Security Incidents mailing list archives
IE/WMP Exploit
From: "Carlos Kramer" <csk_1975 () hotmail com>
Date: Tue, 15 Jun 2004 00:19:49 +0000
I saw the 180solutions.com analysis and the stuff I've seen appears to be different and use a different exploit - maybe just a variation on a theme? But it overwrites wmplayer.exe and seems to use a WMP exploit as well as IE exploits. It compromises a fully patched Windows 2000, IE6, WMP7 machine. FWIW attached is some information and a copy of the file which replaced Windows Media Player. Unfortunately I couldn't capture the actual exploit code but I'm sure it's available to those who wish to dig. The URL which linked to the exploit was at:-

http://www.celebritysearchengine.co.uk/fantasy/e/ellemc.htm

This popped up six windows which installed both the default-homepage-networkhijacker and also some nasty stuff from www.news-depot.com. www.news-depot.com is bogus and moves quickly - when I got the executable it was on a compromised unused parked server at a large hosting company. It is currently resolving to ip13-43-171-209.toro1.na.psigh.com - 209.171.43.13.

These URLs were used to do the compromise:-

http://207.44.156.26/~admin3/ron/ron.php?
http:///
http://207.44.156.26/~admin3/ron/adsredir.php?
http://207.44.156.26/~admin3/ron/adsredir.php?
http://www.news-depot.com/
http://www.news-depot.com//main.chm
http://www.news-depot.com/msits.exe

This crashed Windows Media Player and then it was overwritten with a small windows executable (I have it if you want it) - this was called wmplayer.exe and was in the Windows Media Player folder. The real Windows Media Player had been deleted. Windows Media Player showed this error:-

Invalid name: mmsu:///. The file name specified is incorrect. (Error=C00D001C)
Invalid name: http:///. The file name specified is incorrect. (Error=C00D002B)
Cannot open. Please verify that the path and filename are correct and try again. (Error=C00D002B)

The next time a WMP media file was accessed the new wmplayer.exe file ran and installed lots of adware, junkware, spyware etc, etc. BetterInternet, ClockSync, Internet Speed Check, and much more... Anyway attached is a description of the various windows which popped up and their contents. I don't know if this is of interest to anyone or even the correct forum - but hopefully it's of use. (I put them in an attachment as they have scripts and HTML which email clients may try to render).
Attachment: spy.txt
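As an added example (not part of the original post), a small detection script that scans proxy log lines for the delivery pattern the post describes: a .chm fetch followed shortly by an .exe fetch from the same host by the same client. The log format and the sample lines are assumptions, constructed to mirror the URL sequence above.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample proxy log lines: "<unix timestamp> <client IP> <URL>".
# The first client reproduces the sequence in the post (.chm then .exe from the
# same host); the second client fetches a .chm and an .exe far apart in time.
SAMPLE_LOG = """\
1087257589 10.0.0.5 http://www.celebritysearchengine.co.uk/fantasy/e/ellemc.htm
1087257591 10.0.0.5 http://207.44.156.26/~admin3/ron/adsredir.php?
1087257594 10.0.0.5 http://www.news-depot.com//main.chm
1087257597 10.0.0.5 http://www.news-depot.com/msits.exe
1087257600 10.0.0.7 http://example.invalid/docs/manual.chm
1087258900 10.0.0.7 http://example.invalid/downloads/setup.exe
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)$")

def parse_line(line):
    """Parse one log line into (timestamp, client, host, lowercased path), or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, url = m.groups()
    parsed = urlparse(url)
    return int(ts), client, parsed.hostname or "", parsed.path.lower()

def find_chm_exe_chains(log_text, window=60):
    """Return (client, host, chm_path, exe_path) for every .exe fetch that follows
    a .chm fetch from the same host by the same client within `window` seconds."""
    recent_chm = defaultdict(list)  # (client, host) -> [(timestamp, chm path)]
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines instead of aborting the scan
        ts, client, host, path = rec
        key = (client, host)
        if path.endswith(".chm"):
            recent_chm[key].append((ts, path))
        elif path.endswith(".exe"):
            for chm_ts, chm_path in recent_chm[key]:
                if 0 <= ts - chm_ts <= window:
                    hits.append((client, host, chm_path, path))
    return hits

if __name__ == "__main__":
    for hit in find_chm_exe_chains(SAMPLE_LOG):
        print("possible CHM-dropper chain:", hit)
```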