Educause Security Discussion mailing list archives
Re: FirstClass installations an exploit target?
From: James H Moore <jhmfa () RIT EDU>
Date: Tue, 4 Apr 2006 14:18:29 -0400
It looks like a Mytob or Botob variant, but "rit.edu" is conspicuously absent. The report that we have is from a FirstClass user. My guess is that someone has found a way to fingerprint the FirstClass application, and has created a worm with that target.

Jim

- - - -
Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology
13 Lomb Memorial Drive
Rochester, NY 14623-5603
(585) 475-5406 (office)
(585) 475-4122 (lab)
(585) 475-7950 (fax)

"We will have a chance when we are as efficient at communicating information security best practices, as hackers and criminals are at sharing attack information" - Peter Presidio

-----Original Message-----
From: Valdis Kletnieks [mailto:Valdis.Kletnieks () VT EDU]
Sent: Tuesday, April 04, 2006 2:12 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PS: [SECURITY] FirstClass installations an exploit target?

On Tue, 04 Apr 2006 13:37:04 EDT, James H Moore said:
> I should have mentioned that it carries an attachment important-details.zip which our spam/virus gateway stripped before it got to FirstClass.
Not a FirstClass issue at all, I suspect. It's one of the many worm variants that say the "Your <victim.domain> account was used to send spam", to entice you to open the .zip (which is the malware/worm payload). We can tell when a new variant has popped up that we don't have filters for, because we get stuff signed 'The vt.edu admin team' that we didn't send. ;)
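A gateway-side check for the lure Valdis describes, added here as an example and not code from the list thread: it parses a constructed message modelled on the description (a "your account was used to send spam" notice, signed as the local admin team, carrying important-details.zip) and flags the combination of lure text and .zip attachment. The phrase lists, the "vt.edu" domain and the sample messages are assumptions built for the example.

```python
import email
from email import policy
from email.message import EmailMessage

# Lure wording and self-styled sender, as described in the thread (assumed list)
LURE_PHRASES = ("account was used to send spam", "account has been used to send spam")
ADMIN_SIGNATURES = ("admin team",)


def classify_message(raw: bytes, local_domain: str) -> dict:
    """Parse a raw RFC 5322 message and record the indicators a filter would key on."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text_lc = (body.get_content() if body else "").lower()
    from_lc = (msg.get("From") or "").lower()
    # Attachments whose declared name ends in .zip (the worm payload in the thread)
    zip_names = [p.get_filename() for p in msg.iter_attachments()
                 if (p.get_filename() or "").lower().endswith(".zip")]
    return {
        "claims_local_admin": local_domain in from_lc
                              and any(s in text_lc for s in ADMIN_SIGNATURES),
        "lure_phrase": any(p in text_lc for p in LURE_PHRASES),
        "zip_attachments": zip_names,
    }


def is_spam_notice_lure(verdict: dict) -> bool:
    """Lure text plus a .zip payload is the pattern the gateway should strip or quarantine."""
    return verdict["lure_phrase"] and bool(verdict["zip_attachments"])


def build_sample(local_domain: str) -> bytes:
    """Constructed message modelled on the lure in the thread; not a real capture."""
    m = EmailMessage()
    m["From"] = f"admin@{local_domain}"
    m["To"] = f"user@{local_domain}"
    m["Subject"] = f"Your {local_domain} account was used to send spam"
    m.set_content(f"Your {local_domain} account was used to send spam.\n"
                  "Details are in the attachment.\n\n"
                  f"The {local_domain} admin team\n")
    # Placeholder bytes, not a real archive and not malicious
    m.add_attachment(b"PK\x03\x04 constructed placeholder", maintype="application",
                     subtype="zip", filename="important-details.zip")
    return bytes(m)


def build_benign(local_domain: str) -> bytes:
    """Constructed legitimate notice with no attachment, for contrast."""
    m = EmailMessage()
    m["From"] = f"helpdesk@{local_domain}"
    m["To"] = f"user@{local_domain}"
    m["Subject"] = "Password expiry reminder"
    m.set_content("Your password expires in 14 days.\n\nThe helpdesk\n")
    return bytes(m)
```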