Date: 17 May 2007
References: AU-2007.0016
===========================================================================
A U S C E R T A L E R T
AL-2007.0066 -- AUSCERT ALERT
[Win]
"Dell online Store" trojan emails
17 May 2007
===========================================================================
AusCERT Alert Summary
---------------------
Operating System: Windows
Impact: Execute Arbitrary Code/Commands
Access: Remote/Unauthenticated
OVERVIEW:
AusCERT has observed recent email activity containing malicious
links purporting to be from "Dell online Store".
IMPACT:
A user visiting the links contained in these emails is potentially
vulnerable to infection from malicious software. Initial analysis
and similar incidents indicate this is a Trojan designed to steal
online credentials.
MITIGATION:
Users should avoid clicking on any links in email, unless the email
was already expected. Unsolicited e-mail should always be treated
with suspicion. Additional countermeasures for protecting Windows
systems can be found on the AusCERT web site [1].
Block the IP 147,202,42,249 (note: full stops changed to commas) at
your perimeter and block the infection emails (see below for
samples) at mail gateways. Administrators may also wish to examine
logs for connections to this IP, which may indicate infections.
Note that the exploit code on the web pages is encoded JavaScript,
so exploit attempts may not be detected or blocked by IDS systems.
DETAILS:
The text of the "Dell online Store" email is:
--------- SAMPLE EMAIL --------
Subject: Your order #[number] has been accepted for the amount
865.00 AUD
From: Dell online Store <order_[number]@dell.co.uk>
Thank you for shopping with us.
Your order #[number] Canon DF-E037 8.0 MP Digital Camera has been
accepted for the amount 865.00 AUD.
Your card will be charged in that amount.
Thank you for your purchase.
You can check the order in your profile.
hxxp://147,202,42,249/
Thank you.
Dell Online Store.
--------- END SAMPLE ---------
Where [number] is a random 8 digit number, kept consistent for
the entire email.
This IP address has been linked to other recent malware
incidents, such as the "Sexy lady" Trojan:
--------- SAMPLE EMAIL --------
From: Sexy lady <Goldie@lansheng.net>
Subject: Sexy lady looking for some fun in Australia!
Hi, My name is Vicky Hatchetson, I'm just a college girl who just
arrived in Australia and looking for a sex partner. All what I need
is a good man, you must be serious and honest, let me know if you
wish to meet.
You may see my pics at my web page: hxxp://147,202,42,249/
ONLY SERIOUS OFFERS PLEASE.
Kis
--------- END SAMPLE ---------
Please note that URLs have been obfuscated in the above samples.
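As an added example (not part of the AusCERT alert), the detection logic a mail gateway filter or a log reviewer could apply to the two mitigation items above: matching the shape of the "Dell online Store" sample (order number consistent across subject, sender and body, link to the alert IP) and picking out perimeter log lines that record traffic to that IP. The order number, hosts and log format are constructed for illustration.

```python
import re
from typing import Iterable

# Destination named in the alert; the advisory prints it with commas so the
# address cannot be clicked by accident. Restored to dotted form for matching.
ALERT_IP = "147.202.42.249"
ALERT_IP_RE = re.compile(r"(?<![\d.])" + re.escape(ALERT_IP) + r"(?![\d.])")

# Shape of the "Dell online Store" sample: an 8-digit order number that the
# alert says is kept consistent for the entire email.
SUBJECT_RE = re.compile(
    r"^Your order #(\d{8}) has been accepted for the amount \d+\.\d{2} AUD$")
FROM_RE = re.compile(r"order_(\d{8})@dell\.co\.uk")
LINK_RE = re.compile(r"https?://" + re.escape(ALERT_IP) + r"/")


def classify_email(headers: dict, body: str) -> list:
    """Return the names of the alert indicators this message matches."""
    hits = []
    m_subj = SUBJECT_RE.match(headers.get("Subject", "").strip())
    m_from = FROM_RE.search(headers.get("From", ""))
    if m_subj:
        hits.append("subject")
    if m_from:
        hits.append("from")
    if m_subj and m_from and m_subj.group(1) == m_from.group(1):
        hits.append("consistent_order_number")
    if LINK_RE.search(body):
        hits.append("link_to_alert_ip")
    return hits


def find_connections(log_lines: Iterable[str]) -> list:
    """Return perimeter log lines recording traffic to the alert IP."""
    return [line for line in log_lines if ALERT_IP_RE.search(line)]


# Constructed sample data: hypothetical order number, hosts and log format.
SAMPLE_HEADERS = {
    "Subject": "Your order #48213907 has been accepted for the amount 865.00 AUD",
    "From": "Dell online Store <order_48213907@dell.co.uk>",
}
SAMPLE_BODY = ("Thank you for shopping with us. You can check the order in "
               "your profile. http://147.202.42.249/")
SAMPLE_LOG = [
    "2007-05-17 09:41:03 ALLOW TCP 192.0.2.15:3211 -> 147.202.42.249:80",
    "2007-05-17 09:41:05 ALLOW TCP 192.0.2.15:3212 -> 198.51.100.7:443",
    "2007-05-17 09:42:10 ALLOW TCP 192.0.2.22:4410 -> 147.202.42.2:80",
]
```

The "Sexy lady" sample carries no order number, so for it only the link check fires; the log matcher deliberately rejects near-misses such as 147.202.42.2 or a longer address that merely contains the digits.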
REFERENCES:
[1] Protecting your computer from malicious code
http://www.auscert.org.au/3352
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================