Security Incidents mailing list archives

RE: E-Card Remote Code Execution Scam


From: "Jonathan A. Zdziarski" <jonathan () networkdweebs com>
Date: Sat, 28 Sep 2002 22:27:36 -0400

Well that is good to know that this is not some kind of trojan wanting
to do damage (although installing adware on someone's machine without
their knowing is almost as bad).  Hopefully nobody will try and use an
idea like this for any worse purposes.

I'd still be interested in knowing how someone using a fake address that
doesn't exist was able to get a valid thawte certificate.  I thought
they verified that information; I suppose it's possible they could've
changed it after obtaining the certificate.  I find it odd that thawte's
front-page propaganda is based on the word 'trust' and yet their own
verification disclosure on their website claims that you should never
assume anyone with a certificate is trustworthy.  Go figure.


-----Original Message-----
From: Fulton Preston [mailto:fulton () prestons org] 
Sent: Saturday, September 28, 2002 9:13 PM
To: 'Jonathan A. Zdziarski'; incidents () securityfocus com
Subject: RE: E-Card Remote Code Execution Scam


Using wget to grab the HTML I found the following in the html:

<OBJECT width=0 height=0 ID="POTD"
CLASSID="clsid:3750BFA3-1392-4AF3-AF86-9D2D4776E5A4"  
         codebase="e-card_viewer.cab#version=1,0,0,1">


Using wget again, I grabbed e-card_viewer.cab from the site and unzipped
it.  It contained only one file: potd.dll

I did a yahoo search for potd.dll and came across this at:
http://and.doxdesk.com/parasite/Cytron.html

Description
Cytron is an Internet Explorer Browser Helper Object. It scans the
content of pages being viewed for keywords and opens pop-up advertising
when they are detected. 

Also known as
POTD, after the filename and BHO name; Burnaby, the internal object
name; TargetingSource, the name used to describe the control in
Downloaded Program Files. 

Distribution
Installed by ActiveX drive-by download on a page pointed to by mail
claiming you have received an 'e-card'. The ActiveX control purports to
be a viewer for e-cards. 

What it does
Advertising
Yes. When IE is started for the first time it attempts to connect to
Cytron's servers to download a list of keywords to look for, and URLs of
pop-ups to open. 

Privacy violation
No. 

Security issues
No. 

Stability problems
None known. 

Removal
First deregister the Cytron BHO. Open a DOS command prompt
(Start->Programs->Accessories) and enter the following commands: 

cd "%WinDir%\System" 
regsvr32 /u "%WinDir%\Downloaded Program Files\potd.dll" 
You should then be able to delete the 'TargetingSource' entry in
Downloaded Program Files (in the Windows folder), and the registry key
HKEY_CURRENT_USER\Software\POTD (Start->Run->regedit). 



Ran strings against the dll and it confirms the above stated.

HKCR
Burnaby.TargetingSource.1 = s 'TargetingSource Class'
CLSID = s '{3750BFA3-1392-4AF3-AF86-9D2D4776E5A4}'
Burnaby.TargetingSource = s 'TargetingSource Class'
CLSID = s '{3750BFA3-1392-4AF3-AF86-9D2D4776E5A4}'
CurVer = s 'Burnaby.TargetingSource.1'
NoRemove CLSID
ForceRemove {3750BFA3-1392-4AF3-AF86-9D2D4776E5A4} = s 'TargetingSource Class'
ProgID = s 'Burnaby.TargetingSource.1'
VersionIndependentProgID = s 'Burnaby.TargetingSource'
ForceRemove 'Programmable'
InprocServer32 = s '%MODULE%'
            val ThreadingModel = s 'Apartment'
'TypeLib' = s '{4F80F72C-D6AE-412E-B859-E3EE4478BBC3}'
HKLM 
   SOFTWARE 
   {
      Microsoft 
      {   
         Windows 
         {
            CurrentVersion 
            {
               Explorer 
               {
                  'Browser Helper Objects'
                  {
                     ForceRemove {3750BFA3-1392-4AF3-AF86-9D2D4776E5A4}
= s 'POTD Helper'
                  }
               }
            }
         }
      }
   }
HKLM
   SOFTWARE
   {
      POTD
      {
         'POTD Helper'
         {
            ForceRemove CS
            {
               ForceRemove Repositories
               {
                  val 001 = s 'http://66.230.217.196/cybersex/trop.xml'
                  val 002 = s 'http://216.187.109.101/cybersex/trop.xml'
               }
            }
         }
      }
   }
HKEY_CURRENT_USER
   SOFTWARE
   {
      POTD
      {
         ForceRemove 'POTD Helper'
         {
         }
      }
   }
MSFT
stdole2.tlbWWW
BURNABYLibWW
8o TargetingSourceWd
8ITargetingSource
Burnaby 1.0 Type LibraryWW
TargetingSource ClassW
ITargetingSource Interface


-----Original Message-----
From: Jonathan A. Zdziarski [mailto:jonathan () networkdweebs com] 
Sent: Saturday, September 28, 2002 05:25
To: incidents () securityfocus com
Cc: abuse () thawte com; server-certs () thawte com; abuse () yahoo com
Subject: E-Card Remote Code Execution Scam


This seems an awful lot to me like a Remote Code Execution Scam...

I received an email addressed to "Undisclosed Recipients" notifying me
that I received an E-Card today, so I went to the site
http://www.surprisecards.net/viewcard.htm?id_num=[Undisclosed]&card=Pick+up
to view the card.  Oddly, I received a security warning asking me if
I wanted to allow some code to run on my machine.  Noticing the odd
choice of form variables as opposed to other e-card sites (not to
mention the fact that I could type in any number and get the same
screen), and with an eyebrow now raised I went to the main website
http://www.surprisecards.net to find "Welcome to the future home of
richardoliver.web.aplus.net".  So I figure, if there's no way to send a
card from this website then chances are nobody sent me a valid card.

I took a look at the Thawte certificate for the card viewer "code" and
got www.cytron.com, some no-name development website with nothing more
than a phone number.

At the moment I'm not in front of any sacrificial machine to test the
card out on, but I suspect this email is being mailed out as a scam in
an attempt to run arbitrary code on the user's machine using a valid
Thawte certificate.  What the code does when it loads I've no idea as
I'm not dumb enough to try it on my home machine.

In summary, my suspicion that this is the case is based on the
following:

1. The email was from egreetings () yahoo com, yet was not redirecting me
to a yahoo site.  (It was in fact coming from a yahoo mail server
though).  

2. The email was NOT from surprisecard.net

3. The email was addressed to undisclosed recipients

4. There is no medium for sending cards from this site

5. www.cytron.com has no credible information about any card reader
product or even the company.

Perhaps someone in front of some extra hardware can take this and roll
with it.


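The manual inspection Fulton describes (fetch the page, look for a hidden OBJECT tag, read its CLASSID and the .cab it pulls) can be turned into a repeatable triage check. The script below is an added example and is not code from this thread or from any of its posters. It uses only the Python standard library; the CLSID on its watchlist and the sample OBJECT tag are the ones quoted in the thread, the second object in the sample and the `example.invalid` default URL are constructed, and `scan_html`, `ObjectTagCollector` and `WATCHLIST` are names chosen here.

```python
"""Scan saved HTML for hidden ActiveX <OBJECT> tags that pull a .cab installer.

Added example, not code from the mailing-list thread. It automates the
manual check described there: find <OBJECT> elements whose CLSID is on a
watchlist, or whose 0x0 box plus a .cab CODEBASE matches the drive-by
ActiveX install pattern, and report the resolved .cab URL for follow-up.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin

# CLSID quoted in the thread (POTD / Cytron BHO). Other entries would come
# from your own intelligence; this one is the only value taken from the page.
WATCHLIST = {
    "3750BFA3-1392-4AF3-AF86-9D2D4776E5A4": "Cytron/POTD BHO (adware)",
}


class ObjectTagCollector(HTMLParser):
    """Collect every <OBJECT ...> start tag with its attributes."""

    def __init__(self):
        super().__init__()
        self.objects = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "object":
            # HTMLParser already lower-cases names; values stay as written
            self.objects.append({k.lower(): (v or "") for k, v in attrs})


def normalise_clsid(classid):
    """'clsid:{...}' / 'CLSID:...' -> bare upper-case GUID, or None."""
    value = classid.strip()
    if value.lower().startswith("clsid:"):
        value = value[len("clsid:"):]
    value = value.strip("{}").upper()
    return value or None


def is_hidden(attrs):
    """A 0x0 object has no visual purpose; it exists only to trigger a load."""
    def dim(name):
        try:
            return int(attrs.get(name, "1").strip().rstrip("px"))
        except ValueError:
            return 1  # unparseable size: do not treat as hidden
    return dim("width") == 0 and dim("height") == 0


def scan_html(html, page_url="http://example.invalid/"):
    """Return a list of findings, one per suspicious <OBJECT> tag."""
    collector = ObjectTagCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.objects:
        clsid = normalise_clsid(attrs.get("classid", ""))
        codebase = attrs.get("codebase", "")
        # CODEBASE is "url#version=a,b,c,d"; keep the URL, resolve it
        # against the page so a relative .cab name becomes a full fetch URL.
        cab_url = urljoin(page_url, codebase.split("#", 1)[0]) if codebase else ""
        reasons = []
        if clsid in WATCHLIST:
            reasons.append("known CLSID: " + WATCHLIST[clsid])
        if is_hidden(attrs) and cab_url.lower().endswith(".cab"):
            reasons.append("hidden 0x0 object with .cab codebase (drive-by pattern)")
        if reasons:
            findings.append({"clsid": clsid, "cab_url": cab_url, "reasons": reasons})
    return findings


# Constructed sample: the first tag is the one quoted in the thread, the
# second is a visible, unlisted control that should not be flagged.
SAMPLE_HTML = """
<html><body>
<OBJECT width=0 height=0 ID="POTD"
CLASSID="clsid:3750BFA3-1392-4AF3-AF86-9D2D4776E5A4"
         codebase="e-card_viewer.cab#version=1,0,0,1">
</OBJECT>
<object width="300" height="200"
        classid="clsid:00000000-0000-0000-0000-000000000000"
        codebase="player.cab#version=2,0,0,0"></object>
</body></html>
"""

if __name__ == "__main__":
    # Page URL from the thread is used only to resolve the relative .cab path;
    # nothing is fetched. Feed it the output of your own wget instead.
    for finding in scan_html(SAMPLE_HTML, "http://www.surprisecards.net/viewcard.htm"):
        print(finding)
```

Run it over HTML you have already saved with wget; the resolved `cab_url` is what you would then pull and unpack offline, exactly as in the thread, rather than letting a browser do it.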

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For
more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com



