On Sat, 28 Sep 2002, Jonathan A. Zdziarski wrote:

> This seems an awful lot to me like a Remote Code Execution Scam...
>
> I received an email addressed to "Undisclosed Recipients" notifying me
> that I received an E-Card today, so I went to the site
> http://www.surprisecards.net/viewcard.htm?id_num=[Undisclosed]&card=Pick+up
> to view the card. Oddly, I received a security warning asking me if
> I wanted to allow some code to run on my machine. Noticing the odd
> choice of form variables as opposed to other e-card sites (not to
> mention the fact that I could type in any number and get the same
> screen), and with an eyebrow now raised I went to the main website
> http://www.surprisecards.net to find "Welcome to the future home of
> richardoliver.web.aplus.net". So I figure, if there's no way to send a
> card from this website then chances are nobody sent me a valid card.
>
> I took a look at the Thawte certificate for the card viewer "code" and
> got www.cytron.com, some no-name development website with nothing more
> than a phone number.
>
> At the moment I'm not in front of any sacrificial machine to test the
> card out on, but I suspect this email is being mailed out as a scam in
> an attempt to run arbitrary code on the user's machine using a valid
> Thawte certificate. What the code does when it loads I've no idea as
> I'm not dumb enough to try it on my home machine.
>
> Perhaps someone in front of some extra hardware can take this and roll
> with it.

The source of the page contains an object tag:

    codebase="e-card_viewer.cab#version=1,0,0,1"

Obtaining that file and running strings reveals the following of interest:

1) There are numerous references to both thawte and verisign certificates
2) There is a reference to potd.dll
3) There are references to "Cytron"

A google search for "potd.dll" returns the following page:

http://and.doxdesk.com/parasite/Cytron.html

From that page:

  Description

  Cytron is an Internet Explorer Browser Helper Object. It scans the
  content of pages being viewed for keywords and opens pop-up advertising
  when they are detected. Also known as POTD, after the filename and BHO
  name; Burnaby, the internal object name; TargetingSource, the name used
  to describe the control in Downloaded Program Files.

  Distribution

  Installed by ActiveX drive-by download on a page pointed to by mail
  claiming you have received an 'e-card'. The ActiveX control purports to
  be a viewer for e-cards.

There you have it, adware.

- Jeff

--
Jeff Jirsa
jeffat_private

--
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
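The triage Jeff describes (spot the `<object>` tag that pulls a `.cab`, run `strings` over the file, look for the certificate names, `potd.dll` and "Cytron") can be scripted so the same check runs over any captured e-card page and payload. The following is an added example written for this archive page, not code from the thread or from the Cytron/doxdesk write-up. The HTML snippet and the byte blob are constructed for the example (the blob only carries the CAB magic and a few embedded strings; it is not a real cabinet and is not parsed as one), and the string extraction is a regex approximation of the Unix `strings` tool. The indicator list is taken straight from the three points in the post.

```python
import re
from collections import defaultdict

# Indicators taken from the post: what `strings` turned up in the .cab.
INDICATORS = ("thawte", "verisign", "potd.dll", "cytron")

# An <object ...> opening tag, and a codebase="file.cab#version=1,0,0,1" attribute.
OBJECT_RE = re.compile(r"<object\b[^>]*>", re.IGNORECASE | re.DOTALL)
CODEBASE_RE = re.compile(
    r'codebase\s*=\s*["\']([^"\'#]+)(?:#version=([\d,]+))?["\']', re.IGNORECASE
)

# Constructed sample page modelled on the tag quoted in the post.
SAMPLE_PAGE = """<html><body>
<object codebase="e-card_viewer.cab#version=1,0,0,1" width="1" height="1"></object>
</body></html>"""

# Constructed sample payload: CAB magic, some non-printable filler, then the
# kind of strings the post reports. Not a valid cabinet file.
SAMPLE_CAB = (
    b"MSCF\x00\x00\x00\x00" + bytes(range(16)) +
    b"potd.dll\x00\x00\x01\x02"
    b"Thawte Server CA\x00\xff\xfe"
    b"VeriSign Class 3 Code Signing\x00"
    b"ab\x00"                      # too short to count as a string
    b"Cytron Inc\x00"
    b"TargetingSource\x00"
)


def find_activex_codebases(html):
    """Return (file, version) for every <object> tag that names a codebase.

    A page that pulls a .cab through <object codebase=...> is the drive-by
    install pattern described in the thread; version may be None.
    """
    found = []
    for tag in OBJECT_RE.findall(html):
        m = CODEBASE_RE.search(tag)
        if m:
            found.append((m.group(1), m.group(2)))
    return found


def extract_strings(data, min_len=4):
    """Minimal `strings`: runs of printable ASCII at least min_len bytes long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [s.decode("ascii") for s in re.findall(pattern, data)]


def match_indicators(strings, indicators=INDICATORS):
    """Map each indicator to the extracted strings containing it (case-insensitive)."""
    hits = defaultdict(list)
    for s in strings:
        low = s.lower()
        for ind in indicators:
            if ind in low:
                hits[ind].append(s)
    return dict(hits)


def triage(html, cab_bytes):
    """Combine both checks; flag when a codebase is pulled and 2+ indicators match."""
    codebases = find_activex_codebases(html)
    hits = match_indicators(extract_strings(cab_bytes))
    verdict = "suspect adware" if codebases and len(hits) >= 2 else "no match"
    return {"codebases": codebases, "hits": hits, "verdict": verdict}


if __name__ == "__main__":
    result = triage(SAMPLE_PAGE, SAMPLE_CAB)
    for cab, ver in result["codebases"]:
        print("object pulls codebase:", cab, "version", ver)
    for ind, matches in sorted(result["hits"].items()):
        print("indicator %-9s -> %s" % (ind, ", ".join(matches)))
    print("verdict:", result["verdict"])
```

To use it on a real capture, read the saved page into `html` and the downloaded cabinet into `cab_bytes`; the two-indicator threshold in `triage` is a deliberate choice so that a lone certificate-vendor string (which any signed control carries) does not flag the file on its own.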
This archive was generated by hypermail 2b30 : Sun Sep 29 2002 - 13:00:56 PDT