13 October 2009

SPAM: Server Upgrade

I have been alerted to a couple of users who are receiving spam that contains links to external websites. The message is as follows:

Attention!

On October 16, 2009 server upgrade will take place. Due to this the system may be offline for approximately half an hour.

The changes will concern security, reliability and performance of mail service and the system as a whole.

For compatibility of your browsers and mail clients with upgraded server software you should run SSl certificates update procedure.

This procedure is quite simple. All you have to do is just to click the link provided, to save the patch file and then to run it from your computer location. That's all.

http://updates.<your domain>.<various>/ssl/id=73616375-<email>-patch2844683.aspx

Thank you in advance for your attention to this matter and sorry for possible inconveniences.

System Administrator

I have noticed the following domain names being used so far which I have blocked on my proxy server:

*.admin-db.net
*.1ssl-certs.com

According to: http://www.dshield.org/diary.html?storyid=7333

The link leads the user to a download which disables AV and has Trojan / key logger characteristics.

Once again the URL contains the user's email address, so the site will probably log the entry to a database for future spamming.

I would suggest that you add all the domain names that you encounter in these messages to your proxy blocked list to prevent users from giving their email addresses away for future attacks.

28 September 2009

tax-statement-taxpayer_id*.exe

There are some fake IRS spam mails circulating at the moment that lead to a page which tries to get you to download a virus file, which Trend Micro OfficeScan picks up as TROJ_ZBOT.CBY.

I am particularly worried about this email as it seems as though the URL contains the email address of the user it was sent to. This will then allow the owner of the site to log valid email addresses when someone clicks on the link in the email. They don't even need to download the file to now be a bigger target for spam.

Solution: I also noticed that there are multiple domains that users are being redirected to, so I decided to block *.irs.gov.*.com on our proxy server to prevent users getting themselves on a spam list.

I found the following domain names in this type of attack so far:

*.irs.gov.y11dera.com

*.irs.gov.fedas1am.com

*.irs.gov.fedasaz.com

*.irs.gov.y11derq.com

[Image: screenshot of the website you get redirected to when you click on the link in the emails.]
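Both spam posts above describe the same trap: a lookalike hostname (the real domain used as the leading labels of an attacker-controlled one) and the recipient's address embedded in the URL, so a click alone confirms a live mailbox. The following Python is an added example, not from the original posts, that scans constructed proxy log lines for those two traits; example.com stands in for <your domain>, and the client IPs and user name are made up.

```python
import re
from urllib.parse import urlparse
# Constructed proxy log lines (date, time, client IP, URL); not taken from the original posts.
# example.com stands in for "<your domain>" in the SSL-update spam's URL.
SAMPLE_LOG = """\
2009-09-28 09:12:01 10.0.0.17 http://www.irs.gov.y11dera.com/refund/?id=jdoe@example.com
2009-09-28 09:12:44 10.0.0.22 http://www.irs.gov/individuals/index.html
2009-10-13 14:03:10 10.0.0.31 http://updates.example.com.admin-db.net/ssl/id=73616375-jdoe@example.com-patch2844683.aspx
2009-10-13 14:05:00 10.0.0.31 http://www.example.com/ssl/renew
"""

# Domains the spam imitates by placing them as leading labels of an unrelated domain.
IMPERSONATED = ("irs.gov", "example.com")
# Loose match: anything address-shaped, wherever it sits in the path or query string.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def registrable_domain(host):
    # Last two labels only; enough for .com/.net, a public-suffix list is needed in general.
    return ".".join(host.lower().split(".")[-2:])

def lookalike_host(host):
    # Return the impersonated domain if the host merely embeds it, else None.
    host = host.lower()
    for brand in IMPERSONATED:
        if host == brand or host.endswith("." + brand):
            continue  # genuinely under the real domain
        if "." + brand + "." in "." + host and registrable_domain(host) != brand:
            return brand
    return None

def inspect_url(url):
    # List the suspicious traits of one URL; an empty list means nothing was found.
    p = urlparse(url)
    findings = []
    brand = lookalike_host(p.hostname or "")
    if brand:
        findings.append(f"lookalike host for {brand}: {p.hostname}")
    m = EMAIL_RE.search(p.path + "?" + p.query)
    if m:
        findings.append(f"email address embedded in URL: {m.group(0)}")
    return findings

def scan_log(text):
    # Return (client, url, findings) for every log line with at least one finding.
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        findings = inspect_url(parts[3])
        if findings:
            hits.append((parts[2], parts[3], findings))
    return hits
```

Clients that appear in the output are the ones whose addresses may already be on the spammer's list, which is the set you would want to contact and watch.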

16 July 2009

AutoRuns

Ever wondered why your computer is taking forever to start up? Well then AutoRuns is for you! This is the most comprehensive application that I have seen for killing automatic processes. I think I am going to be using AutoRuns a lot in future! I love Sysinternals!

14 July 2009

Sending Emails From CMD

I was recently asked to write a script to check if a file exists and then email someone if the file is found. I found this program called Blat. Blat is a command line email client. Basically all I did to get it working was download Blat and copy blat.exe and blat.dll to %SystemRoot%\System32.

Check the code below:

@ECHO OFF
REM ### CONFIGURE SETTINGS HERE ################
set SMTPServer=127.0.0.1
set ToAddress=email@mydomain.com
set FromAddress=email@mydomain.com
set ServerName=My Server Name
REM Path of the file whose presence should trigger the alert
set Find="C:\myfile.txt"
REM #####################################
REM Send the alert only if the file exists, otherwise just exit
IF EXIST %Find% (goto senderror)
goto end

:senderror
set Subject=File Found
set MessageBody=%ServerName% - File Found. (%Date%)
REM blat.exe and blat.dll must be in %SystemRoot%\System32; -server is the SMTP relay, -f the sender address
%SystemRoot%\System32\blat.exe -server %SMTPServer% -f %FromAddress% -to %ToAddress% -subject "%ServerName% - %Subject%" -body "%MessageBody%"
goto end

:end
@ECHO ON