Symantec Corp.s Threat Analyst Team has discovered an exploit in the wild that utilizes the recently announced JPEG vulnerability in Microsoft Corp.s GDI+ library to install a new and sophisticated phishing system.
eWEEK.com spoke with Oliver Friedrichs, senior manager of Symantec Security Response, who said the infected image is not able to attack a system from within Internet Explorer or Outlook, but only from within Windows Explorer, the file system browsing utility. Therefore, an attacker would likely need to entice a user to view the file from within the file system. Perhaps for this reason, Symantec says the spread of the attack is limited for now.
This was the most feared scenario for this vulnerability. Because of the nature of this particular attack, as a heap-based integer underflow vulnerability, implementations of the attack are likely to be specific to the application, perhaps even versions of the application, in which the image is viewed. Friedrichs says that it may not be possible to exploit the vulnerability from within Outlook or Outlook Express.
Once the user views the infected JPEG image, named ducky.jpg, the exploit code launches and downloads a file named ll.exe from the site maybeyes.biz. This file is saved as y.exe in the c: directory and executed. y.exe then downloads a second file from maybeyes.biz, upd.exe, and saves it as divxencoder.exe in the %SYSTEMROOT% directory (usually c:windows) and executes it. This file then injects a DLL file embedded in it into Windows explorer.exe.
eWEEK.com confirmed in testing that Symantec anti-virus programs detect the infected JPEG as Trojan.Ducky and the two executable files that follow it as Trojan.Spabot and Downloader.Trojan. Symantec recommends strongly that users apply the proper Microsoft patches in addition to running current anti-virus software.
Next page: How the phishing attack works.
How the phishing attack
works”>
The DLL, now infecting Windows Explorer, contacts a different system on the same provider network as maybeyes.biz and downloads from it an XML-based template file. This file describes the phishing spam message to be sent from the infected system and the e-mail addresses to which it should be sent. Analysis on the DLL is not complete.
The message itself is a phishing message appearing to come from Citibank and asking the user to go to a specified Web site to confirm personal data or else, so the message claims, access to the users account will be blocked. The body of the message itself is not text, but an image map, presumably to make it more difficult for counter-measures to work. Instead of scanning for text in the message, patterns in or checksums of the image will have to be employed, although these are often easily defeated with slight randomization of the body of the image.
If the user clicks on the link portion of the image, he or she is brought to a Web page residing on a system belonging to a Comcast user. The page brings up a browser window in the background with the actual Citibank home page to give the appearance of legitimacy and a popup in the foreground belonging to the attacker. The popup requests personal information.
Symantec says it has informed the authorities of all the details of the particular systems involved in this attack, and yet maybeyes.biz still appears to be running and hosting the infected files as of noon on Oct. 1. According to records of ARIN (American Registry for Internet Numbers) the address for the system is allocated to a D. Placek through Managed Solutions Group Inc. and is a private residence. The other specific addresses involved in the attack no longer appear to be up. Its unclear if the worm is sophisticated enough to recover and check elsewhere if the sites are down.
Symantec believes that the attackers were not novices and had prepared this phishing system in advance, waiting for a suitable vulnerability to come along and be used as a hook for installing the phishing attack. The sophisticated multistage attack will likely reappear in improved form as the attackers learn from their experience with it.
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis.
Be sure to add our eWEEK.com developer and Web services news feed to your RSS newsreader or My Yahoo page