Spam Opt-out Link Triggers Malicious Code Attack
Maestro4k writes "The Register is reporting on a new spam E-mail circulating out there. In it, clicking on the 'Click here to remove' link launches a site, that when the user scrolls the page, triggers a drag-drop javascript exploit. Scarily the E-mail actually complies with the CAN-SPAM act as it only requires spammers to put an opt-out link in their mailings. As The Reg says "It comes as little surprise that this feature is been taken advantage of in a social engineering exploit; but it does illustrate the security problems of the opt-out approach that were always apparent to security experts - and ignored by legislators." The link in questions points to www. xcelent.biz (As in The Reg story, space intentionally included) so even if you can't block the mail yet it should be easy to block access to the site with the exploit. I suspect this is just the beginning and most spam will include "features" such as this in the near future."
Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2004-09-22 09:54 MDT
Interesting ports on 61-218-79-53.HINET-IP.hinet.net (61.218.79.53):
(The 1651 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
135/tcp filtered msrpc
443/tcp open https
445/tcp filtered microsoft-ds
3306/tcp open mysql
6000/tcp open X11
Nmap run completed -- 1 IP address (1 host up) scanned in 54.453 seconds
Lawyers, MBA's, RIAA? A jedi fears not these things!
Yep, exactly right.
For the curious, here is an interesting post that describes the exploit at some length. Essentially, it uses an HTML 'dynsrc' attribute (proprietary Microsoft extension) to allow IE to download the executable, and javascript to use the 'shell:' protocol to execute it. It's not a particularly new flaw, but this is the slickest exploit of it I've seen.
(Score: -1, Stupid)