
SANS ISC: Trojan postcards; Using authorized apps to do bad things; More IE and Outlook problems? SANS ISC InfoSec Forums


Postcard Trojans


We're receiving more reports of email messages posing as "postcard pickup" notifications that wind up delivering a trojan payload. One example forwarded to us is an email message claiming "You have just received a virtual postcard from a family member!" which apparently sends you to a "pickup" site that gives you an mIRC-based trojan. While it's sad that we have to say this, the amount of cruft being delivered via email continues to encourage us to take a "default deny" posture; without knowing the true source of an email, one has to be cautious about accepting just about everything these days.

Use of authorized apps in client side attacks


One reader wrote in with a good observation: some of these client-side hijackings (like the trojan mentioned above that hooks mIRC) slide past most AV engines and even desktop firewalls. Most controls consider the hijacked applications "authorized," so they appear to be benign (when they really are not). We continue to see trojan delivery models that leverage existing applications, and this is something that we - as a community - are really going to need a long-term solution for. Some further reading on the topic, if anyone is interested:

"Take back the desktop," from the March 17th issue of Network Computing (175k PDF)

More Outlook and IE problems?


While this shouldn't come as a surprise to anyone, it looks like we might be in for some more IE and Outlook patching:

http://www.eeye.com/html/research/upcoming/20050316.html
http://www.eeye.com/html/research/upcoming/20050329.html

Greg

Apr 3rd 2005
