Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: Internet Storm Center - SANS Internet Storm Center Internet Storm Center

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Last Daily Podcast (Fri, Oct 28th):Small Changes to Ransomware E-Mails;

Latest Diaries

Your Bill Is Not Overdue today!

Published: 2016-10-27
Last Updated: 2016-10-27 15:13:04 UTC
by Johannes Ullrich (Version: 1)
4 comment(s)

Just as little as yesterday's order that "proceeded."  It Look like today's ransomware subject is "Your Bill is Overdue." But then again, don't bother blocking it. Block ZIP'ed visual basic scripts. This round of Locky makes blocking a tad harder by using "application/octet-stream" as a Content-Type instead of "application/zip."

(and about 2 hrs after publishing this diary, another small update: the Content-Type now changed to application/x-compressed . Makes you wonder if they are reading this ;-) )

It may be safe to strip everything with an "application/octet-stream" attachment. 

For the last 30 minutes, I received just about 1,000 attachments like that, and about 4000 total. The first one I received arrived just after 8 am UTC.

Anti-Virus coverage is spotty as usual. Kaspersky and Sophos seem to be doing a rather good job lately detecting the initial downloaders

As usual, Xavier's mime-zip-trojan script does a beautiful job of keeping these attachments out of your inbox:



Johannes B. Ullrich, Ph.D.

4 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

Critical Flash Player Update APSB16-36
1 day ago by Johannes (1 comment)

Another Day, Another Spam...
2 days ago by Xme (3 comments)

A few Mirai Updates: MIPS, PPC version; a bit less scanning
3 days ago by Johannes (2 comments)

ISC Briefing: Large DDoS Attack Against Dyn
4 days ago by Johannes (7 comments)

Request for Packets TCP 4786 - CVE-2016-6385
5 days ago by Guy (0 comments) DDoS Attack
6 days ago by Johannes (9 comments)

How Stolen iOS Devices Are Unlocked
6 days ago by Johannes (0 comments)

View All Diaries →

Latest Discussions

created 2 days ago by SYNERGYUSALLC (0 replies)

Any experience with hyper-v ram forensic?
created 6 days ago by DrGreen (0 replies)

Question about faux news websites
created 2 weeks ago by Marko (0 replies)

Event Logging Requirements
created 4 weeks ago by Circadian (4 replies)

Configuring 'cvtwin': Windows 10 and Norton 360 Premier
created 1 month ago by Anonymous (0 replies)

View All Forums →

Latest News

View All News →

Top Diaries DDoS Attack
6 days ago by Johannes (9 comments)

Critical Cisco ASA IKEv1/v2 Vulnerability. Active Scanning Detected
8 months ago by Johannes (25 comments)

How Stolen iOS Devices Are Unlocked
6 days ago by Johannes (0 comments)

New tool:
2 weeks ago by Jim (4 comments)

The Short Life of a Vulnerable DVR Connected to the Internet
3 weeks ago by Johannes (8 comments)