Threat Level: green Handler on Duty: Pedro Bueno

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Some interesting SSL SPAM

Published: 2009-10-12
Last Updated: 2009-10-13 13:13:34 UTC
by Mark Hofman (Version: 1)
11 comment(s)

 A few people have mentioned (Thanks Luke, Anon, et all) that they have started receiving SPAM messages along the following lines: 

On October 16, 2009 server upgrade will take place. Due to this the system may be offline for approximately half an hour.
The changes will concern security, reliability and performance of mail service and the system as a whole. 
For compatibility of your browsers and mail clients with upgraded server software you should run SSl certificates update procedure.
This procedure is quite simple. All you have to do is just to click the link provided, to save the patch file and then to run it from your computer location. That's all.

http://evil-link/evil-file

Thank you in advance for your attention to this matter and sorry for possible inconveniences.

Not sure what the evil is, as the links I received have been dead, so if you do receive one of these messages please let us know.  If you follow the link, be prepared for surprises and do it on a system that you do not care about (and that does not mean the computer belonging to the annoying fellow/gal sitting two desk away.)

One of the reasons I like this is that the reason to many people it would seem quite plausible, especially if they are running an internal CA at the site.  They may have received messages like this from their own support desk.  So in a targeted attack this could work quite nicely.  The English isn't bad either.

UPDATE

the sample file we received was named patch.exe MD5=9abc553703f4e4fedb3ed975502a2c7a
ZBOT characteristics, so trojan, keylogger, disables AV. 
http://www.threatexpert.com/report.aspx?md5=9abc553703f4e4fedb3ed975502a2c7a
If you have a sample with a different hash please upload it through the contact form.

UPDATE 2

In the samples received the URL used in the message typically has a component relating to the organisation itself.  e.g. http://something.<yourcompanydomain>.thehostingdomain/somefile.aspx   Embedding the company domain will make it look a little bit more legit to the user.

 

Mark H

Keywords: SSL SPAM
11 comment(s)

McAfee Spam Report

Published: 2009-10-12
Last Updated: 2009-10-13 10:51:33 UTC
by Scott Fendley (Version: 1)
0 comment(s)

In many enterprises, spam prevention and abuse handling is a function of IT Security and less of a business duty for the email system administrators.  With that in mind, I wanted to point out something on the operational security front.

Earlier today, McAfee released their October 2009 Spam Report.  This report discusses a number of things including the continued increase in pharmaceutical spam, brand abuses, and just the overall sophistication of the spam messages we are receiving today.  Throw in all of the phishing scam messages which have been on the increase for the past 3 years, and we can see why the younger generation has all but abandoned email as a communication resource in lieu of more closed systems such as Facebook or twitter.  Those of us in higher education has been attempting to cope with this change in communication to varying degrees and expect the corporate world to have to adjust within a few years as well.

So..... thought I would point out something that may be useful for situational awareness purposes, or to at least explain to the C-level people why the spam filters missed a number of spam messages recently.

Scott Fendley ISC Handler

Keywords:
0 comment(s)
Diary Archives