1 Overview
Not all people that send undesirable email (spam) are the same. Their motives differ as greatly as their tools and technical abilities. This document uncovers a spam gang who seeks to acquire your banking information, and the response from one of the targeted victims: Citibank.
This document describes the unique bulk-mailing tool used for recent rash of financial email scams. These scams target financial entities such as Citibank, Wells Fargo, Halifax Bank, eBay, and Yahoo. Only one specific spam gang uses this tool for these financial scams. This spam gang started slow with only a few members, but has increased in both gang membership and spam volume.
All emails and headers are provided unmodified with the following exception: all personal information has been modified to protect the identity of the recipient. These modifications are denoted with bold and underlined typeset. Every effort has been made to retain the same data format without disclosing personal information. For data taken from the public domain, such as newsgroup postings and messages from open forums, no effort has been made to modify the data or protect the publicly disclosed recipient.
2 The Citibank Scam
With the growth of online banking comes online fraud. These schemes vary from web sites that "look" like the actual financial institution to email asking for personal banking information. At first glance, the email below (Fig. 1) looks like just another one of these simple bank fraud schemes.
| Figure 1: Sample Citibank Scam |
Received: from host70-72.pool80117.interbusiness.it ([80.117.72.70]) by mailserver with SMTP id <20030929021659s1200646q1e>; Mon, 29 Sep 2003 02:17:00 +0000 Received: from sharif.edu [83.104.131.38] by host70-72.pool80117.interbusiness.it (Postfix) with ESMTP id EAC74E21484B for <e-response@securescience.net>; Mon, 29 Sep 2003 11:15:38 +0000 Date: Mon, 29 Sep 2003 11:15:38 +0000 From: Verify <verify@citibank.com> Subject: Citibank E-mail Verification: e-response@securescience.net To: E-Response <e-response@securescience.net> References: <F5B12412EAC2131E@securescience.net> In-Reply-To: <F5B12412EAC2131E@securescience.net> Message-ID: <EC2B7431BE0A6F48@citibank.com> Reply-To: Verify <verify@citibank.com> Sender: Verify <verify@citibank.com> MIME-Version: 1.0 Content-Type: text/plain Content-Transfer-Encoding: 8bit Dear Citibank Member, This email was sent by the Citibank server to verify your e-mail address. You must complete this process by clicking on the link below and entering in the small window your Citibank ATM/Debit Card number and PIN that you use on ATM. This is done for your protection -t- becaurse some of our members no longer have access to their email addresses and we must verify it. To verify your e-mail address and access your bank account, click on the link below. If nothing happens when you click on the link (or if you use AOL)K, copy and paste the link into the address bar of your web browser. http://www.citibank.com:ac=piUq3027qcHw003nfuJ2@sd96V.pIsEm.NeT/3/?3X6CMW2I2uPOVQW y--------------------------------------------- Thank you for using Citibank! C--------------------------------------------- This automatic email sent to: e-response@securescience.net Do not reply to this email. R_CODE: ulG1115mkdC54cbJT469
|
At a quick glance, this email appears to be from Citibank, as it contains a Citibank URL. But a closer inspection indicates a financial scam:
- The email contains multiple misspellings and grammatical errors, such as "becaurse" and "This automatic email sent to:".
- The content contains hash-busters (unique characters in the contents that are used to bypass hash-based spam filters). For example, the "-t-" and "K" in the main paragraphs, and the "y" and "C" before the long lines of hyphens. Different recipients received the message with different hash-buster characters.
- Although the included URL begins with "www.citibank.com", it actually goes to "sd96v.pisem.net" [ref 1]. This server is hosted in Moscow, Russia and is not part of Citibank.
- The email header does not originate from Citibank. Instead, it originated from a DSL system in Italy. Network scans of this host (Appendix A) indicate that the system was likely compromised.
People who clicked on the link saw the Citibank web page and a popup that prompts for login information (Fig. 2, Fig. 3). Although the Citibank web page actually came from Citibank, the popup came from a non-Citibank server. Victims that entered banking information in the popup essentially gave their accounts to an unknown scam artist.
Figure 2: Trojan login popup from 29-Sep-2003.[ref 2] |
Figure 3: Reply screen after entering login information. |
2.1 Mass Mailing Revisions
The 29-Sep-2003 mass mailing (Fig. 1, Fig. 2, and Fig. 3) is actually the second revision of the fraudulent bank emails. The first revision appeared on 16-Aug-2003 and asked the recipient to view new banking terms and conditions. Users who clicked on the link were redirected to a server in China. The first revision included the recipient's email address as a field in the URL. The second revision replaced the address field with a series of random characters. The popup for the second revision only asked for the user's Card and PIN numbers. The third release on 25-Oct-2003 (Fig. 4) was revised to prompt for the user's Card number, PIN number, and expiration date.
In nearly every case, a Russian server was used, either to host the requests, or to act as a web-bug and count the number of hits. For example, the web bug from the first revision can be found here. According to this web-log, there were 107,274 hits on 16-Aug-2003, and 91,573 hits on 17-Aug-2003 (Fig. 5). These were primarily due to responses to the first spam message. In contrast, the day before the mass mailing, there was only one web-log entry, from "68.82.62.191" - a cable modem in Tybouts Corner, Delaware. The Delaware system was used 8 out of 10 times in the week prior to the mass mailing [ref 3] (Fig. 6) and was likely used for testing the web server. It is unclear whether this is the IP address of the actual perpetrator or a compromised host. Network scans of the host suggest the presence of a firewall and no open proxy services, so it is unlikely that the host previously provided an open proxy [ref 4].
Figure 4: The third revision of the Citibank trojan login, from 25-Oct-2003. A server in Moscow, Russia provides the popup but the main window actually is the Citibank home page. |
Figure 5: Number of daily web hits recorded by the Russian web bug from the 16-Aug-2003 Citibank mailing. |
Figure 6: IP addresses from the week preceding the 16-Aug-2003 mailing. A Delaware address repeatedly accessed the web bug prior to the mass mailing. This likely indicates someone testing before the public release. |
3 Linking Scams
In order to operate a spam-based financial scam, three items are required: (1) a bulk mailing tool, (2) an individual or group to operate the tool, and (3) a method to collect victim information. By identifying these items, we can identify related scams by the same spam group, and distinguish these scams from scams initiated by other groups.
3.1 Bulk Mailing Tool
People that send spam operate with millions of email addresses. To generate the emails within a reasonable amount of time, an automated email tool is used. Different tools have different unique traits. In the case of this Citibank scam, the tool has a unique "Message-ID" value in the email header: 16 to 17 characters consisting of "A-Z" and "0-9", followed by "@" and the forged sender's domain. Comparing this unique sequence to a large spam collection such as the Great Spam Archive [ref 5] (GSA) and the newsgroup news.admin.net-abuse.sightings (NANAS), we can identify similar messages. For example, between 11-Nov-1997 and 21-Aug-2003 the GSA recorded 17,867 spam messages. Of those, only 16 messages matched the unique signature of this specific bulk-mailing tool. All 16 matches were found clustered in the last five (5) months of the archive.
| GSA Date |
GSA Message-ID value |
GSA Subject |
24 Apr 2003 13:01:55
|
0JJ9H7JGA03EI8A7I@att.net
|
Rich, Hello! My name is John Turner....
|
15 Jun 2003 12:41:00
|
D4CI74IDH3FKH13D@att.net
|
Dear Rich! I've been scammed over...
|
07 Jul 2003 07:43:51
|
2EF98ADD2HG3CJ54@att.net
|
Rich, Any software just for 15$ - 40$
|
17 Jul 2003 10:39:28
|
76E7A5HFIJIHK63C@e-loan.com
|
[Ftpserver] Re: Your E-Loan Refinance..
|
17 Jul 2003 10:46:08
|
6J76H1B289HCC313@e-loan.com
|
Re: Your E-Loan Refinance Application..
|
22 Jul 2003 01:21:52
|
77EGJ4AGC1F3AIB5@wellsfargo.com
|
Re: Wells Fargo Bank New Business...
|
26 Jul 2003 09:43:59
|
JFHAL1CJIB78IFA8@security.org
|
Newsletter
|
26 Jul 2003 23:00:46
|
H8HFB0BB06232180@e-gold.com
|
The Great E-Gold Giveaway!
|
29 Jul 2003 18:39:15
|
4K63GFHLE8FJ1GK7@utp.edu.co
|
Rich, software for you
|
30 Jul 2003 19:03:38
|
3FHG03G0I213JJ92@yahoo.com
|
I want to introduce Stock Cruiser
|
31 Jul 2003 05:26:44
|
BG5L3CAI6J586EK0@headgear.org
|
new mail p1QwvfpX
|
02 Aug 2003 10:21:12
|
J9D9GK1H1IJ47920@hotmail.com
|
Rich,Want sex <rndmx>
|
09 Aug 2003 11:59:24
|
50LJ6D9B4EK320HD@annexia.org
|
Ïëÿæíûé îòäûõ
|
17 Aug 2003 07:58:36
|
2J73600018ECI75J@virtualitas.net
|
Re: mail e4AXAvl8
|
17 Aug 2003 17:49:39
|
FBE6962ED2FJFK58@hotmail.com
|
Rich, Instant Pleasures,
|
20 Aug 2003 19:37:45
|
A60I9A7D890FL51L@cbshost-68-111-42-31.sbcox.net
|
Re: mail 3CPVQp5E
|
Although we expect the GSA to contain more entries by this bulk-mailing tool, the GSA is only updated periodically. The current archive ends on 21-Aug-2003, so more information will not be available until the GSA is updated.
The narrow timeframe and near weekly appearance of spam from this bulk-mailing tool by the GSA recipient indicates a number of factors. First, there is likely only one or two senders using the tool; this tool does not have a large distribution. Second, the tool takes between 3 days and a week to cycle through the entire address list. Because the same email recipient does not receive every mass mailing, the spam gang is likely using subsets from their mailing list. The subsets may be due to a slow network connection (e.g., DSL or dialup) rather than an intentional selection of recipients. Finally, the minor change from 17 to 16 characters in the Message-ID, between the first and second observed messages, indicates that the sender is likely also the developer.
3.2 Scam Content Analysis
Most of the email messages sent by this group contain grammatical errors and spelling errors (Fig. 7). For example, "I am the customer" is correct in Spanish, German, and other Slavic- and Latin-based languages, but proper English would be, "I am a customer." The errors are similar to those made by Europeans who have English as a second language. In addition, the currency notations match European notations ("300$" instead of "$300").
| Figure 7: GSA 24-Apr-2003 Contents |
Hello. My name is John Turner.... I am the customer of AURUM INVESTMENT There is nothing like this program. At first I spent 800$ and in 4 weeks I have earned more than 300$ of profit I am really impressed. You doesnt get any better than this. Just follow the link http://am-it.biz//sign.php?ref_id=28934887 There is only one honest way to get money: to invest them wisely Money and you must keep a good company, right?
|
Although the spam topics used by this bulk-mailing tool rotate, there appears to be two distinct content types (Fig. 8, Fig. 9). The first type indicates a spam sender that delivers content for bulk-message customers (spammer for hire). The contents offer everything from discount software to penis enhancements. Other bulk-mailing tools have been observed delivering similar messages, but with western currency notations and common American grammatical errors. The grammatical errors and currency notations associated with this specific bulk-mailing tool suggests a European.
The second content type is more interesting: many messages show a desire for banking and credit card information, or for users to download software. These messages do not have the same style of grammatical errors nor the European currency notation. This suggests a different sender than the bulk-message individual. This different sender is likely in the United States or Canada.
| Figure 8: GSA Dates for Financial Fraud |
Figure 9: GSA Dates for Bulk Messages |
24 Apr 2003
15 Jun 2003
17 Jul 2003
22 Jul 2003
26 Jul 2003 (two different instances) |
07 Jul 2003
29 Jul 2003
30 Jul 2003
31 Jul 2003
02 Aug 2003
17 Aug 2003 (two different instances)
20 Aug 2003 |
Besides the GSA, other spam archives have been analyzed. Some archives only contain the "bulk-messages" from this particular spam tool, other archives only contain the "financial fraud" messages, and many archives contain both types of messages. Based on the distinct differences in content, we can conclude that multiple groups use this specific bulk-mailing tool. However, the non-overlapping sending dates, independent mailing lists, and content text that is specific and unique to this tool indicates that (1) the group operating the financial fraud emails are different than the general bulk-message senders, and (2) the financial fraud emails are generated by a single spam gang.
3.3 Collecting Victim Information
The financial fraud spam group appears to use multiple methods for gathering information from fraud victims. Initially the group requested responses by email. These emails went to unverified accounts that likely acted as blind-drops where the information would be either forwarded or gathered later.
3.3.1 Use of Malware
For a brief period, email messages sent by this particular financial fraud spam gang contained hostile attachments (malware). On 17-Jul-2003 a series of email messages were observed being sent from this particular bulk-mailing tool. The first content targeted E-Loan customers and included the "Trojan.Download.Berbew" [ref 6] malware. This trojan code was written in C (not C++ nor Java). This backdoor program attempts to steal passwords and send them to a remote web server. When used in conjunction with the bank scam, the system monitors passwords and presents the user with the actual bank login screen. Thus, when the user logs in, their bank account becomes compromised. On 22-Jul-2003, the same bulk-mailing tool generated a second wave of email. The second wave targeted Wells Fargo and Citibank customers, and included a newer version of Trojan.Download.Berbew.
Trojan.Download.Berbew was not the only malware used by this group. On 26-Jul-2003, an email claiming to come from "admin@security.org" was observed. The text contents contained poor grammar and appeared to have been written in haste. The attachment contained the Exploit-Codebase [ref 7] malware. According to Network Associates:
ref 8
"[Exploit-Codebase] is a generic detection of malware which tries to exploit a Microsoft Internet Explorer vulnerability, which was discovered February 25, 2002. This exploit could result in an executable file being run without the user's permission or knowledge, when visiting a web page or viewing HTML email message. This affects Internet Explorer 4.x and higher, Microsoft Outlook, and Microsoft Outlook Express." []
Exploit-Codebase malware appears to have been written in C, similar to Trojan.Download.Berbew. While it is probable that the same individual created the Trojan.Download.Berbew and Exploit-Codebase malwares, it is unlikely that the malware author actually discovered the Expoit-Codebase vulnerability nearly a year prior.
3.3.2 Web Impersonations
After using email blind-drops and malware, the group quickly progressed to impersonating web sites. The impersonation was done through web redirections. The hypertext transport protocol (HTTP) permits web servers to redirect requests to alternate sites (HTTP 303 return codes). In this case, the gang's web server returned an HTTP 303 return code redirecting browsers to the targeted financial institution. But, the HTTP response may also contain valid HTML code. The valid code usually tells the user that the page has been moved to a new location. This gang used the redirection response's HTML code to generate a popup requesting the victim's banking information. Thus, the main web page is the targeted financial institution, but the popup comes from a hostile server (Fig. 4). The hostile server acts as a blind-drop for victim information.
3.4 Related Financial Scams
The same bulk-mailing tool has been observed sending similar fraudulent content that targets many financial institutions. The table below presents dates and targets that are verifiable based on the sending email tool's unique fingerprint and common text within the messages. But, this is unlikely to be a complete list. Prior to July 2003, this spam gang appears to send "regular" bulk-mailing contents and not imitate financial login screens, a practice known as "phishing". In addition, there is no record of this particular spam tool being used by anyone prior to April 2003.
Although this spam gang has targeted other financial groups, there is a strong emphasis on eBay and Citibank. This apparent preference may indicate a grudge, familiarity, specific knowledge, or specific access. The recent increase in banking targets may indicate a rush to capture more victims before being blacklisted, caught, or ignored.
On 20-Oct-2003 the group attempted a 419 scam [ref 9]. Individuals rarely attempt the 419, or Nigerian scam, because this Ponzi scheme requires a noticeable amount of manpower and resources. The appearance of a 419 by this particular bulk-mailing tool indicates a likely increase in scam operators. There are many different groups that operate 419 scams; the text from this particular email was a poor copy of the 419 scam - other 419 gangs have better contents and better methods to identify themselves as the person in need. Due to the high volume of 419-style scams since April 2003, these approaches have become relatively common, easy to spot, and regularly ignored. In all likelihood, this financial fraud gang's attempt on 20-Oct-2003 was likely a failure. This may also account for the sudden increase in bank impersonations in the following days (5 banks targeted in 3 days). The group may have applied their additional manpower to their proven-successful strategy and simply branched out. In addition, the sudden focus change from USA financial sources to British banks (Barclays, Halifax, Nationwide, and Lloyds) at the end of October likely indicates new spam gang members with familiarity of the UK.
| Targeted Financial Groups |
| Date |
E-Loan |
E-Gold |
Yahoo |
eBay |
PayPal |
Wells Fargo |
Citibank |
One-time Financial Targets |
| 17-Jul-2003 |
Malware |
|
|
|
|
|
|
|
| 21-Jul-2003 |
|
|
|
|
|
Malware |
Malware |
|
| 26-Jul-2003 |
|
X |
|
|
|
|
|
Security.org (Malware) |
| 16-Aug-2003 |
|
|
|
|
|
|
X |
|
| 3-Sep-2003 |
|
|
X |
|
|
|
|
|
| 17-Sep-2003 |
|
|
X |
|
|
|
|
|
| 19-Sep-2003 |
|
|
|
X |
|
|
|
|
| 23-Sep-2003 |
|
|
|
X |
|
|
|
|
| 25-Sep-2003 |
|
|
|
|
|
|
X |
|
| 28-Sep-2003 |
|
|
|
|
|
|
X |
|
| 30-Sep-2003 |
|
|
|
X |
|
|
|
|
| 2-Oct-2003 |
|
|
|
X |
|
|
X |
|
| 4-Oct-2003 |
|
|
|
|
|
|
X |
|
| 5-Oct-2003 |
|
|
|
X |
|
|
|
|
| 9-Oct-2003 |
|
|
|
|
X |
|
|
|
| 18-Oct-2003 |
|
|
|
X |
|
|
|
|
| 20-Oct-2003 |
|
|
|
|
|
|
X |
419 (Nigerian scam) |
| 21-Oct-2003 |
|
|
|
X |
|
|
|
|
| 25-Oct-2003 |
|
|
|
|
|
|
X |
Barclays Bank |
| 26-Oct-2003 |
|
|
|
|
|
|
|
Halifax BankNationwide Bank |
| 27-Oct-2003 |
|
|
|
|
|
|
|
Lloyds Bank |
Malware: Use of email with a hostile attachment.
X: Use of email requesting information by email or hostile web site. |
3.5 Unrelated Financial Scams
Not all financial fraud email messages can be attributed to this particular group. For example, this particular spam gang was not involved with requesting users to update eBay account information on 15-Oct-2003 and 17-Oct-2003; a different spam tool was used to distribute the fraudulent email messages. Additionally, the financial fraud messages from "verify@online-banking.net" that target financial institutions such as Citibank, Wells Fargo, Bank of America, Affinity Bank, and the Union Bank of California, all appear to be from a separate spam gang that focuses on banks located in California.
4 Reporting to Citibank
The first financial-fraud email that we received (Fig. 1) claimed to be from Citibank. As such, we proceeded to report it to Citibank's online fraud reporting system (Fig. 10).
Figure 10: The Citibank online fraud reporting system. |
A few hours later, a response from Citibank was received (Fig. 11). Unfortunately, this reply has a significant number of questionable aspects. In particular:
- The reply discusses fraudulent email content that differs from the submitted email. The submitted content did not discuss money transfers, include a virus, nor contain an attachment, as suggested by the response. This could be due to specific content in a generic form letter.
- The reply concludes with a static string of odd characters. These appear to be a hash-buster (used by spam senders to bypass hash-based spam filters) but never change. Strings such as this have not been observed with other official Citibank email communications.
- The content directs further questions to a toll-free number: 1-877-4-MYCITI. Unfortunately, this toll-free number is not correct. People who call this number receive the following short message: "The number you dialed is invalid." The correct number, according to the Citibank web site, is different than the invalid number provided in the automated reply.
- The content directs future fraud emails to be sent to a non-Citibank email address: hatsu1@aol.com. The owner of this email address is unknown. In no other Citibank web page or official Citibank email is a non-Citibank email address provided. Editor's note: as of 12-Nov-03, this email address is still used in Citibank's response.
- "Cleatis Hawkins" signed the email. According to an operator at Citibank?s correct toll-free number, Cleatis is a real person, but has not worked at Citibank for a few months. There is no evidence to suggest that "Cleatis Hawkins" is responsible or involved with the email scam or possible system compromise. It is unclear how his name became attached to the reply.
No aspect of the email headers appears forged. The reply from Citibank originated from the Citibank Development Center in Los Angeles, California (CDCLA). It is now left to the reader to draw his own conclusions from this email.
| Figure 11: The Citibank reply from 29-Sep-2003. |
Received: from mango2-a.citicorp.com (HELO mango2.citicorp.com) ([192.193.196.141]) (envelope-sender
|
5 Conclusion
A single spam gang, using a unique bulk-mailing tool, appears responsible for the recent rash of financial fraud emails. This gang has targeted over a dozen financial sources, had dabbled in malware, and has struck over 20 times, showing what appears to be a serial pattern.
Attempts to report these findings to Citibank were unsuccessful, and Citibank was unavailable for comment. Citibank has publicly stated that they do not know who has been victimized by the Citibank scams, nor do they know how many victims [ref 10]. In truth, their web logs very likely indicate exactly who fell victim to the 16-Aug-2003 fraudulent Citibank scheme. In addition, Citibank may not be able to identify "who" fell victim on 25-Sep-2003 and 25-Oct-2003 to the second and third revisions of the fraud scheme, but Citibank can identify "how many" victims are likely. This is because the fraudulent web sites used HTML links that directly referenced the financial institution's web site.
6 About the Author
Secure Science Corporation is a professional services and software company that develops advanced technology dedicated to protecting online assets. Clients of Secure Science Corp. are provided with in-depth security evaluations, as well as cost-effective solutions, that are seamless in both deployment and maintenance. Secure Science Corp. is pioneering innovative ways to transform the Internet into a secure environment for both online communications and transactions.
Comments on this article can be sent to e-response@securescience.net or to the SF editor.
The initial fraudulent Citibank email that we received, leading toward this investigation, originated from "80.117.72.70". [Editor's note: this host is now down.] Network scans of host were conducted within five (5) minutes of receipt of the email. The scans indicate that the sending host was likely compromised. It is unclear whether the email sender was responsible for the compromise, or simply found a system with an open proxy server.
7.1 Italy DNS and Whois Scan
Based on the IP address, we can identify the hosting company, country, and often the city. In addition, many service providers indicate the type of network connection. In this case, the host is located in Italy and provided by Telecom Italia. The host is on an ADSL connection.
ping: 80.117.72.70 IS ALIVE! 70.72.117.80.in-addr.arpa domain name pointer host70-72.pool80117.interbusiness.it. % This is the RIPE Whois server. % The objects are in RPSL format. % Rights restricted by copyright. % See http://www.ripe.net/ripencc/pub-services/db/copyright.html inetnum: 80.117.0.0 - 80.117.255.255 netname: TINIT-ADSL-LITE descr: Telecom Italia descr: Accesso ADSL BBB country: IT admin-c: BS104-RIPE tech-c: BS104-RIPE status: ASSIGNED PA remarks: Please send abuse notification to abuse@telecomitalia.it notify: ripe-staff@telecomitalia.it mnt-by: TIWS-MNT changed: net_ti@telecomitalia.it 20020927 source: RIPE
|
7.2 Italy Nmap Results
Nmap is a system utility for determining open services and operating system on a remote host. Nmap is available from http://www.insecure.org/nmap/.
Starting nmap V. 3.00 ( www.insecure.org/nmap/ ) Insufficient responses for TCP sequencing (2), OS detection may be less accurate Interesting ports on host70-72.pool80117.interbusiness.it (80.117.72.70): (The 1617 ports scanned but not shown below are in state: closed) Port State Service 1025/tcp open NFS-or-IIS 1026/tcp open LSA-or-nterm 1027/tcp open IIS 5555/tcp open freeciv 6666/tcp open irc-serv 6699/tcp open napster 8888/tcp open sun-answerbook Remote operating system guess: Windows Millennium Edition (Me), Win 2000, or WinXPN map run completed -- 1 IP address (1 host up) scanned in 88 seconds
|
7.3 Italy Nessus Results
Nessus is a vulnerability scanner and can be used to determine if a host as unspecified services, or known system compromises. Nessus is available from http://www.nessus.org/.
+ 80.117.72.70 : . List of open ports : o NFS-or-IIS (1025/tcp) (Security notes found) o LSA-or-nterm (1026/tcp) o IIS (1027/tcp) o unknown (4455/tcp) (Security hole found) o freeciv (5555/tcp) (Security hole found) o unknown (6186/tcp) o irc-serv (6666/tcp) (Security hole found) o unknown (6699/tcp) o loc-srv (135/udp) o profile (136/udp) o netbios-ns (137/udp) o netbios-dgm (138/udp) o netbios-ssn (139/udp) o microsoft-ds (445/udp) o isakmp (500/udp) o route (520/udp) o general/tcp (Security notes found) o general/udp (Security notes found) . Information found on port NFS-or-IIS (1025/tcp) An unknown service runs on this port. It is sometimes opened by this/these Trojan horse(s): Fraggle Rock md5 Backdoor NetSpy Remote Storm Unless you know for sure what is behind it, you'd better check your system Solution: if a trojan horse is running, run a good antivirus scanner Risk factor : Low . Vulnerability found on port unknown (4455/tcp) : The 'Count.cgi' cgi is installed. This CGI has a well known security flaw that lets anyone execute arbitrary commands with the privileges of the http daemon (root or nobody). Solution : remove it from /cgi-bin. Risk factor : Serious CVE : CVE-1999-0021 BID : 128 . Vulnerability found on port unknown (4455/tcp) : The 'upload.cgi' cgi is installed. This CGI has a well known security flaw that lets anyone upload arbitrary files on the remote web server. Solution : remove it from /cgi-bin. Risk factor : Serious . Vulnerability found on port unknown (4455/tcp) : The Cobalt 'siteUserMod' CGI is installed. Older versions of this CGI allow any user to change the administrator password. Make sure you are running the latest version. Solution : RaQ 1 Users, download : ftp://ftp.cobaltnet.com/ pub/experimental/security/siteUserMod/RaQ1-Security-3.6.pkg RaQ 2 Users, download : ftp://ftp.cobaltnet.com/ pub/experimental/security/siteUserMod/RaQ2-Security-2.94.pkg RaQ 3 Users, download : ftp://ftp.cobaltnet.com/ pub/experimental/security/siteUserMod/RaQ3-Security-2.2.pkg Risk factor : High CVE : CVE-2000-0117 BID : 951 . Vulnerability found on port unknown (4455/tcp) : /cgi-bin/.cobalt/overflow/overflow.cgi was detected. Some versions of this CGI allow remote users to execute arbitrary commands with the privileges of the web server. *** Nessus just checked the presence of this file *** but did not try to exploit the flaw, so this might *** be a false positive See: http://www.cert.org/advisories/CA-2002-35.html Solution : get a newer software from Cobalt Risk factor : High . Information found on port unknown (4455/tcp) A web server is running on this port . Information found on port unknown (4455/tcp) The remote web servers is [mis]configured in that it does not return '404 Not Found' error codes when a non-existent file is requested, perhaps returning a site map or search page instead. Nessus enabled some counter measures for that, however they might be insufficient. If a great number of security holes are produced for this port, they might not all be accurate . Information found on port unknown (4455/tcp) The remote web server type is : Apache/1.3.22 Solution : You can set the directive 'ServerTokens Prod' to limit the information emanating from the server in its response headers. . Vulnerability found on port freeciv (5555/tcp) : The 'guestbook.cgi' is installed. This CGI has a well known security flaw that lets anyone execute arbitrary commands with the privileges of the http daemon (root or nobody). Solution : remove it from /cgi-bin. Risk factor : Serious CVE : CVE-1999-0237 BID : 776 . Vulnerability found on port freeciv (5555/tcp) : The 'webdist.cgi' cgi is installed. This CGI has a well known security flaw that lets anyone execute arbitrary commands with the privileges of the http daemon (root or nobody). *** Nessus reports this vulnerability using only *** information that was gathered. Use caution *** when testing without safe checks enabled. Solution : remove it from /cgi-bin. Risk factor : Serious CVE : CVE-1999-0039 BID : 374 . Warning found on port freeciv (5555/tcp) The 'printenv' CGI is installed. printenv normally returns all environment variables. This gives an attacker valuable information about the configuration of your web server. Solution : Remove it from /cgi-bin. Risk factor : Medium . Information found on port freeciv (5555/tcp) A web server is running on this port . Information found on port freeciv (5555/tcp) The remote web servers is [mis]configured in that it does not return '404 Not Found' error codes when a non-existent file is requested, perhaps returning a site map or search page instead. Nessus enabled some counter measures for that, however they might be insufficient. If a great number of security holes are produced for this port, they might not all be accurate . Information found on port freeciv (5555/tcp) The remote web server type is : Apache/1.3.22 Solution : You can set the directive 'ServerTokens Prod' to limit the information emanating from the server in its response headers. . Vulnerability found on port irc-serv (6666/tcp) : The file /wwwboard/passwd.txt exists. This file is installed by default with Matt's Script wwwboard software. This can be a high risk vulnerability if the password used is the same for other services. An attacker can easily take over the board by cracking the passwd. Solution : Configure the wwwadmin.pl script to put the passwd.txt file somewhere else. Risk factor : High CVE : CVE-1999-0953 BID : 649 . Vulnerability found on port irc-serv (6666/tcp) : The CGI /scripts/tools/newdsn.exe is present. This CGI allows any attacker to create files anywhere on your system if your NTFS permissions are not tight enough, and can be used to overwrite DSNs of existing databases. Solution : Remove newdsn.exe Risk factor : High CVE : CVE-1999-0191 BID : 1818 . Warning found on port irc-serv (6666/tcp) The 'mailnews' cgi is installed. This CGI has a well known security flaw that lets an attacker execute arbitrary commands with the privileges of the http daemon (usually root or nobody). Solution : remove it from /cgi-bin. Risk factor : Serious CVE : CAN-2001-0271 BID : 2391 . Warning found on port irc-serv (6666/tcp) The 'nph-test-cgi' CGI is installed. This CGI has a well known security flaw that lets an attacker get a listing of the /cgi-bin directory, thus discovering which CGIs are installed on the remote host. Solution : remove it from /cgi-bin. Risk factor : Serious CVE : CVE-1999-0045 BID : 686 . Information found on port irc-serv (6666/tcp) A web server is running on this port . Information found on port irc-serv (6666/tcp) The remote web servers is [mis]configured in that it does not return '404 Not Found' error codes when a non-existent file is requested, perhaps returning a site map or search page instead. Nessus enabled some counter measures for that, however they might be insufficient. If a great number of security holes are produced for this port, they might not all be accurate . Information found on port irc-serv (6666/tcp) The remote web server type is : Apache/1.3.22 Solution : You can set the directive 'ServerTokens Prod' to limit the information emanating from the server in its response headers. . Information found on port general/tcp Nmap found that this host is running Windows Millennium Edition (Me), Win 2000, or WinXP . Information found on port general/tcp Remote OS guess : Windows Millennium Edition (Me), Win 2000, or WinXP CVE : CAN-1999-0454
|
8 Appendix B: GSA Email Message Summary
The following table summarizes the email message from the Great Spam Archive that were sent by this group's unique bulk-mailing tool.
| GSA Date |
GSA Content Summary |
| 24 Apr 2003 13:01:55 |
A financial fraud asking people to invest in "AURUM INVESTMENT". The content is unique. The text contains grammatical and spelling errors, and indicates a European author. |
| 15 Jun 2003 12:41:00 |
A financial fraud asking people to invest in a program called "Daily Earnings". The content is unique. The text contains grammatical and spelling errors, and indicates a European author. |
| 07 Jul 2003 07:43:51 |
An offer for discount software from "CheapWarez.com". The content is not unique: other spam tools have been observed using the same text. But, the text has been modified to use European dollar values ("15$") rather than the American notation ("$15"). In addition, the original text used an IP address in the URL. This likely indicates that the spam sender has negotiated an agreement for sending content for this site. |
| 17 Jul 2003 10:39:28 |
Financial fraud requesting E-Loan account information. The attachment is a trojan called "Trojan.Download.Berbew" [ref 11]. It was written in C (not C++). The backdoor program attempts to steal passwords and send them to a remote web server. When used in conjunction with this spam, the system monitors passwords and presents the user with the actual bank login screen. Thus, when the user logs in, their login information is compromised. |
| 17 Jul 2003 10:46:08 |
A second E-Loan fraud message. This indicates that the address list contains two names associated with the GSA. 22 Jul 2003 01:21:52 Financial fraud requesting Wells Fargo information. It also contains Trojan.Download.Berbew. A similar mailing was observed on NANAS targeting Citibank customers. But, the executable appears to be modified; the reporting server address changed and a few other minor differences indicating a work-in-progress. |
| 26 Jul 2003 09:43:59 |
A scam claiming to come from "admin@security.org". The content contains poor grammar and appears to have been written in haste. The attachment contains Exploit-Codebase [ref 12]. According to Network Associates, "This is a generic detection of malware which tries to exploit a Microsoft Internet Explorer vulnerability, which was discovered February 25, 2002. This exploit could result in an executable file being run without the user's permission or knowledge, when visiting a web page or viewing HTML email message. This affects Internet Explorer 4.x and higher, Microsoft Outlook, and Microsoft Outlook Express." It is unlikely that the author of this bulk-mailing tool also discovered this vulnerability. |
| 26 Jul 2003 23:00:46 |
Financial scam for E-Gold. The URL redirects the user to a false login screen. The login appears to be for www.e-gold.com, but is actually running on a different server. Users that enter their e-gold login information compromise their account. |
| 29 Jul 2003 18:39:15 |
Offer for free software. This same content appears in NANAS periodically between 31-May-2003 and 12-Sep-2003. This could be related to the GSA 7-Jul-2003 software relationship. |
| 30 Jul 2003 19:03:38 |
Similar to the 15-Jun-2003 "Daily Earnings" software, this content offers "Stock Cruiser" software. Similar text content was seen in NANAS between 15-Jun-2003 and 23-Dec-2002. But, the dollar amounts in the new message matches the European notation. |
| 31 Jul 2003 05:26:44 |
An offer for free email. Text is present in both English, and the Windows-1251 character set (Cyrillic, Russian, and other Slavic languages). The hosting site is located in Moscow, Russia. |
| 02 Aug 2003 10:21:12 |
An offer for pornography. |
| 17 Aug 2003 07:58:36 |
A free email offer similar to the GSA 31-Jul-2003 record. But the text is strictly in English. |
| 17 Aug 2003 17:49:39 |
An offer to increase your sexual organ size. Although NANAS reports sightings of this content dating back to 16-Jan-2003, this particular bulk-mailing tool has only recently began to use the content. In addition, while this tool has been observed sending this particular content, other bulk-mailing tools have also been observed delivering the content. This indicates an agreement to deliver spam for other companies. |
| 20 Aug 2003 19:37:45 |
A free email offer identical to the 17-Aug-2003 email and similar to the 31-Jul-2003 email. |
|