Re: [klmtfsat_private: Your Online Greeting Awaits You!]

From: Jay D. Dyson (jdysonat_private)
Date: Sun Aug 12 2001 - 13:58:28 PDT


    -----BEGIN PGP SIGNED MESSAGE-----
    
    On Sun, 12 Aug 2001 diphenat_private wrote: 
    
    > Has anyone run across this before?
    
    	I'm sure many here would agree that this may be an old trick with
    a new face.  While I don't yet have enough information to confirm that
    this is the product of a trojan, several indicators seem to point to as
    much... 
    
    > X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0
    
    	Outlook.  Guh.  The favored vector of trojan dissemination.
    
    > Hello!  We're writing to let you know that someone has sent you a greeting. 
    
    	The impersonal (and over-friendly) text.
    
    > http://www.GreetingCardsUSA.cc?aspickup.pd?i=710242162&m=1732&rr=y 
    
    	Appropriately long URL that bounces you around and eventually goes
    to an IP address for dissemination of a binary.  Present most users with a
    long URL and their eyes typically glaze over and they just blindly click
    on it.  About the only thing that surprises me is that no '@' semantic
    attack was used. 
    
    	I'll have to see about collecting a copy of the binary.  Until
    such time, this should probably be considered a *possible* trojan that
    should be ruled out.  Fortunately, it's a Sunday, so we've got a little
    time before the Monday morning zombies come rolling in and contributing
    to the problem.  :)
    
    	Time to start a new pot of coffee!  Yay.
    
    - -Jay
    
      (    (                                                          _______
      ))   ))   .--"There's always time for a good cup of coffee"--.   >====<--.
    C|~~|C|~~| (>------ Jay D. Dyson -- jdysonat_private ------<) |    = |-'
     `--' `--'  `-------- Real men prefer full disclosure. --------'  `------'
    
    -----BEGIN PGP SIGNATURE-----
    Version: 2.6.2
    Comment: See http://www.treachery.net/~jdyson/ for current keys.
    
    -----END PGP SIGNATURE-----
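
Added example, not part of the original message: a small triage check for the link indicators the reply discusses (an over-long URL, a raw IP address as host, and the '@' userinfo trick), run over the URL quoted above plus one constructed sample. The function name, indicator labels, and 50-character length threshold are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit


def link_indicators(url, max_len=50):
    """Return a sorted list of indicator labels for one URL taken from a message."""
    parts = urlsplit(url)
    found = set()

    # '@' semantic attack: text before '@' in the authority is userinfo, so the
    # reader sees one name while the client connects to the host after the '@'.
    if "@" in parts.netloc:
        found.add("userinfo-before-host")

    # Host given as a raw IP address instead of a name.
    try:
        ipaddress.ip_address(parts.hostname or "")
        found.add("ip-literal-host")
    except ValueError:
        pass

    # Query string glued directly onto the host, with no path in between.
    if parts.query and parts.path in ("", "/"):
        found.add("query-without-path")

    # A second '?' inside the query usually means a malformed or stitched URL.
    if "?" in parts.query:
        found.add("extra-question-mark")

    # Threshold is an assumption; tune it against your own mail corpus.
    if len(url) > max_len:
        found.add("long-url")

    return sorted(found)


if __name__ == "__main__":
    samples = [
        # URL as quoted in the message above.
        "http://www.GreetingCardsUSA.cc?aspickup.pd?i=710242162&m=1732&rr=y",
        # Constructed sample using documentation-reserved names and addresses.
        "http://www.example.com@192.0.2.10/pickup",
    ]
    for s in samples:
        print(s, "->", link_indicators(s))
```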
    
    


