Re: Massive increase in spam volume? 'Osama Captured' e-Mail is Malicious Trojan

["webdevi" <webdevi () sympatico ca>]

April 23, 2004
'Osama Captured' e-Mail is Malicious Trojan
By Ryan Naraine

Those "Osama Bin Laden Captured" e-mails hammering your in-box today will
attempt to download a Trojan if the embedded URL is clicked, anti-virus
experts warned Friday.

Glendale, Calif.-based Panda Software said the URL embedded in the e-mail
directs users to what appears to be an advertising page before exploiting a
known security vulnerability in Microsoft's Internet Explorer (IE) browser
to download the trojan.

The fake news item, purporting to come from CNN or the BBC and promising
photographs and video of Bin Laden's capture, first appeared on instant
messaging networks earlier this month. According to security analysts, it is
yet another use of social engineering tactics by spammers to direct traffic
to Web sites.

The "Osama Bin Laden Captured" hoax includes following message text:

"Hey, Just got this from CNN, Osama Bin Laden has been captured! Go to the
link below to view the pics and to download the video if you so wish:
(Internet address) "Murderous coward he is." God bless America!"

If the link is activated via IE, the browser auto-executes a file called
"EXPLOIT.EXE" and downloads an executable trojan, identified as
"Trj/Small.B."

The "Small.B" trojan opens ports on an infected machine and can be used to
hijack PCs for use as spam zombies. The trojan has the ability to listen on
the open port for instructions and redirects traffic to other IP addresses.

"Spammers and hackers can take advantage of compromised systems by using the
infected computer as a middleman, allowing them to pass information through
it and remain anonymous," according to information provided by McAfee
Security.

A spokesperson for anti-virus firm Sophos told internetnews.com the
malicious trojan will only affect users using an unpatched IE browser.
Microsoft has issued cumulative patches the IE browser to plug known
vulnerabilities. The latest updates for Internet Explorer are available
here.

http://www.internetnews.com/ent-news/article.php/3344641

http://news.netcraft.com/archives/2004/04/23/bin_laden_captured_email_downloads_trojan.html

casey britton
www.itshappening.com
Moderator alNeda forum & Breaking News forum


----- Original Message ----- 
From: "Jay D. Dyson" <jdyson () treachery net>
To: "Incidents List" <incidents () securityfocus com>
Sent: Monday, April 26, 2004 2:00 AM
Subject: Re: Massive increase in spam volume?


> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Sat, 24 Apr 2004, Thamer Al-Harbash wrote:
>
> > I work at a large ISP in Canada and just a few hours ago we've
> > experienced a massive increase in spam volume. The volume is so high
> > it's bordering on being a denial of service attack.
> >
> > Does anyone know if there's a worm out in the wild currently doing this?
> > I've confirmed with some of my collegues that other ISPs are also
> > experiencing this.
> >
> > I'm interested in finding specific netblocks but the spam seems to be
> > coming from everywhere.
>
> I'd say you're seeing the first wave of what appears to be a new
> worm.  Earlier this evening I received about 20 copies of the same message
> (same subject, same body, different senders) which was titled, "Osama bin
> Laden found!" and listed a URL (http://220.95.231.54/pics/).
>
> Being naturally curious (and even more naturally paranoid), I went
> to the URL...but not with my browser.  What I snagged was an obfuscated
> Javascript page which -- from what I could decipher at a glance -- was
> some kind of spam pitch for cheap prescription drugs.  I didn't bother
> looking for a malicious payload after that.
>
> So what we have here could be a worm that spews spam.  This sort
> of thing will pretty much render the idea of blackholing netblocks useless
> now, since unpatched Windows system are everywhere.
>
> That's my take.  I look forward to hearing about what others have
> seen land in their inboxes.
>
> - -Jay
>
>   (    (                                                         _______
>   ))   ))  .--"There's always time for a good cup of coffee."--.
> ====<--.
> C|~~|C|~~| )>------ Jay D. Dyson - jdyson () treachery net ------<( |    =
|-'
>  `--' `--' `-If you wanna make God laugh, tell him your plans.-' `------'
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.4 (TreacherOS)
> Comment: See http://www.treachery.net/~jdyson/ for current keys.
>
> iD8DBQFAjKVp6uxsHJ5aYG4RAsRGAJ484Fe0Rp1i+d/yt3yAnDPPRoSvwACcC8I0
> aSmguv2f7zEF4hky8xDx6D4=
> =ZZ/E
> -----END PGP SIGNATURE-----
>
> --------------------------------------------------------------------------
-
> --------------------------------------------------------------------------
--
>


---------------------------------------------------------------------------
----------------------------------------------------------------------------