POUET.NET is hacked / infected with a javascript worm
category: general [glöplog]
Any idea which browsers are affected ?
Does anyone have a TCPDUMP of a request to http://www.googleanalitics.net/__utb.js?http://foo.bar.b.az ?
Does anyone have a TCPDUMP of a request to http://www.googleanalitics.net/__utb.js?http://foo.bar.b.az ?
This appears to be this trojan, not detected by current virus scanners it seems:
http://www.symantec.com/enterprise/security_response/weblog/2008/01/from_bootroot_to_trojanmebroot.html
http://www.symantec.com/enterprise/security_response/weblog/2008/01/from_bootroot_to_trojanmebroot.html
According to this:
http://rbnexploit.blogspot.com/2008/01/rbn-out-with-new-and-in-with-old.html
GMER might be able to remove the rookit behind the trojan:
http://www.gmer.net/
http://rbnexploit.blogspot.com/2008/01/rbn-out-with-new-and-in-with-old.html
GMER might be able to remove the rookit behind the trojan:
http://www.gmer.net/
sparcus: What makes you think so? At least I don't see the javascript code on the starting page of demoparty.net?
woops, sorry, my fault, it's some code for the real www.google-analytics.com, not these imposters :-)
Ok. It was my stupid antivirus which kept deleting it.
Sceners most likely infected with the trojan/root kit according to untergrund.net logs:
virgill, litwin, dva, cycor
virgill, litwin, dva, cycor
oh, and KB of course ;)
On the scene.org server only 2 hosted sites were infected:
pouet.net and pain.scene.org
pouet.net and pain.scene.org
pretty impressive. i'm still dying to figure out how that javascript file can automatically download and run an executable on my computer :)
good going scamp!
good going scamp!
Damn. That RBN study was really interesting. The scale of the operation is incredible, they really know what they're doing.
when accessing breakpoint.untergrund.net this morning i got some "buy anti spyware software" window openend in firefox, really suspicious. i got it when coming from wurstcaptures.untergrund.net but it only popped up one time... is it related to this hack?
skrebbel: most likely it scans your system, identifies all the plugins etc with their versions, finds one that has a flaw and then embeds something that causes a buffer overflow or whatever. They're getting clever.
Any suggestion on what it's installing, and what systems it affects? I'm sure it'll be infecting windows boxes, but how about linux, osx and whatever?
Any suggestion on what it's installing, and what systems it affects? I'm sure it'll be infecting windows boxes, but how about linux, osx and whatever?
Skrebbel: Considering to start Dutch Business Network? :)
I don't think that this exploit affects all browsers... and it certainly is an exploit cause otherwise there's no explanation for getting though to your hdd via javascript.... and I guess, if at all, only IE users need to panic ;-)
hashdash: if it's like the others recently, it'll also affect firefox, quicktime, flash, or whatever else it can find a hole in
kusma: naturally so. but really, i can quite appreciate the genius behind the more clever viruses and hacks that we come across every once in a while. especially as this one does not seem to be based on any social engineering, it seems to me as being one of the first decent viruses in a very long while (ever since they stopped spreading on floppies and in tiny file modifications and stuff).
hashdash: 2002 called.
psonice: if that's it, then that's pretty neat (and evil). and an awful lot of work. imagine being the manager of the team that found and cracked all those little thingies in all those plugins and crap, and getting asked what you do for a living by some chick in a bar. oh yeah i run a team of twenty russian sociopaths who find exploits in coincidental versions of browser plugins so that eventually my boss can empty peoples' bank accounts.
hashdash: 2002 called.
psonice: if that's it, then that's pretty neat (and evil). and an awful lot of work. imagine being the manager of the team that found and cracked all those little thingies in all those plugins and crap, and getting asked what you do for a living by some chick in a bar. oh yeah i run a team of twenty russian sociopaths who find exploits in coincidental versions of browser plugins so that eventually my boss can empty peoples' bank accounts.
Saga Musix: Yes, it is.
skrebbel: The url the javascript stuff tries to load more stuff from is 404 since we detected all this. Therefore we can't know what actually happens, and if browser exploits are being used. Appears that since about 14:00 GMT, they disabled the attack code. Maybe it will come back later so we can find out more...
skrebbel: The url the javascript stuff tries to load more stuff from is 404 since we detected all this. Therefore we can't know what actually happens, and if browser exploits are being used. Appears that since about 14:00 GMT, they disabled the attack code. Maybe it will come back later so we can find out more...
scamp: so was there any danger after pressing cancel and closing this strange website? i mean, you normally can't hide file downloads etc. to firefox...
me browser wanted to redirect to http://e.pepato.org/e/adsr.php?t=0 dunno if its info for the admins
yeti: yes, that's interesting info, thanks. However, that site now also is 404.
saga musix: I can't tell. I suggest running a virus scanner (with latest signatures) now. As long as those sites are 404, nobody can find out what they actually are doing. It might be simply "download and run this"-stuff, but otoh - quite a bunch of sceners who I don't expect to be so dumb to do such a thing obviously previously have been infected.
And of course there are exploits that work with firefox - the RBN for example is known to have used the QuickTime exploits for infections in 2007. Those QuickTime exploits also work with the FireFox QT plugin.
And of course there are exploits that work with firefox - the RBN for example is known to have used the QuickTime exploits for infections in 2007. Those QuickTime exploits also work with the FireFox QT plugin.
saga: most of the exploits install silently rather than downloading an installer or something, so yes.
skrebbel: they'll use known exploits rather than sitting down and trying to find them (a good reason to keep everything patched up on your box), plus any zero day exploits that they may even have bought the rights to.
skrebbel: they'll use known exploits rather than sitting down and trying to find them (a good reason to keep everything patched up on your box), plus any zero day exploits that they may even have bought the rights to.
psonice, that would be a really bad exploit than since i've never heard of something that could be done secretly in Firefox... anyway, i'll just scan my system but i doubt i will find anything \o/
saga: no doubt there are a few ways of doing it in firefox, take a look back through their update details for security fixes. There's probably not anything that serious being exploited in the latest version, but you can never tell if it's not made public. But besides, that kind of infection can be done through any of the dozens of plugins like quicktime, flash, realplayer, media player, ...