[Emerging-Sigs] Strange UDP Trojan check-in

Adam Brunner adam.brunner at internetidentity.com
Tue Oct 4 14:40:04 EDT 2011


I have seen a sample where the binary is directly attached to the email,
but from what I have been seeing lately it is a link in the email that
leads to the exploit kit, and the binary itself is pulled from a backend
domain that has for the last few days been hosted on domains pointing to
Yahoo's web hosting platform.

-----
Adam Brunner
Manager of Threat Intelligence & Exploit Research
IID -- Actively Securing the Extended Enterprise
E-mail: adam.brunner at internetidentity.com
Office: 1-888-239-6932 ext: 7445 |  Mobile: 253-376-3573


On 10/4/11 11:37 AM, Martin Holste wrote:
> Jump right in!  All I want to know in the email is if it's a simple
> link that goes to the Blackhole kit or if there's a client side
> exploit in the email.  Might as well post the zip, I guess.
>
> On Tue, Oct 4, 2011 at 1:30 PM, Weir, Jason <jason.weir at nhrs.org> wrote:
>> Sorry to jump in mid stream here but I'm pretty sure I've got some IRS
>> spam samples..
>>
>> I'll take a look for email subject - anyone want the zip attachment to
>> play with?
>>
>> -J
>>
>>> -----Original Message-----
>>> From: emerging-sigs-bounces at emergingthreats.net
>>> [mailto:emerging-sigs-bounces at emergingthreats.net] On Behalf
>>> Of Martin Holste
>>> Sent: Tuesday, October 04, 2011 2:20 PM
>>> To: adam.brunner at internetidentity.com
>>> Cc: emerging-sigs at emergingthreats.net
>>> Subject: Re: [Emerging-Sigs] Strange UDP Trojan check-in
>>>
>>>
>>>> Ah ok awesome glad that actually helps you out.
>>> Yep, thanks for helping out!
>>>> The infection vector for that one was Spam posing as the
>>>> IRS -> blackhole exploit -> Zeus download.
>>> Same here--if you have the email subject, can you post it?  I'm
>>> thinking this is at least as valuable as the UPS spam signature
>>> already in the ET set.
>>>
>>> Does anyone have some advice on a signature for the UDP last
>>> nine bytes?