New Sober Variant, Compromised Servers Deliver Spy/Adware?, Phishing Reports, No Honor Among Thieves II

Published: 2004-11-19
Last Updated: 2004-11-19 22:06:23 UTC
by Lenny Zeltser (Version: 1)
0 comment(s)
New Sober Worm Variant

Anti-virus vendors released pattern updates today to recognize a new variant of the Sober worm. Sober uses its own SMTP engine to spread via email attachments. Secunia has a page that links to anti-virus vendors' descriptions of this specimen; take a look at it if you need technical information regarding the latest Sober variant. Also, please be sure to keep your anti-virus signatures up to date.

Spy/Adware via Browser Vulnerabilities and Compromised Web Servers

Steve Friedl pointed us to a BroadbandReports discussion that documents a series of web server compromises in which the compromised sites deliver spy/adware to visitors running a vulnerable browser. The information is still preliminary, but there are indications that the attackers are using an IFRAME vulnerability in Internet Explorer to deliver the payload. The web servers hosting the malicious code seem to be running Apache.

The BroadbandReports discussion of this incident:,11904374

A post to the Full-Disclosure list that may be related to this incident, referencing IFRAME and Apache (this link was posted on the BroadbandReports forum):

Information about the recent IFRAME vulnerability (no patch available at the moment; Windows XP SP2 systems not affected):

We don't yet have enough information about this attack pattern to determine its scope. We'd love to hear from you if you can share logs, malware samples, or observations relevant to this incident. If the server compromises turn out to be widespread, this incident is reminiscent of the June attacks on web servers that distributed the Download.Ject trojan.
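If you administer a web server and want to check whether pages in your document root have had frames injected, the following scanner is one way to triage them. It is an added example written for this diary entry, not code from the BroadbandReports thread or the Full-Disclosure post; the heuristics (hidden frame, src pointing off-site, unusually long attribute values), the 256-byte attribute threshold, and the sample HTML are assumptions constructed for illustration.

```python
"""Flag IFRAME tags that look injected: hidden, pointing off-site, or carrying
oversized attributes. Added triage example; heuristics and sample HTML are
constructed for illustration and are not taken from the incident reports."""
import re
from urllib.parse import urlparse

# Constructed sample page: one benign local frame, one hidden off-site frame,
# and one frame whose NAME attribute is padded far beyond anything legitimate.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="/help/faq.html" width="400" height="300"></iframe>
<iframe src="http://203.0.113.7/x.html" width=0 height=0 style="display:none"></iframe>
<iframe name="%s" src="http://example.net/y.html"></iframe>
</body></html>""" % ("A" * 300)

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
# name=value pairs; value may be double-quoted, single-quoted, or bare.
ATTR_RE = re.compile(r'([\w-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s"\'>]+))')
MAX_ATTR_LEN = 256  # assumed threshold; legitimate src/name values are far shorter


def parse_attrs(attr_text):
    """Return a dict of lower-cased attribute names to their string values."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        name = m.group(1).lower()
        value = next(v for v in m.groups()[1:] if v is not None)
        attrs[name] = value
    return attrs


def suspicious_iframes(html, site_host):
    """Return [(tag_snippet, [reasons])] for every iframe that trips a heuristic."""
    findings = []
    for m in IFRAME_RE.finditer(html):
        attrs = parse_attrs(m.group(1))
        reasons = []

        # Hidden frame: zero width/height or display:none.
        width = attrs.get("width", "").strip().rstrip("px")
        height = attrs.get("height", "").strip().rstrip("px")
        style = attrs.get("style", "").replace(" ", "").lower()
        if width == "0" or height == "0" or "display:none" in style:
            reasons.append("hidden")

        # Frame content loaded from a host other than the site itself.
        host = urlparse(attrs.get("src", "")).hostname
        if host and host.lower() != site_host.lower():
            reasons.append("off-site src %s" % host)

        # Oversized attribute values: not what a normal page author writes.
        for name, value in attrs.items():
            if len(value) > MAX_ATTR_LEN:
                reasons.append("oversized %s attribute (%d bytes)" % (name, len(value)))

        if reasons:
            findings.append((m.group(0)[:80], reasons))
    return findings


if __name__ == "__main__":
    for snippet, reasons in suspicious_iframes(SAMPLE_HTML, "www.example.com"):
        print("%-80s  %s" % (snippet, "; ".join(reasons)))
```

Run it over every HTML file under the document root and compare the results against a known-good copy of the site; a frame that the site's authors did not put there is worth a closer look regardless of which browser bug it targets.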

Recent Phishing Reports

Yesterday's diary mentioned a phishing scam that attempted to harvest logon credentials of MSN customers. Dan Hubbard sent us a link to screenshots that document two versions of this scam:

One popular use for stolen ISP account credentials is sending out more phishing spam. The attackers use a stolen account to send spam until MSN, AOL, Earthlink, or another service provider disables it for policy violations; the attacker then moves on to the next account stolen via an earlier phishing scam.

Today we received reports of phishing scams that targeted SunTrust and Comcast customers. In one case, which was quite typical, the attackers used a compromised website to collect the stolen information. The owners of the site were unaware of the problem, just like many owners of sites used to proxy spam messages, or the owners of accounts from which the spam was sent. The number of unsuspecting victims involuntarily acting as phishing collaborators can be surprisingly large.

No Honor Among Thieves (Part II)

We received a message from Don Parker as a follow-up to yesterday's mention of the backdoor built into the fake Half-Life 2 exploit. Don described a post to a discussion forum that claimed to offer a zero-day exploit for the MS04-029 vulnerability. The exploit claimed to give the attacker a remote shell; however, MS04-029 addressed denial of service and information disclosure, not remote code execution. Moreover, the supposed exploit included shellcode but lacked the NOP sled typically present in buffer-overflow attacks. Don's analysis confirmed that the posted "exploit" actually provided the code's author an IRC-based backdoor into the hopeful attacker's system.

The practice of building backdoors into attack tools is quite widespread, particularly in malicious programs that don't come with source code, or in exploits that come from obscure sources and contain hard-to-understand shellcode. Please use extreme caution when testing such tools: run them only on isolated systems you are prepared to rebuild, and examine the shellcode before executing it.
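The two tells mentioned above (no NOP sled, and a payload that talks IRC rather than spawning a shell) can be checked before anything is executed. The script below is an added example, not the forum post's code or Don's analysis: it decodes a "\x.." escaped blob of the kind exploits are pasted as, measures the longest run of 0x90 bytes, and extracts printable strings, flagging IRC commands and hostnames. The sample blob, the eight-byte sled threshold, and the IRC keyword list are constructed assumptions for illustration.

```python
"""Triage a posted 'exploit' shellcode blob before running it: decode C-style
escaped bytes, measure the NOP sled, and pull out strings that betray a
phone-home (IRC commands, hostnames). Added example with a constructed blob."""
import re

# Constructed sample in the "\x.." form exploits are usually pasted in: a few
# typical-looking setup bytes, then an IRC bot's plaintext server and commands.
FAKE_SHELLCODE = (
    "\\x31\\xc0\\x50\\x68"
    + "".join("\\x%02x" % b for b in
              b"irc.example.net\x00NICK h4x\r\nUSER h4x 0 * :x\r\nJOIN #backdoor\r\n")
    + "\\x68\\x2f\\x2f\\x73\\x68"
)

HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")
IRC_WORDS = ("NICK ", "USER ", "JOIN ", "PRIVMSG ", "PASS ")
# Dotted IPv4 addresses or dotted hostnames ending in a common TLD.
HOST_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b|\b(?:[\w-]+\.)+(?:com|net|org|info|biz)\b")


def decode_escaped(text):
    """Turn '\\x41\\x42'-style text into raw bytes; anything else is ignored."""
    return bytes(int(h, 16) for h in HEX_ESCAPE.findall(text))


def longest_nop_run(blob, nop=0x90):
    """Length of the longest consecutive run of the NOP byte."""
    best = cur = 0
    for b in blob:
        cur = cur + 1 if b == nop else 0
        best = max(best, cur)
    return best


def printable_strings(blob, min_len=4):
    """Equivalent of strings(1) restricted to printable ASCII."""
    return [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def triage(text, min_nops=8):
    """Summarise what a blob looks like without executing a byte of it."""
    blob = decode_escaped(text)
    strings = printable_strings(blob)
    sled = longest_nop_run(blob)
    return {
        "bytes": len(blob),
        "nop_sled": sled,
        "has_sled": sled >= min_nops,  # assumed: real sleds are far longer than 8
        "irc_strings": [s for s in strings if any(w in s for w in IRC_WORDS)],
        "hosts": [h for s in strings for h in HOST_RE.findall(s)],
    }


if __name__ == "__main__":
    report = triage(FAKE_SHELLCODE)
    print("bytes: %d, NOP sled: %d, looks like a sled: %s"
          % (report["bytes"], report["nop_sled"], report["has_sled"]))
    print("IRC strings:", report["irc_strings"])
    print("hosts:", report["hosts"])
```

An encoded or packed payload will hide its strings from this check, so a clean result is not proof of good faith; but a "remote shell" exploit whose only readable content is an IRC handshake, with no sled in sight, has already answered the question.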

Lenny Zeltser

ISC Handler of the Day