pouët.net

POUET.NET is hacked / infected with a javascript worm

category: general [glöplog]
Any idea which browsers are affected ?

Does anyone have a TCPDUMP of a request to http://www.googleanalitics.net/__utb.js?http://foo.bar.b.az ?
added on the 2008-02-02 16:51:47 by p01 p01
This appears to be this trojan, not detected by current virus scanners it seems:

http://www.symantec.com/enterprise/security_response/weblog/2008/01/from_bootroot_to_trojanmebroot.html
added on the 2008-02-02 16:53:26 by scamp scamp
According to this:

http://rbnexploit.blogspot.com/2008/01/rbn-out-with-new-and-in-with-old.html

GMER might be able to remove the rookit behind the trojan:

http://www.gmer.net/

added on the 2008-02-02 16:57:28 by scamp scamp
sparcus: What makes you think so? At least I don't see the javascript code on the starting page of demoparty.net?
added on the 2008-02-02 16:57:54 by scamp scamp
woops, sorry, my fault, it's some code for the real www.google-analytics.com, not these imposters :-)
added on the 2008-02-02 16:59:31 by sparcus sparcus
Ok. It was my stupid antivirus which kept deleting it.
added on the 2008-02-02 17:01:56 by masterm masterm
Sceners most likely infected with the trojan/root kit according to untergrund.net logs:

virgill, litwin, dva, cycor
added on the 2008-02-02 17:04:13 by scamp scamp
oh, and KB of course ;)
added on the 2008-02-02 17:04:22 by scamp scamp
On the scene.org server only 2 hosted sites were infected:

pouet.net and pain.scene.org
added on the 2008-02-02 17:29:35 by Redhound Redhound
pretty impressive. i'm still dying to figure out how that javascript file can automatically download and run an executable on my computer :)

good going scamp!
added on the 2008-02-02 17:51:57 by skrebbel skrebbel
Damn. That RBN study was really interesting. The scale of the operation is incredible, they really know what they're doing.
when accessing breakpoint.untergrund.net this morning i got some "buy anti spyware software" window openend in firefox, really suspicious. i got it when coming from wurstcaptures.untergrund.net but it only popped up one time... is it related to this hack?
skrebbel: most likely it scans your system, identifies all the plugins etc with their versions, finds one that has a flaw and then embeds something that causes a buffer overflow or whatever. They're getting clever.

Any suggestion on what it's installing, and what systems it affects? I'm sure it'll be infecting windows boxes, but how about linux, osx and whatever?
added on the 2008-02-02 18:00:59 by psonice psonice
Skrebbel: Considering to start Dutch Business Network? :)
added on the 2008-02-02 18:01:01 by kusma kusma
I don't think that this exploit affects all browsers... and it certainly is an exploit cause otherwise there's no explanation for getting though to your hdd via javascript.... and I guess, if at all, only IE users need to panic ;-)
added on the 2008-02-02 18:04:09 by hashdash hashdash
hashdash: if it's like the others recently, it'll also affect firefox, quicktime, flash, or whatever else it can find a hole in
added on the 2008-02-02 18:05:49 by psonice psonice
kusma: naturally so. but really, i can quite appreciate the genius behind the more clever viruses and hacks that we come across every once in a while. especially as this one does not seem to be based on any social engineering, it seems to me as being one of the first decent viruses in a very long while (ever since they stopped spreading on floppies and in tiny file modifications and stuff).

hashdash: 2002 called.

psonice: if that's it, then that's pretty neat (and evil). and an awful lot of work. imagine being the manager of the team that found and cracked all those little thingies in all those plugins and crap, and getting asked what you do for a living by some chick in a bar. oh yeah i run a team of twenty russian sociopaths who find exploits in coincidental versions of browser plugins so that eventually my boss can empty peoples' bank accounts.
added on the 2008-02-02 18:10:56 by skrebbel skrebbel
Saga Musix: Yes, it is.

skrebbel: The url the javascript stuff tries to load more stuff from is 404 since we detected all this. Therefore we can't know what actually happens, and if browser exploits are being used. Appears that since about 14:00 GMT, they disabled the attack code. Maybe it will come back later so we can find out more...

added on the 2008-02-02 18:14:16 by scamp scamp
scamp: so was there any danger after pressing cancel and closing this strange website? i mean, you normally can't hide file downloads etc. to firefox...
me browser wanted to redirect to http://e.pepato.org/e/adsr.php?t=0 dunno if its info for the admins
added on the 2008-02-02 18:19:50 by the_Ye-Ti the_Ye-Ti
yeti: yes, that's interesting info, thanks. However, that site now also is 404.

added on the 2008-02-02 18:25:59 by scamp scamp
saga musix: I can't tell. I suggest running a virus scanner (with latest signatures) now. As long as those sites are 404, nobody can find out what they actually are doing. It might be simply "download and run this"-stuff, but otoh - quite a bunch of sceners who I don't expect to be so dumb to do such a thing obviously previously have been infected.

And of course there are exploits that work with firefox - the RBN for example is known to have used the QuickTime exploits for infections in 2007. Those QuickTime exploits also work with the FireFox QT plugin.
added on the 2008-02-02 18:30:14 by scamp scamp
saga: most of the exploits install silently rather than downloading an installer or something, so yes.

skrebbel: they'll use known exploits rather than sitting down and trying to find them (a good reason to keep everything patched up on your box), plus any zero day exploits that they may even have bought the rights to.
added on the 2008-02-02 18:31:41 by psonice psonice
psonice, that would be a really bad exploit than since i've never heard of something that could be done secretly in Firefox... anyway, i'll just scan my system but i doubt i will find anything \o/
saga: no doubt there are a few ways of doing it in firefox, take a look back through their update details for security fixes. There's probably not anything that serious being exploited in the latest version, but you can never tell if it's not made public. But besides, that kind of infection can be done through any of the dozens of plugins like quicktime, flash, realplayer, media player, ...
added on the 2008-02-02 18:36:23 by psonice psonice

login