Full Disclosure mailing list archives
Re: First WMF mass mailer ItW (phishing Trojan)
From: Lance James <bugtraq () securescience net>
Date: Sun, 19 Feb 2006 20:51:42 -0800
Lance James wrote:
Gadi Evron wrote:The first worm (mass mailer) to (ab)use the WMF 0day is now spreading in Australia.
Also to quickly reply to my own post (sorry) - but a quick historical analysis of the exploit and trojan itself demonstrates this: Bulk Mailing via a mass-mailer was sent out (basically a phishing email) to lure victims to click on a link with: http://[censored]/xpl.wmf This will then make a request to http://[censored]/1.exe which is downloader packed with FSG. Bleeding Snort sigs would detect this immediately from both the WMF and the FSG packing itself. (http://www.bleedingsnort.com/cgi-bin/viewcvs.cgi/sigs/MALWARE/MALWARE_Corpsespyware?rev=1.7&view=markup) 1.exe will then download installer.exe from the site. This file in short puts the trojan on the system as %system32%\msnscps.dll and registers it as a Browser Helper Object. (this DLL file is packed with UPX). It names it in the Add-Ins extensions as: Software Installation Snapin Extenstion (typo included) There is no sign of mass-mailing within the trojan itself, it's a standard Remote Admin Tool used to steal data. The format which is stored in %system32%/form.txt looks like this when you log into submission forms: --------------------------------------------- CompID: 8746B936FCAF484AA9D2D49B60EBD47B1B945D4B00874879853470B023A0B9C3 Ver: 2.0RC49 host: sandbox-1 if1 : 172.16.234.128 --------------------------------------------- --------------------------------------------- --------------------------------------------- Sun Feb 19 18:55:05 2006 URL: https://www.banksite.com/ Action: https://banksite.com/signon Method: post userid(text): 234234234234 password(password): 23423423423 destination(select): AccountSummary [checked] Action: /search/search.html Method: get query(text): REQ: userid=234234234234&password=23423423423&destination=AccountSummary&screenid=SIGNON ----------(EOF) It also has some TAN Grabbing Features, Email account theft, and so on. This data will get sent to a remote HTTP host (in this case it appears to be http://european-business-organization.com/chat.php) This is the standard ol' blended threat attacks seen by phishers since '03. They used the WMF exploit because it's available to them, but before that they have used hta, chm/adb, and other object/ActiveX exploits to get the user into downloading the payload. This information and type of attack is old school, and no mass-mailing worms or 0day WMF techniques were used. Thanks. -- Best Regards, Lance James Secure Science Corporation www.securescience.net Author of 'Phishing Exposed' http://www.securescience.net/amazon/
Respectfully speaking: There are a few corrections to this that need to be expressed. The language you're using describing it as a mass-mailing worm is coming off confusing to some. The WMF exploit is actually seeded on a website, and the mass-mailing is used to get people to go to that site. Stating that it's a worm is similar to saying that phishing emails and spam are worms. I have seen some actual phishing worms, and this is definitely not it. A correction also needs to be made on this comment "Abusing websites is mostly how WMF is exploited, but no much in the way of emails before today." This is grossly incorrect - here are the dates we started seeing this activity: January 3rd - WMF exploit distributing identified phishing trojan January 9/10th - WMF exploit distributing identified phishing trojan Jan 18th/19th - WMF exploit distributing identified phishing trojan Jan 22nd-25th - WMF exploit distributing identified phishing trojan Jan 24th - WMF exploit distributing identified phishing trojan I can go into February but we get the point. This same phishing group works in regions, so it's not surprising that they are now targeting Australia. They are also targeting Europe as well in February. Summary: WMF Mass-Mailing phishing has not been uncommon, just in small distributions, so it may have not been seen on the radar. Since the public discovery of the WMF exploit, there have been a few mass-mailings taking users to a site that distributed WMF exploits to date.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- First WMF mass mailer ItW (phishing Trojan) Gadi Evron (Feb 16)
- Re: First WMF mass mailer ItW (phishing Trojan) Vulnerability Management (Feb 16)
- Re: First WMF mass mailer ItW (phishing Trojan) Gadi Evron (Feb 16)
- Re: First WMF mass mailer ItW (phishing Trojan) bkfsec (Feb 17)
- Re: First WMF mass mailer ItW (phishing Trojan) Valdis . Kletnieks (Feb 16)
- Re: First WMF mass mailer ItW (phishing Trojan) Gadi Evron (Feb 16)
- Re: First WMF mass mailer ItW (phishing Trojan) Lance James (Feb 17)
- Re: First WMF mass mailer ItW (phishing Trojan) Lance James (Feb 20)
- RE: First WMF mass mailer ItW (phishing Trojan) - think singularities Ken Kousky (Feb 21)
- Re: First WMF mass mailer ItW (phishing Trojan) - think singularities Lance James (Feb 21)
- <Possible follow-ups>
- RE: First WMF mass mailer ItW (phishing Trojan) Gadi Evron (Feb 16)
- Re: First WMF mass mailer ItW (phishing Trojan) Vulnerability Management (Feb 16)