
Thread: Visitors to "The Register" using IE urged to virus scan!

#1 egghead (Precision Processor, Super Moderator)

Visitors to "The Register" using IE urged to virus scan!

If you followed egghead's advice to stop using Internet Explorer, you can ignore this post.


    Worm Exploit Distributed by Advertising Network

    from slashdot.com

    Zocalo writes "Given that a lot of Slashdot readers also check The Register, it's important to note that their Internet advertising provider, Falk AG, was compromised by the BOFRA exploit yesterday. The Falk AG service has been suspended by The Register and a statement from Falk AG is due on Monday. The upshot is that if you visited the Register yesterday morning and use IE as your browser, then you probably need to run a full virus scan with up to date data files. Of course, those of us running other browsers and something like AdBlock have nothing to worry about. Again." You're OK for now if you're running SP2. There's also a good security writeup about the problem.

    http://slashdot.org/article.pl?sid=0...47232&from=rss
    Last edited by egghead; November 22nd, 2004 at 01:14 AM.

#2 rik (Old and Cranky, Super Moderator)
    Just frickin awesome...

#3 egghead (Precision Processor, Super Moderator)
Cheers to The Register for being a brave, trustworthy website that cares about its readers and one that will go the extra step to inform its readers of any dangers, even if those dangers were a result of visiting its website.

My respect for The Register, already high, has become higher.

Cheers!

Now I wonder how many websites have hidden this info from their readers when their website infected their users?

I know six months ago the Internet experienced this, but then they feared thousands of websites were compromised by a worm that scanned IP addresses looking for and infecting IIS servers and changing web page scripts to silently install a keylogger on all Internet Explorer visitors.
    http://www.directionsonmicrosoft.com...4nsuoir_sb.htm

    http://www.washingtonpost.com/wp-dyn...referrer=email

    http://keithdevens.com/weblog/archive/2004/Jun/25/virus
    Last edited by egghead; November 22nd, 2004 at 06:06 AM.

#4 FastGame (Hardware guy, Super Moderator)
    Long live Mozilla/Firefox

#5 egghead (Precision Processor, Super Moderator)
    The site in the UK has been fixed. Sans storm Center has received reports of sites in Sweden and the Netherlands that were also compromised. This may indicate a more wide-spread attack across Europe. One suggestion is that the advertising servers rather than the sites themselves contain the exploit, which of course means that perhaps hundreds of sites are affected.

    Marcus H. Sachs
    Director, SANS Internet Storm Center

Since this vulnerability is easy to exploit, it is likely that malware for this issue will come in many flavors and colors. In addition to the possibility of becoming infected while surfing a website, there are e-mail propagation vectors. On November 8, we reported MyDoom.AG and MyDoom.AH (which spread via e-mail) utilize this exploit:

    http://us.mcafee.com/virusInfo/defau...virus_k=129631
    http://vil.nai.com/vil/content/v_129630.htm

Note that some versions of MyDoom that are including the IFRAME exploit are being called Bofra (variants A - H):

    http://www.sophos.com/virusinfo/analyses/w32bofraa.html
    http://www.sophos.com/virusinfo/analyses/w32bofrah.html

    More vulnerability details:

    http://secunia.com/advisories/12959/
    http://www.kb.cert.org/vuls/id/842160
    http://www.securityfocus.com/bid/11515/info/
    http://www.k-otik.net/bugtraq/200411...etExplorer.php
    http://lists.netsys.com/pipermail/fu...er/028286.html

    Joe Stewart has an excellent writeup of the IFRAMES exploit, and should be read by users and admins both.

    IFRAME Exploit via Banner Ads by LURHQ Threat Intelligence Group

    URL
    http://www.lurhq.com/iframeads.html
    Release Date
    November 21, 2004


    IFRAME Vulnerability Being Exploited Through Banner Ads

    Analysis 1: Virtumonde Adware

    Virtumonde is a well-known adware trojan that hijacks victim browsers and forces them to display popup ads based on keywords in the sites they are visiting. For instance, a user visiting a page with keywords related to travel may display popup ads for sites such as vipfares.com, a discount-travel site with a long list of customer complaints about fraudulent practices.

    Warning: Do not visit any of the URLs provided below in Internet Explorer or you will become infected. URLs have spaces added to prevent accidental click-throughs.

The infection process consists of the following 8 steps:
    read more here
    http://www.lurhq.com/iframeads.html (this link is safe - egghead )



#6 egghead (Precision Processor, Super Moderator)
Guru3d has released a statement about the same thing that happened to The Register.

    this story answers many questions:

Virus infection through ads at guru3d.com

    Duration of event:
    11.20.2004 GMT from 05:10 am- 11:30am


    Description of event:
Early Saturday morning (11.20.2004) an unauthorized individual exploited a weakness in a load balancer on the European AdSolution network. The purpose of the exploit was to establish a redirect to malicious code through a JavaScript component of Falk's ad delivery. The exploit resulted in a portion of the ad requests being answered with a redirect to the URL 'search.comedycentral.com' (199.107.184.146) where the malicious code could be accessed. The code (known as Bofra/IFrame-Exploit) takes advantage of an exploit in Microsoft Internet Explorer 6.0 browsers. Falk acknowledges that the exploit may have also been maliciously placed on
http://search.comedycentral.com.


    Impact of event
The virus was found to impact AdSolution Global only and excluded AdSolution Classic, MailSolution, and AdSolution|fx. Falk has calculated the distribution of the malicious code and estimates that it affected a small percentage of the total ads delivered across its EU and US networks. In total, potential redirects to this exploit code represented less than 2% of EU ad requests and under 0.1% of US ad requests during this time period.

Any unprotected user receiving the virus would be subject to the exploit described here:
http://vil.nai.com/vil/content/v_129629.htm. According to the description, users who have Microsoft Service Pack 2 (SP2), VSE 8.0i with buffer overflow protection enabled, or certain virus protection software, would not have been subject to the effects of the exploit.


    How it occurred.....


    read more
    http://www.guru3d.com/newsitem.php?id=2101
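The advisories linked in post #5 (Secunia SA12959, US-CERT VU#842160, BID 11515) describe the bug behind Bofra as a buffer overflow in IE's handling of IFRAME/FRAME tags with abnormally long SRC and NAME attributes, and Falk's statement above describes the delivery side: an ad-slot JavaScript that redirected a fraction of requests to an outside host carrying the exploit page. The scanner below is an added example written for this thread, not code from Falk, LURHQ, SANS or any of the linked advisories. It applies two heuristics to HTML returned by an ad server: flag frame-like tags whose SRC or NAME exceeds a length threshold, and flag frames, scripts and script bodies that reference a host outside the ad network's own domains. The trusted host list (ads.example.net), the 256-byte threshold and the three sample ad snippets are constructed for illustration; the host search.comedycentral.com is the one named in Falk's statement.

```python
"""Heuristic scan of ad-server HTML for (a) the IE IFRAME long-SRC/NAME
overflow (VU#842160 / SA12959 / BID 11515) and (b) ad-slot redirects to
hosts outside the ad network.  Added example; not from any linked source."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

LONG_ATTR = 256            # assumed threshold; real SRC/NAME values are far shorter
URL_RE = re.compile(r"https?://[^\s'\"<>;)]+")

# Hypothetical ad network domains; anything else in a frame/script is "offsite".
TRUSTED = {"ads.example.net", "www.example.net"}

# Constructed samples: a clean ad slot, an exploit-style frame with a 600-byte
# NAME attribute pointing offsite, and a script that redirects IE users offsite.
BENIGN_AD = ('<div id="slot"><script src="http://ads.example.net/deliver.js"></script>'
             '<iframe src="http://ads.example.net/banner?id=42" name="ad42" '
             'width="468" height="60"></iframe></div>')
OVERFLOW_AD = ('<iframe src="http://search.comedycentral.com/x.html" name="'
               + "A" * 600 + '"></iframe>')
REDIRECT_AD = ('<script type="text/javascript">'
               'if (navigator.appName.indexOf("Microsoft") != -1) '
               '{ document.location = "http://search.comedycentral.com/"; }'
               '</script>')


class AdScanner(HTMLParser):
    """Collects findings as tuples: ("long_attr", tag, attr, length) or
    ("offsite", where, host, url_prefix)."""

    def __init__(self, trusted_hosts):
        super().__init__()
        self.trusted = {h.lower() for h in trusted_hosts}
        self.in_script = False
        self.findings = []

    def _check_host(self, where, url):
        host = urlparse(url).hostname
        if host and host.lower() not in self.trusted:
            self.findings.append(("offsite", where, host.lower(), url[:80]))

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag == "script":
            self.in_script = True            # body is delivered via handle_data
        if tag in ("iframe", "frame", "embed", "object"):
            for name in ("src", "name"):     # the overflowed attributes
                if len(attrs.get(name, "")) > LONG_ATTR:
                    self.findings.append(("long_attr", tag, name, len(attrs[name])))
        if tag in ("iframe", "frame", "script", "img", "embed") and attrs.get("src"):
            self._check_host(tag, attrs["src"])

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        # Inline redirect logic, as in the Falk incident, shows up as a URL
        # literal inside the script body rather than in a src attribute.
        if self.in_script:
            for url in URL_RE.findall(data):
                self._check_host("script-body", url)


def scan(html, trusted_hosts=TRUSTED):
    """Return the list of findings for one ad-server response body."""
    p = AdScanner(trusted_hosts)
    p.feed(html)
    p.close()
    return p.findings


if __name__ == "__main__":
    for label, page in (("benign", BENIGN_AD), ("overflow", OVERFLOW_AD),
                        ("redirect", REDIRECT_AD)):
        print(label, scan(page))
```

The length check is a cheap signature for the specific overflow, while the offsite check is what would have caught the Falk redirect regardless of payload; in practice the trusted list has to include every legitimate third-party host an ad network fans out to, or the second heuristic drowns in noise.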

#7 egghead (Precision Processor, Super Moderator)
    IFrame - more info

After the IFrame exploitation event last Saturday, a lot of interesting information is coming to light.


One of the most interesting is that the majority of the web servers that were hacked were Apache ones, running on Unix/Linux systems. This is a real difference from the other attacks that were using the same vector. One recent attack using the same vector was using IIS servers. Maybe the kidz are trying another tactic. My feeling is that some admins, used to hearing about IIS vulnerabilities, are forgetting about the whole Apache environment, like OpenSSL, PHP, etc., and are not patching as they should. These elements are currently the suspicious ones that the kidz used to explore and 0wn the machines. The Register has a good description of that, and one of our readers sent a detailed explanation of last Saturday's event.
The Register - http://www.theregister.co.uk/2004/11...frame_exploit/
http://www.vitalsecurity.org/xpire-s...-condensed.pdf

    source http://isc.sans.org/