Re: Somebody exploiting (badly designed) yahoo service?
"Aleksandar Milivojevic" <alex@xxxxxxxxxxxxxxx> wrote:
> I don't know if this is something new, or something old.
Well, part of it is old and part of it quite new...
> Yeasterday I received couple of emails (apperently from people I know).
> Emails were text/html, and contained only this text:
>
> http://drs.yahoo.com/milivojevic.org/NEWS
>
> Text was acutally linked to:
>
> http://drs.yahoo.com/milivojevic.org/NEWS/*http://www.security-warning.biz/personal6/maljo24/www.YAHOO.com/#http://drs.yahoo.com/milivojevic.org/NEWS
This is the self-mailing part of Wallon.A -- a new mass-mailer that
distributes itself simply by sending Emails with links to itself to
everyone in the victim's (Outlook) address book (not fully analysed
yet...).
BTW -- the "milivojevic.org" part of that bogo-URL is customized to
each recipient, based on their Email address.
> Downloading the above link using wget, drs.yahoo.com redirects to:
>
> http://www.security-warning.biz/personal6/maljo24/www.YAHOO.com/
Yes -- URLs like that (and some other, related forms) have been not
uncommopnly used by spammers for quite some time now (in general it
seems these Yahoo redirector pages parse off everything to the left of
and the including the asterisk and redirect to the remainder).
> This page contains some JavaScript (after couple of empty screens) that
> seems to open off-screen window (or at least it looks like that to me) ...
It's a porn page and the link includes an affiliate reference so the
perp may get paid for each recipient of the "viral" Email that cllicks
on the link in the Email...
> ... and
> loads terra.html from the same site. Downloading terra.html using wget,
> there's some more JavaScript (again after several empty screens) and some
> obfuscating code inside that I haven't analyzed in depth.
There is a simple a decode routine that de-obfuscates an iframe tag
directed to a Compiled Help file (.CHM) which, by exploiting the MHTML
URL Processing vulnerability in (unpatched copies of) IE, silently d/ls
the .CHM, opening it in the local computer zone where some scripting
inside the .CHM then exploits the ADODB.Stream vulnerability in
(unpatched copies of) IE to overwrite and execute Media Player with a
.EXE file retrieved from the same site as the .CHM. I've not analysed
that .EXE yet and information from various AV developers about it is
somewhat contradictory -- it is probably the component that mass-mails
the target URL from the new victim's machine and may download and
install a porn-dialer (there are also conflicting claims as to whether
the .EXE sets itself up to run on startup and some claim it also Emails
the list of its mail addresses its mailing routine compiles to
1@xxxxxxxxxxxxxxx). Different descriptions have somewhat different
filenames, suggestng that the pages served from the target URLs may
have changed "overnight" and slightly different variants (or even
radically components) may have been available at different times.
> Anybody seen this before? Is this some kind of virus, worm, spyware, or
> simply a spam? Looking at received headers of emails, it doesn't look
> like spam. When I contacted the people who were listed as senders, they
> said they never sent it (but that they suspect they might be infected by
> some virus).
Seen before -- yes and no. "Self-spamming mass-mailers", where all
that is mailed is a link to a location for the mass-mailer (or at least
to another component in a chain that ultimately closes a replication
loop) are not new. Use of the MHTML and .CHM tricks are not, neither
is use of ADODB.Stream exploits new, nor is the joint use of those two
exploits. Address harvesting by a mass-mailer is not new either. All
that leaves is the specifics of this implementation and the actual .EXE
file(s) that are d/l'ed from the target site and even some of these
appear to be already-known dialers (though many "virus scanners" will
not detect them).
> I'll be contacting Yahoo about this (obviously, whatever they have at
> drs.yahoo.com isn't designed with security in mind), however I'm
> interested if anybody else saw/got this, and if he/she knows what it is.
I doubt you'll get much assistance from Yahoo -- as far as it is
concerned, those pages are working as designed.
You'd probably do more help by complaining to http://www.security-
warning.biz/ about their "personal6" and/or "maljo24" user _AND_ CC'ing
that to their upstream provider's abuse address (and the DHS and/or
your pet FBI "cyber-crime" contact if you have one).
> Thanks for any info/pointers
You're welcome.
--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854