Message-ID: <200501292222.j0TMMkrs019043@lists.netsys.com>
From: seclists at securinews.com (Paul Kurczaba)
Subject: Is there a 0day vuln in this phisher's site?

Interesting site. When I went to the page, McAfee VirusScan notified me of
a script it blocked on the page. The blocked script, a virus, was called
"JS/Stealus.gen". After some research, I found the script "exploit(s) an
Internet Explorer vulnerability resulting in Internet Explorer displaying
one location in the Address bar, but actually loading the content from a
different site." -http://vil.nai.com/vil/content/v_126246.htm

-----Original Message-----
From: full-disclosure-bounces@...ts.netsys.com
[mailto:full-disclosure-bounces@...ts.netsys.com] On Behalf Of
lists-security@...tracers.com
Sent: Saturday, January 29, 2005 3:15 AM
To: full-disclosure@...ts.netsys.com
Subject: [Full-Disclosure] Is there a 0day vuln in this phisher's site?

I was annoyed today by a phisher impersonating my favorite bank Washington
Mutual http://www.Wamu.com


The phisher's site: http://220.194.228.91:87/wa/

Obviously any data collected there will be abused by the phishers...but does
it pose a greater risk of being exposed to a much wider audience of
crackers?  Have these phishers hardened their system enough to prevent
attack and maybe even the discovery of their identity?

So I did a quick scan of the "collector" system 220.194.228.91 set up by the
phishers and found the Asia-Pacific based system to have TCP port 87 open
for web, and UDP 7 (Echo) and UDP 161 (SNMP) open.

Browsing the SNMP MIBS showed me a Win2K system with a private address
192.168.0.1 sitting in WORKGROUP with a LANMAN Name ZFZ.  

Network card MAC addresses (VITALCOM) 00e0433a4bbd and 00e0433a4957 and
MTUs of 1500.

sysUpTime TimeTicks 11 hours, 3 minutes, 22 seconds.

Usernames Guest and cclogin 

MIB OID; Type; Value; Type #;
.iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.5.71.117.101.115.116; String; Guest; 4;
.iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.7.99.99.108.111.103.105.110; String; cclogin; 4;


Also, looking at the source on the /wa/index.htm and /wa/thank.htm pages
shows that they were grabbed for malicious editing on 10/4/2004.

...that is as far as I could take it tonight. Regarding the open SNMP, I
have seen "a buffer overrun is present in all implementations", but do not
know if the phisher's system is exploitable and have not tried any code to
actually do this.

Once cracked, getting information regarding all connections could lead
closer to the real identity of the phishers, especially if some trojan code
can be placed using an SNMP exploit.  If those phishers are getting wealthy
by stealing identities, it would be possible for them to be trumped by yet
another crook stealing their identity/bank accounts, etc.  

Some questions for the inclined:

 1) What information can still be gathered regarding this fake banking site
using both passive probes and active exploits?

 2) How long has this particular site been active?  

 3) Is the network range repeatedly used for malicious activity, or is this
unusual activity in that network?

 4) While the proliferation of these sites has caused a tremendous amount of
security awareness in businesses and the public, these scams continue to
trick people.  How can phishers be virtually neutered? 

 5) When secure transactions must be done via the web, users must be
verified to the secure site, but web sites are not easily verified by the
average user.  What foolproof device, dongle, etc. could a clueless user
employ to verify a secure site?

 6) Should secure sites employ steganographic watermarking to allow for
forensic tracking of images served by secure sites?  (do they do this
already like my Minolta QMS2300DL does with those little yellow dots?)


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
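The svUserTable rows quoted in the forwarded message carry the user name twice: once as the reported value and once encoded in the OID index (a length followed by one sub-identifier per ASCII byte, so 5.71.117.101.115.116 is "Guest"). The following is an added example, not code from the original post, that decodes that index and cross-checks it against the value column; it shows how much a readable LANMAN MIB exposes over SNMP, which is the reason to keep UDP 161 closed or restricted on such hosts. The OID prefix is taken from the post; the sample rows are constructed from the two lines it quotes.

```python
# Added example (not from the original post): decode the LANMAN-MIB
# svUserName OID index quoted in the message into the user name it encodes.
# The svUserTable row index is the user name as an OCTET STRING, encoded in
# the OID as a length sub-identifier followed by one sub-identifier per byte.

SV_USER_NAME_PREFIX = (
    ".iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2"
    ".server.svUserTable.svUserEntry.svUserName"
)

def decode_octet_string_index(index: str) -> str:
    """Decode a length-prefixed OCTET STRING index such as
    '5.71.117.101.115.116' into the string it encodes."""
    parts = [int(p) for p in index.split(".") if p != ""]
    if not parts:
        raise ValueError("empty index")
    length, octets = parts[0], parts[1:]
    if length != len(octets):
        raise ValueError(f"index length {length} != {len(octets)} octets")
    if any(not 0 <= o <= 255 for o in octets):
        raise ValueError("sub-identifier outside octet range")
    return bytes(octets).decode("latin-1")

def parse_svuser_row(row: str) -> dict:
    """Parse one 'OID; Type; Value; Type #;' row in the post's table format
    and cross-check the decoded index against the reported value."""
    fields = [f.strip() for f in row.strip().rstrip(";").split(";")]
    oid, typ, value, type_num = fields  # exactly four fields expected
    if not oid.startswith(SV_USER_NAME_PREFIX + "."):
        raise ValueError("not an svUserName OID")
    index = oid[len(SV_USER_NAME_PREFIX) + 1:]
    decoded = decode_octet_string_index(index)
    return {"user": decoded, "type": typ, "type_num": int(type_num),
            "consistent": decoded == value}

# Constructed sample rows, re-joined from the wrapped lines in the post.
SAMPLE_ROWS = [
    SV_USER_NAME_PREFIX + ".5.71.117.101.115.116; String; Guest; 4;",
    SV_USER_NAME_PREFIX + ".7.99.99.108.111.103.105.110; String; cclogin; 4;",
]

def exposed_accounts(rows=SAMPLE_ROWS) -> list:
    """Account names a readable SNMP community exposes via svUserTable."""
    return [parse_svuser_row(r)["user"] for r in rows]

if __name__ == "__main__":
    for r in SAMPLE_ROWS:
        print(parse_svuser_row(r))
```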
