Threat Level: green Handler on Duty: Manuel Pelaez

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Be on the Alert

Published: 2010-07-15
Last Updated: 2010-07-15 15:18:33 UTC
by Deborah Hale (Version: 1)
9 comment(s)

I am seeing a large amount of spam hit our network that has been successful at fooling our spam filter.  The
emails contain .zip and .html extensions with various file names.  The subject also varies.  Some subjects
that I have seen are:

Your Funds Will Be Transferred
From Jan RIchter (name varies)
Newest Products
Latest Software

The zip file is being analyzed to determine what payload may be involved.  You may want to remind your email
users to refrain from opening any attachments that they weren't expecting to receive.

UPDATE: We have received some information from one of our readers that the zip file that he received contained
a multiple exploit-kit downloader.  He indicated that there are over 120,000 successful downloads of the exe file.
They have discovered that IP address 173. 204. 119 . 122 is where the file appears to be hosted at and is being
updated with new binaries consistently. The downloader appears to grab a few files with random file names and
have been observed connecting too imagehut4 .cn, allxt .com, hitinto .com. Jason indicates that all files appear
to run fully under Windows VMWARE and are resistant to detection by many of the common threat programs.

Many thanks to Jason for supplying us with the information.

We also have received a report of emails that are hitting which tell the recipient that they letter cannot be opened
due to low screen resolution.  It says that they need to open the attached zip file for the message.  Again the filename
for the zip file varies. Thanks to Jason R for this information.

Deb Hale Long Lines, LLC

Keywords: spam attachments
9 comment(s)
Diary Archives