MAJOR WWW SERVER EXPLOIT BY HACKERS

From DSLR, by Eric Howes:

Everyone needs to read this thread and spread the word about.
http://www.broadbandreports.com/forum/rema...04374~mode=flat

 

This exploit proves just how serious a threat spyware is.
Vey disturbing indeed!!!

 

Also shows that having an AV can save your ass. AV are not the perfect solution, but if youre not the first person to find new threats then you will usually be safe.

 

Spyware seems to be getting worse day by day.

 

I think we are going to be seeing more and more of heuristics and other methods that don't use signatues in the near future. Seems like there will soon be too much to keep up with otherwise.

 

https://www.wilderssecurity.com/showthread.php?t=55861
discussion from here... being continued here (mods closed that thread and talk should continue here)

 

Hacked websites ued to install parasites.

Hacked Web Sites Used To Install Parasites


Security researchers are warning of a new method of installing unwanted parasitic software onto the computers of unsuspecting victims who use Microsoft Internet Explorer (MSIE).

How It Works

Most of the following information is based upon a detailed write-up of the process which is available at vitalsecurity.org.

The process starts with a flaw in the OpenSSL module which is installed alongside most Apache web servers. Apache is the software that serves up web pages on most of the world's web sites. By exploiting this flaw, an attacker can install a rootkit on the web server. The rootkit allows the attacker to take over the server completely. It has been modified to avoid detection by most available rootkit detectors.

Once installed, the compromised web server will attach a javascript to every HTTP packet sent to a browser used to surf the site. This javascript causes the surfer's browser to open an IFrame, a small inline window which loads a page different from the one in the surfer's address bar.

The IFrame loads a page from one of three sites. One of the sites hosting these pages is owned by someone using an email address associated with CoolWebSearch (coolsearch.biz).

The pages which are loaded in the IFrame causes the browser to load several additional pages, each of which tries a different method of installing parasitic software. Once the browser encounters an exploit for which it is not patched, the browser will download and execute a variety of parasite installers. Any of the following parasitic software may be installed on the victim's computer:

180solutions
BlazeFind
BookedSpace
BullsEye Networks
CashBack (Bargain Buddy)
ClickSpring
CoolWebSearch
DyFuca
Hoost
IBIS Toolbar
Internet Optimizer
ISTbar
Power Scan
SideFind
TIB Browser
WebRebates (TopMoxie)
WhenU (VVSN)
Window AdControl
WindUpdates
YourSiteBar


The installers for each of these have been modified to make them harder to detect with antivirus and antispyware software. At no time is the user presented with a EULA ( End User Licencing Agreement), privacy policy or any other disclosure or the ability to opt out of installing these parasites.

There is evidence to suggest that an infected PC could be used by an attacker to participate in a distributed denial of service attack.

Protect Yourself

There is no complete defense for MSIE users. There is no patch for the IFrame vulnerability. However, you can set Internet Explorer to disable IFrames.

Go to your control panel and double-click on the Internet Options icon. Click the Security tab. Click on the Internet icon to highlight it, then click the Custom Level button near the bottom. On the next screen, scroll about 2/3 down until you find the following options: "Launching programs and files in an IFRAME" and "Navigate sub-frames across different domains". Set both of these options to Disable and click OK. On the Security tab, click Apply.

This advice is untested so I cannot guarantee that it will protect you. However, it should work just fine. It will not protect you if your browser directly loads one of the pages that start the infection process.

Non-MSIE browsers are safe from this attack. I recommend either FireFox or Opera. However, these browsers still may experience pop-ups on infected web sites. There is evidence to suggest that these pop-up windows somehow may infect MSIE. Immediately close any pop-up windows that slip past the pop-up blocking features of these browsers. Do not click any links or buttons within the pop-up window.

If you are using Windows XP, install Service Pack 2 if you have not already done so. This will protect you from most of the exploits involved but not all.

I don't know what is being done about the people responsible for this situation. It is illegal to break into a web server. Unfortunately, it currently is not illegal to use a security hole to install parasitic software in most places. This is a strong argument for the need to pass antispyware legislation that would punish behavior such as this.

The US Congress wants to pass such legislation. The Federal Trade Commission opposes the idea. It might be a good idea to contact your Congressperson or Senator and urge them to pass the antispyware bills now under consideration. Feel free to point them here for a good example of the need for it.

 

Guest\Claudio....I have moved your post into it's own thread to the SpywareBlaster Forum. Please continue your troubleshooting problems with SpywareBlaster in the below thread.

This thread---> https://www.wilderssecurity.com/showthread.php?t=56070