Asus.com Compromised With Exploit Code 117
Juha-Matti Laurio writes in with news that the Web site of ASUSTeK Computer (asus.com) has been compromised to spread exploit code. The original report from Kaspersky Lab claimed that the compromise lead to code exploiting the recently patched Microsoft Windows Animated Cursor (.ANI) 0-day vulnerability, but sans.org found no evidence of this. Apparently a malicious iframe was added to one of the machines in asus.com's DNS round-robin.
Re:DNS needs improvment... (Score:5, Informative)
You DO know that www. is just another subdomain, right? The only reason it's special is because most/all websites mirror <hostname> onto www.<hostname>. But it doesn't HAVE to be like that. Slashdot doesn't do it like that, for instance.
It doesn't matter if the DNS entry has www. on it or not, the address is still owned by the same person and will get directed to a machine they specified (or nowhere).
Re:I heard rumors (Score:5, Informative)
It's spyware from an ad service. It's like those "Your computer is infected" ads on a Yahoo page.
The real carrier of the evil is dropspam.com, which pretends to be a spam filtering service. I fired up VMware and installed upgrade.exe out of morbid curiosity. The results are here:
Msg: 26529 of 26688 4/6/2007 6:57:44 AM Recs: 26 Sentiment: Not Disclosed
By: Boyle M. Owl Send PM Profile Ignore Add To Favorites
Posted as a reply to msg 26470 by sco_source_scam
Re: IV advertising malware? Dropspam.com
The tiny program is a downloader and installer. I have run it inside of VMware, the only way to run Windows...
It may be legitimate, but read on, and grok the implications of the license....
3. Licensee's Covenants
(a) The Licensee has read all information pertaining to the operation of the Software and expressly agrees that the Licensor shall be permitted to make any modifications, alterations and re-configurations to the Licensee's computer hardware and software including its email inbox and outbox as required for the normal operation of the Software, including but not limited to the re-routing of emails to the Licensor's server for the purposes of screening emails for spam and viruses and attaching a brief message promoting the Software to all out-going emails of the Licensee.
The licensor can kindly stay the fuck out of my computer, tyvm.
(b) The Licensee further agrees that the Licensor shall be permitted to send emails (Authentication Emails) on behalf of the Licensee to those email addresses which have been stored in the Licensee's computer or which appear as senders in incoming emails, for the purposes of authenticating these email addresses and providing the recipients with an opportunity to update the Licensor with additional authentic email addresses.
"We're going to examine your drive for email addresses, and then we're going to spam the shit out of your friends."
(c) If the Licensee wishes to delete or remove the Software for any reason, such deletion or removal must be carried out using either the program or software removal tool inherent in the Licensee's computer operating system including the Add/Remove tool provided by Microsoft® Windows, or such other similar program or software provided by the Licensor, which will be available to the Licensee through the Licensor's website. The Licensee acknowledges that if the deletion or removal of the Software is carried out by any other manner or by using any program or software other than those described above, the Licensee's email software or system may not be restored fully and/or may fail to start up and function properly, and as a result the Licensee may not be able to receive or send emails.
"Yeah, ya see, our program so severely fucks your system that if you try to remove us with something that might work, we'll break your smtp and pop3 server pointers."
As I wrote this, several other popups came up and want me to install shit. Ahahahah, I'm going to install all this and then I'm going to run a friend's malware scanner to see what it really does.
Ghod...this is what being a windows user is like?! I have forgotten!
--
BMO
Msg: 26531 of 26688 4/6/2007 7:18:35 AM Recs: 25 Sentiment: Not Disclosed
By: Boyle M. Owl Send PM Profile Ignore Add To Favorites
Posted as a reply to msg 26529 by Boyle M. Owl
Re: IV advertising malware? Dropspam.com
I do this shit so you don't have to...
Up until I installed upgrade.exe, the system was pristine except for an installation of OpenOffice and Opera....
BTW, this is just a _part_ of the log that goes on forever...
Checking system programs...
Checking Windows directory contents...
c:\windows\appupdate.exe: Version info not found (Suspicious)
c:\windows\ewwsetup.exe:
not the least bit surprised (Score:2, Informative)
All signs of poor admins.
Re:not the least bit surprised (Score:4, Informative)
Re:I heard rumors (Score:2, Informative)
VMware does that. To clean the virtual machine, you can pick any of the older images. I was asked if I tried uninstalling using the spyware company uninstaller and I said no. I picked the April 1 image out of a perverted sense of humor.
--
BMO
Re:Asus Site Is Always A Mess Anyway (Score:5, Informative)
It's not a DNS error-- it's a html page error (Score:3, Informative)
Re:Advice (Score:1, Informative)
so only IE users need to worry.
SANS DID find evidence of an ANI exploit: (Score:4, Informative)
Re:Advice (Score:3, Informative)
That said, your file explorer on windows also uses the said engine, so any files you download are a threat as soon as you browse to their location. If you have put these files somewhere you know of, try using the windows shell to move them into a directory you don't like to go to very often. Then wait until spyware/anti-virus removers get updated and you are "safe".
Re:I'm shocked... SHOCKED! (Score:3, Informative)