Some of you may have seen one of today's news stories about a stealth installation exploit that Ben Edelman wrote up and published on his web site:
Included with Ben's write-up is an eye-opening video. Ben's web site is down at the moment, unfortunately -- too much traffic. Edit: see Ben's post below -- his site is back up.
I thought you all might like some additional information about the exploit that Ben documented.
This is a developing story and our information is still incomplete, so the information presented here may need to be revised in the light of new developments.
It appears that a group of hackers (perhaps even a criminal gang) is hacking web servers all over the Net and installing root kits that dynamically inject code into the pages served from the compromised web servers. The injected code effectively serves as a "front door" to a number of different pages at these domains:
Those pages use several security exploits to stealth install a variety of different software packages on users' PCs, all without any warning whatsoever. Several other domains are used in that installation/exploit process, including:
Fair warning: do NOT visit any of these domains unless your box is well defended and updated, and you are prepared to deal with the unexpected.
The software installed on users' PCs appears to vary. Sometimes the exploit pages listed above push porn dialers onto victims' PCs; other times a whole host of spyware and adware packages is installed, as in Ben's test. The packages that we've seen installed via this exploit include:
CashBack (Bargain Buddy)
The screenshot included with this post comes from the video that Ben made, and it gives a sense for the great variety of junk that can be installed.
We have started seeing evidence of this exploit in victims' HJT logs at several anti-spyware forums -- a few samples:
There have been a few other public discussion threads on the Net about this exploit. In particular, see:
Wayne Porter has some interesting comments on this exploit:
I might add that I stumbled upon this because of a post by Andrew Clover (of doxdesk.com fame) in response to the Aluria/WhenU controversy:
In closing, I should note that the latest updates for IE-SPYAD and AGNIS (released last night) include all of the key domains documented here.
I'll be posting with more information as it becomes available.
Eric L. Howes