One of our team members received anunsolicited but interesting email recently confirming his new accountat a certain website, and containing the login username and password.The email was addressed to him personally using his full name soundoubtedly his details were mined from somewhere on the Internet.
Using a secure computer he investigated by going first to the rootdirectory of the domain in the email, and found that it appeared to bea legitimate site. However upon then moving to the directory which waspart of the login URL contained in the email, he discovered exploitcode targeting the Microsoft Windows Media Player Plugin BufferOverflow Vulnerability (BID 16644).
The page contains shell code that downloads and runs an executable filewhich in turn drops other malware onto the computer. This malware isinjected into the explorer.exe process and scans all directories andfiles on both the compromised computer and any networked computers. Itlists them in a log file and attempts to upload the file to a remoteserver, which is different from the original one hosting the exploitcode.
Interestingly the threat also attempts to upload a whole range offiles from victim machines, including ones with extensions such as.exe, .mp3, .cab, .wav that may potentially include some very largefiles. It would probably be easy to notice the degradation in networkperformance as so many files were being uploaded.
What was interesting about this particular case was not the exploititself (which is certainly not new) nor the use of SPAM to spread theseed of the attack, but the method employed by the author to enticepeople to the compromised website in order to infect them: byattempting to trick them into thinking they had signed up for a mailinglist or forum of some kind. Curious types might then be tempted tocheck out what they had signed up for, and of course have theircomputers infected in the process. It was also puzzling why theattacker would attempt to upload so many potentially large files andrisk being detected doing so.
This threat is detected by Symantec as Infostealer.Winotim.
As always, it pays to be vigilant when dealing with unsolicited emails, no matter the source, subject or content.
Update - July 27, 2007
These unsolicited emails may have the following characteristics:
From:(One of the following)
Hmoz.net Support [mailto:firstname.lastname@example.org]
Subject:(One of the following)
Hmoz.net: signup confirmation
Hmoz.net: Your account confirmation
Thank you for using Hmoz.net !
This account created 26 Jul 2007 06:42:01 PM
from IP address < [REMOVED] >
User Name: [EMAIL ADDRESS]
Click here to login:
Your account ID:10641600
If you use anti-spam email software, be sure to add '[FROM EMAIL ADDRESS]' to your list of approved senders.