[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <45F6DC4D.7050900@reversemode.com>
Date: Tue, 13 Mar 2007 18:15:57 +0100
From: Reversemode <advisories@...ersemode.com>
To: Securityfocus <bugtraq@...urityfocus.com>
Cc: Thierry Zoller <Thierry@...ler.lu>
Subject: Re: Iframe-Cash/Iframe-Dollars Adware bundle...oooh... my ....god..
Hi,
The BHO you are talking about is part of a banking malware toolkit which
is being sold probably.
Among other things (password stealer), this BHO has backdoor and
"botnet" capabilities, implementing several remote commands:
+ upload
+ run
+ update
...
This toolkit also comprises various "infection management system" php
scripts :
+ statistics about infections, countries...
+ users/victims tracking
+ logs parsing
...
The BHO communicates directly with those scripts for sending and/or
receiving captured information and remote commands respectively.
Watch out for unexpected http traffic containing
commandack.php,mailwab.php..
Cheers,
-Rubén.
Powered by blists - more mailing lists