Message-ID: <40A23E34.7060906@outpost24.com>
Date: Wed, 12 May 2004 17:09:40 +0200
From: David Jacoby <dj@...post24.com>
To: Bojan.Zdrnja@....hr
Cc: bugtraq@...urityfocus.com, incidents@...urityfocus.com
Subject: Re: Somebody exploiting (badly designed) yahoo service?
Howdy!
This is probably the W32/Wallon.A@mm
<https://www.outpost24.com/ops/virus/3583> worm. It's a mass mailer and it
uses the following vulnerabilities:
http://www.microsoft.com/technet/security/bulletin/ms04-004.mspx
http://www.microsoft.com/technet/security/bulletin/ms04-013.mspx
It arrives in an email with the following body:
http://drs.ahoo.com/<domainname>/NEWS/*http://www.security-warning.biz/personal6/maljo24/www.YAHOO.com/#http://drs.ahoo.com/<domainname>/NEWS/
//David
Bojan Zdrnja wrote:
>Hi Alex :)
>
>
>
>>-----Original Message-----
>>From: Aleksandar Milivojevic [mailto:alex@...ivojevic.org]
>>Sent: Wednesday, 12 May 2004 4:25 a.m.
>>To: bugtraq@...urityfocus.com
>>Subject: Somebody exploiting (badly designed) yahoo service?
>>
>>I don't know if this is something new, or something old.
>>
>>
>
>I got the same thing couple of days ago.
>It always uses the same link as you had, but it puts the destination domain in
>it, so the resulting link is like:
>
>http://drs.yahoo.com/RECIPIENT_DOMAIN/NEWS/*http:// .....
>
>
>
>
>>loads terra.html from the same site. Downloading terra.html using wget,
>>there's some more JavaScript (again after several empty screens) and some
>>obfuscating code inside that I haven't analyzed in depth.
>>
>>
>
>Terra.html file has some simple obfuscation. One obvious link that it opens
>is at www.danni.com.
>The other part is obfuscated by javascript.
>After decoding this you get the following HTML code:
>
><iframe width=0 height=0
>DEFANGED_src="http://counter.spros.com/1/count.htm"></iframe>
>
>Which essentially opens an invisible frame and goes to some counter site.
>That count.htm is completely empty and is probably used to enumerate users
>which click on this.
>
>
>
>>Anybody seen this before? Is this some kind of virus, worm, spyware, or
>>simply a spam? Looking at received headers of emails, it doesn't look
>>like spam. When I contacted the people who were listed as senders, they
>>said they never sent it (but that they suspect they might be infected by
>>some virus).
>>
>>
>
>Same thing happened here. I didn't find any elements on that web page which
>could auto-run some things, so I suspect something else.
>This would look to me like some kind of phishing, as it looks like it's at
>least checking how many users clicked on this link - but it arrived from
>legitimate users (headers confirm this) so it's really strange.
>
>
>
>>I'll be contacting Yahoo about this (obviously, whatever they have at
>>drs.yahoo.com isn't designed with security in mind), however I'm
>>interested if anybody else saw/got this, and if he/she knows
>>what it is.
>>
>>
>
>That's a pretty well known (and old) feature at Yahoo, which I don't know
>why they provide - *a lot* of phishing e-mails I saw use this redirection
>feature in an attempt to fool users.
>
>I CC:ed this e-mail to incidents mailing list, I think it's more appropriate
>there.
>
>Cheers,
>
>Bojan Zdrnja
>CISSP
>
>
--
Best regards,
David Jacoby
Security Analyst
Outpost24 Security Team
Email : dj@...post24.com
Tel : +46 455 612311
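Added example, not part of this thread: a small Python check that unwraps the drs.yahoo.com redirector shape quoted above (`http://drs.yahoo.com/<recipient domain>/NEWS/*<real destination>`) and reports the host the reader actually lands on, so a mail filter or log review can flag links that only look like Yahoo. The message bodies are constructed samples and example.org is a placeholder recipient domain.

```python
import re
from urllib.parse import urlsplit

# Constructed sample bodies modelled on the links quoted in the thread.
# example.org stands in for the recipient's domain.
SAMPLE_BODIES = [
    "Breaking news: http://drs.yahoo.com/example.org/NEWS/*http://www.security-warning.biz/personal6/maljo24/www.YAHOO.com/#http://drs.yahoo.com/example.org/NEWS/",
    "See http://drs.yahoo.com/example.org/NEWS/*http://news.yahoo.com/story?id=1 for details",
    "Plain link http://www.example.org/page.html here",
]

# The redirector shape described in the thread:
# http://drs.yahoo.com/<recipient-domain>/NEWS/*<real destination>
REDIRECT_RE = re.compile(
    r"https?://drs\.yahoo\.com/(?P<seg>[^/\s]+)/NEWS/\*(?P<dest>\S+)",
    re.IGNORECASE,
)


def unwrap_redirect(url):
    """Return (recipient_segment, destination_host, destination_url) for a
    redirector URL, or None if the URL does not have that shape."""
    m = REDIRECT_RE.search(url)
    if not m:
        return None
    dest = m.group("dest")
    # The '#http://drs.yahoo.com/...' tail is a URL fragment: the browser never
    # sends it to the server, it only makes the visible link end in a
    # yahoo-looking path. urlsplit discards it and yields the real host.
    host = (urlsplit(dest).hostname or "").lower()
    return m.group("seg"), host, dest


def find_disguised_links(body, trusted_suffix="yahoo.com"):
    """Scan one message body and return (recipient_segment, real_host) for
    every redirector link whose real destination lies outside yahoo.com."""
    hits = []
    for m in REDIRECT_RE.finditer(body):
        seg, host, _dest = unwrap_redirect(m.group(0))
        if host == trusted_suffix or host.endswith("." + trusted_suffix):
            continue  # stays inside yahoo.com: ordinary use of the redirector
        hits.append((seg, host))
    return hits


if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(find_disguised_links(body))
```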