Re: Iframe-Cash/Iframe-Dollars Adware bundle...oooh... my ....god..

To: Thierry Zoller <Thierry@xxxxxxxxx>
Subject: Re: Iframe-Cash/Iframe-Dollars Adware bundle...oooh... my ....god..
From: Gadi Evron <ge@xxxxxxxxxxxx>
Date: Tue, 13 Mar 2007 11:47:56 -0500 (CDT)
Cc: bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <1001643509.20070311183018@xxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

On Sun, 11 Mar 2007, Thierry Zoller wrote:
> Dear list,
> 
> Whoever deals with these poeple and thinks they are a benign Adware
> company (and thus spreads their bundles.

iframedollaz used to offer webmasters a deal to include code on their
website for cash per hit (drive-by install).

They have been doing a lot of other stuff, as well, such as breaking into
websites and "defacing" them. Read defacing as "leave them the same way
only add malicious code to install drive-by malware".

They are by far not the only ones, nor are these their only strategies.

        Gadi.

> 
> Check this :
> Ignoring the fact that they basicaly  install a Rootkit, I attached a
> few files I reversed, they install a DLL that does not directly KEYLOG your
> banking data, but INJECTS HTML CODE into the _genuine_ (SSLed) Banking page
> asking you to enter more details (like PIN, Magic Password etc), then
> capture that data and transmit it (I did no further investigation)
> 
> http://secdev.zoller.lu/system32.zip
> Pass: 123
> 
> I am disgusted. They even created their own XML parser for this ...
> 
> An extract of HTML code they inject :
> -------------------------------------
> <inject
> url="wellsfargo" 
> before="name=userid autocomplete='off'></DIV>" 
> what="
> <DIV><LABEL for=userid>ATM PIN</LABEL>:<BR><SPAN class='mozcloak'><INPUT 
> id=pin  tabIndex=2 maxLength=4 type=password size=4 name=pin 
> autocomplete='off'></SPAN></DIV>
> "
> block="alt=Go" 
> check="pin"
> quan="4"
> content="d"
> >
> </inject>
> ------------------------------------
> 
> Attached the main files (pass 123), feel free to add this as HIPS or whatever
> signatures, those interested in a complete reversal can contact me
> to receive the EXE in question.
> 
> I have no more time feel free to dig deeper.
> 
> 
> I especialy liked this :
> ------------------------
> <inject
> url="citibank.com" 
> <TR><TD colspan=3 class=smallArial noWrap><SPAN STYLE='color:red'>To prevent 
> fraud enter your credit card information please:</SPAN></TD></TR>
> 
> 
> Puke..
> 
> -- 
> http://secdev.zoller.lu
> Thierry Zoller
>

References:
- Iframe-Cash/Iframe-Dollars Adware bundle...oooh... my ....god..
  - From: Thierry Zoller

Prev by Date: Weekly Drawing Contest <= (check_vote.php) Remote File Disclosure Vuln
Next by Date: Re: Microsoft Windows Vista/2003/XP/2000 file management security issues
Previous by thread: Iframe-Cash/Iframe-Dollars Adware bundle...oooh... my ....god..
Next by thread: Re: Iframe-Cash/Iframe-Dollars Adware bundle...oooh... my ....god..
Index(es):
- Date
- Thread