funsec mailing list archives

Re: adobe exploit spam


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Wed, 05 May 2010 13:50:50 +1200

RandallM wrote:

anyone see this type of email going around? this particular one was
addressed by our President and aimed at our controller. fortunately the
controller was wise enough not to click. the links will dl a program
but the headers of course are all giving to another address. the "dL
box" shows from an IP rather than adobe.

The .EXE and .PDF you mention are now unavailable, but the (bogus) 
adobe.us.to domain still redirects to the actual hosting site -- a 
(presumably popped) trixbox at 91.184.204.20.

Despite the target .EXE being down (for now) you should file an abuse 
complaint with afraid.org, owners of us.to and who provide dynamic DNS 
and URL redirector services through that domain.  With the "front" 
domain still up, the perps can trivially reconfigure the adobe.us.to 
redirector to their next compromised hosting box.  Killing the 
adobe.us.to domain renders all yet-to-be-read messages they've sent 
worthless.



Regards,

Nick FitzGerald


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

