Jump to content


ISC on the Web - malware observations - 5.30.2007

  • Please log in to reply
No replies to this topic

#1 AplusWebMaster



  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 30 May 2007 - 01:11 PM


BBB goes IRS (IRS malware ? ...)
- http://isc.sans.org/...ml?storyid=2874
Last Updated: 2007-05-30 15:55:28 UTC ~ "Just a quick heads-up - the Better Business Bureau (BBB) malware we've reported on earlier* seems to have mutated into one that claims to come form the Internal Revenue Service (IRS). Still using RTF attachments with embedded malware as vector, though."
* http://isc.sans.org/...ml?storyid=2853


Google Counter ...isn't
- http://isc.sans.org/...ml?storyid=2877
Last Updated: 2007-05-30 17:12:50 UTC ~ "Those of you who have seen the "google-analytics" URL in your logs before might be tempted to assume (as I was) that google-counter[dot]com is just another incarnation of the same. I even at first discounted that my anti-virus complained about "obfuscated javascript", thinking that Google must have cooked up some really complicated Ajax mess again that misled my AV to a false positive. But no. On a second look, the site tries to download an ANI cursor exploit. And wait - there is lots more IFRAMES. Ouch! This definitely ain't Google!

z-014-1.php contains an obfuscated exploit for MS06-014
z-014-3.php contains another exploit for MS06-014
z-create-o.php contains the IE CreateObject exploit (as seen on Metasploit TV)
z-cs-an.php is an obfuscated exploit for MS07-017
z-java1.php is an oldie, Java-ByteVerify exploit

All of these try to download and run a file "down.exe" off the same site, which in turn downloads and runs a Browser Helper Object (BHO) off someplace else. The BHO is a key logger / banking trojan. We have decoded the configuration file that tells the trojan what to do - you can look at the file under http://handlers.sans...-bho-helper.txt . Yes, lots of banks... Caution: The google-counter site is still live at the time of writing. Sink yourself at your own risk."


Edited by apluswebmaster, 30 May 2007 - 01:12 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...

Member of UNITE
Support SpywareInfo Forum - click the button