-
September 22nd, 2004, 05:12 PM
#1
Click here to become infected
Evidence of a junk/spam e-mail making the rounds today shows a new way to get yourself infected with a Trojan or backdoor.
Selecting the 'click here to remove' link on messages blocked by MessageLabs today triggers an attempt to load malicious code onto a potentially vulnerable Windows PC.
I have not finished analysing the EXE currently hosted (currently called windows-update.exe), but the spammers can change this at any time by uploading a new Trojan. Typically, your machine may be turned into an open proxy, have passwords extracted, and keyloggers installed.
I have set up a "Drop Dead" rule on my firewall to block the site named in the article; you may want to do the same.
Are we having fun yet?
Cheers:
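A defender-side check for the pattern DjM describes (a "click here to remove" lure that points at an executable on a host you have already blocked). This is an added example, not code from the thread or from MessageLabs; the sample message, the hostnames and the block list below are all constructed, and the block list simply stands in for the firewall rule mentioned above.

```python
"""Flag risky links in a spam message: 'click here to remove' style lures,
links whose target is an executable, and links to hosts on a local block
list.  Added example, not from the original thread; every host name and
the sample message are constructed."""
import re
from email import message_from_string
from email.message import Message
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed block list, standing in for the "Drop Dead" firewall rule
BLOCKED_HOSTS = {"spam-remove.example", "updates.example"}

# Anchor text spam uses to lure a click ("click here to remove me")
LURE_RE = re.compile(r"\b(remove|unsubscribe|opt[- ]?out)\b", re.IGNORECASE)
# Link targets that are executables rather than pages
EXE_RE = re.compile(r"\.(exe|scr|pif|com|bat|cmd|vbs|js)$", re.IGNORECASE)


class LinkExtractor(HTMLParser):
    """Collects (href, anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None


def extract_links(msg: Message):
    """Return (href, anchor text) for every link in the text/html parts."""
    links = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            parser = LinkExtractor()
            parser.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
            links.extend(parser.links)
    return links


def classify(href, text):
    """Return the reasons a link is considered risky (empty list = none)."""
    reasons = []
    url = urlparse(href)
    host = (url.hostname or "").lower()
    if host in BLOCKED_HOSTS:
        reasons.append("blocked-host")
    if EXE_RE.search(url.path):
        reasons.append("executable-target")
    if LURE_RE.search(text):
        reasons.append("remove-me-lure")
    return reasons


def risky_links(raw_message: str):
    """Parse a raw RFC 822 message and return [(href, reasons)] for risky links."""
    msg = message_from_string(raw_message)
    return [(href, classify(href, text))
            for href, text in extract_links(msg)
            if classify(href, text)]


# Constructed sample message in the shape the thread describes
SAMPLE = """From: offers@spam-remove.example
To: user@corp.example
Subject: Special offer
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain

Special offer inside.
--b1
Content-Type: text/html

<html><body>
<p>Special offer! <a href="http://shop.example/offer">See details</a></p>
<p>To stop receiving these mails,
<a href="http://updates.example/windows-update.exe">click here to remove</a>.</p>
</body></html>
--b1--
"""

if __name__ == "__main__":
    for href, reasons in risky_links(SAMPLE):
        print(href, "->", ", ".join(reasons))
```

Run against the constructed message, only the "click here to remove" link is reported, with all three reasons; the ordinary offer link passes. The same classifier can be pointed at a mail-gateway quarantine to see how many blocked messages carry an executable behind a remove-me lure.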
-
September 22nd, 2004, 06:56 PM
#2
Fun Fun Fun
Thanks for the heads-up, DjM
MLF
How people treat you is their karma; how you react is yours. - Wayne Dyer
-
September 22nd, 2004, 07:17 PM
#3
I have blocked it too but the problem I can see is that with each new email they can switch domains so we're fighting a losing battle here.
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
September 22nd, 2004, 07:31 PM
#4
Re: Click here to become infected
Originally posted here by DjM
Are we having fun yet?
Fun is to be had everyday in this line of work!
Seriously, this is another reason why I inform anyone who asks to NEVER use the 'Click here to remove me' link. Yes, in some cases this is a legitimate way to end spam from certain companies - however, I tend to sneak towards the side of caution, so I never click those - they could end up doing just the opposite, which is what the article alludes to.
Thanks for the heads up, I'm off to block that domain now..
-
September 22nd, 2004, 08:47 PM
#5
Re: Re: Click here to become infected
Originally posted here by Tiger Shark
I have blocked it too but the problem I can see is that with each new email they can switch domains so we're fighting a losing battle here.
And that's why I said "are we having fun yet". I feel your pain Tiger, but at this point this seems like the only alternative to protect my company. Now I realize a patched system will likely give us more protection, but as I am sure you are aware, patching is not an exact process. We have to test all patches that are released because of the variety of software & systems we run; the cure could be worse than the disease.
Originally posted here by Maverick811
Fun is to be had everyday in this line of work!
Seriously, this is another reason why I inform anyone who asks to NEVER use the 'Click here to remove me' link. Yes, in some cases this is a legitimate way to end spam from certain companies - however, I tend to sneak towards the side of caution, so I never click those - they could end up doing just the opposite, which is what the article alludes to.
Thanks for the heads up, I'm off to block that domain now..
This is also something I pound into the heads of my users, almost on a daily basis, but you know users, some of them, no matter how hard you hit them, just don't get the message.
-
September 22nd, 2004, 08:56 PM
#6
ok you guys...step back....take a deep breath. the key words here are "potentially vulnerable Windows PC."
as long as you stay up to date on your patches you don't have to worry. spammers (and every other digital evildoer group) use 'known' exploits. none of this stuff is 0day
the one discussed in this article is 'JS/Exploit-DragDrop' and was fixed with MS04-004
Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
-
September 22nd, 2004, 09:02 PM
#7
Re: Re: Re: Click here to become infected
Originally posted here by DjM
This is also something I pound into the heads of my users, almost on a daily basis, but you know users, some of them, no matter how hard you hit them, just don't get the message.
LOL, I think that statement can be said by all of us admins here on AO - I know that I've had to deal with some idiots on my network in the past.
-
September 22nd, 2004, 09:04 PM
#8
Originally posted here by Tedob1
ok you guys...step back....take a deep breath. the key words here are "potentially vulnerable Windows PC."
as long as you stay up to date on your patches you don't have to worry. spammers (and every other digital evildoer group) use 'known' exploits. none of this stuff is 0day
the one discussed in this article is 'JS/Exploit-DragDrop' and was fixed with MS04-004
Thanks Tedob1, our latest desktop/laptop image may contain this patch, I'll have to check (got another fire to put out right now), but I will still take the extra precaution of keeping the block in place.
-
September 22nd, 2004, 09:50 PM
#9
Tedob: My deep breath has been taken. However I have a slightly different problem than many have.... Of the 650 machines on my network I only control 350..... They quite happily update themselves from my SUS servers on the day the patch becomes available..... Unfortunately, the other 300 workstations are spread through 4 other organizations that don't have the resources or the technical know-how to manage that. Those are the ones I worry about.....
-
September 22nd, 2004, 11:35 PM
#10
Can it be safely viewed in Firefox? Just curious...Just added it to the block list on the firewall myself...