SANS ISC: InfoSec Handlers Diary Blog
sms-vishing for your bank info

Published: 2008-06-02
Last Updated: 2008-06-02 19:41:35 UTC
by donald smith (Version: 3)
I have recently become aware of and involved in researching SMS vishing attacks. As part of that research I came across an automated toolkit that appears to have been cobbled together for SMS spamming and vishing (phishing using voice networks instead of data networks). The name of the main tool was SmssmtpSender.

SmssmtpSender consisted of several individual tools cobbled together to create a single toolkit to compromise, manage and control a set of systems for sending SMS spam via compromised POP accounts that had weak passwords. Here is a "short" analysis of the elements of that toolkit.

| Name | File type | Description |
|---|---|---|
| Top_level_dir | directory | Top level directory. |
| /greetingisland.gsm | data | Greeting message used to vish customers; this version was for North Island Credit Union. Contents of welcome message: “Welcome to North Island Credit Union Financial department. Please follow the next steps to renew your payments and transfer services” |
| /hello.wav | RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, mono 16000 Hz | Greeting message used to vish customers for North Island Credit Union. Contents of welcome message: “Welcome to North Island Credit Union Financial department. Please follow the next steps to renew your payments and transfer services” |
| /horde | directory | Top level directory for the horde remote compromise tool. |
| /horde/.dc | perl script text | “Data Cha0s Connect Back Backdoor”. This could be used as a backdoor control channel; however, on the systems analyzed, SSH on a high-numbered port was used for management instead. |
| /horde/gwee | ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.2.5, dynamically linked (uses shared libs), stripped | From the man page: "gwee (generic web exploitation engine) is a small program written in C designed to exploit arbitrary command execution vulnerabilities in web scripts, such as Perl, CGIs, PHP, etc. gwee is much like an exploit, except more general purpose." This appears to have been tested for remote web-based shell access using .dc above. The systems that I am aware of were compromised via the horde.pl script, not gwee with .dc. |
| /horde/gwee-1.36 | directory | Top level directory for gwee. |
| /horde/gwee-1.36/binaries | directory | Directory for binaries created in the compile of gwee. |
| /horde/gwee-1.36/binaries/gwee.exe | PE executable for MS Windows (console) Intel 80386 32-bit | gwee executable for Windows. |
| /horde/gwee-1.36/gwee | ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.2.5, dynamically linked (uses shared libs), stripped | gwee executable for Linux on Intel, kernel >= 2.2.5. |
| /horde/gwee-1.36/gwee.1 | troff or preprocessor input text | man page for gwee |
| /horde/gwee-1.36/gwee.c | ASCII C program text, with very long lines | gwee source code |
| /horde/gwee-1.36/Makefile | ASCII text | gwee makefile |
| /horde/gwee-1.36/mktarball.sh | Bourne shell script text executable | Script to create a tarball for gwee |
| /horde/gwee-1.36/README | ASCII English text | Installation notes for gwee |
| /horde/gwee-1.36.tar.gz | gzip compressed data, from Unix | Gzipped tarball of gwee |
| /horde/horddy.pl | perl script text executable | Horde help module remote execution Perl exploit. This was used to compromise Horde hosts to use as the SMTP -> SMS senders. |
| /horde/root.txt | Bourne shell script text executable | “PRCTL local root exp By Sunix effected systems 2.6.13<= x <=2.6.17.4 + 2.6.9-22.Elsmp”. A local privilege escalation root exploit for Linux kernels 2.6.13-2.6.17. The horde.pl exploit often would not provide direct root access, so a privilege escalation tool was included in this toolkit. |
| /horde/try | Bourne shell script text executable | Script with gwee parameters used to exploit remote systems. It appears to use .dc for a remote shell. |
| /horde/try.bak | Bourne shell script text executable | Script with gwee parameters used to exploit remote systems. It appears to use .dc for a remote shell. Appears to be used after horddy.pl to check for success of the remote exploit, i.e. to see if the backdoor port was opened. |
| /hordetry.tgz | gzip compressed data, from Unix | Gzipped tarball of the horde tool. |
| /netstatx.c | ASCII C program text, with escape sequences | “ps.c,v 1.11 2001/09/03”: trojaned ps replacement style rootkit. Wraps ps, filtering the output via egrep -v for the set of hidden words. Any word in the hidden word set is removed from the ps output, effectively hiding any process in the “hidden word” set on a compromised system. Hidden words are stored in /usr/lib/.lib/libps or libph. |
| /popprober | directory | Top level directory for the popprober tool. |
| /popprober/checked.txt | ASCII text | File with accounts that have been tested. |
| /popprober/copy.txt | ASCII text | List of accounts with status such as “Unread”. Appears to be a list of active but unused accounts. These are post-processed via probe.pl. |
| /popprober/message.txt | ASCII text | probe.pl looks for this message to validate that the account is still unused. |
| /popprober/popvuln.txt | ASCII text | List of vulnerable POP accounts with account, password, IP address of the POP/SMTP server and type of login {LOGIN\|CRAM-MD5}. |
| /popprober/probe.pl | perl script text executable | Tool used to post-process copy.txt for unread/unmonitored accounts. |
| /popprober/smtp-client.pl | perl script text executable | Simple SMTP client with STARTTLS and AUTH support. Tool used to send the SMTP commands. |
| /popprober/Test.pl | perl script text executable | “Meca smtp Test v1.0”. Wrapper for smtp-client.pl to send to accounts listed in popvuln.txt. |
| /smssmtpsender | directory | The SMS SMTP sending tool's main directory. |
| /smssmtpsender/message.txt | ASCII text | Spam text to be sent via SMTP to an SMTP->SMS gateway. This is the actual message being sent to SMS-enabled devices. |
| /smssmtpsender/poplist.txt | ASCII text | List of accounts to use when sending SMTP messages. Same format as popvuln.txt. |
| /smssmtpsender/send.pl | perl script text executable | “Meca smtp sender v1.0”. Used to send SMTP spam messages. |
| /smssmtpsender/smtp-engine.pl | perl script text executable | Another Perl script that can be used to send the SMTP commands plus spam messages. This one spoofs Outlook by setting an X-Mailer header value of "Microsoft Outlook Express 6.00.2600.0000". |
| /smssmtpsender.tgz | gzip compressed data, from Unix | Gzipped tarball of the smssmtpsender toolkit. |
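The netstatx.c entry describes a ps wrapper that drops output lines matching a hidden-word list. Such a wrapper cannot remove process entries from /proc, so the cross-check below (an added example, not code from the diary or the toolkit) flags PIDs that exist in /proc but are missing from ps output; the sample ps listing and the filter_like_wrapper simulation are constructed for the demo, and live_check assumes a Linux host with procps.

```python
import os
import re
import subprocess


def pids_from_ps_output(text):
    """Collect PIDs from `ps -eo pid=,comm=` style output (PID first on each line)."""
    pids = set()
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\b", line)
        if m:
            pids.add(int(m.group(1)))
    return pids


def pids_from_proc(entries):
    """Every purely numeric directory name under /proc is a live PID."""
    return {int(e) for e in entries if e.isdigit()}


def hidden_pids(proc_entries, ps_text):
    """PIDs present in /proc but absent from what ps reported."""
    return pids_from_proc(proc_entries) - pids_from_ps_output(ps_text)


def filter_like_wrapper(ps_text, hidden_words):
    """Simulate the wrapper's `egrep -v` step: drop any line containing a hidden word.
    Constructed for this demo; it is not the toolkit's code."""
    kept = [l for l in ps_text.splitlines() if not any(w in l for w in hidden_words)]
    return "\n".join(kept) + "\n"


def live_check(runs=2):
    """Compare real ps output with /proc on this host (Linux only).
    A process that starts between the ps run and the /proc listing looks hidden,
    so only PIDs reported as hidden in every run are returned."""
    result = None
    for _ in range(runs):
        out = subprocess.run(["ps", "-eo", "pid=,comm="],
                             capture_output=True, text=True, check=True).stdout
        found = hidden_pids(os.listdir("/proc"), out)
        result = found if result is None else result & found
    return result


if __name__ == "__main__":
    # Constructed sample: three processes, the wrapper hides anything matching "smtp".
    sample_ps = "    1 init\n   42 sshd\n  777 smtp-engine.pl\n"
    filtered = filter_like_wrapper(sample_ps, ["smtp"])
    print("hidden:", hidden_pids(["1", "42", "777", "self", "cpuinfo"], filtered))  # {777}
    print("live:", live_check())
```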