SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2005-05-19 InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Phederal Phishing Offenses (FBI and a Census report)

Published: 2005-05-19
Last Updated: 2005-05-20 01:26:53 UTC
by Patrick Nolan (Version: 1)
0 comment(s)
Contributors to the ISC effort have been sending in a load of information on issues affecting their systems and networks.

We have received two reports from contributors to the ISC effort involving US federal agencies being used as the basis for phishing.

"PH"BI (FBI) phishing

One contributor submitted information on a hack involving a PHP flame module that ended in a phishing scam. According to the submission, he was notified that a co-worker "was looking at a notice claiming to be from the FBI that they were monitoring this range of IP addresses for suspicious activity regarding financial transactions", and sure enough, at the end of the phish you were asked "that you re-enter your payment data to help them track the fraudsters." The site was reported to dish up the phish intermittently, "as you could hit reload 10 times before it appears again". According to the contributor, "The correct URL always appeared unchanged in the browser's address bar, but the content I was looking at was nowhere in the actual documentroot directory for that domain." The contributor asked for some assistance, and any contributor who cares to toss out recommendations on security issues related to "any configuration settings that would disallow modules from being loaded" will be thanked, and I'll pass them on to the person who reported this "PH"BI (FBI) phish.

The second report involves the Census Bureau. It describes a complaint that was received where "the email recipient was asked to fill out a survey after which they would be credited $5 to their bank account. At the end of the survey they were asked what bank account they would like the money deposited in." If any of our readers comes into contact with users or customers that have received this phish please email us a copy as an attachment. Thanks!

Mailbag IM attack items and family variant naming contest

A number of the submissions were about IM attack malware resulting from users being socially engineered into downloading and installing malware. There were so many that checking your favorite AV sites a few times daily is a good idea. As noted on Kaspersky's Diary (link below), the variants are coming out pretty often and continue to have a costly impact on networks. The most interesting IM messages that I read included "hey, this your pic" and then "hey, is this your pic on this site." The contributor went on to point out that "These message lines are followed by a URL from a site that hosts a picture rating service. If the user clicks the URL, an application disguised as a server-side PHP script downloads. The application is a variant of the Agobot / SDBOT / GaoBot Trojan Horse, which opens a backdoor on the local machine and connects the user to BOT network."
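The lure described above delivers a Windows executable from a URL that looks like a server-side PHP script. A proxy or sandbox can catch that mismatch by inspecting the response body rather than trusting the URL or Content-Type. This is an added example, not code from the diary or the contributor: it checks for a DOS "MZ" header and follows e_lfanew to the "PE\0\0" signature, and flags the download when the path has a script suffix or the declared type is not a binary one. The PE-shaped sample is constructed here and is not malware.

```python
import struct
from typing import Optional

def pe_reason(body: bytes) -> Optional[str]:
    """Return a description if `body` starts with a DOS/PE executable header, else None."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return None
    # e_lfanew (offset 0x3C) points at the "PE\0\0" signature in a Windows PE file
    (e_lfanew,) = struct.unpack_from("<I", body, 0x3C)
    if e_lfanew + 4 <= len(body) and body[e_lfanew:e_lfanew + 4] == b"PE\0\0":
        return "Windows PE executable"
    return "DOS MZ executable"

SCRIPT_SUFFIXES = (".php", ".asp", ".aspx", ".jsp", ".cgi")

def classify_download(path: str, content_type: str, body: bytes) -> Optional[str]:
    """Flag a response whose URL looks like a server-side script but whose body is an executable."""
    url_path = path.split("?", 1)[0].lower()
    reason = pe_reason(body)
    if reason is None:
        return None
    if url_path.endswith(SCRIPT_SUFFIXES) or not content_type.lower().startswith("application/"):
        return f"{reason} served from {url_path} with Content-Type {content_type!r}"
    return None

# Constructed samples (hypothetical, not real malware): a minimal PE-shaped header
# and a harmless HTML page such as the picture-rating site would normally return.
def fake_pe() -> bytes:
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)    # DOS stub padded to 0x40 bytes
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew -> PE signature right after the stub
    return bytes(hdr) + b"PE\0\0" + b"\0" * 20

HTML_PAGE = b"<html><body>Rate this picture</body></html>"

if __name__ == "__main__":
    print(classify_download("/pics/rate.php?id=12", "text/html", fake_pe()))
    print(classify_download("/pics/rate.php?id=12", "text/html", HTML_PAGE))
```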

Another interesting one was "lmao you dumbass!" (Thanks Ed!). I think both will generate quite a few infections ( ; ^ ). There are already quite a few names for these IM attacks, but there's no family name in popular use yet that I've noticed. Since "spam" is a meat, and led to "spim", and since Oscar is in the name of a relatively famous meat product and is also used in the name of malware directed at AOL IM users (Oscarbot), I was tossing around ideas for a "family" convention for this malware, something along the lines of a name variation of "Oscar Mayer IM" (as in B O L O G N A!), but that doesn't have real cachet. Other ideas for naming this family of IM attacks would be welcome, and I have to warn you that, based on previous submissions to other questions that we have asked, I will not be able to respond to each and every suggestion we'll receive. But I'll try and get the best ones posted into a future Diary.

IMs in Kaspersky's "Analyst's Diary"

New Mytobs, and generic detections at http://www.viruslist.com/en/weblog

More on Social Engineering:

Security Update for MSN Messenger 6.1 or 6.2 (KB890261)
"A security issue has been identified that could allow an attacker to compromise your Windows-based system and gain control over it."

**NOTE** This is NOT the "Apr 12, 2005 Vulnerability in MSN Messenger Could Lead to Remote Code Execution (896597): MS05-022 Affected Software: MSN Messenger 6"

An additional note of clarification on another MS patch: we have been advised that "The issue described in Microsoft's Security Advisory (899480) is related to a Windows TCP/IP implementation flaw http://www.frsirt.com/english/advisories/2005/0567 and NOT the IPv6 flaw which remains unpatched. See http://www.frsirt.com/english/advisories/2005/0559 "
Thanks Gilles!

I've included the link below for a number of reasons, principally because it's a stellar example of comprehensive information on what the malware does; it lets you consider where you can implement the detect/protect/response options most suitable for your environment. Getting your own "team" to consider implementing the options is always another story. IMHO there are only a few vendors that publish analysis this good, and I'd just like to thank the people at F-Secure and the other few that do this for setting such a high standard.
http://www.f-secure.com/v-descs/sober_q.shtml
NAME: Sober.Q

"The All New Netscape Browser 8.0: Speed, Flexibility and More Security Choices Than Any Other Browser" Thanks Juha Matti!

http://browser.netscape.com/ns8/

Patrick Nolan, with other Handler assists and our great team of contributors!