TeamSpeak server hijacked to send Malware
By Steve Ragan Apr 16, 2007, 9:20 GMT
The popular gaming voice-chat platform TeamSpeak was the victim of a SQL injection attack over the weekend. The attacker used the compromised forum to send unsolicited e-mail to registered users, pointing them at malware. The malware, distributed as a file named ‘patch.exe’, is flagged by several anti-virus vendors as suspicious or identified as a member of the LdPinch Trojan family.
The headers of the rogue message show how it was sent: the X-Mailer line identifies the forum software's own mail function, not an external spam host, as the origin of the message.
X-Mailer: vBulletin Mail via PHP
Date: Sat, 14 Apr 2007 21:12:57 +0200
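The header check described above, turned into a small triage script. This is an added example and not code from the article or from TeamSpeak; both messages in it are constructed to resemble the rogue notification and a normal forum notification, and the download URL is a placeholder rather than the real hosting location. It parses the headers with the standard library, pulls out X-Mailer and Date, and only calls a message suspicious when a forum mass-mailer is combined with a link to an executable, since either signal alone is weak.

```python
import email
import re
from email import policy
from email.utils import parsedate_to_datetime

# Constructed sample resembling the rogue message described in the article
# (not the real e-mail). The download URL is a placeholder, not the real host.
SUSPECT_MESSAGE = """\
From: TeamSpeak <noreply@goteamspeak.com>
To: user@example.org
Subject: New Team Speak patch
X-Mailer: vBulletin Mail via PHP
Date: Sat, 14 Apr 2007 21:12:57 +0200
Content-Type: text/plain; charset="us-ascii"

Now you can download new Team Speak patch. It will help you to use our
Team Speak servers. We advise you to download it now.
http://forums.example.net/patch.exe
"""

# Constructed benign thread-subscription notification for comparison.
BENIGN_MESSAGE = """\
From: TeamSpeak <noreply@goteamspeak.com>
To: user@example.org
Subject: Reply to your thread
X-Mailer: vBulletin Mail via PHP
Date: Sat, 14 Apr 2007 18:03:11 +0200
Content-Type: text/plain; charset="us-ascii"

Someone replied to a thread you are subscribed to.
http://forums.example.net/showthread.php?t=12345
"""

# X-Mailer values of forum software whose mass-mail feature an attacker
# with database or admin access can abuse.
FORUM_MAILERS = ("vbulletin",)

# A link whose last path element is an executable, followed by whitespace or
# end of text so that ".com" in a hostname is not mistaken for a DOS binary.
EXECUTABLE_LINK = re.compile(
    r"https?://\S+\.(?:exe|scr|pif|bat|cmd)(?!\S)", re.IGNORECASE)

# "download ... now" style pressure, a common lure phrasing.
DOWNLOAD_URGENCY = re.compile(
    r"\b(download|install|run)\b.*\b(now|immediately)\b",
    re.IGNORECASE | re.DOTALL)


def triage(raw: str) -> dict:
    """Parse one raw RFC 822 message and return the headers and findings
    a responder would want, plus a verdict of 'suspicious' or 'ok'."""
    msg = email.message_from_string(raw, policy=policy.default)
    mailer = msg.get("X-Mailer", "")
    sent = parsedate_to_datetime(msg["Date"]) if msg["Date"] else None
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""

    findings = []
    forum_mailer = any(name in mailer.lower() for name in FORUM_MAILERS)
    if forum_mailer:
        findings.append(f"sent through forum mass-mailer: {mailer}")
    exe_links = EXECUTABLE_LINK.findall(text)
    for link in exe_links:
        findings.append(f"links to executable: {link}")
    if DOWNLOAD_URGENCY.search(text):
        findings.append("urges immediate download")

    # The pattern in the article: the forum's own notification mailer pushing
    # an executable. A forum mailer by itself is how normal notifications go out.
    verdict = "suspicious" if forum_mailer and exe_links else "ok"
    return {"mailer": mailer, "sent": sent, "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for name, raw in (("suspect", SUSPECT_MESSAGE), ("benign", BENIGN_MESSAGE)):
        result = triage(raw)
        print(name, result["verdict"], result["mailer"], result["sent"])
        for finding in result["findings"]:
            print("  -", finding)
```

The benign notification still carries the vBulletin X-Mailer and the same noreply sender, so keying on the mailer or the sender address alone would flag every legitimate thread-subscription mail from the same forum; the executable link is what separates the two.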
The email, from the address noreply [at] goteamspeak.com, offered some advice to TeamSpeak users: “Now you can download new Team Speak patch. It will help you to use our Team Speak servers. We advise you to download it now.” According to forum posts the file was hosted on the TeamSpeak servers for several hours, which allowed an unknown number of downloads.
The exploit centers on the website's forum software, vBulletin. The attack uses SQL injection code released by a person known online only as “SekoMirza”. The code targets vBulletin version 3.6.5 and earlier, the version in use on the TeamSpeak forums. TeamSpeak addressed the issue by removing the file, and for a short time on Saturday the forum appeared to be down for maintenance.
“If you participate in our forums, you may have recently received an email asking you to download a patch.exe file. Please do not download or execute this file. Recently a security exploit on our website allowed an intruder to send a mass-email to all registered forums users, informing them of a supposed patch for TeamSpeak. The email was malicious in nature. We have been working around the clock to address this issue and as of this moment it is now resolved. Please keep in mind we take these matters very seriously and are always doing everything we possibly can to ensure that your visit to our website is safe and secure,” they announced on their website.
Anti-virus coverage for the malicious file was strong, and many products caught it almost instantly.