<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]-->
<style>
<!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
@font-face
{font-family:"Arial Narrow";
panose-1:2 11 6 6 2 2 2 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
{mso-style-priority:99;
mso-style-link:"Plain Text Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:10.5pt;
font-family:Consolas;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.PlainTextChar
{mso-style-name:"Plain Text Char";
mso-style-priority:99;
mso-style-link:"Plain Text";
font-family:Consolas;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
.MsoChpDefault
{mso-style-type:export-only;}
@page Section1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="2050" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-AU link=blue vlink=purple>
<div class=Section1>
<p class=MsoPlainText>Hi,<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>Just checked the anti spam box's and we are seeing a high
volume of it hitting us, approx 2k messages in the last 4 hours.<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>Regards,<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>Dan<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0
style='border-collapse:collapse'>
<tr style='height:34.95pt'>
<td width=111 valign=top style='width:83.1pt;padding:0cm 5.4pt 0cm 5.4pt;
height:34.95pt'>
<p class=MsoNormal><span style='color:#1F497D'><img width=105 height=47
id="Picture_x0020_1" src="cid:image001.jpg@01C9B37E.95F08970" alt=goldnet></span><span
style='color:#1F497D'><o:p></o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:"Arial Narrow","sans-serif";
color:#1F497D'> </span><span style='color:#1F497D'><o:p></o:p></span></p>
</td>
<td width=455 valign=top style='width:341.45pt;padding:0cm 5.4pt 0cm 5.4pt;
height:34.95pt'>
<p class=MsoNormal style='text-align:justify'><span style='font-size:8.0pt;
font-family:"Arial Narrow","sans-serif";color:#1F497D'>Shop 1, 97 Forrest
Street, Kalgoorlie WA 6430</span><span style='font-size:8.0pt;font-family:
"Arial Narrow","sans-serif";color:#1F497D'><o:p></o:p></span></p>
<p class=MsoNormal style='text-align:justify'><span style='font-size:8.0pt;
font-family:"Arial Narrow","sans-serif";color:#1F497D'>08 90805111 - 0427 757
336<o:p></o:p></span></p>
<p class=MsoNormal style='text-align:justify'><span style='font-size:8.0pt;
font-family:"Arial Narrow","sans-serif";color:#1F497D'><a
href="mailto:dhooper@gold.net.au"><span style='color:blue'>dhooper@gold.net.au</span></a><o:p></o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p>
</td>
</tr>
</table>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText><span lang=EN-US>-----Original Message-----<br>
From: ausnog-bounces@lists.ausnog.net [mailto:ausnog-bounces@lists.ausnog.net] On
Behalf Of matthew@auscert.org.au<br>
Sent: Thursday, 2 April 2009 9:33 AM<br>
To: ausnog@ausnog.net<br>
Subject: [AusNOG] Trojan spam run with Facebook hook (AUSCERT#2009abf45)</span></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>-----BEGIN PGP SIGNED MESSAGE-----<o:p></o:p></p>
<p class=MsoPlainText>Hash: SHA1<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>G'day all,<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>We are seeing a decent trojan spam out using Facebook as
the hook. The<o:p></o:p></p>
<p class=MsoPlainText>emails all differ slightly but possess the same
characteristics. Eg:<o:p></o:p></p>
<p class=MsoPlainText> <o:p></o:p></p>
<p class=MsoPlainText> From: "Facebook presentment"
<support60@facebook.com><o:p></o:p></p>
<p class=MsoPlainText> Subject: Facebook announcement: Great looking girl
having fun (Last rated<o:p></o:p></p>
<p class=MsoPlainText> by Bradford Collins)<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText> Messages from Your Friends on Facebook, April 01, 2009<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText> You have 1 friend requests - Personal Message:<o:p></o:p></p>
<p class=MsoPlainText> Watch the video titled "Drunk Charlize is dancing
striptease on my<o:p></o:p></p>
<p class=MsoPlainText> Birthday Party, March 28, 2009! We're absolutely
shocked!".<o:p></o:p></p>
<p class=MsoPlainText> <o:p></o:p></p>
<p class=MsoPlainText> Proceed to view full message:<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText> hxxp://facebook.shared.id-etsmrnhy5e.subject.876panel.
com/home.htm?/identification/authentication=0616n9m12<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText> Added 16 minutes ago. Message ID: FB-06nnzbrxizjrzvr<o:p></o:p></p>
<p class=MsoPlainText> 2009 Facebook community, Message Center.<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>Multiple domains are being used all following a naming
scheme of <o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText> [3-5 digit number]panel.com<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>Eg:<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText> 2349panel. com<o:p></o:p></p>
<p class=MsoPlainText> 43553panel. com<o:p></o:p></p>
<p class=MsoPlainText> 654panel. com<o:p></o:p></p>
<p class=MsoPlainText> 876panel. com<o:p></o:p></p>
<p class=MsoPlainText> 987panel. com<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>Is anyone else seeing a decent run of this?<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>Just trying to work out how widespread it is as we are
preparing to do an<o:p></o:p></p>
<p class=MsoPlainText>alert on it.<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>Apologies if you see this across a few lists - looking
for any feedback<o:p></o:p></p>
<p class=MsoPlainText>on numbers on this (and it is all appreciated).<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>Best regards,<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>- -- Matthew McGlashan --<o:p></o:p></p>
<p class=MsoPlainText>Coordination Centre Team Leader | Hotline:
+61 7 3365 4417<o:p></o:p></p>
<p class=MsoPlainText>Australian Computer Emergency Response Team | Direct:
+61 7 3365 7924<o:p></o:p></p>
<p class=MsoPlainText>(AusCERT) | Fax:
+61 7 3365 7031<o:p></o:p></p>
<p class=MsoPlainText>The University of Queensland | WWW:
www.auscert.org.au<o:p></o:p></p>
<p class=MsoPlainText>Qld 4072 Australia | Email:
auscert@auscert.org.au<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>-----BEGIN PGP SIGNATURE-----<o:p></o:p></p>
<p class=MsoPlainText>Version: GnuPG v1.4.6 (FreeBSD)<o:p></o:p></p>
<p class=MsoPlainText>Comment: http://www.auscert.org.au/render.html?it=1967<o:p></o:p></p>
<p class=MsoPlainText>Comment: http://www.auscert.org.au/render.html?it=1967<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>iD8DBQFJ1BXZNVH5XJJInbgRAvMqAJ0cqNWqI3riSyf5Tq9lGzxO9C6xegCcCpl0<o:p></o:p></p>
<p class=MsoPlainText>KzfS5kwPQpBMNU4TfhQuqDo=<o:p></o:p></p>
<p class=MsoPlainText>=zKz3<o:p></o:p></p>
<p class=MsoPlainText>-----END PGP SIGNATURE-----<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>_______________________________________________<o:p></o:p></p>
<p class=MsoPlainText>AusNOG mailing list<o:p></o:p></p>
<p class=MsoPlainText>AusNOG@lists.ausnog.net<o:p></o:p></p>
<p class=MsoPlainText>http://lists.ausnog.net/mailman/listinfo/ausnog<o:p></o:p></p>
</div>
</body>
</html>