E-mails with malicious links targeting Australia

Published: 2006-06-15
Last Updated: 2006-06-15 13:17:35 UTC
by Bojan Zdrnja (Version: 1)
We've received a couple of reports about e-mails being spammed which contain browser exploits. What's interesting about this is that they are targeting Australia.

All e-mails we've received have the same content, but the URL seems to be moving around. The body is pasted below:

"People starting panic withdrawals, some of the accounts were reported closed due to technical reasons, many ATMs are not operating. Does it seem that one of the Australia's greatest goes bankrupt? The full story could be found here: <URL>
Well, hope that isn't true... Anyway You'd rather check your balance..."

The URL serves obfuscated JavaScript. The code checks which browser the user is running and redirects them to the appropriate exploit, which is served by a CGI script.
The JavaScript also detects whether the user is running Service Pack 2 and appends that information as a CGI parameter.
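
A static triage sketch for the landing-page behaviour described above, added here as an example and not taken from the diary or from the actual script: it decodes unescape() percent-encoding without executing anything and flags the combination of an encoded layer, a browser check and a redirect. The indicator strings, the "SV1" user-agent token as the SP2 check, and the sample scripts with their placeholder CGI path are assumptions constructed for illustration.

```python
import re
from urllib.parse import quote, unquote

# Indicator strings are assumptions; the diary does not show the script itself.
INDICATORS = {
    "ua_sniff": re.compile(r"navigator\.(userAgent|appName|appVersion)", re.I),
    "sp2_check": re.compile(r"\bSV1\b"),  # IE6 on XP SP2 adds "SV1" to its user agent
    "redirect": re.compile(r"location(\.href)?\s*=|location\.replace\s*\(", re.I),
    "cgi_param": re.compile(r"\.cgi\?", re.I),
}
# unescape('...') whose argument is a plain %XX-encoded string literal.
UNESCAPE = re.compile(r"unescape\(\s*(['\"])((?:%[0-9a-fA-F]{2}|[^'\"%])*)\1\s*\)")

def peel(script, max_layers=5):
    """Statically decode nested unescape() literals; the script is never executed."""
    layers = 0
    while layers < max_layers:
        # JavaScript unescape() maps %XX to Latin-1 code points.
        script, n = UNESCAPE.subn(
            lambda m: unquote(m.group(2), encoding="latin-1"), script)
        if n == 0:
            break
        layers += 1
    return script, layers

def triage(script):
    clear, layers = peel(script)
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(clear))
    # Browser sniffing alone is common on benign pages, so require the combination
    # of an encoded layer, a browser check and a redirect.
    suspicious = layers > 0 and {"ua_sniff", "redirect"} <= set(hits)
    return {"layers": layers, "hits": hits, "suspicious": suspicious}

# Constructed samples (not the real script): a harmless sniff-and-redirect body
# pointing at a placeholder CGI path, wrapped in one and two encoding layers.
SAMPLE_INNER = ("var ua = navigator.userAgent; var sp2 = ua.indexOf('SV1') != -1 ? 1 : 0;"
                "location.href = '/cgi-bin/placeholder.cgi?b=ie&sp2=' + sp2;")
SAMPLE_ONE_LAYER = "eval(unescape('" + quote(SAMPLE_INNER, safe="") + "'));"
SAMPLE_TWO_LAYERS = "eval(unescape('" + quote(SAMPLE_ONE_LAYER, safe="") + "'));"
SAMPLE_BENIGN = "if (navigator.userAgent.indexOf('MSIE') != -1) { document.title = 'IE'; }"

if __name__ == "__main__":
    for name in ("SAMPLE_ONE_LAYER", "SAMPLE_TWO_LAYERS", "SAMPLE_BENIGN"):
        print(name, triage(globals()[name]))
```

Scripts that build their payload with other encodings (for example %uXXXX escapes or String.fromCharCode) pass through `peel` unchanged and need their own decoder.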

The following Internet Explorer vulnerabilities are exploited:

MS03-011
MS06-006
MS06-014

And one Mozilla Firefox vulnerability is exploited as well:

MFSA2005-50

For Firefox users, there is a good add-on for preventing malicious JavaScript, called "NoScript". You can find more information at the following site:
https://addons.mozilla.org/firefox/722/

