0x01 trojan update (ev1.net host), openssl proof of concept exploit, HP mystery ssh patch

Published: 2004-01-16
Last Updated: 2004-01-17 18:18:24 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)
ev1.net trojan (was: Yahoo.fr)

A user submitted a fake e-mail, which is using the %01 MSIE bug to trick the
user into downloading a Trojan.

The virus spreading this email is smart enough to tailor the 'From' address
to match the users domain. So for example, if your email address is 'user@example.com', the from address will read:

Example.com's Virus Department.
The fake URL will show up as 'http://example.com' followed by the 0x01 character and a randomized URL.

Likely in an effort to dwarf attempts to capture the trojan and shut down the
site, the site uses multiple redirects and will only deliver the trojan if the
user is using Microsoft Internet Explorer. In order to accomplish this, java script and cgi scripting is used.

The trojan is only delivered once to a given IP address. The final URL used
to download the trojan is http:/ /66.98.208.24/cgi-bin/page.cgi at this point, but it has been changing.

The ISP hosting this site, EV1.net, was notified via e-mail to abuse, and
replied that the virus has been removed. However, even after this reply was
received, the trojan was still accessible via this URL.

A phone call to the customer service department of ev1.net was answered. The ev1.net representative was not able to respond to the case and was not able to provide a phone contact for the ev1.net abuse department.

Later today (early afternoon EST), the host was shut down. Another user reported
to us, that a very similar URL was used at ev1.net back in December 2003:

http://66.98.188.67:180/cgi-bin/page.cgi

Back then, the e-mail claimed to include a "Gift Card from Sears".
OpenSSL POC exploit

Exploit code for the older ASN.1 vulnerability in OpenSSL has been posted to
various mailing lists. Please double check that your openssl installs are
current. Remember, some software may not use the dynamic library. Such
software has to be recompiled to link it against the new version.

HP Mystery SSH patch

HP released a patch for ssh on Tru64 Unix. The patch does not state what vulnerability it fixes.
-------------------

Johannes Ullrich, SANS Inst., jullrich at sans.org
Keywords:
0 comment(s)

Comments


Diary Archives