Date: Sat, 22 Jul 2006 11:59:55 +0100
From: "lsi" <stuart@...erdelix.net>
To: full-disclosure@...ts.grok.org.uk
Cc: 
Subject: Re: 70 million computers are using Windows 98rightnow

On 13 Jul 2006 at 14:25, Dude VanWinkle wrote:

> > I'd like to see someone discuss the plan of execution of exactly how a
> > hacker would go about compromising 70 million Windows 98 computers.
> 
> Put the exploit on your myspace account ;-)

http://news.yahoo.com/s/nf/20060721/tc_nf/44765;_ylt=AvWqoQc0U._mqKuSrX.znHUDW7oF;_ylu=X3oDMTBhZDhxNDFzBHNlYwNtZW5ld3M-


MySpace Banner Ad Infects Million Users

Walaika K. Haskins, newsfactor.com 
Fri Jul 21, 12:28 PM ET

A banner advertisement posted on the MySpace Web site may have 
infected more than one million users with adware, according to 
security firm iDefense. The advertisement was included in user 
profiles on MySpace and could have been operating for about one week. 
 
The deckoutyourdeck.com advertisement exploited a flaw in the way 
Microsoft's Internet Explorer (IE) browser handles Windows Metafile 
(WMF) image files. Users running unpatched versions of IE would never 
have realized that the banner ad had silently installed programs that 
generate pop-up ads on their system.  

"This is a criminal act," said Hemanshu Nigam, chief security officer 
at MySpace, in a statement. "This ad is being delivered by ad 
networks who distribute these ads to over a thousand sites across the 
Internet in addition to ours. We are working to have these ad 
networks remove this ad so that they do not appear on our site."  

Banner Patch  

An iDefense spyware analyst, Michael La Pilla, told The Washington 
Post that he discovered the attack on Sunday as he browsed the 
MySpace site. When he came across a page with the offending ad, he 
received a message from his browser asking him if he wanted to open a 
file named exp.wmf.  

After a brief investigation, La Pilla found out that the spyware 
installation program contacted a Russian-language Web server in 
Turkey that tracks the PCs on which the program has been installed. 
The tally had climbed to 1.07 million machines, though La Pilla said 
the seven Internet addresses contacted by the downloader seem to be 
inactive now.  

According to La Pilla, the ad also attempted to infect users of 
Webshots.com, a photo-sharing site. Though he cannot pinpoint the 
date the ads began sending out their spyware, it is believed that it 
coincided with the occurrence on MySpace on July 12.  

The WMF vulnerability was originally discovered last December after 
hackers exploited the flaw using a specially created WMF image 
distributed via e-mail, instant message links, and Web sites. When 
users opened the image, the hacker could take control of the infected 
PC. Microsoft released a patch for the bug back in January, but many 
people did not install the patch.  

PCs with unpatched systems can become infected simply by accessing a 
Web page with the deckoutyourdeck.com ad. The exp.wmf Trojan horse 
program could upload automatically without the warning prompt that La 
Pilla received.  

Once installed, PCs running the Trojan horse will contact multiple 
Web sites and download a slew of unwanted programs such as PurityScan 
advertising software. PurityScan is an adware program that can cause 
pop-up windows containing unsolicited ads to appear. The application 
also keeps track of the user's online activity.  

Two Wrongs  

Rob Ayoub, an analyst at the research firm Frost & Sullivan, said two 
facts stand out regarding the MySpace infections. First, home users 
are clearly not as educated about the need to make sure they have 
up-to-date patches and other security fixes installed. Second, MySpace 
needs to have a better security system to identify dangers hidden in 
the ads they serve.  

If you are a legitimate business with a legitimate Web site hosting 
banner ads, you have a responsibility to keep the service clean, 
Ayoub said. "MySpace has some problems and this is a real blunder on 
their part. I can't believe any business would not scan or take more 
caution with banner ads posted on their sites. Ad network or not, 
there is no excuse for them not having a checking system."  

One million people is a very large number, Ayoub said, and it 
demonstrates that the technology industry, and security firms and 
software makers in particular, might not have done enough to impress 
upon home users the importance of downloading patches. PCs that have 
not been updated exponentially increase problems with viruses, 
spyware and adware.  

"MySpace should have been checking and users should have been 
patching," Ayoub said. "And because of that combination you have a 
million downloads."  

Some PC users have said their reluctance to install patches and 
updates centers around the fear that any changes will negatively 
impact their computers. However, Ayoub pointed out, unwanted changes 
or problems with updates are relatively rare these days.  

"There was a time when you had to watch and be very careful with your 
patches," Ayoub said. "And some of the big ones are a problem, but 
there haven't been big problems with patches for ages."  

Home users, Ayoub predicted, will not start to take security 
seriously until Internet service providers start to make antivirus 
and antispyware software compulsory. That may or may not be the best 
solution, he said, but incidents like this are a "perfect storm" for 
users not protecting themselves.  

"That's extremely dangerous," Ayoub said. "Maybe what we need to do 
is run public service announcements."  

MySpace is "strongly" urging all Internet users to "follow basic 
Internet security practices such as running the latest version of the 
Windows operating system, installing the latest security patches, and 
running the latest anti-spyware and anti-adware software."  


---
Stuart Udall
stuart at@...erdelix.dot net - http://www.cyberdelix.net/

--- 
 * Origin: lsi: revolution through evolution (192:168/0.2)
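The article quoted above faults the ad network and MySpace for serving a creative that was really a WMF exploit file, and the analyst it quotes says there is "no excuse for them not having a checking system." As an added example (not part of this post, the article, or any MySpace or iDefense code), here is the kind of content check an ad-serving pipeline could run on every creative before it goes live: identify WMF payloads by their header bytes rather than by filename or declared type, and block creatives whose declared image type does not match what the bytes say. The sample blobs are constructed for the example; the header layouts follow the documented WMF placeable header (key 0x9AC6CDD7) and standard METAHEADER (type 1 or 2, header size 9 words, version 0x0100 or 0x0300).

```python
"""Content-based screening of ad creatives for Windows Metafile (WMF) payloads.

Added example, not from the original post or article. Assumptions: creatives
arrive as raw bytes plus a declared filename, and only GIF, PNG and JPEG are
acceptable banner formats. Sample data below is constructed, not real ad files.
"""
import struct
from typing import Optional

# Placeable WMF files start with the DWORD key 0x9AC6CDD7, stored little-endian.
PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"

# Magic bytes of the image formats we are willing to serve.
IMAGE_MAGIC = [
    ("gif", b"GIF87a"),
    ("gif", b"GIF89a"),
    ("png", b"\x89PNG\r\n\x1a\n"),
    ("jpg", b"\xff\xd8\xff"),
]


def detect_wmf(data: bytes) -> Optional[str]:
    """Return 'placeable-wmf', 'standard-wmf', or None based on header bytes only."""
    if data[:4] == PLACEABLE_KEY:
        return "placeable-wmf"
    if len(data) >= 18:
        # Standard METAHEADER: Type (1=memory, 2=disk), HeaderSize (9 words), Version.
        mtype, hdr_size, version = struct.unpack_from("<HHH", data, 0)
        if mtype in (1, 2) and hdr_size == 9 and version in (0x0100, 0x0300):
            return "standard-wmf"
    return None


def sniff_type(data: bytes) -> str:
    """Identify the real content type; WMF is checked first so it can never hide."""
    wmf = detect_wmf(data)
    if wmf:
        return wmf
    for name, magic in IMAGE_MAGIC:
        if data.startswith(magic):
            return name
    return "unknown"


def check_creative(filename: str, data: bytes) -> dict:
    """Decide whether a creative may be served, with the reasons recorded."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext == "jpeg":
        ext = "jpg"
    sniffed = sniff_type(data)
    is_wmf = sniffed.endswith("wmf")
    # A declared ".gif" that is really WMF (or PNG, etc.) is a mismatch.
    sniffed_ext = "wmf" if is_wmf else sniffed
    mismatch = sniffed != "unknown" and ext != sniffed_ext
    return {
        "filename": filename,
        "declared": ext,
        "sniffed": sniffed,
        "wmf": is_wmf,
        "mismatch": mismatch,
        # Block any WMF at all, and anything whose bytes contradict its name.
        "block": is_wmf or mismatch,
    }


def _standard_header(mtype: int = 1, version: int = 0x0300) -> bytes:
    # Constructed 18-byte METAHEADER: Type, HeaderSize, Version, Size (words),
    # NumberOfObjects, MaxRecord, NumberOfMembers. No drawing records follow.
    return struct.pack("<HHHIHIH", mtype, 9, version, 9, 0, 0, 0)


# Constructed samples: a GIF, a bare standard WMF, and a placeable WMF
# (22-byte placeable header followed by the standard header).
SAMPLE_GIF = b"GIF89a" + bytes(20)
SAMPLE_STANDARD_WMF = _standard_header()
SAMPLE_PLACEABLE_WMF = (
    struct.pack("<IHhhhhHIH", 0x9AC6CDD7, 0, 0, 0, 0, 0, 96, 0, 0)
    + _standard_header()
)

if __name__ == "__main__":
    for name, blob in [
        ("banner.gif", SAMPLE_GIF),
        ("banner.gif", SAMPLE_STANDARD_WMF),   # WMF masquerading as a GIF
        ("exp.wmf", SAMPLE_PLACEABLE_WMF),     # honestly named, still blocked
    ]:
        print(check_creative(name, blob))
```

The important design choice is ordering: the WMF test runs before any image-format test, so a creative cannot pass simply by being declared (or even served with a Content-Type of) image/gif. In a real pipeline the same verdict should be logged with the creative's origin network so a single bad upload can be traced back to its source, as iDefense did by hand here.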

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
