News: Major Exploit Underway...

hayc59 · Nov 22, 2004

http://img100.exs.cx/img100/9766/exploitinstalled.jpg

Hi All:

Some of you may have seen one of today's new stories about a stealth installation exploit that Ben Edelman wrote up and published on his web site:
http://www.benedelman.org/news/111804-1.html

Included with Ben's write-up is an eye-opening video. Ben's web site is down at the moment, unfortunately -- too much traffic. Edit: see Ben's post below -- his site is back up.

I thought you all might like some additional information about the exploit that Ben documented.

This is a developing story and our information is still incomplete, so the information presented here may need to be revised in the light of new developments.

It appears that a group of hackers (perhaps even a criminal gang) is hacking web servers all over the Net and installing root kits that dynamically inject code into the pages served from the compromised web servers. The injected code effectively serves as a "front door" to a number of different pages at these domains:

sp2****ed.biz
splitinfinity.info
xpire.info

Those pages use several security exploits to stealth install a variety of different software packages on users' PCs, all without any warning whatsoever. Several other domains are used in that installation/exploit process, including:

69.50.168.147
195.178.160.30
213.159.117.133
b00gle.info
coolsearch.biz
newiframe.biz
pizdato.biz

Fair warning: do NOT visit any of these domains unless your box is well defended and updated, and you are prepared to deal with the unexpected.

The software installed on users' PCs appears to vary. Sometimes the exploit pages listed above push porn dialers onto victims' PCs; other times a whole host of spyware and adware packages is installed, as in Ben's test. The packages that we've seen installed via this exploit include:

180solutions
BlazeFind
BookedSpace
BullsEye Networks
CashBack (Bargain Buddy)
ClickSpring
CoolWebSearch
DyFuca
Hoost
IBIS Toolbar
Internet Optimizer
ISTbar
Power Scan
SideFind
TIB Browser
WebRebates (TopMoxie)
WhenU (VVSN)
Window AdControl
WindUpdates
YourSiteBar

The screenshot included with this post comes from the video that Ben made, and it gives a sense for the great variety of junk that can be installed.

We have started seeing evidence of this exploit in victims' HJT logs at several anti-spyware forums -- a few samples:

http://www.spywareinfoforum.com/index.php?showtopic=34220
http://www.spywareinfoforum.com/index.php?showtopic=34220
http://www.spywareinfoforum.com/index.php?showtopic=34146
http://www.spywareinfoforum.com/index.php?showtopic=34002
http://www.spywareinfoforum.com/index.php?showtopic=34016
http://www.spywareinfoforum.com/index.php?showtopic=32999
http://castlecops.com/postlite85832-sp2****ed.html
http://castlecops.com/postlite86439-sp2****ed.html
http://castlecops.com/postlite86459-sp2****ed.html
http://computercops.biz/postp364469.html
http://castlecops.com/postlite87626-sp2****ed.html
http://computercops.biz/postp364469.html
http://computercops.biz/postp364553.html
http://forums.tomcoyote.org/index.php?showtopic=21640
http://forums.tomcoyote.org/index.php?showtopic=21886
http://forum.aumha.org/viewtopic.php?t=9340
http://www.trojaner-board.de/archive/index.php/t-9590.html

There have been a few other public discussion threads on the Net about this exploit. In particular, see:
http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/27857
http://seclists.org/lists/fulldisclosure/2004/Oct/1063.html

Wayne Porter has some interesting comments on this exploit:
http://www.revenews.com/wayneporter/archives/000285.html#more

I might add that I stumbled upon this because of a post by Andrew Clover (of doxdesk.com fame) in response to the Aluria/WhenU controversy:
http://www.aluriasoftware.com/forum/thread351.html

In closing, I should note that the latest updates for IE-SPYAD and AGNIS (released last night) include all of the key domains documented here.

I'll be posting with more information as it becomes available.

Best,

Eric L. Howes
Click to expand...

nick s · Nov 22, 2004

More info here: IFRAME Exploit via Banner Ads. Apparently XP SP2 is not affected.

Nick

hayc59 · Nov 22, 2004

would not want to test that!![xp-sp2]

nick s · Nov 22, 2004

hayc59 said:

would not want to test that!![xp-sp2]
Click to expand...

I did, but with Opera . I was able to grab a dialer executable from one of those IPs.

Nick

hayc59 · Nov 22, 2004

you have bigger Huevos's than me!!

bigc73542 · Nov 22, 2004

Or me!

no13 · Nov 23, 2004

mentioned it over at kye-u's unofficial Proxomitron forums www.kye-u.com....
Most garbage was pre-blocked by his config pack for proxo...he's released a new config pack targetting this vuln.
http://www.kye-u.com/proxo/forums/index.php?showtopic=297&st=0&
Proxo users should update ASAP
[post no 13 in that thread ]

no13 · Nov 23, 2004

Firefox BLOCKS the download calling it a popup. NOD32 detects it as Win32/Dialer.NAD.Trojan... It's on a friend's PC (he just IMed me...)
If u want the url... PM me...can't post it on public board...
filename: gdnAU208.exe
filesize:10.2 KB (10,512 bytes)
file from: 82.179.166.72 (download grabbed by Free Download Manager after I clicked on open ~this~ popup in the top bar of "blocked a poup" in Firefox 1.0)
page I had opened : coolsearch.biz

Edit: Huevos is a word I just looked up. hmm... the power of google increases...
-----
*something's amiss, or a mister?*

Bubba · Nov 23, 2004

Please feel free to continue the discussion in the below thread from the other day concerning this same news.

This thread---> MAJOR WWW SERVER EXPLOIT BY HACKERS

Log in or Sign up

News: Major Exploit Underway...

hayc59 Guest

nick s Registered Member

hayc59 Guest

nick s Registered Member

hayc59 Guest

bigc73542 Retired Moderator

no13 Retired Major Resident Nutcase

no13 Retired Major Resident Nutcase

Bubba Updates Team

Log in or Sign up

News: Major Exploit Underway...

hayc59 Guest

nick s Registered Member

hayc59 Guest

nick s Registered Member

hayc59 Guest

bigc73542 Retired Moderator

no13 Retired Major Resident Nutcase

no13 Retired Major Resident Nutcase

Bubba Updates Team

Useful Searches