[AusNOG] qld transport contact
Matt Perkins
matt at spectrum.com.au
Thu Dec 13 14:27:57 EST 2012
Looks like it's trying to spread Trojan/WIN32.Jork / Bredo-AEL
Enjoy.
On 13/12/12 2:17 PM, Admin Chris wrote:
> Our email server has been getting nailed over the last two weeks, basically
> attacks from all over the world. It'll get a few bad connections from a
> certain IP address, then that IP address would be discarded and another one
> used. IPS would be useless in this situation.
>
> Yesterday, one of our users was complaining of a large number of bounce
> backs for emails he didn't send. Somehow someone was using his email
> address externally to send a large number of spam emails out with some sort
> of embedded image/file. Still trying to work it out.
>
> There were only three IP addresses the connections were coming from, all from
> China. I've still got the IP addresses, Matt, if you want to compare them.
>
> Anyone else seen anything like this lately?
>
> Chris Scholfield
>
> -----Original Message-----
> From: ausnog-bounces at lists.ausnog.net
> [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Matt Perkins
> Sent: Thursday, 13 December 2012 2:08 PM
> To: ausnog at lists.ausnog.net
> Subject: Re: [AusNOG] qld transport contact
>
> All the IPs I have found so far originate in China or HK. I just got two in
> between the last two posts on AusNOG. The embedded graphics come from the VB
> website, so VB could go change those referees/graphics right away to
> indicate it's a spam. The attachment reports to be a zipped PDF, but it is a file
> named virgin-itinerary.pdf.exe, which is a PE32 executable for MS Windows 32
> bit.
>
> I haven't looked inside yet to see what's in the honeypot within. If I get a
> chance this arvo I will pop its cork in the sand pit.
>
> Matt.
>
> On 13/12/12 1:43 PM, Sean K. Finn wrote:
>> I thought PDFs were the PREFERRED delivery method of malware these days?
>>
>> By the way, I've been getting QANTAS ones too. Definitely a coordinated
>> and targeted zerg rush of malware.
>> Considering the Zerg Rush style of tactic, I wonder where the origin might
>> be?
>> S.
>>
>> -----Original Message-----
>> From: ausnog-bounces at lists.ausnog.net
>> [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Paul Gear
>> Sent: Thursday, December 13, 2012 12:08 PM
>> To: ausnog at lists.ausnog.net
>> Subject: Re: [AusNOG] qld transport contact
>>
>> On 12/13/2012 11:54 AM, Nathan Ridge wrote:
>>> Wow... so now hundreds or thousands of people that are actually
>>> travelling soon open the virus under instruction from Virgin to do
>>> so. That's lazy; they will be raped over this. They should have been
>>> much more explicit, saying only open the attachment if it is a PDF, not
>>> zip or exe, and make sure you scan with an up-to-date AV program before
>>> opening.
>> PDFs are not exempted from buffer overrun & sandbox escape
>> vulnerabilities. End users should be advised not to open ANY attachments
>> which they aren't expecting.
>> Paul
>> _______________________________________________
>> AusNOG mailing list
>> AusNOG at lists.ausnog.net
>> http://lists.ausnog.net/mailman/listinfo/ausnog
>
--
/* Matt Perkins
Direct 1300 137 379 Spectrum Networks Ptd. Ltd.
Office 1300 133 299 matt at spectrum.com.au
Fax 1300 133 255 Level 6, 350 George Street Sydney 2000
SIP 1300137379 at sip.spectrum.com.au
PGP/GNUPG Public Key can be found at http://pgp.mit.edu */
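The attachment described in the quoted thread (a PE32 executable inside a zip, named virgin-itinerary.pdf.exe so it reads as a PDF) is exactly what a mail gateway can flag before delivery. The following Python is an added example and not code from the thread or from any of the posters; the zip contents are constructed samples, and the extension lists and function names are assumptions for the illustration.

```python
import io
import zipfile

# Extensions treated as executable / document-like (assumption for this example).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}


def build_sample_zip() -> bytes:
    """Constructed sample attachment: a PE stub named like the one in the thread,
    plus a genuine-looking PDF member, so both branches of the check are exercised."""
    pe_stub = b"MZ" + b"\x90" * 58 + b"This program cannot be run in DOS mode."
    pdf_stub = b"%PDF-1.4\n% constructed sample, not a real itinerary\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("virgin-itinerary.pdf.exe", pe_stub)
        zf.writestr("itinerary.pdf", pdf_stub)
    return buf.getvalue()


def inspect_zip_attachment(data: bytes) -> dict:
    """Return {member_name: [reasons]} for members that look like disguised executables.

    Two independent signals are combined: the filename (executable or double
    extension) and the content (a PE file starts with the 'MZ' DOS header
    whatever it is called), so renaming alone does not evade the check."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1].lower()
            exts = ["." + p for p in base.split(".")[1:]]
            reasons = []
            if exts and exts[-1] in EXECUTABLE_EXTS:
                reasons.append("executable extension " + exts[-1])
                if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
                    reasons.append("double extension disguised as " + exts[-2])
            with zf.open(info) as member:
                if member.read(2) == b"MZ":
                    reasons.append("PE (MZ) header")
            if reasons:
                findings[info.filename] = reasons
    return findings


def should_quarantine(data: bytes) -> bool:
    """Gateway decision: hold the message if any member looks like a disguised executable."""
    return bool(inspect_zip_attachment(data))
```

The benign itinerary.pdf member produces no finding, while the .pdf.exe member is caught on all three signals, which is what a quarantine rule should key on rather than the sender address alone.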