Security Incidents mailing list archives

Re: AIM-based worm?


From: Midkaemia <midkaemia () midkaemia fsnet co uk>
Date: Sun, 29 Sep 2002 23:06:32 +0100

On Friday 27 Sep 2002 9:48 pm, Troy Ablan wrote:
-- BEGIN SOURCE --

<html><head><title>Browser Plugin Requried</title><meta
http-equiv="refresh" content="1;
url=psecure20x-cgi-install.version6.01.bin.hx.com"></head><body><h1>Bro
wser Plugin Required:</h1><br>You may need to restart your browser for
changes to take affect.<br>Security Certificate by <a
href="http://www.verisign.com">Verisign</a> 2002.<br>MD5:
9DD756AC-80E057FC-E00703A2-F801F2E3<br><br>Click <a
href="psecure20x-cgi-install.version6.01.bin.hx.com">HERE</a> and
choose "Run" to install.</body></html>

-- END SOURCE --

I don't think so.  I think it's just the text of the HTML page saying
that -- part of the social engineering in play to get the user to execute
the worm.

-Troy

Ditto, that's what I thought as well. 

Basically the hacker is trying to fool the end user into thinking the page 
they have been asked to view (by whatever means) requires a plugin to run. 
The user thinks that by accepting to install the "plugin" they are being 
given a valid plugin signed by Verisign. It isn't, and they shouldn't run it. 
But hey, people will. I suspect the "plugin" modifies the home page of the 
browser, or installs some other ActiveX control to make this thing work, 
hence the restart your browser bit.

If I had a spare winxx box I would be tempted to have a look at this thing to 
provide more info, unfortunately I'm mid rebuild of my entire systems so I 
can't atm :( 

It's a quite simple play on basic human ignorance, and nothing more.

Mike
-- 
_______________________________________________________________________
 "In their capacity as a tool, computers will be but a ripple on the 
   surface of our culture. In their capacity as intellectual challenge, 
   they are without precedent in the cultural history of mankind." 
        Edsger Wybe Dijkstra on Computers

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
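
Added example, not part of the original thread: a short Python check that a mail or proxy filter could run over a page like the one quoted above. It flags meta-refresh and link targets that have no scheme or host and end in a directly executable Windows extension, which is why the `.hx.com` name resolves to a file on the same server rather than to a domain. The extension list, the class and function names, and the trimmed sample page are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Assumption: extensions a Windows client would execute directly.
EXEC_EXT = (".com", ".exe", ".scr", ".pif", ".bat", ".cmd")

class LureScanner(HTMLParser):
    """Collects meta-refresh targets and anchor hrefs from a page."""
    def __init__(self):
        super().__init__()
        self.targets = []  # list of (kind, url)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\";]+)", a.get("content", ""), re.I)
            if m:
                self.targets.append(("meta-refresh", m.group(1).strip()))
        elif tag == "a" and a.get("href"):
            self.targets.append(("link", a["href"].strip()))

def is_relative_executable(url):
    # No scheme and no host means the browser fetches a file relative to the
    # current page, however much the name looks like a hostname.
    p = urlparse(url)
    if p.scheme or p.netloc:
        return False
    return p.path.lower().endswith(EXEC_EXT)

def scan(html):
    s = LureScanner()
    s.feed(html)
    s.close()
    return [(kind, url) for kind, url in s.targets if is_relative_executable(url)]

# Constructed sample: the quoted page source, trimmed and with line wraps removed.
SAMPLE = (
    '<html><head><title>Browser Plugin Requried</title>'
    '<meta http-equiv="refresh" content="1; '
    'url=psecure20x-cgi-install.version6.01.bin.hx.com"></head><body>'
    'Security Certificate by <a href="http://www.verisign.com">Verisign</a> 2002.'
    '<br>Click <a href="psecure20x-cgi-install.version6.01.bin.hx.com">HERE</a>'
    ' and choose "Run" to install.</body></html>'
)

if __name__ == "__main__":
    for kind, url in scan(SAMPLE):
        print(f"suspicious {kind}: {url}")
```

The real Verisign link is not flagged because it carries a scheme and host; only the two same-server references to the disguised file are reported.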

