Simon Willison’s Weblog

Bizex

I’m going to try not to turn this in to a blog about Windows security exploits but this one is genuinely interesting in that it actively tries to steal financial information and important passwords. Bizex spreads itself by spamming messages over ICQ advising the recipient to visit a specific URL. When they visit it, Internet Explorer exploits are used to download and execute the main payload which then infects their ICQ program and uses it to message their contacts. The worm also scans their hard drive for information relating to a number of well known financial services which it then uploads to a server via FTP, and it apparently snoops on their browser for any passwords travelling over HTTPS connections as well.

It seems that the sole purpose of this worm was to steal a bunch of cash quickly, and it looks very likely to succeed. The servers used to spread the worm have since been taken offline but you can be sure the person or people behind the worm were smart enough to cover their tracks.

More on Bizex can be found here and here; Thors Larholm’s analysis on BugTraq is particularly insightful.

This is Bizex by Simon Willison, posted on 27th February 2004.

Tagged , ,

Next: In praise of Apache documentation

Previous: Crap marketing sites

Previously hosted at http://simon.incutio.com/archive/2004/02/27/bizex