sober.z to hit tomorrow
Wil Schultz
wschultz at wilcomm.net
Fri Jan 6 07:22:20 UTC 2006
Here is some more interesting information. I'm not positive this is
Sober.Z related but it's walking like and talking like a duck.
First I see the below DNS requests, shortly after I see many SMTP
packets hitting Hotmail, AOL, Yahoo.com, Yahoo.co.uk, Prodigy, etc.
Looks like it's... Sending SPAM?!?!
This I didn't expect at all, here is a trace from one of the known
infected users:
########################################################
220 mta272.mail.mud.yahoo.com ESMTP YSmtp service ready
HELO mx1.mail.yahoo.com
250 mta272.mail.mud.yahoo.com
MAIL FROM: <wrkdtdnqskz at hotmail.com>
250 sender <wrkdtdnqskz at hotmail.com> ok
RCPT TO: <klay900 at yahoo.com>
250 recipient <klay900 at yahoo.com> ok
data
354 go ahead
From: "oesh" <wrkdtdnqskz at hotmail.com>
To: klay900 at yahoo.com
Content-type: text/html
Subject: You are tempter-lover, for sure! Soft Cialis.
Order <acy></acy>all your prescription medication online<BR>
Have a holiday in your <acm></acm>life with Viagra Pro<BR>
<A
href="http://ikbghlmj.milliontime.info/?acdefjxwnsoyikzcvbghlm">http://achibejkf.victoriaroadmaps.info/?dglmfxwnsoyachizcvbejk</A><BR>
Your <acj></acj>wife <acl></acl>will be charmed by your stamina and
enduranceGenerik Viagra.<BR>
Your wife will be amazed by you. Generik Viagra.<BR>
Cheapest Viagra <acx></acx>Pro online<BR>
.
250 ok dirdel
quit
221 mta272.mail.mud.yahoo.com
########################################################
Wil Schultz wrote:
> FYI: I've set some traps on our DNS servers, dunno exactly what this
> means but I thought that I should share:
>
> Jan 5 18:41:09 myServer named[24490]: client X.X.X.X#1192: query:
> arcor.de IN MX
> Jan 5 18:45:48 myServer named[24490]: client X.X.X.X#1034: query:
> freenet.de IN MX
>
> These are the only two logs I have at this point. And I don't recall
> any other Sober searching for an email server.
>
> -Wil
>
> Wil Schultz wrote:
>
>> Wouldn't it be fun if it contained the WMF exploit in some form?
>> So, I'm planning on using swatch to monitor DNS requests for the
>> known affected domains. What is everyone else planning to do?
>>
>> -Wil
>>
>>
>
>
>
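The swatch-style DNS trap described in the thread, as an added example that is not part of the post: it parses BIND 9 query-log lines in the shape shown above (assumed format), and flags clients that look up MX records for the watched domains or for several distinct domains, which ordinary workstations never do but a mass-mailer must. The watched domains are the two from the log above; the sample log lines and the 192.0.2.0/24 addresses are constructed.

```python
import re
from collections import defaultdict

# BIND 9 query-log line in the shape shown in the post (assumed format):
#   Jan  5 18:41:09 myServer named[24490]: client 192.0.2.10#1192: query: arcor.de IN MX
LOG_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ named\[\d+\]: "
    r"client (?P<ip>[0-9.]+)#\d+: query: (?P<name>\S+) IN (?P<rtype>\w+)"
)

# Domains the thread reports the worm resolving MX for; extend from a vendor advisory.
WATCHED_DOMAINS = {"arcor.de", "freenet.de"}


def parse_query(line):
    """Return (client_ip, qname, qtype) for a query-log line, or None if it doesn't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("name").lower().rstrip("."), m.group("rtype").upper()


def suspicious_clients(lines, watched=WATCHED_DOMAINS, mail_servers=frozenset(), min_distinct=3):
    """Map client IP -> sorted domains it queried MX for, for clients that look like mass-mailers.

    Flag a client when it queries MX for a watched domain or for at least
    min_distinct different domains. Hosts in mail_servers (your real MTAs,
    which legitimately do MX lookups) are ignored.
    """
    mx_by_client = defaultdict(set)
    for line in lines:
        rec = parse_query(line)
        if rec is None:
            continue
        ip, qname, qtype = rec
        if qtype != "MX" or ip in mail_servers:
            continue
        mx_by_client[ip].add(qname)
    return {ip: sorted(names) for ip, names in mx_by_client.items()
            if names & watched or len(names) >= min_distinct}


# Constructed sample log (not from the post); 192.0.2.0/24 is a documentation range.
SAMPLE_LOG = """\
Jan  5 18:41:09 myServer named[24490]: client 192.0.2.10#1192: query: arcor.de IN MX
Jan  5 18:41:10 myServer named[24490]: client 192.0.2.11#1034: query: www.example.com IN A
Jan  5 18:45:48 myServer named[24490]: client 192.0.2.12#1034: query: hotmail.com IN MX
Jan  5 18:45:49 myServer named[24490]: client 192.0.2.12#1035: query: aol.com IN MX
Jan  5 18:45:50 myServer named[24490]: client 192.0.2.12#1036: query: yahoo.co.uk IN MX
Jan  5 18:46:00 myServer named[24490]: client 192.0.2.25#53: query: yahoo.com IN MX
Jan  5 18:46:01 myServer named[24490]: client 192.0.2.25#53: query: aol.com IN MX
Jan  5 18:46:02 myServer named[24490]: client 192.0.2.25#53: query: gmx.de IN MX
""".splitlines()

if __name__ == "__main__":
    for ip, domains in suspicious_clients(SAMPLE_LOG, mail_servers={"192.0.2.25"}).items():
        print(f"{ip}: MX lookups for {', '.join(domains)}")
```

Pipe `tail -f` of the query log into this in place of SAMPLE_LOG, and put your own MX hosts in mail_servers so they are not reported.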