AU-2006.0022 -- AusCERT Update - [Win] - New domain names used by "NAB Bankrupt" trojan

Date: 22 June 2006
References: AL-2006.0049  AU-2006.0019  

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

AusCERT Update AU-2006.0022 - [Win]
New domain names used by "NAB Bankrupt" trojan
22 June 2006

        AusCERT Update Summary
        ----------------------

Operating System:     Windows
Impact:               Execute Arbitrary Code/Commands
Access:               Remote/Unauthenticated

Ref:                  AL-2006.0049
                      AU-2006.0019

Revision History:  June 22 2006: Fixed erroneous domain in mitigation
                                 section - worldbankinginformation,com
                                 should have been worldbankinformation,com
                   June 22 2006: Initial Release

OVERVIEW:

        The recent "National Bank bankrupt?!" trojan [1][2] spam has been
        re-released, this time with a subject of "National Bank Closing
        and Blocking Accounts without a notice!". It also now references
        four new fraudulent domains. The payload itself remains the same.


IMPACT:

        A user visiting the referenced sites may be infected with a
        password stealing trojan known as Haxdoor, as per AL-2006.0049 [1].


MITIGATION:

        Ensure that all systems have the latest patches for both their
        operating system and web browsers.

        System administrators are recommended to look through their proxy
        logs for access to:

            worldbankinformation,com/news,php
            worldbanknews,net/news,php
            worldbanktimes,org/news,php
            theworldnews,org/news,php

        as well as the domains from AL-2006.0049 [1] and AU-2006.0019 [2]:

            cnruggiero,com.au
            totalfontes,net
            powwowtowel,com
            suriko,net
            saltnlight-e,com

        Please note that these domains have been altered to protect against
        accidental clicking. Full-stops (.) have been replaced with commas
        (,).

        These new domains began appearing early Tuesday the 20th of June.
        At the time of writing, all malicious sites above except
        worldbanknews,net have been disabled.

        Otherwise, mitigation as per AL-2006.0049 [1].
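        As an added example (not part of the AusCERT advisory), the script
        below refangs the comma-defanged indicators listed above and scans
        proxy log lines for them. It assumes Squid's native access.log layout
        (client IP in the third field, URL in the seventh) and uses constructed
        sample lines; adjust the field indices for other proxies. It matches on
        the parsed hostname rather than a raw substring, so an unrelated domain
        that merely contains one of the names is not flagged.

```python
from urllib.parse import urlsplit

# Defanged indicators exactly as the advisory lists them ('.' swapped for ',').
DEFANGED_INDICATORS = [
    "worldbankinformation,com/news,php",
    "worldbanknews,net/news,php",
    "worldbanktimes,org/news,php",
    "theworldnews,org/news,php",
    "cnruggiero,com.au",
    "totalfontes,net",
    "powwowtowel,com",
    "suriko,net",
    "saltnlight-e,com",
]


def refang(indicator: str) -> str:
    """Restore the real name: the advisory replaced full stops with commas."""
    return indicator.replace(",", ".")


def indicator_hosts(indicators) -> set:
    """Hostnames to watch for; the path is dropped so any URL on the host matches."""
    return {refang(ind).split("/", 1)[0].lower() for ind in indicators}


def host_of(url: str) -> str:
    """Hostname of a proxy-logged URL, tolerating a missing scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def host_matches(host: str, watch: set) -> bool:
    """True for an exact watched host or any subdomain of one."""
    return any(host == w or host.endswith("." + w) for w in watch)


# Constructed sample lines in Squid native access.log format (assumption:
# timestamp, elapsed, client, code/status, bytes, method, URL, ident, peer, type).
SAMPLE_LOG = """\
1150790401.123    312 10.1.2.3 TCP_MISS/200 4521 GET http://www.example.com/index.html - DIRECT/192.0.2.10 text/html
1150790402.456    198 10.1.2.7 TCP_MISS/200 11032 GET http://worldbanknews.net/news.php?id=17 - DIRECT/192.0.2.20 text/html
1150790403.789    120 10.1.2.9 TCP_MISS/404 330 GET http://www.worldbanktimes.org/images/logo.gif - DIRECT/192.0.2.21 image/gif
1150790404.012     90 10.1.2.11 TCP_HIT/200 820 GET http://notworldbanknews.net/ - NONE/- text/html
"""


def scan_proxy_log(log_text: str, indicators=DEFANGED_INDICATORS):
    """Return (client_ip, host, url) for every line that touched a watched host."""
    watch = indicator_hosts(indicators)
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed or truncated line; skip rather than guess
        client_ip, url = fields[2], fields[6]
        host = host_of(url)
        if host_matches(host, watch):
            hits.append((client_ip, host, url))
    return hits


if __name__ == "__main__":
    for client, host, url in scan_proxy_log(SAMPLE_LOG):
        print(f"{client} -> {host}  {url}")
```

        Of the four sample lines, only the second and third are reported: the
        fourth line's host contains one of the names as a substring but is not
        the domain itself or a subdomain of it, which is the case a plain grep
        for the name would get wrong.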


DETAILS:

        The trojan email has a subject line of:

            National Bank Closing and Blocking Accounts without a notice!

        The body appears as below. Note that the URL changes between
        messages to one of the domains listed above.

            Recently many accounts have been reported closed without even
            a notice from the bank officials! Mostly it’s
            business accounts but regular checkings are also in trouble.  
  
            Latest Bank’s Report showed much lower profit than
            expected and their stocks hit lows for the last 5 years! But
            can it be really a reason for breaking relations with
            entrepreneurs?

            The list of customers affected and their stories could be
            found here: [URL]

            Also there is a report form to fill if you have the same
            issue.  
  
            Well, my account is fine and customer service representative
            refused to comment on these stories. Hope your savings are
            also safe...


REFERENCES:

        [1] AusCERT Alert AL-2006.0049
            http://www.auscert.org.au/6398

        [2] AusCERT Update AU-2006.0019
            http://www.auscert.org.au/6411

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBRJodHih9+71yA2DNAQJPEgP/YW8Hq6f4pUL/TStNqoonolq1Ra0ehMrL
CoNbLDXqMIQFP3zpt8yDmeBmKiw2BHrGcdoTeXGYq4OibjvVvPHhHfHMi9IflMvJ
581ObDLSGB3Nf657ZLcKTP18or/9sPi86eUmSBsB+xZuUmeUPWC1mYYOnGqtl9/Z
ajrss8zl61s=
=DnjD
-----END PGP SIGNATURE-----