[LINK] Identity theft virus infects 10,000 computers
Jan Whitaker
jwhit at melbpc.org.au
Sat Aug 5 08:58:43 AEST 2006
Richard, see below from 15 June.
Fwd: [NATIONAL-ALERTS] (AUSCERT AL-2006.0049) [Win] - Malicious "National Bank bankrupt" email links to sites targeting multiple web browsers
>X-Original-To: jwhit at numbat.melbpc.org.au
>Delivered-To: jwhit at numbat.melbpc.org.au
>From: auscert at auscert.org.au
>X-Mailer: IMSML v1.0
>Date: Thu, 15 Jun 2006 01:30:32 UT
>To: national-alerts at auscert.org.au
>Subject: [NATIONAL-ALERTS] (AUSCERT AL-2006.0049) [Win] - Malicious "National Bank bankrupt" email links to sites targeting multiple web browsers
>X-Loop: national-alerts at auscert.org.au
>Reply-To: national-alerts at auscert.org.au
>Sender: auscert at auscert.org.au
>X-Filtered-With: renattach 1.2.2
>X-RenAttach-Info: mode=badlist action=rename count=0
>X-Antivirus: AVG for E-mail 7.1.394 [268.8.4/363]
>
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>===========================================================================
>A U S C E R T A L E R T
>
> AL-2006.0049 -- AUSCERT ALERT
> [Win]
> Malicious "National Bank bankrupt" email links to sites
> targeting multiple web browsers
> 15 June 2006
>
>===========================================================================
>
> AusCERT Alert Summary
> ---------------------
>
>Operating System: Windows
>Impact: Execute Arbitrary Code/Commands
> Access Confidential Data
>Access: Remote/Unauthenticated
>
>OVERVIEW:
>
> A new malicious email with subject line "National Bank goes bankrupt?!"
> is currently in circulation, offering a link to a web page for
> further information. Any users visiting this web page will be targeted
> with exploits for both Internet Explorer and Firefox, in order to
> automatically install trojan software on the user's computer.
>
> As with previous malicious sites, simply visiting the page with a
> vulnerable web browser is sufficient to infect the computer.
>
>
>IMPACT:
>
> The malware installed is a Haxdoor variant that is currently
> not detected by most antivirus products.
>
> This trojan is expected to steal personal data and in particular
> online banking passwords.
>
>
>MITIGATION:
>
> Users should always avoid clicking on any links in emails, unless
> the email was already expected.
>
> Many current email viewers have stricter policies on web access than
> web browsers, and enticing users to follow a link outside an email
> and onto the web through a browser is a common way for attackers to
> install malicious code onto a machine. [2, 3, 4]
>
> System administrators may consider configuring web proxy servers or
> firewalls to block HTTP connections to the sites listed below and to
> files named "ie0606.cgi" or scripts with parameters such as:
>
> exploit=MS03-11
> exploit=MS04-013
> exploit=MS05-002
> exploit=MS05-054
> exploit=MS06-006
> exploit=MSFA2005-50
> exploit=0day
>
> Checking proxy logs for those URLs will also help in revealing which
> client computers may have been affected.
>
> Email that matches the description below can also be blocked at
> the gateway.
>
>
>DETAILS:
>
> The malicious email is plain text with the following content:
>
> Subject: National Bank goes bankrupt?!
>
> with body text:
>
> People starting panic withdrawals, some of the accounts were reported
> closed due to technical reasons, many ATMs are not operating.
> Does it seem that one of the Australia's greatest goes bankrupt?
>
> The full story could be found here: http://[MALICIOUS DOMAIN]/news.php
>
> Well, hope that isn't true... Anyway You'd rather check your
> balance...
>
> The URLs observed so far hosting the malicious page are as follows:
>
> h**p://www,suriko,net/news.php (now down)
> h**p://www,saltnlight-e,com/news.php (active)
> The final trojan is downloaded from domain www,powwowtowel,com.
>
> (Here URLs have been modified such that 'http' becomes 'h**p' and
> all periods within a URL have been replaced with commas.)
>
> On infected computers the following files are created and most of these
> are then hidden by the trojan:
>
> C:\WINDOWS\system32\klo5.sys (visible)
>
> C:\WINDOWS\system32\pptp16.dll
> C:\WINDOWS\system32\qz.dll
> C:\WINDOWS\system32\pptp24.sys
> C:\WINDOWS\system32\qz.sys
> C:\WINDOWS\system32\ms87.dat
> C:\WINDOWS\system32\config\SSL
> C:\WINDOWS\Temp\01083070
> %userprofile%\local settings\Temp\01083070
>
>
>REFERENCES:
>
> [1] Protecting Your Computer from Malicious Code
> http://www.auscert.org.au/3352
>
> [2] AusCERT Alert AL-2006.0040 - Yahoo Greeting Card trojan
> targets multiple web browsers
> http://www.auscert.org.au/6028
>
> [3] AusCERT Alert AL-2006.0013 - Valentine's Day 'eCard' trojan
> http://www.auscert.org.au/6028
>
> [4] AusCERT Alert AL-2006.0022 - 'Online Greeting Card' trojan
> http://www.auscert.org.au/6195
>
>
>AusCERT has made every effort to ensure that the information contained
>in this document is accurate. However, the decision to use the information
>described is the responsibility of each user or organisation. The decision to
>follow or act on information or advice contained in this security bulletin is
>the responsibility of each user or organisation, and should be considered in
>accordance with your organisation's site policies and procedures. AusCERT
>takes no responsibility for consequences which may arise from following or
>acting on information or advice contained in this security bulletin.
>
>If you believe that your computer system has been compromised or attacked in
>any way, we encourage you to let us know by completing the secure National IT
>Incident Reporting Form at:
>
> http://www.auscert.org.au/render.html?it=3192
>
>===========================================================================
>Australian Computer Emergency Response Team
>The University of Queensland
>Brisbane
>Qld 4072
>
>Internet Email: auscert at auscert.org.au
>Facsimile: (07) 3365 7031
>Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
> AusCERT personnel answer during Queensland business hours
> which are GMT+10:00 (AEST).
> On call after hours for member emergencies only.
>===========================================================================
>
>-----BEGIN PGP SIGNATURE-----
>Comment: http://www.auscert.org.au/render.html?it=1967
>
>iQCVAwUBRJC4JCh9+71yA2DNAQIc8AP/ZKNjgB/iR4324A8rKdncBJ3xf8r77wxp
>DLqvUy7x+HhasL3+HNoeds01416tCaw44tH2dybUFTClib7xkVwN+Vb7vlqjls3O
>M9gPQMgd5fc3luxvvBGk2kAUxnVwCtVVVOzib9CHEsWPV6/hoOx5EzwfL7sA/1BF
>2UflyUasA38=
>=urrY
>-----END PGP SIGNATURE-----
>AusCERT is the national computer emergency response team for Australia. We
>monitor various sources around the globe and provide reliable and independent
>information about serious computer network threats and vulnerabilities.
>AusCERT, which is a not-for-profit organisation, operates a cost-recovery
>service for its members and a smaller free security bulletin service to
>subscribers of the National Alerts Service.
>
>In the interests of protecting your information systems and keeping up to date
>with relevant information to protect your information systems, you should be
>aware that not all security bulletins published or distributed by AusCERT are
>included in the National Alert Service. AusCERT may publish and distribute
>bulletins to its members which contain information about serious computer
>network threats and vulnerabilities that could affect your information
>systems. Many of these security bulletins are publicly accessible from our web
>site.
>
>AusCERT maintains the mailing list for access to National Alerts Service
>security bulletins. If you are subscribed to the National Alerts Service and
>wish to cancel your subscription to this service, please follow the
>instructions at:
>
> http://www.auscert.org.au/msubmit.html?it=3058
>
>Previous security bulletins published or distributed as part of the National
>Alerts Service can be retrieved from:
>
> http://national.auscert.org.au/render.html?cid=2998
>
>Previous security bulletins published or distributed by AusCERT can be
>retrieved from:
>
> http://www.auscert.org.au/render.html?cid=1
>
>If you believe that your computer system has been compromised or attacked in
>any way, we encourage you to let us know by completing the secure National IT
>Incident Reporting Form at:
>
> http://national.auscert.org.au/render.html?it=3192
>
>
Jan Whitaker
JLWhitaker Associates, Melbourne Victoria
jwhit at janwhitaker.com
business: http://www.janwhitaker.com
personal: http://www.janwhitaker.com/personal/
commentary: http://janwhitaker.com/jansblog/
'Seed planting is often the most important step. Without the seed, there is
no plant.' - JW, April 2005
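The proxy-log check the alert recommends under MITIGATION (look for requests to the listed domains, to files named "ie0606.cgi", or carrying an exploit= parameter, and note which clients made them) can be scripted. The block below is an added example written for this archive page; it is not part of Jan's post or of AusCERT's own tooling. The indicators are copied from the alert in AusCERT's defanged form and refanged in code; the log layout is assumed to be Squid's native access.log format, and the log lines are constructed, not real traffic.

```python
"""Proxy-log triage for the indicators in AusCERT AL-2006.0049.

Added example, not AusCERT's tooling. Log lines below are constructed in a
Squid-style native access.log layout (assumed); adapt the field indices to
the proxy actually in use.
"""
from urllib.parse import parse_qs, urlsplit

# Indicators copied from the alert, in AusCERT's defanged form
DEFANGED_HOSTS = [
    "www,suriko,net",
    "www,saltnlight-e,com",
    "www,powwowtowel,com",
]
EXPLOIT_PARAMS = {
    "MS03-11", "MS04-013", "MS05-002", "MS05-054",
    "MS06-006", "MSFA2005-50", "0day",
}
SUSPECT_FILENAME = "ie0606.cgi"


def refang(host: str) -> str:
    """Undo the alert's defanging: commas stand in for periods."""
    return host.replace(",", ".").lower()


KNOWN_HOSTS = {refang(h) for h in DEFANGED_HOSTS}


def classify_url(url: str):
    """Return a short indicator label if the URL matches the alert, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in KNOWN_HOSTS:
        return "known-host:" + host
    # Match the file name only, wherever on the site it is served from
    path_name = parts.path.rsplit("/", 1)[-1]
    if path_name.lower() == SUSPECT_FILENAME:
        return "filename:" + SUSPECT_FILENAME
    # Only a real query parameter counts; "exploit=" inside a path does not
    for value in parse_qs(parts.query).get("exploit", []):
        if value in EXPLOIT_PARAMS:
            return "param:exploit=" + value
    return None


def scan_proxy_log(lines):
    """Return (client_ip, url, indicator) for every line that matches.

    Squid native format (assumed):
    time elapsed client code/status bytes method url rfc931 hierarchy type
    """
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed or truncated line; skip it
        client, url = fields[2], fields[6]
        indicator = classify_url(url)
        if indicator:
            hits.append((client, url, indicator))
    return hits


# Constructed sample log lines (not real traffic); 203.0.113.5 is a
# documentation address standing in for an unlisted exploit host
SAMPLE_LOG = """\
1150335632.123   210 10.1.2.3 TCP_MISS/200 1432 GET http://www.example.com/index.html - DIRECT/192.0.2.1 text/html
1150335640.456   310 10.1.2.7 TCP_MISS/200 8812 GET http://www.saltnlight-e.com/news.php - DIRECT/192.0.2.2 text/html
1150335641.789   120 10.1.2.7 TCP_MISS/200 2201 GET http://203.0.113.5/cgi-bin/ie0606.cgi?exploit=MS06-006 - DIRECT/203.0.113.5 text/html
1150335642.012   100 10.1.2.9 TCP_MISS/200 2201 GET http://203.0.113.5/x.php?exploit=0day - DIRECT/203.0.113.5 text/html
1150335650.345    90 10.1.2.3 TCP_HIT/200 560 GET http://www.example.com/exploit=MS05-002 - NONE/- text/html
""".splitlines()

if __name__ == "__main__":
    for client, url, indicator in scan_proxy_log(SAMPLE_LOG):
        print(f"{client}\t{indicator}\t{url}")
```

Run against a real access.log, the client column gives the list of machines to pull for the file-system indicators in DETAILS. The host match is tried first so that a request to a listed domain is reported as such even when it also carries an exploit parameter; the file-name and parameter checks catch the same kit hosted on a domain the alert did not list.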