
ISC on the Web - malware observations - 5.30.2007




BBB goes IRS (IRS malware ? ...)

- http://isc.sans.org/diary.html?storyid=2874

Last Updated: 2007-05-30 15:55:28 UTC ~ "Just a quick heads-up - the Better Business Bureau (BBB) malware we've reported on earlier* seems to have mutated into one that claims to come from the Internal Revenue Service (IRS). Still using RTF attachments with embedded malware as vector, though."

* http://isc.sans.org/diary.html?storyid=2853




Google Counter ...isn't

- http://isc.sans.org/diary.html?storyid=2877

Last Updated: 2007-05-30 17:12:50 UTC ~ "Those of you who have seen the "google-analytics" URL in your logs before might be tempted to assume (as I was) that google-counter[dot]com is just another incarnation of the same. I even at first discounted that my anti-virus complained about "obfuscated javascript", thinking that Google must have cooked up some really complicated Ajax mess again that misled my AV to a false positive. But no. On a second look, the site tries to download an ANI cursor exploit. And wait - there is lots more IFRAMES. Ouch! This definitely ain't Google!


z-014-1.php contains an obfuscated exploit for MS06-014

z-014-3.php contains another exploit for MS06-014

z-create-o.php contains the IE CreateObject exploit (as seen on Metasploit TV)

z-cs-an.php is an obfuscated exploit for MS07-017

z-java1.php is an oldie, Java-ByteVerify exploit


All of these try to download and run a file "down.exe" off the same site, which in turn downloads and runs a Browser Helper Object (BHO) off someplace else. The BHO is a key logger / banking trojan. We have decoded the configuration file that tells the trojan what to do - you can look at the file under http://handlers.sans.org/dwesemann/decoded-bho-helper.txt . Yes, lots of banks... Caution: The google-counter site is still live at the time of writing. Sink yourself at your own risk."



Edited by apluswebmaster
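The google-counter diary above describes the usual shape of a drive-by page of that era: a script source on a host that merely resembles a trusted brand, a set of hidden IFRAMEs pulling exploit pages, and inline JavaScript that is obfuscated with escaped strings fed to eval/unescape. The following triage script is an added example written for this post; it is not code from ISC, the diary's handler, or the forum poster. It parses a captured HTML page offline and reports those three indicators. The sample page, the `.invalid` hostnames, the brand allow-list and the obfuscation heuristics are all constructed assumptions for illustration; the exploit file names it reuses are the ones listed in the diary.

```python
"""Triage a captured HTML page for drive-by indicators described in the ISC diary:
hidden IFRAMEs, brand-lookalike hosts, and eval/unescape-style obfuscated inline script.
Added example; hostnames, allow-list and heuristics are assumptions, not ISC data."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts a site legitimately embeds; anything else carrying the brand token is suspect.
TRUSTED_BRAND_HOSTS = {"google-analytics.com", "www.google-analytics.com"}
BRAND_TOKENS = ("google",)

# Constructed sample page; ".invalid" is a reserved TLD, so nothing here resolves.
SAMPLE_PAGE = """<html><body>
<script src="http://www.google-analytics.com/urchin.js"></script>
<script src="http://google-counter.invalid/count.js"></script>
<iframe src="http://google-counter.invalid/z-014-1.php" width="0" height="0"></iframe>
<iframe src="http://partner.example/ad.html" width="300" height="250"></iframe>
<script>eval(unescape('%75%6e%65%73%63%61%70%65%28%27%25%36%31%27%29'));</script>
</body></html>"""


class _Collector(HTMLParser):
    """Collects iframe attributes, external script sources and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.iframes, self.script_srcs, self.inline_scripts = [], [], []
        self._buf = None  # accumulates the body of the current inline <script>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            self.iframes.append(a)
        elif tag == "script":
            if a.get("src"):
                self.script_srcs.append(a["src"])
            else:
                self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            body = "".join(self._buf).strip()
            if body:
                self.inline_scripts.append(body)
            self._buf = None


def _host(url):
    return (urlparse(url).hostname or "").lower()


def is_hidden_iframe(attrs):
    """Zero/one-pixel frames or CSS-hidden frames are the classic exploit-loader pattern."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    w, h = attrs.get("width", "").strip(), attrs.get("height", "").strip()
    return ("display:none" in style or "visibility:hidden" in style
            or w in {"0", "1"} or h in {"0", "1"})


def is_brand_lookalike(host):
    """A host that carries a brand token but is not on the allow-list (google-counter vs google-analytics)."""
    if not host or host in TRUSTED_BRAND_HOSTS:
        return False
    return any(tok in host for tok in BRAND_TOKENS)


def looks_obfuscated(js):
    """Heuristic: eval/unescape/document.write applied to a long run of %XX or \\xXX escapes."""
    has_sink = re.search(r"\b(eval|unescape|document\.write)\s*\(", js) is not None
    has_escapes = re.search(r"(%[0-9a-fA-F]{2}){8,}|(\\x[0-9a-fA-F]{2}){8,}", js) is not None
    return has_sink and has_escapes


def analyze(html):
    """Return a list of (indicator, detail) tuples for the page."""
    p = _Collector()
    p.feed(html)
    p.close()
    findings = []
    for a in p.iframes:
        src = a.get("src", "")
        if is_hidden_iframe(a):
            findings.append(("hidden_iframe", src))
        if is_brand_lookalike(_host(src)):
            findings.append(("lookalike_host", _host(src)))
    for src in p.script_srcs:
        if is_brand_lookalike(_host(src)):
            findings.append(("lookalike_host", _host(src)))
    for js in p.inline_scripts:
        if looks_obfuscated(js):
            findings.append(("obfuscated_script", js[:40]))
    return findings


if __name__ == "__main__":
    for kind, detail in analyze(SAMPLE_PAGE):
        print(f"{kind:18} {detail}")
```

Run against the constructed sample, the script reports the zero-size frame loading z-014-1.php, the google-counter host twice (once from the frame, once from the script tag), and the escaped eval payload, while the ordinary 300x250 partner frame and the real google-analytics script pass clean. The heuristics are deliberately simple; in practice they belong in a proxy-log or web-content pipeline alongside a reputation feed, and the allow-list is the piece that needs to be maintained per site.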
