
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2009-02-07



SPAM with a large Word file on the side

Published: 2009-02-07
Last Updated: 2009-02-07 22:06:12 UTC
by Tony Carothers (Version: 1)

Scott has provided us with a new piece of SPAM with the subject "Offshore Banking & Investment" with a 1Mb Word file attachment.  Having received two in 45 minutes, this is probably the tip of the iceberg, and as Scott mentions, will definitely start to load the mail servers.

If anybody else is seeing this, please let us know.  More data will be posted as it develops.

Thanx Scott!


.gif Files Presenting a Not so Pretty Picture

Published: 2009-02-07
Last Updated: 2009-02-07 21:51:03 UTC
by Tony Carothers (Version: 1)

A Storm Center subscriber has just submitted malware embedded in .gif image files, downloaded from the image site 4chan.org.  For the sake of expediency, and because this person did such a good write up, here is the analysis provided:

"The *.gif files were found on the "random" board of the image board site 4chan.  The files contain a large picture with instructions to save the file with a .jse extension and run it.

The *.out files are the result of applying scrdec to the gifs to reveal the encoded script.

It appears to:
 (1) copy itself somewhere as 'sys.jse'
 (2) add itself to a Run key in the registry
 (3) (a) fetch the index to 4chan's /b forum
    (b) download the first image
    (c) save it as 'j.jse'
    (d) attempt to run 'j.jse'
 (4) construct a POST request containing the image as payload
 (5) upload itself as a new post on 4chan
 (6) point an instance of IE at site it came from

(3)-(6) are in an infinite loop."

To the subscriber who did the legwork on this one, my thanx for the excellent work.

I will provide more data as it develops.
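The sample the subscriber describes is an image file that is really a carrier for a Script Encoder payload (the container scrdec decodes). That can be triaged on a mail gateway or a file share without executing anything. The script below is an added example, not the submitter's or the ISC's code; it assumes the encoded JScript sits after the GIF trailer byte, and relies on the fact that the Windows Script Encoder container opens with `#@~^` and closes with `^#~@`. The GIF bytes and the "encoded" body it scans are constructed placeholders.

```python
"""Added example (not from the diary or the submitter): triage image files that
carry a Windows Script Encoder payload, the container that scrdec decodes.

Assumption: the encoded JScript rides after the GIF trailer byte, so a strict
walk of the GIF block structure exposes it as trailing data. The encoder's
container starts with the marker "#@~^" and ends with "^#~@".
"""
import sys
from pathlib import Path

GIF_MAGICS = (b"GIF87a", b"GIF89a")
ENC_START = b"#@~^"   # Windows Script Encoder container opener
ENC_END = b"^#~@"     # ... and closer


def _skip_sub_blocks(data, pos):
    """Skip a chain of length-prefixed sub-blocks; return the offset after the 0x00 terminator."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        n = data[pos]
        pos += 1
        if n == 0:
            return pos
        pos += n


def gif_end_offset(data):
    """Walk the GIF header and blocks; return the offset just past the 0x3B trailer."""
    if len(data) < 13 or data[:6] not in GIF_MAGICS:
        raise ValueError("not a GIF")
    flags = data[10]
    pos = 13
    if flags & 0x80:                       # global color table present
        pos += 3 * (2 << (flags & 0x07))   # 2^(N+1) RGB entries
    while True:
        if pos >= len(data):
            raise ValueError("truncated GIF: no trailer")
        block = data[pos]
        pos += 1
        if block == 0x3B:                  # trailer: the image ends here
            return pos
        if block == 0x21:                  # extension: label byte, then sub-blocks
            pos = _skip_sub_blocks(data, pos + 1)
        elif block == 0x2C:                # image descriptor
            if pos + 9 > len(data):
                raise ValueError("truncated image descriptor")
            lflags = data[pos + 8]
            pos += 9
            if lflags & 0x80:              # local color table present
                pos += 3 * (2 << (lflags & 0x07))
            pos += 1                       # LZW minimum code size byte
            pos = _skip_sub_blocks(data, pos)
        else:
            raise ValueError("unknown block 0x%02x at offset %d" % (block, pos - 1))


def scan_image(data):
    """Classify a byte string: does a script-encoder container appear (and where),
    is the file a well-formed GIF, and how many bytes follow its trailer?"""
    result = {"gif": False, "trailing_bytes": 0,
              "encoded_script_at": None, "after_trailer": False}
    start = data.find(ENC_START)
    if start >= 0 and data.find(ENC_END, start) >= 0:
        result["encoded_script_at"] = start
    try:
        end = gif_end_offset(data)
    except ValueError:
        return result                      # not a GIF (or a damaged one)
    result["gif"] = True
    result["trailing_bytes"] = len(data) - end
    result["after_trailer"] = (result["encoded_script_at"] is not None
                               and result["encoded_script_at"] >= end)
    return result


# Constructed samples: a minimal 1x1 GIF, and the same GIF with a fake encoder
# container appended (the body is a placeholder, not a real encoded script).
CLEAN_GIF = (
    b"GIF89a\x01\x00\x01\x00\x00\x00\x00"            # header: 1x1, no global color table
    + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"     # image descriptor, no local color table
    + b"\x02\x02\x44\x01\x00"                         # LZW min code size, one sub-block, terminator
    + b"\x3b"                                         # trailer
)
SUSPECT_GIF = CLEAN_GIF + b"#@~^AAAAAA==constructed-placeholder-body==^#~@"

if __name__ == "__main__":
    samples = [(p, Path(p).read_bytes()) for p in sys.argv[1:]] or [
        ("clean.gif (constructed)", CLEAN_GIF),
        ("suspect.gif (constructed)", SUSPECT_GIF),
    ]
    for name, blob in samples:
        print(name, scan_image(blob))
```

Run it with file paths as arguments, or with none to see the two constructed samples. The GIF walk is deliberately strict: a file that parses as a complete image but still has bytes after the trailer deserves a look even when the encoder marker is absent, since the marker is easy to change while the appended-data trick is what makes an image board a usable drop site.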


A Rough Day in West Palm Beach

Published: 2009-02-07
Last Updated: 2009-02-07 03:11:05 UTC
by Tony Carothers (Version: 2)

Not a good day for some in Florida, specifically West Palm Beach, to find out something like this:

http://www.bestbuy.com/store/550/

1880 Palm Beach Lakes Blvd
West Palm Beach, FL 33401


If you were in the West Palm Beach area, in the store indicated, during November and December 2008, please take the time to read the following:

Substitute Notice Letter

Because this is listed here at the Storm Center, obviously a breach was involved, but I will repeat what the above letter states: "Although none of Best Buy’s electronic systems were compromised by this former employee’s actions, Best Buy believes that approximately 4,000 people could have been affected by this former employee’s unlawful skimming of customer credit card information."  The efforts indicated in the letter demonstrate a swift response by Best Buy to take care of the matter, and their customers.
