Spyware Warrior Help with Spyware, Hijacking & Other Internet Nuisances
suzi Site Admin

Joined: 27 Jul 2003 Last Visit: 29 Jul 2010 Posts: 10702 Location: sunny California
Posted: Fri Nov 19, 2004 10:47 pm Post subject: News: Major Exploit Underway - Please Read! |
Posted by Eric Howes on DSLReports.com: (partial quote)
http://www.dslreports.com/forum/remark,11904374~mode=flat
Quote:
Hi All:
Some of you may have seen one of today's news stories about a stealth installation exploit that Ben Edelman wrote up and published on his web site:
www.benedelman.org/news/111804-1.html
Included with Ben's write-up is an eye-opening video.
I thought you all might like some additional information about the exploit that Ben documented.
This is a developing story and our information is still incomplete, so the information presented here may need to be revised in the light of new developments.
It appears that a group of hackers (perhaps even a criminal gang) is hacking web servers all over the Net and installing root kits that dynamically inject code into the pages served from the compromised web servers. The injected code effectively serves as a "front door" to a number of different pages at these domains:
sp2fucked.biz
splitinfinity.info
xpire.info
Those pages use several security exploits to stealth install a variety of different software packages on users' PCs, all without any warning whatsoever. Several other domains are used in that installation/exploit process, including:
69.50.168.147
195.178.160.30
213.159.117.133
b00gle.info
coolsearch.biz
newiframe.biz
pizdato.biz
Fair warning: do NOT visit any of these domains unless your box is well defended and updated, and you are prepared to deal with the unexpected.
The software installed on users' PCs appears to vary. Sometimes the exploit pages listed above push porn dialers onto victims' PCs; other times a whole host of spyware and adware packages is installed, as in Ben's test. The packages that we've seen installed via this exploit include:
180solutions
BlazeFind
BookedSpace
BullsEye Networks
CashBack (Bargain Buddy)
ClickSpring
CoolWebSearch
DyFuca
Hoost
IBIS Toolbar
Internet Optimizer
ISTbar
Power Scan
SideFind
TIB Browser
WebRebates (TopMoxie)
WhenU (VVSN)
Window AdControl
WindUpdates
YourSiteBar
The screenshot included with this post comes from the video that Ben made, and it gives a sense for the great variety of junk that can be installed.
Be sure to watch Ben's video linked on this page:
http://www.benedelman.org/news/111804-1.html
This exploit has been showing up in HijackThis logs in various places on the web, including here at Spyware Warrior:
http://spywarewarrior.com/viewtopic.php?p=41144
http://forums.spywareinfo.com/index.php?showtopic=34220
http://forums.tomcoyote.org/index.php?showtopic=21650
Reports about the exploit:
http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/27857
http://seclists.org/lists/fulldisclosure/2004/Oct/1031.html
http://sourceforge.net/mailarchive/forum.php?thread_id=5829740&forum_id=24754
Comments from Wayne Porter:
http://www.revenews.com/wayneporter/archives/000285.html#more
And as Eric stated here:
And last but extremely important - make sure that people know how to protect their computers from these exploits and possibly being used in a malicious attack.
IE-SPYAD and AGNIS from Eric Howes will protect from the domains and IP addresses shown in Eric's post.
http://spywarewarrior.com/viewtopic.php?t=7625
http://spywarewarrior.com/viewtopic.php?t=7626
Download links here:
https://netfiles.uiuc.edu/ehowes/www/resource.htm
A good firewall (and not just the Windows firewall) is also necessary to prevent unauthorized use of a computer to participate in a denial of service attack.
Folks, please help spread the word about this! Post this on any and all forums and sites related to security and spyware/malware! _________________ Former Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn.
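Eric's description of compromised servers injecting "front door" code into the pages they serve suggests a check a site owner or responder can run over fetched HTML: look for tags that load content from the listed hosts with no user action, and for hidden iframes pointing anywhere. The Python below is an added example written for this page; it is not code from the original post, from Ben Edelman's write-up, or from IE-SPYAD/AGNIS. The host list is the one quoted above, the hidden-iframe heuristic (1-pixel or display:none frames) is this example's own, and the sample page is constructed to show what an injected page might look like.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts quoted in Eric Howes' post: the front doors and the install servers.
EXPLOIT_HOSTS = frozenset({
    "sp2fucked.biz", "splitinfinity.info", "xpire.info",
    "69.50.168.147", "195.178.160.30", "213.159.117.133",
    "b00gle.info", "coolsearch.biz", "newiframe.biz", "pizdato.biz",
})

# Tags that fetch remote content with no click, and the attributes that name it.
_LOADER_TAGS = frozenset({"iframe", "frame", "script", "object", "embed", "img", "link"})
_SRC_ATTRS = ("src", "href", "data", "codebase", "action")


def host_of(url):
    """Lower-cased hostname of a URL, or None for relative/javascript:/data: URLs."""
    try:
        return urlsplit(url.strip()).hostname
    except ValueError:
        return None


def host_matches(host, blocklist):
    """True when host is a blocklisted host or a subdomain of one."""
    return bool(host) and any(host == b or host.endswith("." + b) for b in blocklist)


def _is_hidden(attrs):
    """Heuristic (this example's own, not from the thread): 0/1-pixel or invisible frames."""
    dims = {(attrs.get("width") or "").strip(), (attrs.get("height") or "").strip()}
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return bool(dims & {"0", "1"}) or "display:none" in style or "visibility:hidden" in style


class FrontDoorScanner(HTMLParser):
    """Collects loader tags and meta refreshes that point at blocklisted hosts,
    plus hidden iframes pointing anywhere."""

    def __init__(self, blocklist=EXPLOIT_HOSTS):
        super().__init__()
        self.blocklist = blocklist
        self.findings = []

    def handle_starttag(self, tag, attrs):  # HTMLParser also routes <tag .../> here
        attrs = dict(attrs)
        url = None
        if tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            content = attrs.get("content") or ""  # e.g. "0;URL=http://..."
            idx = content.lower().find("url=")
            if idx != -1:
                url = content[idx + 4:].strip().strip("'\"")
        elif tag in _LOADER_TAGS:
            url = next((attrs[a] for a in _SRC_ATTRS if attrs.get(a)), None)
        if url is None:
            return
        host = host_of(url)
        reasons = []
        if host_matches(host, self.blocklist):
            reasons.append("blocklisted host")
        if tag == "iframe" and _is_hidden(attrs):
            reasons.append("hidden iframe")
        if reasons:
            self.findings.append({"tag": tag, "url": url, "host": host, "reasons": reasons})


def scan_html(html, blocklist=EXPLOIT_HOSTS):
    """Return the list of findings for one page's HTML, in document order."""
    scanner = FrontDoorScanner(blocklist)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed page (not captured from a real server): an ordinary site carrying
# the kind of injected redirect, 1x1 iframe and remote script the thread describes.
SAMPLE_PAGE = """<html><head><title>Some ordinary site</title>
<link rel="stylesheet" href="/style.css">
<meta http-equiv="refresh" content="0;URL=http://sp2fucked.biz/">
</head><body>
<h1>Welcome</h1>
<img src="http://images.example.com/logo.gif">
<iframe src="http://newiframe.biz/adv/" width="1" height="1"></iframe>
<script src="http://WWW.xpire.info:80/x.js"></script>
<iframe src="http://unknown-host.example/x" style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_PAGE):
        print(f"{f['tag']:<7} {f['host'] or '-':<22} {', '.join(f['reasons'])}  {f['url']}")
```

Run it against HTML fetched from your own server (with a non-browser client, so nothing executes) rather than by visiting the page; a hit on a host not in the list, flagged only as a hidden iframe, still deserves a look at the server for the injecting component Eric describes.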
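IE-SPYAD protects against these hosts by placing them in Internet Explorer's Restricted Sites zone, which is stored under the ZoneMap registry key; the same key is where hijackers add their own hosts to Trusted Sites (the entries HijackThis reports as O15). As an added example, not IE-SPYAD itself (whose exact entries and Range numbering are not shown on this page), the Python below builds a .reg file that assigns the hosts from Eric's list to the Restricted zone, and parses an exported ZoneMap back so a responder can audit which hosts a machine trusts. The starting Range number 1000 is an arbitrary choice for this example, and the "suspicious export" is constructed, not taken from a real machine.

```python
import ipaddress
import re

# Per-user zone map (IE-SPYAD writes here). HKLM holds a parallel key when
# zone settings are made machine-wide.
ZONEMAP = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
           r"\Internet Settings\ZoneMap")
# Zone ids: 0 My Computer, 1 Local intranet, 2 Trusted sites, 3 Internet, 4 Restricted sites.
TRUSTED_ZONE = 2
RESTRICTED_ZONE = 4

# Hosts quoted in Eric Howes' post.
EXPLOIT_HOSTS = [
    "sp2fucked.biz", "splitinfinity.info", "xpire.info",
    "69.50.168.147", "195.178.160.30", "213.159.117.133",
    "b00gle.info", "coolsearch.biz", "newiframe.biz", "pizdato.biz",
]


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def restricted_sites_reg(hosts, first_range=1000):
    """.reg text assigning every host to the Restricted zone. Domains live under
    ZoneMap\\Domains\\<domain>; bare IPs need a ZoneMap\\Ranges\\RangeN key with a
    ":Range" string. The value name "*" applies the zone to every protocol.
    first_range is arbitrary here; on a real machine pick one that does not
    collide with existing RangeN keys."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    range_no = first_range
    for host in sorted({h.strip().lower() for h in hosts}):
        if _is_ip(host):
            lines.append(f"[{ZONEMAP}\\Ranges\\Range{range_no}]")
            lines.append(f'":Range"="{host}"')
            range_no += 1
        else:
            lines.append(f"[{ZONEMAP}\\Domains\\{host}]")
        lines.append(f'"*"=dword:{RESTRICTED_ZONE:08x}')
        lines.append("")
    return "\n".join(lines)


_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')


def parse_zonemap_reg(reg_text):
    """Parse an exported ZoneMap .reg into {host: zone_id}. IE stores subdomains
    as nested keys (Domains\\example.com\\www), so the key tail is reversed and
    re-joined to rebuild the hostname."""
    zones = {}
    current = None  # {"host": ..., "zone": ...} for the key being read

    def flush():
        if current and current["host"] and current["zone"] is not None:
            zones[current["host"]] = current["zone"]

    for raw in reg_text.splitlines():
        line = raw.strip()
        key = _KEY_RE.match(line)
        if key:
            flush()
            path = key.group(1)
            if "\\ZoneMap\\Domains\\" in path:
                parts = path.split("\\ZoneMap\\Domains\\", 1)[1].split("\\")
                current = {"host": ".".join(reversed(parts)).lower(), "zone": None}
            elif "\\ZoneMap\\Ranges\\" in path:
                current = {"host": None, "zone": None}
            else:
                current = None
            continue
        value = _VALUE_RE.match(line)
        if value and current is not None:
            name, dword, string = value.groups()
            if name == ":Range":
                current["host"] = string
            elif dword is not None:  # "*" or a protocol name such as "http"
                current["zone"] = int(dword, 16)
    flush()
    return zones


def hosts_in_zone(zones, zone_id):
    return sorted(h for h, z in zones.items() if z == zone_id)


# Constructed export (not from a real machine): two of the hosts above pushed into
# Trusted sites, next to a legitimate Restricted entry.
SUSPICIOUS_EXPORT = f"""Windows Registry Editor Version 5.00

[{ZONEMAP}\\Domains\\coolsearch.biz]
"*"=dword:00000002

[{ZONEMAP}\\Domains\\b00gle.info\\www]
"http"=dword:00000002

[{ZONEMAP}\\Domains\\example.com]
"*"=dword:00000004
"""

if __name__ == "__main__":
    print(restricted_sites_reg(EXPLOIT_HOSTS))
    print("Trusted-zone entries to investigate:",
          hosts_in_zone(parse_zonemap_reg(SUSPICIOUS_EXPORT), TRUSTED_ZONE))
```

To audit a machine, export the ZoneMap key with `reg export` and feed the file to `parse_zonemap_reg`; anything in zone 2 that the user did not add deliberately is worth the same scrutiny as an O15 line in a HijackThis log.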
wawadave Warrior Obsessed

Joined: 25 Jan 2004 Last Visit: 24 Jul 2009 Posts: 4049 Location: Illegitimus non carborundum
pcm Newbie
Joined: 03 Dec 2004 Last Visit: 03 Dec 2004 Posts: 1
Posted: Fri Dec 03, 2004 10:46 am Post subject: StopGuard |
Hi, all
I am new to this forum; I work on other people's computers, and am prone to rely on my own experience in fixing things. One thing that has occurred lately on three machines I have worked on (of course, the owner simply says "it doesn't work") is an infestation of what has obviously been viewed as malware, but in my humble opinion should be upgraded to outright VIRUS. The last machine I worked on infested with this piece of s**t actually had the BIOS overwritten on the motherboard; investigation on a "don't care" machine also revealed unrecoverable boot sector corruption. I was able, after talking to the owner, to determine a source (reported or unreported?) for this stuff. Both Norton and Trend Micro offer on-line virus scans, and Norton offers an on-line security scan. The hijacked browsers (AOL, Netscape, and Mozilla; stand-alone IE6 was not hijacked) sent the owner (and me; both sites) to a page that spoofed a safe address on the address bar, but was in fact a site that invited you to download various "spyware removers, pop-up blockers, internet security products", etc. that included StopGuard and several other products that are mentioned in other blogs for OTHER PRODUCTS. Maybe these guys are ganging up on us, or maybe they are just hitchhiking. Who knows? BE CAREFUL!!!! _________________ anotherhardwarejunkie
suzi Site Admin

Joined: 27 Jul 2003 Last Visit: 29 Jul 2010 Posts: 10702 Location: sunny California
Posted: Fri Dec 03, 2004 1:13 pm Post subject: |
Hi pcm,
What you wrote is very interesting and I wonder if you have any more details from what happened with these 3 machines.
You wrote:
Quote:
I was able, after talking to the owner, to determine a source (reported or unreported?) for this stuff. Both Norton and Trend Micro offer on-line virus scans, and Norton offers an on-line security scan. The hijacked browsers (AOL, Netscape, and Mozilla; stand-alone IE6 was not hijacked) sent the owner (and me; both sites) to a page that spoofed a safe address on the address bar, but was in fact a site that invited you to download various "spyware removers, pop-up blockers, internet security products", etc. that included StopGuard and several other products that are mentioned in other blogs for OTHER PRODUCTS.
I'd really be interested in knowing that source you refer to. If you don't want to post it here, you can PM me.
Did Norton or TrendMicro detect anything and if so, what?
So AOL, Netscape and Mozilla were hijacked, but not IE? That is strange. Can you tell us what the "safe address" was and what site it took you to?
Do you remember the names of the other products besides StopGuard?
And you said they were mentioned in BLOGs for OTHER PRODUCTS.
What blogs or sites are they?
We have been collecting info on StopGuard since August and are also collecting info about the exploit. Anything you can add would be helpful.
Thanks.  _________________ Former Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn.
3162 Honorary Site Admin

Joined: 31 Mar 2004 Last Visit: 04 May 2009 Posts: 6522
Posted: Fri Dec 03, 2004 1:55 pm Post subject: |
Suzi, you beat me to it LOL!
pcm, I would also like to get details of any particular websites you may have documented regarding the infections.
Thanks _________________ Proud member of the Chest Zipper Club!
smartBlue Style © 2002 Smartor
Powered by phpBB © 2001, 2002 phpBB Group