[Full-disclosure] Spam exploiting MS05-016

From: Nick FitzGerald (nick_at_virus-l.demon.co.uk)
Date: Mon, 30 May 2005 01:30:52 +1200 (archived 05/29/05)
To: full-disclosure@lists.grok.org.uk

  • Next message: Gadi Evron: "[Full-disclosure] Wide-scale industrial espionage using Trojan horses in Israel"


    Yesterday at least two of my spam-traps received the following message
    (I've elided the MIME boundary values just in case...):

       Subject: We make a business offer to you
       MIME-Version: 1.0
       Content-type: multipart/mixed;
               boundary="[...]"

       [...]
       Content-Type: text/plain;
               charset="Windows-1252"
       Content-Transfer-Encoding: 8bit

       Hello! It is not spam, so don't delete this message.
       We have a business offer to you.
       Read our offer.
       You can increase the business in 1,5 times.
       We hope you do not miss this information.

       Best regards, Keith

       [...]
       Content-type: application/octet-stream;
               name="agreement.zip"
       Content-Transfer-Encoding: base64
       Content-Disposition: attachment;
               filename="agreement.zip"

       <<encoded ZIP file data>>

    There are a few trivial differences between the messages to the
    different addresses I checked, so don't anyone try to turn the above
    into a totally literal filtering rule...

    Anyway, the "agreement.zip" attachment held only one file, apparently
    called "agreement.txt", but on closer inspection it turned out the file
    was called "agreement.txt " where the apparent trailing space was
    actually a 0xFF character. This "pseudo-TXT" file was, in fact, an
    OLE2 format file (originally a Word document file) with the OLE2 Root
    Entry CLSID set to that of the Microsoft HTML Application Host (MSHTA).
    This was all done as per the description in the iDEFENSE advisory
    announcing this vulnerability:

       http://www.idefense.com/application/poi/display?id=231&type=vulns

    This "pseudo-TXT" file is an example of what is produced by the PoC
    generator posted to Bugtraq. Oddly, that message is not archived in
    SecurityFocus' own mailing list archives, but its PoC code is listed
    with the vulnerability's BID entry:

       http://www.securityfocus.com/bid/13132/info/

    That PoC may be identified from the comment at the top of its code:

       MS05-016 POC
       Made By ZwelL
       zwell@sohu.com
       2005.4.13

    Anyway, the "agreement.txt " file contained a script to write a text
    file with commands and responses for use with the Windows ftp client
    via its "-s" option and further commands to run ftp with those scripted
    commands and then to run the executable that ftp script would cause to
    be downloaded from a Russian web site. At the time of writing, that
    site is still up and the executable that is downloaded (a backdoor) is
    the same one that was there when the spam was first seen.

    If you haven't installed the MS05-016 Windows Shell patch yet:

       http://www.microsoft.com/technet/security/bulletin/ms05-016.mspx

    or at least taken reasonable precautions to defang possible
    exploitation of this vulnerability (particularly through MSHTA), it
    would be advisable to do so now. When initially discovered, only two
    of more than 20 tested virus scanning engines detected the exploit in
    "agreement.txt ". Since alerting the antivirus developer community of
    the field discovery of this exploit, a couple more "big name" scanners
    have added a degree of detection for this exploit, and I expect that
    number to grow as the new week dawns and new updates are pushed to
    customers.

    -- 
    Nick FitzGerald
    Computer Virus Consulting Ltd.
    Ph/FAX: +64 3 3267092
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/
    
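The attachment pattern described in the post (a byte 0xFF after the ".txt" extension so the name looks like it ends in a space, an OLE2 compound file presented as a text file, and a Root Entry CLSID pointing at the MSHTA host) is mechanical enough to check for automatically. The script below is an added example and is not part of Nick's post, the iDEFENSE advisory or the ZwelL PoC: it builds a constructed sample in memory that mirrors the attachment (a minimal OLE2 file with the MSHTA CLSID in its Root Entry, zipped under "agreement.txt" plus a trailing non-ASCII byte) and then runs three checks over every ZIP entry. The CLSID value is the well-known one for Microsoft HTML Application Host; the watch-list, the list of "harmless" extensions and all function names are my own assumptions for the example.

```python
"""Added example (not from the original post): triage a ZIP attachment for the
MS05-016 delivery trick described above.  Three checks per entry:
  1. non-printable / non-ASCII bytes after the extension ("agreement.txt " + 0xFF),
  2. OLE2 compound-file content behind a text-file extension,
  3. an OLE2 Root Entry CLSID on an assumed watch-list (here: MSHTA).
"""
import io
import struct
import uuid
import zipfile

OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
# Assumed watch-list; the value is the well-known CLSID of mshta.exe's host object.
WATCHED_CLSIDS = {"3050f4d8-98b5-11cf-bb82-00aa00bdce0b": "Microsoft HTML Application Host (MSHTA)"}
HARMLESS_EXTENSIONS = ("txt", "text", "log")          # assumed: extensions users trust
ENDOFCHAIN, FATSECT, FREESECT = 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF


def build_ole2_with_root_clsid(clsid: str, trailer: bytes = b"") -> bytes:
    """Constructed sample: a 3-sector OLE2 file (header, FAT, directory) whose Root
    Entry CLSID is `clsid`.  `trailer` is appended after the sectors only to mimic
    embedded script text; it is not reachable through the directory."""
    header = bytearray(512)
    header[0:8] = OLE2_MAGIC
    struct.pack_into("<HHHHH", header, 24, 0x3E, 3, 0xFFFE, 9, 6)   # ver, byte order, shifts
    # dir sectors, FAT sectors, first dir sector, txn sig, mini cutoff, mini FAT, DIFAT
    struct.pack_into("<IIIIIIIII", header, 40, 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<I", header, 76, 0)                           # DIFAT[0] -> FAT sector 0
    header[80:512] = b"\xFF" * (512 - 80)                            # unused DIFAT slots
    fat = struct.pack("<II", FATSECT, ENDOFCHAIN) + b"\xFF" * (512 - 8)
    root = bytearray(128)
    name = "Root Entry".encode("utf-16-le") + b"\x00\x00"
    root[0:len(name)] = name
    struct.pack_into("<HBBIII", root, 64, len(name), 5, 1, FREESECT, FREESECT, FREESECT)
    root[80:96] = uuid.UUID(clsid).bytes_le                          # the field MS05-016 abuses
    struct.pack_into("<I", root, 116, ENDOFCHAIN)
    return bytes(header) + fat + bytes(root) + b"\x00" * (512 - 128) + trailer


def ole2_root_clsid(data: bytes):
    """Return the Root Entry CLSID of an OLE2 file as a lowercase string, else None."""
    if not data.startswith(OLE2_MAGIC) or len(data) < 512:
        return None
    sector_shift = struct.unpack_from("<H", data, 30)[0]
    first_dir_sector = struct.unpack_from("<I", data, 48)[0]
    offset = (first_dir_sector + 1) << sector_shift                  # sector 0 follows the header
    if offset + 128 > len(data):
        return None
    entry = data[offset:offset + 128]
    if entry[66] != 5:                                               # object type 5 = root storage
        return None
    return str(uuid.UUID(bytes_le=entry[80:96]))


def raw_name_bytes(info: zipfile.ZipInfo) -> bytes:
    """Recover the name bytes as stored.  Names without the UTF-8 flag (bit 11) are
    decoded by Python as cp437, which turns byte 0xFF into U+00A0 (a non-breaking
    space); that is why the real attachment looked like "agreement.txt "."""
    if info.flag_bits & 0x800:
        return info.filename.encode("utf-8")
    return info.filename.encode("cp437", errors="replace")


def suspicious_name(raw: bytes):
    """Flag an extension containing bytes outside printable ASCII (0x21..0x7E).
    Returns (claimed_extension, offending_bytes) or None."""
    _, sep, ext = raw.rpartition(b".")
    if not sep:
        return None
    bad = bytes(b for b in ext if b < 0x21 or b > 0x7E)
    if not bad:
        return None
    return bytes(b for b in ext if 0x21 <= b <= 0x7E).decode("ascii").lower(), bad


def triage_zip(zip_bytes: bytes) -> list:
    """Run the three checks over every entry; returns (entry_name, finding) tuples."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            raw = raw_name_bytes(info)
            hit = suspicious_name(raw)
            claimed = hit[0] if hit else raw.rpartition(b".")[2].decode("ascii", "replace").lower()
            if hit:
                findings.append((info.filename, f"non-printable bytes {hit[1]!r} after .{hit[0]}"))
            head = zf.open(info).read(1 << 20)                       # enough for the directory
            if head.startswith(OLE2_MAGIC):
                if claimed in HARMLESS_EXTENSIONS:
                    findings.append((info.filename, f"OLE2 compound file disguised as .{claimed}"))
                clsid = ole2_root_clsid(head)
                if clsid in WATCHED_CLSIDS:
                    findings.append((info.filename, f"Root Entry CLSID {clsid} = {WATCHED_CLSIDS[clsid]}"))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample mirroring the spam: one entry, 'agreement.txt' + U+00FF
    (zipfile stores it UTF-8 flagged, so the raw tail is C3 BF rather than FF),
    containing OLE2 data whose Root Entry CLSID is the MSHTA one."""
    ole = build_ole2_with_root_clsid(next(iter(WATCHED_CLSIDS)), b"<!-- stand-in for the dropper script -->")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("agreement.txt\xff", ole)
    return buf.getvalue()


if __name__ == "__main__":
    for entry, finding in triage_zip(build_sample_zip()):
        print(f"{entry!r}: {finding}")
```

On the constructed sample all three checks fire; a ZIP holding a plain "readme.txt" produces no findings. The extension check works on the stored bytes rather than the decoded name on purpose: a mail gateway that only looks at the decoded string would see a harmless-looking space.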

