Please Read - Major Exploit Underway



Posted by Eric Howes on DSLReports.com: (partial quote)

http://www.dslreports.com/forum/remark,119...04374~mode=flat

Hi All:

Some of you may have seen one of today's news stories about a stealth installation exploit that Ben Edelman wrote up and published on his web site:

http://www.benedelman.org/news/111804-1.html

Included with Ben's write-up is an eye-opening video.

I thought you all might like some additional information about the exploit that Ben documented.

This is a developing story and our information is still incomplete, so the information presented here may need to be revised in the light of new developments.

It appears that a group of hackers (perhaps even a criminal gang) is hacking web servers all over the Net and installing root kits that dynamically inject code into the pages served from the compromised web servers. The injected code effectively serves as a "front door" to a number of different pages at these domains:

sp2fucked.biz
splitinfinity.info
xpire.info

Those pages use several security exploits to stealth install a variety of different software packages on users' PCs, all without any warning whatsoever. Several other domains are used in that installation/exploit process, including:

69.50.168.147
195.178.160.30
213.159.117.133
b00gle.info
coolsearch.biz
newiframe.biz
pizdato.biz

Fair warning: do NOT visit any of these domains unless your box is well defended and updated, and you are prepared to deal with the unexpected.

The software installed on users' PCs appears to vary. Sometimes the exploit pages listed above push porn dialers onto victims' PCs; other times a whole host of spyware and adware packages is installed, as in Ben's test. The packages that we've seen installed via this exploit include:

180solutions
BlazeFind
BookedSpace
BullsEye Networks
CashBack (Bargain Buddy)
ClickSpring
CoolWebSearch
DyFuca
Hoost
IBIS Toolbar
Internet Optimizer
ISTbar
Power Scan
SideFind
TIB Browser
WebRebates (TopMoxie)
WhenU (VVSN)
Window AdControl
WindUpdates
YourSiteBar

The screenshot included with this post comes from the video that Ben made, and it gives a sense for the great variety of junk that can be installed.

[Screenshot: exploitinstalled.jpg]

Be sure to watch Ben's video linked on this page:

http://www.benedelman.org/news/111804-1.html

This exploit has been showing up in HijackThis logs in various places on the web, including here at Spyware Warrior:

http://spywarewarrior.com/viewtopic.php?p=41144

http://forums.spywareinfo.com/index.php?sh...showtopic=34220

http://forums.tomcoyote.org/index.php?showtopic=21650

Reports about the exploit:

http://www.gossamer-threads.com/lists/full...isclosure/27857

http://seclists.org/lists/fulldisclosure/2...4/Oct/1031.html

http://sourceforge.net/mailarchive/forum.p...&forum_id=24754

Comments from Wayne Porter:

http://www.revenews.com/wayneporter/archiv...00285.html#more

And as Eric stated here:

I might add that I stumbled upon this because of a post by Andrew Clover (of doxdesk.com fame) in response to the Aluria/WhenU controversy:

http://www.aluriasoftware.com/forum/thread351.html

And last, but extremely important: make sure that people know how to protect their computers from these exploits and from possibly being used in a malicious attack.

IE-SPYAD and AGNIS from Eric Howes will protect from the domains and IP addresses shown in Eric's post.

http://spywarewarrior.com/viewtopic.php?t=7625

http://spywarewarrior.com/viewtopic.php?t=7626

Download links here:

https://netfiles.uiuc.edu/ehowes/www/resource.htm

A good firewall (and not just the Windows firewall) is also necessary to prevent unauthorized use of a computer to participate in a denial of service attack.

Folks, please help spread the word about this! Post this on any and all forums and sites related to security and spyware/malware!
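A check a site owner could run against pages served from their own web server, as an added example that is not part of the post or of Eric's tools: it parses served HTML and reports any src/href/action/data attribute pointing at one of the hosts listed above, which is what an injected "front door" reference would look like. The host list is copied from the post; the sample page is constructed.

```python
"""Flag references to the exploit hosts named in the post inside served HTML."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts quoted in Eric Howes's post (exploit pages plus the domains/IPs used by them)
EXPLOIT_HOSTS = {
    "sp2fucked.biz", "splitinfinity.info", "xpire.info",
    "69.50.168.147", "195.178.160.30", "213.159.117.133",
    "b00gle.info", "coolsearch.biz", "newiframe.biz", "pizdato.biz",
}

# Attributes that make a browser fetch from, or navigate to, a remote host
URL_ATTRS = {"src", "href", "action", "data"}


def _host_of(url):
    host = urlsplit(url.strip()).hostname
    return host.lower() if host else None


def is_exploit_host(host):
    """True for a listed host or any subdomain of a listed domain."""
    if host is None:
        return False
    return any(host == h or host.endswith("." + h) for h in EXPLOIT_HOSTS)


class InjectedRefScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []  # (line number in the HTML, tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value and is_exploit_host(_host_of(value)):
                line, _col = self.getpos()
                self.hits.append((line, tag, name, value))


def find_injected_refs(html):
    scanner = InjectedRefScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.hits


# Constructed sample: a normal page with two injected elements appended to it
SAMPLE_PAGE = """<html><body>
<a href="http://www.example.org/news">News</a>
<img src="/images/logo.gif">
<iframe src="http://newiframe.biz/" width="1" height="1"></iframe>
<script src="http://69.50.168.147/"></script>
</body></html>"""

if __name__ == "__main__":
    for line, tag, attr, url in find_injected_refs(SAMPLE_PAGE):
        print(f"line {line}: <{tag} {attr}={url!r}>")
```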
