Click here to become infected
  1. #1
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867

    Click here to become infected

    Evidence of a junk/spam e-mail making the rounds today shows a new way to get yourself infected with a Trojan or backdoor.

    Selecting the 'click here to remove' link on messages blocked by MessageLabs today triggers an attempt to load malicious code onto a potentially vulnerable Windows PC.
    "I have not finished analysing the EXE currently hosted (currently called windows-update.exe), but the spammers can change this at any time by uploading a new Trojan. Typically, your machine may be turned into an open proxy, have passwords extracted, and keyloggers installed."
    I have set up a "Drop Dead" rule on my firewall to block the site named in the article; you may want to do the same.

    Are we having fun yet?

    Cheers:
    DjM

  2. #2
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    Fun Fun Fun

    Thanks for the heads up DjM

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  3. #3
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    I have blocked it too but the problem I can see is that with each new email they can switch domains so we're fighting a losing battle here.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  4. #4
    Top Gun Maverick811's Avatar
    Join Date
    Oct 2001
    Posts
    852

    Re: Click here to become infected

    Originally posted here by DjM
    Are we having fun yet?
    Fun is to be had everyday in this line of work!

    Seriously, this is another reason why I inform anyone who asks to NEVER use the 'Click here to remove me' link. Yes, in some cases this is a legitimate way to end spam from certain companies - however, I tend to sneak towards the side of caution, so I never click those - they could end up doing just the opposite, which is what the article alludes to.

    Thanks for the heads up, I'm off to block that domain now..
    - Maverick
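    The domain block DjM and Tiger Shark describe in #1 and #3, and Maverick811's rule in #4 of never following a 'click here to remove' link, can both be expressed as a link check run over an incoming mail body. The code below is an added example, not code from this thread, from MessageLabs or from the article DjM cites; the blocklisted domain (example.net), the sample HTML message and every link target in it are constructed for illustration, and only the file name windows-update.exe comes from the thread. It matches blocklisted hosts by parent domain (so a spammer switching subdomains still hits the rule), and it also flags the things a domain block cannot catch: raw IP addresses, the user@host spoofing trick, links that point straight at an executable, and any link whose anchor text is remove/unsubscribe bait.

```python
"""Flag risky links in an HTML mail body: blocklisted hosts (by parent
domain), raw IP literals, userinfo host-spoofing, direct executable
downloads and 'click here to remove' bait.  Example code; the blocklist
and sample message are constructed, not taken from the thread."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed blocklist: the thread does not name the real site.
BLOCKED_DOMAINS = {"example.net"}
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".hta")
REMOVE_TEXT = re.compile(r"remove|unsubscribe|opt[ -]?out", re.IGNORECASE)


class LinkExtractor(HTMLParser):
    """Collects (href, anchor text) pairs from an HTML message body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":  # HTMLParser lower-cases tag and attribute names
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_blocked(host, blocklist=BLOCKED_DOMAINS):
    """True if the host or any parent domain is on the blocklist:
    spam.example.net matches a blocklist entry of example.net."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def assess_link(href, text, blocklist=BLOCKED_DOMAINS):
    """Return the list of reasons a link is suspicious (empty = nothing seen)."""
    parts = urlsplit(href.strip())
    # urlsplit already lower-cases the host; drop a trailing root dot.
    host = (parts.hostname or "").rstrip(".")
    reasons = []
    if parts.scheme not in ("http", "https"):
        reasons.append(f"unexpected scheme {parts.scheme!r}")
    if not host:
        reasons.append("no hostname")
    else:
        if is_blocked(host, blocklist):
            reasons.append(f"host {host} is on the blocklist")
        try:
            ipaddress.ip_address(host)
            reasons.append("raw IP address instead of a domain name")
        except ValueError:
            pass
    if parts.username is not None:
        # http://trusted.example@evil-host/ : everything before '@' is userinfo
        reasons.append("userinfo before '@' (host spoofing trick)")
    if parts.path.lower().endswith(EXECUTABLE_SUFFIXES):
        reasons.append("link points straight at an executable")
    if REMOVE_TEXT.search(text):
        reasons.append("'remove/unsubscribe' link: do not click, report it")
    return reasons


def scan_mail(html, blocklist=BLOCKED_DOMAINS):
    """Map every href in the body to its list of reasons."""
    parser = LinkExtractor()
    parser.feed(html)
    return {href: assess_link(href, text, blocklist) for href, text in parser.links}


# Constructed sample message; hosts and paths are made up for the example.
SAMPLE_MAIL = """<html><body>
<p>Our spring offer. <a href="https://www.example.com/offer">Visit our site</a></p>
<p><a HREF="http://SPAM.Example.net./remove/windows-update.exe">Click here to remove</a></p>
<p><a href="http://www.example.com@192.0.2.10/update">Update now</a></p>
</body></html>"""

if __name__ == "__main__":
    for href, reasons in scan_mail(SAMPLE_MAIL).items():
        print(href, "->", "; ".join(reasons) or "ok")
```

    The parent-domain match is the part that matters against Tiger Shark's point in #3: a single entry for the registered domain covers every host name the spammer rotates under it, while the remaining checks do not depend on the domain at all.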

  5. #5
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867

    Re: Re: Click here to become infected

    Originally posted here by Tiger Shark
    I have blocked it too but the problem I can see is that with each new email they can switch domains so we're fighting a losing battle here.
    And that's why I said "are we having fun yet". I feel your pain, Tiger, but at this point this seems like the only alternative to protect my company. Now, I realize a patched system will likely give us more protection, but as I am sure you are aware, patching is not an exact process. We have to test all patches that are released because of the variety of software & systems we run; the cure could be worse than the disease.


    Originally posted here by Maverick811
    Fun is to be had everyday in this line of work!

    Seriously, this is another reason why I inform anyone who asks to NEVER use the 'Click here to remove me' link. Yes, in some cases this is a legitimate way to end spam from certain companies - however, I tend to sneak towards the side of caution, so I never click those - they could end up doing just the opposite, which is what the article alludes to.

    Thanks for the heads up, I'm off to block that domain now..
    This is also something I pound into the heads of my users, almost on a daily basis, but you know users, some of them, no matter how hard you hit them, just don't get the message.

    DjM

  6. #6
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    OK, you guys... step back... take a deep breath. The key words here are "potentially vulnerable Windows PC."

    As long as you stay up to date on your patches you don't have to worry. Spammers (and every other digital evil-doer group) use 'known' exploits. None of this stuff is 0day.

    The one discussed in this article is 'JS/Exploit-DragDrop' and was fixed with MS04-004.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  7. #7
    Top Gun Maverick811's Avatar
    Join Date
    Oct 2001
    Posts
    852

    Re: Re: Re: Click here to become infected

    Originally posted here by DjM
    This is also something I pound into the heads of my users, almost on a daily basis, but you know users, some of them, no matter how hard you hit them, just don't get the message.
    LOL, I think that statement can be said by all of us admins here on AO - I know that I've had to deal with some idiots on my network in the past.
    - Maverick

  8. #8
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Originally posted here by Tedob1
    OK, you guys... step back... take a deep breath. The key words here are "potentially vulnerable Windows PC."

    As long as you stay up to date on your patches you don't have to worry. Spammers (and every other digital evil-doer group) use 'known' exploits. None of this stuff is 0day.

    The one discussed in this article is 'JS/Exploit-DragDrop' and was fixed with MS04-004.
    Thanks Tedob1, our latest desktop/laptop image may contain this patch; I'll have to check (got another fire to put out right now), but I will still take the extra precaution of keeping the block in place.

    DjM

  9. #9
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Tedob: My deep breath has been taken. However I have a slightly different problem than many have.... Of the 650 machines on my network I only control 350..... They quite happily update themselves from my SUS servers on the day the patch becomes available..... Unfortunately, the other 300 workstations are spread through 4 other organizations that don't have the resources or the technical know-how to manage that. Those are the ones I worry about.....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  10. #10
    Can it be safely viewed in Firefox? Just curious...Just added it to the block list on the firewall myself...
