Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: If It Sounds Too Good To Be True..., Don't Let This Happen To You, Updated MS04-039 - SANS Internet Storm Center SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
If It Sounds Too Good To Be True..., Don't Let This Happen To You, Updated MS04-039
If It Sounds Too Good To Be True...

We received a report from a reader who found a little more than he bargained for when looking for a cheap used car. It appears that some rather unsavory characters are posting "deals" online that carry some surprises. When you go to look at photos of your "ride-to-be", the seller tells you "please check the pictures on the file. Are packed with WinZip SelfExtract , I don't have much space in this free host and I can put the on the server. After you download it, if you open the file will ask you where to unpack the files."

Uh... sure...

The executable packs a bit more than some candid photos of your dream car. It carries a version of the QHosts trojan which makes changes to your hosts file pointing domain names for various escrow services to a specific IP address. The seller then insists that to "safeguard" the transaction, an escrow service must be used. Care to guess the rest?

Moral of the story: If it seems too good to be true, it probably is.

Don't Let This Happen To You

Another reader pointed out a different scam. This time, the victim receives an email claiming that their credit card has been charged. The victim is given a link to view their "invoice." While none of this is new, the almost overwhelming barrage of exploit attempts at the other end of the "invoice" link was astounding. The victim's machine is hit with three different exploit attempts, targeting different vulnerabilities. It appears that some piece of dirt out there is an over-achiever.

Updated MS04-039

MS updated bulletin MS04-039 today. In their words, the bulletin was updated:

to reflect the release of updated ISA Server 2000
security updates for all languages. These issues
affected customers using ISA Server 2000 Service
Pack 1 or using Windows 2000 Service Pack 3. The
Security Update Replacement section has also been


Handler on Duty : Tom Liston ( )

160 Posts
Nov 17th 2004

Sign Up for Free or Log In to start participating in the conversation!