AL-2006.0049 -- [Win] -- Malicious "National Bank bankrupt" email links to sites targeting multiple web browsers

Date: 02 August 2006
References: AU-2006.0022  AU-2006.0019  


===========================================================================
A  U  S  C  E  R  T                                           A  L  E  R  T

                       AL-2006.0049 -- AUSCERT ALERT
                                   [Win]
          Malicious "National Bank bankrupt" email links to sites
                      targeting multiple web browsers
                               15 June 2006

===========================================================================

        AusCERT Alert Summary
        ---------------------

Operating System:     Windows
Impact:               Execute Arbitrary Code/Commands
                      Access Confidential Data
Access:               Remote/Unauthenticated

OVERVIEW:

	A new malicious email with subject line "National Bank goes bankrupt?!"
	is currently in circulation, offering a link to a web page for 
	further information. Any users visiting this web page will be targeted
	with exploits for both Internet Explorer and Firefox, in order to 
	automatically install trojan software on the user's computer.
	
	As with previous malicious sites, simply visiting the page with a 
	vulnerable web browser is sufficient to infect the computer.


IMPACT:

	The malware installed is a Haxdoor variant that is currently 
	not detected by most antivirus products.
	
	This trojan is expected to steal personal data and in particular 
	online banking passwords.
	

MITIGATION:

	Users should avoid clicking on links in emails unless the email 
	was expected.

	Many current email viewers have stricter policies on web access than 
	web browsers, and enticing users to follow a link outside an email 
	and onto the web through a browser is a common way for attackers to 
	install malicious code onto a machine. [2, 3, 4]

	System administrators may consider configuring web proxy servers or 
	firewalls to block HTTP connections to the sites listed below and to
	files named "ie0606.cgi" or scripts with parameters such as:

	    exploit=MS03-11
	    exploit=MS04-013
	    exploit=MS05-002
	    exploit=MS05-054
	    exploit=MS06-006
	    exploit=MSFA2005-50
	    exploit=0day

	Checking proxy logs for those URLs will also help in revealing which 
	client computers may have been affected.

	Email that matches the description below can also be blocked at
	the gateway.
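	The proxy-log check suggested above, as an added example that is not part
	of the AusCERT alert: it refangs the alert's comma-obfuscated hostnames,
	matches each requested URL against the listed domains, the "ie0606.cgi"
	script name and the "exploit=" parameter values, and reports which client
	addresses fetched them. The Squid-style log layout and the log lines are
	constructed for illustration.

```python
from urllib.parse import urlparse, parse_qs

# Indicators taken from the alert text. The alert defangs hostnames by
# replacing '.' with ','; they are written in normal form here for matching.
MALICIOUS_HOSTS = {"www.suriko.net", "www.saltnlight-e.com", "www.powwowtowel.com"}
EXPLOIT_PARAMS = {"MS03-11", "MS04-013", "MS05-002", "MS05-054",
                  "MS06-006", "MSFA2005-50", "0day"}
SCRIPT_NAME = "ie0606.cgi"

# Constructed sample lines in Squid native log format (assumed field order:
# timestamp elapsed client status bytes method URL ...). Not real traffic.
SAMPLE_LOG = """\
1150000001.123 120 10.0.0.15 TCP_MISS/200 5120 GET http://www.saltnlight-e.com/news.php - DIRECT/203.0.113.9 text/html
1150000002.456 80 10.0.0.15 TCP_MISS/200 2048 GET http://www.saltnlight-e.com/ie0606.cgi?exploit=MS06-006 - DIRECT/203.0.113.9 text/html
1150000003.789 60 10.0.0.22 TCP_MISS/200 9000 GET http://www.example.com/index.html - DIRECT/198.51.100.2 text/html
1150000004.000 90 10.0.0.31 TCP_MISS/200 70000 GET http://www.powwowtowel.com/x.exe - DIRECT/203.0.113.9 application/octet-stream
"""


def classify_url(url):
    """Return the alert indicators a URL matches (empty list if none)."""
    reasons = []
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    if host in MALICIOUS_HOSTS:
        reasons.append("host:" + host)
    # Match on the last path component so any directory prefix is caught.
    if parts.path.rsplit("/", 1)[-1].lower() == SCRIPT_NAME:
        reasons.append("script:" + SCRIPT_NAME)
    for value in parse_qs(parts.query).get("exploit", []):
        if value in EXPLOIT_PARAMS:
            reasons.append("exploit=" + value)
    return reasons


def find_affected_clients(log_text):
    """Map each client address to the set of indicators it requested."""
    hits = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # short or malformed line; nothing to inspect
        client, url = fields[2], fields[6]
        reasons = classify_url(url)
        if reasons:
            hits.setdefault(client, set()).update(reasons)
    return hits


if __name__ == "__main__":
    for client, reasons in sorted(find_affected_clients(SAMPLE_LOG).items()):
        print(client, sorted(reasons))
```

	Clients that only fetched news.php still appear, since that page is
	where the exploit chain starts.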


DETAILS:

	The malicious email is plain text with the following content:

	    Subject: National Bank goes bankrupt?!

	with body text:

	    People starting panic withdrawals, some of the accounts were reported 
	    closed due to technical reasons, many ATMs are not operating. 
	    Does it seem that one of the Australia's greatest goes bankrupt? 
	     
	    The full story could be found here: http://[MALICIOUS DOMAIN]/news.php
	      
	    Well, hope that isn't true... Anyway You'd rather check your balance...

	The URLs observed so far hosting the malicious page are as follows:

	    h**p://www,suriko,net/news.php        (now down)
	    h**p://www,saltnlight-e,com/news.php  (active)
	    The final trojan is downloaded from domain www,powwowtowel,com.

	(Here URLs have been modified such that 'http' becomes 'h**p' and 
	 all periods within a URL have been replaced with commas.) 

	On infected computers the following files are created and most of these
	are then hidden by the trojan:

	    C:\WINDOWS\system32\klo5.sys (visible)

	    C:\WINDOWS\system32\pptp16.dll 
	    C:\WINDOWS\system32\qz.dll 
	    C:\WINDOWS\system32\pptp24.sys 
	    C:\WINDOWS\system32\qz.sys 
	    C:\WINDOWS\system32\ms87.dat 
	    C:\WINDOWS\system32\config\SSL 
	    C:\WINDOWS\Temp\01083070 
	    %userprofile%\local settings\Temp\01083070


REFERENCES:

	[1] Protecting Your Computer from Malicious Code
	    http://www.auscert.org.au/3352

	[2] AusCERT Alert AL-2006.0040 - Yahoo Greeting Card trojan targets multiple web browsers
	    http://www.auscert.org.au/6028

	[3] AusCERT Alert AL-2006.0013 - Valentine's Day 'eCard' trojan
	    http://www.auscert.org.au/6028

	[4] AusCERT Alert AL-2006.0022 - 'Online Greeting Card' trojan
	    http://www.auscert.org.au/6195


AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
