Security Incidents mailing list archives

Malware(?) inserting porn links into registration/profile data for unsuspecting users


From: SF Lists <sfmailinglists () yahoo com>
Date: Thu, 15 Jul 2004 05:47:05 -0700 (PDT)

Hi,

I run a web site featuring a vBulletin forum (v3.0.3)
running on a debian woody system with apache 1.3.x
which allows users to register accounts and include
basic profile information such as interests,
occupation, etc. One of these fields allows for the
input of a home page web address, identified by:

<input type="text" name="homepage" size="25"
maxlength="200">

The registration process involves correctly entering
in the text present in a randomly generated image as
well as an e-mail confirmation process. I have found
that a significant number, although a small minority
(between 20-30), of users registering out of roughly
20,000 registrations, have included pornographic web
sites that seem to be randomly generated based off of
a list of valid sites, and these users appear to be
real people who go on to post constructively,
apparently oblivious to the content of their profiles.
Given the quality of the posts and the interaction
that occurs with these users, I am confident that
these are not automated registrations and that they
are in fact humans who are somehow having this data
inserted.
Also, the vast majority of these affected users are
completing the registration process which involves
receipt of the registration e-mail and authentication
via an encoded link.

When contacted, the individuals with the offending
content in their profiles do not know how the sites
ended up in their profiles. One individual has
indicated that she was able to see the site listed in
her profile and had suspected a virus before we
contacted her, but has not been able to provide me
with the name of a program responsible or the result
of an updated anti-virus/adware scan.

There are no signs that our server has been
compromised and we have not found anything in apache
logs that would suggest this, however I am open to
further exploration of that issue.

At this point, I suspect that this is the work of some
sort of malware or virus that detects the presence of
an input field with the name "homepage" and inserts
one of these addresses upon submitting the form, but I
have been unsuccessful in finding any references to a
known application that exhibits this behavior. Keep in
mind that this is simply based on
observation and I have not attempted to change the
fields in the registration form to see if the affected
registrations stop. Are there any known viruses or
malware that exhibit this type of
behavior? I've searched Symantec and Trend Micro for
information regarding this but have turned up nothing
thus far. Google seems to also be a lost cause,
finding other sites that report similar problems
without any mention of what this could be attributed
to.

It seems unlikely to me, as pointed out by the
Incidents list moderator, that this behavior would go
unnoticed for long without having been attributed to a
specific virus or malware, and those of us who have
run across the issue have been reporting it since the
beginning of this year. There is an ongoing thread at
vBulletin's support forums on the subject:

http://www.vbulletin.com/forum/showthread.php?t=96331 

Note that both the 2.x and 3.x branches of vBulletin
seem to be equally affected and both use "homepage" as
the name of the input field.

I am simply trying to get a name and point these users
to information about maintaining a safe computing
environment including updated anti-virus definitions
and any specific removal instructions that might
accompany whatever this is. I do realize, however,
that it's not unlikely that, if they've become
infected with this, they might have other compromises
to deal with.

A small sampling of the sites that appear in user
profiles:
http://hardcore-porn-1.net/porn_video_white_slut_black_dick_daaughter/
(sic) 
http://teen-porn-1.com/hot_free_teen_pics/ 
http://pornfree18.com/porn_pictures_girls_free/ 

Others are listed in the vBulletin thread linked
above.

Many thanks,
-B
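As an added triage example (not code from the original post and not part of vBulletin), the script below scans profile rows for homepage values shaped like the addresses quoted above (a keyword in the host plus a path that is one slug of underscore-joined words), counts hits per host to expose the "list of valid sites" pattern, and computes the suspect rate per submitted field name so that the poster's untried check, renaming the field and seeing whether the injections stop, can actually be measured. The sample rows, the alternative field name url_7f3a, and the assumption that the submitting field name is logged are all constructed for the example.

```python
"""Triage helpers for the "homepage" profile-injection problem.

Added example, not vBulletin code and not from the original post. The sample
rows below are constructed; the URL shapes (keyword host, slug of
underscore-joined words) are modelled on the three addresses quoted in the post.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample of user rows: (userid, username, homepage, form_field).
# "form_field" assumes you log which input name the homepage was submitted
# under, so that renaming the field (as the post proposes) can be measured.
SAMPLE_PROFILES = [
    (1001, "alice", "http://www.example.org/~alice/", "homepage"),
    (1002, "bob", "", "homepage"),
    (1003, "carol", "http://hardcore-porn-1.net/free_porn_videos_online/", "homepage"),
    (1004, "dave", "http://teen-porn-1.com/hot_free_teen_pics/", "homepage"),
    (1005, "erin", "http://pornfree18.com/porn_pictures_girls_free/", "homepage"),
    (1006, "frank", "http://frank.example.net/blog/my_first_post/", "homepage"),
    (1007, "grace", "http://teen-porn-1.com/free_teen_porn_movies/", "homepage"),
    (1008, "heidi", "http://www.example.com/", "url_7f3a"),
    (1009, "ivan", "http://ivan.example.org/", "url_7f3a"),
]

# Heuristics: a keyword anywhere in the host, and a path that is nothing but
# one slug of three or more underscore-joined words containing a keyword.
HOST_RE = re.compile(r"porn|sex|xxx|teen", re.I)
SLUG_RE = re.compile(r"^/([a-z0-9]+(?:_[a-z0-9]+){2,})/?$", re.I)
SLUG_WORDS = {"porn", "sex", "xxx", "teen", "nude", "pics", "slut", "dick"}


def classify_homepage(url):
    """Return the list of reasons a homepage looks injected ([] if clean)."""
    reasons = []
    if not url:
        return reasons
    parts = urlsplit(url.strip())
    host = parts.hostname or ""
    if HOST_RE.search(host):
        reasons.append("keyword in host")
    m = SLUG_RE.match(parts.path)
    if m and set(m.group(1).lower().split("_")) & SLUG_WORDS:
        reasons.append("keyword slug path")
    return reasons


def triage(profiles):
    """Flag suspect rows and count them per host (the 'list of valid sites')."""
    flagged = []
    per_host = Counter()
    for userid, username, homepage, _field in profiles:
        reasons = classify_homepage(homepage)
        if reasons:
            host = urlsplit(homepage).hostname
            flagged.append((userid, username, host, reasons))
            per_host[host] += 1
    return flagged, per_host


def rate_by_field(profiles):
    """Fraction of suspect homepages per submitted field name.

    If the rate collapses for a renamed field while staying flat for
    name="homepage", the field-name hypothesis is supported."""
    totals, hits = Counter(), Counter()
    for _uid, _name, homepage, field in profiles:
        totals[field] += 1
        if classify_homepage(homepage):
            hits[field] += 1
    return {field: hits[field] / totals[field] for field in totals}


if __name__ == "__main__":
    flagged, per_host = triage(SAMPLE_PROFILES)
    for userid, username, host, reasons in flagged:
        print(f"{userid} {username:8} {host:24} {', '.join(reasons)}")
    print("per host:", dict(per_host))
    print("suspect rate by field:", rate_by_field(SAMPLE_PROFILES))
```

The host regex is deliberately short and will also match innocent names such as "essex" or "canteen", so treat the output as a review queue for a human, not as an automatic ban or delete list; run it against a real dump of the user table's homepage column and compare the per-field rates a few weeks after renaming the input.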

