[LINK] www.ipv6.org.au/summit

Stilgherrian stil at stilgherrian.com
Sun Aug 31 19:31:55 AEST 2008


On 31/08/2008, at 7:09 PM, Rick Welykochy wrote:
> Stilgherrian wrote:
>> Having spent a day last week, and another day tomorrow, dealing
>> with the fallout from two users who opened the anonymous email
>> with subject "You've received a greeting ecard", clicked on the
>> unmasked link to an .exe file in a random domain and then, when
>> asked what to do with the file, clicked on "Run"... having
>> considered this, I believe the discussion of whether NAT does or
>> does not improve security to be completely irrelevant kthxbai.
>
> I have received many of these emails. I downloaded the .exe out of
> curiosity to see what kind of file it was. Couldn't get any further on
> the Mac (of course).
>
> What damage does this one do, Stil?

Oh, this one is sweet... though I suspect what I'm about to describe
is "typical" rather than the same each time. The .exe is Trojan.Srizbi
which in this case installed three components.

One is the screensaver Joke.Blusod, which throws up a fake Blue Screen
of Death and, when you escape out of it, plays an animation of a
Windows restart and then, once back at the desktop, pops up a
convincing "Windows has encountered a serious error" dialog. After a
couple of these, the user is suitably paranoid.

The second piece is an application "Antivirus XP 2008" which is set to  
auto-run on Windows start. After a delay, it pops up a window with a  
convincing-looking anti-virus scan and then a message that your  
computer is infected. If you click on the button to disinfect, it says  
your copy is not registered, and the register button takes you to a  
website where you can conveniently enter your credit card details.  
Identity Theft R Us.

One user got as far as *almost* doing this before she thought that  
their anti-virus software would have been registered already, and she  
finally became suspicious.

All in all, though, a nice bit of social engineering once installed.

Meanwhile, the third component is a rootkit to totally own the  
machine. Only one of the two machines had this, so I suspect this is  
only loaded once the hijacked computer reports back to its mothership.  
Or maybe the rootkit didn't work on the other because the two machines  
are configured differently. Either way, the machine which did get  
rooted soon started sending spam.


> I really hear you regarding the above sequence of events with naive  
> users.
> With behaviour like that, all bets are off. Did you recommend these  
> two
> users find the box the machine came in and return it pronto?

Sadly that's outside my brief. ;)

However, in the users' defence, they did say that "It wasn't  
spam" (i.e. the ISP spam filter hadn't tagged it), and they DO have  
other people sending them ecards occasionally. [shrugs]

Stil


-- 
Stilgherrian http://stilgherrian.com/
Internet, IT and Media Consulting, Sydney, Australia
mobile +61 407 623 600
fax +61 2 9516 5630
Twitter: stilgherrian
Skype: stilgherrian
ABN 25 231 641 421




More information about the Link mailing list