[pchelpers] News: Attack involving .hk domains
- From: Scott McNay <wizard@xxxxxxxx>
- To: pchelpers@xxxxxxxxxxxxx
- Date: Wed, 27 Jun 2007 20:52:05 -0500
Hi folks,
Attack involving .hk domains
2007 June 16
Eric, one of our many valued contributors, wrote in yesterday with
various spam messages that contained nothing but a short piece of text
and a link to a very simple HK domain. Different domains were used in
each message.
Subject line: Hello, Pal
Body: look
http://[domain].hk
When investigating this, we noticed that these domains have no less
than 10 authoritative nameservers. Most interesting is that each of
these appears to be located within an ISP's dynamic IP address range.
This is naturally highly suspicious. Random querying for A records
shows that a large number of other compromised hosts are being used to
host the actual website.
On each of these servers, the index.html page contains nastiness:
* One piece of obfuscated javascript code that, once decoded,
appears to exploit a known vulnerability in msdss.dll;
* One piece of obfuscated javascript which contains iframe
inclusion of three other files, exp1.htm, exp2.htm and exp3.htm,
and a link to an icon file, 123.htm. The three HTM files attempt to
exploit three vulnerabilities in Internet Explorer; the 123.htm
file in fact turns out to be a malicious ANI file.
* A final piece of human readable text that invites a user to
click on a link, should the ‘download not start automatically’.
Once you click on this link, a file ‘fun.exe’ will be downloaded
from this same web server.
[...]
This type of well-prepared and extensive attack is very difficult to
shut down, mostly due to the amount of servers and authorities
involved. As such, the most effective way of responding would be to
have the domain itself taken down. This issue has been reported to the
HKCERT as well as the administrators of the .hk TLD. In addition,
we’re working with anti-virus vendors to improve coverage of both the
resulting file and the trojan droppers being used on the malicious
site.
Full article:
http://isc.sans.org/diary.html?storyid=2985&rss
--
Scott.
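The diary's key detection signal is the DNS footprint: a domain served by an unusually large set of nameservers whose addresses sit in ISP dynamic ranges and are spread across unrelated networks. The script below is an added example, not part of the ISC diary or of this list post, showing how a defender can score a domain's NS records against those three heuristics. All records and the "dynamic" CIDR blocks are constructed sample data using the RFC 5737 documentation ranges; a real check would feed it live NS/A lookups and an ISP residential-range list.

```python
"""Score a domain's nameserver set for fast-flux style hosting.

Added example (not from the ISC diary or the pchelpers list). Heuristics
taken from the diary text: many authoritative nameservers, nameserver IPs
inside ISP dynamic ranges, and nameservers scattered across many networks.
"""
import ipaddress

# Constructed sample: hypothetical CIDR blocks standing in for ISP
# dynamic/residential pools (RFC 5737 test ranges, not real ISP data).
DYNAMIC_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed sample: domain -> {nameserver hostname: [A records]}.
# "example-bad.hk" mimics the diary's pattern; "example-ok.hk" is a
# conventionally hosted domain with two nameservers on one network.
SAMPLE_NS_RECORDS = {
    "example-bad.hk": {
        "ns1.example-bad.hk": ["203.0.113.17"],
        "ns2.example-bad.hk": ["203.0.113.88"],
        "ns3.example-bad.hk": ["203.0.113.140"],
        "ns4.example-bad.hk": ["203.0.113.201"],
        "ns5.example-bad.hk": ["198.51.100.5"],
        "ns6.example-bad.hk": ["198.51.100.77"],
        "ns7.example-bad.hk": ["198.51.100.130"],
        "ns8.example-bad.hk": ["198.51.100.201"],
        "ns9.example-bad.hk": ["192.0.2.33"],
        "ns10.example-bad.hk": ["192.0.2.90"],
    },
    "example-ok.hk": {
        "ns1.example-ok.hk": ["192.0.2.10"],
        "ns2.example-ok.hk": ["192.0.2.11"],
    },
}


def in_dynamic_range(ip, ranges=DYNAMIC_RANGES):
    """True if the address falls inside any of the flagged CIDR blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def assess_domain(domain, ns_records, ranges=DYNAMIC_RANGES,
                  ns_threshold=10, dyn_fraction=0.5, prefix_threshold=3):
    """Return a dict of counts plus the reasons (if any) the domain is flagged.

    Thresholds are assumptions chosen for illustration: 10 nameservers
    matches the diary's observation; the other two are round numbers.
    """
    ips = set()
    for addrs in ns_records.values():
        ips.update(addrs)

    ns_count = len(ns_records)
    dynamic_ips = sum(1 for ip in ips if in_dynamic_range(ip, ranges))
    # Collapse each address to its /24 to measure how scattered the set is.
    prefixes = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in ips}

    reasons = []
    if ns_count >= ns_threshold:
        reasons.append(f"{ns_count} authoritative nameservers")
    if ips and dynamic_ips / len(ips) >= dyn_fraction:
        reasons.append(f"{dynamic_ips}/{len(ips)} nameserver IPs in dynamic ranges")
    if len(prefixes) >= prefix_threshold:
        reasons.append(f"nameservers spread across {len(prefixes)} distinct /24s")

    return {
        "domain": domain,
        "ns_count": ns_count,
        "distinct_ips": len(ips),
        "dynamic_ips": dynamic_ips,
        "distinct_24s": len(prefixes),
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    for name, records in SAMPLE_NS_RECORDS.items():
        result = assess_domain(name, records)
        verdict = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{name}: {verdict}; " + "; ".join(result["reasons"]))
```

Each heuristic is reported separately so an analyst can see which one fired; a domain that trips only the nameserver-count rule (large CDNs do) is a weaker signal than one that trips all three, which is the pattern the diary describes.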
--
-------list-services-below-----------
Regards, John Durham (list moderator) <http://modecideas.com/contact.html?sig>
Freelists login at http://www.freelists.org/cgi-bin/lsg2.cgi
List archives at http://www.freelists.org/archives/pchelpers
PC-HELPERS list subscribe/unsub at http://modecideas.com/discuss.htm?sig
Latest news live feeds at http://modecideas.com/indexhomenews.htm?sig
Good advice is like good paint- it only works if applied.