Date: Wed, 12 May 2004 17:13:35 +1200
From: Nick FitzGerald <nick@...us-l.demon.co.uk>
To: bugtraq@...urityfocus.com
Subject: Re: Somebody exploiting (badly designed) yahoo service?


"Aleksandar Milivojevic" <alex@...ivojevic.org> wrote:

> I don't know if this is something new, or something old.

Well, part of it is old and part of it quite new...

> Yesterday I received a couple of emails (apparently from people I know). 
> Emails were text/html, and contained only this text:
> 
> http://drs.yahoo.com/milivojevic.org/NEWS
> 
> Text was actually linked to:
> 
> http://drs.yahoo.com/milivojevic.org/NEWS/*http://www.security-warning.biz/personal6/maljo24/www.YAHOO.com/#http://drs.yahoo.com/milivojevic.org/NEWS

This is the self-mailing part of Wallon.A -- a new mass-mailer that 
distributes itself simply by sending Emails with links to itself to 
everyone in the victim's (Outlook) address book (not fully analysed 
yet...).

BTW -- the "milivojevic.org" part of that bogo-URL is customized to 
each recipient, based on their Email address.

> Downloading the above link using wget, drs.yahoo.com redirects to:
> 
> http://www.security-warning.biz/personal6/maljo24/www.YAHOO.com/

Yes -- URLs like that (and some other, related forms) have been not 
uncommonly used by spammers for quite some time now (in general it 
seems these Yahoo redirector pages parse off everything to the left of 
and including the asterisk and redirect to the remainder).

> This page contains some JavaScript (after couple of empty screens) that
> seems to open off-screen window (or at least it looks like that to me) ...

It's a porn page and the link includes an affiliate reference so the 
perp may get paid for each recipient of the "viral" Email that clicks 
on the link in the Email...

> ... and
> loads terra.html from the same site.  Downloading terra.html using wget,
> there's some more JavaScript (again after several empty screens) and some
> obfuscating code inside that I haven't analyzed in depth.

There is a simple decode routine that de-obfuscates an iframe tag 
directed to a Compiled Help file (.CHM) which, by exploiting the MHTML 
URL Processing vulnerability in (unpatched copies of) IE, silently d/ls 
the .CHM, opening it in the local computer zone where some scripting 
inside the .CHM then exploits the ADODB.Stream vulnerability in 
(unpatched copies of) IE to overwrite and execute Media Player with a 
.EXE file retrieved from the same site as the .CHM.  I've not analysed 
that .EXE yet and information from various AV developers about it is 
somewhat contradictory -- it is probably the component that mass-mails 
the target URL from the new victim's machine and may download and 
install a porn-dialer (there are also conflicting claims as to whether 
the .EXE sets itself up to run on startup and some claim it also Emails 
the list of its mail addresses its mailing routine compiles to 
1@...pics.cjb.net).  Different descriptions have somewhat different 
filenames, suggesting that the pages served from the target URLs may 
have changed "overnight" and slightly different variants (or even 
radically different components) may have been available at different times.

> Anybody seen this before?  Is this some kind of virus, worm, spyware, or
> simply a spam?  Looking at received headers of emails, it doesn't look
> like spam.  When I contacted the people who were listed as senders, they
> said they never sent it (but that they suspect they might be infected by
> some virus).

Seen before -- yes and no.  "Self-spamming mass-mailers", where all 
that is mailed is a link to a location for the mass-mailer (or at least 
to another component in a chain that ultimately closes a replication 
loop) are not new.  Use of the MHTML and .CHM tricks is not, neither 
is use of ADODB.Stream exploits new, nor is the joint use of those two 
exploits.  Address harvesting by a mass-mailer is not new either.  All 
that leaves is the specifics of this implementation and the actual .EXE 
file(s) that are d/l'ed from the target site and even some of these 
appear to be already-known dialers (though many "virus scanners" will 
not detect them).

> I'll be contacting Yahoo about this (obviously, whatever they have at
> drs.yahoo.com isn't designed with security in mind), however I'm
> interested if anybody else saw/got this, and if he/she knows what it is.

I doubt you'll get much assistance from Yahoo -- as far as it is 
concerned, those pages are working as designed.

You'd probably do more help by complaining to 
http://www.security-warning.biz/ about their "personal6" and/or 
"maljo24" user _AND_ CC'ing that to their upstream provider's abuse 
address (and the DHS and/or your pet FBI "cyber-crime" contact if you 
have one).

> Thanks for any info/pointers

You're welcome.


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
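As an added example (not part of the thread), here is a small mail-filter helper that unwraps a drs.yahoo.com redirector link the way the message describes (everything up to and including the asterisk is dropped, the remainder is the real target, the "#..." tail is a decoy) and flags the three warning signs discussed above: the off-Yahoo destination, the visible link text differing from the real destination, and the path personalised with the recipient's domain. The `REDIRECTOR_HOSTS` set and the recipient address are assumptions; the sample link is the one quoted in the thread.

```python
from urllib.parse import urlsplit

# Assumption: only this redirector is handled here.
REDIRECTOR_HOSTS = {"drs.yahoo.com"}

# The link shape quoted in the thread (copied from the message).
SAMPLE_HREF = ("http://drs.yahoo.com/milivojevic.org/NEWS/*http://www.security-warning.biz"
               "/personal6/maljo24/www.YAHOO.com/#http://drs.yahoo.com/milivojevic.org/NEWS")
SAMPLE_TEXT = "http://drs.yahoo.com/milivojevic.org/NEWS"   # visible anchor text
SAMPLE_RCPT = "recipient@milivojevic.org"                   # constructed address


def unwrap_redirect(url):
    """Return the real destination of a redirector link, or None if it is not one.
    Everything up to and including the first '*' in the path is discarded; the
    fragment after '#' (already split off by urlsplit) is ignored."""
    parts = urlsplit(url)
    if parts.netloc.lower() not in REDIRECTOR_HOSTS:
        return None
    star = parts.path.find("*")
    if star < 0:
        return None
    target = parts.path[star + 1:]
    if parts.query:
        target += "?" + parts.query
    return target or None


def effective_host(url):
    """Host the browser ends up on after the redirector has done its work."""
    target = unwrap_redirect(url)
    return urlsplit(target or url).netloc.lower()


def assess_link(text, href, recipient):
    """Return the reasons (possibly none) to treat a mail link as suspicious."""
    reasons = []
    dest = effective_host(href)
    if unwrap_redirect(href) and dest not in REDIRECTOR_HOSTS:
        reasons.append("open redirect to " + dest)
    if text.startswith("http") and effective_host(text) != dest:
        reasons.append("displayed host %s differs from %s" % (effective_host(text), dest))
    domain = recipient.rsplit("@", 1)[-1].lower()
    if urlsplit(href).path.lower().startswith("/" + domain + "/"):
        reasons.append("redirector path personalised with recipient domain")
    return reasons


if __name__ == "__main__":
    for reason in assess_link(SAMPLE_TEXT, SAMPLE_HREF, SAMPLE_RCPT):
        print("suspicious:", reason)
```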