Security Incidents mailing list archives

Re: E-Card Remote Code Execution Scam


From: Jeff Jirsa <jeff () unixconsults com>
Date: Sat, 28 Sep 2002 18:10:33 -0700 (PDT)

On Sat, 28 Sep 2002, Jonathan A. Zdziarski wrote:

> This seems an awful lot to me like a Remote Code Execution Scam...
>
> I received an email addressed to "Undisclosed Recipients" notifying me
> that I received an E-Card today, so I went to the site
> http://www.surprisecards.net/viewcard.htm?id_num=[Undisclosed]&card=Pick+up
> to view the card.  Oddly, I received a security warning asking me if
> I wanted to allow some code to run on my machine.  Noticing the odd
> choice of form variables as opposed to other e-card sites (not to
> mention the fact that I could type in any number and get the same
> screen), and with an eyebrow now raised I went to the main website
> http://www.surprisecards.net to find "Welcome to the future home of
> richardoliver.web.aplus.net".  So I figure, if there's no way to send a
> card from this website then chances are nobody sent me a valid card.
>
> I took a look at the Thawte certificate for the card viewer "code" and
> got www.cytron.com, some no-name development website with nothing more
> than a phone number.
>
> At the moment I'm not in front of any sacrificial machine to test the
> card out on, but I suspect this email is being mailed out as a scam in
> an attempt to run arbitrary code on the user's machine using a valid
> Thawte certificate.  What the code does when it loads I've no idea as
> I'm not dumb enough to try it on my home machine.


Perhaps someone in front of some extra hardware can take this and roll
with it.

The source of the page contains an object tag:

codebase="e-card_viewer.cab#version=1,0,0,1"

Obtaining that file and running strings reveals the following of interest:

1) There are numerous references to both thawte and verisign certificates
2) There is a reference to potd.dll
3) There are references to "Cytron"

A google search for "potd.dll" returns the following page:

http://and.doxdesk.com/parasite/Cytron.html

From that page:

Description
Cytron is an Internet Explorer Browser Helper Object. It scans the content
of pages being viewed for keywords and opens pop-up advertising when they
are detected.

Also known as
POTD, after the filename and BHO name; Burnaby, the internal object name;
TargetingSource, the name used to describe the control in Downloaded
Program Files.

Distribution
Installed by ActiveX drive-by download on a page pointed to by mail
claiming you have received an 'e-card'. The ActiveX control purports to be
a viewer for e-cards.

There you have it, adware.

- Jeff

 --

Jeff Jirsa
jeff () unixconsults com
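The triage Jeff describes (pull the <object> tag out of the page, note the .cab it points at, run strings over the cabinet and look for tell-tale names) is easy to script. The following is an added example written for this archive page; it is not code from either poster. The HTML and the cabinet bytes are constructed stand-ins that echo the tag and the strings quoted in the message (e-card_viewer.cab, potd.dll, Cytron, thawte, verisign); they are not the real viewcard.htm or the real cabinet, and the keyword list is an assumption based only on what the message reports.

```python
import re
from html.parser import HTMLParser


class ObjectTagScanner(HTMLParser):
    """Collect the attributes of every <object> tag in a page."""

    def __init__(self):
        super().__init__()
        self.objects = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "object":
            # attrs is a list of (name, value); value is None for bare attributes
            self.objects.append({k.lower(): v for k, v in attrs if v is not None})


def find_cab_downloads(html):
    """Return one record per <object> whose codebase points at a .cab file.

    IE fetches the cabinet named in codebase, so codebase="x.cab#version=..."
    is the drive-by download itself; the part after '#version=' is the
    version IE compares against any already-installed copy.
    """
    parser = ObjectTagScanner()
    parser.feed(html)
    found = []
    for attrs in parser.objects:
        codebase = attrs.get("codebase", "")
        path, _, version = codebase.partition("#version=")
        if path.lower().endswith(".cab"):
            found.append({
                "codebase": path,
                "version": version or None,
                "classid": attrs.get("classid"),  # None if the tag has no classid
            })
    return found


def strings(data, min_len=4):
    """Minimal strings(1): runs of at least min_len printable ASCII bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


# Assumed indicator list, taken only from what the message says strings showed.
IOC_KEYWORDS = ("potd.dll", "cytron", "thawte", "verisign")


def triage(data, keywords=IOC_KEYWORDS):
    """Map each keyword to the printable strings in data that contain it."""
    hits = {}
    for s in strings(data):
        lowered = s.lower()
        for kw in keywords:
            if kw in lowered:
                hits.setdefault(kw, []).append(s)
    return hits


# Constructed page modelled on the tag quoted in the message; not the real viewcard.htm.
SAMPLE_HTML = """
<html><body>
<object codebase="e-card_viewer.cab#version=1,0,0,1" width="1" height="1"></object>
<object data="banner.gif" type="image/gif"></object>
</body></html>
"""

# Constructed byte blob standing in for the cabinet; not a real archive.
SAMPLE_CAB_BYTES = (
    b"MSCF" + b"\x00" * 12          # cabinet magic plus padding
    + b"\x01\x02\x7f\x80\x03"       # non-printable filler
    + b"Cytron\x00"
    + b"\x05\xff\x10"
    + b"POTD.DLL\x00"
    + b"Thawte\x00"
    + b"\x9a\x9b"
    + b"VeriSign\x00"
    + b"ab\x00"                     # too short to be reported as a string
)

if __name__ == "__main__":
    for rec in find_cab_downloads(SAMPLE_HTML):
        print("drive-by cab:", rec)
    for kw, matches in sorted(triage(SAMPLE_CAB_BYTES).items()):
        print(f"{kw}: {matches}")
```

Against a real page, read the HTML and the downloaded cabinet from disk on an isolated machine and feed them to find_cab_downloads() and triage() in place of the constructed samples; the cabinet should be extracted (cabextract or expand) and the same string scan run over the contained files, since the cabinet container itself may be compressed.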


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

