prog: (khan)
[personal profile] prog
You get an email that actually looks like it may have been composed by a native English speaker welcoming you to a web-based community you may not necessarily recall asking to join, and providing a raw numeric IP address (uh oh) as a confirmation link.

Clicking the link calls up a bare-naked web page (uh oh) with a single line of text apologetically informing you that you need to download (uh oh) a "secure login" thingum to actually see the website, and offers another link to an .exe file (uhhh ohhh).

I assume that carrying on with the download and running the file would (if I were on a Windows box) instantly zombify my PC and put it to use making DDoS attacks against the Turkish government or whatever they're up to now. When it comes down to it I guess I'm really just impressed that the initial email actually doesn't look entirely unreasonable, except for the giveaway raw IP link.

Date: 2007-08-21 05:07 pm (UTC)
From: [identity profile] jaq.livejournal.com
Yes, I've had several of those in the last couple of days, though I didn't bother to follow the link.

Date: 2007-08-21 05:11 pm (UTC)
From: [identity profile] prog.livejournal.com
It was so different than the usual "This am BAnk of Ammerica! We shut down ur Account unless you Click Here -> OK!!" that I just had to see how far down it went.

Date: 2007-08-21 06:45 pm (UTC)
From: [identity profile] keimel.livejournal.com
Every single one I've received (not in gmail filtered accounts, but talker.com ones) has been pointing me at a different zombified web server to download the payload. I've forwarded every one to their respective abuse departments for whatever good that will do.

I was noticing this new method as well. It's a good one in study of legit emails from communities. If they culled the lists from some real communities people were on, it'd be nicer, but they do appear to be somewhat random. I am not on any dog communities, but remember one being indicated as my membership.

They also targeted an email address for which I don't generally sign up for memberships. ;)

Date: 2007-08-21 09:14 pm (UTC)
From: [identity profile] chocorisu.livejournal.com
According to The Register this is the latest version of the Storm Worm, the one that's been "belching out toxic ecard scams". Lots of very sneaky metamorphic code stuff in there making it hard to detect. You don't want that on your PC!

Date: 2007-08-21 10:37 pm (UTC)
From: [identity profile] karlvonl.livejournal.com
Woah, I just got one of those. And thanks to you, I had to click the link just to see. :-)
