[THIN] OT: FW: New trojan turns home PCs into porno Web site hosts

• From: "Chris Lynch" <lynch00@xxxxxxx>
• To: <thin@xxxxxxxxxxxxx>
• Date: Fri, 11 Jul 2003 11:44:32 -0700

 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 Very interesting...

Chris

- -----Original Message-----
From: Richard M. Smith [mailto:rms@xxxxxxxxxxxxxxxxxxxx] 
Sent: Thursday, July 10, 2003 7:49 PM
To: BUGTRAQ@SECURITYFOCUS. COM
Subject: New trojan turns home PCs into porno Web site hosts

Hi,

Some individual appears to have hijacked more than a 1,000 home computers
starting in late June or early July and has been installing a new trojan
horse program on them. The trojan allows this person to run a number of
small Web sites on the hijacked home computers.  These Web sites consists of
only a few Web pages and apparently produce income by directing sign-ups to
for-pay porno Web sites through affiliate programs.  Spam emails messages
get visitors to come to the small Web sites.

To make it more difficult for these Web sites to be shut down, a single home
computer is used for only 10 minutes to host a site.  After 10 minutes, the
IP address of the Web site is changed to a different home computer.  The
hacker is able to do this quick switching because he has installed DNS name
servers for his domains on other home computers under his control.  The DNS
name servers specify that a hostname-to-IP-address mapping should only live
for 10 minutes.
 
Over the long July 4th weekend, some of these same Web servers were used in
an apparent phishing scam to collect stolen PayPal passwords and credit card
numbers.  Silicon.com has an article about this scam:

   Russian hackers behind fake PayPal email scam?
   http://silicon.com/news/500013-500001/1/5061.html

Joe Stewart of LURHQ has obtained a copy of the trojan which he has named
Migmaf.  His analysis of the trojan can be found on the LURHQ Web
site:

   http://www.lurhq.com/migmaf.html

The initial theory was that the trojan was installing a mini-Web server on
hacked computer to host the porno Web sites.  However, Joe's analysis shows
that the Trojan is actually a reverse HTTP proxy that makes a home computer
act as a front for a home base Web server.

The New York Times is also running an article about the trojan in its July
11th edition of the paper:

   http://www.nytimes.com/2003/07/11/technology/11HACK.html?hp

Some of the domain names used by the Web sites of the trojan are:

   onlycoredomains.com
   pizdatohosting.com
   bigvolumesites.com
   wolrdofpisem.com
   arizonasiteslist.com
   nomorebullshitsite.com
   linkxxxsites.com

I've been monitoring these domains since July 5th and found over 2,000
unique IP address used by hosts in these domains.  Almost all of these IP
addresses are for commercial ISPs used by home computer users.
AOL.COM was the most used ISP. 

One interesting feature of the trojan is that it times the connection speed
of a home computer that it is running on and reports the connection speed
back to home base.  The home base computer seems to only select a computer
to run a reverse proxy server or the DNS name server if the computer has a
high-speed cable or DSL Internet connection.

It is not known at the present time how the trojan gets installed on
people's computers.  My theory is that the Sobig.e virus might be involved,
but the evidence is not strong at the moment.

Richard M. Smith
http://www.ComputerBytesMan.com


-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0
Comment: Public PGP key for Chris Lynch

iQA/AwUBPw8Fj29fg+xq5T3MEQI5bQCeI/vYN3TTSKvwg/vsns66PkX/ObAAn2rJ
CP4a8O1GbBrot/0i5PgpoZf4
=D5ec
-----END PGP SIGNATURE-----


********************************************************
This weeks sponsor - RTOSoft TScale 
Complaints about applications response time - DO SOMETHING ABOUT IT!
TScale 2.0 improves applications response time and increases terminal
server capacity. Really get MORE from your existing servers! Free eval:
http://www.rtosoft.com/enter.asp?id=130
**********************************************************
Useful Thin Client Computing Links are available at:
http://thethin.net/links.cfm

For Archives, to Unsubscribe, Subscribe or 
set Digest or Vacation mode use the below link:
http://thethin.net/citrixlist.cfm

• Follow-Ups:
  • [THIN] Re: OT: FW: New trojan turns home PCs into porno Web site hosts
    • From: Jim Kenzig

Other related posts:

• » [THIN] OT: FW: New trojan turns home PCs into porno Web site hosts
• » [THIN] Re: OT: FW: New trojan turns home PCs into porno Web site hosts
• » [THIN] Re: OT: FW: New trojan turns home PCs into porno Web site hosts
• » [THIN] Re: OT: FW: New trojan turns home PCs into porno Web site hosts
• » [THIN] Re: OT: FW: New trojan turns home PCs into porno Web site hosts
• » [THIN] Re: OT: FW: New trojan turns home PCs into porno Web site hosts
• » [THIN] Re: OT: FW: New trojan turns home PCs into porno Web site hosts
• » [THIN] Re: OT: FW: New trojan turns home PCs into porno Web site hosts
• » [THIN] Re: OT: FW: New trojan turns home PCs into porno Web site hosts
• » [THIN] Re: OT: FW: New trojan turns home PCs into porno Web site hosts
• » [THIN] Re: OT: FW: New trojan turns home PCs into porno Web site hosts
• » [THIN] Re: OT: FW: New trojan turns home PCs into porno Web site hosts
• » [THIN] Re: OT: FW: New trojan turns home PCs into porno Web site hosts

1. Home
2. thin
3. Archive
4. 07-2003

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---