On Sun, 11 Mar 2007, Thierry Zoller wrote:
> Dear list,
>
> Whoever deals with these people and thinks they are a benign Adware
> company (and thus spreads their bundles.

iframedollaz used to offer webmasters a deal to include code on their
website for cash per hit (drive-by install). They have been doing a lot of
other stuff, as well, such as breaking into websites and "defacing" them.
Read defacing as "leave them the same way only add malicious code to
install drive-by malware".

They are by far not the only ones, nor are these their only strategies.

	Gadi.

>
> Check this :
> Ignoring the fact that they basically install a Rootkit, I attached a
> few files I reversed, they install a DLL that does not directly KEYLOG your
> banking data, but INJECTS HTML CODE into the _genuine_ (SSLed) Banking page
> asking you to enter more details (like PIN, Magic Password etc), then
> capture that data and transmit it (I did no further investigation)
>
> http://secdev.zoller.lu/system32.zip
> Pass: 123
>
> I am disgusted. They even created their own XML parser for this ...
>
> An extract of HTML code they inject :
> -------------------------------------
> <inject
> url="wellsfargo"
> before="name=userid autocomplete='off'></DIV>"
> what="
> <DIV><LABEL for=userid>ATM PIN</LABEL>:<BR><SPAN class='mozcloak'><INPUT id=pin tabIndex=2 maxLength=4 type=password size=4 name=pin autocomplete='off'></SPAN></DIV>
> "
> block="alt=Go"
> check="pin"
> quan="4"
> content="d"
>
>
> </inject>
> ------------------------------------
>
> Attached the main files (pass 123), feel free to add this as HIPS or whatever
> signatures, those interested in a complete reversal can contact me
> to receive the EXE in question.
>
> I have no more time feel free to dig deeper.
>
>
> I especially liked this :
> ------------------------
> <inject
> url="citibank.com"
> <TR><TD colspan=3 class=smallArial noWrap><SPAN STYLE='color:red'>To prevent fraud enter your credit card information please:</SPAN></TD></TR>
>
>
> Puke..
>
> --
> http://secdev.zoller.lu
> Thierry Zoller
>
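The post suggests turning the recovered inject rules into HIPS or similar signatures. The following is an added example, not code from the thread or from the malware it discusses: a small Python tool that parses rules in the `<inject ...></inject>` shape quoted above into structured records, derives the injected markup as an indicator, and checks a page as the browser renders it (or as captured on the client side of the SSL session, where the tampering happens) for that markup. It also includes a config-independent allow-list check for form inputs the genuine login page never had. The sample config is the first quoted rule re-typed with its line breaks restored; the two login pages are constructed stand-ins. The exact semantics of the `before`, `block`, `quan` and `content` attributes are not stated in the post and the detector does not depend on them.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed sample: the first <inject> rule quoted in the post, re-typed with
# line breaks restored. Attribute names are exactly those seen on the page; their
# precise semantics are not stated there and are not relied on below.
SAMPLE_CONFIG = """
<inject
url="wellsfargo"
before="name=userid autocomplete='off'></DIV>"
what="
<DIV><LABEL for=userid>ATM PIN</LABEL>:<BR><SPAN class='mozcloak'><INPUT id=pin tabIndex=2 maxLength=4 type=password size=4 name=pin autocomplete='off'></SPAN></DIV>
"
block="alt=Go"
check="pin"
quan="4"
content="d"
</inject>
"""

INJECT_RE = re.compile(r"<inject\b(.*?)</inject>", re.DOTALL | re.IGNORECASE)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"', re.DOTALL)   # values use double quotes only
INPUT_RE = re.compile(r"<input\b[^>]*>", re.IGNORECASE)
NAME_RE = re.compile(r"""\bname\s*=\s*["']?([^\s"'>]+)""", re.IGNORECASE)


@dataclass
class InjectRule:
    url: str      # substring the rule matches against the page URL
    before: str   # anchor markup the rule looks for in the genuine page
    what: str     # markup the rule adds to the page; this is the indicator
    extra: Dict[str, str] = field(default_factory=dict)  # block/check/quan/content


def normalise(markup: str) -> str:
    """Collapse whitespace and case so markup compares by content, not layout."""
    return re.sub(r"\s+", " ", markup).strip().lower()


def parse_inject_rules(config_text: str) -> List[InjectRule]:
    """Pull every <inject ...></inject> block out of a recovered config."""
    rules = []
    for block in INJECT_RE.finditer(config_text):
        attrs = {k.lower(): v.strip() for k, v in ATTR_RE.findall(block.group(1))}
        rules.append(InjectRule(url=attrs.pop("url", ""), before=attrs.pop("before", ""),
                                what=attrs.pop("what", ""), extra=attrs))
    return rules


def scan_rendered_page(page_url: str, rendered_html: str,
                       rules: List[InjectRule]) -> List[InjectRule]:
    """Return the rules whose injected markup is present in the page as rendered.

    Compare the DOM the browser shows (or a client-side capture), not the server's
    copy: the post describes markup being added after the genuine SSL page arrives.
    """
    page = normalise(rendered_html)
    return [r for r in rules
            if r.url.lower() in page_url.lower() and r.what and normalise(r.what) in page]


def unexpected_inputs(rendered_html: str, expected_names: Set[str]) -> Set[str]:
    """Config-independent check: input names present that the genuine form never had."""
    found = set()
    for tag in INPUT_RE.findall(rendered_html):
        m = NAME_RE.search(tag)
        if m:
            found.add(m.group(1).lower())
    return found - {n.lower() for n in expected_names}


# Constructed stand-ins: a genuine login form, and the same form as a victim's
# browser would render it once the rule above has added its ATM PIN field.
GENUINE_PAGE = (
    "<FORM action='/login'>"
    "<DIV><LABEL for=userid>Username</LABEL><BR>"
    "<INPUT id=userid type=text name=userid autocomplete='off'></DIV>"
    "<DIV><LABEL for=password>Password</LABEL><BR>"
    "<INPUT id=password type=password name=password></DIV>"
    "<INPUT type=image alt=Go>"
    "</FORM>"
)
TAMPERED_PAGE = (
    "<FORM action='/login'>"
    "<DIV><LABEL for=userid>Username</LABEL><BR>"
    "<INPUT id=userid type=text name=userid autocomplete='off'></DIV>"
    "<DIV><LABEL for=userid>ATM PIN</LABEL>:<BR><SPAN class='mozcloak'>"
    "<INPUT id=pin tabIndex=2 maxLength=4 type=password size=4 name=pin autocomplete='off'>"
    "</SPAN></DIV>"
    "<DIV><LABEL for=password>Password</LABEL><BR>"
    "<INPUT id=password type=password name=password></DIV>"
    "<INPUT type=image alt=Go>"
    "</FORM>"
)

if __name__ == "__main__":
    rules = parse_inject_rules(SAMPLE_CONFIG)
    for r in rules:
        print(f"rule for URLs containing {r.url!r} adds field {r.extra.get('check')!r}")
    url = "https://online.wellsfargo.com/login"
    print("genuine page hits:", len(scan_rendered_page(url, GENUINE_PAGE, rules)))
    print("tampered page hits:", len(scan_rendered_page(url, TAMPERED_PAGE, rules)))
    print("unexpected inputs:", unexpected_inputs(TAMPERED_PAGE, {"userid", "password"}))
```

The allow-list check is the more durable of the two: a config-derived indicator only catches the rules you have recovered, whereas a bank's own page knows exactly which input names its login form should contain, and any extra password-type field is suspicious regardless of the kit that added it.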