(malware) How an ordinary PC got "0wned" by hackers

This is a detailed account of a security expert unravelling the trail of malicious changes that are forced on a computer, simply by visiting a site called yahoogamez.com.

IMPORTANT -- if you are running Windows, please do not attempt to simulate any of this unless you know EXACTLY what you are doing.

Unless you've wisened up and use Firefox, of course!

Mini-glossary of terms used in those articles:
"0wned" -- hacker-speak for breaking into a computer permanently and being able to do whatever the hacker wants on it

"exploit" -- a known vulnerability that can be used as an entry point into a system

"UPX" -- a way to pack executable files

Follow the Bouncing Malware -- part I


I discovered that as far as the adware/spyware industry is concerned, you may be the one that plunked down a grand at your local consumer electronics store to purchase your PC, but THEY own it. They'll do whatever they want, whenever they want, and you don't get a say in the matter.

Part I starts by visiting "yahoogamez.com". Even before the user actually clicks anything, ads and other content on the page cause a chain reaction of malicious downloads and a CHM (Windows Help system, I think) exploit, ending with the IE home page and default search engine getting changed, and a piece of spyware getting installed on his machine.

Then the user clicks on a link that requires Flash, which he doesn't have so he comes back to the main page. At this point a trojan (identified by AV software as Win32/TrojanDownloader.Rameh.C) is downloaded!

Go to http://isc.sans.org/diary.php?date=2004-07-23 for the gory details.

And remember that's just PART I.

Follow the Bouncing Malware -- part II


So, what's the upshot of this whole mess? Well, Joe has had five new software packages installed onto his machine, redirecting his browsing, his searching, and his online purchases to suit the desires of the (no-doubt ;-) fine, upstanding people at ATPartners. His Internet browsing will now be "Simple, Exciting, and Personal" (ezula), he'll always know that "The Best Downloads are Free" (abetterinternet), his computer will show him the "Smart way to put money in your pocket" (TopRebates) and he needn't worry about adware/spyware any more because Virtual Bouncer has been installed to... uh... bounce it (Spyware Labs). Oh, and his online purchases will earn money for... uh... um.... someone. (SAHAgent). Joe should be so very, very happy.

Part II continues on the trail, showing exactly how all of the stuff described above happens! To add insult to injury, the "new" homepage installed in part I (see above) is a page that advertises... an anti-spyware program!!

And remember, part III is yet to come :-)

No comments: