Spam Opt-out Link Triggers Malicious Code Attack

Maestro4k writes "The Register is reporting on a new spam E-mail circulating out there. In it, clicking on the 'Click here to remove' link launches a site, that when the user scrolls the page, triggers a drag-drop javascript exploit. Scarily the E-mail actually complies with the CAN-SPAM act as it only requires spammers to put an opt-out link in their mailings. As The Reg says "It comes as little surprise that this feature is been taken advantage of in a social engineering exploit; but it does illustrate the security problems of the opt-out approach that were always apparent to security experts - and ignored by legislators." The link in questions points to www. xcelent.biz (As in The Reg story, space intentionally included) so even if you can't block the mail yet it should be easy to block access to the site with the exploit. I suspect this is just the beginning and most spam will include "features" such as this in the near future."

Microsoft says "No Problem"

Don't worry, this isn't a real problem:

"Given the significant amount of user action required to execute an attack, Microsoft does not consider this to be a high risk for customers," a company representative said, adding that the software giant's security experts are continuing to research the issue.

I mean, using a scrollbar. Come on, what kind of ignorant user is going to use a scrollbar an a site they don't trust? ;-)

Re:Microsoft says "No Problem"

Here is the pertinent CERT advisory for this flaw.

The idea is that all the website designer has to do is make an image that LOOKs like a scrollbar. The user goes and clicks and drags it to scroll down, not knowing it's fake. If there is a DYNSRC="..." attribute specified in the <IMG...> tag, Internet Explorer downloads and runs whatever program is specified, without any kinds of prompts whatsoever.

Even with SP2 installed.

Re:Microsoft says "No Problem"

[bheerssen]

Yep, exactly right.

For the curious, here is an interesting post that describes the exploit at some length. Essentially, it uses an HTML 'dynsrc' attribute (proprietary Microsoft extension) to allow IE to download the executable, and javascript to use the 'shell:' protocol to execute it. It's not a particularly new flaw, but this is the slickest exploit of it I've seen.

Greeting from Malaysia

[politicsie04]

Whois says that the website is operated by Anandan Krishan from Malaysia, so lets all send him an email, win2save@yahoo.com , complaining that he has discrimnated against Firefox, and Linux users of his website, and that in future he should have a more inclusive virus.

Dumb

[sl8r]

Also, the programmer seems to have had fun writing the javascript on that xcelent.biz page. From the source:

// probably the dumbest scrollbar emulation on this planet ;)

Re:Dumb

[Benanov]

That comment means it was ripped from a proof-of-concept website published a while ago: http://www.mikx.de/scrollbar/ Amazingly shameless. They stole this guy's code, AND they're using it for phishing attacks.

New News?

[Kartik3]

Spammers have often used an "unsubscribe" link or something similar only to verify your email address and send you more spam. While not the same as triggering an exploit, I've been under the impression that spammers have taken advantage of users with an "opt out" type of link in this way for quite a while now.

Re:Why is the site still up?

[gorbachev]

Two possible reasons:

1. Law enforcement agencies asked to keep it up

2. Hinet Taiwan doesn't give a shit

I'm betting on option #2.

Exploit

[jargoone]

The article didn't give much explanation about the drag-and-drop exploit itself. Understandably, given the audience, but I was curious. Here's a good link: http://xforce.iss.net/xforce/xfdb/13679

interesting ports on the spammer's site

[Indy1]

Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2004-09-22 09:54 MDT
Interesting ports on 61-218-79-53.HINET-IP.hinet.net (61.218.79.53):
(The 1651 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
135/tcp filtered msrpc
443/tcp open https
445/tcp filtered microsoft-ds
3306/tcp open mysql
6000/tcp open X11

Nmap run completed -- 1 IP address (1 host up) scanned in 54.453 seconds

Re:interesting ports on the spammer's site

[caluml]

bash-2.05b$ mysql -h 61-218-79-53.HINET-IP.hinet.net
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 658 to server version: 3.23.54

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> show databases;
+-----------------+
| Database |
+-----------------+
| earth_bizzads |
| herbalmarketing |
| mysql |
+-----------------+
3 rows in set (0.45 sec)

mysql>

Re:More Legislation Needed.

[stratjakt]

There's nothing legal about this.

It's not specifically illegal under the CAN-SPAM act, but it's just as illegal as any other exploit, trojan or worm.

But then again . . .

[harley_frog]

it is a site worthy of a good slashdotting, if just to keep the unwary from reaching it.

Re:But then again . . .

[mdfst13]

http://www.xcelent.biz/d/ is a link to another page in that domain. Also has more graphics for better slashdotting potential.

P.S. Still be careful. They could always move the pages around.

Re:Use your powers for good

[ElNeo]

Like this nice link?
(click link below to show link...)