Well, for the moment I've had to suspend any new users from downloading sigs/scripts.
I've only got 20 gig hosting currently and this month I've hit over 15 gig... so, playing it safe, new users are suspended until I sort something out.
Please could everyone check that their scripts are downloading using the HEAD command, i.e. only grabbing the downloads when they have changed.
Some users have been downloading the sigs regardless of changes and it's not really helping, while other users have made mistakes and are trying to download every minute :(
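One way to do the HEAD check asked for above, as an added example rather than Sanesecurity's own script: it issues a HEAD request, compares the ETag, Last-Modified and Content-Length headers with the values saved from the last download, and only fetches the file when one of them has changed. The function names, the `.head` state file and whatever URL is passed in are assumptions.

```shell
#!/bin/sh
# Added example, not Sanesecurity's script. Function names, the ".head" state
# file and any URL passed in are assumptions made for illustration.

# Print the value of header $1 (case-insensitive) from a HEAD response on stdin.
header_value() {
    tr -d '\r' | awk -v name="$1" '
        BEGIN { name = tolower(name) ":" }
        tolower(substr($0, 1, length(name))) == name {
            sub(/^[^:]*:[ \t]*/, ""); print; exit
        }'
}

# Reduce a HEAD response to "ETag|Last-Modified|Content-Length".
validator_of() {
    etag=$(printf '%s\n' "$1" | header_value etag)
    lm=$(printf '%s\n' "$1" | header_value last-modified)
    len=$(printf '%s\n' "$1" | header_value content-length)
    printf '%s|%s|%s' "$etag" "$lm" "$len"
}

# needs_download HEADERS STATEFILE: exit 0 if the file must be fetched.
needs_download() {
    new=$(validator_of "$1")
    [ "$new" = "||" ] && return 0   # server sent no validators: cannot compare
    [ -f "$2" ] || return 0         # first run: nothing cached yet
    [ "$new" != "$(cat "$2")" ]     # fetch only when a validator changed
}

# update_sigs URL DEST: HEAD first, GET only on change, then replace DEST.
update_sigs() {
    state="$2.head"
    hdrs=$(curl -fsSI --max-time 30 "$1") || return 1
    if needs_download "$hdrs" "$state"; then
        curl -fsS --max-time 300 -o "$2.tmp" "$1" || return 1
        mv "$2.tmp" "$2" && validator_of "$hdrs" > "$state"
        echo "updated $2"
    else
        echo "unchanged $2"
    fi
}
```

Call `update_sigs` with the signature URL and the local file name from a cron job that runs hourly or less often, not every minute.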
A hopefully interesting blog from the world of zero hour malware, phishing, scams and spams
Monday, 30 April 2007
Sunday, 29 April 2007
Greeting Card
Here's a slightly odd greeting card currently detected as: Email.Malware.Sanesecurity.07030201
It doesn't look anything special to look at... but wait... what's this.... oh look, it's a username/password ftp link to download a normally nasty .pif file:
So, it loads the Zapchast trojan, as can be seen from some VirusTotal results:
Now, let's look at the live FTP site, you can see from the screen grab, the .pif file containing the trojan. Hmmm.... there seems to be other folders there too:
Hang on... that's an Italian Bank name!
Let's see what it looks like in Firefox (with NoScript plugin enabled).
Yup, it's a Posteitaliane bank fraud page, just waiting to capture your details:
Saturday, 28 April 2007
Is anyone going to bother?
I know the spammers have to hide from SURBLs etc., so they've decided to do this:
Look www.2211122. And add COM after dot at the end
Is anyone that receives a spam like this really going to bother adding a .com to the end of www.2211122. ????
It's detected as:
Email.Spam.Gen398.Sanesecurity.07042502
Sanesecurity Blog
Yup, I thought it was about time I started a blog, which might make things a little bit easier for news items... well, that's the plan anyway.