Educause Security Discussion mailing list archives

Re: Update: malware in images


From: Brian Eckman <eckman () UMN EDU>
Date: Thu, 24 Jun 2004 13:56:20 -0500

Brian Eckman wrote:
Doug Pearson wrote:
 > There's *early* report of lots of sites infected with images that
 > contain malware. The Javascript appended to the images reaches back
 > to "http: // 217.107.218.147/ dot.php" to get the next dose of
 > malware. The embedded spaces in the URL are mine to prevent
 > accidental launches.

When hosts visit the compromised Web sites, they are taken to the page
Doug mentions, which loads another couple of pages that download and
install what Symantec detects as Backdoor.Berbew.F. As Doug mentioned,
Symantec detects the exploit code within the Web page itself, which will
prevent the exploit from running on Symantec-protected machines (with AV
defs newer than roughly April 1st 2004).

The Web site in question uses a poor coding choice and it targets only
hosts running Windows in C:\Windows. Therefore Win2k systems will not
get the Berbew trojan installed on them when visiting the URL. The
install method that it uses is something that I believe will only work
on Windows XP.

I would recommend that infected machines be quarantined immediately. You
can find them doing POST /index.php to www.redline.ru. I did not observe
the open backdoor ports that Symantec noted, but I was running it in
VMware in NAT mode, so it may not have fully activated itself.

Confirmed working Snort rule to detect machines that were successfully
compromised by this specific exploit:

# sid set to a local-range value; the original 260709091095 as posted
# (260709091295) exceeds Snort's 32-bit sid limit and is rejected on load
alert tcp $HOME_NET any -> 217.144.97.162 80 (msg:"Berbew Infected
Computer"; flow:to_server,established; content:"POST |2F|index.php";
content:"Host|3A| www.redline.ru"; classtype:misc-activity;
sid:1000001; rev:1;)

You can put the rule in now and find those machines that were already
compromised. At some point they'll do another POST and trigger the rule.
It will also notice them at the time of compromise as they perform a
similar POST at that time.

If www.redline.ru changes IP addresses, you'll need to update the rule.

Brian
--
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota
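Added illustration, not code from Brian's message: a small Python matcher that decodes the rule's Snort content strings (including the |2F| and |3A| hex escapes) and runs them over constructed HTTP request payloads. It keys on the Host header rather than the destination IP, so it keeps working if www.redline.ru changes address, the caveat the message raises.

```python
import re

# Content patterns copied from the Snort rule in the message; the rest of
# this block is an added illustration, not the original poster's code.
RULE_CONTENTS = ["POST |2F|index.php", "Host|3A| www.redline.ru"]


def snort_content_to_bytes(pattern: str) -> bytes:
    """Convert a Snort content string, with |..| hex escapes, to raw bytes."""
    out = bytearray()
    for literal, hexpart in re.findall(r"([^|]*)(?:\|([0-9A-Fa-f ]*)\|)?", pattern):
        out += literal.encode("latin-1")
        if hexpart:
            out += bytes.fromhex(hexpart)
    return bytes(out)


def payload_matches(payload: bytes, contents=RULE_CONTENTS) -> bool:
    """True when every content pattern of the rule occurs in the payload
    (case-sensitive, as Snort content matching is without nocase)."""
    return all(snort_content_to_bytes(c) in payload for c in contents)


def flag_infected_hosts(flows):
    """flows: iterable of (src_ip, dst_ip, payload) for requests to port 80.
    Returns the set of source IPs whose request matches the rule contents.
    The destination IP is deliberately not checked, so a move of
    www.redline.ru to a new address does not blind the detection."""
    return {src for src, _dst, payload in flows if payload_matches(payload)}


# Constructed sample traffic (not captured data): one infected-host check-in,
# one unrelated POST, and one GET to the same host that must not match.
SAMPLE_FLOWS = [
    ("10.0.0.5", "217.144.97.162",
     b"POST /index.php HTTP/1.1\r\nHost: www.redline.ru\r\n\r\nid=1"),
    ("10.0.0.6", "192.0.2.10",
     b"POST /index.php HTTP/1.1\r\nHost: www.example.org\r\n\r\n"),
    ("10.0.0.7", "198.51.100.7",
     b"GET /index.php HTTP/1.1\r\nHost: www.redline.ru\r\n\r\n"),
]

if __name__ == "__main__":
    print(sorted(flag_infected_hosts(SAMPLE_FLOWS)))  # ['10.0.0.5']
```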
