Date: 11 August 2006
===========================================================================
A U S C E R T A L E R T
AL-2006.0068 -- AUSCERT ALERT
[Win]
Greeting card trojan contains Haxdoor credential-stealing malware
11 August 2006
===========================================================================
OVERVIEW:
AusCERT has received reports over the last two days of a series of
"greeting card" trojan emails which attempt to lure users into
installing a Haxdoor credential-stealing trojan.
The emails ask the user to click a link to view a greeting card. The
web site at the link instructs the user to install a "software upgrade"
to view the card which is, in fact, malicious.
IMPACT:
This trojan logs personal data and in particular online banking
credentials.
AusCERT has published previous bulletins about other Haxdoor variants
which may be of interest [1] [2] [3].
MITIGATION:
Users should always avoid clicking on links in emails unless the
email was expected.
'eCards' and 'ePostcards' should always be treated with suspicion,
especially if they appear to be from someone you do not know. Even in
the case of eCard messages that appear to be from someone you do know,
you should always verify with that person that it is actually from them.
System administrators may consider monitoring their proxy logs for
access to the following URLs, or blocking access completely:
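As an added example (not AusCERT's code) of the proxy-log check suggested above: a Python scanner that matches Squid-format access log lines against a blocklist of host-plus-path prefixes, so an entry such as host/images/ flags only that directory while a bare host entry flags every request to the site. The hostnames, client addresses and log lines below are constructed placeholders, not the URLs from this alert.

```python
import re
from urllib.parse import urlsplit

# Squid native access.log layout (whitespace separated):
# time elapsed client action/status bytes method URL ident hierarchy/peer type
SQUID_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<status>\S+)\s+"
    r"(?P<size>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

def normalise(url):
    """Return (host, path), lower-cased, with the path always ending in '/'."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    path = (parts.path or "/").lower()
    return host, path if path.endswith("/") else path + "/"

def build_blocklist(entries):
    """Entries are written as 'host/' or 'host/path/' (as in an advisory list)."""
    return [normalise(e) for e in entries]

def match(url, blocklist):
    """Return the blocklist entry a URL falls under, or None."""
    host, path = normalise(url)
    for b_host, b_path in blocklist:
        if host == b_host and path.startswith(b_path):
            return b_host + b_path
    return None

def scan_proxy_log(lines, blocklist):
    """Yield (client, url, matched_entry) for each log line that hits the list."""
    hits = []
    for line in lines:
        m = SQUID_RE.match(line)
        if m and (hit := match(m.group("url"), blocklist)):
            hits.append((m.group("client"), m.group("url"), hit))
    return hits

# Constructed sample data: placeholder hosts, not the indicators from the alert.
BLOCKLIST = ["ecards-lure.test/", "strand-agency.test/images/"]
LOG = """\
1155270001.123    120 10.0.0.5 TCP_MISS/200 34567 GET http://ecards-lure.test/card.php?id=1 - DIRECT/203.0.113.10 text/html
1155270002.456    300 10.0.0.5 TCP_MISS/200 98765 GET http://strand-agency.test/images/update.exe - DIRECT/203.0.113.11 application/octet-stream
1155270003.789     40 10.0.0.9 TCP_HIT/200 1234 GET http://strand-agency.test/index.html - NONE/- text/html
1155270004.000     50 10.0.0.7 TCP_MISS/200 555 GET http://www.example.test/ - DIRECT/203.0.113.12 text/html
""".splitlines()

if __name__ == "__main__":
    for client, url, entry in scan_proxy_log(LOG, build_blocklist(BLOCKLIST)):
        print(f"{client} requested {url} (matches {entry})")
```

Only the first two sample lines match: the third hits the blocked host but outside the listed /images/ path, which is the distinction between blocking a path and blocking a whole site.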
DETAILS:
Emails received appear as:
Subject: You've got an e-card at "greeting-cards"
Dear recipient !
Sender at 'Nikol' sent you an "e-card"
"Here's the Rub" from 'greeting-cards'.
<a href="[malicious url]">Click_here_to_view_the_"e-card".</a>
This "ecard" will be stored for one week, so
print or save the card as soon as possible.
Hope you enjoy our "e-cards"! Spread the love and send one of our
"e-cards"!
Brought to you by 'greeting cards' - a better way to greet!
REFERENCES:
[1] Media Release - Response to recent media coverage of the A-311
Death (aka: Haxdoor) trojan
https://www.auscert.org.au/6581
[2] Malicious "National Bank bankrupt" email links to sites targeting
multiple web browsers
https://www.auscert.org.au/6581
[3] Order WC2905036 Trojan
https://www.auscert.org.au/6537
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================