In association with heise online

08 November 2006, 14:04

Poor detection of the malware from the forged Wikipedia site


A wave of spam mails emerged last week warning of the Blaster worm and attempting to use Wikipedia's good name to distribute malware. Wikipedia's operators quickly cleaned out the rigged pages. Last Tuesday, however, more spam mails appeared advertising the external address that had previously been used to host the specially prepared downloads. In the interim, the criminals behind the campaign have completely recreated the original Wikipedia article there. One graphic was initially being loaded from the Wikipedia servers; Wikipedia administrators reacted by implementing referrer checking that delivers a warning image instead of the Wikipedia logo when the logo is requested from the forged site.
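Referrer checking of the kind Wikipedia's administrators used can be expressed as a small policy function. The Python below is an added example, not Wikipedia's or MediaWiki's code; the allowed host suffixes and the decision to serve the real logo when no Referer header is sent are assumptions chosen for the example, not details given in the article.

```python
from urllib.parse import urlsplit

# Assumption for this example: host suffixes allowed to embed the logo.
# Wikipedia's actual list is not given in the article.
ALLOWED_SUFFIXES = ("wikipedia.org", "wikimedia.org")


def host_is_allowed(host: str, allowed=ALLOWED_SUFFIXES) -> bool:
    """Exact match or subdomain of an allowed suffix.  A plain endswith()
    check would accept 'notwikipedia.org', so the leading dot is required."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in allowed)


def choose_image(referer, allowed=ALLOWED_SUFFIXES) -> str:
    """Decide whether a request for the logo gets 'logo' or 'warning'."""
    if not referer:
        # No Referer: direct visits and privacy-conscious browsers.  Serving
        # the warning here would punish legitimate readers, so the logo is
        # served (assumption made for this example).
        return "logo"
    try:
        parts = urlsplit(referer)
    except ValueError:  # e.g. an unbalanced '[' in the host part
        return "warning"
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return "warning"
    # .hostname strips userinfo and port, so 'http://en.wikipedia.org@evil.example/'
    # is seen as evil.example rather than as Wikipedia.
    return "logo" if host_is_allowed(parts.hostname, allowed) else "warning"


def handle_logo_request(headers: dict) -> str:
    """HTTP header names are case-insensitive; normalise before deciding."""
    referer = next((v for k, v in headers.items() if k.lower() == "referer"), None)
    return choose_image(referer)
```

The suffix check and the use of `hostname` (rather than the raw netloc) matter: a forged site can put the real host name into the path, the userinfo part or a longer domain, and only the registered domain of the referring page should decide which image is sent.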

The forged site is still partially reachable, although some providers appear to have blocked DNS resolution for it. Visitors who surf to the site are no longer shown the advertised address but rather the full hostname of the server holding the pages. The Wikipedia crew are currently trying to trace who registered the domain used by the people behind the manipulated software.

As of yesterday afternoon, the manipulated patches offered on the forged pages were still not detected by a single virus scanner. Only after heise Security sent samples to several anti-virus vendors were the first signature updates released to detect and remove the trojans.

As of Wednesday morning, only the AntiVir, AVG, ClamAV, F-Prot, Kaspersky and Microsoft OneCare scanners detected the malware; the other scanners tested via VirusTotal remained blind. There is no data yet on how widely the malware has spread. Because virus scanners had given the files a clean bill of health, many users may have been less suspicious of them and hence more likely to execute them.

The current belief is that the malware contains an original Microsoft patch in a CAB archive embedded in the file. The only modification is in the routines that extract that CAB archive: when the file is executed, they create new user accounts on the computer, among other actions. A program of this kind is known as a trojan dropper, designed to sneak trojan horse software onto a computer and then execute it. It remains unclear which malicious routines the dropped trojan possesses.
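An analyst who wants to confirm that the dropper really wraps an untouched Microsoft patch would carve the embedded CAB archive out of the sample and compare it with the genuine package. The Python below is an added example and not heise Security's analysis tooling: it scans a binary for plausible cabinet headers (the 'MSCF' signature checked against the CFHEADER fields from Microsoft's cabinet format), reports size and file count, and hashes the carved bytes. The dropper it runs on is a constructed stand-in built inline for the example, not the real sample; only the header layout is real.

```python
import hashlib
import struct

# CFHEADER layout from the Microsoft cabinet format specification:
# 'MSCF', reserved1, cbCabinet, reserved2, coffFiles, reserved3,
# versionMinor, versionMajor, cFolders, cFiles, flags, setID, iCabinet.
CAB_MAGIC = b"MSCF"
CAB_HEADER_LEN = 36
_CFHEADER_FMT = "<4xI4xI4xBBHHHHH"  # the 32 bytes that follow the magic


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def find_cab_archives(blob: bytes):
    """Locate embedded CAB archives in an arbitrary binary (e.g. a
    self-extracting patch) and describe each one.  Every 'MSCF' occurrence
    is validated against the header fields so random byte runs are skipped."""
    hits = []
    pos = blob.find(CAB_MAGIC)
    while pos != -1:
        if pos + CAB_HEADER_LEN <= len(blob):
            (cb_cabinet, coff_files, ver_minor, ver_major, c_folders,
             c_files, _flags, set_id, _i_cabinet) = struct.unpack_from(
                _CFHEADER_FMT, blob, pos + 4)
            plausible = (
                ver_major == 1 and ver_minor == 3          # only CAB 1.3 exists
                and CAB_HEADER_LEN <= cb_cabinet <= len(blob) - pos
                and CAB_HEADER_LEN <= coff_files < cb_cabinet
                and c_folders >= 1 and c_files >= 1
            )
            if plausible:
                end = pos + cb_cabinet
                hits.append({
                    "offset": pos,
                    "size": cb_cabinet,
                    "folders": c_folders,
                    "files": c_files,
                    "set_id": set_id,
                    "trailing_bytes": len(blob) - end,   # data appended after the CAB
                    "sha256": sha256_hex(blob[pos:end]),
                })
        pos = blob.find(CAB_MAGIC, pos + 1)
    return hits


def carve_cab(blob: bytes, hit: dict) -> bytes:
    """Raw bytes of one archive found by find_cab_archives, ready to be written
    out and compared with the hash of the genuine Microsoft package."""
    return blob[hit["offset"]:hit["offset"] + hit["size"]]


def _build_cab(folders: int, files: int, body: bytes) -> bytes:
    """Constructed sample: a syntactically valid CFHEADER with a dummy body."""
    cb = CAB_HEADER_LEN + len(body)
    return CAB_MAGIC + struct.pack("<IIIIIBBHHHHH", 0, cb, 0, CAB_HEADER_LEN, 0,
                                   3, 1, folders, files, 0, 0x1234, 0) + body


# Constructed stand-in for a dropper (not the real sample): a fake executable
# stub that also contains a decoy 'MSCF' string, the embedded archive, and an
# appended overlay.
SAMPLE_DROPPER = (
    b"MZ" + b"\x90" * 30
    + CAB_MAGIC + b"\x00" * 32          # decoy: cbCabinet is 0, so it is rejected
    + b"\x90" * 26
    + _build_cab(1, 2, b"A" * 28)
    + b"appended-overlay"
)

if __name__ == "__main__":
    for hit in find_cab_archives(SAMPLE_DROPPER):
        print(hit)
```

Comparing the hash of the carved archive with the hash of the package downloaded directly from Microsoft tells the analyst whether the payload itself is untouched and the malicious behaviour lives only in the surrounding extractor code; the `trailing_bytes` figure shows whether anything was appended behind the archive, a common place for a dropper to keep its own payload.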


