Katrina Malware; Katrina Donation Scams (now with domain name list); Dameware
Katrina Malware
It didn't take long. This morning we received an email promising news about the hurricane. However, the site it links to appears to serve malware in addition to a brief news article. The text of the email (the original is in HTML):

Subject: Re: u1

Katrina killed as many as 80 people.

Just before daybreak Tuesday, Katrina, now a tropical storm, was 35 miles northeast of Tupelo, Miss., moving north-northeast with winds of 50 mph. Forecasters at the National Hurricane Center said the amount of rainfall has been adjusted downward Monday. Mississippi Gov. Haley Barbour said Tuesday that Hurricane Katrina killed as many as 80 people in his state and burst levees in Louisiana flooded New Orleans. Read More..

'Read More..' links to nextermest.com [DO NOT VISIT! MALWARE!]. We are currently analyzing this page. It uses obfuscated JavaScript to download what looks like a .hta exploit.
Katrina Donation Scams
A couple of the domains we discovered yesterday removed the PayPal button. Again, please let us know if you find any suspect domains.

There are now about 230 .com domains that contain the string 'katrina' or 'hurrican'. We could use your help checking out domains we found that 'sound suspect'. These have been filtered from the .com zone file using keywords like 'katrina'. Lots of innocent domains are on it, so don't use it as a block list just yet. We are trying to annotate this list as needed. NOTE: If you send us an annotation to add, we will add an e-mail address of yours to 'sign' the comment. The email address will be obfuscated. Unsigned comments come from our ISC handler team.

http://isc.sans.org/katrina.com.txt

Susan Bradley had this nice remark about "cyber looting" on the patch management list:

"to the folks behind this one....sick guys....really sick... you know how much small businesses are going to need geek/IT help in the coming months and all you guys can do is to code up stuff like this? How about donating to the red cross? How about volunteering to help a small business owner displaced by Katrina reset up MX records, A records? How about doing something useful instead of this stuff? Okay rant box off"

Dameware Exploit
We do see pretty strong scanning for the recent Dameware exploit. The Dameware.com site is located in New Orleans and has not been reachable since the storm. However, you can download the latest version from the UK site: http://www.dameware.co.uk/thankyoudownload.asp?group=Downloads (thanks David for the UK URL).
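To illustrate the zone-file keyword filter described under Katrina Donation Scams above, here is an added example (not the handlers' script, and not the list published at katrina.com.txt). It pulls unique registered names out of the NS records in a constructed .com zone snippet, flags those containing 'katrina' or 'hurrican', and leaves an empty annotation column for the manual check the diary asks for. The sample domain names are made up for the example, and the zone line layout (owner label without the TLD, then NS and the nameserver, one line per nameserver) is an assumption about the .com zone format.

```python
from collections import Counter

# Constructed sample in the style of a TLD zone file (assumed layout): the owner
# label is written without the TLD and each nameserver gets its own NS line, so
# every registered domain appears more than once. Names are made up; they are
# not the domains the diary found.
SAMPLE_ZONE = """\
$ORIGIN COM.
$TTL 172800
@ IN SOA A.GTLD-SERVERS.NET. NSTLD.VERISIGN-GRS.COM. ( 1 1800 900 604800 86400 )
HURRICANEKATRINARELIEF NS NS1.EXAMPLE-HOST.
HURRICANEKATRINARELIEF NS NS2.EXAMPLE-HOST.
KATRINA-DONATIONS NS NS1.EXAMPLE-HOST.
KATRINA-DONATIONS NS NS2.EXAMPLE-HOST.
KATRINAS-KITCHEN NS NS.EXAMPLE-FOOD.
HURRICANTRACKER NS NS.EXAMPLE-WX.
REDCROSS NS NS.EXAMPLE-CHARITY.
NS1.EXAMPLE-HOST A 192.0.2.10
"""

# Substrings the diary filtered on; 'hurrican' deliberately lacks the final 'e'
# so that both 'hurricane' and the common misspelling 'hurrican' match.
KEYWORDS = ("katrina", "hurrican")


def domains_from_zone(zone_text, tld="com"):
    """Yield each registered name once, lowercased, taken from NS records only."""
    seen = set()
    for line in zone_text.splitlines():
        line = line.strip()
        # Skip directives, the apex SOA line and comments.
        if not line or line.startswith(("$", "@", ";")):
            continue
        parts = line.split()
        # Delegation lines look like: <label> [TTL] [IN] NS <target>
        # Glue A records for nameservers are not registrations, so drop them.
        if "NS" not in parts[1:4]:
            continue
        label = parts[0].rstrip(".").lower()
        name = f"{label}.{tld}"
        if name not in seen:
            seen.add(name)
            yield name


def suspect_domains(zone_text, keywords=KEYWORDS):
    """Return {domain: [matched keywords]} for names containing any keyword."""
    hits = {}
    for name in domains_from_zone(zone_text):
        matched = [kw for kw in keywords if kw in name]
        if matched:
            hits[name] = matched
    return hits


def keyword_counts(hits):
    """Count how many flagged domains each keyword contributed to."""
    counts = Counter()
    for matched in hits.values():
        counts.update(matched)
    return counts


if __name__ == "__main__":
    hits = suspect_domains(SAMPLE_ZONE)
    for name, matched in sorted(hits.items()):
        # Annotation column left blank: these are leads to check, not a block list.
        print(f"{name:32s} {','.join(matched):18s} # annotation:")
    print(keyword_counts(hits))
```

Only the delegation records are considered, so nameserver glue and the zone's own SOA never end up on the list; the output is meant to be reviewed and annotated by hand, which is why nothing here is formatted as a blocklist.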