
June 08, 2007

Hosting Sites –what are they hosting exactly?

Posted by Hannah Rosenbaum at 03:55 PM

Our automated crawlers detect thousands of exploits every day. Recently, we have detected a spike in the number of exploits spreading across certain hosting sites. The worst offender seems to be proboards.com, an Internet forum provider, which hosts over two million online forums. We have also seen spikes in active exploits on hosting sites like neosite.ro.

The examples above may indicate a trend of hosting providers themselves being targeted, which in turn affects hundreds or even thousands of their sub-domains. Given this threat, hosting providers need to be more vigilant so that they are not putting their users at undue risk, as ProBoards appears to be doing.

On proboards.com we have detected hundreds of unique exploits, and we estimate that thousands of sub-domains may be affected. When we visited one of the hacked ProBoards sub-domains, we were redirected to advancedhunt.com, which hijacked our browser to display deceptive warnings of spyware infestation, followed by a stealth installation of the rogue anti-spyware program PestTrap.

[Screenshot: proboards1.png]

[Screenshot: proboards4_smaller.png]

We are contacting the providers and will keep you posted. In the meantime, users should be very cautious with any sub-domain on these sites.

We will soon be marking these sites red until the providers clean up their acts. The irony is that many providers have recently proclaimed increased concern about malware. We wish they would direct some of that concern at themselves and spend some time cleaning up their own sites.

June 07, 2007

Simple Javascript generates "Exploit"

Posted by Shane Keats at 12:36 PM

The Return of Hacking for "Fun"?
We regularly find malicious web sites and, nowadays, most of these attacks are run by organized criminals or malware affiliates trying to steal your information or infect your system with rogue software. The days of teenage hackers sitting in garages testing out their computer savvy while fighting acne seem to be waning. So it is always intriguing to find an attack that seems to serve no purpose but to Shock n' Awe, especially when it doesn't even rely on any browser vulnerabilities or sophisticated tricks.

Harry Sverdlove, the developer of our exploit crawl, found one recently that is too "good" not to share. It's reminiscent of the shock sites we looked at recently and remarkably easy to execute. The tricks begin with the domain itself -- http(colon)//www777.bravehost.com. By creating a cleverly named sub-domain, the creator of the hack borrows the legitimacy of the parent domain. But that's a minor point.

Take a look at the following video (7.5MB .mov file) and then read Harry's analysis of what's going on behind the screen.

The Exploited
It's actually amazing how simple this little puppy is. It doesn't seem to actually cause any permanent damage (aside from possibly crashing your system and annoying the heck out of you). It doesn't even seem to rely on any actual browser vulnerabilities – just stupid things the browser allows, and references to various other sites. Even calling this an "exploit" is probably a stretch.

The Ads
Before the fun can begin, three copies of the same hoster advertising are shown, containing some random banner ads (from mercury.bravenet.com) and popup advertising windows (from jupiter.bravenet.com).

The Gross
Then three truly offensive pictures are shown (taken from some user's home page at geocities.jp). If you want to see them – and please be warned, these are just gross – replace the word 'colon' with ':'.

http(colon)//www.geocities.jp/manave_kawori/chou_bittkuri_hieee/kyouretsu_ver/sexy_gal.JPG
http(colon)//www.geocities.jp/manave_kawori/chou_bittkuri_hieee/kyouretsu_ver/kawaii_gal.JPG
http(colon)//www.geocities.jp/manave_kawori/chou_bittkuri_hieee/kyouretsu_ver/albarosa_good.JPG

These are followed by 99 repeats of a blood-curdling scream. Again, replace the word 'colon'.

http(colon)//www.geocities.jp/manave_kawori/chou_bittkuri_hieee/kyouretsu_ver/bittkuri_voice.wav

The Taunt
Then you get treated to four copies of a Flash movie singing about what an idiot you are. See:

http(colon)//www.albinoblacksheep.com/flash/you.html

(Note: Many anti-virus engines will flag the above link, including McAfee, which detects it as "JS/Winbomb trojan". This is because the JavaScript contains commands that move the browser window around, making it hard to close. If you are using IE6 or later, or Firefox, that behavior is blocked by the browser, so you will not see it. In any case, the behavior is not damaging, just annoying.)

The Visual
Then the real show begins, which is too bad in a way, because it follows so quickly on the prelude that most people will never see what happened above.

A script opens 200 telnet windows, all of them trying to contact www.warez.com. Each telnet:// URL is handed to the program registered for that protocol (telnet.exe on Windows), so every window is a separate process. In and of itself this probably does nothing damaging to your system (except eat up resources and bandwidth, and possibly overload warez.com), but it does make for a rather dramatic visual effect.

Aside from the distraction, it could serve another purpose: there have been exploits that overwrite the default telnet.exe program. If the earlier code had done that, the replaced "telnet.exe" would be trivially launched from the browser simply by embedding telnet:// URLs, as is being done here. In our tests, we did not observe telnet.exe being overwritten.

Achieving this takes just two lines of JavaScript. (Contact us directly for details.)

The Finale
After the "telnet effect", a simple piece of JavaScript enters an infinite loop trying to view random files on drive A: (typically the floppy disk drive). This hangs the browser, likely opens an endless series of Notepad windows, displays an endless series of "Drive not ready" messages (assuming there is no readable media in A:), and eventually just starts displaying crash dialog boxes. Combine this with the earlier telnet windows, songs and nasty images, and you are likely to throw the computer away if it hasn't already crashed on you.

What is remarkable is how easy it is to hose a system with another short piece of JavaScript. (Contact us directly for details.) That is all it takes to grind a browser to a halt, pound your A: drive into submission, and overload Windows by launching too many processes.