AL-2006.0049 -- [Win] -- Malicious "National Bank bankrupt" email links to sites targeting multiple web browsers
Date: 02 August 2006
References:
AU-2006.0022
AU-2006.0019
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                     A U S C E R T   A L E R T

                    AL-2006.0049 -- AUSCERT ALERT
                                [Win]
     Malicious "National Bank bankrupt" email links to sites targeting
                         multiple web browsers
                             15 June 2006
===========================================================================

AusCERT Alert Summary
---------------------

Operating System:  Windows
Impact:            Execute Arbitrary Code/Commands
                   Access Confidential Data
Access:            Remote/Unauthenticated

OVERVIEW:

A new malicious email with subject line "National Bank goes bankrupt?!" is
currently in circulation, offering a link to a web page for further
information. Any users visiting this web page will be targeted with
exploits for both Internet Explorer and Firefox, in order to automatically
install trojan software on the user's computer. As with previous malicious
sites, simply visiting the page with a vulnerable web browser is sufficient
to infect the computer.

IMPACT:

The malware installed is a Haxdoor variant that is currently not detected
by most antivirus products. This trojan is expected to steal personal data
and in particular online banking passwords.

MITIGATION:

Users should always avoid clicking on any links in emails, unless the email
was already expected. Many current email viewers have stricter policies on
web access than web browsers, and enticing users to follow a link outside
an email and onto the web through a browser is a common way for attackers
to install malicious code onto a machine. [2, 3, 4]

System administrators may consider configuring web proxy servers or
firewalls to block HTTP connections to the sites listed below and to files
named "ie0606.cgi" or scripts with parameters such as:

    exploit=MS03-11
    exploit=MS04-013
    exploit=MS05-002
    exploit=MS05-054
    exploit=MS06-006
    exploit=MSFA2005-50
    exploit=0day

Checking proxy logs for those URLs will also help in revealing which client
computers may have been affected.
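The proxy-log check described above, as an added example that is not part of the original alert: it scans Squid-style access.log lines (the field layout and the sample lines are assumptions constructed here) for the hosting domains, the "ie0606.cgi" script name and the exploit= parameters listed in this alert, and reports which client addresses touched them.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicators taken from the alert. The hosting domains are written here with
# the alert's "comma for period" obfuscation undone.
MALICIOUS_HOSTS = {"www.suriko.net", "www.saltnlight-e.com", "www.powwowtowel.com"}
EXPLOIT_SCRIPT = "ie0606.cgi"
EXPLOIT_PARAMS = {"MS03-11", "MS04-013", "MS05-002", "MS05-054",
                  "MS06-006", "MSFA2005-50", "0day"}

# Assumed Squid native access.log layout:
# <timestamp> <elapsed> <client> <code/status> <bytes> <method> <url> ...
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)")

def classify_url(url):
    """Return every alert indicator the URL matches (host, script, parameter)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    tags = []
    if host in MALICIOUS_HOSTS:
        tags.append("host:" + host)
    if parts.path.lower().endswith("/" + EXPLOIT_SCRIPT):
        tags.append("script:" + EXPLOIT_SCRIPT)
    # parse_qs handles repeated parameters; check each value against the list.
    for value in parse_qs(parts.query).get("exploit", []):
        if value in EXPLOIT_PARAMS:
            tags.append("param:exploit=" + value)
    return tags

def find_affected_clients(log_lines):
    """Map each client address to the indicators it matched, in order seen."""
    hits = {}
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate unparseable lines instead of aborting the sweep
        for tag in classify_url(m.group("url")):
            hits.setdefault(m.group("client"), []).append(tag)
    return hits

# Constructed sample lines (not real traffic) so the script runs stand-alone.
SAMPLE_LOG = [
    "1150000001.123 210 10.1.2.3 TCP_MISS/200 5120 GET http://www.saltnlight-e.com/news.php - DIRECT/192.0.2.10 text/html",
    "1150000002.456 180 10.1.2.3 TCP_MISS/200 9000 GET http://www.saltnlight-e.com/ie0606.cgi?exploit=MS06-006 - DIRECT/192.0.2.10 text/html",
    "1150000003.789 95 10.1.2.4 TCP_HIT/200 2048 GET http://www.example.com/index.html - NONE/- text/html",
    "1150000004.012 300 10.1.2.5 TCP_MISS/200 70000 GET http://203.0.113.7/cgi-bin/ie0606.cgi?exploit=0day - DIRECT/203.0.113.7 application/octet-stream",
    "garbage line that does not match the log format",
]

if __name__ == "__main__":
    for client, tags in find_affected_clients(SAMPLE_LOG).items():
        print(client, tags)
```

Matching on the script name and exploit= parameter, not only on the hostnames, is what catches the fourth sample line, where the same kit is served from an address the alert does not list.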
Email that matches the description below can also be blocked at the
gateway.

DETAILS:

The malicious email is plain text with the following content:

    Subject: National Bank goes bankrupt?!

with body text:

    People starting panic withdrawals, some of the accounts were reported
    closed due to technical reasons, many ATMs are not operating. Does it
    seem that one of the Australia's greatest goes bankrupt?
    The full story could be found here:
    http://[MALICIOUS DOMAIN]/news.php
    Well, hope that isn't true... Anyway You'd rather check your balance...

The URLs observed so far hosting the malicious page are as follows:

    h**p://www,suriko,net/news.php           (now down)
    h**p://www,saltnlight-e,com/news.php     (active)

The final trojan is downloaded from domain www,powwowtowel,com.

(Here URLs have been modified such that 'http' becomes 'h**p' and all
periods within a URL have been replaced with commas.)

On infected computers the following files are created and most of these
are then hidden by the trojan:

    C:\WINDOWS\system32\klo5.sys (visible)
    C:\WINDOWS\system32\pptp16.dll
    C:\WINDOWS\system32\qz.dll
    C:\WINDOWS\system32\pptp24.sys
    C:\WINDOWS\system32\qz.sys
    C:\WINDOWS\system32\ms87.dat
    C:\WINDOWS\system32\config\SSL
    C:\WINDOWS\Temp\01083070
    %userprofile%\local settings\Temp\01083070

REFERENCES:

[1] Protecting Your Computer from Malicious Code
    http://www.auscert.org.au/3352

[2] AusCERT Alert AL-2006.0040 - Yahoo Greeting Card trojan targets
    multiple web browsers
    http://www.auscert.org.au/6028

[3] AusCERT Alert AL-2006.0013 - Valentine's Day 'eCard' trojan
    http://www.auscert.org.au/6028

[4] AusCERT Alert AL-2006.0022 - 'Online Greeting Card' trojan
    http://www.auscert.org.au/6195

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

If you believe that your computer system has been compromised or attacked
in any way, we encourage you to let us know by completing the secure
National IT Incident Reporting Form at:

    http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================