Message-ID: <40A23E34.7060906@outpost24.com>
Date: Wed, 12 May 2004 17:09:40 +0200
From: David Jacoby <dj@...post24.com>
To: Bojan.Zdrnja@....hr
Cc: bugtraq@...urityfocus.com, incidents@...urityfocus.com
Subject: Re: Somebody exploiting (badly designed) yahoo service?


Howdy!

This is probably the W32/Wallon.A@mm 
<https://www.outpost24.com/ops/virus/3583> worm. It's a mass-mailer and it 
uses the following vulnerabilities:

http://www.microsoft.com/technet/security/bulletin/ms04-004.mspx
http://www.microsoft.com/technet/security/bulletin/ms04-013.mspx

It arrives in an email with the following body:
http://drs.ahoo.com/<domainname>/NEWS/*http://www.security-warning.biz/personal6/maljo24/www.YAHOO.com/#http://drs.ahoo.com/<domainname>/NEWS/


//David



Bojan Zdrnja wrote:

>Hi Alex :) 
>
>  
>
>>-----Original Message-----
>>From: Aleksandar Milivojevic [mailto:alex@...ivojevic.org] 
>>Sent: Wednesday, 12 May 2004 4:25 a.m.
>>To: bugtraq@...urityfocus.com
>>Subject: Somebody exploiting (badly designed) yahoo service?
>>
>>I don't know if this is something new, or something old.
>>    
>>
>
>I got the same thing a couple of days ago.
>It always uses the same link as you had, but it puts destination domain in
>it, so the resulting link is like:
>
>http://drs.yahoo.com/RECIPIENT_DOMAIN/NEWS/*http:// .....
>
>
>  
>
>>loads terra.html from the same site.  Downloading terra.html using wget,
>>there's some more JavaScript (again after several empty screens) and some
>>obfuscating code inside that I haven't analyzed in depth.
>>    
>>
>
>Terra.html file has some simple obfuscation. One obvious link that it opens
>is at www.danni.com.
>The other part is obfuscated by javascript.
>After decoding this you get the following HTML code:
>
><iframe width=0 height=0
>DEFANGED_src="http://counter.spros.com/1/count.htm"></iframe>
>
>Which essentially opens an invisible frame and goes to some counter site.
>That count.htm is completely empty and is probably used to enumerate users
>which click on this.
>
>  
>
>>Anybody seen this before?  Is this some kind of virus, worm, spyware, or
>>simply a spam?  Looking at received headers of emails, it doesn't look
>>like spam.  When I contacted the people who were listed as senders, they
>>said they never sent it (but that they suspect they might be infected by
>>some virus).
>>    
>>
>
>Same thing happened here. I didn't find any elements on that web page which
>could auto-run some things, so I suspect something else.
>This would look to me like some kind of phishing, as it looks like it's at
>least checking how many users clicked on this link - but it arrived from
>legitimate users (headers confirm this) so it's really strange.
>
>  
>
>>I'll be contacting Yahoo about this (obviously, whatever they have at
>>drs.yahoo.com isn't designed with security in mind), however I'm
>>interested if anybody else saw/got this, and if he/she knows 
>>what it is.
>>    
>>
>
>That's a pretty well known (and old) feature at Yahoo, which I don't know
>why they provide - *a lot* of phishing e-mails I saw use this redirection
>feature in an attempt to fool users.
>
>I CC:ed this e-mail to incidents mailing list, I think it's more appropriate
>there.
>
>Cheers,
>
>Bojan Zdrnja
>CISSP
>
>
>---------------------------------------------------------------------------
>----------------------------------------------------------------------------
>
>
>  
>


-- 
Best regards,
David Jacoby
Security Analyst

Outpost24 Security Team
Email : dj@...post24.com
Tel   : +46 455 612311
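
Added example (not part of the original mails, and not code from Outpost24 or
Yahoo): a small Python triage helper for the two artifacts discussed in this
thread. It unwraps the drs.yahoo.com redirector links quoted above to recover
the real destination host, and it flags the decoded zero-size iframe that
terra.html loads. The sample message body and HTML fragment are constructed
here for the example; the recipient domain "example.org" is made up, while the
other host names are the ones quoted in the thread. The regular expressions
assume the link layout shown in the thread (a "*" separating the redirector
prefix from the real URL) and nothing else about Yahoo's service.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample body, modelled on the link format quoted in the thread.
# "example.org" stands in for the recipient's domain.
SAMPLE_BODY = (
    "Hello, see today's news:\n"
    "http://drs.yahoo.com/example.org/NEWS/*http://www.security-warning.biz/"
    "personal6/maljo24/www.YAHOO.com/#http://drs.yahoo.com/example.org/NEWS/\n"
    "Regards\n"
)

# Constructed fragment matching the decoded HTML quoted in the thread.
# The "DEFANGED_" prefix in the archive was added by list software, so the
# parser accepts both "src" and "DEFANGED_src".
SAMPLE_HTML = (
    '<iframe width=0 height=0 '
    'src="http://counter.spros.com/1/count.htm"></iframe>'
)

# Redirector layout assumed from the thread:
#   http://drs.yahoo.com/<recipient domain>/NEWS/*<real URL>
REDIRECT_RE = re.compile(
    r"https?://drs\.yahoo\.com/[^\s*]*\*(https?://\S+)", re.IGNORECASE
)

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"?([^"\s>]+)"?')


def unwrap_yahoo_redirect(url: str) -> Optional[str]:
    """Return the real destination behind a drs.yahoo.com redirector link,
    or None if the URL is not such a link."""
    m = REDIRECT_RE.match(url)
    if not m:
        return None
    dest = m.group(1)
    # The "#http://drs.yahoo.com/..." tail is a fragment: browsers never send
    # it to the server, it only makes the visible link end in a yahoo.com URL.
    return dest.split("#", 1)[0]


def destination_host(url: str) -> str:
    """Host name of a URL, lower-cased by urlsplit; '' if unparsable."""
    return urlsplit(url).hostname or ""


def find_redirect_links(text: str) -> List[Tuple[str, str, str]]:
    """Return (wrapped_url, real_url, real_host) for every redirector link
    found in a message body."""
    hits = []
    for m in REDIRECT_RE.finditer(text):
        wrapped = m.group(0)
        real = unwrap_yahoo_redirect(wrapped) or ""
        hits.append((wrapped, real, destination_host(real)))
    return hits


def hidden_iframes(html: str) -> List[str]:
    """Return the src of every iframe whose width or height is 0, i.e. the
    invisible tracking frames decoded from the obfuscated script."""
    found = []
    for m in IFRAME_RE.finditer(html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(m.group(1))}
        src = attrs.get("src") or attrs.get("defanged_src")
        if src and (attrs.get("width") == "0" or attrs.get("height") == "0"):
            found.append(src)
    return found


if __name__ == "__main__":
    for wrapped, real, host in find_redirect_links(SAMPLE_BODY):
        print("redirector :", wrapped)
        print("real target:", real)
        print("real host  :", host)
    for src in hidden_iframes(SAMPLE_HTML):
        print("hidden iframe ->", src)
```

The point of splitting on "#" is that the recipient sees a link that both
starts and ends with a yahoo.com address, while the only part the redirector
acts on is the URL after the "*". Feeding the real host into a mail filter or
a block list catches the lure regardless of which recipient domain the worm
inserts into the prefix.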

