HP3000-L Archives

February 2003, Week 3

HP3000-L@RAVEN.UTC.EDU

From: Denys Beauchemin <[log in to unmask]>
Date: Mon, 17 Feb 2003 16:05:09 -0600
Content-Type: text/plain
Parts/Attachments: text/plain (118 lines)

I do not think the Sonicwall would have caught this one.  Remember, the
attachment came as an .hta extension.  The message was extremely sneaky and
the script creates the program, switches things around during creation and
then launches this newly created program.

It is the first time I have seen something like this and it got by NAV and
other mechanisms we have here.  The only reason it was pulled out and sent
to the Spam folder was because of one of my final rules in LookOut.  "Send
anything that avoids all my rules to the Spam filter."  When I scan the Spam
folder, I am always more careful, disabling the preview pane and not opening
any message that I am not comfortable with.  I had never seen a
mailer_daemon notification with an attachment before.

Denys

-----Original Message-----
From: Dennis Hassell [mailto:[log in to unmask]]
Sent: Monday, February 17, 2003 11:01 AM
To: [log in to unmask]; [log in to unmask]
Subject: RE: [HP3000-L] A new kind of Spam

An option that I have invoked is a firewall appliance - specifically
Sonicwall's SOHO3 (or TELE3). It will examine attachments to e-mail and
will disable or delete (your option) any attachment which has an
executable type code (your choice, too). To disable, it will change the
type from .exe, .dll, .vbs, etc. to something else and will notify you
that it did that. It at least prevents an inadvertent execution of the
attachment. Besides that, they are excellent stateful packet firewalls,
VPNs, and are ICSA certified. They say they have never been hacked. I
have had great service from them and recommend them unreservedly.

I think these are falling under a new class of pests which some call
parasite (adware, spyware, stealth) programs. There are benign and not
so benign parasites which come with a lot of commercial web sites and
with many installed programs. I'm just starting to learn about them,
myself. Many are designed to monitor your web choices, some will create
pop-ups, some act as super cookies to send even more info back to
double-click and other advertising providers. (They are not cookies per
se - they provide info on what you are selecting and can do it better
than the cookie mechanism can.) AFAIK there are no Norton/McAfee/etc.
solutions to the parasite problems. There are some web sites which
address the issue. See Google/Yahoo searches for parasite programs.

Dennis Hassell
(941) 750-9917 - home
(941) 224-3981 - cell


-----Original Message-----
From: HP-3000 Systems Discussion [mailto:[log in to unmask]] On
Behalf Of Denys Beauchemin
Sent: Monday, February 17, 2003 9:10 AM
To: [log in to unmask]
Subject: [HP3000-L] A new kind of Spam


The present discussions are all nice and interesting but this morning, I
came across something I have not seen before.  Perhaps I have simply
missed it in the past, but this seems new to me.

In my LookOut 2000 mail client I have installed several dozen rules to
filter out the large amount of spam I receive.  One of the final rules
is that if the message in question has an attachment and does not come
from several known sources, it gets moved to the SPAM folder, where it
joins others that are filtered out according to other rules.

We also use Norton Anti-Virus here and the definitions are current.

So this morning, I am going through my spam folder to rescue any message
that may have landed there by mistake, an increasingly rare occurrence
as my rules steadily improve.  I noticed a message from
[log in to unmask] with the subject line of Delivery
failure. The message has an attachment, which is why it landed in the
spam folder. This looked rather strange, so I sent the message to a text
file and opened it.  The body of the message is innocuous.  It reads as
follows:

"Hi. This is the mailer-daemon. All the detailed information is in the
attachmet. I'm afraid I wasn't able to deliver your message to the
following addresses. This is a permanent error; I've given up. Sorry it
didn't work out."

Not exactly a message that I would classify as something a company would
have set in their mailer-daemon.  The spelling mistake, the very
familiar terms used and the lack of any corporate identity point to some
sort of bogus message.  The invitation to read the "attachmet" is also
very suspicious.

So I opened the message in LookOut and saw that it had an HTA file
called error.hta.  The HTA extension is an HTML application.  Why would
a mailer daemon send an HTML application attachment as part of a delivery
failure message?  So I saved the file to a text file on my desktop and
opened it with Notepad.

Well, let me tell you, this is very revealing.

The file is a java script that loads a few thousand hex values into a
file called c:\program files\uliuli.exe after fiddling with the values
on my one. At the end of the script, it launches the newly created VBS
program.  The rest of the file contains what may appear as a valid
delivery failure, except for a few things.  The intended recipient is me
and the date of the message is February 14, 2002, over a year ago.

Pretty sneaky, I wonder what the VBS program does.  I am not going to
test it.

If anyone is interested I can send them the text file of the attachment.

My question is this: is this something new in the on-going virus wars?

Denys
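Both messages above describe the same two defensive controls: a mail rule that quarantines any message carrying an attachment unless the sender is on a known list, and an appliance that renames attachments with executable extensions (.exe, .dll, .vbs, .hta, ...) so they cannot be run by accident. The following script is an added example written for this archive page, not code from either poster or from any product they mention; it uses only the Python standard library, and the sample messages it parses are constructed here (the real error.hta attachment is not reproduced).

```python
"""Added example: quarantine mail by attachment type and sender, and neutralise
executable attachment names. Stdlib only; all sample input is constructed."""
import email
import os
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Extensions Windows will execute or script directly. .hta (HTML Application)
# runs with full local privileges under mshta, so it belongs with .exe and .vbs.
EXECUTABLE_EXTENSIONS = frozenset({
    ".exe", ".dll", ".com", ".scr", ".pif", ".bat", ".cmd",
    ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta",
})

# Phrases typical of bounce notifications; a genuine bounce rarely needs an attachment.
BOUNCE_MARKERS = ("mailer-daemon", "delivery failure", "undeliverable")


def build_sample_message(sender: str, filename: str, payload: bytes) -> bytes:
    """Construct a multipart message with one attachment (sample data, not a real mail)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Delivery failure" if "mailer-daemon" in sender else "Report"
    msg.set_content("All the detailed information is in the attachment.")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def attachment_names(raw: bytes) -> list[str]:
    """Return the file names of every attachment part in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [p.get_filename() or "" for p in msg.iter_attachments()]


def find_executable_attachments(raw: bytes) -> list[str]:
    """Names whose final extension is executable. Using the last extension
    catches double-extension tricks such as 'report.txt.hta'."""
    return [n for n in attachment_names(raw)
            if os.path.splitext(n)[1].lower() in EXECUTABLE_EXTENSIONS]


def neutralize_name(name: str) -> str:
    """Rename so the OS no longer associates the file with an executable type,
    e.g. 'error.hta' -> 'error.hta.blocked'; the original name stays readable."""
    return name + ".blocked"


def classify(raw: bytes, trusted_senders: frozenset[str]) -> tuple[str, list[str]]:
    """Apply the thread's rules. Returns ('deliver' | 'quarantine', reasons)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    subject = (msg.get("Subject") or "").lower()
    names = attachment_names(raw)
    reasons: list[str] = []

    # Rule 1: executable attachment is never delivered, whoever sent it.
    for name in find_executable_attachments(raw):
        reasons.append(f"executable attachment: {name}")

    # Rule 2 (Denys's final rule): any attachment from an unknown sender.
    if names and sender not in trusted_senders:
        reasons.append(f"attachment from untrusted sender: {sender}")

    # Rule 3: a bounce notification that carries an attachment is suspicious.
    if names and any(m in sender or m in subject for m in BOUNCE_MARKERS):
        reasons.append("bounce notification carries an attachment")

    return ("quarantine" if reasons else "deliver"), reasons


if __name__ == "__main__":
    suspicious = build_sample_message("mailer-daemon@example.invalid",
                                      "error.hta", b"<html><!-- elided --></html>")
    benign = build_sample_message("boss@example.invalid", "notes.txt", b"hello")
    trusted = frozenset({"boss@example.invalid"})
    for raw in (suspicious, benign):
        verdict, why = classify(raw, trusted)
        print(verdict, why, [neutralize_name(n) for n in find_executable_attachments(raw)])
```

Rule 1 is the appliance behaviour Dennis describes, rule 2 is the LookOut rule Denys describes, and rule 3 is the observation from the original post that a mailer-daemon notification with an attachment is itself anomalous; a real deployment would also inspect the attachment's content type rather than trusting the file name alone.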

* To join/leave the list, search archives, change list settings, *
* etc., please visit http://raven.utc.edu/archives/hp3000-l.html *
