Internet advertising provider Falk AG was compromised by the BOFRA exploit yesterday, and details about the information follow:
http://www.lurhq.com/iframeads.html
Release Date
November 21, 2004
IFRAME Vulnerability Being Exploited Through Banner Ads
Analysis 1: Virtumonde Adware
Virtumonde is a well-known adware trojan that hijacks victim browsers and forces them to display popup ads based on keywords in the sites they are visiting. For instance, a user visiting a page with keywords related to travel may display popup ads for sites such as vipfares.com, a discount-travel site with a long list of customer complaints about fraudulent practices.
***************************************************************
Warning: Do not visit any of the URLs provided below in Internet Explorer or you will become infected. URLs have spaces added to prevent accidental click-throughs.
*****************************************************************
The infection process consists of the following 8 steps:
1. as.adwave.com / asFrame.aspx?GU=http:%2F%2Fwww.matchservice.com%2F?aid=tsmatch&lid=1&PT=Match+Service&SC=YES - banner ad
2. www.matchservice.com / ?aid=tsmatch&lid=1 - redirect to 4hotstocks.com / dating.php
3. 4hotstocks.com / dating.php - uses iframe to include URL #4
4. 83.149.86.132 / header.html - encrypted jscript which uses iframe to include URL #5
5. 83.149.86.132 / indexms.html - latest IE exploit - downloads and runs exe file at URL #6
6. 83.149.86.132 / minst.exe (2,560 bytes) - small downloader trojan - downloads and runs exe file at URL #7
7. 62.4.84.45 / minst.exe (40,960 bytes) - slightly larger downloader trojan. Checks to see if system has a .gov or .mil domain name, and exits if it does. If not, downloads and runs exe file at URL #8
8. 62.4.84.41 / mmdom.exe - Virtumonde adware trojan. Other code may be downloaded, such as updates.virtumonde.com / bkinst.exe
Another banner ad server is also serving up the infections:
oas-central.realmedia.com / RealMedia/ads/click_lx.ads/www.ap.com/ringtonegoldnovio3657abb/ 288414746/x01/ExactAdv/ringtonegold_io3657a_bbringtonegold_io3657a_bb.html/ 34316435643739393431323335313630?http:// www.ringtonegold.com /?aid=exact&lid=pp
- which downloads www.ringtonegold.com / ?aid=exact&lid=pp
- which includes in an iframe 4hotstocks.com / header.html?adsw
- which is the same as step #4 above.
Despite the references to "RealMedia", the site above is not connected to RealNetworks.
Analysis 2: Trojan.Agent.EC
There is another group using the IE IFRAME exploit to install a backdoor downloader trojan known as Trojan.Agent.EC. This scheme uses the following steps:
1. freeringers . net - includes base64-encoded javascript and a javascript base64 decoder. When the appended script is decoded, it uses an iframe to include URL #2
2. [hacked site]/u/c.html - IE IFRAME buffer overflow exploit. Shellcode downloads trojan from URL #3
3. [hacked site]/u/l.exe - downloader trojan - retrieves exe from URL #4
4. [hacked site]/u/w.php - Delivers a backdoor trojan known as Trojan.Agent.EC. Listens on a random port for another executable of the attacker's choice to be uploaded and executed.
The sites above are being rotated frequently and are not just small, unknown sites - one of the hacked sites included a well-known Hollywood film studio's website.
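Both chains above leave the same footprint in an outbound proxy log: a banner-ad request leads, hop by hop through Referer headers, to an HTML page on a bare-IP host, and shortly afterwards a Referer-less .exe is pulled from a bare-IP host (the exploit shellcode or the downloader stage fetches it, so no browser Referer is sent). The following detection logic is an added example, not code from LURHQ or the advisory; it assumes a simplified four-column log format and uses constructed sample lines with reserved example hosts in place of the real ones listed above.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample proxy log lines (epoch, client, URL, Referer or "-"); the hosts are
# reserved example names/addresses standing in for the ad server, redirector, IP-hosted
# exploit pages and downloader stages described in the advisory.
SAMPLE_LOG = """\
1101000000 10.0.0.5 http://as.ads.example/asFrame.aspx?GU=http://www.match.example/ -
1101000001 10.0.0.5 http://www.match.example/?aid=x http://as.ads.example/asFrame.aspx?GU=http://www.match.example/
1101000002 10.0.0.5 http://dating.example/dating.php http://www.match.example/?aid=x
1101000003 10.0.0.5 http://192.0.2.10/header.html http://dating.example/dating.php
1101000004 10.0.0.5 http://192.0.2.10/indexms.html http://192.0.2.10/header.html
1101000006 10.0.0.5 http://192.0.2.10/minst.exe -
1101000020 10.0.0.5 http://198.51.100.7/minst.exe -
1101000100 10.0.0.7 http://www.news.example/ -
1101000102 10.0.0.7 http://dl.vendor.example/update.exe http://www.news.example/
"""

def is_bare_ip(url):
    """True when the URL's host is a literal IP address rather than a hostname."""
    try:
        ipaddress.ip_address(urlsplit(url).hostname or "")
        return True
    except ValueError:
        return False

def referer_chain(ref_of, url, depth=10):
    """Walk Referer headers backwards to recover the redirect/iframe chain."""
    chain = []
    while url and url not in chain and len(chain) < depth:
        chain.append(url)
        url = ref_of.get(url)
    return chain[::-1]

def find_driveby_chains(log_text, window=60):
    """Per client: a Referer-less .exe fetched from an IP host within `window` seconds of
    an IP-hosted page reached via a Referer chain. Returns (client, [ad ... page, exe])."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        ts, client, url, ref = line.split()
        by_client[client].append((int(ts), url, None if ref == "-" else ref))
    hits = []
    for client, reqs in sorted(by_client.items()):
        reqs.sort(key=lambda r: r[0])
        ref_of = {u: r for _, u, r in reqs}
        for ts, url, ref in reqs:
            if ref is not None or not is_bare_ip(url) or not url.lower().endswith(".exe"):
                continue  # only Referer-less .exe pulls from IP hosts are candidates
            landing = [u for t, u, r in reqs if 0 <= ts - t <= window and r is not None
                       and is_bare_ip(u) and not u.lower().endswith(".exe")]
            if landing:  # latest IP-hosted page before the exe anchors the chain
                hits.append((client, referer_chain(ref_of, landing[-1]) + [url]))
    return hits
```

On the sample log this reports two chains for the infected client (the first-stage and the second-stage downloader, each from a different IP host, as in steps 6 and 7 above) and nothing for the client that only fetched a vendor update with a normal Referer.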
Solution
If you are unable to avoid using Internet Explorer due to corporate policy or other obstacles, disable Active Scripting in the Internet Zone of Internet Explorer and only enable it for trusted sites until a patch is released by Microsoft. Note that this does not remove your exposure to the vulnerability, only to these particular threats, which rely on JavaScript to trigger it. At this time XP SP2 is not affected due to the buffer-overflow protection incorporated in the service pack. However, a new, unrelated exploit has just been released that allows remote code installs on SP2, and it is expected that adware vendors and trojan authors will begin to use it in the near future.
About LURHQ Corporation
LURHQ Corporation is the trusted provider of Managed Security Services. Founded in 1996, LURHQ has built a strong business protecting the critical information assets of more than 400 customers by offering managed intrusion prevention and protection services. LURHQ's 24X7 Incident Handling capabilities enable customers to enhance their security posture while reducing the costs of managing their security environments. LURHQ's OPEN Service Delivery(TM) methodology facilitates a true partnership with customers by providing a real time view of the organization's security status via the Sherlock Enterprise Security Portal. For more information visit http://www.lurhq.com.
Copyright (c) 2004 LURHQ Corporation. Permission is hereby granted for the redistribution of this document electronically. It is not to be altered or edited in any way without the express written consent of LURHQ Corporation. If you wish to reprint the whole or any part of this document in any other medium excluding electronic media, please e-mail advisories@lurhq.com for permission.
Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties implied or otherwise with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information.