Security Incidents mailing list archives
Re: Malware(?) inserting porn links into registration/profile data for unsuspecting users
From: Joe Stewart <jstewart () lurhq com>
Date: Fri, 16 Jul 2004 15:06:22 -0400
On Thursday 15 July 2004 8:47 am, SF Lists wrote:
At this point, I suspect that this is the work of some sort of malware or virus that detects the presence of an input field with the name "homepage" and inserts one of these addresses upon submitting the form; however, I have been unsuccessful in finding any references to a known application that uses this behavior. Keep in mind that this is simply based on observation and I have not attempted to change the fields in the registration form to see if the affected registrations stop. Are there any known viruses or malware that exhibit this type of behavior?
Your culprit is a little-known DLL called "submithook.dll" that is bundled with CWS/WinShow/IEFeats among other browser-hijacker trojans. Submithook is a BHO that searches your outgoing HTTP requests for web form post fields with the name "url", "homepage", "page", "www", ".cl1", and "site". In the background it queries a site such as http://www.fdadfswr.com/?r=%url&i=%nid where it receives a URL to insert into the named field in the form. The request then continues to the destination site with the newly inserted data. This is probably being done in an attempt to increase the inserted site's Google ranking.

Symantec calls it "Adware.FreeComm", and it is also known as "LizardBar" or "Free Community"

http://sarc.com/avcenter/venc/data/pf/adware.freecomm.html
http://www.kephyr.com/spywarescanner/library/lizardbar/index.phtml

However, I haven't seen a correct writeup of it on any site, which explains why you were unable to find any descriptions that matched its behavior.

-Joe

--
Joe Stewart, GCIH
Senior Security Researcher
LURHQ http://www.lurhq.com/
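A server-side check a site operator could run against the behaviour described in the message above, as an added example that is not part of the original post or thread: it lists a form's fields whose names are in the targeted set, and uses a hidden canary field to flag submissions that were altered in transit. The function names, sample form and POST bodies are constructed, and it assumes the hook also fills a hidden, empty field.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs

# Field names the post says submithook.dll looks for in outgoing form posts.
TARGETED = {"url", "homepage", "page", "www", ".cl1", "site"}


class _InputNames(HTMLParser):
    """Collect the name attribute of every form control in a page."""

    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        if tag in ("input", "textarea", "select"):
            name = dict(attrs).get("name")
            if name:
                self.names.append(name)


def targeted_inputs(html):
    """Return form field names in `html` that are on the targeted list.
    Case-insensitive matching is an assumption; the post does not say."""
    parser = _InputNames()
    parser.feed(html)
    return [n for n in parser.names if n.lower() in TARGETED]


def canary_tampered(post_body, canary="www", expected=""):
    """True if the hidden canary field came back with a value other than
    the one the server rendered, i.e. something rewrote the request.
    A missing canary is not flagged here (hypothetical policy choice)."""
    fields = parse_qs(post_body, keep_blank_values=True)
    return fields.get(canary, [expected]) != [expected]


# Constructed sample form and POST bodies (not captured traffic).
SAMPLE_FORM = """<form method="post" action="/register">
<input type="text" name="username">
<input type="text" name="Homepage">
<input type="hidden" name="www" value="">
</form>"""
CLEAN_POST = "username=alice&Homepage=&www="
ALTERED_POST = "username=bob&Homepage=&www=http%3A%2F%2Finjected.example%2F"

if __name__ == "__main__":
    print(targeted_inputs(SAMPLE_FORM), canary_tampered(ALTERED_POST))
```

Renaming the fields that `targeted_inputs` reports, while keeping one hidden canary under a targeted name, lets the operator count affected clients without storing the inserted links.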