FYI

Thread starter: Helen

Helen

A Russian-based business is paying websites for each machine the websites
infect with adware or spyware. IframeDollars.biz pays Webmasters to place a
one-line exploit on their sites. The code exploits a number of patched
Windows and Internet Explorer vulnerabilities. Analysis by the SANS
Institute's Internet Storm Center reveals that the exploit drops at least
nine pieces of malicious code, to include back doors, other Trojans, spyware,
and adware, on any PC whose user surfs to a site that hosts the exploit
code.
 
> A Russian-based business is paying websites for each machine the websites
> infect with adware or spyware. IframeDollars.biz pays Webmasters to place a
> one-line exploit on their sites. The code exploits a number of patched
> Windows and Internet Explorer vulnerabilities. Analysis by the SANS
> Institute's Internet Storm Center reveals that the exploit drops at least
> nine pieces of malicious code, to include back doors, other Trojans, spyware,
> and adware, on any PC whose user surfs to a site that hosts the exploit
> code.

Keep your AV and software (Windows) promptly updated!
Which AntiVirus/Adware/Spyware Company owns this Russian Based Business?
 
> Which Russian company owns....?

I have no idea nor other info...the subject info is from our IT/IM dept.
 
> A Russian-based business is paying websites for each machine the websites
> infect with adware or spyware. IframeDollars.biz pays Webmasters to place a
> one-line exploit on their sites. The code exploits a number of patched
> Windows and Internet Explorer vulnerabilities. Analysis by the SANS
> Institute's Internet Storm Center reveals that the exploit drops at least
> nine pieces of malicious code, to include back doors, other Trojans, spyware,
> and adware, on any PC whose user surfs to a site that hosts the exploit
> code.

Good advice. Do you have a cite for your claim?
 
David said:
> Good advice. Do you have a cite for your claim?

It is a TASK from my work and no, there is nothing more than the above. The
paragraph was extracted from the e-mail and the redacted part is N/A here, but
the info is important and I suspect you (plural) will be hearing more about it
in the future.
 
> Good advice. Do you have a cite for your claim?

It states "Analysis by the SANS Institute's Internet Storm Center..."
From <http://isc.sans.org/diary.php?date=2005-05-23>:

##### BEGIN QUOTE #####
iframeDOLLARS dot biz partnership maliciousness

After fellow Storm Center handler Tom Liston's investigation into a
report received from a SANS ISC reader named Checker today, we find
ourselves examining what appears to be an awful business practice
based on the wholesale attempted exploit of Internet Explorer browsers
via multiple vulnerabilities for any IE client that happens to visit a
'partner' in this business venture. The exploits are hosted via
hundreds of unique URLs on the website at www dot iframedollars dot
biz including the (MS03-014) MHTML (.chm) exploit
<http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-014.asp>,
(MS03-011) Java ByteVerify exploit
<http://www.microsoft.com/technet/security/bulletin/MS03-011.mspx>,
(MS05-002) MS ANI exploit
<http://www.microsoft.com/technet/security/Bulletin/MS05-002.mspx>,
and an Mhtredir trojan exploiting MS04-013
<http://www.microsoft.com/technet/security/Bulletin/MS04-013.mspx>.
The successful exploit of any browser would result in the installation
of at least nine additional samples of malicious code including
backdoors, trojans, and spy/adware. So how much is your compromised
workstation worth to website administrators that participate in this
revenue generation scheme? A whopping $0.61(USD).

LATE DIARY ADDITION: Michael Ligh wrote in notifying us of his
involvement in investigating a compromise that involved an
iframedollars partner. His excellent writeup is hosted on Michael's
personal website <http://www.mnin.org/write/2005_trimode.html>.

The question is: How much satisfaction can one organization achieve by
null-routing all traffic to this host at 81.222.131.59?
Answer: You tell us.
##### END QUOTE #####

There's more, but you can access the information yourself. A visit
to the Internet Storm Center <http://isc.sans.org/> and a site search
on "iframedollars.biz" yields positive results.
 
> It states "Analysis by the SANS Institute's Internet Storm Center..."
> From <http://isc.sans.org/diary.php?date=2005-05-23>:
>
> ##### BEGIN QUOTE #####
> iframeDOLLARS dot biz partnership maliciousness
>
> After fellow Storm Center handler Tom Liston's investigation into a
> report received from a SANS ISC reader named Checker today, we find
> ourselves examining what appears to be an awful business practice
> based on the wholesale attempted exploit of Internet Explorer browsers
> via multiple vulnerabilities for any IE client that happens to visit a
> 'partner' in this business venture. The exploits are hosted via
> hundreds of unique URLs on the website at www dot iframedollars dot
> biz including the (MS03-014) MHTML (.chm) exploit
> <http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-014.asp>,
> (MS03-011) Java ByteVerify exploit
> <http://www.microsoft.com/technet/security/bulletin/MS03-011.mspx>,
> (MS05-002) MS ANI exploit
> <http://www.microsoft.com/technet/security/Bulletin/MS05-002.mspx>,
> and an Mhtredir trojan exploiting MS04-013
> <http://www.microsoft.com/technet/security/Bulletin/MS04-013.mspx>.
> The successful exploit of any browser would result in the installation
> of at least nine additional samples of malicious code including
> backdoors, trojans, and spy/adware. So how much is your compromised
> workstation worth to website administrators that participate in this
> revenue generation scheme? A whopping $0.61(USD).
>
> LATE DIARY ADDITION: Michael Ligh wrote in notifying us of his
> involvement in investigating a compromise that involved an
> iframedollars partner. His excellent writeup is hosted on Michael's
> personal website <http://www.mnin.org/write/2005_trimode.html>.
>
> The question is: How much satisfaction can one organization achieve by
> null-routing all traffic to this host at 81.222.131.59?
> Answer: You tell us.
> ##### END QUOTE #####
>
> There's more, but you can access the information yourself. A visit
> to the Internet Storm Center <http://isc.sans.org/> and a site search
> on "iframedollars.biz" yields positive results.

While this information may be good to know, and the previous advice:

<quote>
Keep your AV and software (Windows) promptly updated!
</quote>

is good to do, the best defense against these exploits is to use a
fairly good HOSTS file. http://www.mvps.org/winhelp2002/hosts.htm

I checked my HOSTS File and found entries for iframedollars.biz, so I'm
already protected and didn't know it! <g> And all the emotion upon
reading the original post and this more recent post was for nothing.
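One way to check what the poster above checked by hand, as an added example that is not code from the thread or from the MVPS HOSTS project: parse a HOSTS file and report whether each hostname under iframedollars.biz is actually sinkholed. The sample HOSTS content and the subdomain cdn.iframedollars.biz are constructed for the example, and "first entry for a name wins" is an assumption about the resolver; the point it shows is that HOSTS matching is exact per name, so an entry for the bare domain does not cover www or any other subdomain.

```python
import re

# Addresses that MVPS-style blocklists point names at (constructed set).
SINKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "::1"}

def parse_hosts(text):
    """Return {hostname: address} for every mapping in a HOSTS file.
    Handles '#' comments, blank lines, tabs and several names per line.
    The first entry for a name wins (assumption: the resolver stops at the
    first match, so a later duplicate line does not override an earlier one).
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        addr, *names = re.split(r"\s+", line)
        for name in names:
            mapping.setdefault(name.lower().rstrip("."), addr)
    return mapping

def is_sinkholed(hosts_map, hostname):
    """True only if this exact hostname maps to a sinkhole address."""
    return hosts_map.get(hostname.lower().rstrip(".")) in SINKHOLE_ADDRS

def coverage_report(hosts_map, domain, hostnames):
    """Map each hostname under `domain` to whether HOSTS really blocks it.
    A HOSTS line is an exact-name match, not a wildcard, so an entry for the
    bare domain gives no coverage of its subdomains; the report exposes that.
    """
    domain = domain.lower()
    return {h: is_sinkholed(hosts_map, h) for h in hostnames
            if h.lower() == domain or h.lower().endswith("." + domain)}

# Constructed sample in the style of an MVPS HOSTS file. The subdomain
# 'cdn.iframedollars.biz' is invented here purely to show the coverage gap.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0  iframedollars.biz   # blocklist entry
0.0.0.0\twww.iframedollars.biz
"""

if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    names = ["iframedollars.biz", "www.iframedollars.biz", "cdn.iframedollars.biz"]
    for name, ok in coverage_report(hosts, "iframedollars.biz", names).items():
        print(f"{name:24s} {'blocked' if ok else 'NOT blocked'}")
```

Run it against a real HOSTS file by reading the file into `parse_hosts` instead of `SAMPLE_HOSTS`; any subdomain reported as NOT blocked is one the list does not protect against.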
 
> While this information may be good to know, and the previous advice:

"David" asked "Helen" if there was a citation for the information she
posted. She responded with her source, which was internal, but the
information did contain the original source. So I posted the original
source, with a gentle chide.

> is good to do, the best defense against these exploits is to use a
> fairly good HOSTS file. http://www.mvps.org/winhelp2002/hosts.htm

I don't use a HOSTS file for blocking. My preference is for eDexter
and DNSKong. I think they accomplish the job better than the HOSTS
file.

> I checked my HOSTS File and found entries for iframedollars.biz, so I'm
> already protected and didn't know it! <g> And all the emotion upon
> reading the original post and this more recent post was for nothing.

I'm sure others will be glad to hear that site is already included.
I disagree it was for nothing, the information was confirmed, you
learned it was blocked in your HOSTS file, and someone else may have
learned how easy it is to use given information to track down the
original statement or more information when it can't be easily given
to them (that's meant generally, it's NOT a swipe at "David." I think
he was right to ask "Helen" if she had a citation for it).
 
"David" asked "Helen" if there was a citation for the information she
posted. She responded with her source, which was internal, but the
information did contain the original source. So I posted the original
source, with a gentle chide.
Googling for "iframeDollars" turns up all kinds of hits (mostly recent),
but the problem with "iframeDollars" has existed for quite a while (at
least 6 months, maybe 1 year), and their has been very little mention of
it until now.
I don't use a HOSTS file for blocking. My preference is for eDexter
and DNSKong. I think they accomplish the job better than the HOSTS
file.
I don't know if eDexter/DNSkong does site blocking better, but it sure
seems more complicated and requires additional System Resources not
required by using only the HOSTS File.
I'm sure others will be glad to hear that site is already included.
I disagree it was for nothing, the information was confirmed, you
learned it was blocked in your HOSTS file, and someone else may have
learned how easy it is to use given information to track down the
original statement or more information when it can't be easily given
to them (that's meant generally, it's NOT a swipe at "David." I think
he was right to ask "Helen" if she had a citation for it).
It just seems to be a waste of time following up on old news which has
already been addressed, but a lot of that has to do with the media,
their untimely news articles cause a frenzie when their should be none.
 
> Which Russian company owns....?
>
> I have no idea nor other info...the subject info is from our IT/IM dept.

Sounds like another unsubstantiated rumour to me in that case,
probably designed to stop employees from accessing porn sites.
 
David said:
> Sounds like another unsubstantiated rumour to me in that case,
> probably designed to stop employees from accessing porn sites.

WRONG! WRONG! WRONG! Teeny-boopers are such a nuisance!
I was passing on some helpful information to those who had been of help to me.
If you don't want the info, then pass the post by. Others may have been
assisted by it. It is code that not all AVs, spy-bots, etc. can easily detect.
Of course we all know that there are newbies in this group who erroneously
consider themselves omnipotent. Just ignore them: their fragile egos speak
volumes of their apparent impotence. And tells where their head is!
 
> WRONG! WRONG! WRONG! Teeny-boopers are such a nuisance!
> I was passing on some helpful information to those who had been of help to me.
> If you don't want the info, then pass the post by. Others may have been
> assisted by it. It is code that not all AVs, spy-bots, etc. can easily detect.
> Of course we all know that there are newbies in this group who erroneously
> consider themselves omnipotent. Just ignore them: their fragile egos speak
> volumes of their apparent impotence. And tells where their head is!

Thank you, Helen. If you had supplied the citation in the first
instance then none of the above would have happened. I would not
describe myself as a Teeny-booper especially since I am sixty-four and
I have been involved with computers since the early '70s.
Unsubstantiated rumours do more to harm your credibility than worry me
but if something is serious then I, like most people, like to have
confirmation from some credible source. Just because your IT
department says something does not make it a fact. I have been
involved with enough IT departments to know that sometimes they
mislead users to avoid work.
 
David said:
> Thank you, Helen. If you had supplied the citation in the first
> instance then none of the above would have happened. I would not
> describe myself as a Teeny-booper especially since I am sixty-four and
> I have been involved with computers since the early '70s.
> Unsubstantiated rumours do more to harm your credibility than worry me
> but if something is serious then I, like most people, like to have
> confirmation from some credible source. Just because your IT
> department says something does not make it a fact. I have been
> involved with enough IT departments to know that sometimes they
> mislead users to avoid work.
>
> --
> David
> Remove "farook" to reply
> At the bottom of the application where it says
> "sign here". I put "Sagittarius"

Not my IT....it is extremely RARE when they send an e-mail of any type...
by rare, I mean an average of two per year! So when they send one, it's
not to be shrugged off. If you knew by whom I'm employed I think you'd
understand.
I did not have a site at the time and I shall not post again. I apologize
for the post.
I'll just keep things to myself and read the post as things fall out.

Regards,
Helen
 
Helen said:
> Not my IT....it is extremely RARE when they send an e-mail of any type...
> by rare, I mean an average of two per year! So when they send one, it's
> not to be shrugged off. If you knew by whom I'm employed I think you'd
> understand.
> I did not have a site at the time and I shall not post again. I apologize
> for the post.
> I'll just keep things to myself and read the post as things fall out.
>
> Regards,
> Helen

Now now Helen, don't get your kn***ers in a twist, life's too short to be
 
> I did not have a site at the time and I shall not post again. I apologize
> for the post.
> I'll just keep things to myself and read the post as things fall out.

No need to apologize. The information was useful as originally posted.
 
Speaking as someone who (1) is reasonably educated and aware (IT Pro for 22
years) and (2) was completely unaware of the situation you reported, despite
the age of the story, I found the information both interesting and helpful.
And, while I initially found it hard to believe - it sounded so much like an
extract from a conspiracy theory - the supporting evidence provided by both
yourself and others made it fairly clear that this was one case where the
truth was stranger than fiction. Therefore I for one would like to thank you
for taking the time to post the information, and to encourage you to post
again in the future if you have anything to contribute. If the know-it-alls
know it all already, they can just skip the post.

And to those who have been critical of the post because the original report
was old, remember that there will always be someone to whom any given fact
is being encountered for the first time. Most of the group are sensitive to
this, which is one reason why ACF has remained active and viable for so many
years. A few others did not show the same restraint, in particular the
individual who used the thread as an excuse to launch an attack on everyone
who used a Microsoft operating system without making any meaningful
contribution to the debate, and who is now on my "blocked senders" list as a
result.

Bottom Line: I didn't know about this before. Now I do. Thank you, Helen.

Mike Bourke
 
