Targeted Trojan attacks?
Update
I received a number of responses to the Diary entry below reporting similar _emails_. The reports showed or pointed to HTML emails with similar contents and construction. Viewing the emails with the MS email clients set to "text only" renders the GIF as an attachment to the email.
In a few cases the HTML emails were flagged as phishing emails by various AV products. In one case the email was flagged both as a phishing email and separately as a trojan/pwstealer/keystroke logger.
I received analysis summary results for the Sun site's illicit.GIF file from two AV sources. Their analyses were similar, so quoting one: "The only thing I would add is that it has been verified the GIF is not some executable code, but just a 'clean' image inside an HTML email where the image is hyperlinked. Clicking on the image takes one to a phishing site."
Thanks Mugg and Eric Chien for taking the time to follow up on the Diary.
That still leaves me with many other protection, detection and incident response questions raised by their analysis; I'll look at those and report any results as resources allow.
Thanks again to everyone who submitted information, samples and pointers to samples.
Original Diary Entry Follows:
You have to love it when malware blows through your ISP's email gateway AV, hits your desktop, and only 2 vendors flag it. This has been occurring regularly over the last few months. Some of today's email details are below. At this time only F-Secure and Kaspersky catch it; F-Secure says "malware found Trojan-Spy.HTML.Bayfraud.in (virus)".
After Googling the Subject of the email I'm writing about, "eBay Customer Notice: Details Confirmation", I saw a few hits; one was at archives.java.sun.com. Sun has been notified.
That page also references the trojan I was sent; only the image name is different. At the Sun site it's named illicit.GIF [image/gif], and there's a date/time visible on the page display [Fri, 21 Oct 2005 23:44:45 +0100], though who knows how trustworthy that date information is. If it's accurate, then based on the Jotti and Virustotal results below, it's a touch troubling.
If you're seeing any of these please drop us a note. Thanks!
illicit.GIF analysis results at Jotti and Virustotal.
Jotti.Org says
File: illicit.GIF
Status: INFECTED/MALWARE
MD5 15492310e33e16810c4d880b8f343f8d
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found Trojan-Spy.HTML.Bayfraud.in
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing
This is a report processed by VirusTotal on 02/12/2006 at 20:13:06 (CET) after scanning the file "illicit.GIF" file.
Antivirus Version Update Result
AntiVir 6.33.0.81 02.11.2006 no virus found
Avast 4.6.695.0 02.10.2006 no virus found
AVG 718 02.10.2006 no virus found
Avira 6.33.0.81 02.11.2006 no virus found
BitDefender 7.2 02.12.2006 no virus found
CAT-QuickHeal 8.00 02.11.2006 no virus found
ClamAV devel-20060126 02.12.2006 no virus found
DrWeb 4.33 02.12.2006 no virus found
eTrust-InoculateIT 23.71.74 02.11.2006 no virus found
eTrust-Vet 12.4.2074 02.10.2006 no virus found
Ewido 3.5 02.11.2006 no virus found
Fortinet 2.54.0.0 02.12.2006 no virus found
F-Prot 3.16c 02.09.2006 no virus found
Ikarus 0.2.59.0 02.10.2006 no virus found
Kaspersky 4.0.2.24 02.12.2006 Trojan-Spy.HTML.Bayfraud.in
McAfee 4694 02.10.2006 no virus found
NOD32v2 1.1404 02.11.2006 no virus found
Norman 5.70.10 02.10.2006 no virus found
Panda 9.0.0.4 02.12.2006 no virus found
Sophos 4.02.0 02.11.2006 no virus found
Symantec 8.0 02.12.2006 no virus found
TheHacker 5.9.4.094 02.10.2006 no virus found
UNA 1.83 02.09.2006 no virus found
VBA32 3.10.5 02.11.2006 no virus found
Some email details:
Return-path: <support_num_3381305590018@ebay.com>
**snip**
Received: from ppp85-141-237-194.pppoe.mtu-net.ru ([85.141.237.194])
by orngca-mx-08.mgw.rr.com with SMTP; Sun, 12 Feb 2006 13:52:34 -0500
Date: Sun, 12 Feb 2006 14:43:23 -0400
From: eBay <support_num_3381305590018@ebay.com>
Subject: eBay Customer Notice: Details Confirmation [Sun, 12 Feb 2006 21:46:23 +0300]
To: pnk@nycap.rr.com
Message-id: <4oomdf$ha2v4r@orngca-mx-08.mgw.rr.com>
MIME-version: 1.0
X-Accept-Language: en-us, en
Fcc: mailbox://support_num_3381305590018@ebay.com/Sent
X-Identity-Key: Id7
X-Virus-Scanned: Symantec AntiVirus Scan Engine <=== Gateway AV
Original-recipient: rfc822;pnolan
Content-Type: multipart/mixed;
boundary="----=_cKusyvfBPGgnaHbQBgKUeaDHKTZHAlKYr"
Attachment name patch.GIF
Subject eBay Customer Notice: Details Confirmation
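The headers above carry the evidence a defender wants: a message claiming to be from ebay.com was handed to the ISP's MX by a PPPoE host at mtu-net.ru, it carries a GIF attachment, and the gateway AV passed it. The following Python triage script is an added example, not code from the diary; its sample message reuses the quoted headers, but the body (HTML part, the link target example.invalid, the GIF bytes) is constructed, and the relay-versus-sender-domain comparison is a heuristic, not a verdict.

```python
import re
from email import message_from_bytes, policy, utils
from urllib.parse import urlparse
# Constructed sample modelled on the headers quoted in the diary; the body
# (HTML part, link target, GIF bytes) is made up, the diary does not show it.
RAW_MAIL = b"""Received: from ppp85-141-237-194.pppoe.mtu-net.ru ([85.141.237.194])
 by orngca-mx-08.mgw.rr.com with SMTP; Sun, 12 Feb 2006 13:52:34 -0500
From: eBay <support_num_3381305590018@ebay.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/html

<html><body><a href="http://example.invalid/ebay/"><img src="cid:gif1"></a></body></html>
--BOUNDARY
Content-Type: image/gif; name="patch.GIF"

GIF89a(constructed placeholder, not a real image)
--BOUNDARY--
"""
RELAY_RE = re.compile(r"from\s+(\S+)\s+\(\[?([\d.]+)\]?\)")
IMG_LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>\s*<img\b', re.I)

def parse(raw):
    return message_from_bytes(raw, policy=policy.default)

def first_hop(msg):
    # The Received header nearest the origin is the last one in the message.
    received = msg.get_all("Received") or [""]
    m = RELAY_RE.search(received[-1])
    return (m.group(1), m.group(2)) if m else (None, None)

def sender_domain(msg):
    return utils.parseaddr(msg["From"])[1].rpartition("@")[2].lower()

def relay_mismatch(msg):
    # Heuristic: the claimed sender domain is absent from the first hop's rDNS name.
    host, dom = first_hop(msg)[0], sender_domain(msg)
    return bool(host) and host.lower() != dom and not host.lower().endswith("." + dom)

def image_attachments(msg):
    return [(p.get_filename(), p.get_content_type())
            for p in msg.iter_attachments() if p.get_content_maintype() == "image"]

def linked_image_hosts(msg):
    # Hosts a click on an image in the HTML body would take the reader to.
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    return [urlparse(u).hostname for u in IMG_LINK_RE.findall(html)]
```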
UPDATE I received a different piece of malware five minutes later ( ; ^ ), through the ISP Email Gateway AV undetected. There was no attachment, Subject is "Please Check Your Account !"
Exploit #2 released for Windows Services Insecure ACLs Local Privilege Escalation
Exploit #2 has been released for the Windows Services Insecure ACLs Local Privilege Escalation Vulnerability, described in MS Security Advisory (914457) "Possible Vulnerability in Windows Service ACLs".
Honeyd 1.5 Released
Honeyd 1.5 has been released. In addition to improvements, this version corrects the Remote Detection Via Multiple Probe Packets issue, which affects prior versions of Honeyd.