Interesting People mailing list archives

more on compromised ad servers?

From: David Farber <dave () farber net>
Date: Fri, 26 Aug 2005 09:57:00 -0400



Begin forwarded message:

From: Dan Updegrove <updegrove () mail utexas edu>
Date: August 26, 2005 8:32:25 AM EDT
To: dave () farber net
Subject: Re: [IP] compromised ad servers?


Dave & Dave,

According to our Information Security Office, these are known asdroppers and are widely used by IRC/Web bots. They are the precursorto the actual trojan, etc. that will eventually be installed on themachine if the dropper is downloaded..

Droppers tend to utilize e-mail/IM as their initial attack vector(e.g., click on my funny vacation pics site, doh), however, you canalso nav to a "dirty" site and be handed the dropper as well.

The droppers are oftentimes one-offs and aren't normally detected bymost AVware. Once the dropper is installed, it really doesn't matterall that much what your patch level might be, etc. If a keyloggerneeds to be installed it will; if a command&control mechanism needsto be installed it will, etc, etc..

This is a widespread problem that has been going on since thefirstmajor IMworm released (at least 8-9mos ago), likely muchearlier. IDS does a decent job of detecting these, but the IRC/Webbotnets are typically small and quite dynamic. One problem withdropper detection, however, is that more and more droppers are beingbuilt into .png and .jpg files and can be very hard to detect onnetworks with large flows.

Just for perspective, here are a few of the droppers identified byour ISO for a single day this week (links are broken, and most arealready dead):


http:/  165.246.151.191 /link/.serasa/cartao.scr
http:/  67.43.156.75            /~master/s.exe
http:/  67.43.156.75            /~zs/embratel/SegundaVia.scr
http:/  coracao002.tripod.com.br        /cartao.zip
http:/  cretzu.idilis.ro                /postcard19832.jpg.exe
http:/  delta.isnx.org          /~line/piada.exe
http:/  file01.atspace.com      /cartao.exe
http:/  firebirdll.atspace.com  /birdmess.exe
http:/  firebirdll.atspace.com  /cartao.exe
http:/  galeon.hispavista.com   /paravidio/zip/veja.zip
http:/  hometown.aol.co.uk      /carataohumortad/humocard.exe
http:/  hometown.aol.co.uk      /cliqeveja/cartaomusical.exe
http:/  hometown.aol.co.uk      /guguchiba/gucgi.exe
http:/  hometown.aol.co.uk      /humortcard/vejaocartao.exe
http:/  hometown.aol.co.uk      /newcardeshumor/-ww.humortandelacard.exe
http:/  hometown.aol.co.uk      /noisnafitas/kusent.exe
http:/  hometown.aol.co.uk      /terraelindo/Cartao_Terra.exe
http:/  hometown.aol.co.uk      /vidaepaixao/ursinho.exe
http:/  hometown.aol.co.uk      /virtualcuseta/kusent.exe
http:/  hometown.aol.co.uk      /visubird/birdnetphp.exe
http:/  hometown.aol.co.uk      /voxcards       0nn/Voxcads.exe
http:/  justforme.bestdeals.at  /Cartao01.exe
http:/  justforme.bestdeals.at  /SoVoce.exe
http:/  manchoo.net
/zboard/include/.bash_history/.../cartao0512863526.scr
http:/  net-gurl.com
/cartaovoxcardsFYT31V4IKFD03C1HG381W3948X3Y3V3.exe
http:/  perso.wanadoo.es        /terracartoes/terracartoes.exe
http:/  uol.atspace.com /uol_gif.exe
http:/  uolmesseger.atspace.com /uolmsns_gif.exe
http:/  -ww.buffetbrunochele.com.br     /.imagem/amigo.exe
http:/  -ww.ffms.info   /amigo.scr
http:/  -ww.ffms.info   /amor0022.scr
http:/  -ww.fkahec.org  /images/CartaoVirtual22082005.scr
http:/  -ww.foroswebgratis.com  /fotos/1/6/6/0/1//47945Charges.exe
http:/  -ww.foroswebgratis.com  /fotos/1/6/6/0/1//48448Charges.exe
http:/  -ww.gulg.de     //herbi/pic/redirect-photos-security.scr
http:/  -ww.noti-auto.com.ar    /cartaodecarol.scr
http:/  -ww.zander-yachting.com /images/CoceiraNoToba.scr
http:/  68.178.159.101  /edinandoadvogado/update.exe
http:/  69.6.215.172    /yahoocards/JRE348Z334FR1.com
http:/  80.254.167.42:8080      /productions/wonargo/theman/home.p
http:/  banners.topcities.com   /popup.html
http:/  discforum.com   /urgente.exe
http:/  firebirdll.100free.com  /Cartao.exe
http:/  furions.atspace.us      /videoslegais.exe
http:/  humortadellaa.com       /piadaanimada.scr
http:/  musicalcards.pass.as:8080       /card05021.exe
http:/  no.comunidades.net      /myfrend1000/galeria/parabenscard.exe
http:/  post-cardz.com?017312068        /
http:/  post-cardz.com?017312068&037052 /
http:/  post-cardz.com?044656393        /
http:/  post-cardz.com?044656393&434434 /
http:/  post-cardz.com?1065876065       /
http:/  post-cardz.com?1065876065&638413413     /
http:/  post-cardz.com?1080970646       /
http:/  post-cardz.com?1080970646&0656993       /
http:/  post-cardz.com?1135007883       /
http:/  post-cardz.com?1135007883&9249792       /
http:/  post-cardz.com?1184778504       /
http:/  post-cardz.com?1184778504&53099807      /
http:/  post-cardz.com?1243279010       /
http:/  post-cardz.com?1243279010&085662        /
http:/  post-cardz.com?1293266135       /
http:/  post-cardz.com?1293266135&4922135       /
http:/  post-cardz.com?1368769901       /
http:/  post-cardz.com?1368769901&270989739     /
http:/  post-cardz.com?1371339574       /
http:/  post-cardz.com?1371339574&26922022      /
http:/  -ww.home.ro     /common/boom.phtml
http:/  -ww.home.ro     /common/trafic.phtml
http:/  -ww.voxvoxcards.1br.net /
http:/  -ww.web-a-photo.com     /Resellers.exe


At 06:17 AM 8/26/2005, you wrote:

I got piles and piles of that djf

Begin forwarded message:

From: Dave Wilson <dave () wilson net>
Date: August 25, 2005 6:59:40 PM EDT
To: dave () farber net
Subject: compromised ad servers?

I visited a mainstream Web site Wednesday and an infected ad server
apparently pushed down a bit of malware, asdf.exe. The file was
extremely small -- less than 1.6 K -- and appeared to be trying to
install some more complex bit of malware, presumably a keylogger.
What fascinated me was that this occured on a box with all standard
security measures in place: Windows XP system (all critical patches
installed)  using Mozilla Firefox 1.0.6 (latest version, "Allow Web
sites to install software" unchecked) and running Norton Antivirus
and Norton Firewall, also current and updated. Norton AV didn't even
recognize this thing as malovolent; I noticed it after it was inside
at c:\asdf.exe clawing frantically at my firewall trying to get back
out.. Even more amusing, I didn't actually do anything: Didn't click
on an advertisement, close a Windows, etc. One Web site that was
apparently serving up infected ads was The Onion (London's Observer
had a simlar problem last year). Because this malware is passed along
through a compromised ad server, not every visitor will get hit,
since the ads rotate each time the page is called up.

Anyway, I've contacted AV vendors, but I'm worried about how
widespread this problem is. Google searchers turn up people puzzling
similar incidents starting three weeks ago. I'm wondering if IPers
can do a file search for "asdf.exe" and report back positive results?

Thanks

-dave

-------------------------------------
You are subscribed as updegrove () mail utexas edu
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/



VP  for Information Technology          Phone (512) 232-9610
The University of Texas at Austin       Fax (512) 232-9607
FAC 248 (Mail code: G9800)              d.updegrove () its utexas edu

P.O. Box 7407 http://web.austin.utexas.edu/dau2

Austin, TX 78713-7407


-------------------------------------
You are subscribed as lists-ip () insecure org
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/

Current thread:

more on compromised ad servers? David Farber (Aug 26)
- <Possible follow-ups>
- more on compromised ad servers? David Farber (Aug 26)