
Fwd: Copies Of Policies


3 replies to this topic

#1 WD40.5

WD40.5

  • Members
  • 10 posts
  • OFFLINE
  • Local time:10:43 PM

Posted 12 March 2013 - 02:35 PM

I got this in an email:
 
-------------
Fwd: Copies Of Policies
 
Unfortunately, I cannot obtain electronic copies of the SPII Policy.
 
Here is the Package and Umbrella, and a copy of the most recent schedule.
 
DANI Wells.
-----------
 
It's a link to webpage at a site that appears to have been hacked. The link goes to:
 
(DANGER :: LINK GOES TO MALWARE)
starlinewindows.info/mail-index.htm
 
The starlinewindows link is a redirect to another site:
 
(DANGER :: LINK GOES TO MALWARE)
hxxp://gimihaloook.ru:8080/forum/links/column.php
 
The link above loads a heavily obfuscated javascript. I looked at the script, but I'm not an expert at javascript. I'm curious what it does. It seems to go to a great deal of trouble identifying the browser and OS. What else does it do?

Edited by Orange Blossom, 12 March 2013 - 02:51 PM.
Deactivated link and moved to general AV forum. ~ OB
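Detection logic for the two-hop chain described above (a link on a compromised site that redirects to a landing page on a non-standard port), as an added example that is not part of this thread or anyone's post in it. The proxy log lines, the field layout and the scoring rule are constructed assumptions; only the two host/path pairs come from the post.

```python
import re

# Constructed proxy log sample (not from the thread):
# timestamp client method host[:port] path status referrer
SAMPLE_LOG = """\
2013-03-12T14:20:01 10.0.0.7 GET starlinewindows.info /mail-index.htm 200 -
2013-03-12T14:20:02 10.0.0.7 GET gimihaloook.ru:8080 /forum/links/column.php 200 starlinewindows.info/mail-index.htm
2013-03-12T14:21:10 10.0.0.9 GET example.org /index.html 200 -
2013-03-12T14:21:11 10.0.0.9 GET cdn.example.net /lib.js 200 example.org/index.html
2013-03-12T14:22:00 10.0.0.9 GET intranet.local:8080 /jenkins/ 200 -
"""

# host is non-greedy so an optional ":port" can be split off before the space
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+?)(?::(\d+))? (\S+) (\d{3}) (\S+)$")


def parse(line):
    """Split one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, method, host, port, path, status, ref = m.groups()
    return {"ts": ts, "client": client, "method": method, "host": host,
            "port": int(port) if port else 80, "path": path,
            "status": int(status), "referrer": ref}


def suspicious(rec):
    """Return the list of signals this request triggers (assumed heuristics)."""
    reasons = []
    if rec["port"] not in (80, 443) and rec["path"].endswith(".php"):
        reasons.append("php landing page on non-standard port")
    if rec["referrer"] != "-" and not rec["referrer"].startswith(rec["host"]):
        reasons.append("reached via redirect/referrer from another site")
    return reasons


def find_chains(log_text):
    """Alert only when both signals fire, which keeps ordinary cross-site referrers quiet."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        reasons = suspicious(rec)
        if len(reasons) >= 2:
            alerts.append((rec["client"], rec["host"], rec["path"], reasons))
    return alerts


if __name__ == "__main__":
    for client, host, path, reasons in find_chains(SAMPLE_LOG):
        print(f"{client} -> {host}{path}: {'; '.join(reasons)}")
```

The single-signal lines (the external referrer to cdn.example.net, the port-8080 Jenkins page) are left alone; only the request matching both parts of the poster's chain is reported.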




#2 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:02:43 PM

Posted 12 March 2013 - 09:38 PM

Hello -

Have you opened any link in the questionable email ??

Never open any link that is totally unknown to you, as this is the easiest way to spread infections.

 

Do you currently have problems with your computer, or is this posted for some ? information ??

 

Thank You -

 

If you are / think you are infected please post in the Malware removal or Am I Infected forums -

 

Thank You -



#3 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,698 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:43 AM

Posted 13 March 2013 - 04:18 AM

It's most likely an exploit kit. The most prevalent is the Blackhole exploit kit: https://en.wikipedia.org/wiki/Blackhole_exploit_kit


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#4 WD40.5

WD40.5
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:10:43 PM

Posted 13 March 2013 - 07:30 PM

It's most likely an exploit kit. The most prevalent is the Blackhole exploit kit: https://en.wikipedia.org/wiki/Blackhole_exploit_kit

From what I could gather, it is a black hole exploit. Yes, I did open it, but I did so on an up-to-date Linux system using a user account with little in the way of privileges and no stored passwords to grab.

 

I got a couple more spam emails today with variations of the same exploit. It looks like someone is going the extra mile to get this out in the wild.





