News: Major Exploit Underway...
Hi All:
Some of you may have seen one of today's news stories about a stealth installation exploit that Ben Edelman wrote up and published on his web site:
www.benedelman.org/news/111804-1.html
Included with Ben's write-up is an eye-opening video. Ben's web site is down at the moment, unfortunately -- too much traffic. Edit: see Ben's post below -- his site is back up.
I thought you all might like some additional information about the exploit that Ben documented.
This is a developing story and our information is still incomplete, so the information presented here may need to be revised in the light of new developments.
It appears that a group of hackers (perhaps even a criminal gang) is hacking web servers all over the Net and installing root kits that dynamically inject code into the pages served from the compromised web servers. The injected code effectively serves as a "front door" to a number of different pages at these domains:
sp2fucked.biz, splitinfinity.info, xpire.info
Those pages use several security exploits to stealth install a variety of different software packages on users' PCs, all without any warning whatsoever. Several other domains are used in that installation/exploit process, including:
69.50.168.147, 195.178.160.30, 213.159.117.133, b00gle.info, coolsearch.biz, newiframe.biz, pizdato.biz
Fair warning: do NOT visit any of these domains unless your box is well defended and updated, and you are prepared to deal with the unexpected.
The software installed on users' PCs appears to vary. Sometimes the exploit pages listed above push porn dialers onto victims' PCs; other times a whole host of spyware and adware packages is installed, as in Ben's test. The packages that we've seen installed via this exploit include:
180solutions, BlazeFind, BookedSpace, BullsEye Networks, CashBack (Bargain Buddy), ClickSpring, CoolWebSearch, DyFuca, Hoost, IBIS Toolbar, Internet Optimizer, ISTbar, Power Scan, SideFind, TIB Browser, WebRebates (TopMoxie), WhenU (VVSN), Window AdControl, WindUpdates, YourSiteBar
The screenshot included with this post comes from the video that Ben made, and it gives a sense for the great variety of junk that can be installed.
We have started seeing evidence of this exploit in victims' HJT logs at several anti-spyware forums -- a few samples:
http://forums.spywareinfo.com/index.php?showtopic=34630
http://forums.spywareinfo.com/index.php?showtopic=34220
http://forums.spywareinfo.com/index.php?showtopic=34146
http://forums.spywareinfo.com/index.php?showtopic=34002
http://forums.spywareinfo.com/index.php?showtopic=34016
http://forums.spywareinfo.com/index.php?showtopic=32999
http://castlecops.com/postlite85832-sp2fucked.html
http://castlecops.com/postlite86439-sp2fucked.html
http://castlecops.com/postlite86459-sp2fucked.html
http://castlecops.com/postlite87626-sp2fucked.html
http://computercops.biz/postp364469.html
http://computercops.biz/postp364553.html
http://forums.tomcoyote.org/index.php?showtopic=21640
http://forums.tomcoyote.org/index.php?showtopic=21886
http://forums.tomcoyote.org/index.php?showtopic=21650
http://forum.aumha.org/viewtopic.php?t=9340
http://www.trojaner-board.de/archive/index.php/t-9590.html
There have been a few other public discussion threads on the Net about this exploit. In particular, see:
http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/27857
http://seclists.org/lists/fulldisclosure/2004/Oct/1063.html
Wayne Porter has some interesting comments on this exploit:
http://www.revenews.com/wayneporter/archives/000285.html#more
I might add that I stumbled upon this because of a post by Andrew Clover (of doxdesk.com fame) in response to the Aluria/WhenU controversy:
http://www.aluriasoftware.com/forum/thread351.html
In closing, I should note that the latest updates for IE-SPYAD and AGNIS (released last night) include all of the key domains documented here.
I'll be posting with more information as it becomes available.
Best,
Eric L. Howes
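A defensive check for webmasters worried about the injection Eric describes, added here as an example (it is not code from the post or from any of the sites discussed): it parses a page and flags any URL-bearing attribute that points at the listed hosts. The sample page is constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Indicators taken from the post above: the "front door" domains plus the
# hosts used in the install/exploit chain.
BLOCKLIST = {
    "sp2fucked.biz", "splitinfinity.info", "xpire.info",
    "69.50.168.147", "195.178.160.30", "213.159.117.133",
    "b00gle.info", "coolsearch.biz", "newiframe.biz", "pizdato.biz",
}
URL_ATTRS = {"src", "href", "data", "codebase", "action"}  # remote-loading attributes

def host_of(url):
    """Lowercase hostname of a URL, or None if it has none or is malformed."""
    try:
        host = urlsplit(url.strip()).hostname
    except ValueError:
        return None
    return host.lower() if host else None

def is_listed(host):
    """True if host equals a listed indicator or is a subdomain of one."""
    return bool(host) and any(host == d or host.endswith("." + d) for d in BLOCKLIST)

class _RefCollector(HTMLParser):
    """Gather (tag, attr, url) for every URL-bearing attribute in the page."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and name.lower() in URL_ATTRS:
                self.refs.append((tag.lower(), name.lower(), value))

def find_injected_refs(html):
    """Return the (tag, attr, url) references that point at listed hosts."""
    parser = _RefCollector()
    parser.feed(html)
    return [ref for ref in parser.refs if is_listed(host_of(ref[2]))]

# Constructed sample (not a real capture): an ordinary page with a 1x1 iframe
# and a script tag appended, as the injected code described above would do.
SAMPLE_PAGE = """<html><body><a href="http://example.com/about">About</a>
<img src="/logo.gif"><iframe src="http://sp2fucked.biz/" width=1 height=1></iframe>
<script src="http://213.159.117.133/x.js"></script></body></html>"""

if __name__ == "__main__":
    for tag, attr, url in find_injected_refs(SAMPLE_PAGE):
        print(f"FLAG: <{tag} {attr}={url}>")
```

Run it against pages fetched from your own server (or saved copies of served responses); a hit on a page whose source on disk is clean points at injection in the serving path rather than in the files.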
B |
Thank you, Eric!
Let's keep this one bumped to the top for a while.
-- B -- In a realm outside causality and function

Ben Edelman | reply to eburger68
bandwidth / site
Just a quick note to report that my site is back up. My web host was concerned about the traffic spike, but upon further review they're going to be kind to me. Sorry for the inconvenience to those who wanted to see the video when the site was down.
suzi | reply to eburger68
Re: News: Major Exploit Underway...
Excellent post, Eric!
Ben, I'm glad to hear your site is back up.
-- aka Suzi, Spyware Warrior
jaykaykay4 | reply to Ben Edelman
Re: bandwidth / site
Apparently, I am not the only one wanting to get on to your site. It's timing out for me, so I would guess that it is mighty popular now. Always glad to see popularity, but not necessarily for this kind of thing.
Never mind. It just came up for me, so now I must go learn.
justin | reply to Ben Edelman
Does "sp2fucked" imply what it seems to imply?
 | One of the exploits from that site indicated by AV is a MS04-013 exploit (MHTML redirect...)
My computer has not been patched; luckily AV picked it up...
suzi | reply to justin
My take on that domain name was that someone was mad because Service Pack 2 effed up their business model, probably using ActiveX controls. So now they're using a more evil and malicious mode of attack using these exploits.
JMO. -- aka Suzi, Spyware Warrior
Sysadmin | reply to justin
said by justin: does "sp2fucked" imply what it seems to imply?
It looks as though that site was removed by the provider.
"This site has been posponded due to breaking rules of hosting services Please come later."
 | reply to eburger68
Re: News: Major Exploit Underway...
Very interesting little video. Looks like when the porn site asked for your country, it was to configure the parasitic dialing out using the modem, probably dialing to one of those super expensive offshore numbers with automatic back charges and astronomical termination costs. This then failed when no modem was found. Someone with a vanilla computer and a modem going to that site would start bleeding some real money within seconds.
justin |
Not just that, but the PC would also be ready to take part in botnets for spamming or extortion or phishing. One of those trojans could watch for e-commerce site use and pass back all credit card information typed into forms. Stolen identities both online and offline. MS should have thought more deeply about Java and the sandbox concept. Whoever was over there that thought it would be cool to let IE do things to your computer at the command of a remote web site, and whoever signed off on that idea, was either nuts or totally inexperienced. They shipped (and evidently still ship) a trojan writer's dream toolbox and guarded it with kittens.
Zhen-Xjell | reply to eburger68
www.prnewswire.com/cgi-bin/stori···6&EDATE=
I shudder. -- Lee Ho Fook's
| reply to eburger68
Excellent video Eric. We need more of these to spread awareness of the problems that client-side scripting/attacks can cause.
Hackers attacking servers (HTTP, FTP, SMTP) is old news. Nowadays it's all about the client.
Ben Edelman | reply to Sysadmin
Is sp2fucked shut down or not?
Matrix, notwithstanding the "This site has been posponded due to breaking rules" wording, I think the sp2fucked site is still operational. I'd say the folks running that site have put up this front-page text as a sort of decoy, e.g. to throw us off the track. The actual exploit pages are still in place.
Lloydr | reply to eburger68
Re: News: Major Exploit Underway...
heh
"Sorry, Your browser is not WIN32 Compatible"
Sysadmin | reply to Ben Edelman
Re: Is sp2fucked shut down or not?
said by Ben Edelman: Matrix, notwithstanding the "This site has been posponded due to breaking rules" wording, I think the sp2fucked site is still operational. I'd say the folks running that site have put up this front-page text as a sort of decoy, e.g. to throw us off the track. The actual exploit pages are still in place.
They are tricky little sh!ts, aren't they? I will remember not to take what I see on the surface as the truth.
Thank you Ben!
-Mike
| reply to eburger68
Re: News: Major Exploit Underway...
Is there an SP2 fix for this?
suzi | reply to Sysadmin
Re: Is sp2fucked shut down or not?
I think that the index page of the site is shut down or that message is to throw people off track. The other parts of the site are still active as far as I know.
Edit- oops, sorry, I see Ben already posted about that.
-- aka Suzi, Spyware Warrior
Mele20 | reply to eburger68
Re: News: Major Exploit Underway...
Isn't this just IE users? Who uses IE these days?
ctrip |
said by Mele20: Isn't this just IE users? Who uses IE these days?
About 90% of the browsing world. -- I actually voted for John Kerry...before I voted against him.