Re: malware in images

[Brian Eckman <eckman () UMN EDU>]

Kathy Bergsma wrote:
> In addition to 217.107.218.147, we detected similar exploits from the following
> addresses.
>
> 64.46.100.96
> 65.254.51.42
> 66.98.190.22
> 67.15.42.34
> 67.18.79.20
> 69.50.170.214
> 69.93.54.158
> 81.211.105.24
> 195.208.235.66
> 207.150.192.12
> 213.159.117.131
>
> =============
> Kathy Bergsma
> UF Information Security Manager
> 352-392-2061

Am I mistaken, or is that just a list of IP addresses that have at least
one Web site on them that is exploiting the unpatched IE flaw outlined
at http://62.131.86.111/analysis.htm ?

What Doug is reporting is that a bunch of legitimate Web sites were
hacked and had a specific piece of malware installed on them that
pointed users to a specific URL. This means users visiting "legitimate"
sites are being exploited, which is significant news. The other IP
addresses have Web sites on them that are not what I would call
"legitimate", and are typically getting people to visit them via Spam.

FWIW, See
http://securityfocus.com/archive/1/365693/2004-06-09/2004-06-15/0 for
details on how to make IE not vulnerable to this or just about any other
currently working unpatched exploit.

Thanks,
Brian


> On Thu, 24 Jun 2004, Doug Pearson wrote:
>
>
> > There's a bunch of folks scrambling at AV vendors, US-CERT, etc. to figure
> > this one out. Some snippets of information include:
> >
> > - A large number of web servers were compromised with the malware, including
> > many prominent sites. Those are being cleaned up as identified. The "RFI -
> > Russians IIS Hacks?" described at http://isc.sans.org/diary.php appears to be
> > related to this.
> >
> > - The URL (reported below) varies it's response according to the User-Agent
> > string. From Mozilla or wget you get a broken link. If the User-Agent string
> > is IE's, you get new.html which is a variation on the recent 0day using the
> > redirection injection bug and java-script loaders.
> >
> > - Unconfirmed, but -possible- indication of infection is files Jjjknk32.exe,
> > Edhmifcj.dll, and surf.dat files in the /windows/system32 directory.
> >
> > It appears that the site/URL listed below is still active. Highly recommend
> > blocking at your network border.
> >
> > Regards,
> >
> > Doug Pearson
> > Research and Education Networking ISAC
> > http://www.ren-isac.net
> > Watch Desk 24x7: +1(317)278-6630
> >
> > -----
> >
> > At 10:32 PM 6/23/2004 -0500, Doug Pearson wrote:
> > There's *early* report of lots of sites infected with images that contain
> > malware. The Javascript appended to the images reaches back to "http: //
> > 217.107.218.147/ dot.php" to get the next dose of malware. The embedded spaces
> > in the URL are mine to prevent accidental launches.
> >
> > I'm running a current Symantec AV on my desktop. SAV catches what's at the URL
> > as:
> >  Scan type:  Realtime Protection Scan
> >  Event:  Virus Found!
> >  Virus name: Download.Ject
> >  File:  [obfuscated by Doug P]new[1].htm
> >  [and so forth...]
> >
> > Sites may wish to apply local network filters to block 217.107.218.147!
> >
> > Regards,
> >
> > Doug Pearson
> > Research and Education Networking ISAC
> > http://www.ren-isac.net
> > Watch Desk 24x7: +1(317)278-6630
> >
> > **********
> > Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
> > http://www.educause.edu/cg/.
>
>
> **********
> Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
> http://www.educause.edu/cg/.



--
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota
612-626-7737

"There are 10 types of people in this world. Those who
understand binary and those who don't."

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.