Security Incidents mailing list archives
Re: Massive increase in spam volume? 'Osama Captured' e-Mail is Malicious Trojan
From: "webdevi" <webdevi () sympatico ca>
Date: Mon, 26 Apr 2004 10:30:09 -0400
April 23, 2004

'Osama Captured' e-Mail is Malicious Trojan
By Ryan Naraine

Those "Osama Bin Laden Captured" e-mails hammering your in-box today will attempt to download a Trojan if the embedded URL is clicked, anti-virus experts warned Friday.

Glendale, Calif.-based Panda Software said the URL embedded in the e-mail directs users to what appears to be an advertising page before exploiting a known security vulnerability in Microsoft's Internet Explorer (IE) browser to download the trojan.

The fake news item, purporting to come from CNN or the BBC and promising photographs and video of Bin Laden's capture, first appeared on instant messaging networks earlier this month. According to security analysts, it is yet another use of social engineering tactics by spammers to direct traffic to Web sites.

The "Osama Bin Laden Captured" hoax includes the following message text:

"Hey, Just got this from CNN, Osama Bin Laden has been captured! Go to the link below to view the pics and to download the video if you so wish: (Internet address) "Murderous coward he is." God bless America!"

If the link is activated via IE, the browser auto-executes a file called "EXPLOIT.EXE" and downloads an executable trojan, identified as "Trj/Small.B."

The "Small.B" trojan opens ports on an infected machine and can be used to hijack PCs for use as spam zombies. The trojan has the ability to listen on the open port for instructions and redirects traffic to other IP addresses.

"Spammers and hackers can take advantage of compromised systems by using the infected computer as a middleman, allowing them to pass information through it and remain anonymous," according to information provided by McAfee Security.

A spokesperson for anti-virus firm Sophos told internetnews.com the malicious trojan will only affect users using an unpatched IE browser. Microsoft has issued cumulative patches for the IE browser to plug known vulnerabilities. The latest updates for Internet Explorer are available here.
http://www.internetnews.com/ent-news/article.php/3344641
http://news.netcraft.com/archives/2004/04/23/bin_laden_captured_email_downloads_trojan.html

casey britton
www.itshappening.com
Moderator alNeda forum & Breaking News forum

----- Original Message -----
From: "Jay D. Dyson" <jdyson () treachery net>
To: "Incidents List" <incidents () securityfocus com>
Sent: Monday, April 26, 2004 2:00 AM
Subject: Re: Massive increase in spam volume?
On Sat, 24 Apr 2004, Thamer Al-Harbash wrote:

> I work at a large ISP in Canada and just a few hours ago we've experienced a massive increase in spam volume. The volume is so high it's bordering on being a denial of service attack. Does anyone know if there's a worm out in the wild currently doing this? I've confirmed with some of my colleagues that other ISPs are also experiencing this. I'm interested in finding specific netblocks but the spam seems to be coming from everywhere.

I'd say you're seeing the first wave of what appears to be a new worm. Earlier this evening I received about 20 copies of the same message (same subject, same body, different senders) which was titled, "Osama bin Laden found!" and listed a URL (http://220.95.231.54/pics/).

Being naturally curious (and even more naturally paranoid), I went to the URL...but not with my browser. What I snagged was an obfuscated Javascript page which -- from what I could decipher at a glance -- was some kind of spam pitch for cheap prescription drugs. I didn't bother looking for a malicious payload after that.

So what we have here could be a worm that spews spam. This sort of thing will pretty much render the idea of blackholing netblocks useless now, since unpatched Windows systems are everywhere.

That's my take. I look forward to hearing about what others have seen land in their inboxes.

-Jay

"There's always time for a good cup of coffee."
Jay D. Dyson - jdyson () treachery net
"If you wanna make God laugh, tell him your plans."
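Jay's observation that the copies share subject and body but differ in sender is the useful triage signal: cluster incoming mail on content and the embedded URL rather than on source netblock, which he notes is no longer practical to blackhole. The script below is an added example, not code from this thread; it runs over constructed sample messages, with a documentation-range IP standing in for the real host.

```python
import re
from collections import defaultdict

# Constructed sample messages (not real mail): 20 copies of the same pitch from
# different senders, one "Re:" reply that quotes the same link, and two benign mails.
# 192.0.2.10 is a documentation-range address standing in for the real host.
SAMPLE_MESSAGES = [
    {"from": f"user{i}@example{i % 7}.net",
     "subject": "Osama bin Laden found!",
     "body": "Hey, just got this from CNN. Go to the link below to view the pics: "
             "http://192.0.2.10/pics/. God bless America!"}
    for i in range(20)
] + [
    {"from": "bob@example.org", "subject": "Re: Osama bin Laden found!",
     "body": "Anyone know if http://192.0.2.10/pics/ is legit?"},
    {"from": "carol@example.org", "subject": "Lunch tomorrow?",
     "body": "Noon at the usual place."},
    {"from": "dave@example.org", "subject": "Patch reminder",
     "body": "Cumulative IE update: http://example.com/updates"},
]

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def normalize_subject(subject):
    """Strip Re:/Fw: prefixes, collapse whitespace and case so variants cluster."""
    s = re.sub(r"^\s*(?:(?:re|fw|fwd)\s*:\s*)+", "", subject, flags=re.IGNORECASE)
    return re.sub(r"\s+", " ", s).strip().lower()


def extract_urls(body):
    """Return the distinct URLs in a body, with trailing punctuation removed."""
    return sorted({u.rstrip(".,;)") for u in URL_RE.findall(body)})


def find_spam_bursts(messages, min_senders=5):
    """Group by (normalized subject, embedded URLs) and flag groups that arrive
    from at least min_senders distinct senders. Returns bursts, largest first."""
    senders_by_key = defaultdict(set)
    for m in messages:
        key = (normalize_subject(m["subject"]), tuple(extract_urls(m["body"])))
        senders_by_key[key].add(m["from"].lower())
    bursts = [{"subject": subj, "urls": list(urls), "senders": len(s)}
              for (subj, urls), s in senders_by_key.items() if len(s) >= min_senders]
    return sorted(bursts, key=lambda b: -b["senders"])


if __name__ == "__main__":
    for b in find_spam_bursts(SAMPLE_MESSAGES):
        print(f"{b['senders']} senders: {b['subject']!r} -> {b['urls']}")
```

The URLs in a flagged burst are the stable indicator to feed a mail filter, since the sender addresses change with every copy.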
Current thread:
- Massive increase in spam volume? Thamer Al-Harbash (Apr 25)
- Re: Massive increase in spam volume? Ken Budd (Apr 25)
- Re: Massive increase in spam volume? Vinod Kumar (Apr 26)
- RE: Massive increase in spam volume? Bojan Zdrnja (Apr 26)
- Re: Massive increase in spam volume? TML (Apr 26)
- Re: Massive increase in spam volume? Josh Tolley (Apr 26)
- RE: Massive increase in spam volume? James C Slora Jr (Apr 26)
- Re: Massive increase in spam volume? Jay D. Dyson (Apr 26)
- Re: Massive increase in spam volume? Niek (Apr 26)
- Re: Massive increase in spam volume? 'Osama Captured' e-Mail is Malicious Trojan webdevi (Apr 26)
- Re: Massive increase in spam volume? Don Wilder (Apr 26)
- Re: Massive increase in spam volume? David M. Dinner (Apr 27)
- <Possible follow-ups>
- RE: Massive increase in spam volume? Tom . Marchand (Apr 26)
- RE: Massive increase in spam volume? Garneau . Marie-Josee (Apr 26)
- FW: Massive increase in spam volume? Andy Streule (Apr 27)
- RE: Massive increase in spam volume? Steven Trewick (Apr 27)
- RE: Massive increase in spam volume? Thamer Al-Harbash (Apr 30)
- Re: Massive increase in spam volume? Ken Budd (Apr 25)