What's New, Old and Morphing? - SANS Internet Storm Center

What's New, Old and Morphing?
Cyberspace was so busy churning out facts yesterday that our Handler on Duty, Donald Smith furiously posted diary entries to keep you informed. So, I thought I would take a moment to summarize the events of April 22 and further elaborate on the situation. First, spam plagues us every day so it is important for us to stay up on the current threat vector. Don wrote about the latest attempt to exploit users called “Apocalyptic NEWS Usama Ben Laden.” The email attempts to lure users to download a version of Zlob. The links in the blog site are malicious. Don talked about another spam phenomenon involving Google agenda. This is considered a new method of delivery. Social network site MySpace was exploited again in an attempt to lure the user to download by clicking on a “fake” Microsoft update popup. The pop up is actually a large css layer which initiates a download session. Then, Don told us about a situation in which a malicious .rar file (promising Paris Hilton undressing), which cleverly bypassed email gateway security but was ultimately found by an AV program. The program seems to be SDBOT. So there you have it, new spam, Google agenda, social networking css and a bot. Another day in the life… But, all that was all so yesterday, today we have several situations arousing attention from our readers. First off today, Heather wrote in to tell us about US Cert releasing an advisory yesterday afternoon concerning a malicious website injecting javascript which infected many UK and a UN site. Websense alerted about it here. They analyzed the malware and concluded that it is related to our story by Bojan. We recommended mitigations for the situation here. Then, Andrew from Vancouver wrote in to tell us about his experience with a Wordpress Blog infection that let spammers insert hidden text into the Wordpress (several versions) powered sites. While not widespread, the technique is interesting and should allow us the opportunity to discuss these methods of attack. Further information is revealed on a Tech Side Up blog. Another reader sent in an old “download this” scam which has seemed to have migrated itself to a Skype chat. The following information is used to get the user to click on the included link which downloads the Downloader Trojan. Your AV should catch the download of this old nasty, but the new delivery vector should be added to the warnings to users through your security awareness programs. "[4:09:40 PM] Software Update ® says: WINDOWS REQUIRES IMMEDIATE ATTENTION ============================= ATTENTION ! Security Center has detected malware on your computer ! Affected Software: Microsoft Windows NT Workstation Microsoft Windows NT Server 4.0 Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Win98 Microsoft Windows Server 2003 Impact of Vulnerability: Remote Code Execution / Virus Infection / Unexpected shutdowns Recommendation: Users running vulnerable version should install a repair utility immediately Your system IS affected, download the patch from the address below ! Failure to do so may result in severe computer malfunction." That sums it up! With all this activity, let us know what you are seeing out there. Fair winds, Mari	Mari Nichols 76 Posts Apr 23rd 2008
Thread locked Subscribe	Apr 23rd 2008 1 decade ago