Download.Ject Detection and Recovery -- New Phishing Attack Technique

Published: 2004-06-26
Last Updated: 2004-06-27 15:58:12 UTC
by Scott Fendley (Version: 1)

Download.Ject Detection and Recovery
Microsoft has released more information on its website about detecting and recovering from compromises related to the berbew/scob worm that has been going around over the past week. The web page for more information is .

Updated 6/27: If you are absolutely positive that your IIS server was patched yet was still hit with the recent Download.Ject issues of the past several days, please let the Internet Storm Center know or contact Microsoft Product Support Services at 1-866-PCSafety. There have been reports out of Microsoft (on the patchmanagement mailing list) that all of the infected computers were either not patched or not rebooted before the outbreak. If there were cases that were patched and still infected, MS needs to hear about it, as that may indicate a need to fix the patch itself.
New Phishing Attack Technique

Recently, many users on my campus have received a new style of phishing email. The email purports to be from a major national bank group and attempts to hook the end user into "confirming" their data with this bank. There were a couple of things that make this attack different.

First, the entire message body was a single image file. This in itself is not unusual, since spammers have used the technique to evade lexical analysis in mail server filters. In the phishing arena it is also attractive because it keeps the look and feel of the email consistent no matter which graphical mail client the end user is using, which is necessary to maintain the illusion that the email is genuine.

The new technique noticed is the use of image map HTML code. If the end user is using a compliant browser and clicks on the image near the URL text, the user is taken to an obfuscated URL of the hackers' choosing and will eventually be asked for all the usual private information. If the end user's browser does not support image maps, the user is taken instead to a login page for the national bank on one of its many servers. Once the end user is on the hackers' site, there appears to be some low-level web browser detection, which will either kick the user over to the national bank's website or attempt to play games with the browser to maintain the illusion that you are on the true website.
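The two traits described above (an image-only body and clickable `<area>` regions inside a `<map>` whose links lead away from the bank's own domain) are both visible in the raw HTML of the message, so a mail filter can flag them before the image is ever rendered. The scanner below is an added example written for this diary entry, not code from the ISC or from any mail-filtering product. It uses only the Python standard library. The expected sender domain (`bank.example`), the two sample message bodies, and the choice of "obfuscated URL" heuristics (an IP-literal host or a `user@host` prefix that hides the real host) are all assumptions made for the example.

```python
"""Flag HTML e-mail bodies that use the image-map phishing pattern.

Added example (not from the ISC diary). Parses a message body with the
standard-library HTML parser and reports (a) bodies whose only visible content
is an image, (b) image maps with clickable areas, and (c) links whose host is
not under the expected sender domain or looks obfuscated.  The expected domain
"bank.example" and the sample messages are constructed for the example.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress


class ImageMapScanner(HTMLParser):
    """Collect <img>, <map>/<area> and <a> details plus visible text length."""

    def __init__(self):
        super().__init__()
        self.images = []        # src of every <img>
        self.usemaps = []       # <img usemap="..."> references
        self.area_links = []    # href of every <area> inside a <map>
        self.plain_links = []   # href of ordinary <a> links
        self.text_chars = 0     # visible non-whitespace characters seen
        self._in_map = False
        self._skip = 0          # nesting depth inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "style"):
            self._skip += 1
        elif tag == "img":
            self.images.append(a.get("src", ""))
            if "usemap" in a:
                self.usemaps.append(a["usemap"])
        elif tag == "map":
            self._in_map = True
        elif tag == "area" and self._in_map and a.get("href"):
            self.area_links.append(a["href"])
        elif tag == "a" and a.get("href"):
            self.plain_links.append(a["href"])

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1
        elif tag == "map":
            self._in_map = False

    def handle_data(self, data):
        # Script/style bodies are not text the recipient would read.
        if not self._skip:
            self.text_chars += len(data.strip())


def _host_is_suspicious(url, expected_domain):
    """True if the link host is not under expected_domain or looks obfuscated."""
    p = urlparse(url)
    if p.scheme not in ("http", "https"):
        return False            # mailto:, cid:, relative links are not judged here
    if p.username is not None:  # http://bank.example@other.invalid/ style trick
        return True
    host = (p.hostname or "").lower()
    try:
        ipaddress.ip_address(host)  # raw IP host instead of a name
        return True
    except ValueError:
        pass
    return not (host == expected_domain or host.endswith("." + expected_domain))


def scan_html_body(html, expected_domain):
    """Return a list of findings (strings) for one HTML e-mail body."""
    s = ImageMapScanner()
    s.feed(html)
    s.close()
    findings = []
    if s.images and s.text_chars == 0:
        findings.append("body is image-only (no visible text)")
    if s.usemaps and s.area_links:
        findings.append("image map with %d clickable areas" % len(s.area_links))
    for url in s.area_links + s.plain_links:
        if _host_is_suspicious(url, expected_domain):
            findings.append("link host outside %s: %s" % (expected_domain, url))
    return findings


# Constructed sample: image-only body, one area hidden over the "URL" region of
# the picture pointing at an IP-literal host, the rest of the image pointing at
# the real bank so non-image-map clients land on a genuine login page.
SAMPLE_PHISH = """<html><body>
<img src="cid:notice.gif" usemap="#m" border="0">
<map name="m">
  <area shape="rect" coords="0,300,400,330" href="http://203.0.113.5/verify/">
  <area shape="rect" coords="0,0,400,300" href="https://www.bank.example/login">
</map>
</body></html>"""

# Constructed sample of an ordinary text notice from the bank itself.
SAMPLE_LEGIT = """<html><body><p>Your statement is ready.</p>
<a href="https://online.bank.example/statements">View statement</a></body></html>"""

if __name__ == "__main__":
    for name, body in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, scan_html_body(body, "bank.example") or ["no findings"])
```

The scanner judges only link hosts; it does not fetch anything, so it is safe to run inside a mail gateway. Because the decoy `<area>` over most of the image points at the genuine bank, a filter that looks only at the first link, or only at `<a>` tags, would pass this message; walking every `<area>` inside every `<map>` is the point of the example.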

Using the image map technique appears to be a new trick, and combined with some sophistication in the other techniques, it may make it extremely hard for end users to tell the difference between real email from their banks and email from the hackers. We continue to recommend that end users not click on URLs in email from banks or other "secure" sites, but instead directly enter the main URL for the company in question, or contact the company through its regular customer service phone number.

Scott Fendley

ISC Handler on Duty
