Strange infection from VeriSign to Italy users

Discussion in 'malware problems & news' started by EraserHW, Sep 25, 2006.

Thread Status:
Not open for further replies.
  1. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    Hello,

    thanks to TNT that reported me this strange thing, I've done some analysis of what COULD APPEAR to be a strange hack of VeriSign. In fact, italian users are hit by a wmf exploit that starts when they write a wrong web address with .com or .net extension.

    I wrote a paper, if you are interested:

    Verisign.com: deeply studying the evidence

    Hope it will be an interesting short read.

    Best regards,

    Marco
     
  2. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Thanks Marco. Also a Java exploit and another exploit (XMLHTTP if I remember correctly); malware gets dropped only on largely unpatched machines, but the most shocking is not the exploit themselves (all quite old) but the method...
     
  3. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    Those types of phishing are all too well known here in DK.
    If you type 'bal' instead of 'bla', you'll get hit by some nasty...

    Hmm... Maybe not the perfect example, but it sounds like the same thing.
    It's been going on for years here.
     
  4. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    No, sadly it's a totally different thing. This thing happens for any domains containing illegal characters: you type one, you're redirected to an infecting website every single time. This is not typo-cybersquatting, it looks like a root dns server on Verisign that should handle all the characters not permitted in URLs has been compromised and just redirects to a site with exploits.
     
  5. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    That's sad ... Thx God I don't live in Italy :cool:
     
  6. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Italy is being targeted hard these days. Sad, and I believe italian users are generally really not ready for this kind of scenario (yes, the computer security industry here is very weak, and many compter users lack basic security knowledge).
     
  7. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Well, romanian users are also very poor informed about PC security. :(
    Most of them have an AV installed when purchasing their PC. They did not even know they have to update it from time to time. :D
     
  8. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    Looks like VeriSign fixed the redirect :)

    I updated my paper
     
Loading...
Thread Status:
Not open for further replies.