[Emerging-Sigs] Strange UDP Trojan check-in

Martin Holste mcholste at gmail.com
Tue Oct 4 14:37:37 EDT 2011


Jump right in!  All I want to know in the email is if it's a simple
link that goes to the Blackhole kit or if there's a client side
exploit in the email.  Might as well post the zip, I guess.

On Tue, Oct 4, 2011 at 1:30 PM, Weir, Jason <jason.weir at nhrs.org> wrote:
> Sorry to jump in mid stream here but I'm pretty sure I've got some IRS
> spam samples..
>
> I'll take a look for email subject - anyone want the zip attachment to
> play with?
>
> -J
>
>> -----Original Message-----
>> From: emerging-sigs-bounces at emergingthreats.net
>> [mailto:emerging-sigs-bounces at emergingthreats.net] On Behalf
>> Of Martin Holste
>> Sent: Tuesday, October 04, 2011 2:20 PM
>> To: adam.brunner at internetidentity.com
>> Cc: emerging-sigs at emergingthreats.net
>> Subject: Re: [Emerging-Sigs] Strange UDP Trojan check-in
>>
>>
>> > Ah ok awesome glad that actually helps you out.
>> Yep, thanks for helping out!
>> > The infection vector for that one was Spam posing as the
>> > IRS -> blackhole exploit -> Zeus download.
>> Same here--if you have the email subject, can you post it?  I'm
>> thinking this is at least as valuable as the UPS spam signature
>> already in the ET set.
>>
>> Does anyone have some advice on a signature for the UDP last
>> nine bytes?
>

