Threat Level: green Handler on Duty: Remco Verhoef

SANS ISC: Yet another round of Viral Spam - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Yet another round of Viral Spam

Reports are coming in today regarding another round of spam attempting to spread malicious programs on machines all over the world. 

I just checked my Postini and I too am seeing these emails.  Here is the content of the new round:

You have (6) New Message from Outlook Microsoft<br /> <br /> - Please re-configure your Microsoft Outlook Again.<br /> - Download attached setup file and install.<br />

These emails contain an attachment.  The ones in my Postini filter contain an attachment with the name install.zip.  (This doesn't mean that is the only
name that is being used. )

According to the headers these emails are coming from IP addresses all over the world and are using various mailservers including servers from well
known services like Yahoo and GMail as well as private mail servers at private companies.

In addition to the Outlook spam we are seeing a new influx of IRS spam with an attachment tax-statement.exe, and of course the DHL Service spam.

Yesterday my company got hit with a round of the emails with OWA links.  We don't use Exchange for our external email so the link was "broken".  We
received a number of phone calls and emails from customers telling us they clicked on the link and it didn't work and asking what they should do now.  
Luckily the link was "broke" or we would have had a pretty nasty mess on our hands today.  The interesting thing about this was the email was sent to 
one email account with  "Dear another email account" and the users still clicked on the link. May wonders never cease. 

I find this unusual increase in virus spam emails rather ironic beings this is Security Awareness month.  Might be a good time to remind your
users about the dangers of clicking on links or attachments that they get in emails.  Make sure that they understand what the procedure is for reporting
these emails to your company or your security department.  

Deb Hale Long Lines, LLC

Deborah

278 Posts
ISC Handler
I see a lot of the "Outlook" viral spam as well. And I have been seeing the IRS and DHL viral spam for months now. I also see UPS and e-Card viral spam on and off.

I find that zen.spamhaus.org RBL blocks 99% of it. The rest that get through either the antivirus on the server/gateway catches it or failing that I have a filter to delete messages coming in with .exe, .bat, .vbs, etc. attached. There's no business case for anyone to email us executables.
Anonymous
Another great RBL is the BRBL (Barracuda Central).

http://www.barracudacentral.org/rbl

It is fast, reliable, and gets almost all of the hosts and end-user bots blocked. Also free, which is nice.

I had a customer laptop that was infected plug in, and in seconds BRBL had the IP blocked.

It is easy to get removed from their database if you are not a spammer, but got infected. I rate it #1 based upon years of experience, going all the way back to sendmail's rule set 97 and rule set 0 of which early relay-blocking was achieved :-)

Check it out. -Al
Al of Your Data Center

80 Posts
Has anyone seen this type of SPAM-
An attacker sends a "password reset" phishing email to members of the organization. The email contains a link to reset the password. The user clicks on it to reset the password, and the attacker gets the credentials and uses them to login to the users account and create different "rules" and starts spamming phishing emails from the account. One rule the attacker creates is to delete all sent email (so all the spam going out isn't noticed by the user). The attacker then creates another rule so that any mail that arrives from users that respond to the phishing emails with their credentials is forwarded to the attacker and then deleted. This is particularly effective because the phishing emails are actually coming from an account within the organization. The attacker also sends out thousands of emails to people outside the organization we well with typical phishing subjects such as "You have won the lottery!" trying to phish personal information. I have done a lot of searching and can't seem to find much information on this kind of SPAM where the attacker actually creates (or runs a script) to create email rules before sending out all the phishing emails. Has anyone had this happen or heard of this kind of attack?
Thanks, Mary
Al of Your Data Center
1 Posts

Sign Up for Free or Log In to start participating in the conversation!