Hacked WebSites used to install parasites

mister krabs
Posts: 13974
This makes use of a vulnerability in Apache combined with a vulnerability in MSIE:

Security researchers are warning of a new method of installing unwanted parasitic software onto the computers of unsuspecting victims who use Microsoft Internet Explorer (MSIE).

How It Works
Most of the following information is based upon a detailed write-up of the process which is available at vitalsecurity.org.

The process starts with a flaw in the OpenSSL module which is installed alongside most Apache web servers. Apache is the software that serves up web pages on most of the world's web sites. By exploiting this flaw, an attacker can install a rootkit on the web server. The rootkit allows the attacker to take over the server completely. It has been modified to avoid detection by most available rootkit detectors.

Once installed, the compromised web server will attach a JavaScript to every HTTP packet sent to a browser used to surf the site. This JavaScript causes the surfer's browser to open an IFrame, a small inline window which loads a page different from the one in the surfer's address bar.

The IFrame loads a page from one of three sites. One of the sites hosting these pages is owned by someone using an email address associated with CoolWebSearch (coolsearch.biz).

The pages which are loaded in the IFrame cause the browser to load several additional pages, each of which tries a different method of installing parasitic software. Once the browser encounters an exploit for which it is not patched, the browser will download and execute a variety of parasite installers. Any of the following parasitic software may be installed on the victim's computer:

180solutions
BlazeFind
BookedSpace
BullsEye Networks
CashBack (Bargain Buddy)
ClickSpring
CoolWebSearch
DyFuca
Hoost
IBIS Toolbar
Internet Optimizer
ISTbar
Power Scan
SideFind
TIB Browser
WebRebates (TopMoxie)
WhenU (VVSN)
Window AdControl
WindUpdates
YourSiteBar


The installers for each of these have been modified to make them harder to detect with antivirus and antispyware software. At no time is the user presented with a EULA (End User Licencing Agreement), privacy policy or any other disclosure or the ability to opt out of installing these parasites.

There is evidence to suggest that an infected PC could be used by an attacker to participate in a distributed denial of service attack.

Protect Yourself
There is no complete defense for MSIE users. There is no patch for the IFrame vulnerability. However, you can set Internet Explorer to disable IFrames.


Full story including details of how to block exploitation:
http://www.spywareinfo.net/nov24,2004#hacked
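The attack chain above turns a compromised web server into the delivery point: the injected script opens a zero-sized IFrame that pulls exploit pages from a third-party host. A site operator can catch that tampering from the outside by fetching their own pages and looking for what the article describes: IFrames that are hidden (zero width or height, `display:none`) and IFrames or scripts whose source points off-site. The following scanner is an added example written for this thread, not code from the article or from vitalsecurity.org; the hostnames `www.example.com` and `malicious-host.invalid` and the sample HTML are constructed for the demonstration.

```python
"""Scan served HTML for injected hidden IFrames and off-site scripts.

Added example: a defender-side check modelled on the injection described in
the article (hidden IFrame plus script pointing at a third-party host).
All hostnames and sample pages below are constructed placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class InjectedFrameFinder(HTMLParser):
    """Collect <iframe> and <script> tags that look like injected content."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []  # (tag, src, reason)

    def _offsite(self, url):
        # Relative URLs have no hostname and are treated as on-site.
        host = urlparse(url or "").hostname
        if not host:
            return False
        host = host.lower()
        return host != self.site_host and not host.endswith("." + self.site_host)

    def handle_starttag(self, tag, attrs):
        a = {name: (value or "") for name, value in attrs}
        if tag == "iframe":
            src = a.get("src", "")
            width, height = a.get("width", "").strip(), a.get("height", "").strip()
            style = a.get("style", "").replace(" ", "").lower()
            hidden = (
                width in ("0", "0px") or height in ("0", "0px")
                or "display:none" in style or "visibility:hidden" in style
            )
            if hidden:
                self.findings.append(("iframe", src, "hidden"))
            elif self._offsite(src):
                self.findings.append(("iframe", src, "offsite"))
        elif tag == "script":
            src = a.get("src", "")
            if src and self._offsite(src):
                self.findings.append(("script", src, "offsite"))


def find_injections(html, site_host):
    """Return a list of (tag, src, reason) for suspicious frames/scripts."""
    parser = InjectedFrameFinder(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample pages: a clean page and the same page with the kind of
# hidden IFrame and third-party script the article describes appended to it.
CLEAN_PAGE = """<html><body><h1>Welcome</h1>
<script src="/js/site.js"></script>
<iframe src="https://www.example.com/widget" width="300" height="200"></iframe>
</body></html>"""

TAMPERED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<iframe src="http://malicious-host.invalid/x.html" width="0" height="0"></iframe>\n'
    '<script src="http://malicious-host.invalid/e.js"></script></body>',
)

if __name__ == "__main__":
    for label, page in (("clean", CLEAN_PAGE), ("tampered", TAMPERED_PAGE)):
        hits = find_injections(page, "www.example.com")
        print(f"{label}: {len(hits)} suspicious tag(s)")
        for tag, src, reason in hits:
            print(f"  <{tag}> {src!r} [{reason}]")
```

Run it against a page fetched from your own server (for example with `urllib.request`) and pass your site's hostname; a non-empty result on a page you did not change is the signal that the server, not the browser, is the thing to investigate. The hostname comparison deliberately treats subdomains of the site as on-site so ordinary CDN layouts do not trip it.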
Ranch Hand
Posts: 5093
Remote scripting vulnerability. Old old news. The options to disable remote scripts from starting 0-sized iframes have been turned on by default for several years now AFAIK.
Same as Apache security holes of course.

Guess the Microsoft haters couldn't find anything new so they rehashed something old?
Thomas Paul
mister krabs
Posts: 13974
Old news as in November 20, 2004. IE was not patched for this vulnerability. The defaults still allow it. If you use IE change your defaults.

Jeroen, if you don't know what you are talking about, it is best to keep your mouth shut rather than lead people into a false sense of security.