Re: [Full-disclosure] Sending spam via sites and creating spam-botnets



Hello Eddie!

Are you asking about PoC about conducting CSRF, DoS and DDoS attacks via
sites to others sites (which I wrote in about previous articles) or PoC
about sending spam via sites (which I wrote about in last article)? As I
see, you asked about last case.

As I mentioned in my brief description, in article Sending spam via sites
and creating spam-botnets (http://websecurity.com.ua/4382/) I mentioned many
vulnerable web sites (where I found such holes) and also vulnerable
plugins - WP-ContactForm for WordPress and Contact Form ][ for WordPress (in
which I found such Abuse of Functionality holes in 2008) and com_alfcontact
for Joomla (in which I found such Abuse of Functionality hole in 2009). And
when the time will come I'll write about other plugins with such
vulnerabilities which I found in 2010.

To not let you spent much time on looking through my site to find all these
PoC (for plugins) and real examples (on vulnerable sites), I'll give you
such example in this letter.

One of the latest such holes which I posted were vulnerabilities at
news.yahoo.com (http://websecurity.com.ua/3723/). These are Abuse of
Functionality, Insufficient Anti-automation and HTML Injection (Link
Injection) vulnerabilities. Which Yahoo still not fixed from 2009 (which is
common behavior for them - during 2006-2010 I informed Yahoo many times
about holes at their sites, but they mostly always ignored).

About that HTML Injection vulnerability I already mentioned before
(http://lists.grok.org.uk/pipermail/full-disclosure/2010-June/075372.html) -
it's where I used redirector for bypassing of restrictions on URL at HTML
Injection attacks, particularly Link Injection.

So look at other holes at news.yahoo.com - Abuse of Functionality and
Insufficient Anti-automation.

The Abuse of Functionality hole at
http://m2f.news.yahoo.com/mailto/?prop=news&locale=us allow to send spam
(with faking From name and e-mail) and with using option "Send me a copy of
this message" it's possible to send spam to more addresses at one request.
And due to Insufficient Anti-automation hole, it's possible to create entire
Spam Gateway from this functionality at Yahoo's site.

Regarding spam-botnets. As I showed on example of DAVOSET, the tools for
conducting of DDoS attacks via Abuse of Functionality vulnerabilities could
be creating. And similarly to them the tools for mass spam sending can be
created. To use large amount of web sites with such vulnerabilities for
sending spam.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

----- Original Message -----
From: "McGhee, Eddie" <Eddie.McGhee@xxxxxxx>
To: "MustLive" <mustlive@xxxxxxxxxxxxxxxxxx>;
<full-disclosure@xxxxxxxxxxxxxxxxx>
Sent: Wednesday, July 21, 2010 3:14 PM
Subject: RE: [Full-disclosure] Sending spam via sites and creating
spam-botnets


POC?

-----Original Message-----
From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx
[mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf Of MustLive
Sent: 20 July 2010 19:51
To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: [Full-disclosure] Sending spam via sites and creating spam-botnets

Hello participants of Full-Disclosure!

In continue to my last month's article Using of the sites for attacks on
other sites and my previous article about creating of botnet from
zombie-servers and program DDoS attacks via other sites execution tool
(DAVOSET), I want to draw your attention to another aspect of Abuse of
Functionality vulnerabilities. At the end of last week I wrote new article
Sending spam via sites and creating spam-botnets
(http://websecurity.com.ua/4382/). Which I'll tell you briefly about.

Similarly to using of the sites for attacks on other sites via Abuse of
Functionality vulnerabilities, it's also possible via Abuse of Functionality
to use sites for sending spam.

There are many such vulnerabilities in Internet, which I wrote about many
times, as vulnerable sites, as vulnerable plugins (which used at many
sites). So many sites can be used for sending spam.

Using of Abuse of Functionality for sending spam.

Researching of such vulnerabilities I begun already in 2007. From that time
I found many web sites with such vulnerabilities and also vulnerable plugins
for popular web applications. Particularly such plugins as WP-ContactForm
for WordPress, Contact Form ][ for WordPress and com_alfcontact for Joomla.

Creating of spam-botnets from sites.

Similarly to tools for conducting of DDoS attacks via Abuse of Functionality
vulnerabilities, as for example DAVOSET, in exactly the same way the tools
for mass spam sending can be created. Via multiple Abuse of Functionality
vulnerabilities at different sites. I.e. these vulnerabilities can be used
for creating of spam-botnets with zombie-servers. And taking into account
that spam will be sending from servers of well-known companies, then very
likely that these letters will bypass spam-filters.

Taking into account widespread of Abuse of Functionality vulnerabilities at
the sites, which allow to send spam, and ignoring of sites' admins of this
problem, it's actual. And taking into account that network from these
zombie-servers can be created without wasting of resources (including
financial), as it occurs in classical botnets, then this type of botnets is
very profitable from financial side. So with time spammers can draw
attention at this method of sending spam and at this type of spam-botnets.

P.S.

If your site will be DDoSed from Google's servers or you will receive spam
from IBM's servers, than you will be knowing what type of botnets it is.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/