Spam Opt-out Link Triggers Malicious Code Attack

Maestro4k writes "The Register is reporting on a new spam E-mail circulating out there. In it, clicking on the 'Click here to remove' link launches a site, that when the user scrolls the page, triggers a drag-drop javascript exploit. Scarily the E-mail actually complies with the CAN-SPAM act as it only requires spammers to put an opt-out link in their mailings. As The Reg says "It comes as little surprise that this feature is been taken advantage of in a social engineering exploit; but it does illustrate the security problems of the opt-out approach that were always apparent to security experts - and ignored by legislators." The link in questions points to www. xcelent.biz (As in The Reg story, space intentionally included) so even if you can't block the mail yet it should be easy to block access to the site with the exploit. I suspect this is just the beginning and most spam will include "features" such as this in the near future."

devious

[hendridm]

Fortunately, there is a patch for it, Mozilla is unaffected, and Norton and McAfee (at minimum) seem to detect it. That just leaves the millions of unpatched Windows machines that are running out-dated or low-grade antivirus!

Microsoft says "No Problem"

Don't worry, this isn't a real problem:

"Given the significant amount of user action required to execute an attack, Microsoft does not consider this to be a high risk for customers," a company representative said, adding that the software giant's security experts are continuing to research the issue.

I mean, using a scrollbar. Come on, what kind of ignorant user is going to use a scrollbar an a site they don't trust? ;-)

Re:Microsoft says "No Problem"

Here is the pertinent CERT advisory for this flaw.

The idea is that all the website designer has to do is make an image that LOOKs like a scrollbar. The user goes and clicks and drags it to scroll down, not knowing it's fake. If there is a DYNSRC="..." attribute specified in the <IMG...> tag, Internet Explorer downloads and runs whatever program is specified, without any kinds of prompts whatsoever.

Even with SP2 installed.

Re:Microsoft says "No Problem"

[bheerssen]

Yep, exactly right.

For the curious, here is an interesting post that describes the exploit at some length. Essentially, it uses an HTML 'dynsrc' attribute (proprietary Microsoft extension) to allow IE to download the executable, and javascript to use the 'shell:' protocol to execute it. It's not a particularly new flaw, but this is the slickest exploit of it I've seen.

I dont know about you

[OverlordQ]

but my AntiVirus has detected this exploit for a *long* time.

JS/Exploit-DragDrop.b.gen

Re:I dont know about you

[orangesquid]

A simple string analysis of the trojan reveals some intimidating-looking strings:
GetSystemDirectoryA, xProxyBot v 1.0.0, 1.0.0 , w32.exe,
Windows Service Application, www.earthlabs.biz,
sockproxy/rec.php.
Software\M icrosoft\Windows\ CurrentVersion\Run
Software\Microsoft\Windows\ CurrentVersion\RunServices
%s?&p=%d&v=%s
VisitWe bPageThread , Socket4RandomThread, Socket4ServerThread
SYSTEM\CurrentControlSet\ Control\SafeBoot\
explorer.exe
Mozilla/4.0 (compatible)
InternetCloseHandle, InternetGetLast ResponseInfoA
InternetReadFile , InternetCrackUrlA
InternetOpenUrlA
InternetOpenA , InternetConnectA
FtpPutFileA, FtpGetFileA
HttpSendRequestA, HttpOpenRequestA
InternetGet ConnectedStateEx, InternetGetConnected State

interesting strings

the executable contains the strings "xProxyBot v 1.0.0" and www.earthlabs.biz/sockproxy/rec.php.

More Legislation Needed.

[FearTheFrail]

So now that we have a legal, malicious attack, we'll only have to wait a few -more- years for bills to be passed to have the law catch up with some watermark of digital exploitation. Super.

Re:More Legislation Needed.

[auzy]

Actually, I think thats the wrong approach. I just think vendors like Microsoft need to take responsibility for the poor security in their products.. Many exploits against windows products for instance were long known to come out before they were released, amongst many others. There was a time when eeye had serious exploits listed that took Microsoft longer then 100 days to fix.

Also, from past experience, legislation is often abused in computer cases (as demonstrated by people like the RIAA). Personally, its been pretty rare to see decent laws against computer crimes (I haven't heard of any I agree with so far).

I think the development of sender verification frameworks for Email will also eventually help, provided that MS is willing to accept the open standards for once.

Re:More Legislation Needed.

[stratjakt]

There's nothing legal about this.

It's not specifically illegal under the CAN-SPAM act, but it's just as illegal as any other exploit, trojan or worm.

Re:More Legislation Needed.

[gcaseye6677]

The government could crack down on most spam sources anytime they feel like taking the problem seriously. With all the business, tax code, interstate commerce, and other regulations on the books already, any spammer is bound to be violating a bunch of existing laws. And since many spamvertized products and services are fraudulent or blatantly illegal, simply prosecuting with traditional laws would be adequate.

If the IRS started auditing every known spammer with operations or residence in the United States, that would have a very chilling effect on spam. I'd bet my life savings that spammers don't report all of their income for tax purposes. If other countries then followed suit, spam would be relegated to the far corners of the world and easily firewalled.

Re:More Legislation Needed.

[Red+Alastor]

And many situations don't need a completely different law when it happens with computers. A fraud is a fraud no matter what the medium you use is and there is already good laws about it.

Re:More Legislation Needed.

[mdfst13]

"You went to the web page of your own free will, using something known to be bad. Caveat Emptor."

Obviously people here are aware that the site is bad. However, people who actually get the link in an email would be under the impression that the site is an opt out link. Providing them a virus instead is fraud and illegal.

If "known to be bad" refers to IE, that doesn't excuse anything. That's like saying that if you forget to lock your door, then it's all right for people to steal your stuff. In reality, it's still just as illegal.

Another good reason...

[Three+Headed+Man]

...to get SpamAssassin.

Re:Another good reason...

..to get SpamAssassin.

No. A good reason to hire a Spammer Assassin,
perhaps.

Violent, painful death is, after all, the only thing these sleaseballs fear.

Greeting from Malaysia

[politicsie04]

Whois says that the website is operated by Anandan Krishan from Malaysia, so lets all send him an email, win2save@yahoo.com , complaining that he has discrimnated against Firefox, and Linux users of his website, and that in future he should have a more inclusive virus.

Re:Greeting from Malaysia

[Nos.]

I tried to post the whois for the site as well as the whois for the IP that it's hosted on but gave up when /. said I had too many "junk" characters. Sheesh... here's a quick summary of the IP owner though:

Yu, Shao
4F, No. 7, Aly. 7, Lane 355, Sec. 2, Neihu Rd.
Taipei City
TW
Shao Yu (SY167-TW) hn87788676@hn.hinet.net
+886-9-36-045496

Dumb

[sl8r]

Also, the programmer seems to have had fun writing the javascript on that xcelent.biz page. From the source:

// probably the dumbest scrollbar emulation on this planet ;)

Re:Dumb

[Benanov]

That comment means it was ripped from a proof-of-concept website published a while ago: http://www.mikx.de/scrollbar/ Amazingly shameless. They stole this guy's code, AND they're using it for phishing attacks.

Why is the site still up?

[jarich]

The article says they know the name of the website... why is it still there? Why is the EXE still available?

I realize that another spammer will take advantadge of the hole next week but if the hosters were blacklisted from DNS servers, the offending files might get removed a little faster.

Re:Why is the site still up?

[gorbachev]

Two possible reasons:

1. Law enforcement agencies asked to keep it up

2. Hinet Taiwan doesn't give a shit

I'm betting on option #2.

Useful slashdotting!!

[Evan+Meakyl]

The link in questions points to www. xcelent.biz (As in The Reg story, space intentionally included)

There should be a real link, in order to /. it!!!

Use your powers for good

[Mignon]

Why don't we non IE-users use the Slashdot effect for good? Let's all visit the evil site and soon it will be a steaming pile of rubble.

Re:Use your powers for good

[ElNeo]

Like this nice link?
(click link below to show link...)

New News?

[Kartik3]

Spammers have often used an "unsubscribe" link or something similar only to verify your email address and send you more spam. While not the same as triggering an exploit, I've been under the impression that spammers have taken advantage of users with an "opt out" type of link in this way for quite a while now.

lamer is hosted on hinet.com

[Indy1]

host www.xcelent.biz
www.xcelent.biz has address 61.218.79.53
host 61.218.79.53
53.79.218.61.in-addr.arpa domain name pointer 61-218-79-53.HINET-IP.hinet.net

and people wonder why i firewall 60/7

Exploit

[jargoone]

The article didn't give much explanation about the drag-and-drop exploit itself. Understandably, given the audience, but I was curious. Here's a good link: http://xforce.iss.net/xforce/xfdb/13679

interesting ports on the spammer's site

[Indy1]

Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2004-09-22 09:54 MDT
Interesting ports on 61-218-79-53.HINET-IP.hinet.net (61.218.79.53):
(The 1651 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
135/tcp filtered msrpc
443/tcp open https
445/tcp filtered microsoft-ds
3306/tcp open mysql
6000/tcp open X11

Nmap run completed -- 1 IP address (1 host up) scanned in 54.453 seconds

Re:interesting ports on the spammer's site

[TCM]

$ telnet 61.218.79.53 22
Trying 61.218.79.53...
Connected to 61-218-79-53.HINET-IP.hinet.net.
Escape character is '^]'.
SSH-1.99-OpenSSH_3.5p1

Hmm.. Isn't 3.5p1 vulnerable to some exploit? Not that I'm implying anything!

Re:interesting ports on the spammer's site

[caluml]

bash-2.05b$ mysql -h 61-218-79-53.HINET-IP.hinet.net
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 658 to server version: 3.23.54

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> show databases;
+-----------------+
| Database |
+-----------------+
| earth_bizzads |
| herbalmarketing |
| mysql |
+-----------------+
3 rows in set (0.45 sec)

mysql>

Re:interesting ports on the spammer's site

earth_bizzads
Interesting, one of the string literals in the downloaded binary is "www.earthlabs.biz/sockproxy/rec.php", a database of infected clients perhaps?

Re:interesting ports on the spammer's site

[ravydavygravy]

Heh - this is what it looked like a few minutes ago...

mysql> use test;
Database changed
mysql> show tables;
+----------------+
| Tables_in_test |
+----------------+
| SPAMMERS_SUX0r |
| w00t |
+----------------+
2 rows in set (0.84 sec)

send it to the MCSE boys

[codepunk]

I just sent a link to that to the MCSE slags at work. How long till they figure out they just got owned.

Slightly OT-Malicious spam opt-outs and MYPOINTS

[CdBee]

I recenived an email from MyPoints asking me to activate an account set up on my Gmail address a few days ago, and hit the CAN-spam opt-out link (I hadn't signed up for it)

Since then I'm getting a LOT of spam, I received none prior. All have the same recipient name as the Mypoints mail and some other common characteristics, but none of the opt-out stuff. Thankfully, gmail is autofiltering them without any need for intervention, but I can't help but feel MyPoints are behind it.

Has anyone else had the same thing happen?

Even better - choose a link with graphics on.

[cliveholloway]

After a little guessing:

a b c d. "d" looks pretty heavy on graphics.

.02

cLive ;-)

Why is this a surprise?

[mykepredko]

Seriously.

It's not like spammers are a class of people to be trusted. I always felt the opt-out requirement was joke and prime for abuse. By opting out, you are telling the spammer that you read every email that comes your way and they add it to their list of email addresses that actually respond to spam.

So what do they do with this list? If they follow the letter of the law, they will stop spamming - but, they have a list of high quality email IDs that they can sell to other spammers.

Users should always follow these simple instructions with regards to email spam:

1. Make sure you have an incoming mail spam filter, like SpamAsassin.
2. Delete any spam that gets through.
3. If you are interested in the product, do not contact the email (spam) source, reply to the email, click on "helpful" buttons. Find reputable mainstream vendors - if it's great then Wal-Mart, Best Buy, Circuit City, etc. will stock it.

myke

Other sites on same server doing the same thing.

[Chatmag]

There is a slew of sites on that same server according to Webhosting Info that are infected, some with windows-update.exe and others with windows-update32.exe

But then again . . .

[harley_frog]

it is a site worthy of a good slashdotting, if just to keep the unwary from reaching it.

Re:But then again . . .

[mdfst13]

http://www.xcelent.biz/d/ is a link to another page in that domain. Also has more graphics for better slashdotting potential.

P.S. Still be careful. They could always move the pages around.

Hazardous link

[abb3w]

Now, now, there might be someone who might go to that page with IE. However, no doubt the Slashdot community would be interested in attempting their own effort at reverse engineering the trojan that they want you to download.

Of course, anyone who installs that on a non-isolated, non-virtual machine pretty much deserves the results. It looks like it has the standard "Software\Microsoft\Windows\Current Version\Run", "Software\Microsoft\Windows\Current Version\RunServices", and "SYSTEM\CurrentControlSet\Control\SafeBoot\" registry hooks. (Unix "strings" is your friend....)

Quick .EXE Analysis

[terrencefw]

As one other poster pointed out, running 'strings' on the executable reveals itself it be 'xProxyBot'.

Some other strings give a few clues about what it does:

• Software\Microsoft\Windows\CurrentVersion\Run - It installs itself in the registry.
• Mozilla/4.0 (compatible) - It grabs stuff of the web and tries to look like IE in the logs.
• SYSTEM\CurrentControlSet\Control\SafeBoot - Tries to get started in safe mode too.

It installs itself in Software\Microsoft\Windows\CurrentVersion\Run as 'w32.exe'. I don't see it doing very much though. I've let it loose on a VMWare '98 session. No opened ports (unless it responds to portknocking), no attempts at outbound communication, maybe '98 is too old for it!

I just got exploited

[iMaple]

I decided to try it out on my Windows machine, so opened the link in IE. I had Win XP SP2 and an updated Norton Antivirus and the (new ) Win XP firewall on.
But the exploit worked !! I was expecting to get a pop up from NAV with an exciting alarm sound .
(Un)Fortunately since it worked now I know what it does :
1) Add thw windows-update.exe in the startup folder
2) Add a new file cmd.dat to the startup folder.
Anyway since I had gone so far, I tried running the Windows-udpadte , but that gave me the error that it was not a valid exe file. I ran it in the protected moded (available when u slecet run as.. in Win XP). Then I renamed the dat file to .exe and ran that in the protected mode too. It ran !! It tried to access the internet but I hope the WinXP 2 firewall stoppped it. Anyway got sort of scared since my Win Laptop is not junk and I use it whenever I need a Laptop with standby and Powerpoint. So now I have deleted the files. Cant see any new services in the registry either so hopefully my machine isnt yet a spam mail relay.
BTW if anyone else has tried it out and know about something else that should be done pls let me know. And does anyone have a clue why NAV does not detect this ?? Maybe u need to activate it for IE or make IE the default browser ???

Fill his database

[caffeine_monkey]

It looks like he's not checking the field length of that "email addr" input before inserting it into the DB, so it should be a simple matter for someone to write a script to continuously loop through a POST to http://61.218.79.53/o/cgi-bin/removeme.cgi with a large amount of data in the field name "email". If a few people do this, his DB should fill up pretty quick.

DNS trace - Lets give the address' owner a call

[Honest+Man]

Well, we could always call the owner of the site and tell him how much we 'so' appreciate his exploit being used on ppl.

Domain Name: XCELENT.BIZ
Domain ID: D7752456-BIZ
Sponsoring Registrar: CSL COMPUTER SERVICE (D.B.A. JOKER.COM)
Domain Status: clientTransferProhibited
Registrant ID: CNEU-105661
Registrant Name: Anandan Krishan
Registrant Organization: Iscon & Krishan
Registrant Address1: Suite 50-12
Registrant Address2: Jalan Yap Kwan Seng.
Registrant City: Kuala Lumpur
Registrant State/Province: KL
Registrant Postal Code: 50450
Registrant Country: Malaysia
Registrant Country Code: MY
Registrant Phone Number: +603.27756842
Registrant Facsimile Number: +603.27756642
Registrant Email: win2save@yahoo.com
Administrative Contact ID: CNEU-105617
Administrative Contact Name: Anandan Krishan
Administrative Contact Organization: Iscon & Krishan
Administrative Contact Address1: Suite 50-12
Administrative Contact Address2: Jalan Yap Kwan Seng.
Administrative Contact City: Kuala Lumpur
Administrative Contact State/Province: KL
Administrative Contact Postal Code: 50450
Administrative Contact Country: Malaysia
Administrative Contact Country Code: MY
Administrative Contact Phone Number: +603.27756842
Administrative Contact Facsimile Number: +603.27756642
Administrative Contact Email: win2save@yahoo.com
Billing Contact ID: CNEU-105617
Billing Contact Name: Anandan Krishan
Billing Contact Organization: Iscon & Krishan
Billing Contact Address1: Suite 50-12
Billing Contact Address2: Jalan Yap Kwan Seng.
Billing Contact City: Kuala Lumpur
Billing Contact State/Province: KL
Billing Contact Postal Code: 50450
Billing Contact Country: Malaysia
Billing Contact Country Code: MY
Billing Contact Phone Number: +603.27756842
Billing Contact Facsimile Number: +603.27756642
Billing Contact Email: win2save@yahoo.com
Technical Contact ID: CNEU-105617
Technical Contact Name: Anandan Krishan
Technical Contact Organization: Iscon & Krishan
Technical Contact Address1: Suite 50-12
Technical Contact Address2: Jalan Yap Kwan Seng.
Technical Contact City: Kuala Lumpur
Technical Contact State/Province: KL
Technical Contact Postal Code: 50450
Technical Contact Country: Malaysia
Technical Contact Country Code: MY
Technical Contact Phone Number: +603.27756842
Technical Contact Facsimile Number: +603.27756642
Technical Contact Email: win2save@yahoo.com
Name Server: NS1.GRAITHBOADER.BIZ
Name Server: NS2.GRAITHBOADER.BIZ
Name Server: NS2.TIKONDES.BIZ
Created by Registrar: CSL COMPUTER SERVICE (D.B.A. JOKER.COM)
Last Updated by Registrar: CSL COMPUTER SERVICE (D.B.A. JOKER.COM)
Domain Registration Date: Wed Sep 15 03:53:27 GMT 2004
Domain Expiration Date: Wed Sep 14 23:59:59 GMT 2005
Domain Last Updated Date: Wed Sep 15 04:03:16 GMT 2004

**