Interesting People mailing list archives
more on compromised ad servers?
From: David Farber <dave () farber net>
Date: Fri, 26 Aug 2005 09:57:00 -0400
Begin forwarded message:

From: Dan Updegrove <updegrove () mail utexas edu>
Date: August 26, 2005 8:32:25 AM EDT
To: dave () farber net
Subject: Re: [IP] compromised ad servers?

Dave & Dave,

According to our Information Security Office, these are known as droppers and are widely used by IRC/Web bots. They are the precursor to the actual trojan, etc. that will eventually be installed on the machine if the dropper is downloaded.
Droppers tend to utilize e-mail/IM as their initial attack vector (e.g., click on my funny vacation pics site, doh), however, you can also nav to a "dirty" site and be handed the dropper as well.
The droppers are oftentimes one-offs and aren't normally detected by most AVware. Once the dropper is installed, it really doesn't matter all that much what your patch level might be, etc. If a keylogger needs to be installed it will; if a command&control mechanism needs to be installed it will, etc., etc.
This is a widespread problem that has been going on since the first major IM worm released (at least 8-9 mos ago), likely much earlier. IDS does a decent job of detecting these, but the IRC/Web botnets are typically small and quite dynamic. One problem with dropper detection, however, is that more and more droppers are being built into .png and .jpg files and can be very hard to detect on networks with large flows.
Just for perspective, here are a few of the droppers identified by our ISO for a single day this week (links are broken, and most are already dead):
At 06:17 AM 8/26/2005, you wrote:
I got piles and piles of that

djf

Begin forwarded message:

From: Dave Wilson <dave () wilson net>
Date: August 25, 2005 6:59:40 PM EDT
To: dave () farber net
Subject: compromised ad servers?

I visited a mainstream Web site Wednesday and an infected ad server apparently pushed down a bit of malware, asdf.exe. The file was extremely small -- less than 1.6 K -- and appeared to be trying to install some more complex bit of malware, presumably a keylogger.

What fascinated me was that this occurred on a box with all standard security measures in place: Windows XP system (all critical patches installed) using Mozilla Firefox 1.0.6 (latest version, "Allow Web sites to install software" unchecked) and running Norton Antivirus and Norton Firewall, also current and updated. Norton AV didn't even recognize this thing as malevolent; I noticed it after it was inside at c:\asdf.exe clawing frantically at my firewall trying to get back out. Even more amusing, I didn't actually do anything: didn't click on an advertisement, close a window, etc.

One Web site that was apparently serving up infected ads was The Onion (London's Observer had a similar problem last year). Because this malware is passed along through a compromised ad server, not every visitor will get hit, since the ads rotate each time the page is called up.

Anyway, I've contacted AV vendors, but I'm worried about how widespread this problem is. Google searches turn up people puzzling over similar incidents starting three weeks ago. I'm wondering if IPers can do a file search for "asdf.exe" and report back positive results?

Thanks
-dave

-------------------------------------
You are subscribed as updegrove () mail utexas edu
To manage your subscription, go to http://v2.listbox.com/member/?listname=ip
Archives at: http://www.interesting-people.org/archives/interesting-people/
VP for Information Technology
The University of Texas at Austin
FAC 248 (Mail code: G9800)
P.O. Box 7407
Phone (512) 232-9610
Fax (512) 232-9607
d.updegrove () its utexas edu
http://web.austin.utexas.edu/dau2
Austin, TX 78713-7407
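A defender-side check for the two things the message above describes: the dropper link naming pattern (executables disguised as "postcards" and "photos", including double extensions such as .jpg.exe) and downloads whose name claims an image but whose bytes are a Windows executable. This is an added example, not code from the thread or from the UT Austin ISO; the proxy log format, host names and sample lines are constructed.

```python
from urllib.parse import urlsplit
# Extensions the "postcard"/"photo" lure links in the message actually deliver
EXEC_EXT = {"exe", "scr", "com", "pif", "bat", "cmd"}
DECOY_EXT = {"jpg", "jpeg", "png", "gif", "zip"}  # what the lure pretends to be
# Magic bytes: Windows PE files start with "MZ"; real images do not
MAGIC = {b"MZ": "pe", b"\xff\xd8\xff": "jpeg", b"\x89PNG": "png", b"GIF8": "gif"}

def filename_of(url):
    """Last path component of a URL, lower-cased, query string ignored."""
    return urlsplit(url).path.rsplit("/", 1)[-1].lower()

def classify_url(url):
    """Reasons a URL looks like a dropper link (empty list when none)."""
    parts = filename_of(url).split(".")
    reasons = []
    if len(parts) >= 2 and parts[-1] in EXEC_EXT:
        reasons.append("executable:" + parts[-1])
        if len(parts) >= 3 and parts[-2] in DECOY_EXT:
            reasons.append("double-extension:" + parts[-2] + "." + parts[-1])
    return reasons

def sniff_type(data):
    """Identify a downloaded body by its leading bytes, not by its name."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def content_mismatch(url, data):
    """True when the URL claims an image/archive but the bytes are a PE."""
    ext = filename_of(url).rsplit(".", 1)[-1]
    return ext in DECOY_EXT and sniff_type(data) == "pe"

# Constructed proxy log lines (epoch, client, method, URL); hosts are placeholders
SAMPLE_LOG = """\
1125000001 10.0.0.5 GET http://cards.example/postcard19832.jpg.exe
1125000002 10.0.0.7 GET http://pics.example/vacation/beach.jpg
1125000003 10.0.0.9 GET http://cards.example/~user/cartao.scr
"""

def scan_log(text):
    """Return (client, url, reasons) for each log line worth a closer look."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        reasons = classify_url(fields[3]) if len(fields) >= 4 else []
        if reasons:
            hits.append((fields[1], fields[3], reasons))
    return hits
```

The magic-byte check is the part that survives renaming: a dropper served as cartao.jpg still begins with "MZ", which is what an IDS or proxy filter should key on rather than the extension.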