Slashdot Mirror
Spam Opt-out Link Triggers Malicious Code Attack
Maestro4k writes "The Register is reporting on a new spam E-mail circulating out there. In it, clicking on the 'Click here to remove' link launches a site, that when the user scrolls the page, triggers a drag-drop javascript exploit. Scarily the E-mail actually complies with the CAN-SPAM act as it only requires spammers to put an opt-out link in their mailings. As The Reg says "It comes as little surprise that this feature is been taken advantage of in a social engineering exploit; but it does illustrate the security problems of the opt-out approach that were always apparent to security experts - and ignored by legislators." The link in questions points to www. xcelent.biz (As in The Reg story, space intentionally included) so even if you can't block the mail yet it should be easy to block access to the site with the exploit. I suspect this is just the beginning and most spam will include "features" such as this in the near future."
Fortunately, there is a patch for it, Mozilla is unaffected, and Norton and McAfee (at minimum) seem to detect it. That just leaves the millions of unpatched Windows machines that are running out-dated or low-grade antivirus!
Your hair look like poop, Bob! - Wanker.
the executable contains the strings "xProxyBot v 1.0.0" and www.earthlabs.biz/sockproxy/rec.php.
Here is the pertinent CERT advisory for this flaw.
The idea is that all the website designer has to do is make an image that LOOKs like a scrollbar. The user goes and clicks and drags it to scroll down, not knowing it's fake. If there is a DYNSRC="..." attribute specified in the <IMG...> tag, Internet Explorer downloads and runs whatever program is specified, without any kinds of prompts whatsoever.
Even with SP2 installed.
Spammers have often used an "unsubscribe" link or something similar only to verify your email address and send you more spam. While not the same as triggering an exploit, I've been under the impression that spammers have taken advantage of users with an "opt out" type of link in this way for quite a while now.
host www.xcelent.biz
www.xcelent.biz has address 61.218.79.53
host 61.218.79.53
53.79.218.61.in-addr.arpa domain name pointer 61-218-79-53.HINET-IP.hinet.net
and people wonder why i firewall 60/7
Lawyers, MBA's, RIAA? A jedi fears not these things!
The article didn't give much explanation about the drag-and-drop exploit itself. Understandably, given the audience, but I was curious. Here's a good link: http://xforce.iss.net/xforce/xfdb/13679
Yu, Shao
4F, No. 7, Aly. 7, Lane 355, Sec. 2, Neihu Rd.
Taipei City
TW
Shao Yu (SY167-TW) hn87788676@hn.hinet.net
+886-9-36-045496
a b c d. "d" looks pretty heavy on graphics.
.02
cLive ;-)
-- Trinity in high heels carrying a whip: The donimatrix - there is no spoonerism
That comment means it was ripped from a proof-of-concept website published a while ago: http://www.mikx.de/scrollbar/ Amazingly shameless. They stole this guy's code, AND they're using it for phishing attacks.
There is a slew of sites on that same server according to Webhosting Info that are infected, some with windows-update.exe and others with windows-update32.exe
Pete Carr Owner Chatmag.com
Of course, anyone who installs that on a non-isolated, non-virtual machine pretty much deserves the results. It looks like it has the standard "Software\Microsoft\Windows\Current Version\Run", "Software\Microsoft\Windows\Current Version\RunServices", and "SYSTEM\CurrentControlSet\Control\SafeBoot\" registry hooks. (Unix "strings" is your friend....)
//Information does not want to be free; it wants to breed.
I decided to try it out on my Windows machine, so opened the link in IE. I had Win XP SP2 and an updated Norton Antivirus and the (new ) Win XP firewall on. . .exe and ran that in the protected mode too. It ran !! It tried to access the internet but I hope the WinXP 2 firewall stoppped it. Anyway got sort of scared since my Win Laptop is not junk and I use it whenever I need a Laptop with standby and Powerpoint. So now I have deleted the files. Cant see any new services in the registry either so hopefully my machine isnt yet a spam mail relay.
But the exploit worked !! I was expecting to get a pop up from NAV with an exciting alarm sound
(Un)Fortunately since it worked now I know what it does :
1) Add thw windows-update.exe in the startup folder
2) Add a new file cmd.dat to the startup folder.
Anyway since I had gone so far, I tried running the Windows-udpadte , but that gave me the error that it was not a valid exe file. I ran it in the protected moded (available when u slecet run as.. in Win XP). Then I renamed the dat file to
BTW if anyone else has tried it out and know about something else that should be done pls let me know. And does anyone have a clue why NAV does not detect this ?? Maybe u need to activate it for IE or make IE the default browser ???
http://www.xcelent.biz/d/ is a link to another page in that domain. Also has more graphics for better slashdotting potential.
P.S. Still be careful. They could always move the pages around.Well, we could always call the owner of the site and tell him how much we 'so' appreciate his exploit being used on ppl.
Domain Name: XCELENT.BIZ
Domain ID: D7752456-BIZ
Sponsoring Registrar: CSL COMPUTER SERVICE (D.B.A. JOKER.COM)
Domain Status: clientTransferProhibited
Registrant ID: CNEU-105661
Registrant Name: Anandan Krishan
Registrant Organization: Iscon & Krishan
Registrant Address1: Suite 50-12
Registrant Address2: Jalan Yap Kwan Seng.
Registrant City: Kuala Lumpur
Registrant State/Province: KL
Registrant Postal Code: 50450
Registrant Country: Malaysia
Registrant Country Code: MY
Registrant Phone Number: +603.27756842
Registrant Facsimile Number: +603.27756642
Registrant Email: win2save@yahoo.com
Administrative Contact ID: CNEU-105617
Administrative Contact Name: Anandan Krishan
Administrative Contact Organization: Iscon & Krishan
Administrative Contact Address1: Suite 50-12
Administrative Contact Address2: Jalan Yap Kwan Seng.
Administrative Contact City: Kuala Lumpur
Administrative Contact State/Province: KL
Administrative Contact Postal Code: 50450
Administrative Contact Country: Malaysia
Administrative Contact Country Code: MY
Administrative Contact Phone Number: +603.27756842
Administrative Contact Facsimile Number: +603.27756642
Administrative Contact Email: win2save@yahoo.com
Billing Contact ID: CNEU-105617
Billing Contact Name: Anandan Krishan
Billing Contact Organization: Iscon & Krishan
Billing Contact Address1: Suite 50-12
Billing Contact Address2: Jalan Yap Kwan Seng.
Billing Contact City: Kuala Lumpur
Billing Contact State/Province: KL
Billing Contact Postal Code: 50450
Billing Contact Country: Malaysia
Billing Contact Country Code: MY
Billing Contact Phone Number: +603.27756842
Billing Contact Facsimile Number: +603.27756642
Billing Contact Email: win2save@yahoo.com
Technical Contact ID: CNEU-105617
Technical Contact Name: Anandan Krishan
Technical Contact Organization: Iscon & Krishan
Technical Contact Address1: Suite 50-12
Technical Contact Address2: Jalan Yap Kwan Seng.
Technical Contact City: Kuala Lumpur
Technical Contact State/Province: KL
Technical Contact Postal Code: 50450
Technical Contact Country: Malaysia
Technical Contact Country Code: MY
Technical Contact Phone Number: +603.27756842
Technical Contact Facsimile Number: +603.27756642
Technical Contact Email: win2save@yahoo.com
Name Server: NS1.GRAITHBOADER.BIZ
Name Server: NS2.GRAITHBOADER.BIZ
Name Server: NS2.TIKONDES.BIZ
Created by Registrar: CSL COMPUTER SERVICE (D.B.A. JOKER.COM)
Last Updated by Registrar: CSL COMPUTER SERVICE (D.B.A. JOKER.COM)
Domain Registration Date: Wed Sep 15 03:53:27 GMT 2004
Domain Expiration Date: Wed Sep 14 23:59:59 GMT 2005
Domain Last Updated Date: Wed Sep 15 04:03:16 GMT 2004
**