RE: ANI Exploits in Spam -> more info
From: Hubbard, Dan (dhubbard_at_websense.com)
Date: 03/30/05
- Previous message: James C Slora Jr: "RE: ANI Exploits in Spam"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 30 Mar 2005 07:22:13 -0800 To: "James C. Slora, Jr." <james.slora@phra.com>, <incidents@securityfocus.com>
Not to say there are / will be other variants but to date all sites we
have seen to date have the same code which goes to: http://
70.84.199.74/ hi.exe
Which is a wootbot AKA Sdbot.
-----Original Message-----
From: James C. Slora, Jr. [mailto:james.slora@phra.com]
Sent: Tuesday, March 29, 2005 8:25 AM
To: incidents@securityfocus.com
Subject: RE: ANI Exploits in Spam
Britton, Jeff B. wrote Tuesday, March 29, 2005 11:00 AM
> I notice the same trend. ANI files seem to be coming from:
> (some name).sitemynet.com\*.ani
> If possible, I would block sitemynet.com (212.101.97.230).
Keep in mind this is only mildly and temporarily effective. Sites and
file names can and probably will change without warning. The ANI files
download sdbot from a totally different address which will also likely
change.
Better blocking might involve screening cursor styles out of email,
reading messages in Plain Text, and ensuring machines are patched for
MS05-002. ANR and ANI exploits are in the wild on the web, used by
adware installers and other miscreants. So the patch is the most
important of all.
- Previous message: James C Slora Jr: "RE: ANI Exploits in Spam"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
