(Updated) Another Russian Bank Scam, New Exploit for MS04-020

Published: 2004-07-16. Last Updated: 2004-07-17 04:26:53 UTC
by Marcus Sachs (Version: 1)
New Exploit for MS04-020

The ISC was notified earlier today that there was a public release of a Windows POSIX local privilege escalation exploit (MS04-020). The time to patch was last Tuesday. This is not a remote access issue, but one that still needs to be addressed and corrected.

Another Russian Bank Scam

(Updated 2230 UTC) All three of the sites hosting the malware related to this incident remain online. The ISC will not publicize the IP addresses of the sites, but we will mention the names of the providers in the hope that they will take action:

Earthlink
Global Net Access
Reseller Matrix

(Updated 1700 UTC) After comparing notes with the US-CERT this morning, we have come to the conclusion that this episode is another page in a long chapter of similar activity. A very nice write-up on the malware is online at http://spamwatch.codefish.net.au/modules.php?op=modload&name=News&file=article&sid=142

The sites we have been looking at have files dated as early as April 23rd, so it is likely that this scam has been working since then or earlier. The URL above is dated June 3rd, confirming that it has been in circulation at least six weeks. Here are the similarities:

- The Australian analysis starts with a machine at 67.174.247.101/ws/. In our case, the compromised box in New York City has a file structure in the "ws" subdirectory that looks like this, and is presumably the equivalent site for the current round:

    Parent Directory         15-Jul-2004 22:30     -
    1.html                   13-Jul-2004 06:16    1k
    eBayISAPI.dll&ViewIt..>  13-Jul-2004 06:16    1k
    eBayISAPI.dll&ViewIt..>  13-Jul-2004 06:16    1k
    eBayISAPI.dll&ViewIt..>  13-Jul-2004 06:16    1k
    eBayISAPI.dll&ViewIt..>  13-Jul-2004 06:16    1k
    eBayISAPI.dll&ViewIt..>  13-Jul-2004 06:16    1k
    ...
    (several dozen more)
    ...
    eBayISAPI.dll&ViewIt..>  13-Jul-2004 06:16    1k
    eBayISAPI.dll&ViewIt..>  13-Jul-2004 06:16    1k
    eBayISAPI.dll&ViewIt..>  13-Jul-2004 06:16    1k
    eBayISAPI.dll&ViewIt..>  13-Jul-2004 06:16    1k
    main1.chm                13-Jul-2004 06:47   14k
    new_links_2.bat          13-Jul-2004 06:42   73k
    page.hta                 13-Jul-2004 06:47    4k
    page.php                 13-Jul-2004 06:47    1k


main1.chm is the file that the phishing email points to, and it launches the series of exploits. In the Australian analysis, there is a reference to mstasks.exe. In our sample, we found that it is named mstasks1.exe. This file is located in the root directory of the New York City computer rather than the /ws directory.

- The Australian analysis then goes to 63.247.91.54:8080/loads/ where additional files are pulled. In our case, the next stop is in Atlanta and here's the directory listing of /loads at that site:

    Parent Directory         29-May-2004 01:24     -
    delloader.exe            29-Apr-2004 16:10    3k
    [DIR] id/                16-Jul-2004 08:44     -
    loger.exe                15-Jul-2004 22:43   34k
    loger.php                23-Apr-2004 07:54    1k
    post.php                 23-Apr-2004 07:54    1k
    screen.exe               15-Jul-2004 22:37  175k
    screen.php               23-Apr-2004 07:54    1k
    test.txt                 16-Jul-2004 08:40 14.7M
    update.php               23-Apr-2004 07:55    1k


The id directory and the test.txt file contain data on the compromised computers (keystrokes and so forth). Both are quite large and indicate that thousands of accounts have been hijacked.
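As an added example (not from the ISC diary or its authors), here is a small Python triage script that takes the file names from the two directory listings above and runs them over proxy log lines in an assumed format, classifying each client by how far down the chain it got: only the .chm lure (where a patched browser stops), the executables, or POSTs to the PHP pages under /loads/. The log format, the host names and the sample lines are constructed; treating the /loads/*.php pages as the upload endpoints is an assumption based on the diary's statement that captured data is uploaded to the same site.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed proxy log format: "<timestamp> <client_ip> <method> <url> <status>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

# File names taken from the directory listings in the diary, keyed by the stage
# of the chain they belong to. Host names are deliberately absent: the diary does
# not publish them, so we match on the path under /ws/ and /loads/ only.
INDICATORS = {
    "/ws/main1.chm": "lure",          # the file the phishing mail points to
    "/ws/page.hta": "lure",
    "/ws/new_links_2.bat": "lure",
    "/loads/delloader.exe": "download",
    "/loads/loger.exe": "download",
    "/loads/screen.exe": "download",
    # Assumption: the PHP pages under /loads/ are the upload endpoints.
    "/loads/post.php": "exfil",
    "/loads/loger.php": "exfil",
    "/loads/screen.php": "exfil",
    "/loads/update.php": "exfil",
}


def parse_line(line):
    """Split one log line into its fields, adding the lower-cased URL path."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = urlsplit(rec["url"]).path.lower()
    return rec


def classify(path):
    """Map a request path to a chain stage, or None if it is not an indicator."""
    for suffix, stage in INDICATORS.items():
        if path.endswith(suffix):
            return stage
    return None


def triage(log_text):
    """Return ({client: verdict}, {client: [(ts, stage, path)]}) for hosts touching the chain."""
    seen = defaultdict(set)
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        stage = classify(rec["path"])
        if stage is None:
            continue
        seen[rec["client"]].add(stage)
        hits[rec["client"]].append((rec["ts"], stage, rec["path"]))
    verdicts = {}
    for client, stages in seen.items():
        if "exfil" in stages:
            verdicts[client] = "compromised"      # data already leaving the host
        elif "download" in stages:
            verdicts[client] = "payload fetched"  # the .chm exploit worked, exe pulled
        else:
            verdicts[client] = "lure fetched"     # opened the mail link; patched IE stops here
    return verdicts, dict(hits)


# Constructed sample log (not real traffic); host names are placeholders.
SAMPLE_LOG = """\
2004-07-16T08:40:01Z 10.1.2.3 GET http://ws-host.invalid/ws/main1.chm 200
2004-07-16T08:40:02Z 10.1.2.3 GET http://ws-host.invalid/ws/page.hta 200
2004-07-16T08:40:05Z 10.1.2.3 GET http://loads-host.invalid:8080/loads/delloader.exe 200
2004-07-16T08:41:10Z 10.1.2.3 POST http://loads-host.invalid:8080/loads/post.php 200
2004-07-16T08:41:11Z 10.1.2.3 POST http://loads-host.invalid:8080/loads/loger.php 200
2004-07-16T08:42:00Z 10.1.2.7 GET http://ws-host.invalid/ws/main1.chm 200
2004-07-16T08:43:00Z 10.1.2.9 GET http://www.example.com/screen.php 200
"""

if __name__ == "__main__":
    verdicts, hits = triage(SAMPLE_LOG)
    for client, verdict in sorted(verdicts.items()):
        print(client, verdict, [h[2] for h in hits[client]])
```

Matching on the full path under /ws/ or /loads/ rather than on bare file names keeps a benign screen.php elsewhere (the last sample line) from firing, while the verdict ladder surfaces the point the diary makes: a client that only fetched main1.chm and went no further is what a patched Internet Explorer looks like in the logs.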

Other than the differences in the URLs, the Australian analysis of the executables is the same as ours. They are UPX packed, but not encoded.
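The note that the executables are UPX packed but not encoded is a triage point worth checking automatically before running strings over a sample, since a packed binary hides its embedded URL list until it is unpacked. The following Python, added here and not part of the diary, parses the PE section table and reports the usual UPX indicators (UPX0/UPX1 section names, the 'UPX!' header magic, and a first section with zero raw size but a large virtual size). The build_test_pe helper constructs header-only images for demonstration; nothing here is derived from the actual samples.

```python
import struct

SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")   # 40-byte IMAGE_SECTION_HEADER
COFF_HEADER = struct.Struct("<HHIIIHH")          # 20-byte IMAGE_FILE_HEADER


def pe_sections(data):
    """Return [(name, virtual_size, raw_size)] read from a PE image's section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    _, n_sections, _, _, _, opt_size, _ = COFF_HEADER.unpack_from(data, coff_off)
    table = coff_off + COFF_HEADER.size + opt_size
    sections = []
    for i in range(n_sections):
        off = table + i * SECTION_HEADER.size
        if off + SECTION_HEADER.size > len(data):
            raise ValueError("truncated section table")
        name, vsize, _, rawsize, *_ = SECTION_HEADER.unpack_from(data, off)
        sections.append((name.rstrip(b"\x00").decode("ascii", "replace"), vsize, rawsize))
    return sections


def upx_findings(data):
    """Collect cheap static indicators that a PE was packed with UPX."""
    sections = pe_sections(data)
    findings = []
    upx_names = [s[0] for s in sections if s[0].upper().startswith("UPX")]
    if upx_names:
        findings.append("UPX section names: " + ", ".join(upx_names))
    # UPX writes its own small header, beginning with 'UPX!', after the section table.
    if b"UPX!" in data:
        findings.append("'UPX!' header magic present")
    # The first UPX section carries no file data but a large virtual size: it is
    # the region the stub decompresses the original image into at runtime.
    if sections and sections[0][2] == 0 and sections[0][1] > 0:
        findings.append("first section has zero raw size but non-zero virtual size")
    return findings


def looks_upx_packed(data):
    """Require two independent indicators before calling a file packed."""
    return len(upx_findings(data)) >= 2


def build_test_pe(section_specs, trailer=b""):
    """Construct a header-only PE32 image for demonstration (not a real binary).

    section_specs is a list of (name, virtual_size, raw_size) tuples.
    """
    e_lfanew = 0x80
    dos = (b"MZ" + b"\x00" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    opt_size = 0xE0                                      # PE32 optional header size
    coff = COFF_HEADER.pack(0x14C, len(section_specs), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B).ljust(opt_size, b"\x00")  # PE32 magic, rest zeroed
    table = b""
    for i, (name, vsize, rawsize) in enumerate(section_specs):
        table += SECTION_HEADER.pack(name.encode("ascii").ljust(8, b"\x00"), vsize,
                                     0x1000 * (i + 1), rawsize, 0x400 * (i + 1),
                                     0, 0, 0, 0, 0x60000020)
    return dos + b"PE\x00\x00" + coff + opt + table + trailer


if __name__ == "__main__":
    packed = build_test_pe([("UPX0", 0x20000, 0), ("UPX1", 0x8000, 0x7A00),
                            (".rsrc", 0x1000, 0x400)], trailer=b"UPX!")
    plain = build_test_pe([(".text", 0x5000, 0x5000), (".data", 0x1000, 0x200),
                           (".rsrc", 0x1000, 0x400)])
    print("packed sample:", looks_upx_packed(packed), upx_findings(packed))
    print("plain sample: ", looks_upx_packed(plain), upx_findings(plain))
```

Two or more indicators are required before the script calls a file packed, because any single one (the bytes 'UPX!' inside a data blob, say) is weak on its own. Once a sample is confirmed packed, the UPX tool itself can normally restore the original with `upx -d <file>`, after which embedded strings such as the bank URL list in this diary become visible without running the binary.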

One final note: we are tracking an FTP site related to this that does not appear to be mentioned in the Australian analysis. This might be a small improvement on the attacker's code or just a variant on delivery mechanisms.

-----
A reader contacted the ISC early on Friday morning to report yet another online banking scam. In this case, the victim receives a forged email purporting to be from PayPal, telling them that their account appears to have had unauthorized access attempts and that they need to change their password for their protection. Clicking on the embedded link takes the victim to a web site hosted by a cable modem user near New York City.

If the victim is using Internet Explorer and the browser is not patched for the .chm exploit, the victim's browser is directed to download several files including executables from a web hosting site in Atlanta. The .chm patch is included in the latest cumulative security update for Outlook Express at
http://www.microsoft.com/technet/security/bulletin/ms04-018.mspx

The files on the Atlanta site attempt to capture login and password activity, then upload that information to a data repository at the same site. As of early morning on July 16th there appear to be over 11,000 victims with over 16,000 captured passwords and account information. The data collection starts in early May and is unfortunately still continuing. The Atlanta site has been notified. The Department of Homeland Security and US-CERT have also been notified.

One of the executable files contains the list of banks below. URLs viewed by the ISC in files at the Atlanta site include additional banking and financial sites. The ISC has made the files available to the US-CERT for their investigation.

http://www.ukpersonal.hsbc.co.uk
https://www.halifax-online.co.uk
https://ibank.barclays.co.uk
https://www.nwolb.com
https://webbank.openplan.co.uk
http://login.passport.net/uilogin
http://ukpersonal.hsbc.co.uk
https://halifax-online.co.uk
https://www.ibank.barclays.co.uk
https://nwolb.com
https://www.webbank.openplan.co.uk
http://www.login.passport.net/uilogin
https://www.e-gold.com
https://bank-gold.com
https://webbank.openplan.co.uk
https://online.lloydstsb.co.uk/customer
http://www.privatebanking.lloydstsb-offshore.com
https://evocashld.com
https://e-bullion.com
https://pecunixld.com

Again, this scam will not work if Internet Explorer is properly patched. Mozilla, Netscape, Opera, and other browsers are not affected by this.

Many thanks to ISC Handlers Lorna Hutcheson and John Bambenek for their extraordinary efforts during the early hours of Friday morning.

Marcus H. Sachs

Handler on Duty