Keystroke logger being installed from a link in an email (Subject: Police Investigation )

Tristan Rhodes tristanr at CI.GRANDJCT.CO.US
Thu Feb 19 22:27:30 GMT 2004


We have received copies of a malicious email, with the subject "Police Investigation".  

It looks like an innocent spam email.  There are no attachments, just text and some obfuscated links to websites (discussed on this list before).  If you go to them (I don't recommend it) you will see a "SERVER ERROR 550" message, and you might think that the website is down.  What actually happens is the error message is from the website, and they use an exploit in Internet Explorer to install a keystroke logger on your PC.  This information is then mailed to an email address pentasatan at mail.ru with the trojan using its own inbuilt SMTP engine to do so.  Hopefully your firewall blocks any internal host trying to use port 25 (smtp) except for your email server.

Information about this exploit can be found here.
http://spamwatch.codefish.net.au/modules.php?op=modload&name=News&file=article&sid=55

What is the best way to block an exploit like this?

Create a custom Spamassassin rule?
Feed it to Bayes a bunch of times as SPAM?
Use MCP?

Thanks,

Tristan Rhodes
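One way to do the "custom SpamAssassin rule" option from the post, as an added example that is not part of the original message or of MailScanner itself. The rule names, the scores and the assumption that the lure always carries a web link are mine; the only fact taken from the post is the subject line "Police Investigation".

```spamassassin
# Added example for local.cf (assumed rule names and scores, not from the post).
# Sub-rules prefixed with "__" carry no score of their own; only the meta rule adds to the total.

# Subject line used by the lure
header   __LOCAL_POLICE_INV_SUBJ  Subject =~ /\bPolice\s+Investigation\b/i
describe __LOCAL_POLICE_INV_SUBJ  Subject matches the "Police Investigation" lure

# Any http(s) link in the body; the post says the lure has no attachment, only links
uri      __LOCAL_POLICE_INV_URI   /^https?:\/\//i
describe __LOCAL_POLICE_INV_URI   Message body carries a web link

# Fire only when both are present, so a genuine mail about a police
# investigation that contains no link does not pick up the high score
meta     LOCAL_POLICE_INV_LURE    (__LOCAL_POLICE_INV_SUBJ && __LOCAL_POLICE_INV_URI)
describe LOCAL_POLICE_INV_LURE    "Police Investigation" lure with a web link
score    LOCAL_POLICE_INV_LURE    5.0
```

After adding the rules run `spamassassin --lint` to check the syntax, then `spamassassin -t < sample.eml` against a saved copy of the message to confirm LOCAL_POLICE_INV_LURE fires, and restart MailScanner so the new local.cf is loaded. The 5.0 score is set to clear SpamAssassin's default required_score on its own; lower it if the site's threshold or other rules already cover the message.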



