
Circuit City forum hacked to infect users with spam bots

Written by Suzi Turner, Contributor

Circuit City learned today that their customer forum was recently hacked, exposing their users to malware. The forum software, Invision Power Board, had a security vulnerability that was patched on May 17. Initial reports indicated that from May 13 until today about 200 registered users visited the forum, according to Circuit City's estimate. A later article at CNET stated the forum was most likely hacked on May 30 and estimated the number of users at about 80. Those forum users were likely infected with a nasty piece of malware called Galapoper, described here by Panda:

Galapoper.C is a backdoor that connects to several websites that host a PHP script, in order to download a file that contains remote control commands, such as downloading and running other files or updating itself. This file could be different for each affected computer, which opens the door to launching custom attacks.

Galapoper contains a spam bot that can send email at a fast rate and can vary the email every 10 minutes or every 70,000 messages sent. No information seemed to be available on the contents of the spammed email.

Brian Krebs did a great write-up on this and brings up the fact that the site using the exploit to infect users is on the same Russian IP block as a group of servers that he investigated recently, servers known to host sites with content that looks like borderline child porn and sites used to force-download rogue anti-spyware/security applications like WinAntivirus Pro, WinFixer, BraveSentry, SpyAxe, Spy Falcon and the like. See my list of top ten rogue anti-spyware programs for 2005. Krebs also writes about these web servers:

This group of Web servers also is home to many of the sites that were taking advantage of the flaw even before Microsoft issued its patch. Allow me to take you back: This security update was the very first that Microsoft shipped in 2006. Hundreds of malicious Web sites had been exploiting in the final weeks of 2005 and early 2006 to install password-stealing Trojan horse programs on IE users' computers. Hundreds more innocent Web sites were hacked and seeded with the exploit code, including at least two I found in my own reporting.

SANS has some details on the sites used in the Invision Power Board hackings. According to the write-up, the forums are being injected with iframe links to these sites, which in turn serve up a WMF exploit. One of the sites mentioned there is at IP address 85.249.23.119 (whois links for the site and the IP are in the SANS post). Windows users are advised not to visit these sites unless in a virtual machine.
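Forum operators who want to check their stored pages for the kind of injected iframe described above can scan the HTML for frames that point off-site or are sized and styled to be invisible. The scanner below is an added example written for this post, not code from SANS, Invision or Circuit City; the allowed host list, the sample page and the `exploit-host.invalid` address in it are constructed for illustration.

```python
"""Flag injected <iframe> tags in stored forum HTML (added example, not from the article)."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeFinder(HTMLParser):
    """Collect the attributes of every <iframe> in an HTML document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attrs is a list of (name, value) pairs; value may be None
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def suspicious_iframes(html, allowed_hosts):
    """Return (src, reasons) for iframes that point off-site or are hidden."""
    parser = IframeFinder()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or ""
        reasons = []
        if host and host not in allowed_hosts:
            reasons.append("off-site src: " + host)
        if attrs.get("width", "").strip() in ("0", "1") or attrs.get("height", "").strip() in ("0", "1"):
            reasons.append("zero/one-pixel frame")
        style = attrs.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via style")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample: a legitimate post and widget, followed by an injected invisible frame.
SAMPLE_PAGE = """
<div class="post">Thanks for the help with my TV setup!</div>
<iframe src="http://forums.example.com/widget" width="300" height="200"></iframe>
<iframe src="http://exploit-host.invalid/x.php" width="0" height="0" style="display:none"></iframe>
"""

if __name__ == "__main__":
    for src, why in suspicious_iframes(SAMPLE_PAGE, {"forums.example.com"}):
        print(src, "->", "; ".join(why))
```

Run it over exported post bodies or cached page HTML; any hit is worth comparing against the page as the CMS stores it, since injected frames usually sit outside the visible post content.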

In doing spyware research, I've run into any number of sites with iframe links to these same servers, only the sites I visited were not hacked sites -- they were sites deliberately designed to run exploits, and, in many cases they were sites hosted in the US, in fact, hosted at a California ISP I wrote about previously, InterCage, formerly known as Atrivo. See Webhelpers CWS domains in the Atrivo IP block.

I find it very troubling that the ISPs, groups and individuals involved with these websites, well known and well documented for running exploits, continue to operate apparently unhampered. The activities going on from these sites are clearly illegal under US laws and there's no international effort that I'm aware of to shut down these criminals.
