Educause Security Discussion mailing list archives

Re: malware in images


From: Kathy Bergsma <kathya () NERSP NERDC UFL EDU>
Date: Thu, 24 Jun 2004 12:45:44 -0400

In addition to 217.107.218.147, we detected similar exploits from the following
addresses.


=============
Kathy Bergsma
UF Information Security Manager
352-392-2061

On Thu, 24 Jun 2004, Doug Pearson wrote:

There's a bunch of folks scrambling at AV vendors, US-CERT, etc. to figure
this one out. Some snippets of information include:

- A large number of web servers were compromised with the malware, including
many prominent sites. Those are being cleaned up as identified. The "RFI -
Russians IIS Hacks?" described at http://isc.sans.org/diary.php appears to be
related to this.

- The URL (reported below) varies its response according to the User-Agent
string. From Mozilla or wget you get a broken link. If the User-Agent string
is IE's, you get new.html which is a variation on the recent 0day using the
redirection injection bug and JavaScript loaders.

- Unconfirmed, but -possible- indication of infection is files Jjjknk32.exe,
Edhmifcj.dll, and surf.dat files in the /windows/system32 directory.

It appears that the site/URL listed below is still active. Highly recommend
blocking at your network border.

Regards,

Doug Pearson
Research and Education Networking ISAC
http://www.ren-isac.net
Watch Desk 24x7: +1(317)278-6630

-----

At 10:32 PM 6/23/2004 -0500, Doug Pearson wrote:
There's *early* report of lots of sites infected with images that contain
malware. The Javascript appended to the images reaches back to "http: //
217.107.218.147/ dot.php" to get the next dose of malware. The embedded spaces
in the URL are mine to prevent accidental launches.

I'm running a current Symantec AV on my desktop. SAV catches what's at the URL
as:
  Scan type:  Realtime Protection Scan
  Event:  Virus Found!
  Virus name: Download.Ject
  File:  [obfuscated by Doug P]new[1].htm
  [and so forth...]

Sites may wish to apply local network filters to block 217.107.218.147!

Regards,

Doug Pearson
Research and Education Networking ISAC
http://www.ren-isac.net
Watch Desk 24x7: +1(317)278-6630
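A defender-side check for the behaviour described above (script appended after the image data, reaching back to a loader URL), as an added example that is not part of any message in this thread: it identifies the image container, reports any data past the format's end marker, and flags an embedded <script> tag together with the src URLs it references. The 1x1 GIF, the minimal JPEG and the URL are constructed samples; 203.0.113.5 is a documentation-range placeholder, not an indicator from this thread.

```python
import re
from typing import Optional

# Magic bytes of the image containers checked (added example, constructed)
MAGIC = {b"\xff\xd8\xff": "jpeg", b"GIF87a": "gif",
         b"GIF89a": "gif", b"\x89PNG\r\n\x1a\n": "png"}
SCRIPT_RE = re.compile(rb"<script\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(rb"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)

def image_format(data: bytes) -> Optional[str]:
    """Identify the container by its leading magic bytes."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return None

def trailing_length(data: bytes, fmt: Optional[str]) -> Optional[int]:
    """Bytes after the format's end marker; None when the format has no
    unambiguous trailer (GIF's 0x3B byte also occurs inside image data)."""
    if fmt == "jpeg":
        i = data.rfind(b"\xff\xd9")            # EOI marker
        return None if i < 0 else len(data) - (i + 2)
    if fmt == "png":
        i = data.rfind(b"IEND")                # IEND chunk type + 4-byte CRC
        return None if i < 0 else len(data) - (i + 8)
    return None

def scan_image(data: bytes) -> dict:
    """Flag an image carrying an HTML <script> tag and list its src URLs."""
    fmt = image_format(data)
    result = {"format": fmt, "suspicious": False, "script_offset": None,
              "src_urls": [], "trailing_bytes": trailing_length(data, fmt)}
    m = SCRIPT_RE.search(data)
    if m:
        result["suspicious"] = True
        result["script_offset"] = m.start()
        result["src_urls"] = [u.decode("latin-1")
                              for u in SRC_RE.findall(data[m.start():])]
    return result

# Constructed samples: a minimal 1x1 GIF, clean and with an appended loader
# tag pointing at a placeholder host (203.0.113.0/24 is reserved for docs).
MINIMAL_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
               b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01"
               b"\x00\x00\x02\x02D\x01\x00;")
INFECTED_GIF = MINIMAL_GIF + b'<script src="http://203.0.113.5/dot.php"></script>'
CLEAN_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\xff\xd9"

if __name__ == "__main__":
    print(scan_image(INFECTED_GIF))   # demo run on the constructed sample
```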

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.