Message-ID: <20040512041401.3A58D42F73@maja.zesoi.fer.hr>
Date: Wed, 12 May 2004 16:14:00 +1200
From: "Bojan Zdrnja" <Bojan.Zdrnja@....hr>
To: "'Aleksandar Milivojevic'" <alex@...ivojevic.org>,
  <bugtraq@...urityfocus.com>
Cc: <incidents@...urityfocus.com>
Subject: RE: Somebody exploiting (badly designed) yahoo service?


Hi Alex :) 

> -----Original Message-----
> From: Aleksandar Milivojevic [mailto:alex@...ivojevic.org] 
> Sent: Wednesday, 12 May 2004 4:25 a.m.
> To: bugtraq@...urityfocus.com
> Subject: Somebody exploiting (badly designed) yahoo service?
> 
> I don't know if this is something new, or something old.

I got the same thing a couple of days ago.
It always uses the same link as you had, but it puts the destination domain in
it, so the resulting link is like:

http://drs.yahoo.com/RECIPIENT_DOMAIN/NEWS/*http:// .....


> loads terra.html from the same site.  Downloading terra.html using wget,
> there's some more JavaScript (again after several empty screens) and some
> obfuscating code inside that I haven't analyzed in depth.

The terra.html file has some simple obfuscation. One obvious link that it opens
is at www.danni.com.
The other part is obfuscated by JavaScript.
After decoding this you get the following HTML code:

<iframe width=0 height=0
src="http://counter.spros.com/1/count.htm"></iframe>

Which essentially opens an invisible frame and goes to some counter site.
That count.htm is completely empty and is probably used to enumerate users
who click on this.

> Anybody seen this before?  Is this some kind of virus, worm, spyware, or
> simply a spam?  Looking at received headers of emails, it doesn't look
> like spam.  When I contacted the people who were listed as senders, they
> said they never sent it (but that they suspect they might be infected by
> some virus).

Same thing happened here. I didn't find any elements on that web page which
could auto-run something, so I suspect something else.
This would look to me like some kind of phishing, as it looks like it's at
least checking how many users clicked on this link - but it arrived from
legitimate users (headers confirm this), so it's really strange.

> I'll be contacting Yahoo about this (obviously, whatever they have at
> drs.yahoo.com isn't designed with security in mind), however I'm
> interested if anybody else saw/got this, and if he/she knows 
> what it is.

That's a pretty well-known (and old) feature at Yahoo, which I don't know
why they provide - *a lot* of phishing e-mails I saw use this redirection
feature in an attempt to fool users.

I CC'd this e-mail to the incidents mailing list; I think it's more appropriate
there.

Cheers,

Bojan Zdrnja
CISSP
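The redirection pattern discussed in this thread (a trusted host such as drs.yahoo.com carrying a second absolute URL in its path, here after a `*`) is something a mail gateway or incident responder can flag mechanically. The following is an added example, not code from the thread or from Yahoo: it parses each link found in a message body, looks for an embedded `http://`/`https://` URL in the path or query string (percent-encoded variants included), and reports when the embedded target's host differs from the host the link appears to point at. The hostnames evil.example, redirect.example.com and example.com and the sample mail text are constructed placeholders; RECIPIENT_DOMAIN is the placeholder used in the message above.

```python
"""Flag "redirector" links whose path or query embeds a second absolute URL.

Added example for this thread. All sample links below are constructed;
evil.example / redirect.example.com / example.com are placeholders.
"""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# An absolute URL appearing anywhere in free text, a path or a query value.
# Greedy up to whitespace, so an outer link that embeds an inner one is
# captured as a single token (the inner URL is not matched on its own).
EMBEDDED_URL = re.compile(r'(https?://[^\s<>"]+)', re.IGNORECASE)


def find_redirect_target(link):
    """Return (outer_host, embedded_host) if `link` carries another URL whose
    host differs from the link's own host, otherwise None."""
    parts = urlsplit(link)
    outer_host = parts.hostname
    if not outer_host:
        return None
    # The embedded URL may sit in the path (drs.yahoo.com/.../*http://...)
    # or in a query parameter (?url=http://...). Percent-decoding first
    # catches encoded forms such as http%3A%2F%2F.
    candidates = [unquote(parts.path)]
    candidates += [unquote(v) for _, v in
                   parse_qsl(parts.query, keep_blank_values=True)]
    for text in candidates:
        m = EMBEDDED_URL.search(text)
        if m:
            inner_host = urlsplit(m.group(1)).hostname
            if inner_host and inner_host.lower() != outer_host.lower():
                return outer_host.lower(), inner_host.lower()
    return None


def registrable_suffix(host, labels=2):
    """Crude "same site" test: last two DNS labels. Good enough for a triage
    heuristic; a public-suffix list would be the production choice."""
    return ".".join(host.split(".")[-labels:])


def classify(link):
    """Label a link as direct, a same-site redirect, or an open redirect
    that bounces the user from one site to an unrelated one."""
    found = find_redirect_target(link)
    if found is None:
        return "direct"
    outer, inner = found
    if registrable_suffix(outer) == registrable_suffix(inner):
        return "same-site redirect"
    return "open redirect via %s -> %s" % (outer, inner)


def audit_links(text):
    """Classify every http(s) link found in free text such as a mail body."""
    return {link: classify(link) for link in EMBEDDED_URL.findall(text)}


# Constructed sample mail body mirroring the link shape reported in the thread.
SAMPLE_MAIL = """Check this out:
http://drs.yahoo.com/RECIPIENT_DOMAIN/NEWS/*http://evil.example/terra.html
and also http://www.danni.com/
"""

if __name__ == "__main__":
    for link, verdict in audit_links(SAMPLE_MAIL).items():
        print("%-75s %s" % (link, verdict))
```

The useful signal for triage is not the trusted outer host but the mismatch between it and the embedded host; the same-site case is kept separate because many legitimate sites route outbound clicks through their own counter or redirector.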

