Date: Thu, 16 Feb 2006 08:43:22 -0600 (CST)
From: Gadi Evron <ge@linuxbox.org.>
To: [email protected]Subject: First WMF mass mailer ItW (phishing Trojan)
Message-ID: <Pine.LNX.4.21.0602160836150.10887-100000@linuxbox.org.>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Greylist: Sender is SPF-compliant, not delayed by milter-greylist-1.7.5 (linuxbox.org [127.0.0.1]); Thu, 16 Feb 2006 08:43:23 -0600 (CST)
X-Virus-Scanned: antivirus-gw at tyumen.ru
The first worm (mass mailer) to (ab)use the WMF 0day is now spreading in
Australia.
Our initial reports indicate the worm is not massive, however it steals
financial information from users (Phishing Trojan from a known group) it
infects and is causing quite a buzz in Australian media. We expect it to
break as a full-blown media hype this morning, tops tomorrow morning.
The worm *does* do the said damage, but as we said does not seem to be
widely spread. No reports outside of Australia have been received as of
yet.
The emails themselves do not contain the payload, but rather a URL to
sites that will infect users. Both the sites who did this are now down, I
expect the next one to be up soon (or the bad guys will just get a new
variant out in a few days). Abusing websites is mostly how WMF is
exploited, but no much in the way of emails before today.
(almost) All anti virus vendors do not detect this worm (it?s new), a
couple detect it heuristically. (almost) All anti virus vendors detect the
attachment regardless because of the WMF exploit detection routines.
Hopefully, all AV companies will detect this soon. I know most will.
If you are in Australia, you already heard about this for sure.. but not
clearly. Otherwise, this is it before the media gets their hands on it.
"Regular Phishing" as we all know it, asking us for information by means
of simple email is alive, kickin` and will still be with us 10 years from
now. However, it is slowly decreasing in volume while Phishing Trojan
attacks are getting more and more common.
We will update as necessary when we know more. The Australians have done a
good job on this.
If necessary I will also update on this in real time over at
http://blogs.securiteam.com where this text is located.
Gadi