POUET.NET is hacked / infected with a javascript worm
category: general [glöplog]
saga: Here's one example of an exploit that work(ed) in Firefox using the QuickTime plugin: http://www.gnucitizen.org/blog/0day-quicktime-pwns-firefox
luckily, i've not installed any media plugins except flash... well, let's see how things develop.
Saga Musix: JYSK, the first/only? exploit there was on Opera on Wii was in fact in the Flash plugin. Thank you Adobe.
Flash is not exempt of exploits and it's massively spread, which makes it a very tempting target for russian sociopaths.
yeah, i'm aware of that...
Darn!. I should not have leeched so much russian pron...
aaah, greetings, victim of the RBN \o/
beware, we can't be sure anymore it's really Virgill, it could be an RBN bot :-)
Saga: I once read about some shit like what you referred to, the "buy antispyware software" and such (sometimes it was about registry file fixers). This was especially harmful for Explorer users IIRC, and it stated that either pressing Accept or Cancel could lead to infection (maybe it was a popup box instead of a page that appeared to you?), so the best way to avoid contagion was manually stopping/killing the process, or trying to close it with right button->close.
So even pressing the Cancel button might have not been a good idea :(
wurstcaptures seems clean. can't see any suspicious javascript shit in the code. I updated my virus definitions and am doing a full system scan now.
Actually earlier this week my bowels caught a virus that made me puke and piss out of my ass for 3 days straight. now this... life truly sucks.
whoopsie doopsie. I have no idea if I was infected. Well, the AV says nowt anyway, but that damn thing finds false positives all the time anyway. A quick fixmbr changed back my mbr if it was knackered. Who knows what else be lurking on this old machine of mine? Best remember to use another pc for wanking...er...banking then.
The scene lives on. Those sin waves and blitter objects must be giving the russians a good show anyway.
For server admins etc who wish to block the RBN to prevent further attempts for now, I highly recommend null-routing the following netblocks owned by RBN cover entities, as we've just done for our backbone:
85.249.128.0/20
58.65.232.0/21
Those are the two netblocks currently used by RBN. They've got a whole bunch more. I recommend null-routing at least those two blocks above.
If you are running a linux server, you may use iptables to filter traffic from these netblocks:
Code:
iptables -A INPUT -s 85.249.128.0/20 -j DROP
iptables -A INPUT -s 58.65.232.0/21 -j DROP
However, keep in mind that they've got several AS with a big bunch of more rogue netblocks that they'll probably switch over to in the future.
Here's info about the two AS currently used by them and the announced blocks:
http://www.cidr-report.org/cgi-bin/as-report?as=AS27595
http://www.cidr-report.org/cgi-bin/as-report?as=AS30968
Especially AS27595 is known to hijack netblocks for years already and all announcements coming from there probably should be dropped.
from my outpost web log :
01/02/2008 13:08:31 58.65.238.60 458 Bytes 262 Bytes
01/02/2008 13:08:29 www.pouet.net 4,0 KB 1 20,4 KB
01/02/2008 13:08:28 www.pouet.net 5,0 KB 58,4 KB
so FYI the attack began at least yesterday before 13h.
i'm glad i haven't installed quicktime (type 'about:plugins' in firefox to see which plugins you've got), does anyone know more about the flash vulnerability ?
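An added example (not code from the thread, from pouet.net or from the untergrund.net admins) tying the two posts above together: it takes the two RBN netblocks posted for null-routing, checks every source IP found in Outpost-style firewall log lines against them (the 58.65.238.60 hit from the log excerpt falls inside 58.65.232.0/21), and renders the blackhole route plus the iptables DROP rule for each block. The log lines are constructed to mirror the quoted format; the use of `ip route add blackhole` as the host-level equivalent of the backbone null-route is my choice, not something the poster described.

```python
"""Check firewall/web log source IPs against the RBN netblocks posted in the
thread, and render the null-route / iptables rules for those blocks.
Added example, not from the original thread."""
import ipaddress
import re

# The two netblocks named in the thread (assumed current as posted).
RBN_NETBLOCKS = [
    ipaddress.ip_network("85.249.128.0/20"),
    ipaddress.ip_network("58.65.232.0/21"),
]

# Constructed sample, modelled on the Outpost log excerpt quoted above.
SAMPLE_LOG = """\
01/02/2008 13:08:31 58.65.238.60 458 Bytes 262 Bytes
01/02/2008 13:08:29 www.pouet.net 4,0 KB 20,4 KB
01/02/2008 13:08:28 www.pouet.net 5,0 KB 58,4 KB
01/02/2008 13:09:02 85.249.130.17 1,2 KB 300 Bytes
01/02/2008 13:09:05 192.0.2.10 600 Bytes 1,1 KB
"""

_IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def matching_block(ip_text, blocks=RBN_NETBLOCKS):
    """Return the netblock containing ip_text, or None (also for non-IPs)."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    for block in blocks:
        if ip in block:
            return block
    return None


def flag_log_lines(log_text, blocks=RBN_NETBLOCKS):
    """Return [(line_no, ip, netblock)] for each line whose host field is a
    dotted-quad IP inside one of the blocks. Hostname entries such as
    www.pouet.net carry no IP and are skipped."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = _IPV4.search(line)
        if not m:
            continue
        block = matching_block(m.group(1), blocks)
        if block is not None:
            hits.append((n, m.group(1), str(block)))
    return hits


def null_route_rules(blocks=RBN_NETBLOCKS):
    """Render, per block, a Linux blackhole route (host-level equivalent of
    the backbone null-route) and the iptables DROP rule posted in the thread."""
    rules = []
    for block in blocks:
        rules.append(f"ip route add blackhole {block}")
        rules.append(f"iptables -A INPUT -s {block} -j DROP")
    return rules


if __name__ == "__main__":
    for n, ip, block in flag_log_lines(SAMPLE_LOG):
        print(f"line {n}: {ip} is inside RBN block {block}")
    print("\n".join(null_route_rules()))
```

Run it against a real log export instead of SAMPLE_LOG to find other connections to those blocks; the rules it prints still need root to apply, and the second block (58.65.232.0/21) is the one the logged 58.65.238.60 falls into.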
the QT vulnerability was patched ages ago for Firefox so I believe. This worm may have infected older firefox installations that don't have autoupdate on or IE installations. It may also have done bugger all. We'll know eventually, I suppose.
I don't think anyone knows what exploit it was using, and most likely it was using a range of them against various software anyway.
rarefluid: the messages appeared when clicking on the breakpoint banner, so it had to be the breakpoint site i guess...
stage7: if the script does not use a plugin exploit, i guess the cancel button could not have done anything. and i rather suspect that the download would have started even if i hadn't clicked anything, but i honestly don't want to try it again :P system seems to be clean anyways...
Please let us know what we (visitors to this site) should do to clean the virus that we now all have. eg. let us know when this virus actually has a name and is recognized by some virus scanner.
Opera users are also affected?! This is damn scary, guys! I have loads of confidental data on my box related to our customers, I don't even want to imagine the disastrous effect if they come into the wrong hands. Anyone has an idea what should I do now? Scanned the system with NOD32 and it says shit.
well, i have both AntiVir and AVG (with latest updates) chewing-up my harddrives right now - for what good it's worth :/
first of all, DON'T PANIC. sit back and take a deep breath. thanks.
now, here are the actual facts (as far as I know right now. scamp and others, please correct me if I forget something or get some details wrong):
first and most important, you are only in danger if the "buy anti spyware software" window/pop-under ad appeared while/after visiting pouet, pain, demoparty.net, breakpoint.untergrund.net or any of the other 4 infected untergrund.net-hosted sites (virgill, litwin, dva, cycor). if that didn't appear, there's no reason to assume anything bad happened and you can officially relax now. furthermore, the injected javascript code appeared around friday evening, and definitely stopped working sometime before saturday 14:00 MET (part of the code comes from a site that now produces a 404 for some reason). it has since been removed from all affected sites and the ftp passwords have been changed (at least for the bigger scene sites). so if you didn't access any of the sites mentioned during that timeframe, you're definitely safe too.
now, what actually happened:
- apparently, the (ftp) logins used to insert the javascript code were obtained around january 8th. we know that the IPs the hacks to untergrund.net originated from belong to RBN. we also know that some sceners with ftp access to the sites mentioned above apparently have a sniffer/trojan/rootkit installed, because they definitely didn't give their logins to RBN voluntarily. because of the timeframe and the links to RBN, it seems very likely that this trojan is mebroot (http://www.symantec.com/enterprise/security_response/weblog/2008/01/from_bootroot_to_trojanmebroot.html), though i'm not sure whether that has been confirmed yet.
- around the 10th of january, ftp.untergrund.net was accessed with these logins from an IP linked to RBN, presumably to verify whether they worked. some days later, a file was uploaded and immediately deleted, with the connection originating from RBN again. i assume the timeframe for other scene websites was similar.
- as mentioned, the actual code injection happened sometime friday evening (don't know the exact time, i guess scamp can give a precise answer).
unresolved issues so far:
- we don't know for sure how the logins were leaked in the first place. as said, the most likely candidate seems to be mebroot, but to my knowledge this hasn't been confirmed yet. so everyone with ftp access to the sites mentioned should definitely run a virus scan and a rootkit detector. re-writing the mbr just in case might be a good idea too.
- we don't know what exactly the injected javascript code did/does, because a significant portion went offline before anyone could look into it. what was left after that was definitely harmless. it seems likely that the missing part is a trojan downloader, but this is impossible to confirm right now.
we'll keep you posted as soon as we know more.
Quote:
the injected javascript code appeared around friday evening, and definitely stopped working sometime before saturday 14:00 MET
That's good to hear, I was either drunk and/or sleeping during that time.
So here's to alcohol, the cause and solution to all of life's problems!
Is there any assumption which plugin / leak may have been abused? antivir didn't find anything here, but I want to be sure...
RBN should stick to fake porn and warez sites and noob botnetization instead of poisoning sites like pouet, their malware/rootkit invasion is due to be detected and this is attracting too much attention to their filthy bizness...
Has anyone here ever tried to remove/disable all plugins in FireFox ?
I have found no UI dialog for that so I simply renamed all the dlls that are listed on the about:plugins page (wtf?!).
This was possible for all plugins but the Windows Media Player npdsplay.dll and npwmsdrm.dll files: When I rename/delete them, they keep coming back:
Code:
13:37:08 System:4 IRP_MJ_WRITE* C:\Programme\Windows Media Player\npdsplay.dll.new SUCCESS Offset: 327680 Length: 36864
13:37:08 System:4 IRP_MJ_WRITE* C:\Programme\Windows Media Player\npwmsdrm.dll.new SUCCESS Offset: 0 Length: 12288
WTF??! can anyone explain this to me ?
I tried to rename/delete the npwmsdrm.dll in the System32/dllcache directory but its still re-written as soon as I delete it!
When I delete the files in the ServicePackFiles/i386 directory a dialog popped up telling me to insert my XP CD to restore the files (it said that certain files required to run windows have been replaced.. sure...whatever)
[rant] This whole idea of browser plugins suxxxxx !! [/rant]