[LINK] Identity theft virus infects 10,000 computers
rchirgwin at ozemail.com.au
Sat Aug 5 09:42:44 AEST 2006
Jan - I found the Auscerts. I didn't find the statement which Auscert
says the ATO issued on Wednesday. The ATO alert should be prominent on
its home page - after all, shouldn't taxpayers know that they need to
check their own machines before filling in their e-Tax?
RC
Jan Whitaker wrote:
> Richard, see below from 15 June.
>
> Fwd: [NATIONAL-ALERTS] (AUSCERT AL-2006.0049) [Win] - Malicious "National Bank bankrupt" email links to sites targeting multiple web browsers
>
>> X-Original-To: jwhit at numbat.melbpc.org.au
>> Delivered-To: jwhit at numbat.melbpc.org.au
>> From: auscert at auscert.org.au
>> X-Mailer: IMSML v1.0
>> Date: Thu, 15 Jun 2006 01:30:32 UT
>> To: national-alerts at auscert.org.au
>> Subject: [NATIONAL-ALERTS] (AUSCERT AL-2006.0049) [Win] - Malicious "National Bank bankrupt" email links to sites targeting multiple web browsers
>> X-Loop: national-alerts at auscert.org.au
>> Reply-To: national-alerts at auscert.org.au
>> Sender: auscert at auscert.org.au
>> X-Filtered-With: renattach 1.2.2
>> X-RenAttach-Info: mode=badlist action=rename count=0
>> X-Antivirus: AVG for E-mail 7.1.394 [268.8.4/363]
>>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> ===========================================================================
>>
>>                          A U S C E R T   A L E R T
>>
>>                        AL-2006.0049 -- AUSCERT ALERT
>>                                   [Win]
>>          Malicious "National Bank bankrupt" email links to sites
>>                      targeting multiple web browsers
>>                               15 June 2006
>>
>> ===========================================================================
>>
>>
>> AusCERT Alert Summary
>> ---------------------
>>
>> Operating System:  Windows
>> Impact:            Execute Arbitrary Code/Commands
>>                    Access Confidential Data
>> Access:            Remote/Unauthenticated
>>
>> OVERVIEW:
>>
>> A new malicious email with subject line "National Bank goes bankrupt?!"
>> is currently in circulation, offering a link to a web page for further
>> information. Any users visiting this web page will be targeted with
>> exploits for both Internet Explorer and Firefox, in order to
>> automatically install trojan software on the user's computer.
>>
>> As with previous malicious sites, simply visiting the page with a
>> vulnerable web browser is sufficient to infect the computer.
>>
>>
>> IMPACT:
>>
>> The malware installed is a Haxdoor variant that is currently
>> not detected by most antivirus products.
>>
>> This trojan is expected to steal personal data and in particular
>> online banking passwords.
>>
>>
>> MITIGATION:
>>
>> Users should always avoid clicking on any links in emails, unless
>> the email was already expected.
>>
>> Many current email viewers have stricter policies on web access than
>> web browsers, and enticing users to follow a link outside an email
>> and onto the web through a browser is a common way for attackers to
>> install malicious code onto a machine. [2, 3, 4]
>>
>> System administrators may consider configuring web proxy servers or
>> firewalls to block HTTP connections to the sites listed below and to
>> files named "ie0606.cgi" or scripts with parameters such as:
>>
>> exploit=MS03-11
>> exploit=MS04-013
>> exploit=MS05-002
>> exploit=MS05-054
>> exploit=MS06-006
>> exploit=MSFA2005-50
>> exploit=0day
>>
>> Checking proxy logs for those URLs will also help in revealing which
>> client computers may have been affected.
>>
>> Email that matches the description below can also be blocked at
>> the gateway.
>>
>>
>> DETAILS:
>>
>> The malicious email is plain text with the following content:
>>
>> Subject: National Bank goes bankrupt?!
>>
>> with body text:
>>
>>     People starting panic withdrawals, some of the accounts were reported
>>     closed due to technical reasons, many ATMs are not operating.
>>     Does it seem that one of the Australia's greatest goes bankrupt?
>>
>>     The full story could be found here: http://[MALICIOUS DOMAIN]/news.php
>>
>>     Well, hope that isn't true... Anyway You'd rather check your balance...
>>
>> The URLs observed so far hosting the malicious page are as follows:
>>
>> h**p://www,suriko,net/news.php (now down)
>> h**p://www,saltnlight-e,com/news.php (active)
>>
>> The final trojan is downloaded from domain www,powwowtowel,com.
>>
>> (Here URLs have been modified such that 'http' becomes 'h**p' and
>> all periods within a URL have been replaced with commas.)
>>
>> On infected computers the following files are created and most of these
>> are then hidden by the trojan:
>>
>> C:\WINDOWS\system32\klo5.sys (visible)
>>
>> C:\WINDOWS\system32\pptp16.dll
>> C:\WINDOWS\system32\qz.dll
>> C:\WINDOWS\system32\pptp24.sys
>> C:\WINDOWS\system32\qz.sys
>> C:\WINDOWS\system32\ms87.dat
>> C:\WINDOWS\system32\config\SSL
>> C:\WINDOWS\Temp\01083070
>> %userprofile%\local settings\Temp\01083070
>>
>>
>> REFERENCES:
>>
>> [1] Protecting Your Computer from Malicious Code
>> http://www.auscert.org.au/3352
>>
>> [2] AusCERT Alert AL-2006.0040 - Yahoo Greeting Card trojan
>> targets multiple web browsers
>> http://www.auscert.org.au/6028
>>
>> [3] AusCERT Alert AL-2006.0013 - Valentine's Day 'eCard' trojan
>> http://www.auscert.org.au/6028
>>
>> [4] AusCERT Alert AL-2006.0022 - 'Online Greeting Card' trojan
>> http://www.auscert.org.au/6195
>>
>>
>> AusCERT has made every effort to ensure that the information contained
>> in this document is accurate. However, the decision to use the information
>> described is the responsibility of each user or organisation. The decision to
>> follow or act on information or advice contained in this security bulletin is
>> the responsibility of each user or organisation, and should be considered in
>> accordance with your organisation's site policies and procedures. AusCERT
>> takes no responsibility for consequences which may arise from following or
>> acting on information or advice contained in this security bulletin.
>>
>> If you believe that your computer system has been compromised or attacked in
>> any way, we encourage you to let us know by completing the secure National IT
>> Incident Reporting Form at:
>>
>> http://www.auscert.org.au/render.html?it=3192
>>
>> ===========================================================================
>>
>> Australian Computer Emergency Response Team
>> The University of Queensland
>> Brisbane
>> Qld 4072
>>
>> Internet Email: auscert at auscert.org.au
>> Facsimile: (07) 3365 7031
>> Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
>> AusCERT personnel answer during Queensland business hours
>> which are GMT+10:00 (AEST).
>> On call after hours for member emergencies only.
>> ===========================================================================
>>
>>
>> -----BEGIN PGP SIGNATURE-----
>> Comment: http://www.auscert.org.au/render.html?it=1967
>>
>> iQCVAwUBRJC4JCh9+71yA2DNAQIc8AP/ZKNjgB/iR4324A8rKdncBJ3xf8r77wxp
>> DLqvUy7x+HhasL3+HNoeds01416tCaw44tH2dybUFTClib7xkVwN+Vb7vlqjls3O
>> M9gPQMgd5fc3luxvvBGk2kAUxnVwCtVVVOzib9CHEsWPV6/hoOx5EzwfL7sA/1BF
>> 2UflyUasA38=
>> =urrY
>> -----END PGP SIGNATURE-----
>> AusCERT is the national computer emergency response team for Australia. We
>> monitor various sources around the globe and provide reliable and independent
>> information about serious computer network threats and vulnerabilities.
>> AusCERT, which is a not-for-profit organisation, operates a cost-recovery
>> service for its members and a smaller free security bulletin service to
>> subscribers of the National Alerts Service.
>>
>> In the interests of protecting your information systems and keeping up to date
>> with relevant information to protect your information systems, you should be
>> aware that not all security bulletins published or distributed by AusCERT are
>> included in the National Alert Service. AusCERT may publish and distribute
>> bulletins to its members which contain information about serious computer
>> network threats and vulnerabilities that could affect your information
>> systems. Many of these security bulletins are publicly accessible from our web
>> site.
>>
>> AusCERT maintains the mailing list for access to National Alerts Service
>> security bulletins. If you are subscribed to the National Alerts Service and
>> wish to cancel your subscription to this service, please follow the
>> instructions at:
>>
>> http://www.auscert.org.au/msubmit.html?it=3058
>>
>> Previous security bulletins published or distributed as part of the National
>> Alerts Service can be retrieved from:
>>
>> http://national.auscert.org.au/render.html?cid=2998
>>
>> Previous security bulletins published or distributed by AusCERT can be
>> retrieved from:
>>
>> http://www.auscert.org.au/render.html?cid=1
>>
>> If you believe that your computer system has been compromised or attacked in
>> any way, we encourage you to let us know by completing the secure National IT
>> Incident Reporting Form at:
>>
>> http://national.auscert.org.au/render.html?it=3192
>>
>>
>
>
> Jan Whitaker
> JLWhitaker Associates, Melbourne Victoria
> jwhit at janwhitaker.com
> business: http://www.janwhitaker.com
> personal: http://www.janwhitaker.com/personal/
> commentary: http://janwhitaker.com/jansblog/
>
> 'Seed planting is often the most important step. Without the seed,
> there is no plant.' - JW, April 2005
> _ __________________ _
>
> _______________________________________________
> Link mailing list
> Link at mailman.anu.edu.au
> http://mailman.anu.edu.au/mailman/listinfo/link
>
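The MITIGATION section of the forwarded alert suggests checking proxy logs for the listed sites, for requests for "ie0606.cgi" and for the exploit= parameters, to find which client computers may have been exposed. The script below is an added example of that check written for this page; it is not AusCERT's code and was not part of the original thread. It assumes Squid-style native access.log records (timestamp, elapsed, client, status, bytes, method, URL, ...); the sample log lines are constructed for the example, and the "/" path and "file.exe" name on www,powwowtowel,com are assumed, since the alert gives only the domain. The indicators are copied from the alert exactly as printed (still defanged), and the script undoes the defanging itself.

```python
"""Triage web-proxy logs for the indicators in AusCERT AL-2006.0049.

Added example (not AusCERT's code).  Assumes Squid "native" access.log
records:  timestamp elapsed client status bytes method URL user hierarchy type
The SAMPLE_LOG lines are constructed for this example.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Indicators as the alert prints them: 'h**p' for 'http', commas for dots.
DEFANGED_URLS = [
    "h**p://www,suriko,net/news.php",
    "h**p://www,saltnlight-e,com/news.php",
    "h**p://www,powwowtowel,com/",  # alert gives only the domain; "/" assumed
]
MALICIOUS_FILENAME = "ie0606.cgi"
EXPLOIT_VALUES = {"MS03-11", "MS04-013", "MS05-002", "MS05-054",
                  "MS06-006", "MSFA2005-50", "0day"}


def refang(url):
    """Undo the alert's defanging so the indicator can be parsed as a URL."""
    scheme, _, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    return scheme.replace("*", "t") + "://" + host.replace(",", ".") + slash + path


MALICIOUS_HOSTS = {urlsplit(refang(u)).hostname for u in DEFANGED_URLS}


def classify_url(url):
    """Return the indicators a requested URL matches (empty list if none)."""
    hits = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    for bad in sorted(MALICIOUS_HOSTS):
        bare = bad[4:] if bad.startswith("www.") else bad
        # the listed host, its bare domain, or any other subdomain of it
        if host in (bad, bare) or host.endswith("." + bare):
            hits.append("host:" + bad)
            break
    # the alert says to block the file name wherever it is hosted
    if parts.path.rsplit("/", 1)[-1].lower() == MALICIOUS_FILENAME:
        hits.append("file:" + MALICIOUS_FILENAME)
    for value in parse_qs(parts.query).get("exploit", []):
        if value in EXPLOIT_VALUES:
            hits.append("exploit=" + value)
    return hits


# Squid native format: the first seven fields are enough for triage.
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<status>\S+)"
    r"\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def triage(log_lines):
    """Map client address -> [(timestamp, url, hits)] for matching requests."""
    findings = defaultdict(list)
    for line in log_lines:
        m = SQUID_RE.match(line)
        if not m:
            continue  # malformed record: skip it rather than abort the scan
        hits = classify_url(m["url"])
        if hits:
            findings[m["client"]].append((m["ts"], m["url"], hits))
    return dict(findings)


# Constructed sample: one client that followed the lure end to end, one clean
# client that merely fetched a news.php elsewhere, and one that pulled
# ie0606.cgi from an unlisted host.  Addresses and the file.exe name are made up.
SAMPLE_LOG = """\
1150336812.123    245 10.1.2.15 TCP_MISS/200 14123 GET http://www.saltnlight-e.com/news.php - DIRECT/203.0.113.9 text/html
1150336813.401     88 10.1.2.15 TCP_MISS/200 2611 GET http://www.saltnlight-e.com/ie0606.cgi?exploit=MS06-006 - DIRECT/203.0.113.9 text/html
1150336815.002    190 10.1.2.15 TCP_MISS/200 81920 GET http://www.powwowtowel.com/file.exe - DIRECT/203.0.113.10 application/octet-stream
1150336900.550     31 10.1.2.77 TCP_HIT/200 5120 GET http://www.example.com/news.php - NONE/- text/html
1150336901.120     42 10.1.2.90 TCP_MISS/404 400 GET http://cdn.example.net/ie0606.cgi - DIRECT/198.51.100.4 text/html
not a squid record at all
"""

if __name__ == "__main__":
    for client, events in sorted(triage(SAMPLE_LOG.splitlines()).items()):
        print(client)
        for ts, url, hits in events:
            print("  ", ts, url, ", ".join(hits))
```

Against a real log, pass the file's lines to triage() and treat every client that appears as a candidate for the host checks in the alert's DETAILS section (klo5.sys, pptp16.dll and the rest). Keep in mind the alert's own caveat that the trojan hides most of those files once installed, so the proxy-side record is the more dependable evidence of exposure; a request that reached news.php but never fetched ie0606.cgi or the powwowtowel download still counts as a visit to the exploit page and warrants a look at the browser version on that machine.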