
Auctionbytes-NewsFlash, Number 1186 - January 03, 2006 - ISSN 1539-5065

Do eBay Auctions Pose Security Risk?
By Ina Steiner
AuctionBytes.com
January 03, 2006

An eBay auction for a Rolls-Royce Phantom contained a Java applet designed to install malicious code on viewers' computers. The auction was listed on eBay.com by a seller located in the UK on December 28, 2005. The auction had a bid for 130,000 pounds (approximately $223,444) and was scheduled to end on January 7, 2006. A hit counter showed the auction had been viewed nearly 3,000 times before the auction was removed Monday afternoon, presumably by eBay.

eBay allows JavaScript in listings so sellers can include tools useful to buyers. eBay offices were closed on Monday, but in the past, an eBay spokesperson has said the site automatically scans listings to detect possible problems.

When an eBay visitor clicked on the auction (Item #4600826228) to view it, the listing description page appeared. Users with up-to-date anti-virus software would see a warning, giving them the opportunity to immediately delete the file from their computer. Other visitors to the auction listing might never have realized their computers were infected. The Trojan included a keylogger that could record keystrokes and potentially send logs containing passwords to the perpetrator unbeknownst to the victim.

A programmer contacted by AuctionBytes explained how the Trojan worked. "When a person goes to the page, the JavaScript runs and prints the Java Applet, that is when the fun begins. Since the Applet is embedded, it automatically downloads to your computer and then installs some malicious code - Trojan.ByteVerify. The diners.gif file that it calls is really the virus code. It is disguised as a GIF file. This is a very clever way to deliver a virus to one's computer."

According to anti-virus vendor Symantec, "Trojan.ByteVerify is a Trojan Horse that exploits the vulnerability described in Microsoft Security Bulletin MS03-011 and could provide a hacker the ability to run arbitrary code on an infected system." Information and instructions on removing the Trojan from infected computers are available on the Symantec website (http://digbig.com/4ftpb).

The seller with the "Trojan auction" was not suspended Monday after the auction was removed, and could himself have been a victim of an account hijacking. Hijackings of eBay accounts are becoming more common due to the success of phishing attacks in which users reveal personal information to someone posing as a trusted source, such as eBay, PayPal, an Internet Service Provider, a financial institution or even an ecommerce retail site.

Last month, Michael Bazeley of the San Jose Mercury News reported another case where malicious JavaScript appeared in eBay auctions. In those cases, phishers used malicious JavaScript to infect eBay listings and redirect visitors off the eBay site as part of their phishing activities. Bazeley reported, "EBay has tools that automatically scan new listings for computer viruses and malicious JavaScript, spokesman Hani Durzy said. In this instance, the hacker apparently used code that sneaked past the screening process. He added that this technique is 'very rare' on eBay's site. Durzy said the company would update its screening tools" (http://www.siliconvalley.com/mld/siliconvalley/13389212.htm).
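
The two signals in the programmer's description (a script that writes out an applet, and a file named as a GIF that is not one) are the kind of thing a listing screen can check. The following Python is an added example, not code from the article or from eBay; the rule names, the sample HTML, the class name and the file bytes are constructed, and the article does not say what diners.gif actually contained.

```python
import re

# Magic-byte signatures for the content types this check distinguishes.
SIGNATURES = [
    (b"GIF87a", "gif"), (b"GIF89a", "gif"),
    (b"\xff\xd8\xff", "jpeg"), (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xca\xfe\xba\xbe", "java-class"),
    (b"PK\x03\x04", "zip-or-jar"), (b"MZ", "windows-executable"),
]
IMAGE_EXT = {"gif": "gif", "jpg": "jpeg", "jpeg": "jpeg", "png": "png"}
ACTIVE_TAG = re.compile(r"<\s*(applet|object|embed)\b", re.I)
SCRIPT_BODY = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)


def sniff_type(data):
    """Return the content type implied by the leading bytes, or 'unknown'."""
    for magic, name in SIGNATURES:
        if data.startswith(magic):
            return name
    return "unknown"


def screen_listing(html, resources):
    """Return (rule, detail) findings for one listing description.

    resources maps each file name the listing references to its fetched bytes.
    """
    findings = []
    # Rule 1: markup for embedded active content written out by a script.
    for body in SCRIPT_BODY.findall(html):
        for tag in ACTIVE_TAG.findall(body):
            findings.append(("script-writes-active-content", tag.lower()))
    # Rule 2: active content placed directly in the description.
    for tag in ACTIVE_TAG.findall(SCRIPT_BODY.sub("", html)):
        findings.append(("static-active-content", tag.lower()))
    # Rule 3: a file named like an image whose bytes are not that image type.
    for name, data in sorted(resources.items()):
        claimed = IMAGE_EXT.get(name.rsplit(".", 1)[-1].lower())
        if claimed and sniff_type(data) != claimed:
            findings.append(("extension-content-mismatch", f"{name}: {sniff_type(data)}"))
    return findings


# Constructed sample input, not taken from the actual listing.
SAMPLE_HTML = ("<p>Rolls-Royce Phantom</p><script>document.write("
               "'<applet code=\"Example.class\" width=\"1\" height=\"1\"></applet>');</script>")
SAMPLE_FILES = {"diners.gif": b"\xca\xfe\xba\xbe" + b"\x00" * 16,
                "photo.gif": b"GIF89a" + b"\x00" * 16}

if __name__ == "__main__":
    for rule, detail in screen_listing(SAMPLE_HTML, SAMPLE_FILES):
        print(rule, detail)
```

Rule 1 only sees tags that appear literally in the script source, so it complements rather than replaces the content check in rule 3 and up-to-date anti-virus on the viewer's machine.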

Experts advise that all computer users with Internet access install anti-virus software and keep it up to date.

You may quote up to 200 words of any article on the condition that you attribute the article to AuctionBytes.com and either link to the original article or to www.AuctionBytes.com.
All other use is prohibited.
Copyright 1999-2009. Steiner Associates LLC. All rights reserved.