
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2006-06-16



Phishes, Phlaws and Phurther Network Phollies

Published: 2006-06-16
Last Updated: 2006-06-16 17:16:51 UTC
by Chris Carboni (Version: 1)
PayPal Phlaw?

We've received a report of a potential flaw in the PayPal website that is being used to steal credit card and other personal information from PayPal users.

The scam works by tricking users into accessing a URL hosted on the genuine PayPal web site. The URL uses SSL to encrypt information transmitted to and from the site, and a valid 256-bit SSL certificate is presented to confirm that the site does indeed belong to PayPal.

When the victim visits the page, they are presented with a message that has been 'injected' onto the genuine PayPal site that says, "Your account is currently disabled because we think it has been accessed by a third party. You will now be redirected to Resolution Center." After a short pause, the victim is then redirected to an external server (apparently somewhere in Korean IP space), which presents a very convincing fake PayPal Member Log-In page.

Logging in sends the PayPal username and password to the bad guys, and a second page then asks for more information (social security number, credit card number ...) in order to remove the limits on their account.

More to come as we confirm information.


FDIC Phish

Juha-Matti dropped us a link to a newly added US-CERT Advisory detailing a scam targeting customers of FDIC insured institutions.



Reports of Excel 0-Day

Published: 2006-06-16
Last Updated: 2006-06-16 17:16:11 UTC
by Chris Carboni (Version: 1)
Microsoft has received a report of a new 0-day vulnerability involving Excel.  They are currently investigating this issue and will issue more information on workarounds as it becomes available.  They are currently blogging about it at http://blogs.technet.com/msrc/archive/2006/06/16/436174.aspx so check that site for more information as it becomes available.

In the meantime, we continue to recommend the same defenses we recommended with the Word 0-day from last month located at http://isc.sans.org/diary.php?storyid=1347. These very general best practices should help alleviate the danger until Microsoft releases a patch or more specific workarounds.


Update - We've received reports (Thanks Juha-Matti) that Symantec is detecting this attack.

Trojan.Mdropper.J is the detection for the malicious .xls which uses the 0-day exploit to drop Downloader.Booli.A.

The Symantec website also reports:

Downloader.Booli.A may arrive on the compromised computer, dropped by Trojan.Mdropper.J, with the following name:

%System%\svc.exe

Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

When Downloader.Booli.A is executed, it performs the following actions:

  1. Attempts to run Internet Explorer and inject its code into Internet Explorer to potentially bypass firewalls.
  2. Attempts to download a file from the following location:
    [http://]210.6.90.153:7890/svcho[REMOVED]
    Note: At the time of writing the remote file was not available.
  3. Saves the file as the following and if the download was successful, executes the file:
    c:\temp.exe
  4. Creates an empty file before exiting:
    c:\bool.ini
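Turning the behaviour above into something a responder can run: the following is an added example, not code from the ISC diary, Microsoft or Symantec. It checks a host for the dropped-file artifacts named in the list and scans proxy log lines for fetches from the reported download location. The file paths and the host:port come from the diary text; the remote file name is redacted there ("svcho[REMOVED]"), so the network check keys on host and port only. The log lines, client addresses and the `sample-path` URL path are constructed placeholders, and the `exists` parameter is a hypothetical hook for testing against a recorded file listing.

```python
# Added example (not from the ISC diary, Microsoft or Symantec): a defender-side
# check for the Downloader.Booli.A artifacts listed in the diary. File paths and
# the download host:port are taken from the diary text; the log lines below are
# constructed samples in a Squid-style access-log layout.
import os
import re

# %System% expands to the Windows system folder; outside Windows this simply
# yields a path that does not exist, which is the correct "not found" answer.
SYSTEM_DIR = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")

# Dropped-file indicators named in the diary.
FILE_INDICATORS = [
    os.path.join(SYSTEM_DIR, "svc.exe"),  # %System%\svc.exe
    r"c:\temp.exe",                       # downloaded payload, if the fetch succeeded
    r"c:\bool.ini",                       # empty marker file created before exit
]

# The diary redacts the remote file name ("svcho[REMOVED]"), so the network
# indicator keys on the host and the non-standard port only.
DOWNLOAD_HOST = "210.6.90.153"
DOWNLOAD_PORT = 7890
URL_PATTERN = re.compile(
    r"https?://" + re.escape(DOWNLOAD_HOST) + ":" + str(DOWNLOAD_PORT) + r"\S*"
)

# Constructed sample log lines (hypothetical clients, timestamps and URL path).
SAMPLE_LOG = [
    "1150470000.123 200 10.0.0.5 TCP_MISS/200 512 GET http://www.example.com/index.html - DIRECT/203.0.113.9 text/html",
    "1150470005.456 300 10.0.0.7 TCP_MISS/404 310 GET http://210.6.90.153:7890/sample-path - DIRECT/210.6.90.153 text/html",
    "1150470009.789 100 10.0.0.5 TCP_HIT/200 2048 GET http://www.example.org/ - NONE/- text/html",
]


def check_file_indicators(paths=FILE_INDICATORS, exists=os.path.exists):
    """Return the indicator paths present on this host.

    `exists` is injectable (hypothetical hook) so the check can be run
    against a recorded file listing instead of the live filesystem.
    """
    return [p for p in paths if exists(p)]


def scan_proxy_log(lines):
    """Return (line_number, url) for every line that fetched from the
    download location. The HTTP status is deliberately ignored: the diary
    notes the remote file was unavailable at the time, so a 404 still
    identifies a client that ran the dropper."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = URL_PATTERN.search(line)
        if match:
            hits.append((number, match.group(0)))
    return hits


if __name__ == "__main__":
    for number, url in scan_proxy_log(SAMPLE_LOG):
        print(f"line {number}: client fetched {url}")
    for path in check_file_indicators():
        print(f"indicator present: {path}")
```

The proxy scan is the more useful of the two in practice: because the dropper injects into Internet Explorer, the outbound request looks like ordinary browser traffic on the host, but the destination port 7890 stands out in proxy or firewall logs even when the download itself failed.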

We'll pass on more information as we receive it.

-Chris


Adobe Reader Update

Published: 2006-06-16
Last Updated: 2006-06-16 13:16:40 UTC
by Chris Carboni (Version: 1)
Adobe has released an update for Reader in which "several security bug fixes have been made, with one considered critical for the Macintosh OS and several considered to have a low rating for Windows."

Details can be found in Adobe Support Knowledgebase article 327817.