Katrina Malware
It didn't take long. This morning, we received an email which is promising
news about the Hurricane. However, the site it links to appears to provide
malware in addition to a brief news article.
The text of the email (the original is in HTML):
Subject: Re: u1 Katrina killed as many as 80 people.
Just before daybreak Tuesday, Katrina, now a tropical storm, was 35 miles northeast of Tupelo, Miss., moving north-northeast with winds of 50 mph.
Forecasters at the National Hurricane Center said the amount of rainfall has been adjusted downward Monday.
Mississippi Gov. Haley Barbour said Tuesday that Hurricane Katrina killed as many as 80 people in his state and burst levees in Louisiana flooded New Orleans.
Read More..
'Read More..' links to nextermest.com [DO NOT VISIT! MALWARE!]. We are currently analyzing this page. It uses obfuscated javascript to download what looks like a .hta exploit.
Katrina Donation Scams
A couple of the domains we discovered yesterday removed the paypal button.
Again, please let us know if you find any suspect domains. There are now about
230 .com domains that contain the strings 'katrina' and 'hurrican'.
We could use your help checking out domains we found that 'sound suspect'. These
have been filtered from the .com zone file using keywords like 'katrina'. Lots of innocent domains, so don't use it as a block list just yet. We are trying to
annotate this list as needed. NOTE: If you send us an annotation to add, we will add an e-mail address of yours to 'sign' the comment. The email address will be obfuscated. Unsigned comments come from our ISC handler team.
http://isc.sans.org/katrina.com.txt
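For readers who want to reproduce the keyword sweep of the .com zone file described above, here is a small filter with the annotation step attached. This is an added example, not the ISC handlers' own script: the zone lines, the keyword list beyond 'katrina' and 'hurrican', the annotation dictionary and the e-mail addresses are all constructed for illustration. As the text warns, the output is a triage list full of innocent domains, not a block list.

```python
"""Filter a DNS zone-file extract for owner names containing keywords and
attach signed/unsigned annotations, mirroring the 'katrina' / 'hurrican'
sweep described on this page. Example code added here; not ISC tooling.
All zone lines, annotations and addresses below are constructed samples."""

# Constructed sample of .com zone file NS records (not real registrations).
SAMPLE_ZONE = """\
; constructed sample, not the real .com zone
KATRINADONATIONS.COM.\t172800\tIN\tNS\tNS1.EXAMPLE-HOST.COM.
KATRINADONATIONS.COM.\t172800\tIN\tNS\tNS2.EXAMPLE-HOST.COM.
hurricanerelieffund.com.\t172800\tIN\tNS\tns1.example-host.com.
weather-news.com.\t172800\tIN\tNS\tns1.example-host.com.
helpforkatrinavictims.com.\t172800\tIN\tNS\tns1.example-host.com.
"""

# Keywords named on the page; 'hurrican' also catches 'hurricane(s)'.
KEYWORDS = ("katrina", "hurrican")


def filter_zone(zone_text, keywords=KEYWORDS):
    """Return sorted, de-duplicated owner names (lower-case, trailing dot
    removed) whose name contains any keyword. Comment (';') and blank
    lines are skipped; only the first field of each record is examined,
    so name-server hostnames in the RDATA never produce a hit."""
    hits = set()
    for line in zone_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        owner = line.split()[0].rstrip(".").lower()
        if any(k in owner for k in keywords):
            hits.add(owner)
    return sorted(hits)


def obfuscate_email(addr):
    """Mask a signer's address before publication: keep the first character
    of the local part and the domain, e.g. 'handler@example.org' -> 'h***@example.org'."""
    local, _, domain = addr.partition("@")
    return f"{local[:1]}***@{domain}"


def annotate(domains, annotations):
    """Produce one output line per domain. `annotations` maps a domain to
    (comment, signer_email_or_None); signed comments carry the obfuscated
    address, unsigned ones are attributed to the ISC handler team, and
    domains without an annotation are listed bare."""
    out = []
    for d in domains:
        comment, signer = annotations.get(d, ("", None))
        if not comment:
            out.append(d)
            continue
        sig = obfuscate_email(signer) if signer else "ISC handler"
        out.append(f"{d}\t{comment}\t[{sig}]")
    return out


if __name__ == "__main__":
    # Constructed annotations for the demonstration run.
    notes = {
        "katrinadonations.com": ("paypal button removed since yesterday", "reader@example.net"),
        "hurricanerelieffund.com": ("registered this week, no content yet", None),
    }
    for line in annotate(filter_zone(SAMPLE_ZONE), notes):
        print(line)
```

Substring matching is deliberate: registrants vary spelling and add prefixes, so a loose match followed by human annotation catches more than an exact-word filter, at the cost of the false positives the page already cautions about.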
Susan Bradley had this nice remark about "cyber looting" on the patch management list:
"to the folks behind this one....sick guys....really sick... you know
how much small businesses are going to need geek/IT help in the coming
months and all you guys can do is to code up stuff like this? How about
donating to the red cross? How about volunteering to help a small
business owner displaced by Katrina reset up MX records, A records? How
about doing something useful instead of this stuff? Okay rant box off"
Dameware Exploit
We do see pretty strong scanning for the recent Dameware exploit.
The Dameware.com site is located in New Orleans and not reachable since the storm. However, you can download the latest version from the UK site:
http://www.dameware.co.uk/thankyoudownload.asp?group=Downloads
(thanks David for the UK URL).