Educause Security Discussion mailing list archives

Update: malware in images


From: Brian Eckman <eckman () UMN EDU>
Date: Thu, 24 Jun 2004 13:31:50 -0500

Doug Pearson wrote:
> There's *early* report of lots of sites infected with images that
> contain malware. The Javascript appended to the images reaches back
> to "http: // 217.107.218.147/ dot.php" to get the next dose of
> malware. The embedded spaces in the URL are mine to prevent
> accidental launches.

When hosts visit the compromised Web sites, they are taken to that page
Doug mentions, which loads another couple of pages that download and
install what Symantec detects as Backdoor.Berbew.F. As Doug mentioned,
Symantec detects the exploit code within the Web page itself, which will
prevent the exploit from running on Symantec-protected machines (with AV
defs newer than roughly April 1st 2004).

The Web site in question uses a poor coding choice and it targets only
hosts running Windows in C:\Windows. Therefore Win2k systems will not
get the Berbew trojan installed on them when visiting the URL. The
install method that it uses is something that I believe will only work
on Windows XP.

I would recommend that infected machines be quarantined immediately. You
can find them doing POST /index.php to www.redline.ru. I did not observe
the open backdoor ports that Symantec noted, but I was running it in
VMWare in NAT mode, so it may not have fully activated itself.

FWIW, I see no evidence that "images" are involved in the exploit.

Brian
--
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota
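The hunting rule Brian gives above (infected hosts show up doing POST /index.php to www.redline.ru) is easy to turn into a log sweep. The following is an added example, not code from the original post or from any of the people on this thread. It assumes a simplified proxy-log format of "client_ip method url status" (an assumption made for the example; real Squid or IIS logs would need a different line pattern) and runs over a few constructed log lines. It goes slightly beyond the post by also tagging hosts that fetched the first-stage URL Doug quoted (217.107.218.147/dot.php), so that machines which merely visited the exploit page (for instance the Win2k systems Brian notes are not successfully infected) can be told apart from machines that are actually beaconing and should be quarantined.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (assumed "client_ip method url status"
# format for this example; not taken from the original post).
SAMPLE_LOG = """\
10.1.2.3 GET http://www.example.edu/ 200
10.1.2.3 GET http://217.107.218.147/dot.php 200
10.1.2.3 POST http://www.redline.ru/index.php 200
10.1.2.4 GET http://217.107.218.147/dot.php 200
10.1.2.5 POST http://www.redline.ru/index.php 404
10.1.2.5 POST http://www.redline.ru/index.php 200
10.1.2.6 GET http://www.redline.ru/index.php 200
10.1.2.7 POST http://other.example.org/index.php 200
this line is malformed and should be skipped
"""

# Indicators from the thread: the first-stage fetch Doug quoted, and the
# beacon Brian observed from infected machines.  Names are ours.
INDICATORS = {
    "stager_fetch": ("GET", "217.107.218.147", "/dot.php"),
    "berbew_beacon": ("POST", "www.redline.ru", "/index.php"),
}

LINE_RE = re.compile(
    r"^(?P<ip>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)
URL_RE = re.compile(r"^https?://(?P<host>[^/:]+)(?::\d+)?(?P<path>/[^?#]*)?")


def parse_line(line):
    """Return a dict with ip/method/host/path/status, or None if the line
    does not match the assumed log format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    u = URL_RE.match(m["url"])
    if not u:
        return None
    return {
        "ip": m["ip"],
        "method": m["method"],
        "host": u["host"].lower(),
        "path": u["path"] or "/",
        "status": int(m["status"]),
    }


def classify_hosts(log_text):
    """Map each client IP to the sorted list of indicator names it tripped.
    Matching is on method, host and path only; status is ignored because a
    beacon attempt is interesting whether or not the server answered 200."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, (method, host, path) in INDICATORS.items():
            if (rec["method"], rec["host"], rec["path"]) == (method, host, path):
                seen[rec["ip"]].add(name)
    return {ip: sorted(names) for ip, names in seen.items()}


def hosts_to_quarantine(classification):
    """Only hosts that actually beacon are treated as infected; a host that
    only fetched the stager may have been a platform the installer did not
    work on."""
    return sorted(ip for ip, names in classification.items()
                  if "berbew_beacon" in names)


if __name__ == "__main__":
    result = classify_hosts(SAMPLE_LOG)
    for ip, names in sorted(result.items()):
        print(ip, ",".join(names))
    print("quarantine:", hosts_to_quarantine(result))
```

Note that a GET to /index.php on that host (10.1.2.6 in the sample) is deliberately not counted; the post only ties POST requests to the infection, and widening the rule would pull in ordinary browsing of the site.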
