May 02, 2004
Osama Bin Laden Roams Free!
May 2004 hoax claims the 9/11 architect has been captured, but the message is actually a Trojan in disguise
Don't be suckered into the Scam of the Moment announcing the capture of Osama Bin Laden, architect of 9/11 (according to George W Bush and his administration). This email hoax is constructed like a news report, variously attributed to ABC, CBS News, the BBC and CNN. I'm awaiting versions supposedly originating from Al-Jazeera and Al-Arabiya soon.
The infected messages arrive in groups of 8-10 with different (spoofed) senders' addresses but a common subject, 'Osama bin Laden Captured'. The message body reads "Just got this from Osama Bin Laden has just been captured! A video and some pictures have been released. Go to the link below for pictures, I will update the page with the video as soon as I can: http://xxx.xxx.xxx.xx/pics/ God Bless America!".
Don't try to open the URL: it redirects to a web advertisement for Viagra, but as you view the page, embedded scripting attempts to download an executable file (EXPLOIT.EXE) containing the Small.B Trojan. The script takes advantage of a well-known (and often unpatched) Internet Explorer vulnerability. Once installed, the Trojan opens a random port, transmits the port details to a remote Web server, then listens on the opened port for instructions. Mostly Small.B is used to route spam, but it can also be used to compromise user privacy.
The Osama hoax reigns supreme on the Net; over the weekend, I was receiving over a dozen messages an hour. The sender's address varied but the subject line often remained the same. My mail filtering service's spam filters are getting a proper workout: they have so far trapped every so-infected message. But the downside of this hyper-efficiency is that the Mail Discards Report has doubled from 400 kB to 800+ kB and keeps growing!
In another instance, a catch-all mail account my company uses is a good indicator of the reach of spam, as well as of the continued proliferation of open-relay mail servers that allow savvy users (including yours truly) to send mail while pretending to be a system administrator. Most spam received originates from .kr (South Korea) and .cn (China) domains, and the usual knee-jerk reaction of blocking mail originating from these domains can backfire and block genuine business messages too.
This is why I'm looking forward to the eventual deployment of the next generation of mail server authentication. Sender Policy Framework (SPF) has mail administrators add extra information to their domain's DNS records. This data lists the hosts authorized to send mail for a specific domain. When the receiving mail server accepts a client connection, it checks the originating IP address against the sending domain's SPF information; if the client IP is unlisted it is not "authorized" and will be refused a connection. But as things stand now, SPF-checking mail servers are few and far between and the method remains largely theoretical. Microsoft's alternative is its Caller-ID for Email initiative.
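As an added illustration of the SPF check described above (this is example code written for this page, not part of the original post or of any SPF implementation), the following evaluator parses an SPF TXT record and classifies a connecting client IP. It assumes a constructed, in-memory DNS table in place of real lookups; the domains and addresses in it are fictitious documentation values. It handles the ip4/ip6, a, mx, include and all mechanisms with the four qualifiers, and deliberately omits redirect=, exp=, macros and the DNS lookup limit, so it is a teaching model of the mechanism rather than a production checker.

```python
import ipaddress

# Constructed stand-in for DNS: domain -> record type -> value(s).
# All names and addresses are fictitious (RFC 5737 documentation ranges).
FAKE_DNS = {
    "example.com": {
        "TXT": "v=spf1 mx ip4:192.0.2.0/24 include:mailer.example.net -all",
        "MX": ["mail.example.com"],
    },
    "mail.example.com": {"A": ["198.51.100.10"]},
    "mailer.example.net": {"TXT": "v=spf1 ip4:203.0.113.5 -all"},
}

# Qualifier prefix -> SPF result name.
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split a 'v=spf1 ...' record into (qualifier, mechanism, value) terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"  # an unprefixed mechanism means "pass" when it matches
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, value = term.partition(":")
        parsed.append((qualifier, mech.lower(), value))
    return parsed


def check_host(client_ip, domain, dns=FAKE_DNS):
    """Return the SPF result for client_ip claiming to send mail for domain.

    Mechanisms are tested left to right; the first match decides the result.
    A domain with no SPF record yields "none"; no match at all yields "neutral".
    """
    ip = ipaddress.ip_address(client_ip)
    record = dns.get(domain, {}).get("TXT")
    if record is None:
        return "none"
    for qualifier, mech, value in parse_spf(record):
        matched = False
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(value, strict=False)
        elif mech == "a":
            host = value or domain
            matched = client_ip in dns.get(host, {}).get("A", [])
        elif mech == "mx":
            host = value or domain
            for mx in dns.get(host, {}).get("MX", []):
                if client_ip in dns.get(mx, {}).get("A", []):
                    matched = True
        elif mech == "include":
            # include: matches only when the referenced domain's policy passes.
            matched = check_host(client_ip, value, dns) == "pass"
        if matched:
            return RESULTS[qualifier]
    return "neutral"


if __name__ == "__main__":
    for ip in ("192.0.2.77", "198.51.100.10", "203.0.113.5", "203.0.113.99"):
        print(ip, "->", check_host(ip, "example.com"))
```

A receiving server would act on the result: a "fail" from a domain that ends its record with "-all" is the case the post describes, where the connection is refused because the IP is not on the authorized list; "softfail" (~all) is usually treated as a scoring signal rather than an outright rejection.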
Worm_Sasser.A (W32/Sasser-A, Sasser, W32/Sasser.worm, Win32.Sasser.A, W32.Sasser.Worm) exploits all versions of Windows by causing a buffer overflow in LSASS.EXE. The buffer overrun allows remote code execution, enabling an attacker to gain full control of an affected system. Read the Microsoft Security Bulletin MS04-011 for details of the various Windows services affected by the flaw.
The Sasser worm scans the network for vulnerable systems and, when it finds them, sends a specially crafted packet to produce a buffer overflow in LSASS.EXE. The worm also creates a script file, CMD.FTP, containing instructions for vulnerable systems to download and execute the malware from a remote infected system using FTP on TCP port 5554. The buffer overflow in LSASS.EXE causes that program to crash, an event that causes Windows to reboot. To recover from this worm, I recommend Trend Micro's Damage Cleanup Service utility.
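The two network behaviours described above, scanning for vulnerable hosts and then fetching the worm over FTP on TCP port 5554, are what a defender can look for in perimeter or host firewall logs. The following is an added example written for this page (not code from the original post or from Trend Micro); it runs over a handful of constructed log lines in a made-up key=value format. The scan-port default of 445 is the SMB port Sasser probed, which the post does not state; the 5554 rule comes straight from the text.

```python
import re
from collections import defaultdict

# Constructed firewall log in a hypothetical key=value format. Host 10.0.0.5
# sweeps seven neighbours on TCP 445, host 10.0.0.9 makes one ordinary SMB
# connection, and host 10.0.0.20 then pulls the payload from 10.0.0.5 on 5554.
SAMPLE_LOG = """\
2004-05-02T10:00:01 src=10.0.0.5 dst=10.0.0.20 dport=445 proto=tcp action=allow
2004-05-02T10:00:01 src=10.0.0.5 dst=10.0.0.21 dport=445 proto=tcp action=deny
2004-05-02T10:00:01 src=10.0.0.5 dst=10.0.0.22 dport=445 proto=tcp action=deny
2004-05-02T10:00:02 src=10.0.0.5 dst=10.0.0.23 dport=445 proto=tcp action=deny
2004-05-02T10:00:02 src=10.0.0.5 dst=10.0.0.24 dport=445 proto=tcp action=deny
2004-05-02T10:00:02 src=10.0.0.5 dst=10.0.0.25 dport=445 proto=tcp action=deny
2004-05-02T10:00:03 src=10.0.0.5 dst=10.0.0.26 dport=445 proto=tcp action=deny
2004-05-02T10:00:05 src=10.0.0.9 dst=10.0.0.20 dport=445 proto=tcp action=allow
2004-05-02T10:00:09 src=10.0.0.20 dst=10.0.0.5 dport=5554 proto=tcp action=allow
2004-05-02T10:00:10 src=10.0.0.9 dst=10.0.0.30 dport=80 proto=tcp action=allow
"""

LOG_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)"
)


def parse_lines(log_text):
    """Yield (src, dst, dport, proto) for every line that matches the format."""
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m.group("src"), m.group("dst"), int(m.group("dport")), m.group("proto")


def find_scanners(log_text, scan_port=445, min_targets=5):
    """Sources that touched at least min_targets distinct hosts on scan_port.

    Returns {source_ip: distinct_target_count}. A single connection is normal
    file sharing; a spread across many hosts is the worm's sweep.
    """
    targets = defaultdict(set)
    for src, dst, dport, proto in parse_lines(log_text):
        if proto == "tcp" and dport == scan_port:
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


def find_ftp_5554(log_text):
    """(client, server) pairs on TCP 5554: client is likely newly infected and
    downloading the worm, server is the already-infected host serving it."""
    pairs = {(src, dst) for src, dst, dport, proto in parse_lines(log_text)
             if proto == "tcp" and dport == 5554}
    return sorted(pairs)


def sasser_indicators(log_text):
    """Combine both signals into one report."""
    return {"scanners": find_scanners(log_text), "ftp_5554": find_ftp_5554(log_text)}


if __name__ == "__main__":
    print(sasser_indicators(SAMPLE_LOG))
```

The destination side of every 5554 hit is worth as much as the source: in the sample, 10.0.0.5 both sweeps the subnet and serves the payload, which is exactly the double role an infected Sasser host plays.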
While researching a topic for a client, I chanced across the easy disclaimer© project, a free German site (an English version is available too) offering a free web site disclaimer. You don't actually host a copy of the disclaimer. Instead you host either a text link or one of a choice of graphic images linking to the disclaimer on the service provider's site.
That's it for now. Stay Safe!