  1. #1
    Sassy Tyrant

    New Trojan Stealing PW? Non-FFXI sites.

    A person from my linkshell posted this on our forums today and I just wanted to post it here just incase this is kinda big. I'll quote the post directly.

    new trojan stealing PASSWORD.. located over 10,000 NON FFXI RELATED, LEGIT SITES. YOU COULD BE FUCKD RIGHT NOW. I didn't know about this until I went to creative.com trying to shop for a sound card. Story goes:

    Over 10,000 legitimate websites have been compromised and now have a javascript link that will direct visitors to a malicious website hosted on 2117966.net. The malicious website attempts to exploit the vulnerabilities described in MS06-014, MS07-004, MS06-067, MS06-057 and a number of ActiveX vulnerabilities.

    BLOCK 2117966.net from your host FILE NOW!

    Windows Vista = C:\WINDOWS\SYSTEM32\DRIVERS\ETC
    Windows XP = C:\WINDOWS\SYSTEM32\DRIVERS\ETC
    Windows 2K = C:\WINNT\SYSTEM32\DRIVERS\ETC
    Win 98/ME = C:\WINDOWS

    your host file is located in one of those

    simply add
    127.0.0.1 2117966.net
    to the bottom of your host file, now.

    more details can be read here: http://www.shadowserver.org/wiki/pmwiki ... r.20080313

  2. #2

    Re: New Trojan Stealing PW? Non-FFXI sites.

    GG @ the article.

    Thankies for info falisia.

  3. #3
    "Jammin'!"

    Re: New Trojan Stealing PW? Non-FFXI sites.

    Thank you for the warning, although I'm somewhat of a noob. What program do I open "hosts" with? >..

  4. #4
    Sea Torques

    Re: New Trojan Stealing PW? Non-FFXI sites.

    For the less technically inclined:

    new trojan stealing PASSWORD.. located over 10,000 NON FFXI RELATED, LEGIT SITES. YOU COULD BE FUCKD RIGHT NOW. I didn't know about this until I went to creative.com trying to shop for a sound card. Story goes:

    Over 10,000 legitimate websites have been compromised and now have a javascript link that will direct visitors to a malicious website hosted on 2117966.net. The malicious website attempts to exploit the vulnerabilities described in MS06-014, MS07-004, MS06-067, MS06-057 and a number of ActiveX vulnerabilities.

    BLOCK 2117966.net from your host FILE NOW!

    Windows Vista = C:\WINDOWS\SYSTEM32\DRIVERS\ETC
    Windows XP = C:\WINDOWS\SYSTEM32\DRIVERS\ETC
    Windows 2K = C:\WINNT\SYSTEM32\DRIVERS\ETC
    Win 98/ME = C:\WINDOWS

    your host file is located in one of those

    simply add
    127.0.0.1 2117966.net
    to the bottom of your host file, now.
    Find your operating system and copy and paste whatever C:\ extension into Run. (Press Windows+R to open Run).
    After pressing enter you should see something similar to this:
    http://img406.imageshack.us/img406/4669/folderjw7.png
    Right Click Hosts, and go to Properties. It will look like this:
    http://img262.imageshack.us/img262/6...pertieswp5.png
    Make sure that read only is unchecked.
    Now, Open hosts in Wordpad or Notepad. Scroll down to the very bottom and add this text to it:
    http://img262.imageshack.us/img262/1466/wordpadqm9.png

    Now you are protected. Also, if you haven't already installed Firefox and Noscript, do it. People are getting hacked constantly, over and over. By this time there are people who have fallen victim and people who haven't taken the necessary preventions to protect themselves.


    Note: this is for Windows XP but I'm imagining it can't be much different for 2K/Vista
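    As an added example (not code from any poster in this thread), here is a small Python script that does what the steps above do by hand on any hosts file: it parses the file, reports whether 2117966.net is already sinkholed (a commented-out line does not count), appends the 127.0.0.1 line only when it is missing, and points out that a hosts entry matches the exact name only, so a subdomain such as www.2117966.net needs its own line. The sample hosts content is constructed.

```python
from typing import List, Tuple

# Constructed sample of a Windows hosts file (not taken from any real machine).
SAMPLE_HOSTS = """# Copyright (c) 1993-2006 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
# 127.0.0.1     2117966.net    <- commented out, so NOT in effect
0.0.0.0   ads.example.test   # constructed entry with a trailing comment
"""

SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}

def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (address, [hostnames]) for every active entry, skipping comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and whitespace
        parts = line.split()
        if len(parts) < 2:                     # blank line or malformed entry
            continue
        entries.append((parts[0], [h.lower().rstrip(".") for h in parts[1:]]))
    return entries

def is_sinkholed(text: str, hostname: str) -> bool:
    """True if the exact hostname maps to a loopback/unspecified address."""
    target = hostname.lower().rstrip(".")
    return any(addr in SINKHOLE_ADDRS and target in names
               for addr, names in parse_hosts(text))

def add_sinkhole(text: str, hostname: str, addr: str = "127.0.0.1") -> str:
    """Append '<addr> <hostname>' exactly as the thread instructs, only if missing."""
    if is_sinkholed(text, hostname):
        return text                            # idempotent: nothing to do
    sep = "" if text == "" or text.endswith("\n") else "\n"
    return f"{text}{sep}{addr}\t{hostname.lower()}\n"

def unprotected_variants(text: str, hostname: str, prefixes=("www",)) -> List[str]:
    """Subdomain forms that a hosts entry for the bare name does NOT cover."""
    return [f"{p}.{hostname}" for p in prefixes
            if not is_sinkholed(text, f"{p}.{hostname}")]
```

    The hosts file only affects name lookups; the Shadowserver text quoted later in this thread says the trojan reaches its server by IP address without DNS, so this entry blocks the initial redirect but does nothing for a machine that is already infected.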

  5. #5
    WASTE OF CURRENCY
    I CAN'T I CAN'T I CAN'T

    Re: New Trojan Stealing PW? Non-FFXI sites.

    Has anyone gone to the site to see what it actually does?

  6. #6

    Re: New Trojan Stealing PW? Non-FFXI sites.

    Seems to do a preload, then jumps to a google search to make it seem like nothing happened.

  7. #7
    Banned.

    Re: New Trojan Stealing PW? Non-FFXI sites.

    Why does china not do anything about this? Fuck.

  8. #8

    Re: New Trojan Stealing PW? Non-FFXI sites.

    Quote Originally Posted by senoska
    China doesn't have a fuck.
    fix'd

  9. #9
    Hyperion Cross

    Re: New Trojan Stealing PW? Non-FFXI sites.

    If only I had the resources (and maybe influence others to do the same) to setup dummy terminals and then make some sort of script to reload a page with a $_POST password thing ...

    The trojan does not appear to do anything at all and makes no outbound connections if your machine is idle. However, if Internet Explorer is launched and makes a POST request involving a password field, the trojan will spring into action sending encrypted traffic to another server in China. The trojan appears to specifically look for password input tags (<input type="password">). It does not appear to send off POST data unless there is a password input tag. If it detects a qualifying POST request it will immediately begin sending encrypted traffic to a Chinese server at 61.188.39.175 on port 2034. It does not appear to be using DNS to find this IP address.
    You know, get enough doing it, either confuse them so much or completely hammer them.

    Doubt it'll work. Just an evil thought really. It's like that spammer who spams people with e-mails but somehow someone discovered his (real physical/home) address. (read it in a newspaper some time ago). Result? His mailbox/home was absolutely flooded with mail. In the end he somehow got the attention of the press/media and had to apologise to everyone.
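    Added example (not the poster's or Shadowserver's code): a small Python indicator scanner that runs over constructed key=value firewall/proxy log lines and flags the two indicators the quoted write-up gives, the redirect host 2117966.net and the server 61.188.39.175 on port 2034; contact with that IP on any other port is reported separately as a lower-confidence hit. The log format, the internal 10.0.0.x hosts and the other destination addresses are constructed.

```python
import re
from typing import Dict, List
# Indicators from the Shadowserver text quoted above: the redirect host the
# compromised sites point at, and the IP:port the trojan contacts without DNS.
IOC_HOSTS = {"2117966.net"}
IOC_ENDPOINTS = {("61.188.39.175", 2034)}

# Constructed key=value firewall/proxy log lines (sample data, not a capture);
# RFC 5737 test addresses stand in for ordinary destinations.
SAMPLE_LOG = """\
2008-03-14T10:01:02 proto=tcp src=10.0.0.5 dst=198.51.100.20 dport=80 host=creative.com
2008-03-14T10:01:03 proto=tcp src=10.0.0.5 dst=203.0.113.9 dport=80 host=2117966.net
2008-03-14T10:05:44 proto=tcp src=10.0.0.5 dst=61.188.39.175 dport=2034
2008-03-14T10:05:45 proto=udp src=10.0.0.5 dst=192.0.2.53 dport=53
2008-03-14T10:06:00 proto=tcp src=10.0.0.7 dst=61.188.39.175 dport=443
"""

KV = re.compile(r"(\w+)=(\S+)")

def parse_line(line: str) -> Dict[str, str]:
    """Split one key=value line into a dict; the leading timestamp goes under 'ts'."""
    fields = dict(KV.findall(line))
    fields["ts"] = line.split(" ", 1)[0]
    return fields

def match_iocs(line: str) -> List[str]:
    """Reasons (possibly none) why a single log line matches the indicators."""
    f = parse_line(line)
    reasons: List[str] = []
    host = f.get("host", "").lower().rstrip(".")
    if host and any(host == h or host.endswith("." + h) for h in IOC_HOSTS):
        reasons.append(f"redirect host {host}")
    dst = f.get("dst", "")
    dport = int(f["dport"]) if f.get("dport", "").isdigit() else 0
    if (dst, dport) in IOC_ENDPOINTS:
        reasons.append(f"C2 endpoint {dst}:{dport}")
    elif any(dst == ip for ip, _ in IOC_ENDPOINTS):
        reasons.append(f"C2 IP {dst} on unexpected port {dport}")
    return reasons

def scan(log: str) -> List[Dict[str, str]]:
    """Scan a whole log; each hit records when, which internal host, and why."""
    hits = []
    for line in log.splitlines():
        reasons = match_iocs(line)
        if reasons:
            f = parse_line(line)
            hits.append({"ts": f["ts"], "src": f.get("src", "?"), "why": "; ".join(reasons)})
    return hits
```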

  10. #10
    Relic Weapons

    Re: New Trojan Stealing PW? Non-FFXI sites.

    What does the hosts file do?

  11. #11

    Re: New Trojan Stealing PW? Non-FFXI sites.

    Quote Originally Posted by Deband
    What does the hosts file do?
    http://www.mvps.org/winhelp2002/hosts.htm

    Summary: blocks unwanted parasites by preventing the specified websites from loading.

  12. #12
    Ridill

    Re: New Trojan Stealing PW? Non-FFXI sites.

    If I never type my password in, do I really care?

    Honest question, I save my password for everything because I'm lazy

  13. #13
    Sassy Tyrant

    Re: New Trojan Stealing PW? Non-FFXI sites.

    I'd think this is more of a virus than a keylogger, so I'd assume it'd be able to get your password if you have it saved but I'm not very smart with computers so don't believe what I say.

  14. #14
    Hyperion Cross

    Re: New Trojan Stealing PW? Non-FFXI sites.

    Quote Originally Posted by SathFenrir
    If I never type my password in, do I really care?

    Honest question, I save my password for everything because I'm lazy
    Unsure 100% myself, but from the description, from that link, it's (the trojan/virus/thing) activated when a POST password is triggered on the site. Just bearing in mind that this warning isn't for FFXI specifically, I would think that it's designed to steal passwords from other sites. So if you mean you saved your password within POL -only-, I think you don't need to care. But if you stored your password on these forums and other stuff, i.e. e-mail, then yes you should care, up to a point. So every time you login somewhere (NOT FFXI, unless FFXI uses $_POST too (lol)), if you have the thing on your machine, the password will be sent to the people on the specified server.

    I'll need clarification from others here, but this is what I believe/think based on the knowledge of HTML/PHP coding. Not too sure how they'll get usernames or other details, but it sounds kinda iffy regardless. Still open for discussion.

  15. #15

    Re: New Trojan Stealing PW? Non-FFXI sites.

    POL saved passwords are stored (encoded) in a file and locked by your hardware ID. POL will not decode your password and load it as saved unless the hardware ID matches the current computer, however a half decent programmer could likely simulate hardware ID to POL or break the encoding depending on how it's done.
    Simple Version: Even if you never type your password if a keylogger could get on your computer then a program that snatches the file can be written as easily. It may take a while to learn how to get your password out of that file though.

  16. #16
    Ridill

    Re: New Trojan Stealing PW? Non-FFXI sites.

    I'm retarded ignore me

  17. #17

    Re: New Trojan Stealing PW? Non-FFXI sites.

    Quote Originally Posted by SathFenrir
    I'm retarded ignore me
    doodled and noted

  18. #18

    Re: New Trojan Stealing PW? Non-FFXI sites.

    Speaking of passwords... anyone else noticed the constant ActiveX warnings from ffxiah again? I'm on lolIE and they get blocked (security is higher than default, not sure if they get blocked normally)

    Their forums mentioned moving away from strictly google ads. It happened for nearly every page I visited D:

    If this is mentioned anywhere else, please direct me to the thread.

  19. #19

    Re: New Trojan Stealing PW? Non-FFXI sites.

    Quote Originally Posted by TheStig
    If only I had the resources (and maybe influence others to do the same) to setup dummy terminals and then make some sort of script to reload a page with a $_POST password thing ...

    The trojan does not appear to do anything at all and makes no outbound connections if your machine is idle. However, if Internet Explorer is launched and makes a POST request involving a password field, the trojan will spring into action sending encrypted traffic to another server in China. The trojan appears to specifically look for password input tags (<input type="password">). It does not appear to send off POST data unless there is a password input tag. If it detects a qualifying POST request it will immediately begin sending encrypted traffic to a Chinese server at 61.188.39.175 on port 2034. It does not appear to be using DNS to find this IP address.
    You know, get enough doing it, either confuse them so much or completely hammer them.

    Doubt it'll work. Just an evil thought really. It's like that spammer who spams people with e-mails but somehow someone discovered his (real physical/home) address. (read it in a newspaper some time ago). Result? His mailbox/home was absolutely flooded with mail. In the end he somehow got the attention of the press/media and had to apologise to everyone.
    Want to know how to fuck someone in China up?

    Simply figure out their e-mail, and start signing them up for anti-Chinese govt. newsletters, etc. Sending them e-mails about potential coups/assassinations, etc.

    =) Unlike the US spammer, the Chinese Govt. doesn't take too kindly to stuff like that. Makes Carnivore seem tame.

  20. #20
    Dolmen
    Guest

    Re: New Trojan Stealing PW? Non-FFXI sites.

    Betelgeuse on Sylph has created an executable that makes IE and Firefox a lot more secure. Basically, you install this program, and receive new icons on your desktop for IE and Firefox. By running those browsers through this executable, it prevents the program from being able to write to your c:\Windows\ directory. Any web app that tries to write there won't be able to, seeing as a lot of keyloggers are writing to the \Windows\ directory.

    Overall, this is just another addition to the long list of protective devices to be used, and we're trying to get Betel's app more known (available starting April 11th on Download.com). In the meantime, I set up a mirror for it at:

    http://www.nemlod.com/betel/
