Welcome to the GoFuckYourself.com - Adult Webmaster Forum forums.

Old 06-29-2004, 09:28 PM   #1
KRL
Entrepreneur
 
Join Date: Oct 2002
Location: USA
Posts: 31,429
Watch Out For GIF Images Containing Hidden Malicious Code

On June 24th, a visitor to the SANS Internet Storm Center reported that his company was "...in the middle of a very disturbing ... issue regarding the adware/spyware/IE exploit genre..." He requested help analyzing an "encrypted or compressed" file that had been downloaded to a machine at their site. Tom Liston, one of our volunteer handlers, spent the weekend analyzing this issue. His findings are summarized here.

The victim of the attack found that a file called "img1big.gif" had been loaded onto their machine. Because of the account restrictions on the person running the machine, it had failed to install properly, which was why it had come to their attention. It is this file that they forwarded to the SANS Internet Storm Center for analysis.

The file is not a graphic file at all. It is actually a 27648 byte Win32 executable that has been compressed using the Open Source executable compressor UPX. This file decompresses to an 81920 byte file which contains two Win32 executables bound together. The first portion of the file (and what actually runs if the file extension is changed and the program is launched) is a "file dropper" Trojan, designed to install any executable concatenated to its body. The second half of the file consists of a Win32 DLL that is installed by the file dropper under Windows XP as a randomly named .dll file under C:\WINDOWS\System32\. This DLL is installed as a "Browser Helper Object" (BHO) under Internet Explorer.

A "Browser Helper Object" is a DLL that allows developers to customize and control Internet Explorer. When IE 4.x and higher starts, it reads the registry to locate installed BHOs and then loads them into the memory space for IE. The loaded BHOs then have access to all the events and properties of that browsing session. This particular BHO watches for HTTPS (secure) access to URLs of several dozen banking and financial sites in multiple countries.

When an outbound HTTPS connection is made to such a URL, the BHO then grabs any outbound POST/GET data from within IE before it is encrypted by SSL. When it captures data, it creates an outbound HTTP connection to http://www.refestltd.com/cgi-bin/yes.pl and feeds the captured data to the script found at that location.
__________________
If you would like to develop your domains, you can lease inexpensive foreign labor
from the leaders in the field at iWebmasters.com TO LOWER YOUR COSTS AND INCREASE YOUR PRODUCTION!

*** *** *** *** *** *** *** *** *** *** *** ***
Domains Adult News KRL's Newsletter Biz Tips Just Listed Domains
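An added example (not part of the thread or of the SANS analysis) of the check the write-up above implies: since IE finds BHOs by walking the registry, the fastest offline triage is to walk the same keys. The script parses a `reg export` of the two relevant keys (a constructed export is embedded; the CLSIDs, vendor name and DLL paths in it are made up) and resolves each BHO CLSID to the DLL that IE will load. The "flag anything under System32" rule is a heuristic chosen for this example, not a rule from the write-up.

```python
"""Inventory Internet Explorer Browser Helper Objects from a .reg export.

IE enumerates BHOs from HKLM\\...\\Explorer\\Browser Helper Objects; each subkey is a
CLSID, and the DLL IE will load is the default value of
HKCR\\CLSID\\{clsid}\\InprocServer32. This resolves that chain offline from a
`reg export` file so an analyst can review every DLL without starting IE.
"""
import re
from pathlib import PureWindowsPath

BHO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
           r"\Explorer\Browser Helper Objects")
CLSID_KEY = r"HKEY_CLASSES_ROOT\CLSID"

_SECTION = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unquote(s):
    """Strip the quotes of a .reg string and undo its \\\\ and \\" escapes."""
    return s[1:-1].replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: value}}; '@' is the default value.
    Only REG_SZ values are decoded; dword:/hex: payloads are kept as raw strings."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else _unquote(m.group(1))
            value = m.group(2)
            keys[current][name] = _unquote(value) if value.startswith('"') else value
    return keys


def in_system32(dll_path):
    """True when the DLL lives under a System32 directory."""
    return "system32" in [p.lower() for p in PureWindowsPath(dll_path).parts]


def list_bhos(keys):
    """One record per registered BHO with its resolved DLL path.

    Flagging rule (an assumption made for this example, not part of the SANS analysis):
    a BHO whose DLL sits in System32, or whose CLSID has no InprocServer32 at all,
    deserves a look. Legitimate BHOs ship under Program Files; the sample in the
    thread drops a randomly named DLL into System32.
    """
    by_lower = {k.lower(): v for k, v in keys.items()}
    prefix = BHO_KEY.lower() + "\\"
    records = []
    for key, values in keys.items():
        if not key.lower().startswith(prefix):
            continue
        clsid = key[len(prefix):]
        if "\\" in clsid:          # a deeper sub-key, not a BHO registration itself
            continue
        inproc = by_lower.get(f"{CLSID_KEY}\\{clsid}\\InprocServer32".lower(), {})
        dll = inproc.get("@")
        records.append({
            "clsid": clsid,
            "name": values.get("@", ""),
            "dll": dll,
            "suspicious": dll is None or in_system32(dll),
        })
    return records


# Constructed .reg export for the demo; the CLSIDs, vendor and paths are made up.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-AAAA-BBBB-CCCC-000000000001}]
@="Vendor PDF Link Helper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22222222-AAAA-BBBB-CCCC-000000000002}]

[HKEY_CLASSES_ROOT\CLSID\{11111111-AAAA-BBBB-CCCC-000000000001}\InprocServer32]
@="C:\\Program Files\\Vendor\\Reader\\ActiveX\\VendorIEHelper.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{22222222-AAAA-BBBB-CCCC-000000000002}\InprocServer32]
@="C:\\WINDOWS\\System32\\qkzrtvp.dll"
"ThreadingModel"="Apartment"
"""

if __name__ == "__main__":
    for rec in list_bhos(parse_reg(SAMPLE_REG)):
        flag = "REVIEW" if rec["suspicious"] else "ok    "
        print(flag, rec["clsid"], rec["name"] or "(no name)", "->", rec["dll"] or "(unresolved)")
```

On a suspect XP box, `reg export` of the BHO key and of HKCR\CLSID produces the input; those exports are UTF-16, so open them with `encoding="utf-16"` before passing the text in. A REVIEW hit is a lead, not a verdict: hash the DLL, check whether it is signed, and compare against a known-clean host before removing it.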
Old 06-29-2004, 09:30 PM   #2
Spunky
I need a beer
 
Join Date: Jun 2002
Location: ♠ Toiletville ♠
Posts: 133,944
Actually that has been happening for awhile...fucking weasels are really up on this...hope they all rot in hell
Old 06-29-2004, 09:31 PM   #3
Fletch XXX
GFY HALL OF FAME DAMMIT!!!
 
Join Date: Jan 2002
Location: that 504
Posts: 60,840
"You can point your gun at me
And hope it will go away
But if God was alive,
He would hate you anyway."

Cheers!

just checking in on vacation

__________________

Want an Android App for your tube, membership, or free site?

Need banners or promo material? Hit us up (ICQ Fletch: 148841377) or email me fletchxxx at gmail.com - recent work - About me
Old 06-29-2004, 09:31 PM   #4
StuartD
Sofa King Band
 
Join Date: Jul 2002
Location: Outside the box
Posts: 29,903
I love using Mozilla
Old 06-29-2004, 09:32 PM   #5
evildick
Guest
 
Posts: n/a
Great, how long before we will have to make our sigs static jpegs on gfy?
Old 06-29-2004, 09:32 PM   #6
iwantchixx
Too lazy to set a custom title
 
Join Date: Oct 2002
Location: The Boonies
Posts: 12,860
man this shit is getting more and more sinister with each exploit/hack/trojan that comes to light.
Old 06-29-2004, 09:32 PM   #7
gornyhuy
Chafed.
 
Join Date: May 2002
Location: Face Down in Pussy
Posts: 18,041
Anybody want me to write them a BHO?
It's gonna cost ya.
__________________

icq:159548293
Old 06-29-2004, 09:34 PM   #8
webair
Confirmed User
 
Join Date: Feb 2002
Location: NYC, NY
Posts: 8,531
any protection out on this one yet?
Old 06-29-2004, 09:36 PM   #9
brizzad
holla
 
Join Date: Jul 2003
Location: KFC
Posts: 11,769
if any coders want to hook me up on how to execute spyware using GIFs, contact me, my aim info is in my profile
Old 06-29-2004, 09:38 PM   #10
pimplink
Confirmed User
 
Join Date: Jun 2001
Location: Closer than you think
Posts: 9,535
Thanks for the info.
__________________

Need Mainstream Content and SEO?
SEO * Website Copy * Blogs
Blogging - PR Work - Forum Marketing - Social Marketing - Link building - Articles
100% Guaranteed Content!
Old 06-29-2004, 09:39 PM   #11
Groove
Confirmed User
 
Join Date: Jan 2003
Posts: 3,852
Quote:
Originally posted by brizzad
if any coders want to hook me up on how to execute spyware using GIFs, contact me, my aim info is in my profile
Old 06-29-2004, 09:40 PM   #12
brizzad
holla
 
Join Date: Jul 2003
Location: KFC
Posts: 11,769
Quote:
Originally posted by Groove

get over it

money is money

people can download ad-aware if it bothers them
Old 06-29-2004, 09:46 PM   #13
kenny
Confirmed User
 
Industry Role:
Join Date: Mar 2002
Posts: 7,245
The supreme court needs to stop wasting time with the porn sites and focus on shit like this
Old 06-29-2004, 09:48 PM   #14
KRL
Entrepreneur
 
Join Date: Oct 2002
Location: USA
Posts: 31,429
Quote:
Originally posted by brizzad
if any coders want to hook me up on how to execute spyware using GIFs, contact me, my aim info is in my profile
I don't even believe I'm seeing this.

Old 06-29-2004, 09:49 PM   #15
pxxx
First African GFY Member
 
Join Date: Mar 2004
Location: New Jersey
Posts: 12,114
Quote:
Originally posted by KRL
I don't even believe I'm seeing this.

Must be a dream
Old 06-29-2004, 09:49 PM   #16
KRL
Entrepreneur
 
Join Date: Oct 2002
Location: USA
Posts: 31,429
Quote:
Originally posted by brizzad
if any coders want to hook me up on how to execute spyware using GIFs, contact me, my aim info is in my profile
Yeh, one hot gallery on The Hun and you'd be a millionaire in a week.

Old 06-29-2004, 09:55 PM   #17
V_RocKs
Damn Right I Kiss Ass!
 
Join Date: Dec 2003
Location: Cowtown, USA
Posts: 32,409
Back in my trojanning days I met a chick who did a similar job in GIFs and when I tried to discuss it with a professor or two they'd always laugh me out of the room. You can't execute code from inside of a gif, there is no compiler (blah blah blah) and yada yada... So finally someone has probably paired it with IRC bots to infect hundreds a day and now all of a sudden it IS possible... funny how shit turns out.
Old 06-29-2004, 10:00 PM   #18
Snake Doctor
I'm Lenny2 Bitch
 
Join Date: Mar 2001
Location: On top of my soapbox
Posts: 13,449
Quote:
Originally posted by brizzad
if any coders want to hook me up on how to execute spyware using GIFs, contact me, my aim info is in my profile
Any coders want to hook me up on how to send this fucker a virus through his AIM?
__________________
sig too big
Old 06-29-2004, 10:05 PM   #19
Tuna
Confirmed User
 
Join Date: May 2002
Location: Steeler Country
Posts: 1,307
Quote:
Originally posted by brizzad
if any coders want to hook me up on how to execute spyware using GIFs, contact me, my aim info is in my profile

you must be kidding
Old 06-29-2004, 10:07 PM   #20
StuartD
Sofa King Band
 
Join Date: Jul 2002
Location: Outside the box
Posts: 29,903
Quote:
Originally posted by KRL
Yeh, one hot gallery on The Hun and you'd be a millionaire in a week.

tough to spend a million from prison, unless it was offered as an alternative to his hairy ass
Old 06-29-2004, 10:15 PM   #21
Shoehorn!
Die With Your Boots On
 
Join Date: Oct 2003
Location: Hawaii
Posts: 22,872
Fuck, pretty soon they'll have to just abandon this internet as we know it and start all over again from scratch. Mark my words, it'll happen.
Old 06-29-2004, 10:15 PM   #22
brizzad
holla
 
Join Date: Jul 2003
Location: KFC
Posts: 11,769
Quote:
Originally posted by MaskedMan
tough to spend a million from prison, unless it was offered as an alternative to his hairy ass

I'd set it up outside the u.s. lol
Old 06-29-2004, 10:57 PM   #23
FilthyRob
Confirmed User
 
Join Date: Feb 2004
Location: Anaheim - CA
Posts: 6,741
I have been battling fucked up spyware all week and I know it came from some TGP sites.

Fucking auto installing mother fuckers. I can't see how screwing up my machine is making anyone money. I couldn't even buy something from them if I wanted to. It fucks the browser up so bad that even when you click on the search listings from the auto installed hacked homepage, you just get ads to remove spyware.

The pay per click search engine traffic will become worthless at this rate really.
__________________
AKA - Clubsexy
Old 06-29-2004, 11:37 PM   #24
KRL
Entrepreneur
 
Join Date: Oct 2002
Location: USA
Posts: 31,429
Quote:
Originally posted by FilthyRob
I have been battling fucked up spyware all week and I know it came from some TGP sites.

Fucking auto installing mother fuckers. I can't see how screwing up my machine is making anyone money. I couldn't even buy something from them if I wanted to. It fucks the browser up so bad that even when you click on the search listings from the auto installed hacked homepage, you just get ads to remove spyware.

The pay per click search engine traffic will become worthless at this rate really.
Lose IE and use one of the more secure browsers.
Old 06-29-2004, 11:38 PM   #25
spywareboard com
Registered User
 
Join Date: May 2004
Posts: 20
This is evil.
__________________
spyware instant help
Old 06-29-2004, 11:39 PM   #26
AMADude
Confirmed User
 
Join Date: Apr 2004
Posts: 3,875
Quote:
Originally posted by MaskedMan
I love using Mozilla
__________________
No sig, just here to fuck around.
Old 06-29-2004, 11:41 PM   #27
baddog
So Fucking Banned
 
Industry Role:
Join Date: Apr 2001
Location: the beach, SoCal
Posts: 107,089
Quote:
Originally posted by KRL
Lose IE and use one of the more secure browsers.
I don't think this is a viable option for someone that reviews sites... you have to see what your surfer/member is going to see, and they are using MSIE
Old 06-29-2004, 11:41 PM   #28
Snake Doctor
I'm Lenny2 Bitch
 
Join Date: Mar 2001
Location: On top of my soapbox
Posts: 13,449
Quote:
Originally posted by KRL
Lose IE and use one of the more secure browsers.
That doesn't really help us from a business standpoint though.
Most surfers barely know how to open internet explorer, much less install and use opera or mozilla.
If this stuff keeps up surfers will be afraid to go to adult sites period.
Old 06-29-2004, 11:46 PM   #29
gazool
Confirmed User
 
Join Date: Aug 2003
Location: DK
Posts: 779
Mozilla Mozilla Mozilla Mozilla Mozilla
__________________
High Converting CCBILL Programs
Amateur/CFNM -> http://www.boozedwomen.com/tour/
Best Selling Granny Site -> http://www.excitedwives.com/tour/


If I had a hammer....
Old 06-30-2004, 12:18 AM   #30
SmokeyTheBear
►SouthOfHeaven
 
Join Date: Jun 2004
Location: PlanetEarth MyBoardRank: GerbilMaster My-Penis-Size: extralarge MyWeapon: Computer
Posts: 28,609
mozilla stopped using gif's ?? news to me hahah

mozilla has more holes than a golf course
__________________
hatisblack at yahoo.com
Old 06-30-2004, 01:13 AM   #31
EviLGuY
So Fucking Banned
 
Join Date: Apr 2003
Location: malta
Posts: 12,745
Hey Smokey did you even read the post?

"The file is not a graphic file at all. It is actually a 27648 byte Win32 executable that has been compressed using the Open Source executable compressor UPX. This file decompresses to an 81920 byte file which contains two Win32 executables bound together. The first portion of the file (and what actually runs if the file extension is changed and the program is launched) is a "file dropper" Trojan, designed to install any executable concatenated to its body. The second half of the file consists of a Win32 DLL that is installed by the file dropper under Windows XP as a randomly named .dll file under C:\WINDOWS\System32\. This DLL is installed as a "Browser Helper Object" (BHO) under Internet Explorer."

Does nothing at all to people on Mozilla. Mozilla is secure because not many people use it... so who is going to bother wasting time trying to exploit it? That being said... I am sure any holes that people do find will be patched with alacrity.
Old 06-30-2004, 01:16 AM   #32
chemicaleyes
UNSTOPPABLE
 
Join Date: Aug 2003
Location: UK :: ICQ# 156068
Posts: 11,569
Quote:
Originally posted by brizzad
if any coders want to hook me up on how to execute spyware using GIFs, contact me, my aim info is in my profile
__________________
No way as way, No limitation as limitation. AmeriNOC formerly PhatServers
Old 06-30-2004, 03:05 AM   #33
AgentCash
Confirmed User
 
Join Date: Feb 2002
Posts: 720
Actually if you read the write-up at
http://isc.sans.org/presentations/banking_malware.pdf
you'll find that the image file needs to be renamed to install itself. They theorize that a .chm exploit is used to rename the GIF and run it. So the fact that it's a GIF file isn't really important, it could have any file extension the attacker would like. JPG would work just as well.
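An added example (not from the thread, the SANS write-up or its authors) covering both the file described in the first post and AgentCash's point above that the extension is irrelevant: triage by bytes, not by name. The functions check for a GIF magic, walk any MZ/PE headers, read the section names (UPX leaves UPX0/UPX1 behind), and find a second executable concatenated after the first, which is the "two Win32 executables bound together" layout. The two sample files are constructed in the script; a minimal PE skeleton stands in for the real 27648-byte sample, which is not reproduced here.

```python
"""Triage a file that claims to be an image but may be a dropper.

What the SANS handler found: a '.gif' that is really a UPX-packed Win32 EXE carrying a
second executable appended to its body. The checks below recover each of those facts
from the bytes alone, so the name and extension play no part in the verdict.
"""
import struct

GIF_MAGICS = (b"GIF87a", b"GIF89a")
IMAGE_EXTS = {"gif", "jpg", "jpeg", "png", "bmp"}


def pe_signature_offset(data, mz_at):
    """Offset of 'PE\\0\\0' for the MZ header at mz_at, or None if it is not a real PE."""
    if data[mz_at:mz_at + 2] != b"MZ" or len(data) < mz_at + 0x40:
        return None
    e_lfanew, = struct.unpack_from("<I", data, mz_at + 0x3C)
    pe_at = mz_at + e_lfanew
    if pe_at + 24 > len(data) or data[pe_at:pe_at + 4] != b"PE\0\0":
        return None
    return pe_at


def section_names(data, pe_at):
    """Names from the section table that follows the COFF and optional headers."""
    n_sections, = struct.unpack_from("<H", data, pe_at + 6)
    opt_size, = struct.unpack_from("<H", data, pe_at + 20)
    table = pe_at + 24 + opt_size
    names = []
    for i in range(n_sections):
        off = table + 40 * i
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names


def find_pe_images(data):
    """Every offset holding an MZ header whose e_lfanew lands on a PE signature.
    A second hit after the first image is the payload the dropper carries."""
    hits, pos = [], data.find(b"MZ")
    while pos != -1:
        if pe_signature_offset(data, pos) is not None:
            hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def triage(filename, data):
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    pe_offsets = find_pe_images(data)
    sections = section_names(data, pe_signature_offset(data, 0)) if pe_offsets[:1] == [0] else []
    return {
        "filename": filename,
        "is_gif": data[:6] in GIF_MAGICS,
        "pe_offsets": pe_offsets,
        "sections": sections,
        # UPX names its sections UPX0/UPX1: a cheap tell, and cheaply renamed by an attacker
        "upx": any(n.startswith("UPX") for n in sections),
        # the extension lies when an image suffix sits on a file that begins with a PE image
        "extension_lies": ext in IMAGE_EXTS and pe_offsets[:1] == [0],
    }


def _fake_pe(names):
    """Constructed, non-loadable PE skeleton for the demo: MZ stub, PE signature,
    COFF header with no optional header, and bare section headers."""
    mz = bytearray(0x40)
    mz[:2] = b"MZ"
    struct.pack_into("<I", mz, 0x3C, 0x40)              # e_lfanew: right after the stub
    coff = struct.pack("<HHIIIHH", 0x014C, len(names), 0, 0, 0, 0, 0x0102)
    table = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in names)
    return bytes(mz) + b"PE\0\0" + coff + table


# Constructed samples: a tiny valid GIF, and a 'GIF' that is really a UPX-packed dropper
# with a second executable appended 8 bytes after the first image ends (offset 216).
REAL_GIF = b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 6 + b";"
FAKE_GIF = _fake_pe([b"UPX0", b"UPX1", b".rsrc"]) + b"\0" * 8 + _fake_pe([b".text", b".data"])

if __name__ == "__main__":
    for name, blob in (("logo.gif", REAL_GIF), ("img1big.gif", FAKE_GIF)):
        print(triage(name, blob))
```

For a real sample, run this on the file first, then unpack with `upx -d` and run it again on the output to see the dropper's own sections and the appended payload. The UPX check is name-based, and any packer or attacker can rename sections, so read a negative as "no obvious packer", not "unpacked"; the MZ/PE walk is the check that survives renaming.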
Old 06-30-2004, 03:09 AM   #34
strobi
Confirmed User
 
Join Date: Nov 2002
Location: Belgium
Posts: 7,383
woa! Imagine the data that "listener" server gets! Thousands and thousands of CC numbers/passwords...
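An added example (not from the thread or the SANS analysis) of what strobi's "listener" looks like from the defender's side. Because the BHO captures POST data inside IE before SSL wraps it, the bank session itself is clean on the wire; the only network artifact is the separate plain-HTTP POST to the collection script. The function below correlates, per client, an HTTPS CONNECT to a watched financial host with a plain-HTTP POST elsewhere shortly afterwards, and also matches the drop URL the write-up names. The log lines are constructed in squid access.log format; the financial watch list and the 10-second window are assumptions for this example.

```python
"""Spot the side channel: an HTTPS session to a bank followed by a plain-HTTP POST elsewhere.

The in-browser hook leaves the bank's TLS session intact, so the exfil shows up only as
a second, unencrypted request from the same client. A proxy or IDS that logs both the
CONNECT and the POST can correlate them.
"""
import re
from urllib.parse import urlsplit

# Squid-native access.log: time elapsed client action/code size method url ident hier type
LOG_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)

# Assumed watch list; the real BHO's list of several dozen sites was not published in the thread.
FINANCIAL_HOSTS = {"www.examplebank.com", "online.examplecu.org"}
# The collection URL named in the SANS analysis quoted in the first post.
KNOWN_DROP_URLS = {"http://www.refestltd.com/cgi-bin/yes.pl"}
WINDOW_SECONDS = 10.0


def host_of(method, url):
    if method == "CONNECT":                     # CONNECT host:port carries no scheme
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()


def find_exfil(lines, window=WINDOW_SECONDS):
    """Alerts for plain-HTTP POSTs that follow an HTTPS tunnel to a watched host from the
    same client within `window` seconds, plus any request to a known drop URL."""
    last_bank = {}     # client -> (timestamp, bank host) of its latest watched CONNECT
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, method, url = float(m["ts"]), m["client"], m["method"], m["url"]
        host = host_of(method, url)
        if method == "CONNECT" and host in FINANCIAL_HOSTS:
            last_bank[client] = (ts, host)
            continue
        reasons = []
        if url in KNOWN_DROP_URLS:
            reasons.append("known drop URL")
        if method == "POST" and url.startswith("http://") and host not in FINANCIAL_HOSTS:
            prev = last_bank.get(client)
            if prev and 0 <= ts - prev[0] <= window:
                reasons.append(f"plain POST {ts - prev[0]:.1f}s after HTTPS to {prev[1]}")
        if reasons:
            alerts.append({"client": client, "url": url, "reasons": reasons})
    return alerts


# Constructed log lines for the demo; clients and servers use documentation address ranges.
SAMPLE_LOG = """\
1088553000.123    245 10.0.0.5 TCP_TUNNEL/200 4120 CONNECT www.examplebank.com:443 - DIRECT/203.0.113.10 -
1088553003.456     98 10.0.0.5 TCP_MISS/200 512 POST http://www.refestltd.com/cgi-bin/yes.pl - DIRECT/198.51.100.7 text/html
1088553004.000     40 10.0.0.7 TCP_MISS/200 9001 GET http://www.example.com/index.html - DIRECT/203.0.113.20 text/html
1088553010.000     77 10.0.0.7 TCP_MISS/200 310 POST http://forms.example.net/submit - DIRECT/198.51.100.9 text/html
1088553100.000     60 10.0.0.5 TCP_MISS/200 300 POST http://cdn.example.org/track - DIRECT/203.0.113.77 text/html
"""

if __name__ == "__main__":
    for a in find_exfil(SAMPLE_LOG.splitlines()):
        print(a["client"], a["url"], "; ".join(a["reasons"]))
```

Only the first client trips the rule: its POST to the drop URL lands 3.3 seconds after its tunnel to the bank. The correlation alone will also catch ad beacons and analytics POSTs fired right after a banking page, so treat it as a lead to pivot on (which process on the client made the POST, what the body carried) rather than a verdict; the drop-URL match is the high-confidence part while that URL stays live.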
Old 06-30-2004, 03:16 AM   #35
Mr. Marks
Confirmed User
 
Join Date: Jun 2001
Location: Wherever I want
Posts: 7,517
Thanks for the information!
Old 06-30-2004, 03:32 AM   #36
grumpy
Too lazy to set a custom title
 
Join Date: Jan 2002
Location: Holland
Posts: 9,870
Quote:
Originally posted by brizzad
if any coders want to hook me up on how to execute spyware using GIFs, contact me, my aim info is in my profile
Show you how elite that 420-4-L thing is. Now you know. Stay away.
__________________
Don't let greediness blur your vision | You gotta let some shit slide
icq - 441-456-888
Old 06-30-2004, 03:37 AM   #37
chemicaleyes
UNSTOPPABLE
 
Join Date: Aug 2003
Location: UK :: ICQ# 156068
Posts: 11,569
Quote:
Originally posted by grumpy
Show you how elite that 420-4-L thing is. Now you know. Stay away.
1. It's not about being elite.
2. Don't be so quick to open your mouth.
Old 06-30-2004, 03:42 AM   #38
pudcat
Confirmed User
 
Join Date: Mar 2003
Posts: 1,169
Quote:
Originally posted by SmokeyTheBear
mozilla stopped using gif's ?? news to me hahah

mozilla has more holes than a golf course
GFY getting thicker and thicker by the day.

If you actually read the post you'd see that it uses the BHO... now my guess is telling me that Mozilla doesn't have this BHO.

I'm glad I use Linux and Mozilla
__________________
SUBMIT YOUR BABE GALLERIES

PROMOTE YOUR BLOG HERE

always looking for hardlinks icq #207011694

Thunder-Ball.net, good for hardlink exchanges
Old 06-30-2004, 04:31 AM   #39
SmokeyTheBear
►SouthOfHeaven
 
Join Date: Jun 2004
Location: PlanetEarth MyBoardRank: GerbilMaster My-Penis-Size: extralarge MyWeapon: Computer
Posts: 28,609
Quote:
Originally posted by pudcat
GFY getting thicker and thicker by the day.

If you actually read the post you'd see that it uses the BHO... now my guess is telling me that Mozilla doesn't have this BHO.

I'm glad I use Linux and Mozilla
Slip of the tongue, the argument is moot, the statement stands.