Shorts - other things happening this week.

There have been a few interesting things over the last few days that are worth a mention.  We’ll start with malware.

We’ve had some reports of a new round of Dept of Justice messages (thanks Steve).  You know the one: “A complaint has been filled against the company you are affiliated to ....”.  This particular text variation was first reported in early December, but seems to have received a new lease of life and a nice new payload to go along with it.  It was detected by only 4/32 on VirusTotal (should be close to 32/32 by now).  The other thing was that it was well targeted: the recipient’s name was correct, as was the company name, so someone has a good quality list.  The attachment was called PDF_Complaint.scr; luckily most of us already drop this extension at the gateway.

Another oldie but goodie (the original goes back to 2006) was provided by Johan, who received a SPIM (instant-messaging spam).  The message was along the lines of: “Hi, my name is <name>.  I am studying in <country>.  I’m looking for a friend/partner ...etc”.  The link to the photos of the young lady takes you to Russia and provides you with a little extra code.  A file called ntos.exe is created and the registry is then modified, replacing winlogon.exe with the new file.  You are now providing information to those who will put it to use.

We also received a report on SMS phishing.  An SMS is sent: “Dear <insert bank name> customer, we are informing you that your online services have expired and needs to be renewed.  Please visit us at ...URL...”.  At the URL in the message a “special” surprise awaits.

So keep an eye on those mobiles.  Keep blocking those files that should never be emailed, and patch.  A significant portion of the malware we see still relies on relatively old exploits.  Why?  Because they still work.
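As an added illustration of the gateway check mentioned above (not code from the ISC or the diary author), the Python below parses a constructed message shaped like the complaint lure and flags attachments by extension; it checks every suffix rather than only the last one, so a name dressed up as a document is caught as well. The sample message, addresses and the extension list are assumptions.

```python
import email
import email.policy
from pathlib import PurePosixPath

# Extensions that should never arrive by e-mail. ".scr" is the one from the
# PDF_Complaint.scr report above; the rest are other common executable types.
BLOCKED_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}

# Constructed sample message mimicking the complaint lure (no real binary inside).
SAMPLE_MESSAGE = b"""\
From: complaints@example.invalid
To: user@example.invalid
Subject: Complaint
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

A complaint has been filed against the company you are affiliated to.
--b1
Content-Type: application/octet-stream; name="PDF_Complaint.scr"
Content-Disposition: attachment; filename="PDF_Complaint.scr"

(constructed placeholder, not a real binary)
--b1--
"""

def risky_extensions(filename: str) -> list[str]:
    """Return every blocked suffix present in an attachment name.
    All suffixes are examined, so "Complaint.pdf.scr" is still caught,
    and matching is case-insensitive so "COMPLAINT.SCR" counts as ".scr".
    """
    suffixes = [s.lower() for s in PurePosixPath(filename.strip()).suffixes]
    return [s for s in suffixes if s in BLOCKED_EXTENSIONS]

def flagged_attachments(raw_message: bytes) -> list[tuple[str, list[str]]]:
    """Parse a raw message and list (filename, blocked suffixes) for each hit."""
    msg = email.message_from_bytes(raw_message, policy=email.policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()  # only parts carrying an attachment filename
        if name and (bad := risky_extensions(name)):
            hits.append((name, bad))
    return hits

if __name__ == "__main__":
    for name, bad in flagged_attachments(SAMPLE_MESSAGE):
        print(f"DROP {name!r}: blocked extension(s) {bad}")
```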

Cheers

Mark
