SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2005-09-01



Katrina Malware; Katrina Donation Scams (now with domain name list); Dameware

Published: 2005-09-01
Last Updated: 2005-09-02 02:32:50 UTC
by John Bambenek (Version: 1)

Katrina Malware

It didn't take long. This morning, we received an email promising news about the hurricane. However, the site it links to appears to serve malware in addition to a brief news article. The text of the email (the original is in HTML):
Subject: Re: u1 Katrina killed as many as 80 people.

Just before daybreak Tuesday, Katrina, now a tropical storm, was 35 miles northeast of Tupelo, Miss., moving north-northeast with winds of 50 mph. Forecasters at the National Hurricane Center said the amount of rainfall has been adjusted downward Monday. Mississippi Gov. Haley Barbour said Tuesday that Hurricane Katrina killed as many as 80 people in his state and burst levees in Louisiana flooded New Orleans. Read More..

'Read More..' links to nextermest.com [DO NOT VISIT! MALWARE!]. We are currently analyzing this page. It uses obfuscated JavaScript to download what looks like a .hta exploit.

Katrina Donation Scams

A couple of the domains we discovered yesterday removed the PayPal button. Again, please let us know if you find any suspect domains. There are now about 230 .com domains that contain the strings 'katrina' and 'hurrican'. We could use your help checking out the domains we found that 'sound suspect'. These have been filtered from the .com zone file using keywords like 'katrina'. The list contains lots of innocent domains, so don't use it as a block list just yet. We are trying to annotate this list as needed.

NOTE: If you send us an annotation to add, we will add an e-mail address of yours to 'sign' the comment. The email address will be obfuscated. Unsigned comments come from our ISC handler team.

http://isc.sans.org/katrina.com.txt

Susan Bradley had this nice remark about "cyber looting" on the patch management list:

"to the folks behind this one....sick guys....really sick... you know how much small businesses are going to need geek/IT help in the coming months and all you guys can do is to code up stuff like this? How about donating to the Red Cross? How about volunteering to help a small business owner displaced by Katrina reset up MX records, A records? How about doing something useful instead of this stuff? Okay rant box off"
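The keyword filter over the .com zone file described above, written up as an added example (not ISC's own tooling): it pulls delegated second-level names out of zone-file lines, keeps those containing the keywords, and emits the annotated, 'signed' list the diary describes. The zone excerpt, domain names, annotations and the address-obfuscation scheme are all constructed assumptions.

```python
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Keywords the diary says the .com zone file was filtered on. 'hurrican' is
# deliberately truncated so it matches 'hurricane' and 'hurricanes' alike.
KEYWORDS = ("katrina", "hurrican")

# Constructed excerpt in .com zone-file style; every name here is made up.
SAMPLE_ZONE = """\
; constructed excerpt, not the real .com zone
$ORIGIN com.
$TTL 172800
katrinareliefdonations    IN NS ns1.example-host.net.
katrinareliefdonations    IN NS ns2.example-host.net.
HURRICANE-KATRINA-FUND    IN NS ns.example-dns.org.
bobsbakery                IN NS ns1.example-host.net.
hurricanerelief2005       IN NS ns.example-dns.org.
ns1.example-host          IN A  192.0.2.10
"""

def zone_domains(lines: Iterable[str]) -> Set[str]:
    """Return the set of delegated (NS-record) second-level names, lowercased."""
    names: Set[str] = set()
    for line in lines:
        line = line.split(";", 1)[0].strip()      # drop comments and blanks
        if not line or line.startswith("$"):      # skip $ORIGIN / $TTL
            continue
        fields = line.split()
        if "NS" not in fields:                    # glue A records etc. are not domains
            continue
        owner = fields[0].lower().rstrip(".")
        if owner.endswith(".com"):                # tolerate fully qualified owners
            owner = owner[:-4]
        names.add(owner)
    return names

def suspect_domains(lines: Iterable[str], keywords=KEYWORDS) -> List[str]:
    """Sorted names containing any keyword; many will be innocent, as the diary warns."""
    return sorted(n for n in zone_domains(lines) if any(k in n for k in keywords))

def obfuscate(email: str) -> str:
    """Hypothetical signer-address obfuscation (the diary does not state ISC's scheme)."""
    local, _, domain = email.partition("@")
    return f"{local} [at] {domain.replace('.', ' [dot] ')}"

def annotated_list(lines: Iterable[str],
                   annotations: Dict[str, Tuple[str, Optional[str]]]) -> List[str]:
    """One tab-separated row per suspect domain: name, comment, signer (or ISC handlers)."""
    rows = []
    for name in suspect_domains(lines):
        comment, signer = annotations.get(name, ("", None))
        rows.append(f"{name}.com\t{comment}\t[{obfuscate(signer) if signer else 'ISC handlers'}]")
    return rows
```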

Dameware Exploit

We do see pretty strong scanning for the recent Dameware exploit. The Dameware.com site is located in New Orleans and has not been reachable since the storm. However, you can download the latest version from the UK site: http://www.dameware.co.uk/thankyoudownload.asp?group=Downloads (thanks David for the UK URL).