Educause Security Discussion mailing list archives
Re: malware in images
From: Doug Pearson <dodpears () INDIANA EDU>
Date: Thu, 24 Jun 2004 11:38:00 -0500
There's a bunch of folks scrambling at AV vendors, US-CERT, etc. to figure this one out. Some snippets of information include:

- A large number of web servers were compromised with the malware, including many prominent sites. Those are being cleaned up as identified. The "RFI - Russians IIS Hacks?" described at http://isc.sans.org/diary.php appears to be related to this.

- The URL (reported below) varies its response according to the User-Agent string. From Mozilla or wget you get a broken link. If the User-Agent string is IE's, you get new.html, which is a variation on the recent 0day using the redirection injection bug and JavaScript loaders.

- Unconfirmed, but -possible- indication of infection is files Jjjknk32.exe, Edhmifcj.dll, and surf.dat in the /windows/system32 directory.

It appears that the site/URL listed below is still active. Highly recommend blocking at your network border.

Regards,
Doug Pearson
Research and Education Networking ISAC
http://www.ren-isac.net
Watch Desk 24x7: +1(317)278-6630

-----

At 10:32 PM 6/23/2004 -0500, Doug Pearson wrote:

There's *early* report of lots of sites infected with images that contain malware. The Javascript appended to the images reaches back to "http: // 217.107.218.147/ dot.php" to get the next dose of malware. The embedded spaces in the URL are mine to prevent accidental launches.

I'm running a current Symantec AV on my desktop. SAV catches what's at the URL as:

Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Download.Ject
File: [obfuscated by Doug P]new[1].htm
[and so forth...]

Sites may wish to apply local network filters to block 217.107.218.147!

Regards,
Doug Pearson
Research and Education Networking ISAC
http://www.ren-isac.net
Watch Desk 24x7: +1(317)278-6630

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
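An added example, not part of the list post, showing how a site could triage its own proxy logs for the behaviour described above: any client that fetched the loader URL on 217.107.218.147 is flagged, and a client whose IE User-Agent received a 200 for the follow-up page is marked as likely infected, since non-IE agents only get the broken link. The combined-style log format and the sample lines are constructed for the example; only the host address comes from the thread.

```python
"""Scan constructed proxy-log lines for contact with the Download.Ject loader
host named in the thread and rank clients by the User-Agent-dependent response."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

IOC_HOST = "217.107.218.147"  # loader host reported in the thread

# Constructed sample proxy log (combined-log style); not a real capture.
SAMPLE_LOG = """\
10.1.2.3 [24/Jun/2004:09:01:12 -0500] "GET http://217.107.218.147/dot.php HTTP/1.1" 200 1842 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.1.2.3 [24/Jun/2004:09:01:13 -0500] "GET http://217.107.218.147/new.html HTTP/1.1" 200 9210 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.1.2.7 [24/Jun/2004:09:05:40 -0500] "GET http://217.107.218.147/dot.php HTTP/1.1" 404 318 "Mozilla/5.0 (X11; U; Linux i686) Gecko/20040616"
10.1.2.9 [24/Jun/2004:09:07:02 -0500] "GET http://www.example.edu/index.html HTTP/1.1" 200 5120 "Wget/1.9"
"""

# Assumed (constructed) log layout: client ip, [timestamp], "request", status, bytes, "user-agent".
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def scan_log(text):
    """Map client ip -> [(url, status, ua_is_ie)] for requests to the IoC host."""
    hits = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec or urlsplit(rec["url"]).hostname != IOC_HOST:
            continue  # skip unparsable lines and traffic to other hosts
        hits[rec["ip"]].append((rec["url"], int(rec["status"]), "MSIE" in rec["ua"]))
    return dict(hits)

def triage(hits):
    """'likely-infected' if an IE agent got a 200 from the IoC host (the payload
    is only served to IE); otherwise 'contacted-ioc' (non-IE gets the broken link)."""
    verdicts = {}
    for ip, reqs in hits.items():
        served = any(status == 200 and is_ie for _, status, is_ie in reqs)
        verdicts[ip] = "likely-infected" if served else "contacted-ioc"
    return verdicts

if __name__ == "__main__":
    for ip, verdict in sorted(triage(scan_log(SAMPLE_LOG)).items()):
        print(ip, verdict)
```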