I've included an analysis of the attack in one thread I'm using at http://www.finlandforum.org/bb/viewtopic.php?t=768 5. It's right down the bottom. As you'll see it's not Bofra but Backdoor.Win32.Agent.ec. The Register and several other news sources haven't taken the time to contact those involved and are publishing rubbish. This was a carefully planned attack and not the work of a virus.
I wonder why after first posting an explanation The Register would then back out of what was said and change their story?
A statement. It looks a little different to what was said earlier.
The current story can be found on their site. http://www.theregister.co.uk/2004/11/22/falk_bofr
Falk statement on Bofra attack
By Falk eSolutions
Published Monday 22nd November 2004 10:04 GMT
Site notice: On Saturday, The Register suspended service by third party ad serving supplier, Falk, following security issues detailed here.
Falk fixed the problem within six hours of notification. Here is its account of what went wrong:
Summary
Incident at delivery level - Between 6:10 AM and 12:30 AM (GMT) on Saturday, 20th November 2004 Falk eSolutions clients using AdSolution Global experienced problems with banner delivery. This started on Saturday morning with a hacker attack on one of our load balancers. This attack made use of a weak point on this specific type of load balancer. The function of a load balancer is to evenly distribute requests to the multiple servers behind it. The system concerned was only used to handle a specific request type to our ad server and has now been investigated. The results are outlined in this document.
Description of the problem
The use of a weak point in one of our load balancers, type FLB02/CP, led to user requests not being passed to the ad servers. Instead the user requests were answered with a 302 redirect. This happened with approximately every 30th request. Users visiting websites that carry banner advertising delivered by our system were periodically delivered a file from the compromised site. This file tries to execute the IE-Exploit function on the users' computer.
Problem analysis
The weak point occurred due to a memory leak on the load balancer concerned. After the load balancer was taken out of service on Saturday at 11:30 AM (GMT) this was no longer possible. Because of this it was difficult at the beginning to find an error on our side. The servers that deliver the banners were not affected at all. Only afterwards we were able to find the error on the load balancer by analysing its log files.
Results of investigation
By attacking a single load balancer, type FLB02/CP, it was possible for users to be redirected to 'search.comedycentral.com', which tried to install the exploit type 'Bofra/IFrame-Exploit'. With approximately every 30th request for banner media this redirect occurred.
Further measures
The load balancer concerned has been taken out of service indefinitely and has been replaced with a newer model. Additional monitoring has been instated that supervises the load balancing process and whether this has been interrupted or manipulated. Further, a policing tool that supervises redirects to unknown, erroneous or infected files has been deployed.
It all seems rather strange. The Register posted a report from Falk AG as to what happened. They blamed it on a memory leak that caused the server to be attacked. A memory leak? WTF? No sooner had I updated my diary of the incident than they changed their tune and shortened the statement. If anyone has a copy of the statement before The Register changed it then please contact me. http://www.finlandforum.org/bb/viewtopic.php?t=768 5
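A defender-side check for the symptom the Falk statement describes (roughly one banner request in thirty answered with a 302 to an outside host). This is an added example, not Falk's "policing tool" and not code from anyone in this thread. It assumes a constructed load-balancer log format of `timestamp client method path status location`, a hypothetical allowlist of hosts the ad servers may legitimately redirect to, and a redirect-rate threshold chosen for illustration; the sample log is constructed, with one redirect to the host named in the statement.

```python
import re
from urllib.parse import urlsplit

# Hypothetical allowlist: hosts the ad servers are expected to redirect to.
ALLOWED_REDIRECT_HOSTS = {"media.example-ads.test", "cdn.example-ads.test"}

# Constructed log format: "<timestamp> <client> <method> <path> <status> <location-or-dash>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) (?P<location>\S+)$"
)


def parse_line(line):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["location"] = None if rec["location"] == "-" else rec["location"]
    return rec


def redirect_host(location):
    """Extract the lower-cased hostname from a Location URL ('' if absent)."""
    return (urlsplit(location).hostname or "").lower()


def audit_redirects(log_text, allowed_hosts=ALLOWED_REDIRECT_HOSTS, max_rate=0.01):
    """Count redirects, flag any to a host outside the allowlist, and alert
    when the overall redirect rate exceeds max_rate (1% here, an assumed
    threshold well below the ~1-in-30 rate described in the statement)."""
    total = redirects = 0
    suspicious = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        total += 1
        if rec["status"] in (301, 302, 303, 307, 308):
            redirects += 1
            host = redirect_host(rec["location"] or "")
            if host not in allowed_hosts:
                suspicious.append((rec["ts"], rec["path"], host))
    rate = redirects / total if total else 0.0
    return {
        "total": total,
        "redirects": redirects,
        "redirect_rate": rate,
        "rate_alert": rate > max_rate,
        "suspicious": suspicious,
    }


def build_sample_log():
    """Constructed sample: 30 banner requests, one legitimate redirect to an
    allowlisted host and one redirect to the host named in the statement."""
    lines = []
    for i in range(1, 31):
        prefix = f"2004-11-20T06:10:{i:02d}Z 10.0.0.{i} GET /server/asldata.js?rdm={i}"
        if i == 30:
            lines.append(f"{prefix} 302 http://search.comedycentral.com/")
        elif i == 15:
            lines.append(f"{prefix} 302 http://cdn.example-ads.test/banner.gif")
        else:
            lines.append(f"{prefix} 200 -")
    return "\n".join(lines)


if __name__ == "__main__":
    report = audit_redirects(build_sample_log())
    print(f"requests={report['total']} redirects={report['redirects']} "
          f"rate={report['redirect_rate']:.3f} alert={report['rate_alert']}")
    for ts, path, host in report["suspicious"]:
        print(f"SUSPICIOUS {ts} {path} -> {host}")
```

Two signals are kept separate on purpose: a redirect to a host outside the allowlist is an alert on its own, while the rate check catches a balancer that starts redirecting to an allowlisted host far more often than it should.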
Check the root of your C: for a file named bla.exe.
Weird the URL got screwed. Don't forget the 5 at the end. http://www.finlandforum.org/bb/viewtopic.php?t=768 5
Yes it's a lie. They haven't suspended the service. When I first contacted the Falk AG support team in Germany they were clueless. It took them several hours before I received a response after I'd sent them an e-mail documenting the attack and where the exploit was on their site. I forwarded the same e-mail to several people at The Register too. Later today the article appeared on their site. I don't think The Register had any idea what was going on until much later. The original infection was in http://f.as-eu.falkag.net/server/asldata.js?rdm=01 684246 which was ad based just below the banner. What's there now is I think just data mining.
The write-up for the attack is incorrect. The correct sequence of events is at http://www.finlandforum.org/bb/viewtopic.php?t=768 5. I know because I noticed it at The Register first and contacted Falk AG. Thanks for the acknowledgement too Slashdot, NOT.