
AL-2006.0049 -- [Win] -- Malicious "National Bank bankrupt" email links to sites targeting multiple web browsers

Date: 02 August 2006
References: AU-2006.0019  AU-2006.0022  


A  U  S  C  E  R  T                                           A  L  E  R  T

                       AL-2006.0049 -- AUSCERT ALERT
          Malicious "National Bank bankrupt" email links to sites
                      targeting multiple web browsers
                               15 June 2006


        AusCERT Alert Summary

Operating System:     Windows
Impact:               Execute Arbitrary Code/Commands
                      Access Confidential Data
Access:               Remote/Unauthenticated


	A new malicious email with subject line "National Bank goes bankrupt?!"
	is currently in circulation, offering a link to a web page for 
	further information. Any users visiting this web page will be targeted
	with exploits for both Internet Explorer and Firefox, in order to 
	automatically install trojan software on the user's computer.
	As with previous malicious sites, simply visiting the page with a 
	vulnerable web browser is sufficient to infect the computer.


	The malware installed is a Haxdoor variant that is currently 
	not detected by most antivirus products.
	This trojan is expected to steal personal data and in particular 
	online banking passwords.


	Users should always avoid clicking on any links in emails, unless 
	the email was already expected.

	Many current email viewers have stricter policies on web access than 
	web browsers, and enticing users to follow a link outside an email 
	and onto the web through a browser is a common way for attackers to 
	install malicious code onto a machine. [2, 3, 4]

	System administrators may consider configuring web proxy servers or 
	firewalls to block HTTP connections to the sites listed below and to
	files named "ie0606.cgi" or scripts with parameters such as:


	Checking proxy logs for those URLs will also help in revealing which 
	client computers may have been affected.

	Email that matches the description below can also be blocked at
	the gateway.


	The malicious email is plain text with the following content:

	    Subject: National Bank goes bankrupt?!

	with body text:

	    People starting panic withdrawals, some of the accounts were reported 
	    closed due to technical reasons, many ATMs are not operating. 
	    Does it seem that one of the Australia's greatest goes bankrupt? 
	    The full story could be found here: http://[MALICIOUS DOMAIN]/news.php
	    Well, hope that isn't true... Anyway You'd rather check your balance...

	The URLs observed so far hosting the malicious page are as follows:

	    h**p://www,suriko,net/news.php        (now down)
	    h**p://www,saltnlight-e,com/news.php  (active)
	    The final trojan is downloaded from domain www,powwowtowel,com.

	(Here URLs have been modified such that 'http' becomes 'h**p' and 
	 all periods within a URL have been replaced with commas.) 

	On infected computers the following files are created and most of these
	are then hidden by the trojan:

	    C:\WINDOWS\system32\klo5.sys (visible)

	    %userprofile%\local settings\Temp\01083070
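	The indicators above can be turned directly into the proxy-log review and mail-gateway
	check the alert recommends. The following is an added example, not part of the AusCERT
	alert: it refangs the listed URLs, scans constructed Squid-style access.log lines for the
	malicious hosts and the "ie0606.cgi" filename, and reports which client addresses fetched
	them. The log lines and client addresses are constructed sample data.

```python
from urllib.parse import urlsplit

# Indicators taken from the alert above, refanged (',' -> '.', 'h**p' -> 'http').
MALICIOUS_HOSTS = {"www.suriko.net", "www.saltnlight-e.com", "www.powwowtowel.com"}
MALICIOUS_FILENAME = "ie0606.cgi"
MALICIOUS_SUBJECT = "National Bank goes bankrupt?!"

def refang(url):
    """Reverse the alert's defanging so indicators compare equal to real log URLs."""
    return url.replace("h**p://", "http://").replace(",", ".")

def url_matches(url):
    """Return a short reason if the URL hits an indicator, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in MALICIOUS_HOSTS:
        return f"host {host}"
    # The CGI name is matched on the path only, so any host serving it is caught.
    if parts.path.lower().endswith("/" + MALICIOUS_FILENAME):
        return f"file {MALICIOUS_FILENAME}"
    return None

# Constructed sample in Squid native access.log format:
# time elapsed client action/code size method URL ident hierarchy/from type
SAMPLE_PROXY_LOG = """\
1154476801.123  245 10.0.0.17 TCP_MISS/200 5123 GET http://www.example.org/index.html - DIRECT/192.0.2.10 text/html
1154476802.456  310 10.0.0.23 TCP_MISS/200 2048 GET http://www.saltnlight-e.com/news.php - DIRECT/198.51.100.7 text/html
1154476803.789  120 10.0.0.23 TCP_MISS/200  900 GET http://203.0.113.5/cgi-bin/ie0606.cgi?x=1 - DIRECT/203.0.113.5 text/html
1154476804.012   80 10.0.0.42 TCP_HIT/200  4000 GET http://www.example.com/ - NONE/- text/html
"""

def scan_proxy_log(text):
    """Return (client_ip, url, reason) for every log line whose URL hits an indicator."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:          # skip truncated or malformed lines
            continue
        client, url = fields[2], fields[6]
        reason = url_matches(url)
        if reason:
            hits.append((client, url, reason))
    return hits

def affected_clients(text):
    """Distinct client addresses that fetched an indicator URL (candidates for cleanup)."""
    return sorted({client for client, _, _ in scan_proxy_log(text)})

def subject_matches(header_value):
    """Gateway rule for the observed subject line, ignoring case and surrounding whitespace."""
    return header_value.strip().lower() == MALICIOUS_SUBJECT.lower()
```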


	[1] Protecting Your Computer from Malicious Code

	[2] AusCERT Alert AL-2006.0040 - Yahoo Greeting Card trojan targets multiple web browsers

	[3] AusCERT Alert AL-2006.0013 - Valentine's Day 'eCard' trojan

	[4] AusCERT Alert AL-2006.0022 - 'Online Greeting Card' trojan

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email:
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.