
SANS ISC: Be on the Alert - Internet Security | DShield SANS ISC InfoSec Forums


Be on the Alert

I am seeing a large amount of spam hit our network that has been successful at fooling our spam filter.  The
emails contain .zip and .html extensions with various file names.  The subject also varies.  Some subjects
that I have seen are:

Your Funds Will Be Transferred
From Jan Richter (name varies)
Newest Products
Latest Software

The zip file is being analyzed to determine what payload may be involved.  You may want to remind your email
users to refrain from opening any attachments that they weren't expecting to receive.

UPDATE: We have received some information from one of our readers that the zip file he received contained
a multiple-exploit-kit downloader. He indicated that there are over 120,000 successful downloads of the exe file.
They have discovered that IP address 173 .204 .119 .122 is where the file appears to be hosted and that it is being
updated with new binaries consistently. The downloader appears to grab a few files with random file names and
has been observed connecting to imagehut4 .cn, allxt .com and hitinto .com. Jason indicates that all files appear
to run fully under Windows in VMware and are resistant to detection by many of the common threat programs.

Many thanks to Jason for supplying us with the information.

We have also received a report of emails arriving which tell the recipient that the letter cannot be opened
due to low screen resolution. They say the recipient needs to open the attached zip file for the message. Again the filename
for the zip file varies. Thanks to Jason R for this information.

Deb Hale, Long Lines, LLC

Deborah
ISC Handler
I've also seen an increase in email with HTML attachments that get through SPAM filters with the subject "DELIVERY NOTIFICATION FAILURE".

Attachments contain a link to Trojan.Malscript!html
Viral
Anonymous
I have had several as well over the past week. There has been enough that it makes me question our spam filter.
Anonymous
We put a block on zip files years ago and it has saved us numerous times.
Anonymous
I am also having issues with faith in my spam appliance. I am looking at these messages in detail trying to figure out why they are not being stopped. They do appear, on the surface, to be easily identifiable as spam...
Blagarswinth

We've been seeing a lot of "Delivery Notification Failure" SPAM too, though that subject line has since morphed into more random subjects. Included in the e-mail is malicious JS; no attachments. It seems to run as soon as the e-mail is read (or viewed in a reading pane).
Flyshuffle

FYI...
- http://www.symantec.com/connect/blogs/spammers-harvesting-high-gear
July 15, 2010 - "... observed a dramatic increase in the directory harvest attack (DHA) method. There was a staggering -15- times increase in DHA attacks during the first week of July 2010 when compared to the same period in June 2010. The spike was observed in the second week of June and is still rife..."

It -will- take some time for SPAM blockers and AV to catch up with this...

Jack

"a dramatic increase in the directory harvest attack (DHA) method."

There are lots of MTA configuration options that will slow down DHAs. It's not up to the spam blocker or AV to handle that part.

If it is a botnet attack as the Symantec analysis suggests, then simply implementing the Spamhaus Zen DNSBL at SMTP time would likely keep it from having any effect on you.
John Hardin

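The SMTP-time DNSBL check Jack refers to, as an added example (not code from the diary or from any commenter): it builds the reversed-octet Spamhaus Zen query name, interprets the documented answer codes, and decides the connection reply before any RCPT command is seen. The resolver is injectable, so the constructed FAKE_ZEN table at the bottom stands in for DNS; the RFC 5737 documentation addresses and their listings are made up for the demo.

```python
"""DNSBL check of a connecting SMTP client against Spamhaus Zen.

Added example; not code from the ISC diary or from any commenter.  The
DNS lookup is injectable so the demo runs offline against a constructed
answer table; default_resolver does the real query.
"""
import ipaddress
import socket
from typing import Callable, Optional, Tuple

ZEN_ZONE = "zen.spamhaus.org"

# Zen answer codes (A records in 127.0.0.0/8).  SBL: known spam sources,
# XBL: compromised/botnet hosts, PBL: dynamic ranges that should not be
# delivering mail directly.  A botnet-driven DHA shows up mostly as XBL/PBL.
ZEN_CODES = {
    "127.0.0.2": "SBL", "127.0.0.3": "SBL-CSS",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.9": "SBL-DROP",
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}

# Internal relays are never looked up (RFC 1918 plus loopback).
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

Resolver = Callable[[str], Optional[str]]


class DnsblError(Exception):
    """The list answered with an error code rather than a listing."""


def dnsbl_query_name(client_ip: str, zone: str = ZEN_ZONE) -> str:
    """Reverse the octets and append the zone: 192.0.2.10 -> 10.2.0.192.zen.spamhaus.org."""
    ip = ipaddress.IPv4Address(client_ip)          # rejects garbage and IPv6
    return ".".join(reversed(str(ip).split("."))) + "." + zone


def default_resolver(name: str) -> Optional[str]:
    """Real lookup: an A record means listed, NXDOMAIN means not listed."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def zen_listing(client_ip: str, resolver: Resolver = default_resolver) -> Optional[str]:
    """Return the Zen list the client is on, or None if clean or internal."""
    ip = ipaddress.IPv4Address(client_ip)
    if any(ip in net for net in INTERNAL):
        return None
    answer = resolver(dnsbl_query_name(client_ip))
    if answer is None:
        return None
    if answer.startswith("127.255.255."):
        # Spamhaus signals problems this way (e.g. queries sent through a
        # public resolver, or over the usage limit); that is an error, not a hit.
        raise DnsblError(f"{ZEN_ZONE} returned error code {answer}")
    return ZEN_CODES.get(answer, f"unknown code {answer}")


def smtp_connect_decision(client_ip: str, resolver: Resolver = default_resolver) -> Tuple[int, str]:
    """SMTP reply to give the client at connection time, before any RCPT.

    Rejecting here means a harvester never learns which addresses exist and
    nothing is accepted that would later have to be bounced.  A DNSBL error
    fails open so a list outage does not stop all inbound mail.
    """
    try:
        hit = zen_listing(client_ip, resolver)
    except DnsblError:
        return 220, "mail.example.com ESMTP (DNSBL unavailable, continuing)"
    if hit is None:
        return 220, "mail.example.com ESMTP"
    return 554, f"5.7.1 Service unavailable; client [{client_ip}] blocked using {ZEN_ZONE} ({hit})"


# Constructed answer table for offline use: documentation-range addresses
# (RFC 5737) with made-up listings.
FAKE_ZEN = {
    "10.2.0.192.zen.spamhaus.org": "127.0.0.4",          # 192.0.2.10: botnet host
    "9.100.51.198.zen.spamhaus.org": "127.255.255.254",  # 198.51.100.9: error answer
}


def fake_resolver(name: str) -> Optional[str]:
    return FAKE_ZEN.get(name)


if __name__ == "__main__":
    for ip in ("192.0.2.10", "203.0.113.7", "198.51.100.9", "10.1.2.3"):
        print(ip, smtp_connect_decision(ip, fake_resolver))
```

In Postfix the same check is a single restriction, reject_rbl_client zen.spamhaus.org, and the MTA-side brakes on a harvester are settings such as disable_vrfy_command, smtpd_reject_unlisted_recipient, smtpd_client_recipient_rate_limit and smtpd_hard_error_limit. Whichever MTA is in use, the point is to refuse during the SMTP dialogue: accept-then-bounce behaviour is exactly what a directory harvest attack reads address validity from.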
I started seeing this NDR behavior on July 3. Our SPAM filter didn't catch it, nor did our local Symantec client. The file size didn't feel right, and the JS certainly felt icky. I observed the same action, that it runs as soon as the e-mail is read. When I threw it up on VirusTotal on July 05, 13/40 vendors picked it up, each one with a different JS-based malware signature...
We reverted to quarantining .htm/.html based attachments into a select quarantine and reviewing manually. The
John Hardin
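The .htm/.html (and .zip) attachment quarantine described in the post above, as an added example that is not the poster's code: it walks the MIME parts of a raw message, holds any zip or HTML attachment, and records why (an executable or encrypted member inside the zip, active content in the HTML) so the manual review has something to go on. It assumes the MTA hands the raw message to a content-filter hook as bytes; the sample messages are constructed, and every name and address in them is a placeholder.

```python
"""Quarantine .zip and .htm/.html attachments and record why, for manual review.

Added example; not code from the ISC diary or from any commenter.  Assumes
the raw RFC 5322 message arrives as bytes from a content-filter hook.  The
sample messages at the bottom are constructed for the demo.
"""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from typing import List, Tuple

ZIP_TYPES = {"application/zip", "application/x-zip-compressed"}
# Members that turn a zip into an executable delivery rather than a document bundle.
EXEC_IN_ZIP = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
               ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}
# Active content that runs as soon as the HTML attachment is rendered.
ACTIVE_HTML = re.compile(rb"<\s*script\b|javascript:|\bon(?:load|error|click)\s*=", re.I)


def _ext(name: str) -> str:
    """Lower-cased final extension including the dot ('' if none); 'a.pdf.exe' -> '.exe'."""
    name = name.strip().lower()
    return name[name.rfind("."):] if "." in name else ""


def inspect_zip(data: bytes) -> List[str]:
    """Reasons found inside a zip attachment: executables, encrypted members, or not a zip at all."""
    reasons: List[str] = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:          # general-purpose bit 0: member is encrypted
                    reasons.append(f"encrypted member {info.filename!r} (cannot inspect)")
                elif _ext(info.filename) in EXEC_IN_ZIP:
                    reasons.append(f"executable member {info.filename!r}")
    except zipfile.BadZipFile:
        reasons.append("attachment claims .zip but is not a valid archive")
    return reasons


def inspect_html(data: bytes) -> List[str]:
    m = ACTIVE_HTML.search(data)
    return [f"active content: {m.group(0).decode(errors='replace')!r}"] if m else []


def classify(raw: bytes) -> Tuple[str, List[str]]:
    """Return ('quarantine', reasons) or ('deliver', [])."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons: List[str] = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        ext = _ext(name)
        ctype = part.get_content_type()
        attached = part.get_content_disposition() == "attachment"
        is_zip = ext == ".zip" or ctype in ZIP_TYPES
        # An inline text/html body is ordinary mail; only HTML *attachments* are held.
        is_html = ext in (".htm", ".html") or (ctype == "text/html" and attached)
        if not (is_zip or is_html):
            continue
        label = name or f"<unnamed {ctype}>"
        reasons.append(f"{label}: {'zip' if is_zip else 'html'} attachment held by policy")
        payload = part.get_payload(decode=True) or b""
        details = inspect_zip(payload) if is_zip else inspect_html(payload)
        reasons.extend(f"{label}: {d}" for d in details)
    return ("quarantine", reasons) if reasons else ("deliver", [])


def build_lure() -> bytes:
    """Constructed message resembling the reported lure: an HTML attachment with a
    script plus a zip carrying an .exe (placeholder bytes, not a real binary)."""
    msg = EmailMessage()
    msg["From"] = "Jan Richter <sender@example.net>"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Your Funds Will Be Transferred"
    msg.set_content("Your letter cannot be opened due to low screen resolution; "
                    "please open the attached file.")
    html = b"<html><body><script>location='http://example.invalid/x';</script></body></html>"
    msg.add_attachment(html, maintype="text", subtype="html", filename="message.html")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.exe", b"MZ placeholder, not a real binary")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="document.zip")
    return msg.as_bytes()


def build_clean() -> bytes:
    """Constructed ordinary message: inline HTML body plus a PDF attachment."""
    msg = EmailMessage()
    msg["From"] = "a@example.com"
    msg["To"] = "b@example.com"
    msg["Subject"] = "Minutes"
    msg.set_content("Minutes attached.")
    msg.add_alternative("<p>Minutes attached.</p>", subtype="html")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application", subtype="pdf",
                       filename="minutes.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for build in (build_lure, build_clean):
        print(build.__name__, classify(build()))
```

The hold decision is made on the attachment alone, as the poster describes; the inspection only annotates the quarantine entry so the reviewer sees at a glance whether the zip carried an executable or was encrypted to defeat scanning. A mismatch between the declared .zip name and the actual bytes is itself recorded, since that is another thing a filter should not silently let through.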
Sanesecurity signatures are already blocking some of these:

http://sanesecurity.co.uk/index.htm
Sanesecurity

