AL-2006.0049 -- [Win] -- Malicious "National Bank bankrupt" email links to sites targeting multiple web browsers

Date: 02 August 2006
Original URL: http://www.auscert.org.au/render.html?cid=2998&it=6398
References: AU-2006.0022 AU-2006.0019
===========================================================================
A U S C E R T A L E R T
AL-2006.0049 -- AUSCERT ALERT
[Win]
Malicious "National Bank bankrupt" email links to sites
targeting multiple web browsers
15 June 2006
===========================================================================
AusCERT Alert Summary
---------------------
Operating System: Windows
Impact: Execute Arbitrary Code/Commands
        Access Confidential Data
Access: Remote/Unauthenticated
OVERVIEW:
A new malicious email with subject line "National Bank goes bankrupt?!"
is currently in circulation, offering a link to a web page for
further information. Any users visiting this web page will be targeted
with exploits for both Internet Explorer and Firefox, in order to
automatically install trojan software on the user's computer.
As with previous malicious sites, simply visiting the page with a
vulnerable web browser is sufficient to infect the computer.
IMPACT:
The malware installed is a Haxdoor variant that is currently
not detected by most antivirus products.
This trojan is expected to steal personal data and in particular
online banking passwords.
MITIGATION:
Users should always avoid clicking on any links in emails, unless
the email was already expected.
Many current email viewers have stricter policies on web access than
web browsers, and enticing users to follow a link outside an email
and onto the web through a browser is a common way for attackers to
install malicious code onto a machine. [2, 3, 4]
System administrators may consider configuring web proxy servers or
firewalls to block HTTP connections to the sites listed below and to
files named "ie0606.cgi" or scripts with parameters such as:
exploit=MS03-11
exploit=MS04-013
exploit=MS05-002
exploit=MS05-054
exploit=MS06-006
exploit=MSFA2005-50
exploit=0day
Checking proxy logs for those URLs will also help in revealing which
client computers may have been affected.
Email that matches the description below can also be blocked at
the gateway.
DETAILS:
The malicious email is plain text with the following content:
Subject: National Bank goes bankrupt?!
with body text:
People starting panic withdrawals, some of the accounts were reported
closed due to technical reasons, many ATMs are not operating.
Does it seem that one of the Australia's greatest goes bankrupt?
The full story could be found here: http://[MALICIOUS DOMAIN]/news.php
Well, hope that isn't true... Anyway You'd rather check your balance...
The URLs observed so far hosting the malicious page are as follows:
h**p://www,suriko,net/news.php (now down)
h**p://www,saltnlight-e,com/news.php (active)
The final trojan is downloaded from domain www,powwowtowel,com.
(Here URLs have been modified such that 'http' becomes 'h**p' and
all periods within a URL have been replaced with commas.)
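Implementing the proxy-log check described under MITIGATION, as an added example that is not part of the AusCERT alert: it scans Squid-style access.log lines (format assumed) for the hosts listed above, the "ie0606.cgi" filename and the exploit= parameter values, and reports which client addresses hit them. The log lines and the 203.0.113.x server addresses are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicators taken from the alert (domains re-fanged from the h**p/comma notation).
BLOCKED_HOSTS = {"www.suriko.net", "www.saltnlight-e.com", "www.powwowtowel.com"}
EXPLOIT_FILE = "ie0606.cgi"
EXPLOIT_PARAMS = {"MS03-11", "MS04-013", "MS05-002", "MS05-054",
                  "MS06-006", "MSFA2005-50", "0day"}

# Assumed Squid native log layout: time elapsed client code/status bytes method URL ...
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)")

def classify(url):
    """Return the indicator a requested URL matches, or None if it is clean."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if host in BLOCKED_HOSTS:
        return "host:" + host
    if parts.path.rsplit("/", 1)[-1] == EXPLOIT_FILE:
        return "file:" + EXPLOIT_FILE
    for value in parse_qs(parts.query).get("exploit", []):
        if value in EXPLOIT_PARAMS:
            return "param:exploit=" + value
    return None

def scan_proxy_log(lines):
    """Map each client address to the indicators it requested, in the order seen."""
    hits = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing
        tag = classify(m.group("url"))
        if tag:
            hits.setdefault(m.group("client"), []).append(tag)
    return hits

# Constructed sample log: one client follows the lure page, the exploit script and the
# trojan download; a second client only browses an unrelated site.
SAMPLE_LOG = """\
1150350001.123    215 10.0.0.12 TCP_MISS/200 5123 GET http://www.saltnlight-e.com/news.php - DIRECT/203.0.113.5 text/html
1150350002.456    180 10.0.0.12 TCP_MISS/200 2048 GET http://203.0.113.5/ie0606.cgi?exploit=MS06-006 - DIRECT/203.0.113.5 text/html
1150350003.789     90 10.0.0.12 TCP_MISS/200 40960 GET http://www.powwowtowel.com/x.exe - DIRECT/203.0.113.7 application/octet-stream
1150350004.000     50 10.0.0.77 TCP_HIT/200 1500 GET http://www.example.com/index.html - NONE/- text/html
"""

if __name__ == "__main__":
    for client, tags in scan_proxy_log(SAMPLE_LOG.splitlines()).items():
        print(client, tags)
```

Clients that appear in the output are candidates for the file-level checks listed below; a match on the news.php lure alone does not prove the exploit succeeded.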
On infected computers the following files are created and most of these
are then hidden by the trojan:
C:\WINDOWS\system32\klo5.sys (visible)
C:\WINDOWS\system32\pptp16.dll
C:\WINDOWS\system32\qz.dll
C:\WINDOWS\system32\pptp24.sys
C:\WINDOWS\system32\qz.sys
C:\WINDOWS\system32\ms87.dat
C:\WINDOWS\system32\config\SSL
C:\WINDOWS\Temp\01083070
%userprofile%\local settings\Temp\01083070
REFERENCES:
[1] Protecting Your Computer from Malicious Code
http://www.auscert.org.au/3352
[2] AusCERT Alert AL-2006.0040 - Yahoo Greeting Card trojan targets multiple web browsers
http://www.auscert.org.au/6028
[3] AusCERT Alert AL-2006.0013 - Valentine's Day 'eCard' trojan
http://www.auscert.org.au/6028
[4] AusCERT Alert AL-2006.0022 - 'Online Greeting Card' trojan
http://www.auscert.org.au/6195
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================