Link Logger Premium,MVM join:2001-03-29 Calgary, AB | reply to antiphishing Re: Warning regarding fake malware patch 'patch_4723.zip'
Has anyone tried this bad boy in a virtual system, as we might have a no-goer in a virtual environment?
Blake
  antiphishing Phishing Scam Terminator Premium join:2004-06-09 Wilkes Barre, PA
| reply to 59126125
said by 59126125: Sure the idea is on the paranoid side, but if someone wanted to harvest as much personal info as possible in the shortest amount of time, wouldn't tax time be the prime opportunity? What if someone created a root kit or whatever that targeted tax prep programs like TurboTax, etc.?
That was exactly the point that I was trying to get at. Who's to say that you couldn't use a software program like TurboTax and have a key logger installed on the same computer? --
Specializing in "takes downs" of phishing and advance fee scams Send your Phishing/Advance fee scams to: phish@antihotmail.com »/profile/1021645
  SpannerITWks Premium join:2005-04-22
| reply to mysec Re: Forecast - Massive Storms clouded by Rootkits
That link goes to - hxxp://64.28.178.4/index.php - and is associated with -
hxxp://free-orgy-movies.com
( This domain name parked on Estparking.com. To buy this domain click here. )
I was on an exact replica of that www - hxxp://moviefresher.com - in the last 1/2 hour, as I found it linked to a Zlob www I was DL'ing from.
Spanner -- I Only Know What I Know, But I'm Learning all The Time - Stay Safe - Spanner intheWorks /SpannerITWks
 mysec Premium join:2005-11-29
| reply to antiphishing The above subject title from
»www.antirootkit.com/blog/ "The Rootkit component is wincom32.sys"
I permitted the patch file to extract, then re-enabled security to watch it run:
[screenshot]
The loading of the rootkit component, driver wincom32.sys (an executable) is blocked. Then I permitted wincom32.sys to install, and it immediately attempted an outbound connection:
[screenshot]
A search doesn't reveal the wincom32.sys file.
[screenshot]
Also, none of the Registry entries mentioned in the analysis show up.
A final quote from the analysis:
quote: The latest Storm run was seen on the radar about 6 PM GMT on Thursday and within 24 hours over 55 million emails were sent out by the Worm according to Postini, an email security company. This is over 60 times the normal rate for a normal 24 hour period.
The fact that this Storm run is so massive just goes to show that PC users all over the world are opening up encrypted zipped attachments from strangers and running the code.
regards,
-rich
______________________________________________ "Talking About Security Can Lead To Anxiety, Panic, And Dread... Or Cool Assessments, Common Sense And Practical Planning..." --Bruce Schneier
  59126125 Premium join:2006-01-21 clubs:
1 edit | reply to antiphishing Re: Warning regarding fake malware patch 'patch_4723.zip'
Sure the idea is on the paranoid side, but if someone wanted to harvest as much personal info as possible in the shortest amount of time, wouldn't tax time be the prime opportunity? What if someone created a root kit or whatever that targeted tax prep programs like TurboTax, etc.?
-- There is a reason the wires are twisted together, it's called a pair. It defeats the whole purpose of twisted pair cabling by using the solid orange and solid green to wire the jack.
  antiphishing Phishing Scam Terminator Premium join:2004-06-09 Wilkes Barre, PA
| reply to 59126125 Are you suggesting that internet users will use infected computers, not knowing that their tax information will end up in the hands of cybercriminals through the use of a root kit or key logger?
Interesting theory. --
  59126125 Premium join:2006-01-21 clubs:
1 edit | reply to antiphishing Isn't it a little strange that this is occurring close to the deadline for filing taxes? Or is it just coincidence? »news.yahoo.com/s/ap/20070414/ap_···JAJvzwcF
  Martinus Premium join:2001-08-06 EU
| reply to quatrix
said by quatrix: said by Martinus: Probably a good idea not to ditch your AV just because you are an eagle to spot grammatical flaws right away. Eagle? If you read the message, even the first sentence sounds obviously wrong.
Yeah, to you. But probably not to everybody.
I've seen more atrocities committed against the English language in this forum than I thought was possible.
People writing "their" when they mean "there", "here, here Microsoft" when they obviously meant "hear, hear Microsoft", and so on. So yes, a grammar check will quickly give a clue to some, but don't expect that'll help everybody. -- If you were born to be a hammer, the nails fall on you from heaven
 quatrix Premium join:2005-02-11 Davie, FL
| reply to Martinus
said by Martinus: Probably a good idea not to ditch your AV just because you are an eagle to spot grammatical flaws right away.
Eagle? If you read the message, even the first sentence sounds obviously wrong.
BosstonesOwn join:2002-12-15 Everett, MA
| reply to Rickez Yeah for us. What about the normal people?
My email box is full of these because we support Windows servers now too. And most of the Windows shops are getting hammered with this. -- "It's always funny until someone gets hurt......and then it's absolutely friggin' hysterical!"
  Rickez Goinginsane
join:2000-09-02 Three Rivers, MA | reply to BosstonesOwn Times like this I thank god for common sense.
Blackbird Built for Speed Premium join:2005-01-14 Fort Wayne, IN
| reply to Martinus
said by Martinus: English is not my native language but I've seen sentences in these forums - heck, nearly in most forums - by native English speakers with more grammatical or syntactical flaws than the ones you mention. I don't think grammar can be used as a malware giveaway in this context. For the illustrated, probably. For the rest, I doubt it.
Perhaps I didn't express myself well. I was referring to the fact that phishes, fake patches, and the like all purport to be from established, reputable organizations. But my experience has been that "official" notification messages sent out by legitimate groups have almost always been vetted for basic spelling or grammar... either by spell/grammar checkers or by an educated author. That doesn't mean an error might not pop up in a legitimate message, but it does mean that a collection of obvious errors in a message almost certainly guarantees it's not any kind of official notice being broadcast by a legitimate organization. As a result, whenever I encounter an error-filled, purportedly "official" message, I generally look no further and simply hit the delete button.
Obviously, those with less English-language experience will not be able to do that... but that's why nobody should be opening executables or naively trusting URL links contained in any unsolicited eMail, regardless of language or where they live. And in any case, if the language looks OK, I still practice safe-hex in not opening attachments or assuming links are valid without first cross-checking 100% with the real purported sender by direct, person-to-person or other secure, independent means.
Verify, verify, verify. -- If God wanted us to work with electrons, He'd make them big enough to see...
  antiphishing Phishing Scam Terminator Premium join:2004-06-09 Wilkes Barre, PA
| reply to pcdebb
said by pcdebb: ::sigh:: I already got two people that already installed the "update" and wondered what it was AFTERWARDS
Once again, the combination of naive internet plus social engineering does equal the slow destruction of the internet.
We all pay for it, in the end. You have to look at the big picture of the whole thing. It's such a sad state when you can allow someone to use the internet, and they don't have a clue on what is involved with internet security. --
pcdebb RIP dadkins Premium join:2000-12-03 Tampa, FL | reply to antiphishing ::sigh:: I already got two people that already installed the "update" and wondered what it was AFTERWARDS
  antiphishing Phishing Scam Terminator Premium join:2004-06-09 Wilkes Barre, PA
| reply to BosstonesOwn
said by BosstonesOwn: Times like these I thank god for Solaris 10
If I had a choice to move to another operating system, it would be Linux Fedora Red Hat 7.
I mean it's not that I don't like Microsoft Vista, but the new security exploits are starting to get a little old now. --
BosstonesOwn join:2002-12-15 Everett, MA | reply to antiphishing Times like these I thank god for Solaris 10
  antiphishing Phishing Scam Terminator Premium join:2004-06-09 Wilkes Barre, PA
| reply to Jameson
said by Jameson: Yup: User-Agent: Thunderbird 1.5.0.9 (Windows/20061207) EDIT: However it was From: Customer Support
One of the patterns that I have been noticing is that Yahoo email accounts are one of the targets. Every email contains the header line "Thunderbird 1.5.0.9 (Windows/20061207)" being sent through zombie machines in Europe and the United States. --
kpatz MY HEAD A SPLODE Premium join:2003-06-13 Manchester, NH | reply to Jameson The "Thunderbird" user-agent header seems to be consistent across this entire spam run. It's probably hard-coded.
Jameson 10-8 Premium join:2004-05-28 Fallbrook, CA
3 edits | reply to antiphishing Yup: User-Agent: Thunderbird 1.5.0.9 (Windows/20061207)
EDIT: However it was From: ohhsj @ icqmail.com
X-Originating-IP: [216.141.228.112]
Authentication-Results: mta121.sbc.mail.mud.yahoo.com from=icqmail.com; domainkeys=neutral (no sig)
Received: from 207.115.36.76 (EHLO nlpi047.sbcis.sbc.com) (207.115.36.76) by mta121.sbc.mail.mud.yahoo.com with SMTP; Thu, 12 Apr 2007 23:07:56 -0700
X-Header-NoReverseIP: IP.name.lookup.failed[216.141.228.112]
X-Originating-IP: [216.141.228.112]
  antiphishing Phishing Scam Terminator Premium join:2004-06-09 Wilkes Barre, PA
1 edit | reply to Jameson
said by Jameson: Got one as well this morning. The one I got was called removal-8736.zip
Did the email header contain the information "User-Agent: Thunderbird 1.5.0.9 (Windows/20061207)" and was it from a Yahoo email account?
X-Apparently-To: html_edit@yahoo.com via 68.142.198.159; Thu, 12 Apr 2007 11:27:33 -0700
X-YahooFilteredBulk: 162.39.116.180
X-Originating-IP: [162.39.116.180]
Return-Path:
Authentication-Results: mta434.mail.mud.yahoo.com from=med.va.gov; domainkeys=neutral (no sig)
Received: from 162.39.116.180 (HELO h180.116.39.162.ip.alltel.net) (162.39.116.180) by mta434.mail.mud.yahoo.com with SMTP; Thu, 12 Apr 2007 11:27:32 -0700
Received: from vqyhx ([26.84.210.33]) by h180.116.39.162.ip.alltel.net (8.13.4/8.13.4) with SMTP id l3CIm64j074509; Thu, 12 Apr 2007 14:48:06 -0400
Message-ID:
Date: Thu, 12 Apr 2007 14:44:50 -0400
From: "Customer Support Center"
User-Agent: Thunderbird 1.5.0.9 (Windows/20061207)
MIME-Version: 1.0
To: html_edit@yahoo.com
Subject: Virus Detected!
Content-Type: multipart/mixed; boundary="------------040808030703010202050005"
Content-Length: 60246
--
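Mail-filter logic for the pattern the posters above describe, as an added example that is not code from this thread: it parses one raw message with Python's standard email module and counts the indicators noted in the quoted headers (the fixed Thunderbird User-Agent, a "Customer Support" sender, the "Virus Detected!" subject, the X-Header-NoReverseIP mark, and a patch_NNNN.zip or removal-NNNN.zip attachment). The sample message, its addresses and IP, and the two-indicator threshold are constructed assumptions.

```python
import re
from email import message_from_string

# Indicators the thread's posters noticed in this spam run (constructed rules, not a vendor signature).
RUN_USER_AGENT = "Thunderbird 1.5.0.9 (Windows/20061207)"
LURE_SUBJECT = "virus detected!"
LURE_ATTACHMENT = re.compile(r"^(patch|removal)[_-]\d{4}\.zip$", re.IGNORECASE)

def score_message(raw: str) -> list:
    """Return the run indicators found in one raw RFC 822 message, in a fixed order."""
    msg = message_from_string(raw)
    hits = []
    if msg.get("User-Agent", "").strip() == RUN_USER_AGENT:
        hits.append("user-agent")            # hard-coded client string, identical across the run
    if msg.get("Subject", "").strip().lower() == LURE_SUBJECT:
        hits.append("subject")
    if msg.get("X-Header-NoReverseIP"):
        hits.append("no-reverse-dns")        # receiving MTA could not resolve the sending host
    if "customer support" in msg.get("From", "").lower():
        hits.append("support-impersonation")
    for part in msg.walk():                  # any attachment named like the lure files
        if LURE_ATTACHMENT.match(part.get_filename() or ""):
            hits.append("zip-lure")
            break
    return hits

def is_storm_lure(raw: str, threshold: int = 2) -> bool:
    """Flag a message when at least `threshold` indicators co-occur (threshold is an assumption)."""
    return len(score_message(raw)) >= threshold

# Constructed sample modelled on the headers quoted above; addresses and IP are placeholders.
SAMPLE_LURE = """\
From: "Customer Support Center" <support@example.invalid>
To: victim@example.invalid
Subject: Virus Detected!
User-Agent: Thunderbird 1.5.0.9 (Windows/20061207)
X-Header-NoReverseIP: IP.name.lookup.failed[192.0.2.10]
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/zip; name="patch_4723.zip"
Content-Disposition: attachment; filename="patch_4723.zip"

PK
--b1--
"""
```

A lone User-Agent match is deliberately not enough to flag a message, since legitimate Thunderbird 1.5.0.9 users sent that same header.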