Snort mailing list archives
New phishing/Malware campaign
From: "Lay, James" <james.lay () wincofoods com>
Date: Mon, 20 Jun 2011 09:42:56 -0600
Thought folks may want to work on a sig for this... Link that contains a copy of the email (I've seen multiple blog sites that have this...the emails are exactly like this...looks like malicious posts..do a Google search for "Federal Tax transfer rejected pdf.exe"). Enjoy.

James

http://gsujinbiblestudies.blogspot.com/2011/06/rejected-federal-tax-tran saction.html

Headers:

GET /TAX25379001.pdf.exe HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: irs-web-report.info

HTTP/1.1 200 OK
Date: Mon, 20 Jun 2011 15:29:32 GMT
Set-Cookie: BX=64qgorh6vupqs&b=3&s=0f; expires=Tue, 02-Jun-2037 20:00:00 GMT; path=/; domain=.irs-web-report.info
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Last-Modified: Mon, 20 Jun 2011 11:45:11 GMT
Accept-Ranges: bytes
Content-Length: 228864
Content-Type: application/octet-stream
Age: 0
Connection: close
Server: YTS/1.19.8

MZP.....................@............................................... !..L.!..This program must be run under Win32
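Added example, not part of the original post: the three indicators visible in the captured exchange above (a document-style double extension in the request URI, a response body that begins with the "MZ" executable magic, and a generic application/octet-stream content type) expressed as detection logic that a signature could be built from. The function names, the extension lists beyond .pdf.exe, and the trimmed sample messages are assumptions made for illustration.

```python
import re

# Constructed sample: the request/response pair quoted in the post, trimmed to
# the headers the checks use; the body is only the first bytes of a PE stub.
REQUEST = (b"GET /TAX25379001.pdf.exe HTTP/1.1\r\n"
           b"Accept-Language: en-us\r\n"
           b"Host: irs-web-report.info\r\n\r\n")
RESPONSE = (b"HTTP/1.1 200 OK\r\n"
            b"Content-Length: 228864\r\n"
            b"Content-Type: application/octet-stream\r\n"
            b"Server: YTS/1.19.8\r\n\r\n"
            b"MZP\x00\x02\x00\x00\x00")

# Document-looking extension immediately followed by an executable one
# (the post shows .pdf.exe; the other pairs are an assumed generalization).
DOUBLE_EXT = re.compile(rb"\.(pdf|docx?|xlsx?|rtf|txt|jpe?g)\.(exe|scr|com|pif)$", re.I)

def split_message(raw):
    """Return (first_line, {lowercased header: value}, body) for one HTTP message."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def inspect_exchange(request, response):
    """Return the names of the indicators that fire for one request/response pair."""
    hits = []
    req_line, _, _ = split_message(request)
    parts = req_line.split(b" ")
    path = parts[1].split(b"?", 1)[0] if len(parts) >= 2 else b""
    double_ext = bool(DOUBLE_EXT.search(path))
    if double_ext:
        hits.append("double-extension-uri")
    _, resp_headers, body = split_message(response)
    is_pe = body.startswith(b"MZ")  # DOS/PE header magic at offset 0
    if is_pe:
        hits.append("pe-magic-in-body")
    ctype = resp_headers.get(b"content-type", b"").split(b";")[0].strip().lower()
    if double_ext and is_pe and ctype == b"application/octet-stream":
        hits.append("disguised-executable-download")
    return hits

if __name__ == "__main__":
    print(inspect_exchange(REQUEST, RESPONSE))
```

Requiring the URI check and the body check together keeps ordinary .exe downloads and ordinary PDF downloads from raising the combined indicator.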