AL-2007.0066 -- [Win] -- "Dell online Store" Trojan emails

Date: 17 May 2007
References: AU-2007.0016  

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
A  U  S  C  E  R  T                                           A  L  E  R  T

                       AL-2007.0066 -- AUSCERT ALERT
                                   [Win]
                     "Dell online Store" trojan emails
                                17 May 2007

===========================================================================

        AusCERT Alert Summary
        ---------------------

Operating System:     Windows
Impact:               Execute Arbitrary Code/Commands
Access:               Remote/Unauthenticated

OVERVIEW:

        AusCERT has observed recent email activity containing malicious 
        links purporting to be from "Dell online Store".


IMPACT:

        A user visiting the links contained in these emails is potentially 
        vulnerable to infection from malicious software. Initial analysis 
        and similar incidents indicate this is a Trojan designed to steal 
        online credentials.


MITIGATION:

        Users should avoid clicking on any links in email, unless the email 
        was already expected. Unsolicited e-mail should always be treated 
        with suspicion. Additional countermeasures for protecting Windows 
        systems can be found on the AusCERT web site [1].

        Block the IP 147,202,42,249 (note: full stops changed to commas) at 
        your perimeter and block the infection emails (see below for 
        samples) at mail gateways. Administrators may also wish to examine
        proxy and firewall logs for connections to this IP, since such 
        connections may indicate that a host has already been infected.

        Note that the exploit code on the web pages is encoded (obfuscated)
        JavaScript, so exploit attempts may not be detected or blocked by
        signature-based IDS systems.


DETAILS:

        The text of the "Dell online Store" email is:

        --------- SAMPLE EMAIL --------

        Subject: Your order #[number] has been accepted for the amount 
                 865.00 AUD
        From:    Dell online Store <order_[number]@dell.co.uk>

        Thank you for shopping with us.

        Your order #[number] Canon DF-E037 8.0 MP Digital Camera has been 
        accepted for the amount 865.00 AUD.

        Your card will be charged in that amount.

        Thank you for your purchase.


        You can check the order in your profile.
 
        hxxp://147,202,42,249/

        Thank you.
        Dell  Online Store.

        --------- END SAMPLE ---------

        Where [number] is a random 8-digit number, which is the same 
        everywhere it appears in a given email (Subject, From and body).

        This IP address has been linked to other recent malware 
        incidents, such as the "Sexy lady" Trojan:

        --------- SAMPLE EMAIL --------

        From: Sexy lady <Goldie@lansheng.net>
        Subject: Sexy lady looking for some fun in Australia!

        Hi, My name is Vicky Hatchetson, I'm just a college girl who just 
        arrived in Australia and looking for a sex partner. All what I need 
        is a good man, you must be serious and honest, let me know if you 
        wish to meet.

        You may see my pics at my web page: hxxp://147,202,42,249/

        ONLY SERIOUS OFFERS PLEASE.

        Kis

        --------- END SAMPLE ---------

        Please note that URLs have been obfuscated in the above samples.
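        The following is an added example of how the checks recommended 
        under MITIGATION could be automated; it is not part of the AusCERT 
        alert. It searches Squid-format proxy log lines for connections to 
        the advisory's IP (commas restored to full stops) and classifies 
        mail against the two sample emails above. The log lines and 
        messages embedded in the script are constructed for illustration, 
        and the Subject/From patterns assume the real messages carry the 
        sample text on a single header line.

```python
"""Hunt for the AL-2007.0066 indicators in proxy logs and inbound mail.

Added example, not AusCERT code. The IOC below is the advisory's IP with
the advisory's comma obfuscation undone. Sample log lines and messages are
constructed, not captured traffic.
"""
import re
from urllib.parse import urlsplit

MALICIOUS_IP = "147.202.42.249"

# Header patterns derived from the two sample emails in the alert.
# Subject/From are assumed to be single header lines (the alert wraps them
# only for display).
DELL_SUBJECT = re.compile(
    r"^Your order #(\d{8}) has been accepted for the amount\s+865\.00 AUD$")
DELL_FROM = re.compile(r"^Dell online Store <order_(\d{8})@dell\.co\.uk>$")
SEXY_SUBJECT = re.compile(r"^Sexy lady looking for some fun in Australia!$")
# Any hyperlink to the IOC, whichever lure text surrounds it.
LINK_TO_IOC = re.compile(
    r"https?://" + re.escape(MALICIOUS_IP) + r"(?:[/:]|$)", re.IGNORECASE)

# Constructed Squid native access.log lines:
# time elapsed client action/code bytes method url ident hierarchy/peer type
SAMPLE_PROXY_LOG = """\
1179360001.123    245 10.0.0.15 TCP_MISS/200 5123 GET http://147.202.42.249/ - DIRECT/147.202.42.249 text/html
1179360002.456     12 10.0.0.22 TCP_HIT/200 811 GET http://www.example.com/ - NONE/- text/html
1179360003.789    130 10.0.0.15 TCP_MISS/200 9812 GET http://147.202.42.249/pics.html - DIRECT/147.202.42.249 text/html
"""


def find_ioc_connections(log_text):
    """Return (client_ip, url) for every log line that reached the IOC.

    Both the requested URL's host and the hierarchy peer are checked, so a
    request proxied by hostname that resolved to the IOC is still caught.
    """
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 9:
            continue  # not a complete Squid native-format line
        client, url, hierarchy = fields[2], fields[6], fields[8]
        host = urlsplit(url).hostname
        peer = hierarchy.partition("/")[2]
        if host == MALICIOUS_IP or peer == MALICIOUS_IP:
            hits.append((client, url))
    return hits


def classify_email(headers, body):
    """Label a message by the lure it matches, or None if it is clean.

    headers: dict of header name -> value; body: message text.
    """
    subject = headers.get("Subject", "").strip()
    sender = headers.get("From", "").strip()
    m_subj = DELL_SUBJECT.match(subject)
    m_from = DELL_FROM.match(sender)
    if m_subj and m_from:
        # The alert says the 8-digit number is consistent across the
        # email; a mismatch still gets blocked, only the label differs.
        if m_subj.group(1) == m_from.group(1):
            return "dell-online-store"
        return "dell-online-store-variant"
    if SEXY_SUBJECT.match(subject):
        return "sexy-lady"
    if LINK_TO_IOC.search(body):
        return "link-to-ioc"
    return None


# Constructed messages mirroring the alert's samples (random numbers
# replaced with fixed ones); these are not captured emails.
SAMPLE_MESSAGES = [
    ({"Subject": "Your order #12345678 has been accepted for the amount 865.00 AUD",
      "From": "Dell online Store <order_12345678@dell.co.uk>"},
     "Thank you for shopping with us.\nhttp://147.202.42.249/\n"),
    ({"Subject": "Sexy lady looking for some fun in Australia!",
      "From": "Sexy lady <Goldie@lansheng.net>"},
     "You may see my pics at my web page: http://147.202.42.249/\n"),
    ({"Subject": "Lunch on Friday?", "From": "colleague@example.com"},
     "Usual place at 12:30?\n"),
]


def scan_mail(messages):
    """Return [(subject, label)] for every message that should be blocked."""
    return [(h.get("Subject", ""), label)
            for h, body in messages
            if (label := classify_email(h, body)) is not None]


if __name__ == "__main__":
    for client, url in find_ioc_connections(SAMPLE_PROXY_LOG):
        print(f"possible infection: {client} fetched {url}")
    for subject, label in scan_mail(SAMPLE_MESSAGES):
        print(f"block [{label}]: {subject}")
```

        In practice the proxy check would be run over the full retention 
        window, since a host may have fetched the page days before the 
        alert; the mail rules are deliberately narrow (exact lure text plus 
        any link to the IOC) so that they can sit at the gateway without 
        catching legitimate Dell order confirmations.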


REFERENCES:

        [1] Protecting your computer from malicious code
            http://www.auscert.org.au/3352


AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBRkulgih9+71yA2DNAQK7KAQAnPS1HMEaNVCW0+Ux8t9xz6siTMxWIPE1
XzwkZBj0kq4+Vbe4huhMiit9QfL5YyICn7wQzpTU2d8C/hxgdVkwtUZKOEn8+9wh
6eEsY4tnsOIWmPK8blrJsCOLXepq1uGuL1jBNv7GyvvQuoIy6irLMV/bQz6RZgi/
y55PZOSJ2MQ=
=DHf4
-----END PGP SIGNATURE-----