0x01 trojan update (ev1.net host), openssl proof of concept exploit, HP mystery ssh patch
ev1.net trojan (was: Yahoo.fr)

A user submitted a fake e-mail that uses the %01 MSIE bug to trick the
user into downloading a Trojan.

The virus spreading this e-mail is smart enough to tailor the 'From' address
to match the user's domain. So, for example, if your e-mail address is 'user@example.com', the From address will read:

Example.com's Virus Department.
The fake URL will show up as 'http://example.com' followed by the 0x01 character and a randomized URL.
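To show how the displayed and real destinations diverge, here is an added Python example (not from the diary) that parses such URLs the way a mail filter might; the sample URLs and the 203.0.113.24 address are constructed, and the regex-based splitting is a deliberate choice so that control bytes in the URL survive parsing.

```python
import re

# Constructed sample URLs (hypothetical, not taken from the diary) showing the trick:
# a plausible-looking "host" is really the userinfo part, terminated by a 0x01 byte
# (URL-encoded as %01), and the true host follows the '@'.
SAMPLE_URLS = [
    "http://example.com%01@203.0.113.24/cgi-bin/page.cgi",
    "http://example.com\x01@203.0.113.24/cgi-bin/page.cgi",
    "http://example.com/newsletter",
    "http://user:pass@example.org/login",
]

_URL_RE = re.compile(
    r"^(?P<scheme>[a-zA-Z][a-zA-Z0-9+.-]*)://(?P<netloc>[^/?#]*)(?P<rest>.*)$", re.S
)


def analyze_url(url: str) -> dict:
    """Report what a user would have seen versus where the request really goes."""
    # Percent-decode by hand so that %01 becomes a raw 0x01 byte we can inspect.
    decoded = re.sub(r"%([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), url)
    m = _URL_RE.match(decoded)
    if not m:
        return {"url": url, "suspicious": True, "reasons": ["not an absolute URL"]}
    netloc = m.group("netloc")
    reasons = []
    if "@" in netloc:
        # RFC 3986 userinfo: anything before the last '@' is NOT the host.
        userinfo, _, host = netloc.rpartition("@")
        reasons.append("userinfo before '@' masquerades as the host")
    else:
        userinfo, host = "", netloc
    ctrl = [c for c in netloc if ord(c) < 0x20]
    if ctrl:
        reasons.append("control byte 0x%02x truncates the displayed URL" % ord(ctrl[0]))
    # Affected MSIE builds rendered only the text before the control byte.
    shown_host = re.split(r"[\x00-\x1f]", netloc, maxsplit=1)[0]
    return {
        "url": url,
        "shown_host": shown_host,
        "real_host": host.split(":")[0],  # drop any port such as :180
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


def scan(urls):
    """Return the analysis records for every URL that looks suspicious."""
    return [r for r in (analyze_url(u) for u in urls) if r["suspicious"]]
```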

Likely in an effort to thwart attempts to capture the trojan and shut down the
site, the site uses multiple redirects and will only deliver the trojan if the
user is using Microsoft Internet Explorer. To accomplish this, JavaScript and CGI scripting are used.

The trojan is only delivered once to a given IP address. The final URL used
to download the trojan is http:/ /66.98.208.24/cgi-bin/page.cgi at this point, but it has been changing.

The ISP hosting this site, EV1.net, was notified via e-mail to abuse, and
replied that the virus has been removed. However, even after this reply was
received, the trojan was still accessible via this URL.

A phone call to the customer service department of ev1.net was answered. The ev1.net representative was not able to respond to the case and was not able to provide a phone contact for the ev1.net abuse department.

Later today (early afternoon EST), the host was shut down. Another user reported
to us that a very similar URL was used at ev1.net back in December 2003:

http://66.98.188.67:180/cgi-bin/page.cgi

Back then, the e-mail claimed to include a "Gift Card from Sears".
OpenSSL POC exploit

Exploit code for the older ASN.1 vulnerability in OpenSSL has been posted to
various mailing lists. Please double-check that your OpenSSL installs are
current. Remember, some software may not use the dynamic library. Such
software has to be recompiled to link it against the new version.

HP Mystery SSH patch

HP released a patch for ssh on Tru64 Unix. The patch does not state what vulnerability it fixes.
-------------------

Johannes Ullrich, SANS Inst., jullrich at sans.org