Educause Security Discussion mailing list archives
Update: malware in images
From: Brian Eckman <eckman () UMN EDU>
Date: Thu, 24 Jun 2004 13:31:50 -0500
Doug Pearson wrote:

> There's *early* report of lots of sites infected with images that
> contain malware. The Javascript appended to the images reaches back
> to "http: // 217.107.218.147/ dot.php" to get the next dose of
> malware. The embedded spaces in the URL are mine to prevent
> accidental launches.

When hosts visit the compromised Web sites, they are taken to that page Doug mentions, which loads another couple of pages which download and install what Symantec detects as Backdoor.Berbew.F.

As Doug mentioned, Symantec detects the exploit code within the Web page itself, which will prevent the exploit from running on Symantec-protected machines (with AV defs newer than roughly April 1st, 2004).

The Web site in question uses a poor coding choice and it targets only hosts running Windows in C:\Windows. Therefore Win2k systems will not get the Berbew trojan installed on them when visiting the URL. The install method that it uses is something that I believe will only work on Windows XP.

I would recommend that infected machines be quarantined immediately. You can find them doing POST /index.php to www.redline.ru. I did not observe the open backdoor ports that Symantec noted, but I was running it in VMWare in NAT mode, so it may not have fully activated itself.

FWIW, I see no evidence that "images" are involved in the exploit.

Brian

--
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota
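The detection Brian recommends (finding infected hosts by their POST /index.php to www.redline.ru, together with the preceding dot.php fetch that marks a host as having been exploited) applied to proxy logs, as an added example that is not part of the original mail. The Squid-style log format and the client IPs are constructed assumptions; the indicators are the ones named in the thread.

```python
# Added example (not from the original mail): flag proxy clients that show
# the indicators Brian names. Log format (Squid-style) and IPs are constructed.
import re
from urllib.parse import urlsplit

STAGER_HOST, STAGER_PATH = "217.107.218.147", "/dot.php"   # next-stage fetch
BEACON_HOST, BEACON_PATH = "www.redline.ru", "/index.php"  # POST check-in

# timestamp client method url status
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(GET|POST)\s+(\S+)\s+(\d{3})$")

def classify(line):
    """Return (client, label) if the line matches an indicator, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _ts, client, method, url, _status = m.groups()
    parts = urlsplit(url)
    host, path = (parts.hostname or "").lower(), parts.path or "/"
    if host == STAGER_HOST and path == STAGER_PATH:
        return (client, "stager-fetch")   # pulled dot.php: likely exploited
    if method == "POST" and host == BEACON_HOST and path == BEACON_PATH:
        return (client, "berbew-beacon")  # trojan checking in: quarantine
    return None

def quarantine_candidates(lines):
    """Map client IP -> sorted list of indicator labels seen for that client."""
    hits = {}
    for line in lines:
        r = classify(line)
        if r:
            hits.setdefault(r[0], set()).add(r[1])
    return {ip: sorted(v) for ip, v in hits.items()}

# Constructed sample proxy log, not real traffic.
SAMPLE_LOG = """\
1088100000.123 10.1.2.3 GET http://www.example.edu/index.html 200
1088100005.456 10.1.2.3 GET http://217.107.218.147/dot.php 200
1088100090.789 10.1.2.3 POST http://www.redline.ru/index.php 200
1088100100.000 10.1.2.4 GET http://www.redline.ru/about.html 200
1088100110.000 10.1.2.5 POST http://www.redline.ru/index.php?x=1 200
""".splitlines()

if __name__ == "__main__":
    for ip, labels in sorted(quarantine_candidates(SAMPLE_LOG).items()):
        print(ip, ", ".join(labels))
```

Matching is done on host and path only, so a query string on the beacon URL (as in the last sample line) still hits, while ordinary browsing of the same domain does not.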