
June 08, 2007

Hosting Sites –what are they hosting exactly?

Posted by Hannah Rosenbaum at 03:55 PM

Our automated crawlers detect thousands of exploits every day. Recently, we have detected a spike in the number of exploits spreading across certain hosting sites. The worst offender seems to be proboards.com, an Internet forum provider, which hosts over two million online forums. We have also seen spikes in active exploits on hosting sites like neosite.ro.

The examples above may be indicative of a trend of hosters being targeted for attack. That, in turn, is affecting hundreds or even thousands of their sub-domains. In the wake of this threat, hosting providers need to be more vigilant, so that they’re not putting their users at undue risk the way that ProBoards seems to be doing.

On proboards.com, we have detected hundreds of unique exploits, and we estimate thousands of sub-domains may actually be affected. When we visited one of the hacked ProBoards sub-domains we were redirected to advancedhunt.com, which hijacked our browser to display deceptive warnings of spyware infestation followed by a stealth installation of the rogue anti-spyware program PestTrap.


We are contacting the providers and will keep you posted. In the meantime, users should be very cautious of any sub-domains on these sites.

We will soon be marking these sites red until the providers clean up their acts. The irony is that many providers have recently proclaimed increased concern about anti-malware. We wish they would direct some of that concern to themselves and spend some time to clean up their own sites.

June 07, 2007

Simple Javascript generates "Exploit"

Posted by Shane Keats at 12:36 PM

The Return of Hacking for "Fun"?
We regularly find malicious web sites and, nowadays, most of these attacks are run by organized criminals or malware affiliates trying to steal your information or infect your system with rogue software. The days of teenage hackers sitting in garages testing out their computer savvy while fighting acne seem to be waning. So it is always intriguing to find an attack that seems to serve no purpose but to Shock n' Awe, especially when it doesn't even rely on any browser vulnerabilities or sophisticated tricks.

Harry Sverdlove, the developer of our exploit crawl, found one recently that is too "good" not to share. It's reminiscent of the shock sites we looked at recently and remarkably easy to execute. The tricks begin with the domain itself -- http(colon)//www777.bravehost.com. By creating a cleverly named sub-domain, the creator of the hack borrows the legitimacy of the parent domain. But that's a minor point.

Take a look at the following video (7.5MB .mov file) and then read Harry's analysis of what's going on behind the screen.

The Exploited
It's actually amazing how simple this little puppy is. It doesn't seem to actually cause any permanent damage (aside from possibly crashing your system and annoying the heck out of you). It doesn't even seem to rely on any actual browser vulnerabilities – just stupid things the browser allows, and references to various other sites. Even calling this an "exploit" is probably a stretch.

The Ads
Before the fun can begin, three copies of the same hoster advertising are shown, containing some random banner ads (from mercury.bravenet.com) and pop-up advertising windows (from jupiter.bravenet.com).

The Gross
Then three truly offensive pictures are shown (taken from some user's home page at geocities.jp). If you want to see them – and please be warned these are just gross – replace the word 'colon'.

http(colon)//www.geocities.jp/manave_kawori/chou_bittkuri_hieee/kyouretsu_ver/sexy_gal.JPG
http(colon)//www.geocities.jp/manave_kawori/chou_bittkuri_hieee/kyouretsu_ver/kawaii_gal.JPG
http(colon)//www.geocities.jp/manave_kawori/chou_bittkuri_hieee/kyouretsu_ver/albarosa_good.JPG

This is followed by 99 repeats of a blood-curdling scream. Again, replace the word 'colon'.

http(colon)//www.geocities.jp/manave_kawori/chou_bittkuri_hieee/kyouretsu_ver/bittkuri_voice.wav

The Taunt
Then you get treated to four copies of a flash movie singing about what an idiot you are. See:

http(colon)//www.albinoblacksheep.com/flash/you.html

(Note: Many anti-virus engines will flag the above link, including McAfee, which detects it as "JS/Winbomb trojan". This is because the JavaScript contains commands to move the browser window around, making it hard to close. If you are using IE6 or later, or Firefox, that functionality is no longer allowed, so you will not see this behavior. In any case, the behavior is not damaging, just annoying.)

The Visual
Then the fun begins, and it's really too bad – because this occurs too soon after the above prelude, so most people won't even see what happened above.

A script opens 200 telnet windows, all of them trying to contact www.warez.com. In and of itself, this probably doesn't do anything damaging to your system (except to eat up resources and bandwidth, and possibly overload warez.com) but it does make for a rather dramatic visual effect.

Aside from the distraction, it could serve another purpose – there are a number of exploits which can be used to overwrite the default telnet.exe program. If that were accomplished by the earlier code, then the new/infected "telnet.exe" would be easy to launch from a browser by simply embedding "telnet://" urls as is being done here. In our tests, we did not observe telnet.exe being overwritten.

It's amazingly simple how this can be achieved using two lines of JavaScript. (Contact us directly for details).

The Finale
After the "telnet effect", there is a simple piece of JavaScript that enters an infinite loop trying to view random files on drive A: (typically the floppy disk drive). This basically will hang the browser, likely open an infinite number of Notepad windows, display an infinite number of "Drive not ready" messages (assuming there actually isn't some readable media in A:) and eventually just start displaying crash dialog boxes. Combine this with the earlier telnet windows, songs, and nasty images, and you are likely to just throw the computer away if it hasn't already crashed on you.

What is remarkable is how easy it is to hose a system with another short piece of JavaScript code. (Contact us directly for details). That's all it takes to grind a browser to a halt, pound your A: drive into submission, and overload Windows by launching too many processes.
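The behaviors Harry describes (telnet:// URIs used to spawn processes, a loop hammering drive A:, window-moving calls) are easy to look for statically when a crawler fetches a page. The following is an added example written for this post, not SiteAdvisor's crawler code; the indicator rules, thresholds and the sample pages (placeholder hosts) are all constructed.

```python
import re

# Static indicators for the behaviour the post describes (constructed
# heuristics, not the SiteAdvisor crawler's own rules).
SCRIPT_RX = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
TELNET_RX = re.compile(r"""telnet://[^\s"'<>]+""", re.I)
DRIVE_A_RX = re.compile(r"""(?:file:///?|["'])A:[\\/]""", re.I)
MOVE_RX = re.compile(r"\bwindow\.(?:moveTo|moveBy)\s*\(", re.I)
OPEN_IN_LOOP_RX = re.compile(
    r"\b(?:for|while)\s*\([^)]*\)\s*\{[^}]*window\.open\s*\(", re.I | re.S)

def scan_html(html: str) -> dict:
    """Count each indicator and list which rules the page trips."""
    scripts = "\n".join(SCRIPT_RX.findall(html))
    counts = {
        "telnet_uri_total": len(TELNET_RX.findall(html)),
        "telnet_uri_in_script": len(TELNET_RX.findall(scripts)),
        "drive_a_ref": len(DRIVE_A_RX.findall(scripts)),
        "window_move": len(MOVE_RX.findall(scripts)),
        "open_in_loop": len(OPEN_IN_LOOP_RX.findall(scripts)),
    }
    flagged = []
    # One telnet: link is a normal BBS page; dozens in markup, or any
    # telnet: URI assembled inside a script, is the mass-launch pattern.
    if counts["telnet_uri_total"] >= 20 or counts["telnet_uri_in_script"]:
        flagged.append("mass-telnet-launch")
    if counts["drive_a_ref"]:
        flagged.append("floppy-drive-loop")
    if counts["window_move"]:
        flagged.append("window-mover")
    if counts["open_in_loop"]:
        flagged.append("popup-loop")
    return {"counts": counts, "flagged": flagged}

# Constructed sample pages (placeholder hosts, not the real sites).
SAMPLE_PAGE = r"""<html><body>
<script>
for (var i = 0; i < 200; i++) { window.open("telnet://host.example.invalid/"); }
</script>
<script>
window.moveTo(Math.random() * 800, Math.random() * 600);
while (true) { window.open("file:///A:/" + Math.random() + ".txt"); }
</script>
</body></html>"""
CLEAN_PAGE = '<a href="telnet://bbs.example.invalid/">Connect to the BBS</a>'

if __name__ == "__main__":
    for name, page in (("sample", SAMPLE_PAGE), ("clean", CLEAN_PAGE)):
        print(name, scan_html(page))
```

A single telnet: hyperlink on an ordinary page is left alone; the rules only trip on the volume or script-assembled form of the URIs.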

April 18, 2007

NASCAR? No, it's the Spy Sheriff Exploit

Posted by Aaron Weber at 08:37 PM

NASCAR is one of the most popular and fastest-growing spectator sports in the United States, but that doesn't stop the occasional race track from going under, like Tioga Motorsports Park did in 2005. It looks like their troubles started before that, though: as far back as 2002, someone had registered the domain "tiogamotorsportspark dot com" and set up a different kind of racy site-- one we rate red.

Actually, they did something a little trickier than that: They set up a redirect from there to another red site, impliedscripting dot com, and then from there to the red site repuc dot info and finally from that to the security-risk porno site advancedhunt dot com. On Advanced Hunt, files continue to load from a series of sites identified only by IP address.

Unfortunately for any unsuspecting race fans, the trouble doesn't end there. Our exploit expert Harry says the site is also host to Spy Sheriff, a program that pretends to be anti-spyware and is nearly impossible to remove once it's installed. Spy Sheriff, also known as "Pest Trap," tries to trick computer users into buying the program by warning them about made-up threats to their systems.

Here's a video-- watch the status bar in the lower left corner of the window as it cycles through the different risky websites. Then, notice the dialog that pops up warning about infections: that's Spy Sheriff.

April 13, 2007

Animated cursor vulnerability continues

Posted by Aaron Weber at 04:27 PM

This isn't strictly SiteAdvisor-related, but be sure to update your Windows to protect you from a new attack based on animated cursors. The latest variation is appearing in spam messages that feature naked celebrities. Secure Computing has more details.

April 11, 2007

Last Measure Shock Site: An Internet "Prank" with an Exploit Inside

Posted by Aaron Weber at 07:25 PM

Over the last few weeks, prominent blogger Kathy Sierra has made headlines after receiving a series of increasingly violent threats on her blog and other websites. Internet pundits gathered together to try to promote civility online. Tim O'Reilly and others have proposed a blogger code of conduct.

It's an extreme example of an issue the Web has long struggled with -- how to deal with trolls: people who derive a special joy in annoying, offending, disrupting, and threatening other people online. One (non-violent) kind of trolling is called crapflooding -- joining a blog or forum to provoke controversy or just crowd out conversation by posting nonsense. The sheer volume of comments can sometimes overwhelm servers.

In other words, they're jerks.

SiteAdvisor's take on shock sites

SiteAdvisor flags trolls as "red," not for obnoxious behavior, but for noxious coding. In a favorite tactic, trolls trick people into visiting shock sites, web pages designed to horrify. For example, someone might join a technical discussion to say "I've found a relevant whitepaper on the topic over here..." and then link to the shock site instead. The best-known is "goatse" which prominently features a man's distended anus. Links to the goatse page were so common in Slashdot discussions that the site owners had to develop a series of countermeasures aimed at making it more obvious where links were headed. They were only somewhat effective.

Perhaps the most ambitious shock site yet was produced in 2005 by the trolling group GNAA. Called "Last Measure," it combines JavaScript, Java, and Flash exploits to open hundreds or thousands of browser windows which move around the screen. Each window displays a randomly selected medical or sexual anomaly from around the world, and a dozen or so embedded media players which scream "Hey everybody! I'm looking at gay porno!" If you've accidentally clicked on it at work, and happen to have speakers on, expect everyone to come see just what you've done. Then be prepared to try to undo some damage: it's probably gotten into your registry. On some systems, Last Measure will also attempt to start email and IRC clients. Even on our relatively secure Windows XP test machine, with popup-blocking turned on, we had to reboot to get rid of the page.

Want to see what it looks like? Here's a video. We've clipped the porn out, but left in the unsettling medical photos and screaming.

Taking the Last Measure to MySpace

Mirrors of the Last Measure code have cropped up on a few sites around the web, including this one, flagged as red by SiteAdvisor. Message-board pranksters have been playing the same games with it as usual: we spotted a MySpace group where all the links are switched to Last Measure sites (click here if you really want to see it). They achieved this not through some secret hack, but with relatively simple HTML: MySpace lets users post linked images in messages. GNAA posted a message with a transparent image set to cover the entire page, and linked that image to Last Measure.

Figure: Images on this MySpace forum redirect to a Last Measure mirror site

Note in particular the "u=" argument on the linked URL. It allows the GNAA member "timecop" to take credit for everyone who clicks through to Last Measure from this page.
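The transparent full-page image trick and the credit-taking "u=" argument described above can be caught with a simple check on user-posted HTML before it is rendered. This is an added example, not MySpace's or SiteAdvisor's code; the forum's "own" host names and the sample post are constructed, and the size thresholds are an assumption.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

def _covers_viewport(attrs: dict) -> bool:
    """Heuristic: image sized or positioned to blanket the whole page."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if re.search(r"position:(absolute|fixed)", style):
        return True
    sizes = [attrs.get("width") or "", attrs.get("height") or ""]
    sizes += re.findall(r"(?:width|height):([^;]+)", style)
    for size in sizes:
        m = re.fullmatch(r"(\d+)(%|px)?", size.strip())
        if not m:
            continue
        if (m.group(2) == "%" and int(m.group(1)) >= 100) or \
           (m.group(2) != "%" and int(m.group(1)) >= 1000):
            return True  # assumed threshold: >= 100% or >= 1000px
    return False

class LinkedImageFinder(HTMLParser):
    """Collect <img> elements wrapped in an off-site <a> that cover the page."""
    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts = {h.lower() for h in own_hosts}
        self.current_href = None
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self.current_href = attrs.get("href")
        elif tag == "img" and self.current_href and _covers_viewport(attrs):
            host = (urlsplit(self.current_href).hostname or "").lower()
            if host and host not in self.own_hosts:
                self.findings.append({"href": self.current_href,
                                      "src": attrs.get("src")})

    def handle_endtag(self, tag):
        if tag == "a":
            self.current_href = None

def find_page_covering_links(html: str, own_hosts) -> list:
    parser = LinkedImageFinder(own_hosts)
    parser.feed(html)
    return parser.findings

# Constructed forum post: a transparent full-page image linked off-site
# (with a credit-taking "u=" argument) next to an ordinary linked thumbnail.
POST_HTML = """<p>check this out</p>
<a href="http://mirror.example.invalid/?u=some-handle"><img src="clear.gif"
   width="100%" height="100%" style="position:absolute;top:0;left:0"></a>
<a href="http://forum.example/profile"><img src="me.jpg" width="120"></a>"""
```

Run `find_page_covering_links(POST_HTML, {"forum.example"})` to see the off-site full-page link reported while the normal thumbnail passes.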

What's the motivation of the Last Measure gang? It's hard to tell. There might be a financial angle: if the registry changes create security holes, GNAA members could come back later and install adware or spyware, or simply sell the addresses of compromised systems to third party attackers. On the other hand, they could be doing it because they enjoy ruining it for everyone else. Taking credit in the URL argument seems to point to some kind of a contest between timecop and other GNAA members over who can trick more people into visiting the shock sites.

Whatever the motivation, the losers in this battle are clear -- forums and blogs that become unusable and the consumers, often kids, who are exposed to hateful content. SiteAdvisor will continue to flag these kinds of sites red.