The *.cab file contains a file 'potd.dll'; googling for it gives this link: http://and.doxdesk.com/parasite/Cytron.html. Over there it's considered a 'parasite'. According to the link, it appears to be some module that will install into your IE and pop up ads based on web pages being visited by the 'infected party'. The E-Card people are, of course, lying that it will -need- this module installed for the E-card to work. $)

Henri

> -----Original Message-----
> From: Jonathan A. Zdziarski [mailto:jonathanat_private]
> Sent: Saturday, September 28, 2002 11:25 AM
> To: incidentsat_private
> Cc: abuseat_private; server-certsat_private; abuseat_private
> Subject: E-Card Remote Code Execution Scam
>
> This seems an awful lot to me like a Remote Code Execution Scam...
>
> I received an email addressed to "Undisclosed Recipients" notifying me
> that I received an E-Card today, so I went to the site
> http://www.surprisecards.net/viewcard.htm?id_num=[Undisclosed]&card=Pick+up
> to view the card. Oddly, I received a security warning asking me if
> I wanted to allow some code to run on my machine. Noticing the odd
> choice of form variables as opposed to other e-card sites (not to
> mention the fact that I could type in any number and get the same
> screen), and with an eyebrow now raised I went to the main website
> http://www.surprisecards.net to find "Welcome to the future home of
> richardoliver.web.aplus.net". So I figure, if there's no way to send a
> card from this website then chances are nobody sent me a valid card.
>
> I took a look at the Thawte certificate for the card viewer "code" and
> got www.cytron.com, some no-name development website with nothing more
> than a phone number.
>
> At the moment I'm not in front of any sacrificial machine to test the
> card out on, but I suspect this email is being mailed out as a scam in
> an attempt to run arbitrary code on the user's machine using a valid
> Thawte certificate. What the code does when it loads I've no idea as
> I'm not dumb enough to try it on my home machine.
>
> In summary, my suspicion that this is the case is based on the
> following:
>
> 1. The email was from egreetingsat_private, yet was not redirecting me
> to a yahoo site. (It was in fact coming from a yahoo mail server
> though).
>
> 2. The email was NOT from surprisecard.net
>
> 3. The email was addressed to undisclosed recipients
>
> 4. There is no medium for sending cards from this site
>
> 5. www.cytron.com has no credible information about any card reader
> product or even the company.
>
> Perhaps someone in front of some extra hardware can take this and roll
> with it.
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Sun Sep 29 2002 - 13:23:10 PDT