I found this rather amusing, as it has been happening on IRC for more than a decade now. (Perhaps on ICQ and AIM as well, but the majority of people on my lists are clued users.)
Anyway, last night I got a strange IM.
Message from infecteduser at 21:08:14
damn gr8 picture for me http://urbansoot.net/show.php?file=img924.jpg
Making little sense, but trusting the sender, I checked it out. It didn’t load in Konqueror, which instead asked me for an appropriate application to view it with. Not to be dissuaded, I opened a new browser, which told me the content type was something other than JPEG.
Finally, I pulled the file down with wget and ran file on it to see what it actually was. (strings had nothing interesting to return from the binary.)
jasonb@faith:~$ file show.php\?file\=img924.jpg
show.php?file=img924.jpg: MS-DOS executable (EXE), OS/2 or MS Windows
Searching for the phrase above turned up nothing yesterday, so I submitted the file to a virus-scanning site for evaluation. As of yesterday no product detected it directly; VBA32 made a heuristic match for Backdoor.Rbot.51.
I have decided it isn’t interesting enough to set up a host for infection to evaluate what this trojan does to a Windows host.
Update, October 2nd. Now that the trojan has been analyzed, virustotal reports it as Trojan-Downloader.Win32.IstBar.lt for about half of the products that tested it. The other half still have no known signature for it. I found some more information about it at viruslist.com, though no immediate mention of the AOL IM transport that was used in this instance to automatically attempt to propagate via social engineering.
Update, October 7th. The administrator of urbansoot.net emailed me, so I have a little additional information on this particular compromise.
so, on sept. 20th 2005 @ about 6:00pm (-0700) some guy/girl hacked into my website, planted a virus, and distributed it to over 27k people on aim.
likely, i stopped it soon enough to transfer all the bandwidth to a website i made before (we get a cut from sales =) )
now, he deleted all the ftp logs but he still went to check if he was able to upload the virus by typing it in directly into a browser. that gave me his ip address (nobody else would know about that file on server except for him)
1.2.3.4 - - [20/Sep/2005:18:04:09 -0700] "GET /crkr.exe HTTP/1.1" 200 65536 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; iebar; acc=jocker)"
1.2.3.4 - - [20/Sep/2005:18:05:00 -0700] "GET /show.php?file=img924.jpg HTTP/1.1" 200 57400 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; iebar; acc=jocker)"
x.x.x.x - - [20/Sep/2005:18:06:12 -0700] "GET /show.php?file=img924.jpg HTTP/1.0" 200 150240 "-" "Mozilla/4.0 (compatible; MSIE 6.0; AOL 9.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
x.x.x.x - - [20/Sep/2005:18:06:12 -0700] "GET /show.php?file=img924.jpg HTTP/1.1" 200 98400 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
x.x.x.x - - [20/Sep/2005:18:06:13 -0700] "GET /show.php?file=img924.jpg HTTP/1.1" 200 150396 "-" "Mozilla/4.0 (compatible; MSIE 6.0; AOL 9.0; Windows NT 5.1; .NET CLR 1.0.3705)"
x.x.x.x - - [20/Sep/2005:18:06:13 -0700] "GET /show.php?file=img924.jpg HTTP/1.1" 200 150396 "-" "Mozilla/4.0 (compatible; MSIE 6.0; AOL 9.0; Windows NT 5.1; SV1; FunWebProducts; .NET CLR 1.1.4322)"
x.x.x.x - - [20/Sep/2005:18:06:13 -0700] "GET /show.php?file=img924.jpg HTTP/1.1" 200 150396 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6"
x.x.x.x - - [20/Sep/2005:18:06:14 -0700] "GET /show.php?file=img924.jpg HTTP/1.1" 200 90200 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
x.x.x.x - - [20/Sep/2005:18:06:14 -0700] "GET /show.php?file=img924.jpg HTTP/1.1" 200 150396 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)"
x.x.x.x - - [20/Sep/2005:18:06:14 -0700] "GET /show.php?file=img924.jpg HTTP/1.1" 200 150396 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6"
The attack vector is not known, although the administrator believes the attacker already knew the password for his FTP server. From the log above it’s clear that once the trojan was live it was being downloaded almost immediately by unsuspecting AOL Instant Messenger users.
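As an added example (not code from the original post), here are the two checks this post makes by hand, in Python: the file(1)-style comparison of what a URL claims to serve against the magic bytes it actually returns, and a scan of combined-format access logs for a single path suddenly fetched by many distinct clients within seconds, as in the excerpt above. The log lines and the 10.x addresses are constructed samples, not the administrator's real log.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed samples in Apache combined log format, modelled on the excerpt above
SAMPLE_LOG = [
    '1.2.3.4 - - [20/Sep/2005:18:04:09 -0700] "GET /crkr.exe HTTP/1.1" 200 65536 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '1.2.3.4 - - [20/Sep/2005:18:05:00 -0700] "GET /show.php?file=img924.jpg HTTP/1.1" 200 57400 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '10.1.1.1 - - [20/Sep/2005:18:06:12 -0700] "GET /show.php?file=img924.jpg HTTP/1.0" 200 150240 "-" "Mozilla/4.0 (compatible; AOL 9.0)"',
    '10.1.1.2 - - [20/Sep/2005:18:06:12 -0700] "GET /show.php?file=img924.jpg HTTP/1.1" 200 98400 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '10.1.1.3 - - [20/Sep/2005:18:06:13 -0700] "GET /show.php?file=img924.jpg HTTP/1.1" 200 150396 "-" "Mozilla/5.0 (Windows; Firefox/1.0.6)"',
    '10.1.1.4 - - [20/Sep/2005:18:06:14 -0700] "GET /show.php?file=img924.jpg HTTP/1.1" 200 150396 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
]
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) \S+" '
                    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"$')
# Leading bytes a file with the claimed extension should start with
MAGIC = {"jpg": (b"\xff\xd8\xff",), "jpeg": (b"\xff\xd8\xff",),
         "png": (b"\x89PNG\r\n\x1a\n",), "gif": (b"GIF87a", b"GIF89a")}

def type_mismatch(path, data):
    """The check the author did with file(1): does the payload match what the URL claims?"""
    m = re.search(r"\.([A-Za-z0-9]+)$", path)
    ext = m.group(1).lower() if m else ""
    if data.startswith(b"MZ"):                      # DOS/Windows executable header
        return "executable served as ." + ext if ext else "executable"
    if ext in MAGIC and not data.startswith(MAGIC[ext]):
        return "payload is not a " + ext
    return None

def parse(line):
    # Split one combined-log line into fields; None if it does not parse
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def fan_out(lines, window=60, min_ips=3):
    """Paths fetched by >= min_ips distinct clients within `window` seconds (the propagation burst)."""
    hits = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        hits[rec["path"]].append((rec["ts"], rec["ip"]))
    flagged = {}
    for path, reqs in hits.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            ips = {ip for t, ip in reqs[i:] if (t - t0).total_seconds() <= window}
            if len(ips) >= min_ips:
                flagged[path] = (len(ips), t0.isoformat())
                break
    return flagged
```

Run against the samples, fan_out flags only /show.php?file=img924.jpg, first crossing the threshold at the 18:06:12 burst, while the single earlier fetch from 1.2.3.4 stays below it.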