sms-vishing for your bank info
SmssmtpSender consisted of several individual tools cobbled together into a single toolkit used to compromise, manage and control a set of systems for sending SMS spam through compromised POP accounts that had weak passwords. Here is a "short" analysis of the elements of that toolkit.
| Name | File type | Description |
|---|---|---|
| Top_level_dir | directory | Top-level directory. |
| /greetingisland.gsm | data | Greeting message used to vish customers; this version was for North Island Credit Union. Contents of welcome message: "Welcome to North Island Credit Union Financial department. Please follow the next steps to renew your payments and transfer services" |
| /hello.wav | RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, mono 16000 Hz | Greeting message used to vish North Island Credit Union customers. Contents of welcome message: "Welcome to North Island Credit Union Financial department. Please follow the next steps to renew your payments and transfer services" |
| /horde | directory | Top-level directory for the horde remote compromise tool. |
| /horde/.dc | perl script text | "Data Cha0s Connect Back Backdoor". This could be used as a backdoor control channel; however, on the systems analyzed, ssh on a high-numbered port was used for management instead. |
| /horde/gwee | ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.2.5, dynamically linked (uses shared libs), for GNU/Linux 2.2.5, stripped | From the man page: "gwee (generic web exploitation engine) is a small program written in C designed to exploit arbitrary command execution vulnerabilities in web scripts, such as Perl, CGIs, PHP, etc. gwee is much like an exploit, except more general purpose." This appears to have been tested for remote web-based shell access using .dc above. The systems that I am aware of were compromised via the horde.pl script, not gwee with .dc. |
| /horde/gwee-1.36 | directory | Top-level directory for gwee. |
| /horde/gwee-1.36/binaries | directory | Directory for binaries created when compiling gwee. |
| /horde/gwee-1.36/binaries/gwee.exe | PE executable for MS Windows (console) Intel 80386 32-bit | gwee executable for Windows. |
| /horde/gwee-1.36/gwee | ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.2.5, dynamically linked (uses shared libs), for GNU/Linux 2.2.5, stripped | gwee executable for Linux on Intel, kernel >= 2.2.5. |
| /horde/gwee-1.36/gwee.1 | troff or preprocessor input text | man page for gwee. |
| /horde/gwee-1.36/gwee.c | ASCII C program text, with very long lines | gwee source code. |
| /horde/gwee-1.36/Makefile | ASCII text | gwee makefile. |
| /horde/gwee-1.36/mktarball.sh | Bourne shell script text executable | Script to create a tarball for gwee. |
| /horde/gwee-1.36/README | ASCII English text | Installation notes for gwee. |
| /horde/gwee-1.36.tar.gz | gzip compressed data, from Unix | gzipped tarball of gwee. |
| /horde/horddy.pl | perl script text executable | Horde help module remote execution perl exploit. This was used to compromise horde hosts for use as the SMTP -> SMS senders. |
| /horde/root.txt | Bourne shell script text executable | "PRCTL local root exp By Sunix effected systems 2.6.13<= x <=2.6.17.4 + 2.6.9-22.Elsmp". A local privilege escalation root exploit for Linux kernels 2.6.13 to 2.6.17. The horde.pl exploit often would not provide direct root access, so a privilege escalation tool was included in this toolkit. |
| /horde/try | Bourne shell script text executable | Script with gwee parameters used to exploit remote systems. It appears to use .dc for a remote shell. |
| /horde/try.bak | Bourne shell script text executable | Script with gwee parameters used to exploit remote systems. It appears to use .dc for a remote shell, and appears to be run after horddy.pl to check whether the remote exploit succeeded in opening the backdoor port. |
| /hordetry.tgz | gzip compressed data, from Unix | gzipped tarball of the horde tool. |
| /netstatx.c | ASCII C program text, with escape sequences | "ps.c,v 1.11 2001/09/03". Trojaned ps replacement style rootkit. Wraps ps and filters its output through egrep -v with a set of hidden words: any line containing a word from the hidden-word set is removed from the ps output, effectively hiding every process matching the "hidden word" set on a compromised system. Hidden words are stored in /usr/lib/.lib/libps or libph. |
| /popprober | directory | Top-level directory for the popprober tool. |
| /popprober/checked.txt | ASCII text | File with accounts that have been tested. |
| /popprober/copy.txt | ASCII text | List of accounts with a status such as "Unread". Appears to be a list of active but unused accounts. These are post-processed via probe.pl. |
| /popprober/message.txt | ASCII text | probe.pl looks for this message to validate that the account is still unused. |
| /popprober/popvuln.txt | ASCII text | List of vulnerable POP accounts with account name, password, IP address of the POP/SMTP server and login type (LOGIN or CRAM-MD5). |
| /popprober/probe.pl | perl script text executable | Tool used to post-process copy.txt for unread/unmonitored accounts. |
| /popprober/smtp-client.pl | perl script text executable | Simple SMTP client with STARTTLS and AUTH support. Tool used to send the SMTP commands. |
| /popprober/Test.pl | perl script text executable | "Meca smtp Test v1.0". Wrapper for smtp-client.pl to send to the accounts listed in popvuln.txt. |
| /smssmtpsender | directory | Main directory of the SMS SMTP sending tools. |
| /smssmtpsender/message.txt | ASCII text | Spam text to be sent via SMTP to an SMTP->SMS gateway. This is the actual message delivered to SMS-enabled devices. |
| /smssmtpsender/poplist.txt | ASCII text | List of accounts to use when sending SMTP messages. Same format as popvuln.txt. |
| /smssmtpsender/send.pl | perl script text executable | "Meca smtp sender v1.0". Used to send SMTP spam messages. |
| /smssmtpsender/smtp-engine.pl | perl script text executable | Another perl script that can be used to send the SMTP commands plus the spam message. This one impersonates Outlook by setting an X-Mailer header of Microsoft Outlook Express 6.00.2600.0000. |
/smssmtpsender.tgz | gzip compressed data, from Unix | Gzipped tar ball of smssmtpsender tool kit. |
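Added example, not part of the original analysis or of the toolkit: a defender-side check for a ps-filtering rootkit of the netstatx.c kind listed above. A userland ps wrapper can drop lines from its output, but it cannot remove the process's entry from /proc, so a PID present in /proc and absent from ps is suspect. It assumes a Linux host with procps installed; the /usr/lib/.lib/libps and libph paths are the hidden-word list locations the analysis names.

```python
import os
import re
import subprocess

# Hidden-word list locations named in the analysis of netstatx.c
HIDDEN_WORD_FILES = ("/usr/lib/.lib/libps", "/usr/lib/.lib/libph")


def proc_pids():
    """PIDs the kernel exposes in /proc; a userland ps wrapper cannot filter these."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}


def parse_ps_pids(ps_output):
    """Parse 'ps -e -o pid=' output (one PID per line) into a set of ints."""
    return {int(m.group(1)) for m in re.finditer(r"^\s*(\d+)\s*$", ps_output, re.M)}


def hidden_pids(kernel_pids, ps_pids):
    """PIDs the kernel knows about that ps did not report, sorted ascending."""
    return sorted(kernel_pids - ps_pids)


def hidden_word_files_present(paths=HIDDEN_WORD_FILES):
    """Hidden-word list files that exist on disk; any hit is a strong indicator."""
    return [p for p in paths if os.path.exists(p)]


def live_check():
    """Compare /proc against ps on this host (assumes Linux with procps).
    Snapshot /proc first so the short-lived ps process itself is not counted,
    then drop suspects that have since exited to suppress race-condition noise."""
    snapshot = proc_pids()
    out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True,
                         text=True, check=True)
    suspects = [p for p in hidden_pids(snapshot, parse_ps_pids(out.stdout))
                if os.path.exists(f"/proc/{p}")]
    return {"hidden_pids": suspects,
            "hidden_word_files": hidden_word_files_present()}


if __name__ == "__main__":
    # Constructed sample: the kernel sees five PIDs, a filtered ps shows four.
    sample_ps = "    1\n  423\n 1337\n 2048\n"
    print(hidden_pids({1, 423, 1337, 2048, 31337}, parse_ps_pids(sample_ps)))
    print(live_check())
```

A non-empty hidden_pids result on a quiet host, or any hit in hidden_word_files, warrants comparing the ps binary against a known-good package copy.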