Educause Security Discussion mailing list archives
Re: Example of WMF Exploit SPAM Targetting Schools?
From: Gary Flynn <flynngn () JMU EDU>
Date: Thu, 5 Jan 2006 20:21:40 -0500
H. Morrow Long wrote:
We weren't very happy that Mikko put that particular email message with our domain name in it on F-Secure's public weblog. The sender email address is forged and the content and name at the bottom are completely fictional. We received many spam and other complaints -- primarily from recipients in the UK. Examination of the email headers revealed that most of the email messages also originated (surprisingly enough) from UK ISP IP addresses. Comcast took the web page with the WMF exploit on it down quickly.
That could easily be any of us. Or worse, all of us. Think about that message being from security () yourdomain edu. A person could target a couple of individuals at each university and the code could include an email worm that knows to change the domain name. Then make the link text read something () yourdomain edu instead of that playtimepiano thing. We've all seen a lot of worms in the past that change their domain according to target. I'd bet under those circumstances the majority of computer operators that saw such a message would click the link. And under the present circumstances, with the population of XP and 2000 computers running IE out there, we'd all have a BIG problem.

Mitigating Factors for Graphics Rendering Engine Vulnerability - CVE-2005-4560:

"In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail or Instant Messenger request that takes users to the attacker's Web site."

Not much of a mitigating factor in my mind. Any halfway decent social engineering attack would be better than 80% effective unless everyone was being told "don't click anything because your computer's security has been completely compromised by a safety defect" or some other equally politically difficult drastic measures were in place.

One of our people here received an email message today "from" another university person containing a rather racy cartoon for sexual enhancement products. It was sent from Brazil and the image link was to a site in China. It alarmed me at first because of the image but it was just business as usual on the Internet.

Happy patching everyone. We've got a more or less homogeneous platform base and after quickly testing on a few machines, we went ahead and synchronized our SUS server and approved it for distribution. Didn't want to wait for the weekend.
I don't think we're out of the woods on this one yet. Now to make sure word gets out to the students coming back this weekend.
Morrow

On Jan 5, 2006, at 5:50 PM, Gary Flynn wrote:

I thought you might find this interesting. I plan to incorporate it into some awareness presentations as an example of mildly targeted social engineering:

http://www.f-secure.com/weblog/archives/archive-012006.html#00000768

I seem to remember some other type of virus or fraud using a similar message in the past regarding campus vandalism.

It was also interesting that it tried exploiting Firefox.

http://www.frsirt.com/exploits/20060101.mozilla_compareto.pm.php

--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
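The lure Gary describes, a link whose displayed text names a trusted campus host while the href actually points somewhere else, is mechanically detectable on the receiving side. The following Python is an added example, not code from the thread or from any of the participants: it scans an HTML mail body for anchors whose visible text names a different host from the real link target. The sample body and the playtimepiano.example domain are constructed placeholders, not the message F-Secure published.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Loose hostname matcher for text that looks like a domain or URL.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def deceptive_links(html):
    """Return (visible text, real host) for anchors whose text names another host."""
    parser = _AnchorCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.anchors:
        real_host = (urlparse(href).hostname or "").lower()
        shown = HOST_RE.search(text)
        if shown and real_host and shown.group(1).lower() != real_host:
            flagged.append((text, real_host))
    return flagged


# Constructed sample body modelled on the lure discussed above (not the real spam).
SAMPLE_BODY = """<p>Please review the campus security notice at
<a href="http://www.playtimepiano.example/notice.wmf">security.yourdomain.edu/notice</a>
and the legitimate page <a href="http://www.jmu.edu/computing/security">www.jmu.edu/computing/security</a>.</p>"""

if __name__ == "__main__":
    for text, real_host in deceptive_links(SAMPLE_BODY):
        print(f"link text {text!r} actually points at {real_host}")
```

Anchors whose text is plain words ("click here") are not flagged by this check; it only catches the host-in-text masquerade, which is the variant the thread is worried about.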
Current thread:
- Example of WMF Exploit SPAM Targetting Schools? Gary Flynn (Jan 05)
- <Possible follow-ups>
- Re: Example of WMF Exploit SPAM Targetting Schools? H. Morrow Long (Jan 05)
- Re: Example of WMF Exploit SPAM Targetting Schools? Gary Flynn (Jan 05)
- Re: Example of WMF Exploit SPAM Targetting Schools? Barbara Chung (DURTSCHI) (Jan 06)
- Re: Example of WMF Exploit SPAM Targetting Schools? Russell Fulton (Jan 09)
- Re: Example of WMF Exploit SPAM Targetting Schools? David Gillett (Jan 10)