Full Disclosure mailing list archives

Iframe-Cash/Iframe-Dollars Adware bundle...oooh... my ....god..
From: Thierry Zoller <Thierry () Zoller lu>
Date: Mon, 12 Mar 2007 13:52:48 +0100

Dear list,

Whoever deals with these people and thinks they are a benign Adware
company (and thus spreads their bundles).

Check this :
Ignoring the fact that they basically install a Rootkit, I attached a
few files I reversed, they install a DLL that does not directly KEYLOG your
banking data, but INJECTS HTML CODE into the _genuine_ (SSLed) Banking page
asking you to enter more details (like PIN, Magic Password etc), then
capture that data and transmit it (I did no further investigation)

Pass: 123

I am disgusted. They even created their own XML parser for this ...

An extract of HTML code they inject :
before="name=userid autocomplete='off'></DIV>" 
<DIV><LABEL for=userid>ATM PIN</LABEL>:<BR><SPAN class='mozcloak'><INPUT id=pin  tabIndex=2 maxLength=4 type=password 
size=4 name=pin autocomplete='off'></SPAN></DIV>


Attached the main files (pass 123), feel free to add this as HIPS or whatever
signatures, those interested in a complete reversal can contact me
to receive the EXE in question.

I have no more time feel free to dig deeper.

I especially liked this :
<TR><TD colspan=3 class=smallArial noWrap><SPAN STYLE='color:red'>To prevent fraud enter your credit card information 


Thierry Zoller

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
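
Added example, not part of the original post and not the poster's code: one way to turn the injected markup quoted above into a detection check is to compare the form fields present in a page as rendered in the browser against the fields the genuine form is known to contain. The allowlist, the genuine form markup and the function names are assumptions made for illustration; only the injected fragment is taken from the post.

```python
from html.parser import HTMLParser

# Assumption: field names of the genuine login form (hypothetical allowlist).
EXPECTED_FIELDS = {"userid", "password"}


class InputCollector(HTMLParser):
    """Collect (name, type) for every form control found in a page."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.fields = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names and accepts
        # unquoted attribute values such as type=password.
        if tag in ("input", "select", "textarea"):
            a = dict(attrs)
            name = (a.get("name") or a.get("id") or "").lower()
            kind = (a.get("type") or "text").lower()
            self.fields.append((name, kind))


def unexpected_fields(html, expected=EXPECTED_FIELDS):
    """Return the form controls in html that are not on the allowlist."""
    parser = InputCollector()
    parser.feed(html)
    parser.close()
    return [(n, t) for n, t in parser.fields if n not in expected]


# Constructed sample: the form as the server would send it.
GENUINE = (
    "<FORM><DIV><LABEL for=userid>User ID</LABEL>:<BR>"
    "<INPUT id=userid name=userid autocomplete='off'></DIV>"
    "<DIV><INPUT type=password name=password></DIV></FORM>"
)

# The fragment quoted in the post, placed after the userid field.
INJECTED_FRAGMENT = (
    "<DIV><LABEL for=userid>ATM PIN</LABEL>:<BR><SPAN class='mozcloak'>"
    "<INPUT id=pin  tabIndex=2 maxLength=4 type=password size=4 "
    "name=pin autocomplete='off'></SPAN></DIV>"
)
TAMPERED = GENUINE.replace("'off'></DIV>", "'off'></DIV>" + INJECTED_FRAGMENT, 1)

if __name__ == "__main__":
    print("genuine :", unexpected_fields(GENUINE))
    print("tampered:", unexpected_fields(TAMPERED))
```

A non-empty result on a page whose served template passes cleanly indicates the markup was altered on the client side after TLS termination, which is the behaviour the post describes.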
