Security Incidents mailing list archives
Re: [klmtfs () pridemail com: Your Online Greeting Awaits You!]
From: "Jay D. Dyson" <jdyson () treachery net>
Date: Sun, 12 Aug 2001 13:58:28 -0700 (PDT)
On Sun, 12 Aug 2001 diphen () agitation net wrote:
Has anyone run across this before?
I'm sure many here would agree that this may be an old trick with a new face. While I don't yet have enough information to confirm that this is the product of a trojan, several indicators seem to point to as much...
X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0
Outlook. Guh. The favored vector of trojan dissemination.
Hello! We're writing to let you know that someone has sent you a greeting.
The impersonal (and over-friendly) text.
http://www.GreetingCardsUSA.cc?aspickup.pd?i=710242162&m=1732&rr=y
Appropriately long URL that bounces you around and eventually goes to an IP address for dissemination of a binary. Present most users with a long URL and their eyes typically glaze over and they just blindly click on it. About the only thing that surprises me is that no '@' semantic attack was used.

I'll have to see about collecting a copy of the binary. Until such time, this should probably be considered a *possible* trojan that should be ruled out.

Fortunately, it's a Sunday, so we've got a little time before the Monday morning zombies come rolling in and contributing to the problem. :) Time to start a new pot of coffee! Yay.

-Jay

"There's always time for a good cup of coffee"
Jay D. Dyson -- jdyson () treachery net
Real men prefer full disclosure.

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
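The URL traits this reply points at (an '@' semantic attack, a link that ends at a bare IP address) can be checked mechanically, along with two oddities of the quoted link that the post does not comment on: a query attached directly to the host name and a second '?'. The Python below is an added example, not part of the original post or the list archive; the function and flag names and the example.com / 192.0.2.10 URLs are constructed for illustration, and it inspects URL text only, without following redirects.

```python
import ipaddress
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def url_indicators(url):
    """Return sorted heuristic flags for one URL found in a mail body."""
    flags = set()
    parts = urlsplit(url)
    host = parts.hostname or ""
    # '@' semantic attack: everything before '@' is userinfo, and the
    # browser connects to the host that follows it.
    if "@" in parts.netloc:
        flags.add("userinfo-at")
    # Host is a raw address (dotted quad, IPv6, or bare decimal integer).
    try:
        ipaddress.ip_address(host)
        flags.add("ip-host")
    except ValueError:
        if host.isdigit():
            flags.add("ip-host")
    # Query glued straight onto the host name, with no path in between.
    if parts.path == "" and parts.query:
        flags.add("query-without-path")
    # A second '?' is unusual in an ordinary link; in the quoted URL it
    # makes "aspickup.pd" read like a page name although it is query text.
    if url.count("?") > 1:
        flags.add("multiple-question-marks")
    return sorted(flags)

def scan_body(text):
    """Map each flagged URL in a message body to its indicator list."""
    hits = {}
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;)")
        flags = url_indicators(url)
        if flags:
            hits[url] = flags
    return hits

# Constructed sample body: the first URL is the one quoted in the post; the
# other two are made up, using reserved example names and addresses.
SAMPLE_BODY = """Hello! We're writing to let you know that someone has sent you a greeting.
http://www.GreetingCardsUSA.cc?aspickup.pd?i=710242162&m=1732&rr=y
http://www.example.com@192.0.2.10/card.exe
http://www.example.com/cards/view?id=1
"""

if __name__ == "__main__":
    for url, flags in scan_body(SAMPLE_BODY).items():
        print(url, flags)
```
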