From: Jeff Jirsa (jeff_at_unixconsults.com)
Date: Sat Sep 28 2002 - 20:10:33 CDT
On Sat, 28 Sep 2002, Jonathan A. Zdziarski wrote:
> This seems an awful lot to me like a Remote Code Execution Scam...
>
> I received an email addressed to "Undisclosed Recipients" notifying me
> that I received an E-Card today, so I went to the site
> http://www.surprisecards.net/viewcard.htm?id_num=[Undisclosed]&card=Pick+up
> to view the card. Oddly, I received a security warning asking me if
> I wanted to allow some code to run on my machine. Noticing the odd
> choice of form variables as opposed to other e-card sites (not to
> mention the fact that I could type in any number and get the same
> screen), and with an eyebrow now raised I went to the main website
> http://www.surprisecards.net to find "Welcome to the future home of
> richardoliver.web.aplus.net". So I figure, if there's no way to send a
> card from this website then chances are nobody sent me a valid card.
>
> I took a look at the Thawte certificate for the card viewer "code" and
> got www.cytron.com, some no-name development website with nothing more
> than a phone number.
>
> At the moment I'm not in front of any sacrificial machine to test the
> card out on, but I suspect this email is being mailed out as a scam in
> an attempt to run arbitrary code on the user's machine using a valid
> Thawte certificate. What the code does when it loads I've no idea as
> I'm not dumb enough to try it on my home machine.
>
>
> Perhaps someone in front of some extra hardware can take this and roll
> with it.
The source of the page contains an object tag:
codebase="e-card_viewer.cab#version=1,0,0,1"
Obtaining that file and running strings reveals the following of interest:
1) There are numerous references to both thawte and verisign certificates
2) There is a reference to potd.dll
3) There are references to "Cytron"
A Google search for "potd.dll" returns the following page:
http://and.doxdesk.com/parasite/Cytron.html
From that page:
Description
Cytron is an Internet Explorer Browser Helper Object. It scans the content
of pages being viewed for keywords and opens pop-up advertising when they
are detected.
Also known as
POTD, after the filename and BHO name; Burnaby, the internal object name;
TargetingSource, the name used to describe the control in Downloaded
Program Files.
Distribution
Installed by ActiveX drive-by download on a page pointed to by mail
claiming you have received an 'e-card'. The ActiveX control purports to be
a viewer for e-cards.
There you have it, adware.
- Jeff
--
Jeff Jirsa
jeff_at_unixconsults.com
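The triage Jeff describes (spot the .cab codebase in the page source, then look for tell-tale strings in the archive) can be scripted. This is an added example, not code from the list or from either poster; the HTML snippet and the .cab bytes below are constructed stand-ins, and the indicator list is taken from the strings and names mentioned in the thread.

```python
import re
from collections import Counter

# Strings Jeff found with strings(1) plus the names the doxdesk page lists
# for the BHO (case-insensitive substring matches).
INDICATORS = ("thawte", "verisign", "potd.dll", "cytron", "burnaby", "targetingsource")

# <object ... codebase="something.cab#version=a,b,c,d">
CODEBASE_RE = re.compile(
    r'<object\b[^>]*?\bcodebase\s*=\s*"([^"#]+\.cab)(?:#version=([\d,]+))?"', re.I)

# Constructed: the shape of the tag quoted in the post, not the real page's full markup.
SAMPLE_HTML = '<object codebase="e-card_viewer.cab#version=1,0,0,1" width="0" height="0"></object>'

# Constructed, not a valid cabinet: just enough bytes to show why strings(1) works
# on a .cab even when the member files are compressed. CFFILE entries store member
# names as plain NUL-terminated text, and an Authenticode signature appended to the
# cabinet carries the issuer/subject names uncompressed.
SAMPLE_CAB = (b"MSCF" + bytes(32)                   # header magic, then padding
              + b"potd.dll\x00"                     # CFFILE member name in the clear
              + b"\x03\x7f\xfa\x02\x00\x01"         # compressed payload noise
              + b"Thawte Code Signing CA\x00"       # issuer name in the signature blob
              + b"Cytron Software\x00")             # publisher name in the signature blob


def find_cab_codebases(html):
    """Return [(cab_path, version)] for every <object> whose codebase is a .cab."""
    return [(m.group(1), m.group(2) or "") for m in CODEBASE_RE.finditer(html)]


def extract_strings(data, min_len=4):
    """Same idea as strings(1): runs of at least min_len printable ASCII bytes."""
    return [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def triage_cab(data):
    """Count which indicator substrings appear in the cabinet's printable strings."""
    hits = Counter()
    for s in extract_strings(data):
        low = s.lower()
        for ind in INDICATORS:
            if ind in low:
                hits[ind] += 1
    return dict(hits)


if __name__ == "__main__":
    for cab, version in find_cab_codebases(SAMPLE_HTML):
        print(f"object codebase -> {cab} (version {version or 'unspecified'})")
    print("indicator hits:", triage_cab(SAMPLE_CAB))
```

On a real download, read the fetched .cab with open(path, "rb").read() and pass it to triage_cab; a hit on potd.dll or Cytron is what the doxdesk page describes as the adware installer.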