Security Incidents mailing list archives
Re: E-Card Remote Code Execution Scam
From: Jeff Jirsa <jeff () unixconsults com>
Date: Sat, 28 Sep 2002 18:10:33 -0700 (PDT)
On Sat, 28 Sep 2002, Jonathan A. Zdziarski wrote:
This seems an awful lot to me like a Remote Code Execution Scam... I received an email addressed to "Undisclosed Recipients" notifying me that I received an E-Card today, so I went to the site http://www.surprisecards.net/viewcard.htm?id_num=[Undisclosed]&card=Pick +up to view the card. Oddly, I received a security warning asking me if I wanted to allow some code to run on my machine. Noticing the odd choice of form variables as opposed to other e-card sites (not to mention the fact that I could type in any number and get the same screen), and with an eyebrow now raised, I went to the main website http://www.surprisecards.net to find "Welcome to the future home of richardoliver.web.aplus.net". So I figure, if there's no way to send a card from this website, then chances are nobody sent me a valid card. I took a look at the Thawte certificate for the card viewer "code" and got www.cytron.com, some no-name development website with nothing more than a phone number. At the moment I'm not in front of any sacrificial machine to test the card out on, but I suspect this email is being mailed out as a scam in an attempt to run arbitrary code on the user's machine using a valid Thawte certificate. What the code does when it loads I've no idea, as I'm not dumb enough to try it on my home machine. Perhaps someone in front of some extra hardware can take this and roll with it.
The source of the page contains an object tag:

codebase="e-card_viewer.cab#version=1,0,0,1"

Obtaining that file and running strings reveals the following of interest:

1) There are numerous references to both thawte and verisign certificates
2) There is a reference to potd.dll
3) There are references to "Cytron"

A google search for "potd.dll" returns the following page:

http://and.doxdesk.com/parasite/Cytron.html
From that page:
Description
Cytron is an Internet Explorer Browser Helper Object. It scans the content of pages being viewed for keywords and opens pop-up advertising when they are detected. Also known as POTD, after the filename and BHO name; Burnaby, the internal object name; TargetingSource, the name used to describe the control in Downloaded Program Files.

Distribution
Installed by ActiveX drive-by download on a page pointed to by mail claiming you have received an 'e-card'. The ActiveX control purports to be a viewer for e-cards.

There you have it, adware.

- Jeff

--
Jeff Jirsa
jeff () unixconsults com

--
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
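The triage Jeff describes (take the .cab named in the object tag's codebase attribute, run strings over it, look for DLL names and certificate vendors) can be done entirely offline, without ever registering or executing the control. The script below is an added example written for this archive page, not code from the thread or from any of the sites it names. It parses the Microsoft Cabinet container format (header, CFFOLDER, CFFILE and CFDATA records, stored folders only), lists the member files, pulls printable strings the way `strings` does, and flags the indicators the thread calls out (potd.dll, thawte, verisign, Cytron). Because e-card_viewer.cab is not reproduced on the page, the cabinet it inspects is constructed inline as a stand-in; its member names and contents are assumptions, as is the codebase string fed to parse_codebase.

```python
"""Offline triage of an ActiveX .cab dropper: list members, extract
strings, flag indicators. Parses stored (uncompressed) folders only."""
import re
import struct
from collections import namedtuple

# Fixed-size CFHEADER of the Microsoft Cabinet format (36 bytes without a reserve area).
CFHEADER = struct.Struct("<4sIIIIIBBHHHHH")
CFHDR_RESERVE_PRESENT = 0x0004
CFFOLDER = struct.Struct("<IHH")         # coffCabStart, cCFData, typeCompress
CFFILE_FIXED = struct.Struct("<IIHHHH")  # cbFile, uoffFolderStart, iFolder, date, time, attribs
CFDATA = struct.Struct("<IHH")           # csum, cbData, cbUncomp

Folder = namedtuple("Folder", "coff_cabstart c_cfdata type_compress")
Member = namedtuple("Member", "name size folder offset")

# Tell-tale strings named in the thread (matched case-insensitively).
INDICATORS = ("potd.dll", "thawte", "verisign", "cytron")


def parse_codebase(codebase):
    """Split an <object codebase="x.cab#version=a,b,c,d"> value into (path, version tuple)."""
    path, _, frag = codebase.partition("#")
    version = None
    if frag.lower().startswith("version="):
        version = tuple(int(v) for v in frag[len("version="):].split(","))
    return path, version


def parse_cab(data):
    """Return (folders, members, cfdata_reserve_len); raises ValueError on malformed input."""
    fields = CFHEADER.unpack_from(data, 0)
    sig, _, cb_cabinet, _, coff_files, _, _, _, c_folders, c_files, flags = fields[:11]
    if sig != b"MSCF":
        raise ValueError("not a cabinet (missing MSCF signature)")
    if cb_cabinet > len(data):
        raise ValueError("cabinet truncated")
    off = CFHEADER.size
    folder_reserve = data_reserve = 0
    if flags & CFHDR_RESERVE_PRESENT:  # optional per-record reserve areas
        cb_header, folder_reserve, data_reserve = struct.unpack_from("<HBB", data, off)
        off += 4 + cb_header
    folders = []
    for _ in range(c_folders):
        folders.append(Folder(*CFFOLDER.unpack_from(data, off)))
        off += CFFOLDER.size + folder_reserve
    members, off = [], coff_files
    for _ in range(c_files):
        size, uoff, ifolder, _, _, _ = CFFILE_FIXED.unpack_from(data, off)
        off += CFFILE_FIXED.size
        end = data.index(b"\x00", off)  # szName is NUL-terminated
        members.append(Member(data[off:end].decode("latin-1"), size, ifolder, uoff))
        off = end + 1
    return folders, members, data_reserve


def folder_bytes(data, folder, data_reserve):
    """Concatenate a folder's CFDATA payloads. Only typeCompress 0 (stored) is
    handled; MSZIP/LZX folders return None rather than being inflated."""
    if folder.type_compress & 0x000F:
        return None
    out, off = bytearray(), folder.coff_cabstart
    for _ in range(folder.c_cfdata):
        _csum, cb_data, _cb_uncomp = CFDATA.unpack_from(data, off)  # checksum not verified
        off += CFDATA.size + data_reserve
        out += data[off:off + cb_data]
        off += cb_data
    return bytes(out)


def printable_strings(blob, min_len=4):
    """Roughly what `strings` prints: runs of printable ASCII of min_len or more."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def triage_cab(data, indicators=INDICATORS):
    """Return ([(name, size, content_or_None)], {indicator: [matching strings]})."""
    folders, members, data_reserve = parse_cab(data)
    hits = {}
    for s in printable_strings(data):  # scan the whole cab, CFFILE names included
        for ind in indicators:
            if ind in s.lower():
                hits.setdefault(ind, []).append(s)
    listing = []
    for m in members:
        blob = folder_bytes(data, folders[m.folder], data_reserve)
        content = blob[m.offset:m.offset + m.size] if blob is not None else None
        listing.append((m.name, m.size, content))
    return listing, hits


def build_sample_cab(members):
    """Constructed stand-in for the dropper: pack (name, bytes) pairs into one stored folder."""
    folder_blob = b"".join(content for _, content in members)
    cffiles, uoff = b"", 0
    for name, content in members:
        # date 0x2D3C is 2002-09-28 in DOS packed form; attribs 0x20 = archive bit
        cffiles += CFFILE_FIXED.pack(len(content), uoff, 0, 0x2D3C, 0, 0x20)
        cffiles += name.encode("ascii") + b"\x00"
        uoff += len(content)
    coff_files = CFHEADER.size + CFFOLDER.size
    coff_cabstart = coff_files + len(cffiles)
    cfdata = CFDATA.pack(0, len(folder_blob), len(folder_blob)) + folder_blob
    header = CFHEADER.pack(b"MSCF", 0, coff_cabstart + len(cfdata), 0, coff_files, 0,
                           3, 1, 1, len(members), 0, 0x1234, 0)
    return header + CFFOLDER.pack(coff_cabstart, 1, 0) + cffiles + cfdata


SAMPLE_MEMBERS = [  # constructed contents, not the real e-card_viewer.cab
    ("e-card_viewer.inf", b"[Version]\r\nSignature=\"$CHICAGO$\"\r\n[Add.Code]\r\npotd.dll=potd.dll\r\n"),
    ("potd.dll", b"MZ\x90\x00" + b"\x00" * 12
                 + b"Cytron POTD TargetingSource\x00Thawte Code Signing CA\x00VeriSign\x00"),
]

if __name__ == "__main__":
    print("codebase:", parse_codebase("e-card_viewer.cab#version=1,0,0,1"))
    listing, hits = triage_cab(build_sample_cab(SAMPLE_MEMBERS))
    for name, size, _ in listing:
        print(f"{name:20s} {size:6d} bytes")
    for ind, matches in hits.items():
        print(f"indicator {ind!r}: {matches}")
```

Point triage_cab at the bytes of a real cabinet to get the same listing and indicator report. Two caveats a practitioner should keep in mind: strings are scanned over the raw cabinet, so anything inside an MSZIP or LZX-compressed folder will not show up until that folder is inflated (the parser reports such members with content None instead of guessing), and a code-signing certificate being "valid" says only who paid the CA, which is exactly the point the thread makes.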
Current thread:
- RE: E-Card Remote Code Execution Scam Jonathan A. Zdziarski (Sep 28)
- RE: E-Card Remote Code Execution Scam Jason Robertson (Sep 29)
- <Possible follow-ups>
- E-Card Remote Code Execution Scam Jonathan A. Zdziarski (Sep 28)
- Re: E-Card Remote Code Execution Scam Jeff Jirsa (Sep 29)
- Re: E-Card Remote Code Execution Scam Axel Pettinger (Sep 29)
- RE: E-Card Remote Code Execution Scam Fulton Preston (Sep 29)
- RE: E-Card Remote Code Execution Scam Jonathan A. Zdziarski (Sep 29)
- RE: E-Card Remote Code Execution Scam Fulton Preston (Sep 29)
- RE: E-Card Remote Code Execution Scam H.Karrenbeld (Sep 29)