Last Updated: 2009-02-23 03:03:09 UTC
by Joel Esler (Version: 7)
Please see Shadowserver's write-up here for more information.
UPDATE: Another great VRT Blog post. These guys keep pumping them out! Check it out here.
UPDATE: Shadowserver has released important mitigation information. You can see that post at the URL below.
UPDATE: Sourcefire VRT has published a "homebrew" patch for the vuln. PLEASE TEST THIS BEFORE DEPLOYING IN ANY ENVIRONMENT!!! SANS ISC has NOT verified the effectiveness of this "homebrew patch", and as such we cannot make any claims or comments on its effectiveness or any unintended consequences of using this modified software. As some of you may remember, ZERT has done similar things in the past, and there are obviously caveats involved with this approach (both technical and possibly legal). So please do educate yourself and, if need be, discuss with your legal team before deploying third-party modified software into your environment.
Information on patch:
Information on ZERT:
Disclosure: Joel works for Sourcefire, but does not work for the VRT.
-- Joel Esler http://www.joelesler.net
-- Andre L
Last Updated: 2009-02-20 12:26:18 UTC
by Mark Hofman (Version: 1)
A reader sent this through to us (thanks) and it has an interesting little twist.
The message is one we are already used to
Dear email account owner,
This message is from somewhere email administration center to all email
account owners. We are currently upgrading the email securities of our
database and email account center. We are also conducting a routine check
by deleting all unused accounts to create more space for new accounts.
To prevent your email account from being closed, you will have to update
it below by providing us with the below mentioned so that we can ascertain
that your account is prensently in use.
CONFIRM YOUR EMAIL IDENTITY BELOW
Date of Birth:.....................
Country or Territory:..............
Warning!!! Account owner that refuses to update his or her account within
Seven days of receiving this warning will lose his or her account
Thank you for using somewhere email account
We know this message. Nothing different so far. The twist is in the sender and reply address. Instead of the usual address at a free webmail provider such as hotmail, live.com, gmail, yahoo, etc., this reply address had its own domain. So they set up a domain to make it seem more legit. The domain was registered yesterday. The phishing messages are already going out. No doubt replies are already going back. You may wish to consider making email to the domain email-helpdesk.com disappear. Just be aware there may be other domains as well.
Joanne mentioned that she has seen this a bit over the last few months. Like most of us she just discarded the message; after all, spam is spam no matter what the reply address is.
Mark H - Shearwater
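As an added example (not part of the diary), a small Python check that implements the suggestion above: look at where a reply to a message would actually go and block it when that domain is on a local list, seeded here with email-helpdesk.com from the diary. The sample message and its headers are constructed; any further domains in the list are assumptions to be filled in locally.

```python
import email
from email import policy
from email.utils import parseaddr

# Reply domains whose mail should "disappear". The diary names
# email-helpdesk.com; anything else added here is a local assumption.
BLOCKED_REPLY_DOMAINS = {"email-helpdesk.com"}


def _domain(addr_header):
    """Lower-cased domain part of an address header value ('' if none)."""
    _, addr = parseaddr(addr_header or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def reply_domain(msg):
    """Domain a user's reply would go to: Reply-To wins over From.

    That is exactly where this lure hid its freshly registered domain.
    """
    return _domain(msg.get("Reply-To")) or _domain(msg.get("From"))


def classify(raw):
    """Verdict for a raw RFC 5322 message: 'block', 'suspicious' or 'ok'."""
    msg = email.message_from_string(raw, policy=policy.default)
    reply_dom = reply_domain(msg)
    from_dom = _domain(msg.get("From"))
    if reply_dom in BLOCKED_REPLY_DOMAINS:
        return "block"
    # A Reply-To pointing away from the From domain is the hallmark of this
    # lure and worth a closer look even before the domain is listed.
    if reply_dom and reply_dom != from_dom:
        return "suspicious"
    return "ok"


# Constructed sample resembling the diary's lure; all headers are invented.
SAMPLE = """From: "Email Administration Center" <admin@example.net>
Reply-To: support@email-helpdesk.com
To: victim@example.com
Subject: CONFIRM YOUR EMAIL IDENTITY

Dear email account owner, ...
"""

if __name__ == "__main__":
    print(classify(SAMPLE))  # -> block
```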