New Download.Ject Attack Serves Up Porn


A new version of June's Download.Ject attack is hitting users through a pair of instant messaging services, planting backdoors on fully-patched Windows XP PCs, and serving victims with a diet of porn ads.

According to Thor Larholm, a senior security researcher at Newport Beach, Calif.-based PivX Solutions, the new attack is probably the work of the same group of hackers who launched the original Download.Ject assault in June.

In that brief-but-high-profile attack, a group of Russian attackers compromised numerous Web servers running Microsoft software, then used a variety of vulnerabilities in the Internet Explorer browser to drop password- and bank account-stealing key loggers on systems whose users had simply surfed to sites hosted on the infected servers.

This attack, said Larholm, is different. "The attack comes in via AIM or ICQ instant messages, either from random users or users you may know," he said. If the user clicks on the link that reads "My personal home page http://XXXXXXX.X-XXXXXX.XXX/", the server attempts to download the Trojan using several IE vulnerabilities, including Object Data, Ibiza CHM, and MHTML Redirect, he added.

And rather than try to hijack financial data, the object of the new attack appears to be to display porn advertising on end users' machines. "It's still a financial motivation," said Larholm. "And since there's a back door installed, it could be used for other purposes later."

The most noticeable impact of an infection is a modified IE home page and changed search pane. In place of the user's designated home page, the new Download.Ject plants a porn ad page.
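The start-page and search-pane change described above lives in a handful of REG_SZ values under `HKCU\Software\Microsoft\Internet Explorer\Main` (`Start Page`, `Search Page`, `Search Bar`). The script below is an added example, not code from the article or from PivX: it parses a `reg export` of that key and flags any of those values whose host is not on an allowlist. The sample export, the hostnames in it and the allowlist are constructed for the example; the real lure domain is redacted in the article and is not reproduced here.

```python
"""Flag Internet Explorer start-page / search-pane hijacks in a .reg export.

Added example (not from the article). Assumes the export was made with
    reg export "HKCU\\Software\\Microsoft\\Internet Explorer\\Main" ie_main.reg
on the suspect machine, then copied to wherever this script runs.
"""
import re
from urllib.parse import urlparse

# Values under ...\Internet Explorer\Main that a home-page/search-pane
# hijack rewrites. Names are the real IE value names; the allowlist and
# sample data below are constructed for this example.
WATCHED_VALUES = ("Start Page", "Search Page", "Search Bar")

# "name"="string" lines of a .reg file; the value may contain \" and \\ escapes.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def unescape(s):
    """Undo the .reg escaping of backslash and double quote."""
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg_export(text):
    """Return {key_path: {value_name: string}} for the REG_SZ values only.

    dword:/hex: values and comment lines are skipped; that is enough for
    the URL-valued entries we care about.
    """
    result = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            result[current][m.group(1)] = unescape(m.group(2))
    return result


def find_hijacks(text, allowed_hosts):
    """Return (key, value_name, url) for watched values pointing off-allowlist.

    about:blank (and other about: pages) is treated as benign; anything
    else whose hostname is not in allowed_hosts is reported.
    """
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for key, values in parse_reg_export(text).items():
        if not key.lower().endswith(r"\internet explorer\main"):
            continue
        for name in WATCHED_VALUES:
            url = values.get(name)
            if url is None or url.lower().startswith("about:"):
                continue
            host = (urlparse(url).hostname or "").lower()
            if host not in allowed:
                findings.append((key, name, url))
    return findings


def load_reg_file(path):
    """reg export writes UTF-16 LE with a BOM; fall back to ANSI for old exports."""
    try:
        with open(path, encoding="utf-16") as fh:
            return fh.read()
    except UnicodeError:
        with open(path, encoding="cp1252", errors="replace") as fh:
            return fh.read()


# Constructed sample export: two hijacked values, one legitimate one, and an
# escaped string to exercise the parser. Domains are reserved example names.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://ads.hijack-sample.example/index.php?aff=123"
"Search Page"="http://ads.hijack-sample.example/search"
"Search Bar"="http://intranet.example.com/search"
"Window Title"="Internet Explorer \"corporate\""
"NoUpdateCheck"=dword:00000000
'''

# Hosts the organisation expects to see in these values (constructed).
ALLOWED_HOSTS = {"intranet.example.com"}

if __name__ == "__main__":
    for key, name, url in find_hijacks(SAMPLE_REG, ALLOWED_HOSTS):
        print(f"HIJACKED {name!r} in {key}: {url}")
```

On a live machine the same three values can be read directly with `reg query` or PowerShell's `Get-ItemProperty`; parsing an export keeps the check runnable offline on a collected artifact, which is usually how it is done during triage.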

The servers delivering the Trojan and backdoor are based in Russia, Uruguay, and the U.S., said Larholm, who added that the U.S.-based server appears to be a compromised machine. The Russian servers, however, appear to be deliberately serving up the pages linked in the IMs.

Larholm said that a fully-patched edition of Internet Explorer 6 running on Windows XP SP1 can be compromised by this newest attack, but that machines which have been updated with Windows XP Service Pack 2 (SP2) are safe.

Although there's no definitive proof, Larholm suspects that the same Russian-based HangUP hacker team behind the original Download.Ject attack is also running this show.

"It's not like they use signatures, but there are a lot of similarities, including similar code and even identical file names," he said.

"It doesn't surprise me at all that there's been another Download.Ject attack," added Ken Dunham, the director of malicious code research at iDefense. "There are multiple ways to code attacks against IE's vulnerabilities, and I think we'll continue to see more through the summer and early fall, at least until they prove to be unsuccessful."

