Re: Iframe-Cash/Iframe-Dollars Adware bundle...oooh... my ....god..

To: Securityfocus <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: Re: Iframe-Cash/Iframe-Dollars Adware bundle...oooh... my ....god..
From: Nicolas RUFF <nicolas.ruff@xxxxxxxxx>
Date: Wed, 14 Mar 2007 21:32:22 +0100
Cc: Reversemode <advisories@xxxxxxxxxxxxxxx>, Thierry Zoller <Thierry@xxxxxxxxx>, ge@xxxxxxxxxxxx
Dkim-signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:user-agent:mime-version:to:cc:subject:references:in-reply-to:x-enigmail-version:content-type:content-transfer-encoding; b=o9Ho1E30glydcJ2SDVdtTYP+Al2Mwosc6zCLEhsl/tgwwRFrgkNCrni7y/6oXAmJ61DcWmFRbei89BkwNoTdPE+HXtqE1coknf8g5eT5GsxffO4pQ5tP+rdh0zdl9RYpNVlE6XOi3mTFFFZzGn3D8+Oh35yAzAc6fX+1dCgbio4=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:user-agent:mime-version:to:cc:subject:references:in-reply-to:x-enigmail-version:content-type:content-transfer-encoding; b=R2tUho5JFf0dijfKwFHfGpc2rCBKXSdS4fGV9Pr6ICp4bLLpCfG4Ezbh4+sGedpB7VF3vSDoez0zLkayQ4MQH03mznUjGJxdEh8AbJ6c1Vxsrur9f3J0HKuhjSzh+pGzTG4OFsYsoeLDh4fhK6i0r5jxdXsoO/8De2hGN5LNzw8=
In-reply-to: <45F6DC4D.7050900@xxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <1001643509.20070311183018@xxxxxxxxx> <45F6DC4D.7050900@xxxxxxxxxxxxxxx>
User-agent: Thunderbird 1.5.0.10 (Windows/20070221)

> Among other things (password stealer), this BHO has backdoor and
> "botnet" capabilities, implementing several remote commands:
> + upload
> + run
> + update
> ...

Yeah, I love the KILLWINANDREBOOT command, which will basically delete
NTLDR and NTDETECT.COM before rebooting Windows ...


> Watch out for unexpected http traffic containing
> commandack.php,mailwab.php..

Embedded URLs are :
http://58.65.234.73/~mjakson
http://58.65.234.73/~mjakson/mail.php
http://58.65.234.73/~mjakson/newuser.php
http://58.65.234.73/~mjakson/commandack.php
http://58.65.234.73/~mjakson/mailwab.php
http://58.65.234.73/~mjakson/command.php
http://58.65.234.73/~mjakson/upload.php

You can also easily guess the following URL :
http://58.65.234.73/~mjakson/admin.php

Best course of action for sysadmins would be to block at least this IP.

The site seems to be hosted in a server farm near Hong Kong.
On March, 14th at 20:00 GMT the site was still up and running.

Very nice piece of malware indeed ...

Regards,
- Nicolas RUFF

References:
- Iframe-Cash/Iframe-Dollars Adware bundle...oooh... my ....god..
  - From: Thierry Zoller
- Re: Iframe-Cash/Iframe-Dollars Adware bundle...oooh... my ....god..
  - From: Reversemode

Prev by Date: Norton Insufficient validation of 'SymTDI' driver input buffer
Next by Date: XSS vulnerability in the online help system of several Cisco products
Previous by thread: Re: Iframe-Cash/Iframe-Dollars Adware bundle...oooh... my ....god..
Next by thread: Call for Papers: DeepSec IDSC 2007 Europe/Vienna: 20-23 Nov 2007
Index(es):
- Date
- Thread