Keystroke logger being installed from a link in an email (Subject: Police Investigation)

Julian Field mailscanner at ecs.soton.ac.uk
Fri Feb 20 08:25:48 GMT 2004


This is apparently quite an old one. There is a good report from AusCERT here:
http://www.auscert.org.au/render.html?it=3858

Sophos, for example, has detected it since May 2003.

At 22:27 19/02/2004, you wrote:
>We have received copies of a malicious email, with the subject "Police
>Investigation".
>
>It looks like an innocent spam email.  There are no attachments, just text
>and some obfuscated links to websites (discussed on this list before).  If
>you go to them (I don't recommend it) you will see a "SERVER ERROR 550"
>message, and you might think that the website is down.  What actually
>happens is the error message is from the website, and they use an exploit
>in Internet Explorer to install a keystroke logger on your PC.  This
>information is then mailed to an email address pentasatan at mail.ru with the
>trojan using its own inbuilt SMTP engine to do so.  Hopefully your
>firewall blocks any internal host trying to use port 25 (smtp) except for
>your email server.
>
>Information about this exploit can be found here.
>http://spamwatch.codefish.net.au/modules.php?op=modload&name=News&file=article&sid=55
>
>What is the best way to block an exploit like this?
>
>Create a custom SpamAssassin rule?
>Feed it to Bayes a bunch of times as SPAM?
>Use MCP?
>
>Thanks,
>
>Tristan Rhodes

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
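
The quoted question raises a custom SpamAssassin rule as one option. As an added example that is not part of the thread above and not MailScanner or SpamAssassin code, the block below holds two rules written in SpamAssassin local.cf syntax (a header rule on the "Police Investigation" subject and a body rule for links) together with a small evaluator that understands just that header/body/score subset, so the rules can be tried against a message offline before they go into local.cf. The rule names, scores, the two sample messages, and the assumed form of the "obfuscated links" (a URL whose host is a bare decimal or hexadecimal number rather than a hostname or dotted address) are this example's assumptions; the thread does not say how the real links were obfuscated.

```python
import re
from email import message_from_string, policy

# Rules in SpamAssassin local.cf syntax. Names, scores and the assumed form of
# the obfuscated link (a numeric host such as http://3512041000/) are this
# example's assumptions, not something stated in the mailing-list thread.
LOCAL_CF = r"""
header  L_POLICE_SUBJ  Subject =~ /\bpolice investigation\b/i
body    L_NUMERIC_URL  /https?:\/\/(?:0x[0-9a-f]{8}|\d{8,10})(?:[\/:?]|\s|$)/i
score   L_POLICE_SUBJ  1.5
score   L_NUMERIC_URL  2.0
"""

RULE_RE = re.compile(r"^(header|body)\s+(\w+)\s+(.+)$")
SCORE_RE = re.compile(r"^score\s+(\w+)\s+(-?\d+(?:\.\d+)?)$")
HEADER_EXPR_RE = re.compile(r"^([\w-]+)\s+(=~|!~)\s+/(.*)/(\w*)$")
BODY_EXPR_RE = re.compile(r"^/(.*)/(\w*)$")


def _compile(pattern, flags):
    """Translate the Perl regex flags this toy subset supports into re flags."""
    re_flags = 0
    if "i" in flags:
        re_flags |= re.IGNORECASE
    if "s" in flags:
        re_flags |= re.DOTALL
    return re.compile(pattern, re_flags)


def parse_rules(text):
    """Parse header/body/score lines into ({name: (kind, header, negate, regex)}, {name: score})."""
    rules, scores = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SCORE_RE.match(line)
        if m:
            scores[m.group(1)] = float(m.group(2))
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unsupported rule line: %r" % line)
        kind, name, expr = m.groups()
        if kind == "header":
            hm = HEADER_EXPR_RE.match(expr)
            if not hm:
                raise ValueError("bad header expression: %r" % expr)
            hdr, op, pat, flags = hm.groups()
            rules[name] = ("header", hdr, op == "!~", _compile(pat, flags))
        else:
            bm = BODY_EXPR_RE.match(expr)
            if not bm:
                raise ValueError("bad body expression: %r" % expr)
            rules[name] = ("body", None, False, _compile(*bm.groups()))
    return rules, scores


def _text_body(msg):
    """Return the decoded text of the preferred text part, or '' if there is none."""
    part = msg.get_body(preferencelist=("plain", "html"))
    return part.get_content() if part is not None else ""


def scan(raw_message, cf=LOCAL_CF):
    """Apply the rules to one RFC 822 message; return (total score, sorted hit names)."""
    rules, scores = parse_rules(cf)
    msg = message_from_string(raw_message, policy=policy.default)
    body = _text_body(msg)
    hits = []
    for name, (kind, hdr, negate, rx) in rules.items():
        # A missing header is matched as an empty string, as SpamAssassin does.
        target = msg.get(hdr, "") if kind == "header" else body
        matched = rx.search(target) is not None
        if matched != negate:
            hits.append(name)
    # Rules with no explicit score line count 1.0, SpamAssassin's default.
    return sum(scores.get(n, 1.0) for n in hits), sorted(hits)


# Constructed sample messages (not copies of the real lure).
LURE = """\
From: Investigations Unit <notices@example.net>
To: victim@example.com
Subject: Police Investigation
Content-Type: text/plain; charset=us-ascii

You are named in an ongoing investigation. Review the case file at
http://3512041000/case/ before Friday.
"""

BENIGN = """\
From: alice@example.com
To: bob@example.com
Subject: lunch on Friday?
Content-Type: text/plain; charset=us-ascii

The usual place, see http://www.example.org/menu for the menu.
"""

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("benign", BENIGN)):
        score, hits = scan(raw)
        print("%-6s score=%.1f hits=%s" % (label, score, hits))
```

The body rule deliberately matches only hosts written as a single 8 to 10 digit number or an 8-digit hex value after the scheme, so an ordinary hostname or dotted-quad address does not fire it; a subject rule on its own is easy to evade, which is why the two are scored separately rather than one carrying the whole weight.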


