Some interesting SSL SPAM

Published: 2009-10-12
Last Updated: 2009-10-13 13:13:34 UTC
by Mark Hofman (Version: 1)
11 comment(s)

A few people have mentioned (thanks Luke, Anon, et al.) that they have started receiving SPAM messages along the following lines:

On October 16, 2009 server upgrade will take place. Due to this the system may be offline for approximately half an hour.
The changes will concern security, reliability and performance of mail service and the system as a whole. 
For compatibility of your browsers and mail clients with upgraded server software you should run SSl certificates update procedure.
This procedure is quite simple. All you have to do is just to click the link provided, to save the patch file and then to run it from your computer location. That's all.

http://evil-link/evil-file

Thank you in advance for your attention to this matter and sorry for possible inconveniences.

Not sure what the evil is, as the links I received have been dead, so if you do receive one of these messages please let us know.  If you follow the link, be prepared for surprises and do it on a system that you do not care about (and that does not mean the computer belonging to the annoying fellow/gal sitting two desks away).

One of the reasons I like this is that to many people it would seem quite plausible, especially if they are running an internal CA at the site.  They may have received messages like this from their own support desk.  So in a targeted attack this could work quite nicely.  The English isn't bad either.

UPDATE

The sample file we received was named patch.exe (MD5: 9abc553703f4e4fedb3ed975502a2c7a).
It has ZBOT characteristics, so trojan, keylogger, disables AV.
http://www.threatexpert.com/report.aspx?md5=9abc553703f4e4fedb3ed975502a2c7a
If you have a sample with a different hash please upload it through the contact form.

UPDATE 2

In the samples received, the URL used in the message typically has a component relating to the organisation itself, e.g. http://something.<yourcompanydomain>.thehostingdomain/somefile.aspx . Embedding the company domain will make it look a little bit more legit to the user.
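A simple check for that lure, added here as an example and not part of the diary: it extracts URLs from message text and flags any whose hostname contains the organisation's domain without actually being under it (the domain names and sample messages are constructed placeholders, not real indicators).

```python
import re
from urllib.parse import urlparse

# Assumption: the recipient organisation's real domain (placeholder value).
OWN_DOMAIN = "example-corp.com"

# Constructed sample message bodies in the style of the "SSL certificate update" spam.
SAMPLE_MESSAGES = [
    "Please visit http://update.example-corp.com.hosting-xyz.net/patch.aspx to update your SSL certificates.",
    "Internal notice: http://intranet.example-corp.com/ca/renew",
    "Unrelated: https://www.example.org/news",
    "Also http://example-corp.com-login.evilhost.org/patch.exe",
]

URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def host_of(url):
    """Lowercased hostname of a URL, or '' if it cannot be parsed."""
    return (urlparse(url).hostname or "").lower().rstrip(".")


def is_lookalike(host, own_domain=OWN_DOMAIN):
    """True when own_domain appears inside the host but the host is neither
    own_domain itself nor a genuine subdomain of it (e.g. ours.com.evil.net)."""
    own = own_domain.lower()
    if host == own or host.endswith("." + own):
        return False          # genuinely ours
    return own in host        # our name used as bait inside somebody else's domain


def flag_urls(text, own_domain=OWN_DOMAIN):
    """All URLs in the text whose host merely borrows our domain name."""
    return [u for u in URL_RE.findall(text) if is_lookalike(host_of(u), own_domain)]


def scan_messages(messages, own_domain=OWN_DOMAIN):
    """Map message index -> list of suspicious URLs, for messages that have any."""
    hits = {}
    for i, body in enumerate(messages):
        flagged = flag_urls(body, own_domain)
        if flagged:
            hits[i] = flagged
    return hits


if __name__ == "__main__":
    for idx, urls in scan_messages(SAMPLE_MESSAGES).items():
        print(f"message {idx}: {urls}")
```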


Mark H

Keywords: SSL SPAM

McAfee Spam Report

Published: 2009-10-12
Last Updated: 2009-10-13 10:51:33 UTC
by Scott Fendley (Version: 1)
0 comment(s)

In many enterprises, spam prevention and abuse handling is a function of IT Security and less of a business duty for the email system administrators.  With that in mind, I wanted to point out something on the operational security front.

Earlier today, McAfee released their October 2009 Spam Report.  This report discusses a number of things including the continued increase in pharmaceutical spam, brand abuses, and just the overall sophistication of the spam messages we are receiving today.  Throw in all of the phishing scam messages which have been on the increase for the past 3 years, and we can see why the younger generation has all but abandoned email as a communication resource in lieu of more closed systems such as Facebook or twitter.  Those of us in higher education have been attempting to cope with this change in communication to varying degrees and expect the corporate world to have to adjust within a few years as well.

So, I thought I would point out something that may be useful for situational awareness purposes, or at least to explain to the C-level people why the spam filters missed a number of spam messages recently.

Scott Fendley ISC Handler

