Spam Opt-out Link Triggers Malicious Code Attack
Maestro4k writes "The Register is reporting on a new spam E-mail circulating out there. In it, clicking on the 'Click here to remove' link launches a site that, when the user scrolls the page, triggers a drag-drop javascript exploit. Scarily, the E-mail actually complies with the CAN-SPAM act, as it only requires spammers to put an opt-out link in their mailings. As The Reg says "It comes as little surprise that this feature is being taken advantage of in a social engineering exploit; but it does illustrate the security problems of the opt-out approach that were always apparent to security experts - and ignored by legislators." The link in question points to www. xcelent.biz (As in The Reg story, space intentionally included) so even if you can't block the mail yet it should be easy to block access to the site with the exploit. I suspect this is just the beginning and most spam will include "features" such as this in the near future."
Fortunately, there is a patch for it, Mozilla is unaffected, and Norton and McAfee (at minimum) seem to detect it. That just leaves the millions of unpatched Windows machines that are running out-dated or low-grade antivirus!
I mean, using a scrollbar. Come on, what kind of ignorant user is going to use a scrollbar on a site they don't trust?
Your hair look like poop, Bob! - Wanker.
The executable contains the strings "xProxyBot v 1.0.0" and www.earthlabs.biz/sockproxy/rec.php.
So now that we have a legal, malicious attack, we'll only have to wait a few -more- years for bills to be passed to have the law catch up with some watermark of digital exploitation. Super.
___ In the words of Gen. Douglas McArthur: "I'll be right back."
...to get SpamAssassin.
I'm probably at the karma cap. Mod up a funny troll instead, it lightens the mood
Whois says that the website is operated by Anandan Krishan from Malaysia, so let's all send him an email, win2save@yahoo.com , complaining that he has discriminated against Firefox, and Linux users of his website, and that in future he should have a more inclusive virus.
I realize that another spammer will take advantage of the hole next week but if the hosters were blacklisted from DNS servers, the offending files might get removed a little faster.
Agile Artisans
The link in question points to www. xcelent.biz (As in The Reg story, space intentionally included)
/. it!!!
There should be a real link, in order to
Why don't we non IE-users use the Slashdot effect for good? Let's all visit the evil site and soon it will be a steaming pile of rubble.
Spammers have often used an "unsubscribe" link or something similar only to verify your email address and send you more spam. While not the same as triggering an exploit, I've been under the impression that spammers have taken advantage of users with an "opt out" type of link in this way for quite a while now.
host www.xcelent.biz
www.xcelent.biz has address 61.218.79.53
host 61.218.79.53
53.79.218.61.in-addr.arpa domain name pointer 61-218-79-53.HINET-IP.hinet.net
and people wonder why I firewall 60/7
Lawyers, MBA's, RIAA? A jedi fears not these things!
This is a good reason to use mime_defang with spamassassin. Either do that or what I do, have it actually attach the message as a .eml file (RFC 822 or whatever) and then you can view it in whatever you want and even reimport it into your mailbox.
I hate spam, but I haven't had a false positive or negative in forever combining the bayes inside spamassassin with the bayes inside thunderbird.
Chris
The article didn't give much explanation about the drag-and-drop exploit itself. Understandably, given the audience, but I was curious. Here's a good link: http://xforce.iss.net/xforce/xfdb/13679
Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2004-09-22 09:54 MDT
Interesting ports on 61-218-79-53.HINET-IP.hinet.net (61.218.79.53):
(The 1651 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
135/tcp filtered msrpc
443/tcp open https
445/tcp filtered microsoft-ds
3306/tcp open mysql
6000/tcp open X11
Nmap run completed -- 1 IP address (1 host up) scanned in 54.453 seconds
Lawyers, MBA's, RIAA? A jedi fears not these things!
The only thing you should be clicking on, in a spam message, is the delete icon/key.
CAN-SPAM may require an opt-out option in the e-mail to remain legal. However, the legislation DOESN'T protect you from the consequences of using that opt-out option.
It's legislated social engineering at its finest. Good luck out there.
IT Geeks - 1
Politicos without "tech savvy" - 0
This is the way it will always be unfortunately. Unless the whole population eventually can understand all the technical aspects of computers and the internet, or computers and the internet become so rock solid/secure AND easy to use, it will always be this way.
Un-news
Firefox's Javascript console reports many errors:
n ov&opt=hjj&rw=468&rh=60&cv=220&uid=673 475
Line: 3, Column: 17
Source Code:
document.writeln('
1 &adtype=over&affiliate=ultimate-guitar&suba=ultima te-guitar&channel=music&subchannel=tic&category=ti c&PT=ct&CR=ei&pez=tic
Line: 11
...and many more similar to this
Error: unterminated string literal Source File: http://focusin.ads.targetnet.com//ad/id=dmitryiva
Error: newPopup has no properties Source File: http://mediamgr.ugo.com/js.ng/Network=ugo&size=1x
Error: document.getElementById("clientcall").click is not a function Source File: http://www.xcelent.biz/o/ Line: 74
Error: event is not defined Source File: http://www.xcelent.biz/o/frame.html Line: 84
-P@
signal_connect(0, "test_top.dut.my_sig", "clk");
I just sent a link to that to the MCSE slags at work. How long till they figure out they just got owned?
Got Code?
I received an email from MyPoints asking me to activate an account set up on my Gmail address a few days ago, and hit the CAN-spam opt-out link (I hadn't signed up for it)
Since then I'm getting a LOT of spam, I received none prior. All have the same recipient name as the Mypoints mail and some other common characteristics, but none of the opt-out stuff. Thankfully, gmail is autofiltering them without any need for intervention, but I can't help but feel MyPoints are behind it.
Has anyone else had the same thing happen?
I have been a user for about 10 years. This ends Feb 2014. The site's been ruined. I'm off. Dice, FU
a b c d. "d" looks pretty heavy on graphics.
.02
cLive ;-)
-- Trinity in high heels carrying a whip: The donimatrix - there is no spoonerism
Didn't get that far. Just loading the page launched it. Anti-virus kicked in with a warning, home page was attempted to change, and then I got a call from headquarters to follow the delousing drill, since they also get all of our warnings.
Well that was fun. Didn't get to see any scroll bar :(
Windows 2000 - IE 5.50.4807.2300
Why are there only 19 people folding@home for slashdot?
39,936 bytes
Added to Computer Associates database 9/21/04
What do other vendors call this?
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Seriously.
It's not like spammers are a class of people to be trusted. I always felt the opt-out requirement was a joke and prime for abuse. By opting out, you are telling the spammer that you read every email that comes your way and they add it to their list of email addresses that actually respond to spam.
So what do they do with this list? If they follow the letter of the law, they will stop spamming - but, they have a list of high quality email IDs that they can sell to other spammers.
Users should always follow these simple instructions with regards to email spam:
1. Make sure you have an incoming mail spam filter, like SpamAssassin.
2. Delete any spam that gets through.
3. If you are interested in the product, do not contact the email (spam) source, reply to the email, or click on "helpful" buttons. Find reputable mainstream vendors - if it's great then Wal-Mart, Best Buy, Circuit City, etc. will stock it.
myke
Mimetics Inc. Twitter
This is dangerous stuff. Mod the parent article down (which includes a working link to the malicious address) so that people don't click on it.
There is a slew of sites on that same server according to Webhosting Info that are infected, some with windows-update.exe and others with windows-update32.exe
Pete Carr Owner Chatmag.com
it is a site worthy of a good slashdotting, if just to keep the unwary from reaching it.
It's all fun and games until someone loses the key to the handcuffs.
Of course, anyone who installs that on a non-isolated, non-virtual machine pretty much deserves the results. It looks like it has the standard "Software\Microsoft\Windows\Current Version\Run", "Software\Microsoft\Windows\Current Version\RunServices", and "SYSTEM\CurrentControlSet\Control\SafeBoot\" registry hooks. (Unix "strings" is your friend....)
//Information does not want to be free; it wants to breed.
Some other strings give a few clues about what it does:
- Software\Microsoft\Windows\CurrentVersion\Run - It installs itself in the registry.
- Mozilla/4.0 (compatible) - It grabs stuff off the web and tries to look like IE in the logs.
- SYSTEM\CurrentControlSet\Control\SafeBoot - Tries to get started in safe mode too.
It installs itself in Software\Microsoft\Windows\CurrentVersion\Run as 'w32.exe'. I don't see it doing very much though. I've let it loose on a VMWare '98 session. No opened ports (unless it responds to portknocking), no attempts at outbound communication, maybe '98 is too old for it!
Like tinyurl, but one letter less! http://qurl.co.uk/
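The posts above work out what the dropped executable does from the strings embedded in it: the Run and RunServices autostart keys, the SafeBoot key, and a browser-like User-Agent. The script below is an added example, not code from the thread or from the malware, that does the same triage offline: it pulls printable runs out of a binary the way Unix strings does and flags the ones that name a persistence location. The sample byte blob is constructed for the example and only contains the strings quoted in the thread; the indicator labels are my own.

```python
import re
from typing import Dict, List, Tuple

# Registry paths and other markers quoted in the thread. Matching is
# case-insensitive because the Windows registry is. The most specific
# entry (RunServices) is listed before the one it contains (Run) so each
# string gets a single, correct label.
INDICATORS = {
    "autostart (RunServices)": r"software\microsoft\windows\currentversion\runservices",
    "autostart (Run)": r"software\microsoft\windows\currentversion\run",
    "safe-mode persistence (SafeBoot)": r"system\currentcontrolset\control\safeboot",
    "HTTP client masquerading as IE": "mozilla/4.0 (compatible",
}


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Return every run of >= min_len printable ASCII bytes, like `strings -n`."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def classify(strings: List[str]) -> Dict[str, List[str]]:
    """Map each indicator label to the extracted strings that contain it."""
    hits: Dict[str, List[str]] = {}
    for s in strings:
        low = s.lower()
        for label, needle in INDICATORS.items():
            if needle in low:
                hits.setdefault(label, []).append(s)
                break  # one label per string; see ordering note above
    return hits


def scan(data: bytes) -> Tuple[List[str], Dict[str, List[str]]]:
    """Convenience wrapper: (all strings, persistence/network indicators found)."""
    strings = extract_strings(data)
    return strings, classify(strings)


# Constructed stand-in for the dropped binary: a fake DOS header, some
# non-printable filler, and the strings quoted in the thread.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"xProxyBot v 1.0.0\x00\x01\x02"
    b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    b"Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\x00\x7f\x80"
    b"SYSTEM\\CurrentControlSet\\Control\\SafeBoot\x00"
    b"Mozilla/4.0 (compatible)\x00\x00w32.exe\x00ab\x00"
)

if __name__ == "__main__":
    strings, hits = scan(SAMPLE_BINARY)
    print("strings:", strings)
    for label, matched in hits.items():
        print(f"{label}: {matched}")
```

Run against a real file with `scan(open(path, "rb").read())`; on a clean system the autostart labels should not appear in ordinary user software, which is what makes them useful triage hints rather than proof on their own.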
I decided to try it out on my Windows machine, so opened the link in IE. I had Win XP SP2 and an updated Norton Antivirus and the (new) Win XP firewall on. . .exe and ran that in the protected mode too. It ran !! It tried to access the internet but I hope the WinXP 2 firewall stopped it. Anyway got sort of scared since my Win Laptop is not junk and I use it whenever I need a Laptop with standby and Powerpoint. So now I have deleted the files. Can't see any new services in the registry either so hopefully my machine isn't yet a spam mail relay.
But the exploit worked !! I was expecting to get a pop up from NAV with an exciting alarm sound
(Un)Fortunately since it worked now I know what it does :
1) Add the windows-update.exe in the startup folder
2) Add a new file cmd.dat to the startup folder.
Anyway since I had gone so far, I tried running the Windows-update , but that gave me the error that it was not a valid exe file. I ran it in the protected mode (available when u select run as.. in Win XP). Then I renamed the dat file to
BTW if anyone else has tried it out and know about something else that should be done pls let me know. And does anyone have a clue why NAV does not detect this ?? Maybe u need to activate it for IE or make IE the default browser ???
Flash Lynch Mobs.
---If you can't trust a nerd, who can you trust?
I like a good practical joke as much as the next person. Can we just track down one of these people, drag him/her outside chop them up with bolo knives hunt down their families, rape mutilate and murder them set fire to their houses, kill their dogs and piss all over the corpses already?
I figure 10, 20 thousand of these losers tops and the problem will go away.
If SA 3.0 is running with SUBL support, how can we add: www.xcelent.biz to the SUBL list? In that case, SA 3.0 would block this email altogether. I think this is a killer feature of SA now, and I'm waiting to learn more about it so I can update my current 2.x version running on my home mailserver.
PCB$@#
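The question above is about blocking the mail by the domain its opt-out link points to rather than by sender or body text, which is what SpamAssassin's URI-blocklist lookups do. The script below is an added example, not SpamAssassin code and not from the thread: it extracts link hosts from a message body, reduces each to its registered domain, and checks it against a local blocklist seeded with the domain from the story. The sample message is constructed; the two-label domain reduction is a simplification I chose for the example (a production list would consult the Public Suffix List so that co.uk-style suffixes work).

```python
import re
from typing import Dict, List, Set

# Capture the host part of any http(s) URL; stops at the path, query,
# fragment, whitespace or a closing quote/bracket.
URL_RE = re.compile(r"https?://([^\s/?#\"'<>]+)", re.IGNORECASE)

# Local URI blocklist of registered domains (the role a SURBL-style
# lookup plays in SpamAssassin 3.0). Seeded with the domain from the story.
LOCAL_URIBL: Set[str] = {"xcelent.biz"}


def extract_hosts(body: str) -> List[str]:
    """All link hosts in order of appearance, lower-cased, with any :port removed."""
    return [h.lower().split(":")[0] for h in URL_RE.findall(body)]


def registered_domain(host: str) -> str:
    """Reduce a host to its registrable domain.

    Assumption for this example: two-label domains (xcelent.biz). Real
    filters use the Public Suffix List so that example.co.uk is not cut to co.uk.
    """
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def blocked_domains(body: str, blocklist: Set[str] = LOCAL_URIBL) -> Dict[str, List[str]]:
    """Map each blocklisted registered domain to the link hosts that hit it."""
    hits: Dict[str, List[str]] = {}
    for host in extract_hosts(body):
        domain = registered_domain(host)
        if domain in blocklist:
            hits.setdefault(domain, []).append(host)
    return hits


def is_spam(body: str, blocklist: Set[str] = LOCAL_URIBL) -> bool:
    """True if any link in the body points into a blocklisted domain."""
    return bool(blocked_domains(body, blocklist))


# Constructed sample: an opt-out link to the domain from the story (once
# via www., once upper-cased with an explicit port) plus a harmless link.
SAMPLE_MAIL = """Subject: Special offer

Great deals inside. Details at http://www.example.com/deals

To stop receiving these messages, Click here to remove:
<a href="http://www.xcelent.biz/o/">Click here to remove</a>
Alternate: HTTP://XCELENT.BIZ:8080/remove
"""

if __name__ == "__main__":
    print(blocked_domains(SAMPLE_MAIL))
    print("spam" if is_spam(SAMPLE_MAIL) else "clean")
```

In SpamAssassin itself the equivalent local rule is a `uri` rule in local.cf, e.g. `uri LOCAL_URI_XCELENT /xcelent\.biz/i` with a `score` line for it; the script above only shows the matching logic such a rule applies.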
free ipod and free gmail!
I don't have to worry about Windows viruses *and* fake scroll-bars will stick out like sore thumbs :)
Thank you ICANN! :)
[Set Cain on fire and steal his lute.]
what, you don't have a .com?
get over it.
comment directly in my journal
They hired Slashdot to take it down, and we are working on it even as I type this.
Wow, you mindlessly repeated the mistaken conclusion of the article submitter.
If the link doesn't allow you to opt out, it's not an opt out link, is it?
If the law requires that I have a valid licence when driving, is it OK if I call my dog "a valid licence" and have him sit in the back seat? "Everything is in order, officer. I have 'a valid licence' back here..." Just because you call a thing something, doesn't make it that thing.
With that reward money, I could afford this life-sized chocolate God, filled with an infinite number of smarties.
It looks like he's not checking the field length of that "email addr" input before inserting it into the DB, so it should be a simple matter for someone to write a script to continuously loop through a POST to http://61.218.79.53/o/cgi-bin/removeme.cgi with a large amount of data in the field name "email". If a few people do this, his DB should fill up pretty quick.
asking that they revisit the CAN-SPAM act. When they click the scrollbar in the forwarded message, they'll finally understand why we didn't think the original bill was tough enough.
The brain-dead apache admin that put this box together made all the pages available over the SSL connection. So from your browser (preferably FireFox) use this link.
https://61.218.79.53/d/
Or if you have OpenSSL on your box (most *nix boxes do or you can download it from www.openssl.org) use this line in your favorite looped script:
openssl s_client -connect 61.218.79.53:443
This sets up an SSL connection. Even if they are using a HSM (Hardware Security Module) they cannot service more than 300-400 or so connections/sec with an HSM rated for 600 connections/sec. They aren't using an HSM, so it shouldn't take more than about 50-100 of these per second to fully tax the processor.
Why anyone would use an e-mail program that allows clicking on something is beyond me. All the comfortable features that come with clickability have their price -- which in this case is far too high IMHO.
open (SIG, "</dev/zero"); $sig = <SIG>; close SIG;
Well, we could always call the owner of the site and tell him how much we 'so' appreciate his exploit being used on ppl.
Domain Name: XCELENT.BIZ
Domain ID: D7752456-BIZ
Sponsoring Registrar: CSL COMPUTER SERVICE (D.B.A. JOKER.COM)
Domain Status: clientTransferProhibited
Registrant ID: CNEU-105661
Registrant Name: Anandan Krishan
Registrant Organization: Iscon & Krishan
Registrant Address1: Suite 50-12
Registrant Address2: Jalan Yap Kwan Seng.
Registrant City: Kuala Lumpur
Registrant State/Province: KL
Registrant Postal Code: 50450
Registrant Country: Malaysia
Registrant Country Code: MY
Registrant Phone Number: +603.27756842
Registrant Facsimile Number: +603.27756642
Registrant Email: win2save@yahoo.com
Administrative Contact ID: CNEU-105617
Administrative Contact Name: Anandan Krishan
Administrative Contact Organization: Iscon & Krishan
Administrative Contact Address1: Suite 50-12
Administrative Contact Address2: Jalan Yap Kwan Seng.
Administrative Contact City: Kuala Lumpur
Administrative Contact State/Province: KL
Administrative Contact Postal Code: 50450
Administrative Contact Country: Malaysia
Administrative Contact Country Code: MY
Administrative Contact Phone Number: +603.27756842
Administrative Contact Facsimile Number: +603.27756642
Administrative Contact Email: win2save@yahoo.com
Billing Contact ID: CNEU-105617
Billing Contact Name: Anandan Krishan
Billing Contact Organization: Iscon & Krishan
Billing Contact Address1: Suite 50-12
Billing Contact Address2: Jalan Yap Kwan Seng.
Billing Contact City: Kuala Lumpur
Billing Contact State/Province: KL
Billing Contact Postal Code: 50450
Billing Contact Country: Malaysia
Billing Contact Country Code: MY
Billing Contact Phone Number: +603.27756842
Billing Contact Facsimile Number: +603.27756642
Billing Contact Email: win2save@yahoo.com
Technical Contact ID: CNEU-105617
Technical Contact Name: Anandan Krishan
Technical Contact Organization: Iscon & Krishan
Technical Contact Address1: Suite 50-12
Technical Contact Address2: Jalan Yap Kwan Seng.
Technical Contact City: Kuala Lumpur
Technical Contact State/Province: KL
Technical Contact Postal Code: 50450
Technical Contact Country: Malaysia
Technical Contact Country Code: MY
Technical Contact Phone Number: +603.27756842
Technical Contact Facsimile Number: +603.27756642
Technical Contact Email: win2save@yahoo.com
Name Server: NS1.GRAITHBOADER.BIZ
Name Server: NS2.GRAITHBOADER.BIZ
Name Server: NS2.TIKONDES.BIZ
Created by Registrar: CSL COMPUTER SERVICE (D.B.A. JOKER.COM)
Last Updated by Registrar: CSL COMPUTER SERVICE (D.B.A. JOKER.COM)
Domain Registration Date: Wed Sep 15 03:53:27 GMT 2004
Domain Expiration Date: Wed Sep 14 23:59:59 GMT 2005
Domain Last Updated Date: Wed Sep 15 04:03:16 GMT 2004