Security Incidents mailing list archives
Re: [klmtfs () pridemail com: Your Online Greeting Awaits You!]
From: "Jay D. Dyson" <jdyson () treachery net>
Date: Sun, 12 Aug 2001 13:58:28 -0700 (PDT)
On Sun, 12 Aug 2001 diphen () agitation net wrote:

> Has anyone run across this before?

I'm sure many here would agree that this may be an old trick with
a new face. While I don't yet have enough information to confirm that
this is the product of a trojan, several indicators seem to point to as
much...

> X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0

Outlook. Guh. The favored vector of trojan dissemination.

> Hello! We're writing to let you know that someone has sent you a greeting.

The impersonal (and over-friendly) text.

> http://www.GreetingCardsUSA.cc?aspickup.pd?i=710242162&m=1732&rr=y

Appropriately long URL that bounces you around and eventually goes
to an IP address for dissemination of a binary. Present most users with a
long URL and their eyes typically glaze over and they just blindly click
on it. About the only thing that surprises me is that no '@' semantic
attack was used.

I'll have to see about collecting a copy of the binary. Until
such time, this should probably be considered a *possible* trojan that
should be ruled out. Fortunately, it's a Sunday, so we've got a little
time before the Monday morning zombies come rolling in and contributing
to the problem. :)

Time to start a new pot of coffee! Yay.

-Jay
( ( _______
)) )) .--"There's always time for a good cup of coffee"--. >====<--.
C|~~|C|~~| (>------ Jay D. Dyson -- jdyson () treachery net ------<) | = |-'
`--' `--' `-------- Real men prefer full disclosure. --------' `------'
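A static triage of the URL traits the message above points at (length, an odd query string, an IP-address host, and the '@' userinfo trick), as an added example that is not part of the original post. The flag names, the 60-character threshold and every sample URL except the first are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Only the first URL comes from the quoted message; the rest are constructed
# samples using documentation-reserved hosts and addresses.
SAMPLES = [
    "http://www.GreetingCardsUSA.cc?aspickup.pd?i=710242162&m=1732&rr=y",
    "http://www.example.com@192.0.2.7/card",
    "http://192.0.2.7/pickup?i=1",
    "https://www.example.org/cards/view?id=42",
]


def url_indicators(url, long_threshold=60):
    """Return a sorted list of heuristic flags for one URL found in a mail body.

    long_threshold is an assumed cut-off, not a value from the post.
    """
    flags = set()
    parts = urlsplit(url)
    host = parts.hostname or ""

    # '@' semantic attack: everything before '@' is userinfo, so the host the
    # reader sees first is not the host the client connects to.
    if parts.username is not None:
        flags.add("userinfo-at-sign")

    # Host given as a raw IP address instead of a name.
    try:
        ipaddress.ip_address(host)
        flags.add("ip-literal-host")
    except ValueError:
        pass

    # Query begins right after the host and contains a second '?', so what
    # reads like a file name ("aspickup.pd") is really query data.
    if parts.path in ("", "/") and "?" in parts.query:
        flags.add("malformed-query")

    if len(url) >= long_threshold:
        flags.add("long-url")
    return sorted(flags)


if __name__ == "__main__":
    for sample in SAMPLES:
        print(url_indicators(sample), sample)
```

This looks only at the URL as written; the redirect chain the post describes would only show up by fetching the link in an isolated analysis environment.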
