KRL

On June 24th, a visitor to the SANS Internet Storm Center reported that his company was "...in the middle of a very disturbing ... issue regarding the adware/spyware/IE exploit genre..." He requested help analyzing an "encrypted or compressed" file that had been downloaded to a machine at their site. Tom Liston, one of our volunteer handlers, spent the weekend analyzing this issue. His findings are summarized here.

The victim of the attack found that a file called "img1big.gif" had been loaded onto their machine. Because of the account restrictions on the person running the machine, it had failed to install properly, which was why it had come to their attention. It is this file that they forwarded to the SANS Internet Storm Center for analysis.

The file is not a graphic file at all. It is actually a 27648 byte Win32 executable that has been compressed using the Open Source executable compressor UPX. This file decompresses to an 81920 byte file which contains two Win32 executables bound together. The first portion of the file (and what actually runs if the file extension is changed and the program is launched) is a "file dropper" Trojan, designed to install any executable concatenated to its body. The second half of the file consists of a Win32 DLL that is installed by the file dropper under WindowsXP as a randomly named .dll file under C:\WINDOWS\System32\. This DLL is installed as a "Browser Helper Object" (BHO) under Internet Explorer.

A "Browser Helper Object" is a DLL that allows developers to customize and control Internet Explorer. When IE 4.x and higher starts, it reads the registry to locate installed BHO's and then loads them into the memory space for IE. Created BHO's then have access to all the events and properties of that browsing session. This particular BHO watches for HTTPS (secure) access to URLs of several dozen banking and financial sites in multiple countries.

When an outbound HTTPS connection is made to such a URL, the BHO then grabs any outbound POST/GET data from within IE before it is encrypted by SSL. When it captures data, it creates an outbound HTTP connection to http://www.refestltd.com/cgi-bin/yes.pl and feeds the captured data to the script found at that location.

__________________
If you would like to develop your domains, you can lease inexpensive foreign labor
from the leaders in the field at iWebmasters.com TO LOWER YOUR COSTS AND INCREASE YOUR PRODUCTION!
*** *** *** *** *** *** *** *** *** *** *** ***
Domains Adult News KRL's Newsletter Biz Tips Just Listed Domains

Spunky

Actually that has been happening for awhile...fucking weasels are really up on this...hope they all rot in hell

__________________

Fletch XXX

"You can point your gun at me
And hope it will go away
But if God was alive,
He would hate you anyway."

Cheers!

just checking in on vacation

__________________

Want an Android App for your tube, membership, or free site?

Need banners or promo material? Hit us up (ICQ Fletch: 148841377) or email me fletchxxx at gmail.com - recent work - About me

StuartD

I love using Mozilla

__________________
This is me on facebook
This is me on twitter

evildick

Great, how long before we will have to make our sigs static jpegs on gfy?

iwantchixx

man this shit is getting more and more sinister with each exploit/hack/trojan that comes to light,

gornyhuy

Anybody want me to write them a BHO?
Its gonna cost ya.

__________________

icq:159548293

webair

any protection out on this one yet?

__________________


~ Webair Dedicated Cloud Servers™ ~ WEBAIR VSYS™ Virtual Hosting Platform ~ Superior CDN Network ~
~ Managed Dedicated hosting Specialists ~ DISCOUNT DOMAIN NAMES! ~ WEBAIR FUSION IO MANAGED CLOUD SERVERS! ~

ICQ: 243116321 - TWITTER - @WEBAIRINC - E-Mail: [email protected]

brizzad

if any coders want to hook me up on how to execute spyware using GIFs, contact me, my aim info is in my profile

pimplink

Thanks for the info.

__________________

Groove

brizzad

get over it

money is money

people can download ad-aware if it bothers them

kenny

The surpreme court needs to stop wasting time with the porn sites and focus on shit like this

KRL

I don't even believe I'm seeing this.

__________________
If you would like to develop your domains, you can lease inexpensive foreign labor
from the leaders in the field at iWebmasters.com TO LOWER YOUR COSTS AND INCREASE YOUR PRODUCTION!
*** *** *** *** *** *** *** *** *** *** *** ***
Domains Adult News KRL's Newsletter Biz Tips Just Listed Domains

pxxx

Must be a dream

KRL

Yeh, one hot gallery on The Hun and you'd be a millionaire in a week.

__________________
If you would like to develop your domains, you can lease inexpensive foreign labor
from the leaders in the field at iWebmasters.com TO LOWER YOUR COSTS AND INCREASE YOUR PRODUCTION!
*** *** *** *** *** *** *** *** *** *** *** ***
Domains Adult News KRL's Newsletter Biz Tips Just Listed Domains

V_RocKs

Back in my trojanning days I met a chick who did a similar job in GIF's and when I tried to discuss it with a professor or two they'd always laugh me out of the room. You can't execute code from inside of a gif, there is no compiler (blah blah blah) and yada yada... So finally someone has probably paired it with IRC bots to infect hundreds a day and now all of a sudden it IS possible... funny how shit turns out.

Snake Doctor

Any coders want to hook me up on how to send this fucker a virus through his AIM?

__________________
sig too big

Tuna

you must be kidding

__________________


$30 PER SIGNUP PLUS 25% RECURRING
FREE HOSTED PIC AND MOVIE GALLERIES
Submit Your Free Sites, Pic and Movie Galleries Here
ICQ : 20034024

StuartD

tough to spend a million from prison, unless it was offered as an alternative to his hairy ass

__________________
This is me on facebook
This is me on twitter

Shoehorn!

Fuck, pretty soon they'll have to just abandon this internet as we know it and start all over again from scratch. Mark my words, it'll happen.

__________________

brizzad

i'd set it up outside the u.s. lol

FilthyRob

I have been battling fucked up spyware all week and I know it came from some TGP sites.

Fucking auto intalling mother fuckers. I can't see how screwing up my machine is making anyone money. I couldn't even buy something from them if I wanted to. It fucks the browser up so bad that even when you click on the search listings from the auto intalled hacked homepage, you just get ads to remove spyware.

The pay per click search engine traffic will become worthless at this rate really.

__________________
AKA - Clubsexy

KRL

Lose IE and use one of the more secure browsers.

__________________
If you would like to develop your domains, you can lease inexpensive foreign labor
from the leaders in the field at iWebmasters.com TO LOWER YOUR COSTS AND INCREASE YOUR PRODUCTION!
*** *** *** *** *** *** *** *** *** *** *** ***
Domains Adult News KRL's Newsletter Biz Tips Just Listed Domains

spywareboard com

This is evil.

__________________
spyware instant help

AMADude

__________________
No sig, just here to fuck around.

baddog

I don't think this is a viable option for someone that reviews sites. . . you have to see what your surfer/member is going to see, and they are using MSIE

Snake Doctor

That doesn't really help us from a business standpoint though.
Most surfers barely know how to open internet explorer, much less install and use opera or mozilla.
If this stuff keeps up surfers will be afraid to go to adult sites period.

__________________
sig too big

gazool

Mozilla Mozilla Mozilla Mozilla Mozilla

__________________
High Converting CCBILL Programs
Amateur/CFNM -> http://www.boozedwomen.com/tour/
Best Selling Granny Site -> http://www.excitedwives.com/tour/


If I had a hammer....

SmokeyTheBear

mozilla stopped using gif's ?? news to me hahah

mozilla has more holes than a golf course

__________________
hatisblack at yahoo.com

EviLGuY

Hey Smokey did you even read the post?

"The file is not a graphic file at all. It is actually a 27648 byte Win32 executable that has been compressed using the Open Source executable compressor UPX. This file decompresses to an 81920 byte file which contains two Win32 executables bound together. The first portion of the file (and what actually runs if the file extension is changed and the program is launched) is a "file dropper" Trojan, designed to install any executable concatenated to its body. The second half of the file consists of a Win32 DLL that is installed by the file dropper under WindowsXP as a randomly named .dll file under C:\WINDOWS\System32\. This DLL is installed as a "Browser Helper Object" (BHO) under Internet Explorer. "

Does nothing at all to people on Mozilla . Mozilla is secure because not many people use it.. so who is going to bother wasting time trying to exploit it? That being said.. I am sure any holes that people do find will be patched with alacrity.

chemicaleyes

__________________
No way as way, No limitation as limitation. AmeriNOC formally PhatServers

AgentCash

Actually if you read the write-up at
http://isc.sans.org/presentations/banking_malware.pdf
you'll find that the image file needs to be renamed to install itself. They theorize that a .chm exploit is used to rename the GIF and run it. So the fact that it's a GIF file isn't really important, it could have any file extension the attacker would like. JPG would work just as well.

strobi

woa! Imagine the data that "listener" server gets! Thousands and thousands of CC numbers/passwords...

Mr. Marks

Thanks for the information!

grumpy

Show you how elite that 420-4-L thing is. Now you know. Stay away.

__________________
Don't let greediness blur your vision | You gotta let some shit slide
icq - 441-456-888

chemicaleyes

1. It's not about being elite.
2. Don't be so quick to open your mouth.

__________________
No way as way, No limitation as limitation. AmeriNOC formally PhatServers

pudcat

GFY getting thicker and thicker by the day.

If you actually read the post you'd see that it uses the BHO... now my guess is telling me that Mozilla doesn't have this BHO.

I'm glad I use Linux and Mozilla

__________________
SUBMIT YOUR BABE GALLERIES

PROMOTE YOUR BLOG HERE

always looking for hardlinks icq #207011694

Thunder-Ball.net, good for hardlink exchanges

SmokeyTheBear

slip of the tongue , the argument is moot , the statement stands.

__________________
hatisblack at yahoo.com