sober.z to hit tomorrow

• Previous message (by thread): sober.z to hit tomorrow
• Next message (by thread): WMF Microsoft Patch is out
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Here is some more interesting information. I'm not positive this is 
Sober.Z related but it's walking like and talking like a duck.

First I see the below DNS requests, shortly after I see many SMTP 
packets hitting Hotmail, AOL, Yahoo.com, Yahoo.co.uk, Progegy, etc.... 
Looks like it's... Sending SPAM?!?!
This I didn't expect at all, here is a trace from one of the known 
infected users:

########################################################
220 mta272.mail.mud.yahoo.com ESMTP YSmtp service ready
HELO mx1.mail.yahoo.com
250 mta272.mail.mud.yahoo.com
MAIL FROM: <wrkdtdnqskz at hotmail.com>
250 sender <wrkdtdnqskz at hotmail.com> ok
RCPT TO: <klay900 at yahoo.com>
250 recipient <klay900 at yahoo.com> ok
data
354 go ahead
From: "oesh" <wrkdtdnqskz at hotmail.com>
To: klay900 at yahoo.com
Content-type: text/html
Subject: You are tempter-lover, for sure! Soft Cialis.


Order <acy></acy>all your prescription medication online<BR>
Have a holiday in your <acm></acm>life with Viagra Pro<BR>
<A 
href="http://ikbghlmj.milliontime.info/?acdefjxwnsoyikzcvbghlm">http://achibejkf.victoriaroadmaps.info/?dglmfxwnsoyachizcvbejk</A><BR>
Your <acj></acj>wife <acl></acl>will be charmed by your stamina and 
enduranceGenerik Viagra.<BR>
Your wife will be amazed by you. Generik Viagra.<BR>
Cheapest Viagra <acx></acx>Pro online<BR>

.
250 ok dirdel
quit
221 mta272.mail.mud.yahoo.com
########################################################

Wil Schultz wrote:

> FYI: I've set some traps on our DNS servers, dunno exactally what this 
> means but I thought that I should share:
>
> Jan  5 18:41:09 myServer named[24490]: client X.X.X.X#1192: query: 
> arcor.de IN MX
> Jan  5 18:45:48 myServer named[24490]: client X.X.X.X#1034: query: 
> freenet.de IN MX
>
> These are the only two logs I have at this point. And I don't recall 
> any other Sober searching for an email server.
>
> -Wil
>
> Wil Schultz wrote:
>
>> Wouldn't it be fun if it contained the WMF exploit in some form?
>> So, I'm planning on using swatch to monitor DNS requests for the 
>> known affected domains. What is everyone else planning to do?
>>
>> -Wil
>>
>>
>
>
>

• Previous message (by thread): sober.z to hit tomorrow
• Next message (by thread): WMF Microsoft Patch is out
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]