Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: InfoSec Handlers Diary Blog - Some interesting SSL SPAM InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Some interesting SSL SPAM

Published: 2009-10-12
Last Updated: 2009-10-13 13:13:34 UTC
by Mark Hofman (Version: 1)
11 comment(s)

 A few people have mentioned (Thanks Luke, Anon, et all) that they have started receiving SPAM messages along the following lines: 

On October 16, 2009 server upgrade will take place. Due to this the system may be offline for approximately half an hour.
The changes will concern security, reliability and performance of mail service and the system as a whole. 
For compatibility of your browsers and mail clients with upgraded server software you should run SSl certificates update procedure.
This procedure is quite simple. All you have to do is just to click the link provided, to save the patch file and then to run it from your computer location. That's all.

http://evil-link/evil-file

Thank you in advance for your attention to this matter and sorry for possible inconveniences.

Not sure what the evil is, as the links I received have been dead, so if you do receive one of these messages please let us know.  If you follow the link, be prepared for surprises and do it on a system that you do not care about (and that does not mean the computer belonging to the annoying fellow/gal sitting two desk away.)

One of the reasons I like this is that the reason to many people it would seem quite plausible, especially if they are running an internal CA at the site.  They may have received messages like this from their own support desk.  So in a targeted attack this could work quite nicely.  The English isn't bad either.

UPDATE

the sample file we received was named patch.exe MD5=9abc553703f4e4fedb3ed975502a2c7a
ZBOT characteristics, so trojan, keylogger, disables AV. 
http://www.threatexpert.com/report.aspx?md5=9abc553703f4e4fedb3ed975502a2c7a
If you have a sample with a different hash please upload it through the contact form.

UPDATE 2

In the samples received the URL used in the message typically has a component relating to the organisation itself.  e.g. http://something.<yourcompanydomain>.thehostingdomain/somefile.aspx   Embedding the company domain will make it look a little bit more legit to the user.

 

Mark H

Keywords: SSL SPAM
11 comment(s)
Diary Archives