pouët.net

Go to bottom

POUET.NET is hacked / infected with a javascript worm

category: general [glöplog]
saga: Here's one example of an exploit that work(ed) in Firefox using the QuickTime plugin: http://www.gnucitizen.org/blog/0day-quicktime-pwns-firefox
added on the 2008-02-02 18:45:49 by scamp scamp
luckily, i've not installed any media plugins except flash... well, let's see how things develop.
Saga Musix: JYSK, the first/only? exploit there was on Opera on Wii was in fact in the Flash plugin. Thank you Adobe.

Flash is not exempt of exploits and it's massively spread, which makes it a very tempting target for russian sociopaths.
added on the 2008-02-02 18:55:17 by p01 p01
yeah, i'm aware of that...
Darn!. I should not have leeched so much russian pron...
added on the 2008-02-02 19:03:18 by Virgill Virgill
aaah, greetings, victim of the RBN \o/
beware, we can't be sure anymore it's really Virgill, it could be an RBN bot :-)
added on the 2008-02-02 19:41:20 by sparcus sparcus
Saga: I once read about some shit you referred, the "buy antispyware software" and such (sometimes it was about registry file fixers). This was specially harmful for Explorer users IIRC, and stated that either pressing Accept or Cancel could led to infection (maybe it is a popup box instead of a page the thing that appeared to you?) so the best way to avoid contagion was to manually stop/killing the process, or trying to close it with right button->close.

So even pressing the Cancel button might have not been a good idea :(
added on the 2008-02-02 20:14:14 by stage7 stage7
wurstcaptures seems clean. can't see any suspicious javascript shit in the code. I updated my virus definitions and am doing a full system scan now.

Actually earlier this week my bowels caught a virus that made me puke and piss out of my ass for 3 days straight. now this... life truly sucks.
added on the 2008-02-02 20:37:47 by raer raer
whoopsie doopsie. I have no idea if I was infected. Well, the AV says nowt anyway, but that damn thing finds false positives all the time anyway. A quick fixmbr changed back my mbr if it was knackered. Who knows what else be lurking on this old machine of mine? Best remember to use another pc for wanking...er...banking then.

The scene lives on. Those sin waves and blitter objects must be giving the russians a good show anyway.
added on the 2008-02-02 20:39:50 by Gmitts Gmitts
For server admins etc who wish to block the RBN to prevent further attempts for now, I highly recommend null-routing the following netblocks owned by RBN cover entities, as we've just done for our backbone:

85.249.128.0/20
58.65.232.0/21

Those are the two netblocks currently used by RBN. They've got a whole bunch more. I recommend null-routing at least those two blocks above.

If you are running a linux server, you may use iptables to filter traffic from these netblocks:

Code: iptables -A INPUT -s 85.249.128.0/20 -j DROP iptables -A INPUT -s 58.65.232.0/21 -j DROP


However, keep in mind that they've got several AS with a big bunch of more rogue netblocks that they'll probably switch over to in the future.

Here's info about the two AS currently used by them and the announced blocks:
http://www.cidr-report.org/cgi-bin/as-report?as=AS27595
http://www.cidr-report.org/cgi-bin/as-report?as=AS30968

Especially AS27595 is known to hijack netblocks for years already and all announcements coming from there probably should be dropped.
added on the 2008-02-02 20:39:54 by scamp scamp
from my outpost web log :

01/02/2008 13:08:31 58.65.238.60 458 Bytes 262 Bytes
01/02/2008 13:08:29 www.pouet.net 4,0 KB 1 20,4 KB
01/02/2008 13:08:28 www.pouet.net 5,0 KB 58,4 KB

so FYI the attack began at least yesterday before 13h.

i'm glad i haven't installed quicktime (type 'about:plugins' in firefox to see which plugins you've got), does anyone know more about the flash vulnerability ?
added on the 2008-02-02 20:53:44 by Zest Zest
the QT vulnerability was patched ages ago for Firefox so I believe. This worm may have infected older firefox installations that don't have autoupdate on or IE installations. It may also have done bugger all. We'll know eventually, I suppose.
added on the 2008-02-02 21:24:49 by Gmitts Gmitts
I don't think anyone knows what exploit it was using, and most likely it was using a range of them against various software anyway.
added on the 2008-02-02 21:27:39 by psonice psonice
rarefluid: the messages appeared when clicking on the breakpoint banner, so it had to be the breakpoint site i guess...

stage7: if the script does not use a plugin exploit, i guess the cancel button could not have done anything. and i rather suspect that it download would have started even when i wouldn't have clicked anything, but i honestly don't want to try it again :P system seems to be clean anyways...
Please let us know what we (visitors to this site) should do to clean the virus that we now all have. eg. let us know when this virus actually has a name and is recognized by some virus scanner.
added on the 2008-02-03 03:08:08 by yesso yesso
Opera users are also affected?! This is damn scary, guys! I have loads of confidental data on my box related to our customers, I don't even want to imagine the disastrous effect if they come into the wrong hands. Anyone has an idea what should I do now? Scanned the system with NOD32 and it says shit.
added on the 2008-02-03 03:45:01 by Jailbird Jailbird
well, i have both AntiVir and AVG (with latest updates) chewing-up my harddrives right now - for what good it's worth :/
added on the 2008-02-03 04:00:29 by button button
first of all, DON'T PANIC. sit back and take a deep breath. thanks.

now, here are the actual facts (as far as I know right now. scamp and others, please correct me if I forget something or get some details wrong):

first and most important, you are only in danger if the "buy anti spyware software" window/pop-under ad appeared while/after visiting pouet, pain, demoparty.net, breakpoint.untergrund.net or any of the other 4 infected untergrund.net-hosted sites (virgill, litwin, dva, cycor). if that didn't appear, there's no reason to assume anything bad happened and you can officially relax now. furthermore, the injected javascript code appeared around friday evening, and definitely stopped working sometime before saturday 14:00 MET (part of the code comes from a site that now produces a 404 for some reason). it has since been removed from all affected sites and the ftp passwords have been changed (at least for the bigger scene sites). so if you didn't access any of the sites mentioned during that timeframe, you're definitely safe too.
added on the 2008-02-03 04:19:06 by ryg ryg
now, what actually happened:

  • apparently, the (ftp) logins used to insert the javascript code were obtained around january 8th. we know that the IPs the hacks to untergrund.net originated from belong to RBN. we also know that some sceners with ftp access to the sites mentioned above apparently have a sniffer/trojan/rootkit installed, because they definitely didn't give their logins to RBN voluntarily. because of the timeframe and the links to RBN, it seems very likely that this trojan is mebroot (http://www.symantec.com/enterprise/security_response/weblog/2008/01/from_bootroot_to_trojanmebroot.html), though i'm not sure whether that has been confirmed yet.
  • around the 10th of january, ftp.untergrund.net was accessed with these logins from an IP linked to RBN, presumably to verify whether they worked. some days later, a file was uploaded and immediately deleted, with the connection originating from RBN again. i assume the timeframe for other scene websites was similar.
  • as mentioned, the actual code injection happened sometime friday evening (don't know the exact time, i guess scamp can give a precise answer).


unresolved issues so far:

  • we don't know for sure how the logins were leaked in the first place. as said, the most likely candidate seems to be mebroot, but to my knowledge this hasn't been confirmed yet. so everyone with ftp access to the sites mentioned should definitely run a virus scan and a rootkit detector. re-writing the mbr just in case might be a good idea tool.
  • we don't know what exactly the injected javascript code did/does, because a significant portion went offline before anyone could look into it. what was left after that was definitely harmless. it seems likely that the missing part is a trojan downloader, but this is impossible to confirm right now.


we'll keep you posted as soon as we know more.
added on the 2008-02-03 04:37:01 by ryg ryg
Quote:
the injected javascript code appeared around friday evening, and definitely stopped working sometime before saturday 14:00 MET

That's good to hear, I was either drunk and/or sleeping during that time.
So here's to alcohol, the cause and solution to all of life's problems!
added on the 2008-02-03 05:57:43 by Jailbird Jailbird
Is there any assumption which plugin / leak may have been abused? antivir didn't find anything here, but I want to be sure...
RBN should stick to fake porn and warez sites and noob botnetization instead of poisoining sites like pouet, their malware/rootkit invasion is due to be detected and this is attracting too much attention to their filthy bizness...

added on the 2008-02-03 13:10:39 by Zest Zest
BB Image
oh well... does this come from the rootkit (if there is one :P) or is it just GParted? Message: "MBR may be invalid or non-standard."
Has anyone here ever tried to remove/disable all plugins in FireFox ?

I have found no UI dialog for that so I simply renamed all the dlls that are listed on the about:plugins page (wtf?!).

This was possible for all plugins but the Windows Media Player npdsplay.dll and npwmsdrm.dll files: When I rename/delete them, they keep coming back:

Code: 13:37:08 System:4 IRP_MJ_WRITE* C:\Programme\Windows Media Player\npdsplay.dll.new SUCCESS Offset: 327680 Length: 36864 13:37:08 System:4 IRP_MJ_WRITE* C:\Programme\Windows Media Player\npwmsdrm.dll.new SUCCESS Offset: 0 Length: 12288


WTF??! can anyone explain this to me ?

I tried to rename/delete the npwmsdrm.dll in the System32/dllcache directory but its still re-written as soon as I delete it!

When I delete the files in the ServicePackFiles/i386 directory a dialog popped up telling me to insert my XP CD to restore the files (it said that certain files required to run windows have been replaced.. sure...whatever)

[rant] This whole idea of browser plugins suxxxxx !! [/rant]
added on the 2008-02-03 13:53:57 by xyz xyz

login

Go to top