[WSIS CS-Plenary] Trojan on our list!!
Bill McIver
Bill.McIver at nrc-cnrc.gc.ca
Fri Feb 11 16:29:55 GMT 2005
The wsis-cs.org site is a pond in which phishing is possible.
At minimum we need to remove the mailto: links and mangle the e-mail
addresses.
WJM
Carlos Afonso wrote:
> People, it seems our list is open to automatic registration, which
> allows for spamming bots to penetrate it.
>
> This phishing originates from a USA ISP named Interland
> (abuse at interland.com), but is linked to a gang in Brazil, as the site
> containing the trojan is www.guiasaiadatoca.com.br (its Brazilian ISP
> has already blocked access to the site).
>
> For the ones interested, full identification details as available on
> whois servers are in the attached text file.
>
> I am notifying the USA ISP, with no hope to get a response, as usual.
> Also notifying the Brazilian Internet security group (www.nbso.nic.br),
> who do act.
>
> Oh, yes, and please use GNU/Linux to avoid bad consequences of these
> attacks :)
>
> fraternal rgds
>
> --c.a.
>
> Rui Correia wrote:
>
> > Dear All
> >
> > Posting from rafa_2004 at terra.com.br <mailto:rafa_2004 at terra.com.br>
> > that appeared on this list with subject “lembra de mim?” is spam,
> > urging users to click on the link to view his (Rafael Dante’s) photo.
> > From a google search, I found out that the link takes you to a page
> > where a trigger downloads PSW.Banker.11.0, which is a Trojan that
> > captures bank account numbers and passwords. The google search turned
> > up 19 different versions of Rafael supposedly wanting to organise a
> > reunion with his old friends, hence the photo, ‘so you can be sure it
> > is the right person’!!!.
> >
> > The post from rafa_2004 at terra.com.br <mailto:rafa_2004 at terra.com.br> that
> > circulated on this list with the subject “lembra de mim?” is spam,
> > encouraging list members to click the link to see his (Rafael Dante's)
> > photo. After a google search, I found out that whoever clicks the link
> > is taken to a page that offers the download of PSW.Banker.11.0, a trojan
> > that captures bank account numbers and passwords and sends them to the
> > author of the malicious program. On google 19 versions of this trick
> > turn up, asking people to look at the photo ‘so they can tell whether it
> > is the right person’!!!
> >
> > Rui
> >
> > ________________________________________________
> >
> >
> > Rui Correia
> > Advocacy, Media and Language Consultant
> > 36 Finch St,
> > Ontdekkers Park, Roodepoort,
> > Johannesburg, South Africa
> > Tel/ Fax (+27-11) 766-4336
> > Cell (+27) (0) 83-368-1214
> >
> > -----Original Message-----
> > *From:* plenary-admin at wsis-cs.org [mailto:plenary-admin at wsis-cs.org]
> > *On Behalf Of *rafa_2004 at terra.com.br
> > *Sent:* 11 February 2005 06:29
> > *To:* plenary at wsis-cs.org
> > *Subject:* [WSIS CS-Plenary] lembra de mim?
> > *Importance:* High
> >
> > Hello, how are you?
> >
> > My name is Rafael, and I came across your email by chance; my friend told
> > me this was your email. I am not sure whether it is really you who studied
> > with me at school, and I would like to throw a reunion party for the whole
> > gang. It would be nice to see everyone again; some have unfortunately
> > died, but I am trying to get in touch with as many friends as possible
> > from that time, and I am inviting you to this party. I would very much
> > like to see you again.
> >
> > So there is no mistake, I have a photo of myself; if you recognise me,
> > please get in touch. I look a bit different from back then, but I think
> > you will still be able to remember me.
> >
> > My photo --> http://www.fee.unicamp.br/docentes/fotos/rafael.jpg
> > <http://www.guiasaiadatoca.com.br/images/rafael.scr>
> >
> > If it really isn't you, please disregard this email, and sorry for the
> > trouble.
> >
> > Sincerely, Rafael Dante.
> >
> > _______________________________________________ Plenary mailing list
> > Plenary at wsis-cs.org
> > http://mailman.greennet.org.uk/mailman/listinfo/plenary
>
>
> --
> ++++++++++++++++++++++++++++++++++++++++++++++++
> Carlos Afonso
> diretor de planejamento
> Rede de Informações para o Terceiro Setor - Rits
> Rua Guilhermina Guinle, 272, 6º andar - Botafogo
> Rio de Janeiro RJ - Brasil CEP 22270-060
> tel +55-21-2527-5494 fax +55-21-2527-5460
> ca at rits.org.br http://www.rits.org.br
> ++++++++++++++++++++++++++++++++++++++++++++++++
>
>
>
>
>
>------------------------------------------------------------------------
>
>1. Full source of the message as received by a Rits mailserver:
>===============================================================
>
>From - Fri Feb 11 08:28:00 2005
>X-Account-Key: account1
>X-UIDL: MD50000186498:MSG:5652:29691890:3069820560
>X-Mozilla-Status: 0001
>X-Mozilla-Status2: 00000000
>Return-path: <plenary-admin at wsis-cs.org>
>Received: from seven.gn.apc.org (greennet2.poptel.org.uk [213.55.2.207])
> by rits.org.br (rits.org.br [200.198.184.110])
> (MDaemon.PRO.v7.1.1.R)
> with ESMTP id md50000050134.msg
> for <ca at rits.org.br>; Fri, 11 Feb 2005 02:32:34 -0200
>X-MDSPF-Result: (none)
>Received-SPF: none (rits.org.br: plenary-admin at wsis-cs.org does not
> designate permitted sender hosts)
> x-spf-client=MDaemon.PRO.v7.1.1.R
> receiver=rits.org.br
> client-ip=213.55.2.207
> envelope-from=<plenary-admin at wsis-cs.org>
> helo=seven.gn.apc.org
>Received: from seven.gn.apc.org (localhost.localdomain [127.0.0.1])
> by seven.gn.apc.org (Postfix) with ESMTP
> id A6A333CA2; Fri, 11 Feb 2005 05:16:31 +0000 (GMT)
>Delivered-To: plenary at mailman.greennet.org.uk
>Received: from mail.gn.apc.org (greennet1.poptel.org.uk [213.55.2.205])
> by seven.gn.apc.org (Postfix) with ESMTP id 6F3293BA3
> for <plenary at mailman.greennet.org.uk>; Fri, 11 Feb 2005 04:58:22 +0000 (GMT)
>Received: from localhost (unknown [192.168.0.2])
> by mail.gn.apc.org (Postfix) with ESMTP id E917314B778
> for <plenary at wsis-cs.org>; Fri, 11 Feb 2005 04:08:22 +0000 (GMT)
>Received: from ns3.webpor.net (unknown [216.150.18.18])
> by mail.gn.apc.org (Postfix) with ESMTP id CA38714B6A5
> for <plenary at wsis-cs.org>; Fri, 11 Feb 2005 04:08:21 +0000 (GMT)
>Received: (qmail 30246 invoked by uid 48); 11 Feb 2005 01:38:34 -0000
>Message-ID: <20050211013834.30245.qmail at ns3.webpor.net>
>To: plenary at wsis-cs.org
>From: rafa_2004 at terra.com.br
>content-type: text/html
>X-priority: 1
>Received: from inter.net
>Received: from dot.net
>X-Virus-Scanned: by amavisd-new at gn.apc.org
>Subject: [WSIS CS-Plenary] lembra de mim?
>Sender: plenary-admin at wsis-cs.org
>Errors-To: plenary-admin at wsis-cs.org
>X-BeenThere: plenary at wsis-cs.org
>X-Mailman-Version: 2.0.6
>Precedence: bulk
>Reply-To: plenary at wsis-cs.org
>List-Help: <mailto:plenary-request at wsis-cs.org?subject=help>
>List-Post: <mailto:plenary at wsis-cs.org>
>List-Subscribe: <http://mailman.greennet.org.uk/mailman/listinfo/plenary>,
> <mailto:plenary-request at wsis-cs.org?subject=subscribe>
>List-Id: Virtual WSIS CS Plenary Group Space <plenary.wsis-cs.org>
>List-Unsubscribe: <http://mailman.greennet.org.uk/mailman/listinfo/plenary>,
> <mailto:plenary-request at wsis-cs.org?subject=unsubscribe>
>List-Archive: <http://mailman.greennet.org.uk/public/plenary/>
>Date: 11 Feb 2005 01:38:34 -0000
>X-Lookup-Warning: MAIL lookup on plenary-admin at wsis-cs.org does not match 213.55.2.207
>X-MDRcpt-To: ca at rits.org.br
>X-Rcpt-To: ca at rits.org.br
>X-MDRemoteIP: 213.55.2.207
>X-Return-Path: plenary-admin at wsis-cs.org
>X-MDaemon-Deliver-To: ca at rits.org.br
>X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11)
>X-Spam-Report:
> * 0.2 NO_REAL_NAME From: does not include a real name
> * 1.3 X_PRIORITY_HIGH Sent with 'X-Priority' set to high
> * 1.0 FROM_ENDS_IN_NUMS From: ends in numbers
> * 0.1 HTML_FONTCOLOR_RED BODY: HTML font color is red
> * 0.3 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
> * 0.1 HTML_MESSAGE BODY: HTML included in message
> * -4.0 BAYES_00 BODY: Bayesian spam probability is 0 to 1%
> * [score: 0.0000]
> * 0.6 MIME_HTML_NO_CHARSET RAW: Message text in HTML without charset
> * 1.2 PRIORITY_NO_NAME Message has priority setting, but no X-Mailer
> * 2.2 MIME_HEADER_CTYPE_ONLY 'Content-Type' found without required MIME headers
> * 0.7 MSGID_FROM_MTA_HEADER Message-Id was added by a relay
>X-Spam-Status: No, hits=3.7 required=5.0 tests=BAYES_00,FROM_ENDS_IN_NUMS,
> HTML_FONTCOLOR_RED,HTML_MESSAGE,MIME_HEADER_CTYPE_ONLY,
> MIME_HTML_NO_CHARSET,MIME_HTML_ONLY,MSGID_FROM_MTA_HEADER,
> NO_REAL_NAME,PRIORITY_NO_NAME,X_PRIORITY_HIGH autolearn=no
> version=2.63
>X-Spam-Level: ***
>X-Spam-Processed: rits.org.br, Fri, 11 Feb 2005 02:32:35 -0200
>X-MDAV-Processed: rits.org.br, Fri, 11 Feb 2005 02:32:35 -0200
>
><HTML>
>
><head>
><META HTTP-EQUIV="Content-Type" CONTENT="text/html;charset=iso-8859-1">
><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
><TITLE>rafa_2004 at terra.com.br</TITLE>
><META http-equiv=Content-Type content=text/html;charset=iso-8859-1>
><META content="Microsoft FrontPage 4.0" name=GENERATOR></HEAD>
><BODY bgColor=#ffffff>
><DIV> </DIV>
><P><FONT face=Tahoma size=2>Ola, tudo bem?</FONT></P>
><P><FONT face=Tahoma size=2>Meu nome é Rafael, e sem querer achei o seu email,
>meu amigo me disse que esse era o seu email, não tenho certeza se é voce mesmo
>que estudou comigo no colégio e gostaria de fazer uma festa de reencontro do
>pessoal todo, seria legal reencontrar a turma toda, alguns morreram
>infelizmente, mas eu estou tentando entrar em contato com o maior numero de
>amigos possiveis daquela época, e estou te convidando para ir a esta festa,
>gostaria muito de reencontra-lo.</FONT></P>
>
><P><FONT face=Tahoma size=2>Para não haver engano eu tenho uma foto minha, se me
>reeconhecer por favor entre em contato, estou um pouco diferente do que aquela
>época, mais acho que da para se lembrar de mim.</FONT></P>
><P><FONT face=Tahoma size=2>Minha foto --> <font color="#ff0000"><A class=link1
>href="http://www.guiasaiadatoca.com.br/images/rafael.scr"
>target=_blank>http://www.fee.unicamp.br/docentes/fotos/rafael.jpg</A></font></FONT></P>
><P><FONT face=Tahoma size=2>Se não for voce realmente, por favor desconsidere
>este email, e desculpe pelo incomodo.</FONT></P>
>
><P><FONT face=Tahoma size=2>Atenciosamente Rafael
>Dante.</FONT></P></BODY></HTML>
>
>_______________________________________________
>Plenary mailing list
>Plenary at wsis-cs.org
>http://mailman.greennet.org.uk/mailman/listinfo/plenary
>
>
>2. Identification of origin:
>============================
>
>whois.arin.net.
>Results:
>
>OrgName: Interland
>OrgID: INTD
>Address: 101 Marietta Street
>City: Atlanta
>StateProv: GA
>PostalCode: 30039
>Country: US
>
>NetRange: 216.150.0.0 - 216.150.31.255
>CIDR: 216.150.0.0/19
>NetName: HOSTCENTRIC-NETBLK-4
>NetHandle: NET-216-150-0-0-1
>Parent: NET-216-0-0-0-0
>NetType: Direct Allocation
>NameServer: NS.DIALTONEINTERNET.NET
>NameServer: NS2.DIALTONEINTERNET.NET
>Comment:
>RegDate:
>Updated: 2004-07-14
>
>OrgAbuseHandle: ABUSE579-ARIN
>OrgAbuseName: ABUSE
>OrgAbusePhone: +1-404-260-8434
>OrgAbuseEmail: abuse at interland.com
>
>OrgTechHandle: ASNAD3-ARIN
>OrgTechName: ASNADMIN
>OrgTechPhone: +1-404-260-8434
>OrgTechEmail: asnadmin at interland.com
>
># ARIN WHOIS database, last updated 2005-02-10 19:10
># Enter ? for additional hints on searching ARIN's WHOIS database.
>
>3. Holder of the Brazilian domain pertaining to the Web site involved:
>======================================================================
>
>% Copyright registro.br
>% The data below is provided for information purposes
>% and to assist persons in obtaining information about or
>% related to domain name and IP number registrations
>% By submitting a whois query, you agree to use this data
>% only for lawful purposes.
>% 2005-02-11 09:04:14 (BRST -02:00)
>
>domínio: GUIASAIADATOCA.COM.BR
>entidade: Dacon Formaturas e Eventos LTDA
>documento: 003.273.690/0001-40
>responsável: Manoel Carlos Gomes Chacon
>endereço: Rua Sao Jose, 495,
>endereço: 12010-190 - Taubate - SP
>telefone: (012) 2332656 []
>ID entidade: AVV35
>ID admin: LID14
>ID técnico: AVV35
>ID cobrança: AVV35
>servidor DNS: NS1.CYBERHOSTING.COM.BR
>status DNS: 09/02/2005 AA
>último AA: 09/02/2005
>servidor DNS: NS2.CYBERHOSTING.COM.BR
>status DNS: 09/02/2005 AA
>último AA: 09/02/2005
>criado: 09/09/2003 #1344102
>alterado: 07/12/2004
>status: publicado
>
>ID: AVV35
>nome: Alexandre Vieira Vianna
>e-mail: saiadatocajah at TERRA.COM.BR
>endereço: Rua dos Carteiros, 57,
>endereço: 12511-030 - Guaratingueta - SP
>telefone: (12) 3125-2270 []
>criado: 03/09/2003
>alterado: 07/12/2004
>
>ID: LID14
>nome: Licio Dacon
>e-mail: webmagazine at IG.COM.BR
>endereço: Av. JK, 77,
>endereço: 12366-000 - Sao Jose dos Pinhais - SP
>telefone: (24) 5589623 []
>criado: 30/05/2000
>alterado: 15/02/2004
>
>remarks: Security issues should also be addressed to
>remarks: nbso at nic.br, http://www.nbso.nic.br/
>remarks: Mail abuse issues should also be addressed to
>remarks: mail-abuse at nic.br
>
>% whois.registro.br accepts only direct match queries.
>% Types of queries are: domains (.BR), BR POCs, CIDR blocks,
>% IP and AS numbers.
>
>4. ISP in Brazil which was hosting the website (cyberhosting.com.br):
>=====================================================================
>
>% Copyright registro.br
>% The data below is provided for information purposes
>% and to assist persons in obtaining information about or
>% related to domain name and IP number registrations
>% By submitting a whois query, you agree to use this data
>% only for lawful purposes.
>% 2005-02-11 09:10:35 (BRST -02:00)
>
>domínio: CYBERHOSTING.COM.BR
>entidade: Cyber1 do Brasil Ltda.
>documento: 004.019.962/0001-43
>responsável: Domingos José Ribeiro
>endereço: Rua Coromandel, 47,
>endereço: 05088-010 - São Paulo - SP
>telefone: (011) 36419291 []
>ID entidade: DJR23
>ID admin: DJR23
>ID técnico: GDL42
>ID cobrança: DJR23
>servidor DNS: NS1.CYBERHOSTING.COM.BR 200.155.3.130
>status DNS: 10/02/2005 AA
>último AA: 10/02/2005
>servidor DNS: NS2.CYBERHOSTING.COM.BR 200.155.3.131
>status DNS: 10/02/2005 AA
>último AA: 10/02/2005
>criado: 03/07/2003 #1269112
>alterado: 18/09/2004
>status: publicado
>
>ID: DJR23
>nome: Domingos J. Ribeiro - Cyber1
>e-mail: webmaster at CYBER1.COM.BR
>endereço: Rua Coromandel, 47,
>endereço: 05088-010 - SÃO PAULO - SP
>telefone: (11) 3641 9291 []
>criado: 22/06/2001
>alterado: 11/01/2005
>
>ID: GDL42
>nome: Ger. de Dominios Cyber1 do Brasil Ltda.
>e-mail: webmaster at CYBER1.COM.BR
>endereço: Rua Coromandel, 47,
>endereço: 05088-010 - São Paulo - SP
>telefone: (11) 3641-9291 []
>criado: 16/08/2002
>alterado: 11/01/2005
>
>remarks: Security issues should also be addressed to
>remarks: nbso at nic.br, http://www.nbso.nic.br/
>remarks: Mail abuse issues should also be addressed to
>remarks: mail-abuse at nic.br
>
>% whois.registro.br accepts only direct match queries.
>% Types of queries are: domains (.BR), BR POCs, CIDR blocks,
>% IP and AS numbers.
>
>
--
Bill McIver, Ph.D
==
Research Officer | Agent de recherche
e-Government/e-Citizen Group | Groupe de gouvernement électronique/citoyen électronique
National Research Council | Conseil national de recherches Canada
Institute for Information Technology | Institut de technologie de l'information
46 Dineen Drive | 46, promenade Dineen
Fredericton, NB E3B 9W4 Canada | Fredericton, NB E3B 9W4 Canada
E-mail: Bill.McIver at nrc-cnrc.gc.ca | Courriel: Bill.McIver at nrc-cnrc.gc.ca
==
URL: http://iit-iti.nrc-cnrc.gc.ca/iit-personnel-iti/e-government-gouvernement-e_e.html
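As an added example that is not part of the thread, a small Python checker for the deception Rui and Carlos describe above: an HTML anchor whose visible text is a .jpg URL on one host while the real href points to a .scr on another. The sample HTML is constructed to mirror the quoted message, with placeholder domains in place of the real ones.

```python
import os
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions Windows runs directly; a "photo" link ending in one of these is
# exactly the pattern in the quoted message (.jpg shown, .scr behind it).
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".vbs"}

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:  # text inside the open <a>, nested tags included
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def find_deceptive_links(html):
    """Flag anchors whose visible URL names a different host than the real
    href, or whose real target is an executable file."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        reasons, real = [], urlparse(href)
        shown = urlparse(text) if text.lower().startswith(("http://", "https://")) else None
        if shown and shown.hostname and real.hostname and shown.hostname.lower() != real.hostname.lower():
            reasons.append("displayed host %s differs from real host %s" % (shown.hostname, real.hostname))
        ext = os.path.splitext(real.path)[1].lower()
        if ext in EXECUTABLE_EXTS:
            reasons.append("real target is an executable (%s)" % ext)
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings

# Constructed sample modelled on the quoted message, with placeholder domains:
# the visible text is a .jpg on one host, the real href a .scr on another.
SAMPLE_HTML = """<P><FONT face=Tahoma size=2>My photo --> <font color="#ff0000"><A class=link1
href="http://malware-host.example.net/images/photo.scr"
target=_blank>http://photos.example.edu/staff/photo.jpg</A></font></FONT></P>
<P><A href="https://lists.example.org/info">https://lists.example.org/info</A></P>"""
```

Running `find_deceptive_links(SAMPLE_HTML)` reports the first anchor with both reasons and stays silent on the honest second one.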