Trojan uses MS hole to hijack browsers
Spinner
Birmingham, UK
A specially designed attack Web site is being used to install a Trojan horse program onto visiting vulnerable Windows machines. The Trojan then changes the DNS (Domain Name System) configuration on that computer so that requests for popular Web search engines like www.google.co.uk and www.altavista.com bring the Web surfer in question to a site run by the hackers instead.
Source - Infoworld
The attacks are just the latest in a string of online scams that rely on an easy-to-exploit flaw in IE known as the "ObjectData" vulnerability. Earlier attacks that relied on the vulnerability include a worm that spreads using America Online Inc.'s Instant Messenger network.
Microsoft released a patch for the ObjectData vulnerability, MS03-032, in August. However, even machines that applied that patch are vulnerable to the latest attack because of holes in that security patch, according to a bulletin posted by Network Associates Inc.
The Trojan horse program is called Qhosts-1 and rated a "low" threat, Network Associates (NAI) said. Trojan horse programs do not attempt to find and infect other systems. However, they do give attackers access to a compromised computer, often allowing a remote hacker to control the machine as if he or she were sitting in front of it.
Microsoft issued a statement Thursday saying that it was investigating reports of exploits for a variation on a vulnerability originally patched in Microsoft Security Bulletin MS03-032 and would release a fix for that hole shortly. A company spokesman could not say when the patch update will be released.
The Redmond, Washington, company recommended that customers worried about attacks install the latest Windows updates and change their IE Internet security zone settings to notify the user when suspicious programs are being run.
Qhosts-1 was installed on vulnerable Windows machines using attack code planted in a pop-up ad connected to a Web page set up by the hackers on a free Web hosting site, www.fortunecity.com, NAI said. The DNS servers used in the attack resided on systems owned by Houston, Texas, hosting firm Everyone's Internet, according to Richard Smith, an independent computer security consultant in Boston.
Those servers, as well as the fortunecity.com site used to install the Trojan, have been taken offline since the attack caught the attention of security experts. That will stop the DNS hijackings, but will also make it impossible for users on infected computers to browse the Web until their DNS configuration is restored, he said. However, as long as the Microsoft hole remains unpatched, similar attacks could be launched.
To be attacked, Windows machines had to be running Internet Explorer versions 5.01, 5.5 or 6.0, which contain the ObjectData vulnerability, and visit the Web site that launched the pop-up. The pop-up ad exploited the ObjectData vulnerability and then downloaded the Qhosts-1 Trojan from a Web site in Seattle, Smith said.
Counterpane Internet Security Inc., of Cupertino, California, said in a statement that it was tracking three possible infections by the Qhosts-1 Trojan on networks that it monitors.
There are still questions about how users were lured to the fortunecity.com site that installed the Trojan, but unsolicited commercial ("spam") e-mail with links to the site was a likely suspect and economic gain was a likely motive, Smith said.
Hackers used the DNS changes to drive Web surfers to a site that launched a variety of pop-up advertisements, resulting in increased Web traffic and advertising revenue for the individuals behind the scheme, he said.
The latest attack is an example of the increasingly sophisticated strategies used by malicious hackers, who adopt the strategies of legitimate online businesses, cobbling together available Web technologies in a "Tinker Toy" fashion to create sophisticated attacks, Smith said.
By relying on a network of sites hosted on free and fee-based Internet hosting sites, hackers also make it more difficult for authorities to follow their tracks. Identity theft frequently plays a role in the latest scams as well. Hackers use stolen credit card information to set up hosting accounts which are then used as part of Internet based attacks, he said.
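The hijack described in the article works by rewriting the victim's name resolution so that search-engine hostnames resolve to the attackers' server. As an added illustration (not code from the article, NAI or Microsoft), the Python below audits a Windows hosts file: it parses the mappings, flags watched domains pinned to any non-loopback address, and strips those lines so the file can be restored. The hosts content, the IP addresses and the watched-domain list are constructed samples, not indicators from the attack.

```python
import ipaddress

# Constructed sample hosts file, resembling what a hijacker might leave behind.
# All addresses are from the documentation range 192.0.2.0/24 and are made up.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# lines below were added by the hijacker (constructed example)
192.0.2.10      www.google.co.uk google.co.uk
192.0.2.10      www.altavista.com
0.0.0.0         windowsupdate.microsoft.com
"""

# Hostnames a user expects to reach the genuine site (assumed watch list).
WATCHED = {"www.google.co.uk", "google.co.uk", "www.altavista.com",
           "windowsupdate.microsoft.com"}


def parse_hosts(text):
    """Return [(ip, hostname), ...] for every mapping on non-comment lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue                            # malformed line: skip, don't crash
        entries.extend((ip, name.lower()) for name in names)
    return entries


def find_hijacks(entries, watched=WATCHED):
    """Flag watched names pinned anywhere except loopback (0.0.0.0 counts:
    it silently blackholes the site, e.g. to block patch downloads)."""
    return [(name, ip) for ip, name in entries
            if name in watched and not ipaddress.ip_address(ip).is_loopback]


def remove_hijacks(text, watched=WATCHED):
    """Return the hosts file text with every flagged mapping line removed."""
    kept = [raw for raw in text.splitlines()
            if not find_hijacks(parse_hosts(raw), watched)]
    return "\n".join(kept) + "\n"
```

On a real machine the file lives at %SystemRoot%\System32\drivers\etc\hosts; the resolver's configured DNS server addresses should be checked separately, since the article's Trojan also changed those.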
Comments
The virus has been cleaned but my Hosts file no longer works at all...
I also haven't been to any suspect sites, so I am wondering where I got it from too...
NS
criminal case.
Would you like to review the materials and give your opinion on what is possible to do now? I have consequences that are hard to live with now.
My lawyer John Leunig did nothing to defend me. I paid him $15,000 for a couple of hours of work.
My case is getting public attention now as an example of a miscarriage of justice. I could not defend myself, because I did not have enough money for a computer expert.
Now I have a computer expert company willing to work on a pro bono basis. They are defeating 75% of cases. This case may become a high profile case.
I was forced to confess to possession of child porn. I got browser hijackers while browsing the web. I was redirected to illegal sites against my will. Some illegal pictures were found on my hard drive only after recovery from unallocated clusters, without dates of file creation/download.
I do not know how courts can press so widely on people to convict them, while the whole Internet is a mess.
This is publication in Wired news
http://www.wired.com/news/infostructure/0,1377,63391,00.html
This is a publication in The Register
http://www.theregister.co.uk/2004/05/13/browser_hijacking_risks/
This is an article in the Washington Times, May 22, 2004. There is information about my case.
http://www.washtimes.com/commentary/20040521-084242-5633r.htm
This is publication in Globe and Mail
http://www.globeandmail.com/servlet/story/RTGAM.20040617.gttwhijac17/BNStory/Technology/
This is my story in www.inquisition21.com
http://www.inquisition21.com/article~view~7~page_num~3.html
The problems with my case were that police forensics never searched for Trojans. They did not even provide dates of file creation/download. All they wrote in the criminal complaint: all pictures were found in unallocated clusters. The illegal pictures were deleted. Probably they were deleted from the Internet cache, manually. I usually did this. I think the same hard drive clusters were not allocated to the Internet cache all the time. So after they are deleted, pics may be found in unallocated space. Maybe I am wrong?
My computer was held at the Mitsubishi Electric office from July 29 to September 13, when they took off the hard drive and sent it to the police. The HR person was angry with me. She later called the police and made a false statement that I told her I had illegal porn on my laptop. If I were an idiot, I could do this. Why a worker of Mitsubishi did this terrible thing, I do not know. But this is a crime too, and maybe a much more terrible crime.
Police searched my house on September 17, 2002, and found nothing. They confiscated the PC, and the laptop my friend ordered for me on eBay. I was the owner of this laptop for only 4 weeks. In the criminal complaint they put 16 pictures found in unallocated clusters, again without file names, folders, or dates. How was it possible to link those images to me? How could it be, from a forensic point of view? Also a police officer put in the criminal complaint that I told him I downloaded child porn. Again, I am not an idiot. They just needed to create a case.
Fima.
I'm sorry about your trouble, but I guess I just don't understand what exactly you want some total strangers on a forum site to do for you? Are you even asking a question? Or are you just venting... because if you are venting, that's fine, this is a supportive community... But as far as legal advice, I'm afraid you've come to the wrong place...