Truemors
is reporting from
Member
NP Rank:
NP Rank:
SpamBots Are Exploiting Forums Which Use vBulletin Software.
Share:
by Art_By_Alida | March 4, 2009 at 11:01 am
1222 views | 71 Recommendations | 22 comments
Photos
PORNOGRAPHY and PHARMACUETICAL SPAM EPIDEMIC HITTING THE INTERNET.
USERS ARE BEING LURED WITH PORNO AND ADVERTISEMENT FOR PHARMACUETICALS, THEN IF THEY HIT THE USER PROFILE ON THE FORUMS, AN EXE PROGRAM IS SOMETIMES DOWNLOADED ON THEIR COMPUTERS. ONLINE GAMING AND MEDIA SHARING SITES HIT HARD. COULD IT BE THE CONFLICKER WORM?
March 4, 2009,
March 27, 2009 UPDATE vBulletin Released a Patch on March 5th, 2009. Users must have now updated their software because the problem seems resolved. Thank you to webmasters who updated and to vBulletin for the Patch!
Alida Antonia Cornelius
Spambots are infecting website forums using vBulletin software. Rogue user profiles are made on various sites in the forums. Many of the user profiles contain executable exe file downloads. When other members of the forums click on the profile the download begins on their computers. Users may be lured to click on the user profiles with sex advertising or for buying pharmaceuticals. Hey, kids really are very gullible on many of these sites. They don't know that just clicking on one of these rogue user profiles can infect their computers.
I have observed that many of the profiles on some sites have been viewed by over 1000 users. If 1000 computers get infected from each site, then infect other computers, the problem just continues to grow. This is happening on sites many kids visit.
Recently, spam started arriving to my professional website in the form of links to various website forums from the United Kingdom and from sites in the United States.
Viewing the source code from the links in the spam, I noticed that all of the spam was coming from sites using the vBulletin software.
So, it appears that the spambots and botnets have found a way to compromise the software.
A world wide computer worm has security people concerned all over the world. It's called the Conflicker Worm and so far, the security people have not come up with the solution. The worm can take over your computer and get all your information and then use your computer to infect others.
Some of the websites which were hit recently are:
showhype.com
gigposters.com (Fixed the problem)
slimdevices.com (I have contacted these people numerous times. They can't stop it. And it's the Logitech software site. You would think Logitech of ALL people would fix this problem)
donstayin.com (Fixed the problem)
justin.tv.com (These people refuse to do anything to fix the problem . I have alerted them also.)
gooruze.com (Fixed the problem)
limespot.com (I received an email from limespot. They are shutting their site down.)
gamesville.com (owned by Lycos-inc.com) (Fixed the problem)
poptent.com (Fixed the problem)
treemo.com (Fixed the problem)
fileradar.net (Fixed the problem)
motime.com (Fixed the problem)
ysn.com (Fixed the problem)
jewcy.com (A Brooklyn, NY Jewish website. Added March 5th) (Fixed the problem)
streetfire.net ( Automotive forum website. Hasn't fixed the problem)
driverheaven.net (Fixed the problem)
aeriagames.com (Fixed the problem)
answergenesis.org (This site is a fundamentalist Christian website. How they accessed the online courses, I will never know, lol. The website admins have disabled the link already. March 14. They were the only one not using vBulletin software. They were using the opensource educational software called Moodle.)
ironruby.net (Fixed the problem )
ibibo.com (Fixed the problem)
nvidia.com (Tech forums. March 21) (Fixed the problem)
The sites listed above are only a drop in the bucket of infected gaming, media, and other types of websites.
Users of vBulletin forum software should contact vBulletin.com for answers. One website admin is trying to fix the problem by making new users do some extra things before they register so the spam bots are stopped.
I wonder how far this is going to spread and I wonder who is behind it? Is the Conficker Worm spreading through vBulletin forum software?
WHENEVER you post on forums, make sure that your password is the strongest you can devise. And always update your antivirus software BEFORE you visit any sites.
These newer spambots can also bypass the Captcha software, which is now being used to try to thawrt hackers.
Read about spambots here:
http://en.wikipedia.org/wiki/Spambot
Read about the Conficker Worm here:
http://www.networkworld.com/news/2009/012309-downadup-conflicker-worm.html
I will update this list daily of the websites affected. However, these are only a drop in the bucket of infected sites.
Let the spambot wars begin.
What is NowPublic?
NowPublic lets people work together to cover news events around the world.
Crowd Power
Art_By_Alida
Ohio River Valley, Indiana, United States
Recommendations (71)
Amy Judd
Vancouver, Canada
Jordan Yerman
Vancouver, British Columbia, Canada
mudricky
Glasgow, Scotland, United Kingdom
Anonymous users (17)
azzayindia
mussoorie,distt dehradun, Uttarakhand, India
Rhonda J Mangus
North Tonawanda, New York, United States
Barry Artiste
Vancouver, Canada
Paschen
Narita, Chiba, Japan
Most RecentMost Recommended Comments (22)
at 11:59 on March 4th, 2009
If this is the same vBulletin issue that I'm thinking of, then the exploit is a simple one: running usernames against passwords that equal usernames, i.e.
username: jordanrules
pswd: jordanrules
Lots of people set up their accounts like this. I call them "victims".
Site administrators can use tools to prevent users from using their usernames as passwords, but common sense is a far better tool for the job.
More detail here.
at 12:28 on March 4th, 2009
Yes, that is part of the problem...I remember about a year ago, a similar thing happened on a tech forum I was posting on. And it was caused by people who didn't use good passwords and is does contribute to the site getting exploited.
But, this spam is coming in one email with about 13 different links to different websites...it's not your common spam.
I get two a day, regularly.
They changed lately however. The spam before this week was all coming from a server in Utrecht, Netherlands hosted by WebaZilla.com
I found the website coming from St. Kitts. It was all porno.
So, I kept complaining to WebaZilla and finally, that porno spam from adult-empire stopped. (I had never visited that site, lol...)
However, the spam continued in the exact same manner, only now it's the exploited forum links to porno and the "Scan My Computer" exe file download. All the links are together in one email.
Because all the spammed links are grouped together in one email, I know this is some different type of exploitation.
I sent a report to CERT with the source code, etc.
I just want these people to get caught.
And I want to alert the people who are monitoring their websites to get more aggressive about securing their sites.
I received two more today with new websites.
And I am sure I will get two more tomorrow.
I am redesigning my website with CSS language and Captcha's...so I hope I can get rid of these pests.
But, I spent hours trying to contact the website owners to alert them.
Most of them ignored me. So, I thought I would post the info here in case any readers use those forums.
The funny thing about it is that the spambots are also trying to exploit the vBulletin forums of the company itself!
at 13:54 on March 4th, 2009
I like to think I have a good password, but it's still scary to think that this can happen to any computer really.
at 18:23 on March 4th, 2009
Changing the password every week and long complex words such as unconstitutional.
at 18:36 on March 4th, 2009
You know what is really, really embarrassing, is showing an archery video from Youtube to your grandmother, and when you hit the link it's Transvestites and Strapons! Yep, good times! NOT!
at 08:34 on March 11th, 2009
that is sad barry although i think my archery video at nowpublic is good one
at 20:00 on March 4th, 2009
LOL! That's a good analogy, Barry!
What was so funny to me was when I went to the vBulletin.com site to tell them what was happening, I noticed that the top forum topic was that they knew that THEY were having attempts to compromise their very own forums. You have to update all your software with patches quite often, just like the recent update for Flash Player.
I have a MAC, and I don't worry as much about security issues. But, I am still very cautious.
at 21:38 on March 4th, 2009
I wonder if this is connected in anyway to hackers putting adding advertising banners to websites and if you click on them, it goes to pornography.
Time Warner Cable, owner of Road Runner Services has also said that they have been under attack by hackers in the last week. I saw it on their homepage about the porno banners and also the hacking attacks.
at 21:52 on March 4th, 2009
I wonder if this is related to the problem. Evidently porno spam is all over hotmail now as reported on C-net
http://news.cnet.com/Hotmail-porn-spam-reported/2100-1023_3-200802.html
at 21:55 on March 4th, 2009
I am getting porno spam in my emails at hotmail.
Read about it here at C-Net:
http://news.cnet.com/Hotmail-porn-spam-reported/2100-1023_3-200802.html
at 22:03 on March 4th, 2009
I read the article from C-Net. It seems like there is porno spam being a problem now and it's not just with hotmail. One would think if you could find the source of the porno websites, you could trace it to the spammers. I wonder why the hackers are focusing on pornography so much?
at 05:37 on March 5th, 2009
UPDATE: I found out that spammers use "proxy servers" and that makes them difficult to track.
Also interesting is the list of the Top Ten Spammers. Those guys are strange...read about them here:
http://www.spamhaus.org/statistics/spammers.lasso
at 10:09 on March 5th, 2009
yep spammers/bots/hackers have been using proxys for years, as well as other ip address spoofing techniques. One of the best ways not to get hooked it never have your email address on any public/internet facing website that a bot could read, ie, using john {at} smith (d0t) com etc.. kinda a no brainer, especially on those high-traffic forums.
at 09:32 on March 5th, 2009
I get porno spam and spam tryin to get me to buy drugs all the time in my yahoo mail.
It drives me crazy. I am thinking about dropping my yahoo account
at 21:37 on March 5th, 2009
Porno spam should be against the law...just like marketing phone calls...if your name is on the list, they are not allowed to call you to sell something.
Why can't porno spam be against the law?
at 08:41 on March 11th, 2009
It turns out that porno spam IS against the law in the United States.
But, if the porno spam is coming from overseas, how would the criminals be prosecuted, I wonder?
at 20:49 on March 6th, 2009
Thanks for this information, Art_By_Alida!
at 12:33 on March 7th, 2009
You welcome, Rhonda. What is terrible is that thousands of people are visiting the links and if you click on one of the links in their forums, an automatic exe file gets downloaded onto your computer and who knows what's in that file?
at 08:01 on March 27th, 2009
the spammers are not comprimising user names and passwords. they are creating profiles with the software. if you add more steps to the register process this will cause errors in the software and they wont be able to register at the forums.
at 08:40 on March 27th, 2009
Yes, you are correct. That is what I have been telling the webmasters at the infected sites.
The problem now seems resolved with the new patch for vBulletin software users. However it took awhile before webmasters installed the patch.
However, there is still the problem of some sites which have legitimate looking pharmacuetical sales user profiles. I am still reporting some to webmasters. The only way I know how to bust those sites is to try to buy something from them, get ripped off, and then delete that user. How many webmasters would resort to that sort of detective work?
A problem remains.
at 08:33 on May 6th, 2009
the spammers are not comprimising user names and passwords.
at 10:00 on May 6th, 2009
Hi,
What brook has said is correct spamming has become one of the major issue in this technological era. This could be stopped either by increasing the security or else the spammers should stop.
http://www.seoblogcentral.com