Re: AIM-based worm?

From: Midkaemia (midkaemiaat_private)
Date: Sun Sep 29 2002 - 15:06:32 PDT


    On Friday 27 Sep 2002 9:48 pm, Troy Ablan wrote:
    > > > -- BEGIN SOURCE --
    > > >
    > > > <html><head><title>Browser Plugin Requried</title><meta
    > > > http-equiv="refresh" content="1;
    > > > url=psecure20x-cgi-install.version6.01.bin.hx.com"></head><body><h1>Bro
    > > >wser Plugin Required:</h1><br>You may need to restart your browser for
    > > > changes to take affect.<br>Security Certificate by <a
    > > > href="http://www.verisign.com">Verisign</a> 2002.<br>MD5:
    > > > 9DD756AC-80E057FC-E00703A2-F801F2E3<br><br>Click <a
    > > > href="psecure20x-cgi-install.version6.01.bin.hx.com">HERE</a> and
    > > > choose "Run" to install.</body></html>
    > > >
    > > > -- END SOURCE --
    
    > I don't think so.  I think it's just the text of the HTML page saying
    > that -- part of the social engineering in play to get the user to execute
    > the worm.
    >
    > -Troy
    
    Ditto, that's what I thought as well. 
    
    Basically the hacker is trying to fool the end user into thinking the page 
    they have been asked to view (by whatever means) requires a plugin to run. 
    The user thinks that by accepting to install the "plugin" they are being 
    given a valid plugin signed by Verisign. It isn't, and they shouldn't run it. 
    But hey, people will. I suspect the "plugin" modifies the home page of the 
    browser, or installs some other ActiveX control to make this thing work, 
    hence the restart your browser bit.
    
    If I had a spare winxx box I would be tempted to have a look at this thing to 
    provide more info, unfortunately I'm mid rebuild of my entire systems so I 
    can't atm :( 
    
    It's a quite simple play on basic human ignorance, and nothing more.
    
    Mike
    -- 
    _______________________________________________________________________
     "In their capacity as a tool, computers will be but a ripple on the 
       surface of our culture. In their capacity as intellectual challenge, 
       they are without precedent in the cultural history of mankind." 
    	Edsger Wybe Dijkstra on Computers
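
An added example, not part of the original messages: a defender-side check for the tells discussed in this thread, namely a meta refresh or link whose relative target ends in an executable extension, alongside install-prompt and trust-claim text. The extension list, rule labels and the names `LureScan` and `analyze` are assumptions of this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed set of extensions Windows runs directly (not taken from the post).
EXEC_EXT = {"com", "exe", "scr", "pif", "bat", "cmd", "vbs"}
TEXT_RULES = [("install/run prompt", re.compile(r'choose\s+"?run|plugin\s+required', re.I)),
              ("unverifiable trust claim", re.compile(r"verisign|security certificate", re.I))]
# The page source quoted in the thread, abridged, quote markers removed.
SAMPLE = '''<html><head><title>Browser Plugin Requried</title><meta
http-equiv="refresh" content="1; url=psecure20x-cgi-install.version6.01.bin.hx.com">
</head><body><h1>Browser Plugin Required:</h1><br>Security Certificate by
<a href="http://www.verisign.com">Verisign</a> 2002.<br>Click
<a href="psecure20x-cgi-install.version6.01.bin.hx.com">HERE</a> and choose "Run"
to install.</body></html>'''

class LureScan(HTMLParser):
    def __init__(self):
        super().__init__()
        self.targets, self.text = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^\s'\"]+)", a.get("content") or "", re.I)
            if m:
                self.targets.append(("meta-refresh", m.group(1)))
        elif tag == "a" and a.get("href"):
            self.targets.append(("link", a["href"]))

    def handle_data(self, data):
        self.text.append(data)

def analyze(html):
    scan = LureScan()
    scan.feed(html)
    scan.close()
    findings = []
    for kind, url in scan.targets:
        parts = urlsplit(url)
        ext = parts.path.rpartition(".")[2].lower() if "." in parts.path else ""
        # No scheme or host: a relative reference, so ".com" is a file extension.
        if not parts.scheme and not parts.netloc and ext in EXEC_EXT:
            findings.append(f"{kind}: relative executable {url}")
    body = " ".join(scan.text)
    findings += [f"text: {label}" for label, rx in TEXT_RULES if rx.search(body)]
    return findings

if __name__ == "__main__":
    print("\n".join(analyze(SAMPLE)))
```

The Verisign link itself is not flagged as a target because it has a scheme and host; only the wording around it is reported.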
    
    



    This archive was generated by hypermail 2b30 : Sun Sep 29 2002 - 19:26:43 PDT