Re: [Fwd: Re: AIM Password theft]

From: Mark Coleman (markc_at_uniontown.com)
Date: 09/23/03

    Date: Tue, 23 Sep 2003 15:27:41 -0400
    To: "Cullen, Michael" <michael.cullen@umusic.com>
    
    

    This issue has been confirmed via a telephone conversation with an
    anonymous party who saw my email to the list. This was a person
    involved with one of the systems/services remotely involved, and was
    very credible and knowledgeable. This appears to be an exploit that is
    live in the wild.

    This is an exploit that apparently abuses an IE vulnerability to pull
    usernames/passwords from the registry, where I guess it then uses the
    newly obtained buddy list to attempt to "spread" by sending a link to
    itself to the buddies. Any who click on the link are also "infected"
    (for lack of a better word).

    I haven't visited this MS link yet, but this is a link that supposedly
    describes the problem according to the tech I spoke with:

    http://msdn.microsoft.com/library/default.asp?url=/workshop/author/hta/overview/htaoverview.asp

    The exploit itself is not new, but the delivery mechanism to steal an
    AIM account to deliver the link is (from what I understand).

    For the list's reference, the sequence of events I have so far is as
    follows:

    An AIM user received this email message (including headers) to the
    account registered with their AIM (username hidden):

    -----------------(Start Email Message)---------------------------------
    Received: from newman-d02.blue.aol.com ([205.188.210.41])
              by sccrmxc13.comcast.net (sccrmxc13) with SMTP
              id <2003xxxxxx854s1300qcljue>; Tue, 23 Sep 2003 13:38:54 +0000
    From: AOL Instant Messenger
    <changeold_4_85xxxxxxxxxxxxxxxxxxxxxxxxxxx(usernamehidden)@newman.oscar.aol.com>
    To: (usernamehidden)
    Subject: AIM Address Change
    Date: Tue, 23 Sep 2003 09:38:54 EDT
    Message-ID: <20030xxxxxxx854.17121.06113570@newman-d02.aol.com>
    Mime-Version: 1.0
    Content-Type: text/plain; charset=us-ascii
    Content-Transfer-Encoding: 7bit

    Dear AIM(SM) user,

    (usernamehidden) has asked to change the e-mail address for the
    following screen name from (usernamehidden) to dent2aim@yahoo.com:

    (usernamehidden)

    If you DO NOT wish to make this change, PLEASE REPLY to this e-mail
    and type 'OK' as the text of your message. If we receive your reply
    within 72 hours the change request will be canceled.

    If you want this change to take place, you can ignore this e-mail.
    Instead, go to your new e-mail address and confirm the e-mail we are
    sending there. Only reply to this e-mail if you do not want to change
    your AOL Instant Messenger e-mail address.

    Thank you for using the AOL Instant Messenger(SM) service.
    -----------------(End Email Message)------------------------

    Being suspicious of this email, he did nothing.

    At some point during the same morning (this a.m.), this user was also
    sent a link via AIM to visit a web page, www.haxr.org, from someone in
    his buddy list. (Not known if this was before or after the above email
    arrived; I would conclude the email came after this AIM solicitation, as
    that would make sense for the infection to happen after he visited the URL.)

    I believe this user visited the link, but they claim no recollection of it.

    Shortly afterwards, all members of this user's buddy list also received
    solicitations to visit www.haxr.org, and this user's AIM account was
    compromised and he was locked out. At least one other user visited the
    site. This second user subsequently had their AIM account locked out,
    saying it was in use elsewhere. About this time I blocked all access to
    www.haxr.org. All users who have visited the link appear to have had
    their AIM accounts compromised, as they are all unable to log in. I
    have instructed them all to contact the members of their buddy lists and
    ask them to not visit any sites that get advertised to them.

    Viewing the logs in the email server, it appears that the above email
    was legitimately from AOL, at least from their network. I went ahead
    and formed a reply to prevent the address/password change from
    happening, no word yet on the success/failure of the reply.

    The second infected user used an option on the AIM website to have their
    password emailed to them, and surprisingly they received an email
    response, and their password was the letter "a" followed by several
    lines of whitespace. This user continues to try to regain control of
    their AIM account, but they are in a pinch because the AOL system will
    not allow them to do anything without the password EXCEPT retrieve the
    password via email, and it's an invalid password in the compromised
    format of the letter "a" followed by all the whitespace.

    The CRCs of the AIM executables are unchanged on the workstation. We
    watch processes on all machines and check CRCs of them, and there have
    been no additional executables running on the machine, and no changes to
    any existing executables. A sniffer currently sees no additional
    suspicious traffic to/from this machine. These machines are in the care
    and control of another department, but I have them checking the registry
    entries and such, haven't heard anything yet from them. These machines
    do pass through my various Intruder Detection Systems, and they are
    showing no suspicious traffic whatsoever.

    I am in the process of creating a snort rule that will trigger on static
    portions of the malicious vbs code as my first step, and will be
    checking the patch level of IE of those workstations from their
    administrator.

    Questions: is it normal practice for AOL to change an email
    address/password without email confirmation, sending confirmation to
    only ABORT the change by replying to an email? Also, can anyone on the
    list make a suggestion to help mitigate damages, and/or detect other
    domains/pages from having similar malicious code?

    Thanks.. more to come as the answers reveal themselves...
     
    -Mark Coleman

    Please note that this is my personal email address, none of the above
    activities or events occurred on the network or hosts providing service
    for this email account.

    Cullen, Michael wrote:

    >I did some searching in the registry of Windows XP and 2000 machines with
    >AIM loaded on it. They did not have any of the keys indicated in the
    >'code.txt' file. This would lead me to think that either:
    >
    >1. Users would have to have the client version of AOL installed and then
    >install the AIM client (not sure since I have never had AOL)
    >
    >2. Maybe this was written for Windows 95/98.
    >
    >
    >-Michael Cullen
    >
    >-----Original Message-----
    >From: Mark Coleman [mailto:markc@uniontown.com]
    >Sent: Tuesday, September 23, 2003 9:43 AM
    >To: bugtraq@securityfocus.org
    >Subject: [Fwd: Re: AIM Password theft]
    >
    >
    >Hi, can anyone shed some light on this for me? If this is new, it's
    >going to spread like wildfire. AOL or incidents lists have yet to
    >reply.... it appears to be a legitimate threat as I have at least one
    >user "infected" already.. Thank you..
    >
    >-Mark Coleman
    >
    >--------------
    >
    >Hi, please find attached the vbs code that appears to be running when
    >visitors hit www.haxr.org.
    >
    >This reportedly pulls username/password from registry of AIM accounts,
    >then something elsewhere gets buddy lists through this password theft
    >and sends links to them via AOL to start the process again.
    >
    >We've had at least one "infection" if you want to call it that, and a
    >user's AIM account was hijacked and this link sent to all users in his
    >buddy list which then propelled the "infection" as they click the link
    >to www.haxr.org.
    >
    >Does anyone have any information about this issue? Any help on this
    >would be greatly appreciated. Still chasing it down..
    >
    >-Mark Coleman
    >
    >
    >
    >Mark Coleman wrote:
    >
    >
    >
    >>I just started investigating a report that appears to have merit of a
    >>username/password theft of AIM accounts.
    >>
    >>Users are being directed to a web page located at www.haxr.org where
    >>the source appears to run a javascript program that is purportedly
    >>stealing AIM usernames/passwords/buddy lists.
    >>
    >>Does anyone have any information related to www.haxr.org or the
    >>technique being used?
    >>Please be careful when visiting the page, it pulls script off of a
    >>yahoo site.
    >>
    >>I am finding nothing in any of the initial searches that I am doing.
    >>
    >>Any help/insight would be greatly appreciated.
    >>
    >>-Mark Coleman
    >>
    >>
    >>
    >>
    >>
    >
    >
    >
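Added example, not part of Mark's post or anything the list supplied: the first thing a mail admin would do with the "AIM Address Change" notice is check where it actually entered the mail system. The From: line is attacker-controllable; the bracketed peer IP in the earliest Received header is what the receiving MTA observed. The message text below is a constructed copy of the notice quoted in the post (From: line re-indented so a standard parser accepts it), and the 205.188.0.0/16 allow-list is an assumed placeholder for whatever netblocks the operator has verified as the provider's outbound relays, not a confirmed list.

```python
import email
import ipaddress
import re

# Constructed sample, modelled on the notification quoted in the post above.
# Host and IP on the Received line are the ones shown there; the folded
# "From:" continuation is indented so the stdlib header parser accepts it.
SAMPLE_MESSAGE = """\
Received: from newman-d02.blue.aol.com ([205.188.210.41])
          by sccrmxc13.comcast.net (sccrmxc13) with SMTP
          id <2003xxxxxx854s1300qcljue>; Tue, 23 Sep 2003 13:38:54 +0000
From: AOL Instant Messenger
          <changeold_4_85xxxxxxxxxxxxxxxxxxxxxxxxxxx(usernamehidden)@newman.oscar.aol.com>
To: (usernamehidden)
Subject: AIM Address Change
Date: Tue, 23 Sep 2003 09:38:54 EDT
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii

Dear AIM(SM) user,

(usernamehidden) has asked to change the e-mail address for the following
screen name from (usernamehidden) to dent2aim@yahoo.com:

If you DO NOT wish to make this change, PLEASE REPLY to this e-mail
and type 'OK' as the text of your message. If we receive your reply
within 72 hours the change request will be canceled.
"""

# Placeholder allow-list (assumption): netblocks the operator has verified as
# the provider's outbound mail relays. Replace with a checked list in practice.
TRUSTED_SENDER_CIDRS = ("205.188.0.0/16",)

_IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def originating_ip(raw_message):
    """IP of the host that handed the message to the first relay we trust.
    Each hop prepends a Received header, so the earliest hop is the LAST one
    in header order; its bracketed address is the TCP peer the MTA saw."""
    msg = email.message_from_string(raw_message)
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = _IP_IN_BRACKETS.search(received[-1])
    return m.group(1) if m else None


def from_domain(raw_message):
    """Domain part of the From: header (sender-controlled, shown for contrast)."""
    sender = email.message_from_string(raw_message).get("From", "")
    m = re.search(r"@([A-Za-z0-9.-]+)", sender)
    return m.group(1).lower() if m else None


def assess(raw_message, trusted_cidrs=TRUSTED_SENDER_CIDRS):
    """Summarise the checks worth running on a change-notification like this."""
    ip = originating_ip(raw_message)
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    in_trusted = ip is not None and any(ipaddress.ip_address(ip) in n for n in nets)
    body = email.message_from_string(raw_message).get_payload().upper()
    # The notice cancels the change only if the recipient replies; doing
    # nothing lets it proceed. Flag that pattern for human review regardless
    # of where the mail came from.
    silence_means_consent = "REPLY" in body and "CANCEL" in body
    return {
        "originating_ip": ip,
        "from_domain": from_domain(raw_message),
        "from_trusted_network": in_trusted,
        "silence_means_consent": silence_means_consent,
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_MESSAGE).items():
        print(f"{key}: {value}")
```

A "true" for from_trusted_network only says the mail traversed the provider's relays, which matches what Mark saw in his server logs; it says nothing about whether the change request inside it was initiated by the account owner, which is why the silence-means-consent flag is reported separately.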

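Added example, not code from the post or from code.txt (which is not reproduced here): Mark's plan is a snort rule on static portions of the VBScript, and the closing question asks how to detect other pages carrying similar code. The content inspector below shows the same idea offline, matching the generic strings an HTA/VBScript page needs in order to read the registry through the Windows Script Host shell object, plus a script pulled from a second host, which is the structure the post describes. The two page bodies are constructed samples; the registry path in the suspect one is a placeholder, and the indicator set is an assumption about what stays stable across variants, not a signature taken from the real page.

```python
import re

# Generic indicators of an HTML Application / VBScript page that reads the
# registry via WScript.Shell. Chosen as strings that survive variable renaming,
# which is what makes them usable as IDS content matches.
INDICATORS = {
    "hta_application": re.compile(r"<\s*hta:application\b|application/hta|\.hta\b", re.I),
    "vbscript_block": re.compile(r'language\s*=\s*["\']?vbscript|type\s*=\s*["\']?text/vbscript', re.I),
    "wscript_shell": re.compile(r'CreateObject\s*\(\s*["\']WScript\.Shell["\']\s*\)', re.I),
    "registry_read": re.compile(r"\.RegRead\s*\(", re.I),
    "remote_script_src": re.compile(r'<script[^>]+src\s*=\s*["\']?https?://', re.I),
}

# Constructed samples. BENIGN_PAGE is an ordinary page with a local script;
# SUSPECT_PAGE carries the shape the post describes (script loaded from a
# second host, VBScript reading a registry value). The key path is a placeholder.
BENIGN_PAGE = """<html><head><title>Hello</title>
<script src="/static/app.js"></script>
</head><body><p>Welcome back.</p></body></html>"""

SUSPECT_PAGE = """<html><head>
<script src="http://example.invalid/loader.js"></script>
<script language="VBScript">
Set sh = CreateObject("WScript.Shell")
v = sh.RegRead("HKCU\\Software\\PLACEHOLDER\\Value")
</script></head><body></body></html>"""


def scan(body):
    """Return the sorted names of indicators present in one page body."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(body))


def is_suspect(body):
    """A registry read alone is not enough (intranet HTAs do that legitimately);
    require it together with a script/HTA context to cut false positives."""
    hits = set(scan(body))
    context = {"wscript_shell", "vbscript_block", "hta_application"}
    return "registry_read" in hits and bool(hits & context)


def flag_hosts(pages):
    """pages: mapping host -> fetched body (e.g. from a proxy cache or sniffer).
    Returns the hosts whose pages trip the check, the list Mark asked for."""
    return sorted(host for host, body in pages.items() if is_suspect(body))


if __name__ == "__main__":
    sample = {"www.example.invalid": BENIGN_PAGE, "bad.example.invalid": SUSPECT_PAGE}
    for host, body in sample.items():
        print(host, scan(body), "SUSPECT" if is_suspect(body) else "ok")
    print("flagged:", flag_hosts(sample))
```

The same literal strings ("WScript.Shell", ".RegRead(") are what would go into the snort content matches; the proxy-cache or sniffer feed is the part left unspecified, since the post only says a sniffer and IDS are in place.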

