Message-ID: <000c01c343ce$3543b6e0$550ffea9__29912.1250551709$1057947416@rms>
Date: Thu, 10 Jul 2003 22:49:15 -0400
From: "Richard M. Smith" <rms@...puterbytesman.com>
To: "BUGTRAQ@...URITYFOCUS. COM" <BUGTRAQ@...URITYFOCUS.COM>
Subject: New trojan turns home PCs into porno Web site hosts


Hi,

Some individual appears to have hijacked more than 1,000 home
computers starting in late June or early July and has been installing a
new trojan horse program on them. The trojan allows this person to run a
number of small Web sites on the hijacked home computers.  These Web
sites consist of only a few Web pages and apparently produce income by
directing sign-ups to for-pay porno Web sites through affiliate
programs.  Spam email messages get visitors to come to the small Web
sites.

To make it more difficult for these Web sites to be shut down, a single
home computer is used for only 10 minutes to host a site.  After 10
minutes, the IP address of the Web site is changed to a different home
computer.  The hacker is able to do this quick switching because he has
installed DNS name servers for his domains on other home computers under
his control.  The DNS name servers specify that a
hostname-to-IP-address mapping should only live for 10 minutes.
 
Over the long July 4th weekend, some of these same Web servers were used
in an apparent phishing scam to collect stolen PayPal passwords and
credit card numbers.  Silicon.com has an article about this scam:

   Russian hackers behind fake PayPal email scam?
   http://silicon.com/news/500013-500001/1/5061.html

Joe Stewart of LURHQ has obtained a copy of the trojan which he has
named Migmaf.  His analysis of the trojan can be found on the LURHQ Web
site:

   http://www.lurhq.com/migmaf.html

The initial theory was that the trojan was installing a mini-Web server
on hacked computers to host the porno Web sites.  However, Joe's analysis
shows that the trojan is actually a reverse HTTP proxy that makes a
home computer act as a front for a home base Web server.

The New York Times is also running an article about the trojan in its
July 11th edition of the paper:

   http://www.nytimes.com/2003/07/11/technology/11HACK.html?hp

Some of the domain names used by the Web sites of the trojan are:

   onlycoredomains.com
   pizdatohosting.com
   bigvolumesites.com
   wolrdofpisem.com
   arizonasiteslist.com
   nomorebullshitsite.com
   linkxxxsites.com

I've been monitoring these domains since July 5th and found over 2,000
unique IP addresses used by hosts in these domains.  Almost all of these
IP addresses are for commercial ISPs used by home computer users.
AOL.COM was the most used ISP.

One interesting feature of the trojan is that it times the connection
speed of a home computer that it is running on and reports the
connection speed back to home base.  The home base computer seems to
only select a computer to run a reverse proxy server or the DNS name
server if the computer has a high-speed cable or DSL Internet
connection.

It is not known at the present time how the trojan gets installed on
people's computers.  My theory is that the Sobig.e virus might be
involved, but the evidence is not strong at the moment.

Richard M. Smith
http://www.ComputerBytesMan.com
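
A defender-side way to spot the 10-minute rotation described in the message above, as an added example that is not part of the original post or of LURHQ's analysis: it takes a constructed set of repeated DNS lookups (the hostnames, addresses and TTLs below are made up) and flags names that pair a short TTL with many distinct answers, which is the pattern the author observed while monitoring the trojan's domains.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of repeated lookups: (UTC timestamp, hostname, answered IP, TTL in
# seconds). The flux host mimics the post: a 10-minute TTL and a new home IP each period.
SAMPLE_LOOKUPS = [
    ("2003-07-05T10:00:00", "www.flux.example", "198.51.100.11", 600),
    ("2003-07-05T10:10:00", "www.flux.example", "198.51.100.57", 600),
    ("2003-07-05T10:20:00", "www.flux.example", "203.0.113.8", 600),
    ("2003-07-05T10:30:00", "www.flux.example", "192.0.2.133", 600),
    ("2003-07-05T10:40:00", "www.flux.example", "198.51.100.11", 600),
    ("2003-07-05T10:50:00", "www.flux.example", "203.0.113.201", 600),
    ("2003-07-05T10:00:00", "www.static.example", "192.0.2.1", 86400),
    ("2003-07-05T10:30:00", "www.static.example", "192.0.2.1", 86400),
    ("2003-07-05T10:00:00", "www.cdn.example", "192.0.2.40", 3600),
    ("2003-07-05T10:30:00", "www.cdn.example", "192.0.2.41", 3600),
]


def flux_stats(lookups):
    """Summarise each hostname's answers: distinct IPs, how often the answer
    changed between consecutive lookups, and the smallest TTL served."""
    by_host = defaultdict(list)
    for ts, host, ip, ttl in lookups:
        by_host[host].append((datetime.fromisoformat(ts), ip, ttl))
    stats = {}
    for host, rows in by_host.items():
        rows.sort()  # chronological order so "changes" means real rotation
        ips = [ip for _, ip, _ in rows]
        stats[host] = {
            "lookups": len(rows),
            "unique_ips": len(set(ips)),
            "changes": sum(1 for a, b in zip(ips, ips[1:]) if a != b),
            "min_ttl": min(ttl for _, _, ttl in rows),
        }
    return stats


def flag_fast_flux(stats, max_ttl=600, min_unique_ips=3):
    """Flag hosts that combine a short TTL with many distinct answers; a
    single-IP host or a long-TTL load balancer does not meet both tests."""
    return sorted(h for h, s in stats.items()
                  if s["min_ttl"] <= max_ttl and s["unique_ips"] >= min_unique_ips)


if __name__ == "__main__":
    stats = flux_stats(SAMPLE_LOOKUPS)
    for host in flag_fast_flux(stats):
        print(host, stats[host])
```

In practice the lookups would be collected by resolving the suspect names on a schedule shorter than their TTL, as the author did over several days; the thresholds are tunable and only the combination of low TTL and a large, churning answer set is treated as suspicious.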