Remember the recent news about spyware programs coming with Creative Labs products? Brace yourselves, it gets worse. Seems at least one of the servers that the spyware "phones home" to--http://tg.creativeinspire.com--is infected with the Sadmind/IIS worm. This worm infects Solaris systems and Microsoft IIS, cracking root privileges on the server, changing the homepage, then trying to spread itself to other servers.
Connecting to the server listed using a Web browser returns the following message, which will display in MS Internet Explorer and some other browsers:
fuck CHINA Government
In short, Creative's NewsUpd.exe spyware is now connecting thousands (or many more) blissfully unsuspecting users to a compromised server. The truly disturbing part is what becomes possible if the following two conditions are met:
1) The worm has opened a 'backdoor' on the compromised server, allowing a third party access to the root privileges it has obtained
2) The spyware program that contacts this server has an AutoUpdate capability
then this third party could in practice compromise every internet user that has the spyware running on their machine. The third party would be able to execute arbitrary code on these users' systems, installing any software or Trojan horses, or even turning their PCs into "zombies" for use in distributed denial-of-service attacks.
In this particular case condition (1) is met, as the same vulnerability used by the Sadmind worm to break into the system can be used by any malicious user. However, I have no information as to whether NewsUpd.exe possesses AutoUpdate capabilities.
AutoUpdate capabilities have increasingly become a standard feature in spyware programs. The idea behind this feature is that the spyware vendor can update the program remotely, without making the user download any new files. Instead, the spyware periodically checks for updates and downloads them as they become available.
But if the vendor's server comes under the control of a malicious third party, this party can send updates as well.
It would work like this:
1) The third party places an executable file, containing malicious payload, on the server
2) The third party instructs the client software to download and run the file using an AutoUpdate feature built into the software. This is typically accomplished by adding the proper directive to a file on the server, which the software periodically checks for instructions.
3) The malicious "update" is then downloaded and executed on the user's PC.
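The hijack in steps 1) through 3) works only because the client runs whatever the server's directive file names. As an added example that is not part of the original post, here is the gate a defensible updater applies, in Go: the directive (manifest) is signed offline with a vendor key compiled into the client, and the downloaded file must hash to the signed value, so control of the download server alone cannot push an "update". The Manifest format and the key handling are assumptions for this example, not anything known about NewsUpd.exe.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Manifest is the directive file an AutoUpdate client fetches from the vendor
// server (a hypothetical format constructed for this example).
type Manifest struct {
	SHA256 [32]byte // hash of the update file the client is told to run
	Sig    []byte   // vendor's Ed25519 signature over SHA256
}

// SignManifest runs on the vendor's offline signing machine, never on the
// download server, so a compromised server cannot mint a valid manifest.
func SignManifest(priv ed25519.PrivateKey, payload []byte) Manifest {
	m := Manifest{SHA256: sha256.Sum256(payload)}
	m.Sig = ed25519.Sign(priv, m.SHA256[:])
	return m
}

// VerifyUpdate is the client-side gate: run the payload only if the manifest is
// signed by the key compiled into the client AND the file hashes to that value.
// A server that can only serve files, not sign them, fails both substitutions.
func VerifyUpdate(vendorPub ed25519.PublicKey, m Manifest, payload []byte) error {
	if len(vendorPub) != ed25519.PublicKeySize || !ed25519.Verify(vendorPub, m.SHA256[:], m.Sig) {
		return errors.New("manifest not signed by the vendor key")
	}
	if sha256.Sum256(payload) != m.SHA256 {
		return errors.New("payload hash differs from the signed manifest")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stand-in for the vendor's key pair
	good := []byte("constructed sample update v2")
	m := SignManifest(priv, good)
	fmt.Println("genuine update:", VerifyUpdate(pub, m, good))
	fmt.Println("swapped payload:", VerifyUpdate(pub, m, []byte("attacker's file")))
}
```

The second call models exactly the scenario above: the server's file has been replaced, the signed manifest has not, and the client refuses to execute it.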
The hostile takeover of Creative's server hammers home an important lesson about the hazards of spyware. This has got to stop! You would be amazed how many hidden spyware programs are tucked away in the software we download--or even buy off the shelf. Now it appears they have the power to do more than send private information OUT of your PC. They can be used to send malicious payloads IN as well.