NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Full-Disclosure> 2005-08

Re: [Full-Disclosure] Virus on web site

From: Nick FitzGerald (nickvirus-l.demon.co.uk)
Date: Tue Aug 02 2005 - 22:07:53 CDT

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Peter B. Harvey wrote:

> An update the Virus is a HAXDOOR variant which is a backdoor.
> Symantec and Trend also now detect it.

And most other "major" AV engines -- about an hour before you posted, I
got this result from 22 virus scanners with different engines:

   Win32:Haxdoor-AE [Trj]
   BDS/Haxdoor.DW.1
   BackDoor.Generic.HKX
   Backdoor.Win32.Haxdoor.dw
   BackDoor.Haxdoor
   BackDoor-BAC.gen.b
   Backdoor.Win32.Haxdoor.DW
   Trojan Horse
   Win32/Haxdoor
   Bck/Haxdoor.DG
   BKDR_HAXDOOR.CI
   Troj/Haxdor-Gen
   Win32.Haxdoor.AF
   Win32/Banker.50353!Trojan
   Backdoor.Haxdoor.DM1

> The virus is spread by an iframe or link in an email asking to go to
> a compromised website. The latest site seen is:
> http://crbmarketing.[...]
>
> This opens up a two frame page with A hotmail look alike login screen
> which appears to be used to steal passport credentials to anyone
> foolish enough to enter them.
>
> The other frame is only a couple of pizels high at the top. This
> opens an IFRAME to
> http://crbmarketing.[...]
>
> This page looks like an advert for a samsung phone but contains two
> objects
> http://crbmarketing.[...]
>
>
> http://crbmarketing.[...]
> JS_PSYME.AT
>
> These emails will get past most content scanners as they are just an
> HTML email. SPAM engines might catch them.
>
> A new variant just came in and it appears to be just using the
> javascript component
> http://mistysunshine.[...]
> IFRAME at the top points to
> http://besttraff.[...]
>
> Again have Javascript turned off before looking at the sites

All those sites are now returning "closed for maintenance" or "closed
for ToS abuse" style pages...

Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]