Saturday, January 24, 2009

Faizal.js -- Custom Detection and Removal Tool

I have written a custom detection and removal tool for faizal.js. This JS worm is easy to remove by hand, but the tool is aimed at non-technical users who want something simpler than a list of manual steps.

Symantec has a good description of the infection and of the manual removal steps as well:

http://www.symantec.com/security_response/writeup.jsp?docid=2008-050709-5710-99&tabid=3

FaizalRemover - Custom Detection and Removal Tool

Features:
[+] Two modes: detection and removal.
[+] Detection mode: checks the machine for a faizal.js infection and reports whether one is found.
[+] Removal mode: deletes faizal.js, its Autorun.inf and the other copies the worm has made of itself on the infected machine.
[+] Kills the worm process first, so it cannot recreate the files while they are being removed.
[+] Removes all the registry keys the worm created.
[+] Restores the Internet Explorer title bar text that the worm changed.
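As an added example (not the FaizalRemover tool's code, which the post only links as a download), the Python below shows the detection side of such a tool: it parses the Autorun.inf at a drive root for the script file it would launch, classifies the result, and reads the Internet Explorer title-bar value that the removal mode restores. It assumes the worm is launched through Autorun.inf lines that invoke a script (the post says the tool removes Autorun.inf but does not show its contents, so the sample Autorun.inf here is constructed), and that the title-bar change is the standard `Window Title` value under `HKCU\Software\Microsoft\Internet Explorer\Main`. The worm's real registry keys and process name are not on this page (the Symantec write-up linked above covers them), so they are not hard-coded here.

```python
"""Autorun.inf-based detection for a JS worm such as faizal.js.

Added example, not the FaizalRemover tool's code. Assumptions (not stated in
the post): the worm is launched from removable media through Autorun.inf
(open= / shellexecute= / shell\\<verb>\\command= lines, usually via
wscript.exe), and the title-bar change is the usual "Window Title" value
under HKCU\\Software\\Microsoft\\Internet Explorer\\Main.
"""
import re
import sys
from pathlib import Path

WORM_NAME = "faizal.js"
# Script types an autorun worm typically launches (assumption).
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf")
# Keys whose value Windows would execute on insertion / double-click.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\.+\\command)$")
IE_MAIN_KEY = r"Software\Microsoft\Internet Explorer\Main"

# Constructed sample for this example; NOT the worm's real Autorun.inf.
SAMPLE_AUTORUN = """[autorun]
; constructed sample
open=wscript.exe faizal.js
shell\\open\\command=wscript.exe faizal.js
icon=faizal.js
"""


def parse_autorun(text):
    """Return the [autorun] section as {lower-cased key: value}."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launched_files(entries):
    """Script files Autorun.inf would run, including wscript/cscript arguments."""
    files = []
    for key, value in entries.items():
        if not LAUNCH_KEY.match(key):
            continue
        for token in re.findall(r'"[^"]+"|\S+', value):
            token = token.strip('"')
            if token.lower().endswith(SCRIPT_EXTS) and token not in files:
                files.append(token)
    return files


def classify(entries):
    """'infected' if faizal.js is launched, 'suspicious' for any other script, else 'clean'."""
    files = launched_files(entries)
    names = [re.split(r"[\\/]", f)[-1].lower() for f in files]
    if WORM_NAME in names:
        return "infected", files
    if files:
        return "suspicious", files
    return "clean", files


def scan_root(root):
    """Classify the Autorun.inf at a drive root, e.g. 'E:/' (Windows paths are case-insensitive)."""
    inf = Path(root) / "Autorun.inf"
    if not inf.is_file():
        return "clean", []
    return classify(parse_autorun(inf.read_text(errors="replace")))


def ie_window_title():
    """IE title-bar suffix set for the current user, or None if unset / not on Windows."""
    try:
        import winreg
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, IE_MAIN_KEY) as key:
            return winreg.QueryValueEx(key, "Window Title")[0]
    except OSError:
        return None


def restore_ie_title():
    """Removal step: delete the value so IE falls back to its default title (Windows only)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, IE_MAIN_KEY, 0, winreg.KEY_SET_VALUE) as key:
        winreg.DeleteValue(key, "Window Title")


if __name__ == "__main__":
    targets = sys.argv[1:]
    if not targets:
        print("constructed sample:", classify(parse_autorun(SAMPLE_AUTORUN)))
    for root in targets:
        print(root, scan_root(root))
    title = ie_window_title()
    if title:
        print("IE title bar has been customised:", repr(title))
```

Run it with drive roots as arguments (`python faizal_check.py E:/ F:/`) or with none to see the constructed sample classified; `restore_ie_title()` is the removal counterpart and needs Windows. Killing the worm process before deleting anything, as the feature list says, matters because a running script can rewrite Autorun.inf and recopy itself while the files are being removed.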

Download here:

http://www.4shared.com/file/82263107/5a1b8c38/FaizalRemover.html

Tuesday, January 6, 2009

CIMB's Scam E-Mail

I am posting this because it is the first time I have received a scam e-mail aimed at a local bank's online banking site, in this case CIMB Clicks. Here are the contents:

From: [Fake email address]
Sent: [Date and Time]
------------------------------------------------------------------------------------------------------
Dear CIMB CLICKS Customer,

We are hereby notifying you that we've recently suffered a DDos-Attack on one our's Internet Banking service
For Security reasons you must complete the next steps to verify the integrity of your CIMB CLICKS account.
If you fail to complete the verification in the next 24 hours your account will be suspended.


Here's how get started:


1. LogIn to CIMB CLICKS online account ( Click here )

2. You must request the TAC online via CIMB CLICKS - your TAC will be sent via SMS to the mobile phone
number you registered at the ATM
( You can find the "Request TAC" button in the left menu of your account ).

3. LogOut from your account and close the browser.

4. When you recivied the TAC (Transaction Authorization Code) on your mobile phone please LogIn to
our secured server
verification server and submit the required information(Account User ID, password and TAC)
( Please click here to go on our secured server. )

5. Please allow 48 hours for processing.



Please compily and thanks for understanding.

© 2009 CIMB CLICKS Internet Banking Service.


Please do not reply at this email.
--------------------------------------------------------------------------------------------------------

Notice that the link in step 1 points to the genuine CIMB website. The scam is not about that link: the attacker wants the victim to request a TAC, the one-time Transaction Authorization Code that all the local e-banking sites use and deliver by SMS to the customer's registered mobile number, and then to hand it over, together with the user ID and password, to the attacker's "verification server" in step 4. With a valid login and a fresh TAC the attacker can do anything he wants in the victim's account, because every sensitive action, such as changing the password or transferring money, requires a TAC. The first thing he will probably do is change the registered mobile number to his own, so that any further TACs he needs are delivered to him rather than to the victim.

The logout-and-login-again sequence is the funny part :P. Why log out and log in to a different site when the "verification" could be completed on the page you are already on? And if the second URL is "our secured server", the attacker is implying that the real site he just sent you to is not secure. Anyone with a little common sense will see that the instructions are not logical at all; the "suspended in 24 hours" threat is there to stop the reader pausing to think about them.

Nevertheless, the second link takes victims to a rogue copy of the banking site. Right after I saw the e-mail I googled and found URLs used by this campaign:
  • http://www.xxx.xxx.xxx.using.ssl.cimb-secured.net/asp/cimb/system.htm?wps/portal/!ut/p/c0/04_SB8K8xLLM9MSSzPy8xBz9QJ_89Mw8_YJ0RUUAk9OZqw!!/
  • http://xxx.xxx.mia.bellsouth.net/services/VerifyTAC/Login/
Note how the first one is built: the registered domain is cimb-secured.net, a look-alike rather than the bank's domain, with "using.ssl" prepended as subdomains so that the hostname reads like a statement about security, and a long portal-style path placed after the "?" so that the URL resembles a real banking portal's. The second is just a directory on an ordinary bellsouth.net host, with "VerifyTAC" and "Login" in the path to match the e-mail's story. Both URLs were inactive at the time of writing, so no further analysis could be done.
So, don't click links sent in e-mails; type the bank's address into the browser yourself to avoid such attacks.
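As an added example (not from the original post), the Python below applies the check that matters for URLs like the two above: it works out which registrable domain actually owns the link, ignores reassuring words such as "ssl" or "secured" in the hostname, and flags "verify"/"login"/"TAC" lures in the path. It assumes the genuine CIMB Clicks host is www.cimbclicks.com.my (the post only calls it "the genuine CIMB website"), approximates the registrable domain as the last two labels, or three under two-level suffixes such as .com.my, and keeps the URLs exactly as the post redacted them.

```python
"""Look-alike checks for the phishing URLs quoted in this post (added example).

Assumptions not stated in the post: the genuine CIMB Clicks host is taken to
be www.cimbclicks.com.my, and the registrable domain is approximated as the
last two labels, or the last three under two-level suffixes such as .com.my.
The URLs are kept exactly as the post redacted them (xxx placeholders).
"""
import re
from urllib.parse import urlsplit

BRAND = "cimb"
LEGIT_HOST = "www.cimbclicks.com.my"   # assumption, see module docstring
# Words phishers put in hostnames and paths to look reassuring or urgent.
DECOY_WORDS = ("ssl", "secure", "verify", "login", "tac", "update", "confirm", "account")
SECOND_LEVEL = {"com", "net", "org", "gov", "edu", "co", "ac"}

# The two URLs quoted in the post, redaction included.
PHISH_URLS = [
    "http://www.xxx.xxx.xxx.using.ssl.cimb-secured.net/asp/cimb/system.htm?wps/portal/!ut/p/c0/04_SB8K8xLLM9MSSzPy8xBz9QJ_89Mw8_YJ0RUUAk9OZqw!!/",
    "http://xxx.xxx.mia.bellsouth.net/services/VerifyTAC/Login/",
]


def registrable_domain(host):
    """'www.cimbclicks.com.my' -> 'cimbclicks.com.my'; 'a.b.cimb-secured.net' -> 'cimb-secured.net'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def analyse(url, brand=BRAND, legit_host=LEGIT_HOST):
    """Classify a URL by whose domain actually owns it, not by what it looks like."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    registrable = registrable_domain(host)
    legit = registrable_domain(legit_host)
    # Only the host and path are scanned; the query string is free text the
    # phisher can fill with anything (here a long portal-style path).
    tokens = re.findall(r"[a-z]+", host + " " + parts.path.lower())
    decoys = sorted({w for w in DECOY_WORDS for t in tokens if w in t})
    brand_in_subdomain = brand in host.replace(registrable, "")
    brand_in_path = brand in parts.path.lower()

    if registrable == legit:
        verdict = "legitimate"
    elif brand in registrable:
        verdict = "look-alike domain"
    elif brand_in_subdomain or brand_in_path:
        verdict = "brand name on an unrelated domain"
    elif decoys:
        verdict = "unrelated domain with credential lure"
    else:
        verdict = "unrelated"
    return {"host": host, "registrable": registrable, "decoys": decoys,
            "brand_in_subdomain": brand_in_subdomain, "verdict": verdict}


if __name__ == "__main__":
    for u in PHISH_URLS + ["https://" + LEGIT_HOST + "/"]:
        r = analyse(u)
        print(f"{r['verdict']:40} {r['registrable']:20} decoys={r['decoys']}")
```

The point of the example is that everything left of the registrable domain, and everything in the path and query, is under the attacker's control; "using.ssl" in a hostname and a padlock on the page say nothing about who owns cimb-secured.net. The same applies to the "( Click here )" links in the e-mail: the visible text is free to say anything, so hover over the link and read the domain before clicking, or better, do not click at all.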