
on their site yesterday during the time frame they mentioned,
but since Falk-AG's URLs are all in my hosts file, the site
was prevented from fetching the infected code. And I was
running Mozilla anyway.

But I think I'll be very careful about what sites I visit
from my workstation, which while protected, may not offer
the same degree as Mozilla (it uses IE w/no popup blocker.)
--
"Kayura or Badamon, whichever you are, you should know that I will never give up this battle. By the will of the Ancient, I shall succeed!" - Shuten (Anubis) from the Ronin Warriors.]]> http://www.dslreports.com/forum/remark,11923278 Sun, 21 Nov 2004 19:56:01 EDT Bofra exploit hits The Register http://www.dslreports.com/forum/remark,11923127 groundling : 21st November 2004
Important notice Early on Saturday morning some banner advertising served for The Register by third party ad serving company Falk AG became infected with the Bofra/IFrame exploit. The Register suspended ad serving by this company on discovery of the problem.

If you may have visited The Register between 6am and 12.30pm GMT on Saturday, Nov 20 using any Windows platform bar XP SP2 we strongly advise you to check your machine with up to date anti-virus software

http://www.theregister.co.uk/2004/11/21/register_adserver_attack/]]> http://www.dslreports.com/forum/remark,11923127 Sun, 21 Nov 2004 19:37:46 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11922530 SolarPup : Interesting Whois Output:

Request: sp2fucked.biz
whois server for *.biz is whois.neulevel.biz ...
connected to whois.neulevel.biz [209.173.53.169:43] ...
Domain Name: SP2FUCKED.BIZ
Domain ID: D7921805-BIZ
Sponsoring Registrar: DIRECT INFORMATION PVT. LTD., (D.
A. DIRECTI.COM)
Sponsoring Registrar IANA ID: 303
Domain Status: clientDeleteProhibited
Domain Status: clientTransferProhibited
Domain Status: clientUpdateProhibited
Registrant ID: DI_937571
Registrant Name: John Miller
Registrant Organization: Liber Inc
Registrant Address1: 135/2 Washington str
Registrant City: Limasson
Registrant Postal Code: 06432
Registrant Country: Cyprus
Registrant Country Code: CY
Registrant Phone Number: +944.8735673
Registrant Email: support@coolsearch.biz
Administrative Contact ID: DI_937571
Administrative Contact Name: John Miller
Administrative Contact Organization: Liber Inc
Administrative Contact Address1: 135/2 Washington str
Administrative Contact City: Limasson
Administrative Contact Postal Code: 06432
Administrative Contact Country: Cyprus
Administrative Contact Country Code: CY
Administrative Contact Phone Number: +944.8735673
Administrative Contact Email: support@coolsearch.biz
Billing Contact ID: DI_937571
Billing Contact Name: John Miller
Billing Contact Organization: Liber Inc
Billing Contact Address1: 135/2 Washington str
Billing Contact City: Limasson
Billing Contact Postal Code: 06432
Billing Contact Country: Cyprus
Billing Contact Country Code: CY
Billing Contact Phone Number: +944.8735673
Billing Contact Email: support@coolsearch.biz
Technical Contact ID: DI_937571
Technical Contact Name: John Miller
Technical Contact Organization: Liber Inc
Technical Contact Address1: 135/2 Washington str
Technical Contact City: Limasson
Technical Contact Postal Code: 06432
Technical Contact Country: Cyprus
Technical Contact Country Code: CY
Technical Contact Phone Number: +944.8735673
Technical Contact Email: support@coolsearch.biz
Name Server: NS1.SP2FUCKED.BIZ
Name Server: NS2.SP2FUCKED.BIZ
Created by Registrar: DIRECT INFORMATION PVT. LTD., (D.
A. DIRECTI.COM)
Last Updated by Registrar: DIRECT INFORMATION PVT. LTD., (D.
A. DIRECTI.COM)
Domain Registration Date: Sat Oct 09 17:54:48 GMT 2004
Domain Expiration Date: Sat Oct 08 23:59:59 GMT 2005
Domain Last Updated Date: Tue Nov 16 23:03:13 GMT 2004

>>>> Whois database was last updated on: Sun Nov 21 23:24:33 GMT 2004

Here's what Symantec speaks of it:

Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: MHTMLRedir.Exploit
File: C:\Documents and Settings\userid.DOMAIN\Local Settings\Temporary Internet Files\Content.IE5\VR1NRTW4\adv65[1].htm
Location: Quarantine
Computer: PEGASUS
User: casey
Action taken: Clean failed : Quarantine succeeded : Access denied
Date found: Sun Nov 21 16:21:54 2004]]> http://www.dslreports.com/forum/remark,11922530 Sun, 21 Nov 2004 18:25:29 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11921860 Bobby_Peru : Hi BillBigus See Profile, well that is not good at all! Unfortunately, I do not know. The prevention I was addressing was on the surfing end, not the web server itself. Hopefully someone will come along that is able to address this, short of trying to simply turn off all 3ed Party Objects served to a site's users until this calms down - which actually might be the safest route, but which might entail lost revenue and contractual complications on a commercial site.
--
**~~Infected/Hijacked? FAQ~~~Protect/Secure Your Box/Data FAQ~~~Security Forum FAQs~~**]]> http://www.dslreports.com/forum/remark,11921860 Sun, 21 Nov 2004 16:38:33 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11921788 MagMan : Nice info Thanks;)]]> http://www.dslreports.com/forum/remark,11921788 Sun, 21 Nov 2004 16:29:55 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11921742 Bobby_Peru :
said by Formeister See Profile:

I couldn't get on to any of those sites and I was wondering if it's just because I use the latest Hosts file from this forum
From earlier posts in this thread, it appears that hpguru See Profile's/IE-SYPAD would stop you from getting on the sites, even if they were still active.
--
**~~Infected/Hijacked? FAQ~~~Protect/Secure Your Box/Data FAQ~~~Security Forum FAQs~~**]]> http://www.dslreports.com/forum/remark,11921742 Sun, 21 Nov 2004 16:23:13 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11921589 Mei Guo Ren : Most/all of the domains originally identified as exploiting this vulnerability have been taken down. I think if you look around there are some sites that demonstrate the IFRAME buffer overflow vulnerability without actually hosing your system.

As for the great unwashed masses, I'm cleaning 4-5 PCs a month for friends and family. A friend who used to be in the PC OEM business (aka, Mom & Pop) now makes his living cleaning up Windows computers, and he's working six days a week, 12 hours a day. Better money than he ever made as a screwdriver shop.

The average user doesn't have Windows autoupdate turned on. They don't on AV software, or they do (only because it came from the OEM with a trial subscription) but they let the subscription lapse and don't even realize they are surfing naked. They have been conditioned by IE to believe that annoying popups are "normal." Their kids and spouses are using the computer for God knows what-- especially for AIM, where "autodownload files sent to me" is a default setting!

Back in the good old days, the threat to your computer was sneakerware-- stuff on floppies and CDs. Today, it's any website you visit, anyone on your "buddy" list, anyone who gets a mailer virus and has one of your email addresses in their address book, and whether there are unpatched OS or IE vulnerabilities already being used by malware.

As recently as two years ago, I didn't have any AV software. I used a software firewall when I had dial up, and still use a router/fw with broadband. And I never had a virus infection on any of the five PCs here, all but one running windows (my main WS has run Linux since 1998). I know today that most computers are hosed to one extent or another by malware--and I'm not even counting tracking cookies. If they are on the net, without a firewall, OS patches, and antivirus, I would bet that anyone with broadband is hosed, and even most dialup users are hosed. With threats like the IFRAMEs exploit, even people with AV software, anti-spyware utilities, a firewall, and the system fully patched can get hosed just by visiting a website with banner ads.]]> http://www.dslreports.com/forum/remark,11921589 Sun, 21 Nov 2004 16:06:09 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11921523 ironwalker : Thanx...missed it.]]> http://www.dslreports.com/forum/remark,11921523 Sun, 21 Nov 2004 15:57:04 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11921431 Formeister : I find this interesting and feel sorry for all non-geeks who put out good money to buy a computer and have it ruined because they lack the knowledge to combat these intrusions. That said, does anyone have any links to other sites that actually will do what the author has shown? On my computer, XP pro, patched but w/o SP 1 or 2 and no active firewall besides Windows, I couldn't get on to any of those sites and I was wondering if it's just because I use the latest Hosts file from this forum and Opera instead of IE or if it's because I don't hit the right porn sites. Any way I'd like to try it in IE and see what happens (I'm a glutton for punishment).:D

Forgot to say to IM links rather than post. Tks]]> http://www.dslreports.com/forum/remark,11921431 Sun, 21 Nov 2004 15:42:15 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11921057 TheJoker :
said by ironwalker See Profile:

Does IESpyad block these?
Already posted in the thread. IE-SYPAD does indeed block all the sites listed in Eric's first post in this thread. To check to see if IE-SPYAD blocks a specific site, just open ie-ads.reg in Notepad, hit CTRL+F, and paste in the name of the site you want to check for.
--
TheJoker]]> http://www.dslreports.com/forum/remark,11921057 Sun, 21 Nov 2004 14:38:11 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11920674 ironwalker : Someone have a sygate dat file People can import to block most of these sites?
Does IESpyad block these?]]> http://www.dslreports.com/forum/remark,11920674 Sun, 21 Nov 2004 13:40:56 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11920507 BillBigus : OK
My server was done in the exact way that you describe.
However, the server management company insist that it was done by an individual in Texas, who just 'Happened" to guess my password...
First time !
Yeah right, I believe that (NOT)

so if I am correct, and my server people are lying to me and it had been hacked...
What would I be looking for to prove it, aside from the iframes injected into the pages themselves ? And also... What do i need to remove to stop it re-occurring ? Thanks]]> http://www.dslreports.com/forum/remark,11920507 Sun, 21 Nov 2004 13:17:09 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11919732 Bobby_Peru :
said by Joe Stewart See Profile:

I've written up some more detail of some of the banner-ad IFRAME exploiters:

http://www.lurhq.com/iframeads.html

One of the banner services being abused to infect users is oas-central.realmedia.com.
Thanks Joe. This sure seems to me to be a real solid reason to BLOCK the calling and downloading of such 3ed Party Objects!
--
**~~Infected/Hijacked? FAQ~~~Protect/Secure Your Box/Data FAQ~~~Security Forum FAQs~~**]]> http://www.dslreports.com/forum/remark,11919732 Sun, 21 Nov 2004 11:11:03 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11919694 Joe Stewart : I've written up some more detail of some of the banner-ad IFRAME exploiters:

http://www.lurhq.com/iframeads.html

One of the banner services being abused to infect users is oas-central.realmedia.com.

-Joe]]> http://www.dslreports.com/forum/remark,11919694 Sun, 21 Nov 2004 11:04:05 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11919676 3SGTE : But be careful at majorgeeks:
»crappy ads at majorgeeks.com]]> http://www.dslreports.com/forum/remark,11919676 Sun, 21 Nov 2004 10:59:40 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11919650 PentiumIII : Alternatively, people with SP1a can use this temporarily fix from Maxthon to patch the IFRAME vulnerability until the official patch is released by Microsoft http://www.majorgeeks.com/download.php?det=4412
It can be uninstall as well for those who are worry about conflicts with the future official patch. It has worked flawlessly for myself so far to date.]]> http://www.dslreports.com/forum/remark,11919650 Sun, 21 Nov 2004 10:55:20 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11919587 Bobby_Peru : Hi KyeU See Profile, would you post just the filters applicable to this exploit (Reg-Ex is ok, if existent), since AdBlock (WebWasher...) users might want to Add them to their existing filter set? I have already added b00gle.info coolsearch.biz newiframe.biz pizdato.biz . While these folks may presently just be attempting to exploit an IE vulnerability, any known areas were they operate might should be avoided, even by FF users. Thanks!
--
**~~Infected/Hijacked? FAQ~~~Protect/Secure Your Box/Data FAQ~~~Security Forum FAQs~~**]]> http://www.dslreports.com/forum/remark,11919587 Sun, 21 Nov 2004 10:43:59 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11919076 illukka : just to bump :)]]> http://www.dslreports.com/forum/remark,11919076 Sun, 21 Nov 2004 08:19:56 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11918625 Mele20 : I read that SANS diary earlier today. I'm still not going to install SP2. Microsoft will issue a patch for SP1. In the meantime, anyone with SP1 should use another browser. ]]> http://www.dslreports.com/forum/remark,11918625 Sun, 21 Nov 2004 04:10:59 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11918597 suzi :
quote:
Microsoft fully supports SP1 and will issue a patch for what ever exploit this is I'm sure. It sounds to me like you have to be rather naive to get this infection. You have to use IE (only the naive do that these days), and you have to do a bunch of suspicious clicks? That is what the naive do.


Well, I think most of us were naive at one time. Being naive or not has nothing to do with it. This is a dangerous exploit. In fact, there has been some speculation that it's a prelude to a major distributed denial of service attack. SANS is reporting on it.

quote:
Spy/Adware via Browser Vulnerabilities and Compromised Web Servers

Steve Friedl pointed us to the BroadbandReports discussion that documents a series of web server compromises that deliver spy/adware to victims that visit compromised sites. The victims are running a vulnerable browser. The information is still preliminary, but there are indications that the attackers are using an IFRAME vulnerability in Internet Explorer to deliver the payload. The web servers hosting the malicious code seem to be running Apache.

The BroadbandReports discussion of this incident:
http://www.broadbandreports.com/forum/remark,11904374

A post to the Full-Disclosure list that may be related to this incident, referencing IFRAME and Apache (this link was posted on the BroadbandReports forum):
http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/27857

Information about the recent IFRAME vulnerability (no patch available at the moment; Windows XP SP2 systems not affected):
http://secunia.com/advisories/12959

We don't have much information regarding this attack pattern to determine its scope. We'd love to hear from you if you can share with us logs, malware samples, or observations relevant to this incident. If server compromises are wide-spread, this incident is reminiscent of attacks on Web servers that distributed the Download.Ject trojan in June.


And the updates on the IFRAME vulnerabilities:

quote:
Just to refresh everyone on the details. On October 24, a vulnerability was discovered in the IFRAME tags of Internet Explorer 6.0 affecting all Windows platforms except Windows XP SP2. This vulnerability can be exploited by going to a web-site that has malicious code. Currently, some high profile sites with banner ads are linking to servers that have the exploit and malicious code.


I traced the file which set off the exploit from one web page down through multiple nested IFRAMES embedded in web page on a forum.

It also notes that machines with XP SP 2 are NOT vulnerable. I've installed SP 2 on both my XP machines with no problems whatsoever.
--
aka Suzi, Spyware Warrior]]> http://www.dslreports.com/forum/remark,11918597 Sun, 21 Nov 2004 03:58:24 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11918511 Jeremy341 :
said by Mele20 See Profile:

you couldn't pay me to upgrade a Dell.
Well of the computers I have personally upgraded to SP2, 10 of them have been Dells. I maintain that if you know what you're doing, the process will go well. You will not convince me that's untrue, because I have never done a bad SP2 install.
--
I do not trust Firefox. Spread anything besides that horrid piece of crap.]]> http://www.dslreports.com/forum/remark,11918511 Sun, 21 Nov 2004 03:24:07 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11918499 Mele20 :
said by Jeremy341 See Profile:

said by Mele20 See Profile:

I am not at all convinced that I need to install SP2 with all its headaches.
If you haven't installed it, how can you know it will cause headaches? I have installed SP2 on many computers, and have never had a problem.
Have you been following Libra See Profile threads? We both have Dell Dimensions (I have the 8300 she has the 8400). After helping her for some time now, you couldn't pay me to upgrade a Dell. ;) Dell told her that upgrading her brand new 8400 Dimension to SP2 is what wrecked her computer. She has had a huge mess ever since. Dell took her back to SP1 and she has had problem after problem. Microsoft and Dell together can't even figure it all out.

Additionally, I have a scanner that cannot upgrade to SP2. It is using 98SE software on SP1a but that won't work on SP2.

Microsoft fully supports SP1 and will issue a patch for what ever exploit this is I'm sure. It sounds to me like you have to be rather naive to get this infection. You have to use IE (only the naive do that these days), and you have to do a bunch of suspicious clicks? That is what the naive do.

ctrip See Profile Of course XP Pro SP1 can be fully patched. I have all the patches and Microsoft supports SP1 for two more years and I will continue to get all patches. So don't say SP1 cannot be fully patched. That will be the case ONLY after Microsoft ceases supporting it. By that time I will either install SP2 (if I have not already done so) or have Longhorn. I have never said I will never install SP2. But I see no need to do so now and I would prefer to wait and install Longhorn instead (assuming Longhorn will be compatible with this hardware). If and when I decide SP2 is necessary then I will install it. I don't believe it is necessary at this time and this IE exploit doesn't convince me.
--
The first and foremost function of our jurors is to protect private citizens from a tyrannical and intrusive government...Jurors are the last line of defense for liberty. Thomas Jefferson 1789]]> http://www.dslreports.com/forum/remark,11918499 Sun, 21 Nov 2004 03:19:36 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11918467 claudeo : The other thing is, teach anyone you support to use Alt-F4 on the keyboard rather than clicking anything on the window. I got one of those a few weeks back on which I looked at the source. Sure enough, the "Continue" and "No thanks" button were linking to the exact same thing. ]]> http://www.dslreports.com/forum/remark,11918467 Sun, 21 Nov 2004 03:10:45 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11918385 toddbs98 : Ok if a fully patched XP box isn't effected then this really isn't an exploit is it if the problems been fixed?]]> http://www.dslreports.com/forum/remark,11918385 Sun, 21 Nov 2004 02:45:51 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11918167 KyeU : I've written some Proxomitron filters to remove the danger from "sp2f***ed.biz"

These are filters included in my "Browser Security Pack".
I've uploaded v4.25 to my site and the Prox-List Y! Group.

»www.kye-u.com/proxo/forums/index···ntry3104
»www.kye-u.com/proxo/downloads.ph···cfgpacks
»groups.yahoo.com/group/prox-list···ge/20178]]> http://www.dslreports.com/forum/remark,11918167 Sun, 21 Nov 2004 01:56:57 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11917789 danball1976 : It happens to be affecting more websites than are listed. At least two websites I regularly visit have this stealth attempting to install the stuff listed below.

Whats worse is that when it attempts to download, it will first put its own little page telling you that you must download it in order to view the website.

I did it once, but luckily, I have ZoneAlarm and told it to block access to whatever attempts to access the internet. Also, I fought the download and deleted things that kept being downloaded. When that was all over, I ran adaware, and deleted whatever else there was to delete, and then searched the registry to delete any more things.

The only thing to do is tell Internet Explorer to NOT download items that are from the company "CLICK HERE TO CONTINUE" and IE will block it.]]> http://www.dslreports.com/forum/remark,11917789 Sun, 21 Nov 2004 00:35:36 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11916533 ctrip :
said by Mele20 See Profile:

I haven't seen anyone say that SP1a (fully patched) with Proxo (latest JD5000 alpha extra/advanced filters) gets infected. So, I am not at all convinced that I need to install SP2 with all its headaches.
SP1a cannot be fully patched because a fully patched XP machine would be SP2. But I wish you good luck in your daring and determined experiment of never updating your XP machine to protect yourself from exploits and vulnerabilities as they are discovered.
--
I actually voted for John Kerry... before I voted against him.]]> http://www.dslreports.com/forum/remark,11916533 Sat, 20 Nov 2004 21:35:10 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11916459 Jeremy341 :
said by Mele20 See Profile:

I am not at all convinced that I need to install SP2 with all its headaches.
If you haven't installed it, how can you know it will cause headaches? I have installed SP2 on many computers, and have never had a problem.
--
I do not trust Firefox. Spread anything besides that horrid piece of crap.]]> http://www.dslreports.com/forum/remark,11916459 Sat, 20 Nov 2004 21:24:27 EDT Re: video recording method http://www.dslreports.com/forum/remark,11916449 jig :
said by Ben Edelman:

I use Windows Media Encoder, free from »www.microsoft.com/windowsmedia . It generally does a good job. Sometimes my test machine gets so badly infected that the encoder crashes, though. I doubt that MS ever tested the encoder under such conditions, or designed it to cope with such conditions.
thans much, it works really well, at least on a fastish computer.

also, consider this another vote for you to subscribe here..]]> http://www.dslreports.com/forum/remark,11916449 Sat, 20 Nov 2004 21:23:23 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11916345 Mele20 :
said by ironwalker See Profile:

quote:
toddbs98, the exploits I tested were not successful in harming a fully patched version of XP, at least not in my testing. My tests show an unpatched XP installation.



Now,hopefully, all those that didnt/wont/uninstalled sp2 will now seee why its a much needed resource.
Thanx Ben
I haven't seen anyone say that SP1a (fully patched) with Proxo (latest JD5000 alpha extra/advanced filters) gets infected. So, I am not at all convinced that I need to install SP2 with all its headaches. I very seldom use IE anyhow.
--
The first and foremost function of our jurors is to protect private citizens from a tyrannical and intrusive government...Jurors are the last line of defense for liberty. Thomas Jefferson 1789]]> http://www.dslreports.com/forum/remark,11916345 Sat, 20 Nov 2004 21:07:52 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11915971 JollyStomper :
quote:
Those pages use several security exploits to stealth install a variety of different software packages on users' PCs, all without any warning whatsoever. Several other domains are used in that installation/exploit process, including:

69.50.168.147
195.178.160.30
213.159.117.133
b00gle.info
coolsearch.biz
newiframe.biz
pizdato.biz


Thanks for all the info, Eric. All blocked at the firewall level now.

js
--
"As I was sayin' buster, this planet ain't big enough for the two of us so... OFF YA GO!"]]> http://www.dslreports.com/forum/remark,11915971 Sat, 20 Nov 2004 20:15:21 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11914885 jonkman : You're right. I said fully patched, I should have said XP SP1 with all patches, but not SP2.

We work on that assumption in work and on bleeding snort generally. There are still such a large number of apps that SP2 breaks we work to keep SP1 secure.

Although the new vulns in SP2 are getting it caught up with SP1 for open issues. :)

Thanks for pointing that out, I'll correct my post on the bleedingsnort site as well.

Matt]]> http://www.dslreports.com/forum/remark,11914885 Sat, 20 Nov 2004 17:35:10 EDT Re: Effect of patches; testing methods http://www.dslreports.com/forum/remark,11914411 Nerdtalker :
said by Ben Edelman:

Nerdtalker, yes, I was using a vmware test environment for the tests shown in the video. Vmware makes it much easier to run these kinds of tests.
Thanks!

So this un-patched XP installation was essentially SP1?

Thanks again Ben for elaborating on all this.
--
Touch a thistle timidly, and it pricks you; grasp it boldly, and its spines crumble. -William S. Halsey

I'm testing Gmail's spam filters, fill it up: Broadbandreports1@gmail.com
Spam to date: 548]]> http://www.dslreports.com/forum/remark,11914411 Sat, 20 Nov 2004 16:32:05 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11913839 ironwalker :
quote:
toddbs98, the exploits I tested were not successful in harming a fully patched version of XP, at least not in my testing. My tests show an unpatched XP installation.



Now,hopefully, all those that didnt/wont/uninstalled sp2 will now seee why its a much needed resource.
Thanx Ben
--
"LIVE FREE OR DIE" www.Theforumz.com ---- www.ownt.com-- Fiber Optics is the future of high-speed internet access. Stop by the BBR Fiber Optic]]> http://www.dslreports.com/forum/remark,11913839 Sat, 20 Nov 2004 15:19:05 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11913581 eburger68 : kpatz:

I haven't tested this on a fully patched XP box myself. In an interesting thread over at BleedingSnort, however, Matt Jonkman (who posted earlier in this thread) reports (see »www.bleedingsnort.com/forum/view···opic=257 ):

said by Matt Jonkman:
I had about 15 unique spyware packages installed from that link on a stock XP workstation fully patched running IE.


Perhaps Matt could elaborate a bit on this.

Best,

Eric L. Howes]]> http://www.dslreports.com/forum/remark,11913581 Sat, 20 Nov 2004 14:48:33 EDT Effect of patches; testing methods http://www.dslreports.com/forum/remark,11913552 anon : toddbs98, the exploits I tested were not successful in harming a fully patched version of XP, at least not in my testing. My tests show an unpatched XP installation.

Nerdtalker, yes, I was using a vmware test environment for the tests shown in the video. Vmware makes it much easier to run these kinds of tests.]]> http://www.dslreports.com/forum/remark,11913552 Sat, 20 Nov 2004 14:44:08 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11913433 Zhen-Xjell :
said by jaykaykay See Profile:

said by Zhen-Xjell See Profile:


»www.aluriasoftware.com/forum/thread351.html
»www.prnewswire.com/cgi-bin/stori···6&EDATE=

I shudder.
"Aluria Announces First-of-Its-Kind Spyware Hotline Designed to Protect the Public From the Latest Spyware Threats".........

Oh, yeah. Now tell me another story!!! And just how many have already been fooled by this kind of tommy rot. :(
There is real damaging evidence now against Aluria. It turns out that they sent a cease and desist to SpywareGuide for posting information about their privacy policy, which AdwareReport claims was false. Thanks to a person who wishes to be unknown, Web Archive has revealed that Spyware Guide was correct about Aluria's privacy policy.

»castlecops.com/article-5516-nested-0-0.html
--
Lee Ho Fook's]]> http://www.dslreports.com/forum/remark,11913433 Sat, 20 Nov 2004 14:28:19 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11913359 NetFixer :
said by kpatz See Profile:

Curious - has anyone hit the exploit site in Firefox? Does it attempt to infect in this case, or is it only IE exploits it uses?
Actually there are an unknown number of exploit sites since the web sites themselves have been hacked. I looked at several sites which were reported as infected in other threads on this site using Netscape 7.2 (Mozilla 1.7.2) and did not see any problems. I also have popup blocking enabled and use the MVPS hosts file. I would think that Firefox would be protected as well from the exploits so far reported (IE IFRAME vulnerability... see http://isc.sans.org/diary.php for additional information). However, since the real problem is infected web sites rather than any specific browser exploit, it may be possible that some web site(s) might have imbedded exploits which could target Mozilla/Firefox.
--
Never explain- your friends do not need it and your enemies will not believe it anyhow.]]> http://www.dslreports.com/forum/remark,11913359 Sat, 20 Nov 2004 14:16:31 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11913248 kpatz : Curious - has anyone hit the exploit site in Firefox? Does it attempt to infect in this case, or is it only IE exploits it uses?

How about XP SP2?
--
SMTP: Spam and Malware Transfer Protocol. Also used on rare occasion to transmit e-mail messages.]]> http://www.dslreports.com/forum/remark,11913248 Sat, 20 Nov 2004 14:01:14 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11913131 jaykaykay :
said by Zhen-Xjell See Profile:

»www.aluriasoftware.com/forum/thread351.html
»www.prnewswire.com/cgi-bin/stori···6&EDATE=

I shudder.
"Aluria Announces First-of-Its-Kind Spyware Hotline Designed to Protect the Public From the Latest Spyware Threats".........

Oh, yeah. Now tell me another story!!! And just how many have already been fooled by this kind of tommy rot. :(]]> http://www.dslreports.com/forum/remark,11913131 Sat, 20 Nov 2004 13:28:10 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11913126 toddbs98 : Ok I am a little confused. From reading Ben Edelman's page he was running an unpatched version of XP does this exploit effect fully updated systems too?]]> http://www.dslreports.com/forum/remark,11913126 Sat, 20 Nov 2004 13:27:39 EDT Re: video recording method http://www.dslreports.com/forum/remark,11913116 Nerdtalker :
said by Ben Edelman:

I use Windows Media Encoder, free from »www.microsoft.com/windowsmedia . It generally does a good job. Sometimes my test machine gets so badly infected that the encoder crashes, though. I doubt that MS ever tested the encoder under such conditions, or designed it to cope with such conditions.
I use that encoder as well.

Excellent write-up and video Ben! :D That was pretty alarming.

Were you running that copy of XP in vmware or something?
--
Touch a thistle timidly, and it pricks you; grasp it boldly, and its spines crumble. -William S. Halsey

I'm testing Gmail's spam filters, fill it up: Broadbandreports1@gmail.com
Spam to date: 548]]> http://www.dslreports.com/forum/remark,11913116 Sat, 20 Nov 2004 13:25:35 EDT video recording method http://www.dslreports.com/forum/remark,11912707 anon : I use Windows Media Encoder, free from »www.microsoft.com/windowsmedia . It generally does a good job. Sometimes my test machine gets so badly infected that the encoder crashes, though. I doubt that MS ever tested the encoder under such conditions, or designed it to cope with such conditions.]]> http://www.dslreports.com/forum/remark,11912707 Sat, 20 Nov 2004 12:25:23 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11912424 EGeezer : You're right about that - out in the real business world, where companies have thousands of workstations to deploy and maintain, and where a firm's customers, vendors or business partners may require IE or IE based applications to conduct e-commerce, simply loading a copy of FF, Netscape, Opera etc is not a practical cost-justifiable option. What an IT department may feel is the "best" solution is often not an option for business reasons.
--
IEC703 DISK ERROR ABEND]]> http://www.dslreports.com/forum/remark,11912424 Sat, 20 Nov 2004 11:40:56 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11912272 antdude :
said by nirvansk815 See Profile:

wow. spread the news.
I just sent it to /., Blue's News, AQFL (»aqfl.net -- my site), and my friends. Hopefully, /. and BN will post it! ;)]]> http://www.dslreports.com/forum/remark,11912272 Sat, 20 Nov 2004 11:18:31 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11912248 eburger68 : Anon43:

You asked:

said by Anonymous See Profile:

I wonder what spyware companies have to say about this?

I would really like to see WhenU's comment...:uhh:
Well, you could ask in the Aluria thread where Andrew Clover first revealed this exploit:

»www.aluriasoftware.com/forum/thread351.html

Best,

Eric L. Howes]]> http://www.dslreports.com/forum/remark,11912248 Sat, 20 Nov 2004 11:14:43 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11912164 mabus : i went to all those sites, and amazingly enough my SuSe box didn't get infected. :D]]> http://www.dslreports.com/forum/remark,11912164 Sat, 20 Nov 2004 11:01:46 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11912148 Anonymous : I wonder what spyware companies have to say about this?

I would really like to see WhenU's comment...:uhh:
--
anon43@gmail.com ]]> http://www.dslreports.com/forum/remark,11912148 Sat, 20 Nov 2004 10:59:03 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11912144 TheJoker :
said by eburger68 See Profile:

....The injected code effectively serves as a "front door" to a number of different pages at these domains:

sp2fucked.biz
splitinfinity.info
xpire.info

..... Several other domains are used in that installation/exploit process, including:

69.50.168.147
195.178.160.30
213.159.117.133
b00gle.info
coolsearch.biz
newiframe.biz
pizdato.biz....
I'd just like to point out that the version of IE-SPYAD that Eric updated yesterday (19th) does have all the sites he listed above involved in this exploit. So while MS may not have a fix for this exploit yet, there is something that you can use to help protect your system (at least from malware from sites listed in IE-SPYAD).
--
TheJoker]]> http://www.dslreports.com/forum/remark,11912144 Sat, 20 Nov 2004 10:57:52 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11912039 SP_Writer : Thanks, big guy!
I'm gonna do a round-up of these solutions for my boss to have a gander at. We are about to do a major roll-out of a 2003 AD Domain w/XP boxes....and he's starting to rethink IE as the browser choice....and looking into Firefox. He is a real Linux/Unix head, but there some proggies that won't work under Linux, so it's got to be Windoze.]]> http://www.dslreports.com/forum/remark,11912039 Sat, 20 Nov 2004 10:41:20 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11911921 eburger68 : jonkman:

Could you email me at:

eburger68@myrealbox.com

We're working on this at Spyware Warrior and it would be useful to share the information that we're putting together.

Best,

Eric L. Howes]]> http://www.dslreports.com/forum/remark,11911921 Sat, 20 Nov 2004 10:13:45 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11911866 anon : We've got a good set of snort signatures up written from what this installs.

»www.bleedingsnort.com

More contributions welcome.]]> http://www.dslreports.com/forum/remark,11911866 Sat, 20 Nov 2004 10:03:39 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11911644 eburger68 : SP_Writer:

There are some "enterprise" solutions that are becoming available. See here for a list of the ones I know of:

»https://netfiles.uiuc.edu/ehowes/www/soft6.htm#Enter

Best,

Eric L. Howes]]> http://www.dslreports.com/forum/remark,11911644 Sat, 20 Nov 2004 08:56:56 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11911566 SP_Writer : At work more and more computers are being infected with spyware/adware. I clean them out, and had to drop an image on a few, but it is starting to put a drain on me. Any cheap (we r a nonprofit company) solutions for a 200+ computer network?

If only I had a gun....
I would need bullets.]]> http://www.dslreports.com/forum/remark,11911566 Sat, 20 Nov 2004 08:34:13 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11911272 Tyreman : yes between Ms and Norton fighting for your computer, digital rights management,palladium(pablum),over the pond cyber freaks, thats about it in a nutshell]]> http://www.dslreports.com/forum/remark,11911272 Sat, 20 Nov 2004 06:57:51 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11911015 nirvansk815 : wow. spread the news.]]> http://www.dslreports.com/forum/remark,11911015 Sat, 20 Nov 2004 04:28:02 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11910944 Khaine : Thanks for the write up, I fear that this is the future of the internet, with gangs of cyber thugs intimidating web site operators

:(]]> http://www.dslreports.com/forum/remark,11910944 Sat, 20 Nov 2004 03:54:54 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11910920 BQuick : Oh,i was using Avant though]]> http://www.dslreports.com/forum/remark,11910920 Sat, 20 Nov 2004 03:46:42 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11910916 BQuick : I went to coolsearch.biz site with activeX set to prompt and Abtrusion Protector installed,and apart ActiveX prompts that i denied and 2-3 install software requests nothing happened.AP didn't signal anything.]]> http://www.dslreports.com/forum/remark,11910916 Sat, 20 Nov 2004 03:45:31 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11910868 suzi : SANS is reporting this and has linked to this thread.

»isc.sans.org/diary.php

It's in the handler's diary for Nov. 19th.

They are asking for logs, files, and observations.
--
aka Suzi, Spyware Warrior]]> http://www.dslreports.com/forum/remark,11910868 Sat, 20 Nov 2004 03:20:28 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11910783 PeeWee : A good video to save and show. Some people I know will recognize some of the steps the user was forced through (myself included).
--
Nemo me impune lacessit. [No one provokes me with impunity] -- Motto of the Crown of Scotland]]> http://www.dslreports.com/forum/remark,11910783 Sat, 20 Nov 2004 02:51:06 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11910721 NetFixer :
said by blacksky See Profile:

When I go to the Cool search page I get this in firefox.

"To protect your computer, firefox prevented this site (www.coolsearch.biz) from installing software on your computer.

Doing a virus scan and it looks like I have a trojan horse dialer...
You will be very lucky if that trojan dialer is all you picked up from that site.
--
Never explain- your friends do not need it and your enemies will not believe it anyhow.]]> http://www.dslreports.com/forum/remark,11910721 Sat, 20 Nov 2004 02:31:09 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11910687 wowok1234 : I can't view the video...I'm on a Mac and Windows Media player is crappy on the mac... can some kind soul transcode it to MPEG or AVI?

BTW, Thanks for the informative site, Ben. maybe in the future you should encode the videos in a format Mac and Linux users can view as well as Windows users?]]> http://www.dslreports.com/forum/remark,11910687 Sat, 20 Nov 2004 02:18:50 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11910636 blacksky : When I go to the Cool search page I get this in firefox.

"To protect your computer, firefox prevented this site (www.coolsearch.biz) from installing software on your computer.

Doing a virus scan and it looks like I have a trojan horse dialer... ]]> http://www.dslreports.com/forum/remark,11910636 Sat, 20 Nov 2004 02:08:20 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11910624 eburger68 : Jig:

I believe Ben uses the Windows Media Player program, Windows Movie Maker.

Best,

Eric L. Howes]]> http://www.dslreports.com/forum/remark,11910624 Sat, 20 Nov 2004 02:05:25 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11910612 jig :

what was used to record the desktop? it seems to work quite well, even under bot-load.]]> http://www.dslreports.com/forum/remark,11910612 Sat, 20 Nov 2004 02:01:53 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11910572 TeMerc : So, if I read this right, once the server have been hacked, any sites hosted on said server are vulnerbale to having this code executed when a user visits said site, whatever it is.

Has anyone been able to find out which server(s), and which sites are affected yet?

EDIT: Sadly, only a couple of those logs originally listed by Eric are resolved.
Bump:D
--]]> http://www.dslreports.com/forum/remark,11910572 Sat, 20 Nov 2004 01:51:37 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11910249 Marilla :
said by loopy2003 See Profile:

Hackers attacking servers (HTTP, FTP, SMTP) is old news.
Problem is, servers that perhaps might otherwise be expected to be safe are being used here. Even those who can smell a phish a mile away can be caught when they happen to visit a site that's been hacked to be used to spread this stuff.

I would also be interested in how the servers got hit myself. Likely this will be a similar case to the situation where Windows servers had been used to spread previous malware by similar means; There wasn't really a 'worm' infecting the servers... it seemed it was just people targetting attacks based on a recently patched server vulnerability to install something (document footers) which targetted a recently patched CLIENT vulnerability... etc etc..

Icky!

And bump!
--
Windows, Mac, Linux, BSD - just use the right tool for the right job... end the OS Politics!]]> http://www.dslreports.com/forum/remark,11910249 Sat, 20 Nov 2004 00:37:45 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11910067 Dustyn : Excellent post. :)
One good bump from S.Wolfie. ;) :D]]> http://www.dslreports.com/forum/remark,11910067 Sat, 20 Nov 2004 00:04:58 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11908576 mrchris : Ben should register :)]]> http://www.dslreports.com/forum/remark,11908576 Fri, 19 Nov 2004 20:56:46 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11908128 BudBob : maybe ben is the hacker]]> http://www.dslreports.com/forum/remark,11908128 Fri, 19 Nov 2004 20:00:44 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11907973 ctrip :
said by Mele20 See Profile:

Isn't this just IE users? Who uses IE these days?
About 90% of the browsing world.
--
I actually voted for John Kerry... before I voted against him.]]> http://www.dslreports.com/forum/remark,11907973 Fri, 19 Nov 2004 19:45:47 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11907793 Mele20 : Isn't this just IE users? Who uses IE these days? ]]> http://www.dslreports.com/forum/remark,11907793 Fri, 19 Nov 2004 19:26:19 EDT Re: Is sp2fucked shut down or not? http://www.dslreports.com/forum/remark,11906861 suzi : I think that the index page of the site is shut down or that message is to through people off track. The other parts of the site are still active as far as I know.

Edit- oops sorry, I see Ben already posted about that.

--
aka Suzi, Spyware Warrior]]> http://www.dslreports.com/forum/remark,11906861 Fri, 19 Nov 2004 17:42:28 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11906262 anon : is there sp2 fix for this?]]> http://www.dslreports.com/forum/remark,11906262 Fri, 19 Nov 2004 16:29:25 EDT Re: Is sp2fucked shut down or not? http://www.dslreports.com/forum/remark,11906088 Sysadmin :
said by Ben Edelman:

Matrix, notwithstanding the "This site has been posponded due to breaking rules" wording, I think the sp2fucked site is still operational. I'd say the folks running that site have put up this front-page text as a sort of decoy, e.g. to throw us off the track. The actual exploit pages are still in place.
They are tricky little sh!ts, aren't they? I will remember not to take what I see on the surface as the truth.

Thank you Ben!

-Mike]]> http://www.dslreports.com/forum/remark,11906088 Fri, 19 Nov 2004 16:10:19 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11905985 Lloydr : heh

"Sorry, Your browser is not WIN32 Compatible"]]> http://www.dslreports.com/forum/remark,11905985 Fri, 19 Nov 2004 15:59:09 EDT Is sp2fucked shut down or not? http://www.dslreports.com/forum/remark,11905900 anon : Matrix, notwithstanding the "This site has been posponded due to breaking rules" wording, I think the sp2fucked site is still operational. I'd say the folks running that site have put up this front-page text as a sort of decoy, e.g. to throw us off the track. The actual exploit pages are still in place.]]> http://www.dslreports.com/forum/remark,11905900 Fri, 19 Nov 2004 15:49:52 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11905690 loopy2003 : Excellent video Eric. We need more of these to spread awareness of the problems that client-side scripting/attacks can cause.

Hackers attacking servers (HTTP, FTP, SMTP) is old news. Nowadays its all about the client.]]> http://www.dslreports.com/forum/remark,11905690 Fri, 19 Nov 2004 15:26:33 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11905626 Zhen-Xjell :
said by eburger68 See Profile:

I might add that I stumbled upon this because of a post by Andrew Clover (of doxdesk.com fame) in response to the Aluria/WhenU controversy:

»www.aluriasoftware.com/forum/thread351.html
»www.prnewswire.com/cgi-bin/stori···6&EDATE=

I shudder.
--
Lee Ho Fook's]]> http://www.dslreports.com/forum/remark,11905626 Fri, 19 Nov 2004 15:21:25 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11905584 justin : not just that, but the PC would also be ready to take part in bot nets for spamming or extortion or phishing. One of those trojans could watch for e-commerce site use and pass back all credit card information typed into forms. Stolen identities both online and offline.
MS should have thought more deeply about Java and the sandbox concept. Whomever was over there that thought it would be cool to let IE do things to your computer at the command of a remote web site, and whomever signed off on that idea, was either nuts, or totally inexperienced. They shipped (and evidently still ship) a trojan writers dream toolbox and guarded it with kittens.]]> http://www.dslreports.com/forum/remark,11905584 Fri, 19 Nov 2004 15:17:00 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11905436 claudeo : Very interesting little video. Looks like when the porn site asked for your country, it was to configure the parasitic dialing out using the modem, probably dialing to one of those super expensive offshore numbers with automatic back charges and astronomical termination costs. This then failed when no modem was found. Someone with a vanilla computer and a modem going to that site would start bleeding some real money within seconds.]]> http://www.dslreports.com/forum/remark,11905436 Fri, 19 Nov 2004 14:58:20 EDT Re: bandwidth / site http://www.dslreports.com/forum/remark,11905395 Sysadmin :
said by justin See Profile:

does "sp2fucked" imply what it seems to imply?
It looks as though that site was removed by the provider.

"This site has been posponded due to breaking rules of hosting services
Please come later."]]> http://www.dslreports.com/forum/remark,11905395 Fri, 19 Nov 2004 14:53:02 EDT Re: bandwidth / site http://www.dslreports.com/forum/remark,11905279 suzi : My take on that domain name was that someone was mad because Service Pack 2 effed up their business model - probably using active x controls. So now they using a more evil and malicious mode of attack using these exploits.

JMO.
--
aka Suzi, Spyware Warrior]]> http://www.dslreports.com/forum/remark,11905279 Fri, 19 Nov 2004 14:39:34 EDT Re: bandwidth / site http://www.dslreports.com/forum/remark,11905012 anon : One of the exploits from that site indicated by AV is a MS04-013 exploit (MHTML redirect...)

My computer has not been patched, luckily AV picked it up...]]> http://www.dslreports.com/forum/remark,11905012 Fri, 19 Nov 2004 14:04:50 EDT Re: bandwidth / site http://www.dslreports.com/forum/remark,11904751 justin : does "sp2fucked" imply what it seems to imply?]]> http://www.dslreports.com/forum/remark,11904751 Fri, 19 Nov 2004 13:36:59 EDT Re: bandwidth / site http://www.dslreports.com/forum/remark,11904731 jaykaykay : Apparently, I am not the only one wanting to get on to your site. It's timing out for me so would guess that it is mighty popular now. always glad to see popularity but not necessarily for this kind of thing.

Never mind. It just came up for me, so now I must go learn.]]> http://www.dslreports.com/forum/remark,11904731 Fri, 19 Nov 2004 13:35:10 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11904729 suzi : Excellent post, Eric!

Ben, I'm glad to hear your site is back up. :)
--
aka Suzi, Spyware Warrior]]> http://www.dslreports.com/forum/remark,11904729 Fri, 19 Nov 2004 13:34:57 EDT bandwidth / site http://www.dslreports.com/forum/remark,11904470 anon : Just a quick note to report that my site is back up. My web host was concerned about the traffic spike, but upon further review they're going to be kind to me. :) Sorry for the inconvenience to those who wanted to see the video when the site was down.]]> http://www.dslreports.com/forum/remark,11904470 Fri, 19 Nov 2004 13:05:38 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11904425 B : Thank you, Eric!

Let's keep this one bumped to the top for a while.

-- B
--
In a realm outside causality and function]]> http://www.dslreports.com/forum/remark,11904425 Fri, 19 Nov 2004 13:01:13 EDT News: Major Exploit Underway... http://www.dslreports.com/forum/remark,11904374 eburger68 : Hi All:

Some of you may have seen one of today's new stories about a stealth installation exploit that Ben Edelman wrote up and published on his web site:

»www.benedelman.org/news/111804-1.html

Included with Ben's write-up is an eye-opening video. Ben's web site is down at the moment, unfortunately -- too much traffic. Edit: see Ben's post below -- his site is back up.

I thought you all might like some additional information about the exploit that Ben documented.

This is a developing story and our information is still incomplete, so the information presented here may need to be revised in the light of new developments.

It appears that a group of hackers (perhaps even a criminal gang) is hacking web servers all over the Net and installing root kits that dynamically inject code into the pages served from the compromised web servers. The injected code effectively serves as a "front door" to a number of different pages at these domains:

sp2fucked.biz
splitinfinity.info
xpire.info

Those pages use several security exploits to stealth install a variety of different software packages on users' PCs, all without any warning whatsoever. Several other domains are used in that installation/exploit process, including:

69.50.168.147
195.178.160.30
213.159.117.133
b00gle.info
coolsearch.biz
newiframe.biz
pizdato.biz

Fair warning: do NOT visit any of these domains unless your box is well defended and updated, and you are prepared to deal with the unexpected.

The software installed on users' PCs appears to vary. Sometimes the exploit pages listed above push porn dialers onto victims' PCs; other times a whole host of spyware and adware packages is installed, as in Ben's test. The packages that we've seen installed via this exploit include:

180solutions
BlazeFind
BookedSpace
BullsEye Networks
CashBack (Bargain Buddy)
ClickSpring
CoolWebSearch
DyFuca
Hoost
IBIS Toolbar
Internet Optimizer
ISTbar
Power Scan
SideFind
TIB Browser
WebRebates (TopMoxie)
WhenU (VVSN)
Window AdControl
WindUpdates
YourSiteBar

The screenshot included with this post comes from the video that Ben made, and it gives a sense for the great variety of junk that can be installed.

We have started seeing evidence of this exploit in victims' HJT logs at several anti-spyware forums -- a few samples:

http://forums.spywareinfo.com/index.php?showtopic=34630
http://forums.spywareinfo.com/index.php?showtopic=34220
http://forums.spywareinfo.com/index.php?showtopic=34146
http://forums.spywareinfo.com/index.php?showtopic=34002
http://forums.spywareinfo.com/index.php?showtopic=34016
http://forums.spywareinfo.com/index.php?showtopic=32999
http://castlecops.com/postlite85832-sp2fucked.html
http://castlecops.com/postlite86439-sp2fucked.html
http://castlecops.com/postlite86459-sp2fucked.html
http://castlecops.com/postlite87626-sp2fucked.html
http://computercops.biz/postp364469.html
http://computercops.biz/postp364553.html
http://forums.tomcoyote.org/index.php?showtopic=21640
http://forums.tomcoyote.org/index.php?showtopic=21886
http://forums.tomcoyote.org/index.php?showtopic=21650
http://forum.aumha.org/viewtopic.php?t=9340
http://www.trojaner-board.de/archive/index.php/t-9590.html

There have been a few other public discussion threads on the Net about this exploit. In particular, see:

http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/27857
http://seclists.org/lists/fulldisclosure/2004/Oct/1063.html

Wayne Porter has some interesting comments on this exploit:

http://www.revenews.com/wayneporter/archives/000285.html#more

I might add that I stumbled upon this because of a post by Andrew Clover (of doxdesk.com fame) in response to the Aluria/WhenU controversy:

http://www.aluriasoftware.com/forum/thread351.html

In closing, I should note that the latest updates for IE-SPYAD and AGNIS (released last night) include all of the key domains documented here.

I'll be posting with more information as it becomes available.

Best,

Eric L. Howes
Click for full size
]]> http://www.dslreports.com/forum/remark,11904374 Fri, 19 Nov 2004 12:56:03 EDT