Hi All:
Some of you may have seen one of today's news stories about a stealth installation exploit that Ben Edelman wrote up and published on his web site:
www.benedelman.org/news/111804-1.html
Included with Ben's write-up is an eye-opening video. Ben's web site is down at the moment, unfortunately -- too much traffic. Edit: see Ben's post below -- his site is back up.
I thought you all might like some additional information about the exploit that Ben documented.
This is a developing story and our information is still incomplete, so the information presented here may need to be revised in the light of new developments.
It appears that a group of hackers (perhaps even a criminal gang) is hacking web servers all over the Net and installing root kits that dynamically inject code into the pages served from the compromised web servers. The injected code effectively serves as a "front door" to a number of different pages at these domains:
sp2fucked.biz
splitinfinity.info
xpire.info
Those pages use several security exploits to stealth install a variety of different software packages on users' PCs, all without any warning whatsoever. Several other domains are used in that installation/exploit process, including:
69.50.168.147
195.178.160.30
213.159.117.133
b00gle.info
coolsearch.biz
newiframe.biz
pizdato.biz
Fair warning: do NOT visit any of these domains unless your box is well defended and updated, and you are prepared to deal with the unexpected.
The software installed on users' PCs appears to vary. Sometimes the exploit pages listed above push porn dialers onto victims' PCs; other times a whole host of spyware and adware packages is installed, as in Ben's test. The packages that we've seen installed via this exploit include:
180solutions
BlazeFind
BookedSpace
BullsEye Networks
CashBack (Bargain Buddy)
ClickSpring
CoolWebSearch
DyFuca
Hoost
IBIS Toolbar
Internet Optimizer
ISTbar
Power Scan
SideFind
TIB Browser
WebRebates (TopMoxie)
WhenU (VVSN)
Window AdControl
WindUpdates
YourSiteBar
The screenshot included with this post comes from the video that Ben made, and it gives a sense of the great variety of junk that can be installed.
We have started seeing evidence of this exploit in victims' HJT logs at several anti-spyware forums -- a few samples:
http://forums.spywareinfo.com/index.php?showtopic=34630
http://forums.spywareinfo.com/index.php?showtopic=34220
http://forums.spywareinfo.com/index.php?showtopic=34146
http://forums.spywareinfo.com/index.php?showtopic=34002
http://forums.spywareinfo.com/index.php?showtopic=34016
http://forums.spywareinfo.com/index.php?showtopic=32999
http://castlecops.com/postlite85832-sp2fucked.html
http://castlecops.com/postlite86439-sp2fucked.html
http://castlecops.com/postlite86459-sp2fucked.html
http://castlecops.com/postlite87626-sp2fucked.html
http://computercops.biz/postp364469.html
http://computercops.biz/postp364553.html
http://forums.tomcoyote.org/index.php?showtopic=21640
http://forums.tomcoyote.org/index.php?showtopic=21886
http://forums.tomcoyote.org/index.php?showtopic=21650
http://forum.aumha.org/viewtopic.php?t=9340
http://www.trojaner-board.de/archive/index.php/t-9590.html
There have been a few other public discussion threads on the Net about this exploit. In particular, see:
http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/27857
http://seclists.org/lists/fulldisclosure/2004/Oct/1063.html
Wayne Porter has some interesting comments on this exploit:
http://www.revenews.com/wayneporter/archives/000285.html#more
I might add that I stumbled upon this because of a post by Andrew Clover (of doxdesk.com fame) in response to the Aluria/WhenU controversy:
http://www.aluriasoftware.com/forum/thread351.html
In closing, I should note that the latest updates for IE-SPYAD and AGNIS (released last night) include all of the key domains documented here.
I'll be posting with more information as it becomes available.
Best,
Eric L. Howes
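The post describes two places where this campaign leaves traces: pages served by compromised web servers that now carry injected references to the "front door" domains, and victims' HJT logs that reference the exploit/installation hosts. The following Python script is an added example (not from Eric's post, Ben's write-up, or any of the tools mentioned) that scans either kind of text for the domains and IP addresses listed above. It assumes the indicator list as given in the post, uses the standard-library HTMLParser to pull src/data attributes from iframe, frame, script, object and embed tags, and the HTML page and HJT log lines embedded below are constructed samples, not real captures. Matching on hostnames only catches this specific campaign as documented; it is a triage aid, not proof that a page or machine is clean.

```python
"""Scan served HTML or HijackThis-style log text for references to the
indicator hosts named in the post.  Added example; not the post's own code."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Indicators copied from the post: front-door domains plus the hosts used
# in the installation/exploit chain.
INDICATORS = {
    "sp2fucked.biz", "splitinfinity.info", "xpire.info",
    "69.50.168.147", "195.178.160.30", "213.159.117.133",
    "b00gle.info", "coolsearch.biz", "newiframe.biz", "pizdato.biz",
}

# Candidate hostnames (dotted labels ending in letters) or dotted-quad IPs,
# bounded so we do not match inside a longer token.  File names such as
# "search.php" also match this shape; the indicator filter discards them.
_HOST_RE = re.compile(
    r"(?i)(?<![a-z0-9.-])((?:[a-z0-9-]+\.)+[a-z]{2,}|(?:\d{1,3}\.){3}\d{1,3})(?![a-z0-9.-])"
)


def matches_indicator(host):
    """Return the indicator a host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for ind in INDICATORS:
        if host == ind or host.endswith("." + ind):
            return ind
    return None


class _RefCollector(HTMLParser):
    """Collect the remote references carried by tags that load content."""
    TAGS = {"iframe", "frame", "script", "object", "embed"}

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.TAGS:
            return
        for name, value in attrs:
            if name in ("src", "data") and value:
                self.refs.append((tag, value))


def scan_html(html):
    """Return (tag, url, indicator) for every loading tag pointing at an indicator."""
    parser = _RefCollector()
    parser.feed(html)
    parser.close()
    hits = []
    for tag, url in parser.refs:
        host = urlsplit(url).hostname
        ind = matches_indicator(host) if host else None
        if ind:
            hits.append((tag, url, ind))
    return hits


def scan_text(text):
    """Return the sorted set of indicators referenced anywhere in free text
    (works for HJT logs, raw HTML, or inline script that builds URLs)."""
    hits = set()
    for match in _HOST_RE.finditer(text):
        ind = matches_indicator(match.group(1))
        if ind:
            hits.add(ind)
    return sorted(hits)


# Constructed sample: a served page with one injected iframe.
SAMPLE_PAGE = """<html><body><h1>Welcome</h1>
<iframe src="http://sp2fucked.biz/xp.php"></iframe>
<script src="http://www.example.com/site.js"></script>
</body></html>"""

# Constructed sample in HijackThis log style; paths and CLSID are placeholders.
SAMPLE_HJT = """R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = http://coolsearch.biz/search.php
O4 - HKLM\\..\\Run: [Example] C:\\Program Files\\Example\\example.exe
O16 - DPF: {PLACEHOLDER-CLSID} - http://69.50.168.147/cab/loader.cab
"""

if __name__ == "__main__":
    for tag, url, ind in scan_html(SAMPLE_PAGE):
        print(f"injected <{tag}> -> {url} (indicator {ind})")
    print("HJT log references:", scan_text(SAMPLE_HJT))
```

Run the script directly to scan the embedded samples, or feed it a saved page or log with `scan_html(open(path).read())` / `scan_text(open(path).read())`. The free-text scanner deliberately does not parse HTML, so it also catches hosts assembled inside inline JavaScript, while the tag-based scanner tells you which element carried the reference.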