Date: Wed, 12 May 2004 17:09:40 +0200
From: David Jacoby <dj@...post24.com>
To: Bojan.Zdrnja@....hr
Cc: bugtraq@...urityfocus.com, incidents@...urityfocus.com
Subject: Re: Somebody exploiting (badly designed) yahoo service?

Howdy!

This is probably the W32/Wallon.A@mm <https://www.outpost24.com/ops/virus/3583> worm. It's a mass mailer and it uses the following vulnerabilities:

http://www.microsoft.com/technet/security/bulletin/ms04-004.mspx
http://www.microsoft.com/technet/security/bulletin/ms04-013.mspx

It arrives in an email with the following body:

http://drs.ahoo.com/<domainname>/NEWS/*http://www.security-warning.biz/personal6/maljo24/www.YAHOO.com/#http://drs.ahoo.com/<domainname>/NEWS/

//David

Bojan Zdrnja wrote:

>Hi Alex :)
>
>>-----Original Message-----
>>From: Aleksandar Milivojevic [mailto:alex@...ivojevic.org]
>>Sent: Wednesday, 12 May 2004 4:25 a.m.
>>To: bugtraq@...urityfocus.com
>>Subject: Somebody exploiting (badly designed) yahoo service?
>>
>>I don't know if this is something new, or something old.
>
>I got the same thing a couple of days ago.
>It always uses the same link as you had, but it puts the destination domain in
>it, so the resulting link is like:
>
>http://drs.yahoo.com/RECIPIENT_DOMAIN/NEWS/*http:// .....
>
>>loads terra.html from the same site. Downloading terra.html using wget,
>>there's some more JavaScript (again after several empty screens) and some
>>obfuscating code inside that I haven't analyzed in depth.
>
>The terra.html file has some simple obfuscation. One obvious link that it opens
>is at www.danni.com.
>The other part is obfuscated by JavaScript.
>After decoding this you get the following HTML code:
>
><iframe width=0 height=0
>DEFANGED_src="http://counter.spros.com/1/count.htm"></iframe>
>
>Which essentially opens an invisible frame and goes to some counter site.
>That count.htm is completely empty and is probably used to enumerate users
>who click on this.
>
>>Anybody seen this before? Is this some kind of virus, worm, spyware, or
>>simply spam? Looking at the received headers of the emails, it doesn't look
>>like spam. When I contacted the people who were listed as senders, they
>>said they never sent it (but that they suspect they might be infected by
>>some virus).
>
>Same thing happened here. I didn't find any elements on that web page which
>could auto-run something, so I suspect something else.
>This would look to me like some kind of phishing, as it looks like it's at
>least checking how many users clicked on this link - but it arrived from
>legitimate users (headers confirm this) so it's really strange.
>
>>I'll be contacting Yahoo about this (obviously, whatever they have at
>>drs.yahoo.com isn't designed with security in mind), however I'm
>>interested if anybody else saw/got this, and if he/she knows
>>what it is.
>
>That's a pretty well known (and old) feature at Yahoo, which I don't know
>why they provide - *a lot* of phishing e-mails I saw use this redirection
>feature in an attempt to fool users.
>
>I CC:ed this e-mail to the incidents mailing list, I think it's more appropriate
>there.
>
>Cheers,
>
>Bojan Zdrnja
>CISSP

-- 
Best regards,
David Jacoby
Security Analyst
Outpost24 Security Team
Email : dj@...post24.com
Tel : +46 455 612311
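The link shape discussed in this thread (a visible drs.yahoo.com host whose /NEWS/* path tail carries the real destination, with a "#" fragment restating the Yahoo URL so the tail of the link looks trustworthy) can be taken apart mechanically by a mail filter. The following is an added example for this archive page, not code posted in the thread or belonging to Outpost24 or Yahoo; the redirector host set, the example.com recipient domain, the sample mail body and the "same organisation is an expected destination" heuristic are all constructed assumptions.

```python
"""Pick apart mail links that ride an open redirector.

Added example for this thread, not code posted in it. The redirector host set,
the sample mail body and the "same organisation is expected" heuristic are
constructed assumptions, modelled on the drs.yahoo.com/<domain>/NEWS/*<target>
links discussed above.
"""
import re
from urllib.parse import urlsplit

# Hosts the thread identifies as forwarding to whatever follows "/NEWS/*".
# Assumption: a defender keeps this list; only the host from the thread is in it.
REDIRECTOR_HOSTS = {"drs.yahoo.com"}

# Rough URL matcher for plain-text mail bodies (stops at whitespace and quotes).
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def split_redirect(url: str) -> dict:
    """Describe where a redirector link really leads.

    redirector  - the host the reader sees in the link
    target      - the URL embedded after "/*", without its fragment
    target_host - the host the browser will actually be sent to
    fragment    - text after "#": never sent to the server, so it can be used
                  to make the tail of the link read like the trusted site again
    lure        - True when the trusted brand name appears in the target path or
                  fragment (decoy text only; it does not change the destination)
    suspicious  - True when a known redirector forwards to a host outside the
                  redirector's own organisation (heuristic, an assumption here)
    """
    redirector = (urlsplit(url).hostname or "").lower()
    marker = url.find("/*")
    info = {"redirector": redirector, "target": None, "target_host": None,
            "fragment": None, "lure": False, "suspicious": False}
    if redirector not in REDIRECTOR_HOSTS or marker == -1:
        return info
    embedded = url[marker + 2:]
    # The fragment belongs to the embedded URL: everything after its first "#".
    target, _, fragment = embedded.partition("#")
    parsed = urlsplit(target)
    target_host = (parsed.hostname or "").lower()
    org = ".".join(redirector.split(".")[-2:])       # "yahoo.com" for drs.yahoo.com
    brand = org.split(".")[0]                        # "yahoo"
    same_org = target_host == org or target_host.endswith("." + org)
    info.update({
        "target": target,
        "target_host": target_host,
        "fragment": fragment or None,
        "lure": brand in (parsed.path + fragment).lower(),
        "suspicious": bool(target_host) and not same_org,
    })
    return info


def find_redirect_abuse(body: str) -> list:
    """Return the analysis of every suspicious redirector link in a mail body."""
    findings = []
    for url in URL_RE.findall(body):
        info = split_redirect(url)
        if info["suspicious"]:
            findings.append(info)
    return findings


# Constructed mail body: the worm-style link from the thread with example.com as
# the recipient domain, a benign same-organisation use of the redirector, and a
# plain link that involves no redirector at all.
SAMPLE_BODY = (
    "Hi, have a look at this:\n"
    "http://drs.yahoo.com/example.com/NEWS/*http://www.security-warning.biz"
    "/personal6/maljo24/www.YAHOO.com/#http://drs.yahoo.com/example.com/NEWS/\n"
    "http://drs.yahoo.com/example.com/NEWS/*http://news.yahoo.com/story\n"
    "http://www.example.com/plain\n"
)

if __name__ == "__main__":
    for hit in find_redirect_abuse(SAMPLE_BODY):
        print(f"{hit['redirector']} -> {hit['target_host']} "
              f"(brand lure in path/fragment: {hit['lure']}, "
              f"fragment decoy present: {hit['fragment'] is not None})")
```

The split is done on the raw string rather than on urlsplit's fragment, because the "#" belongs to the embedded URL: a browser drops everything after it before talking to the server, which is exactly why it makes a convenient place to restate the trusted-looking URL. Only the host that the browser will actually contact (target_host) matters for blocking or alerting.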