Winamp Vulnerability / IFrame - more info / Following the Bouncing Malware - IV

Published: 2004-11-24
Last Updated: 2004-11-30 14:06:40 UTC
by Pedro Bueno (Version: 1)
0 comment(s)

Winamp unpatched Vulnerability


Yesterday was released an advisory about a critical and unpatched vulnerability on Winnamp.


According to Secunia, The vulnerability has been reported in versions 5.05 and 5.06. Prior versions may also be affected.

As a solution, uninstall Winamp or disassociate .cda and .m3u extensions from winamp.
An exploit is already public available for this vulnerability.


Reference: http://secunia.com/advisories/13269/ and
http://www.k-otik.net/bugtraq/20041123.Winamp.php
IFrame - more info

After the IFrame exploitation event last Saturday, a lot of interesting informations are coming to the light.


One of the most interesting are that the majority of the Webservers that were hacked, were apache ones, and running on Unix/Linux systems. This is a really difference between the others attacks that were using the same vector. One recent attack using the same vector, were using IIS servers. Maybe the kidz are trying another tactic. My feeling is that some admins, used to hear about IIS vulnerabilities, are forgetting about all apache environment, like OpenSSL, PHP,etc...and are not patching as they should. These elements, are currently
the suspicious ones that the kidz used to explore and 0wn the machines.
The Register has a good description about that, as well one of our readers sent a detailed explanation about last saturday event.

The register - http://www.theregister.co.uk/2004/11/22/apache_hijack_serves_iframe_exploit/

http://www.vitalsecurity.org/xpire-splitinfinity-serverhack_malwareinstall-condensed.pdf



And now, one of the most successful series of the Internet Storm Center:

Tom Liston´s Following the Bouncing Malware - Part IV:



-------------------------------------------------------------------------

(First, a quick "thank you" to Pedro for letting me use some space on his diary - Obrigado Pedro!)



FTBM - Part I - http://isc.sans.org/diary.php?date=2004-07-23

FTBM - Part II - http://isc.sans.org/diary.php?date=2004-08-23

FTBM - Part III - http://isc.sans.org/diary.php?date=2004-11-04



Follow The Bouncing Malware - Part IV



As this little expedition has wound its way among the malicious flotsam and jetsam of the Internet, I?ve received hundreds of emails echoing the same question:



"Tom, please tell us: who are these people?"



(Ok... I?ve actually gotten ONE email and it asked me to please stop rambling so much. Consider the above to be "artistic license.")



So, rather than diving headfirst into dissecting more code this time, I thought I would take a little "side trip" and see what I could find out about the people who have given us the "gifts that keep on giving." Who are the people profiting off of messing up Joe?s machine?



Since we?ve got a different goal, it calls for a different attitude-- a kinder, gentler approach. We?re going to roll-back the geek-factor a bit and spend a little time away from the hard-core code analysis. To celebrate, I?m all decked out in my fuzzy Garfield slippers (small children/Father?s Day/no choice/don?t ask...) and I?m ready to rock. To round things out, let?s even give this installment a cool Sub-Title:



Follow The Bouncing Malware IV: Mellowing In Fleecy Footwear



(Sorry, couldn?t help myself)



Ok... Let?s see what we can find out...



If you?ve been following along since the beginning, perhaps you noticed something odd. Perhaps after reading through the description of what happened to Joe?s machine, you?ve a feeling that there?s something bigger going on-- something amiss with what you?ve seen, but you just can?t quite put your finger on it.



I know how you feel. It?s that "something" that?s been slowly pecking away at my subconscious since this whole trip began and has finally surfaced into consciousness only recently. Here it is:



In FTBM-1:



1) Joe goes to "yahoogamez.com" and gets served up a banner ad from aim4media.com

2) That ad contains an IFRAME that loads mynet-MML.html from 205.236.189.58

3) mynet-MML.html contains a script that loads hp2.htm from 69.50.139.61

4) hp2.htm whacks Joe?s box with a CHM exploit named (originally enough) hp2.chm

5) hp2.chm goes out and grabs a file called (seeing a pattern?) hp2.exe

6) hp2.exe installs "TV media display" on Joe?s machine.



In FTBM-2:



1) A trip to Joe?s new default home page (changed in FTBM-1 to "http://default-homepage-network.com"... no one ever said that these guys were creative when it came to names...) results in the display of "http://default-homepage-network.com/newspynotice.htm," a warning that Joe?s computer might be (well, duh!) infected with spyware.

2) In "newspynotice.htm," we found some obfuscated JavaScript that pointed an IFRAME to a file called (hold on.. in case you?re just skimming through this, you need to really start paying attention now, because this is important...) "hp1.htm" from 69.50.139.61

3) hp1.html then whacks Joe's box with a CHM exploit named (originally enough) hp1.chm

4) hp1.chm goes out and grabs a file called (once again, seeing a pattern?) hp1.exe



Hey... HEY... HEY! What the heck is that all about?



Well, obviously, the folks who put mynet-MML.html on 205.236.189.58 and newspynotice.htm on "http://default-homepage-network.com" share the same stunted imagination when it comes to filenames.



Or something like that...



Therefore, our goal for today is to try to tie "http://default-homepage-network.com", 205.236.189.58, and 69.50.139.61 together.



So... where do we begin?



Doing a DNS lookup on "default-homepage-network.com" we find that it resolves to 205.236.189.57.



B-I-N-G-O!



Well, let?s see... who administers that block?:



Block: 205.236.189.0 - 205.236.189.255

Service Telematique Service Internet de Montreal

6187A Louis Veuillot

Montreal, QC H1M2N8

Canada



So how does 69.50.139.61 tie into this? They?re using that IP address to start the ball rolling, so to speak, but why use a different server?



Block: 69.50.139.0 - 69.50.139.127

OMEGABYTE Computer Corporation

205 West Ninth Street, Suite 201

Austin, TX 78701



A quick look at Omegabyte?s website shows us the beginnings of an answer: Omegabyte is a hosting provider. It appears that our "Canadian" friends at "default-homepage-network.com" rented themselves a server down in Texas. Why?



Well, if my little excursion into spyware-land has taught me anything, it?s that very little in this ever-shifting terrain stays static. The anti-spyware battle is fought with many of the same "rules" as the anti-virus battle: he who adapts the fastest survives. If you present a fixed target, you get filtered or blocked or "signatured" out of existence. At this point, many of the sites that I?ve mentioned in this chronicle are no longer spyware dumps, having long since been tossed aside once their useful lifetime had expired. In all likelihood, both the Canada and Texas sites are simply innocent hosting companies who were used for connectivity.



So it appears that the people in the spyware industry have taken a cue from the spammers and they use throwaway accounts and hosting services to do their dirty work. And just like with the spammers, by the time we get around to filtering and blocking a server, they?ve moved on to another.



While IP addresses may come and go, domain names are forever... So! What can we find out about "default-homepage-network.com"?



The domain name is registered to:



Seismic Entertainment Productions, Inc.

11 Farmington Road

Rochester, NH 03867



and a little searching on "Seismic Entertainment Productions, Inc." leads to:



http://www.ftc.gov/os/caselist/0423142/0423142.htm



Which is a document entitled: "Federal Trade Commission, Plaintiff, v. Seismic Entertainment Productions, Inc., SmartBot.net, Inc., and Sanford Wallace, Defendants., United States District Court, District of New Hampshire"



For those of you who have had any dealings in anti-spam circles, the name "Sanford Wallace" should ring a very VERY loud bell. Sanford "The Spam King" Wallace has had a very checkered past. His company, Cyber Promotions, was a target of much anti-spam rage in the late ?90s. Supposedly ol? "Spamford" had reformed his ways around the turn of the century and had gone "legit."



Apparently not...



It appears that Mr. Wallace has slipped into his old ways and gotten himself into a bit o? trouble with the U.S. Federal Trade Commission for alleged "deceptive practices affecting commerce."



Strangely enough, if you read through the complaint linked at the FTC?s site:



http://www.ftc.gov/os/caselist/0423142/041012comp0423142.pdf



you?ll see that much of the badness that Mr. Wallace?s "Seismic Entertainment Products, Inc." is alleged to have done has been documented quite nicely in "Follow The Bouncing Malware." The complaint also specifies another of Mr. Wallace?s ventures, passthison.com, which is mentioned in FTBM-2.



According to the FTC?s complaint, the former Spam King's actions have placed him in the crosshairs of a Federal investigation carrying penalties "including, but not limited to, rescission of contracts and restitution, and the disgorgement of ill-gotten gains."



Personally, I?d pay foldin? money to watch that "disgorgement of ill-gotten gains" part.



So, now let?s return to the question that prompted this little side-trip: ?Who are these people??



Well, at least in this case, we?re able to put an alleged name (and an alleged face, if you?re so inclined: http://www.annonline.com/interviews/970522/biography.html ) to one the folks dumping spyware onto our computers.



Somehow, turning over this particular rock and finding a "reformed" spammer underneath it doesn?t seem so surprising. The ethical leap from spamming to spyware isn?t across a great chasm, but rather over a slight scratch in the pavement. Ethically challenged individuals, for whom the profit motive outweighs all else, seem quite at home in either category. What seems to be missing in their character boils down to a complete disregard for the legitimacy of property rights. To them, it?s not your inbox, your bandwidth, or your computer if they can figure out a way to sneak something past your defenses. In another time and place, they would be highwaymen, embezzlers, or con-artists.



Therefore, in honor of the season, I hereby nominate Sanford "The Spam King" Wallace for the first annual "ISC Tin-Pot Turkey" award for (allegedly) being both a low-life spammer and a scummy purvayor of spyware. Let's hope he spends some time in an orange jumpsuit, "married" to whoever has the most cigarettes.



In the next edition, I promise to editorialize a little less and return to analyzing malicious code. In the meantime, I?ll keep my eye on the FTC case and update you if anything happens.



Finally, before I once again take my leave and begin work on FTBM-5, I?d like to place a simple challenge onto the (virtual) table: Over the course of these articles, I?ve taken several jabs at the folks behind the crud that attempts to infest our computers each time we surf the web. I?ve questioned their skills and their ethics, and I stand behind every dang word I've written. If, however, you either work currently in the spyware industry or have in the past (and I know you guys are reading this...) and you would like to step forward (anonymously or not) and discuss or debate the ethics of what it is you do, please contact me using the ISC?s contact form, found at



http://isc.sans.org/contact.php



Yo Spamford! Care to chat?



---------------------------------------------------------------------

Handler on Duty: Pedro Bueno ( pbueno /AT/ isc.sans.org ) and special story by Tom Liston.
Keywords:
0 comment(s)

Comments


Diary Archives