Security Incidents mailing list archives
RE: ANI Exploits in Spam
From: "James C. Slora, Jr." <james.slora () phra com>
Date: Tue, 29 Mar 2005 11:25:08 -0500
Britton, Jeff B. wrote Tuesday, March 29, 2005 11:00 AM
I notice the same trend. ANI files seem to be coming from: (some name).sitemynet.com\*.ani
If possible, I would block sitemynet.com (212.101.97.230).
Keep in mind this is only mildly and temporarily effective. Sites and file names can and probably will change without warning. The ANI files download sdbot from a totally different address which will also likely change. Better blocking might involve screening cursor styles out of email, reading messages in Plain Text, and ensuring machines are patched for MS05-002. ANR and ANI exploits are in the wild on the web, used by adware installers and other miscreants. So the patch is the most important of all.
Current thread:
- ANI Exploits in Spam James C. Slora, Jr. (Mar 29)
- <Possible follow-ups>
- RE: ANI Exploits in Spam Britton, Jeff B. (Mar 29)
- RE: ANI Exploits in Spam James C. Slora, Jr. (Mar 29)
- RE: ANI Exploits in Spam James C Slora Jr (Mar 30)