Security Incidents mailing list archives

Re: [Fwd: Re: AIM Password theft]


From: Mark Coleman <markc () uniontown com>
Date: Tue, 23 Sep 2003 15:27:41 -0400

This issue has been confirmed via a telephone conversation with an anonymous party who saw my email to the list. This was a person involved with one of the systems/services remotely involved, and was very credible and knowledgeable. This appears to be an exploit that is live in the wild.

This is an exploit that apparently abuses an IE vulnerability to pull usernames/passwords from the registry; I guess it then uses the newly obtained buddy list to attempt to "spread" by sending a link to itself to the buddies. Any who click on the link are also "infected" (for lack of a better word).

I haven't visited this MS link yet, but this is a link that supposedly describes the problem according to the tech I spoke with:

http://msdn.microsoft.com/library/default.asp?url=/workshop/author/hta/overview/htaoverview.asp

The exploit itself is not new, but the delivery mechanism to steal an AIM account to deliver the link is (from what I understand).

For the list's reference, the sequence of events I have so far is as follows:

An AIM user received this email message (including headers) to the account registered with their AIM (username hidden):

-----------------(Start Email Message)---------------------------------
Received: from newman-d02.blue.aol.com ([205.188.210.41])
         by sccrmxc13.comcast.net (sccrmxc13) with SMTP
         id <2003xxxxxx854s1300qcljue>; Tue, 23 Sep 2003 13:38:54 +0000
From: AOL Instant Messenger
<changeold_4_85xxxxxxxxxxxxxxxxxxxxxxxxxxx(usernamehidden)@newman.oscar.aol.com>
To: (usernamehidden)
Subject: AIM Address Change
Date: Tue, 23 Sep 2003 09:38:54 EDT
Message-ID: <20030xxxxxxx854.17121.06113570 () newman-d02 aol com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Dear AIM(SM) user,

(usernamehidden) has asked to change the e-mail address for the following screen
name
from (usernamehidden) to dent2aim () yahoo com:


(usernamehidden)

If you DO NOT wish to make this change, PLEASE REPLY to this e-mail
and type 'OK' as the text of your message.  If we receive your reply
within 72 hours the change request will be canceled.

If you want this change to take place, you can ignore this e-mail.
Instead, go to your new e-mail address and confirm the e-mail we are
sending there.  Only reply to this e-mail if you do not want to change
your AOL Instant Messenger e-mail address.

Thank you for using the AOL Instant Messenger(SM) service.
-----------------(End Email Message)------------------------

Being suspicious of this email, he did nothing. At some point during the same morning (this a.m.), this user was also sent a link via AIM, from someone in his buddy list, to visit a web page, www.haxr.org. (It is not known whether this was before or after the above email arrived; I would conclude the email came after this AIM solicitation, as that would make sense for the infection to happen after he visited the URL.)

I believe this user visited the link, but they claim no recollection of it.

Shortly afterwards, all members of this user's buddy list also received solicitations to visit www.haxr.org, and this user's AIM account was compromised and he was locked out. At least one other user visited the site. This second user subsequently had their AIM account locked out, saying it was in use elsewhere. About this time I blocked all access to www.haxr.org. All users who have visited the link appear to have had their AIM accounts compromised, as they are all unable to log in. I have instructed them all to contact the members of their buddy lists and ask them to not visit any sites that get advertised to them.

Viewing the logs in the email server, it appears that the above email was legitimately from AOL, at least from their network. I went ahead and formed a reply to prevent the address/password change from happening, no word yet on the success/failure of the reply.

The second infected user used an option on the AIM website to have their password emailed to them, and surprisingly they received an email response, and their password was the letter "a" followed by several lines of whitespace. This user continues to try to regain control of their AIM account, but they are in a pinch because the AOL system will not allow them to do anything without the password EXCEPT retrieve the password via email, and it's an invalid password in the compromised format of the letter "a" followed by all the whitespace.

The CRCs of the AIM executables are unchanged on the workstation. We watch processes on all machines and check their CRCs, and there have been no additional executables running on the machine and no changes to any existing executables. A sniffer currently sees no additional suspicious traffic to/from this machine. These machines are in the care and control of another department, but I have them checking the registry entries and such; I haven't heard anything yet from them. These machines do pass through my various Intrusion Detection Systems, and they are showing no suspicious traffic whatsoever.

I am in the process of creating a snort rule that will trigger on static portions of the malicious vbs code as my first step, and will be checking the patch level of IE of those workstations from their administrator.

Questions: is it normal practice for AOL to change an email address/password without email confirmation, sending a confirmation only to ABORT the change by replying to an email? Also, can anyone on the list make a suggestion to help mitigate damages, and/or detect other domains/pages from having similar malicious code?

Thanks.. more to come as the answers reveal themselves...

-Mark Coleman

Please note that this is my personal email address; none of the above activities or events occurred on the network or hosts providing service for this email account.


Cullen, Michael wrote:

I did some searching in the registry of Windows XP and 2000 machines with
AIM loaded on it.  They did not have any of the keys indicated in the
'code.txt' file.  This would lead me to think that either:

1. Users would have to have the client version of AOL installed and then
install the AIM client (not sure since I have never had AOL)

2. Maybe this was written for Windows 95/98.


-Michael Cullen

-----Original Message-----
From: Mark Coleman [mailto:markc () uniontown com]
Sent: Tuesday, September 23, 2003 9:43 AM
To: bugtraq () securityfocus org
Subject: [Fwd: Re: AIM Password theft]


Hi, can anyone shed some light on this for me? If this is new, it's going to spread like wildfire. AOL or the incidents lists have yet to reply.... It appears to be a legitimate threat, as I have at least one user "infected" already. Thank you.

-Mark Coleman

--------------

Hi, please find attached the vbs code that appears to be running when visitors hit www.haxr.org.

This reportedly pulls the username/password of AIM accounts from the registry; then something elsewhere gets buddy lists through this password theft and sends links to them via AOL to start the process again.

We've had at least one "infection" if you want to call it that, and a user's AIM account was hijacked and this link sent to all users in his buddy list which then propelled the "infection" as they click the link to www.haxr.org.

Does anyone have any information about this issue? Any help on this would be greatly appreciated. Still chasing it down..

-Mark Coleman



Mark Coleman wrote:

I just started investigating a report that appears to have merit of a
username/password theft of AIM accounts.

Users are being directed to a web page located at www.haxr.org where
the source appears to run a javascript program that is purportedly stealing AIM usernames/passwords/buddy lists.

Does anyone have any information related to www.haxr.org or the
technique being used?
Please be careful when visiting the page, it pulls script off of a yahoo site.

I am finding nothing in any of the initial searches that I am doing.

Any help/insight would be greatly appreciated.

-Mark Coleman
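The thread's two detection ideas, a Snort rule on static portions of the malicious VBS and a way to spot other pages carrying similar code, can be prototyped together. The following is an added example, not code from the thread or from any of its authors: the attached code.txt is not on this page, so the indicator strings, the function names `scan_page` and `snort_rule`, and both sample pages are constructed assumptions. In practice the indicator list should be replaced with literal substrings taken from the captured script.

```python
"""Static-indicator scan for pages resembling the lure described in the thread.

Added example, not code from the thread. The real VBS (code.txt) is not on the
page, so the indicators below are ASSUMED stand-ins for "static portions of the
malicious vbs code"; replace them with substrings of the captured script.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# ASSUMED indicators. Plain substrings on purpose: each maps 1:1 onto a
# Snort "content:" option, so the same list drives both the scanner and the rule.
INDICATORS = {
    "vbscript_block": 'language="vbscript"',           # inline VBScript, which IE runs
    "wscript_shell": 'CreateObject("WScript.Shell")',  # shell object used for registry access
    "registry_read": ".RegRead(",                      # reading stored credentials from the registry
    "hta_application": "<hta:application",             # HTML Application (see the MSDN HTA link)
}

EXTERNAL_SCRIPT = re.compile(r'<script[^>]+src\s*=\s*["\']?([^"\'\s>]+)', re.I)


@dataclass
class Finding:
    url: str
    hits: list            # indicator names found in the page body
    external_hosts: list  # hosts the page loads script from, other than its own

    @property
    def suspicious(self) -> bool:
        # A registry read alone could be legitimate intranet tooling; require it
        # together with either a VBScript block or script pulled from another host
        # (the thread notes the page "pulls script off of a yahoo site").
        return "registry_read" in self.hits and (
            "vbscript_block" in self.hits or bool(self.external_hosts)
        )


def scan_page(url: str, body: str) -> Finding:
    """Case-insensitive substring scan plus third-party script-source extraction."""
    lowered = body.lower()
    hits = [name for name, needle in INDICATORS.items() if needle.lower() in lowered]
    own_host = urlparse(url).hostname
    external = sorted({
        h for h in (urlparse(src).hostname for src in EXTERNAL_SCRIPT.findall(body))
        if h and h != own_host
    })
    return Finding(url, hits, external)


def _snort_escape(s: str) -> str:
    # Snort content strings must escape backslash, double quote and semicolon.
    return s.replace("\\", "\\\\").replace('"', '\\"').replace(";", "\\;")


def snort_rule(sid: int, needles: list, msg: str = "AIM lure VBScript registry read") -> str:
    """Snort 2 rule matching server-to-client HTTP bodies that carry every needle."""
    contents = " ".join(f'content:"{_snort_escape(n)}"; nocase;' for n in needles)
    return (f'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any '
            f'(msg:"{msg}"; flow:established,from_server; {contents} '
            f'classtype:trojan-activity; sid:{sid}; rev:1;)')


# Constructed sample pages (not captured from www.haxr.org; the registry path
# and the second-stage host are placeholders).
LURE_PAGE = """<html><head>
<script language="vbscript">
Set sh = CreateObject("WScript.Shell")
pw = sh.RegRead("HKEY_CURRENT_USER\\Software\\ExampleIM\\password")
</script>
<script src="http://scripts.example.net/stage2.js"></script>
</head><body>check this out :)</body></html>"""

BENIGN_PAGE = """<html><head>
<script src="/js/menu.js"></script>
</head><body>Welcome to our site.</body></html>"""


if __name__ == "__main__":
    for url, body in (("http://www.haxr.org/", LURE_PAGE), ("http://intranet.example/", BENIGN_PAGE)):
        f = scan_page(url, body)
        print(f"{url}: suspicious={f.suspicious} hits={f.hits} external={f.external_hosts}")
    print(snort_rule(1000001, [INDICATORS["registry_read"], INDICATORS["vbscript_block"]]))
```

The scanner deliberately requires the registry read plus a delivery indicator before flagging a page, so an intranet page that reads the registry through a trusted script is not reported; the Snort rule carries the same substrings as `content:` options with `nocase`, which is why the indicators are kept as plain strings rather than regular expressions.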






