[Fwd: Re: sober.z to hit tomorrow]

• Previous message (by thread): Awful quiet?
• Next message (by thread): [Fwd: Re: sober.z to hit tomorrow]
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Here is some more interesting information. I'm not positive this is 
Sober.Z related but it's walking like and talking like a duck.

First I see the below DNS requests, shortly after I see many SMTP 
packets hitting Hotmail, AOL, Yahoo.com, Yahoo.co.uk, Progegy, etc.... 
Looks like it's... Sending SPAM?!?!
This I didn't expect at all, here is a trace from one of the known 
infected users:

###############################################################
<snip, due to the postmasters request since it looks like SPAM>
###############################################################

Wil Schultz wrote:

> FYI: I've set some traps on our DNS servers, dunno exactally what this 
> means but I thought that I should share:
>
> Jan  5 18:41:09 myServer named[24490]: client X.X.X.X#1192: query: 
> arcor.de IN MX
> Jan  5 18:45:48 myServer named[24490]: client X.X.X.X#1034: query: 
> freenet.de IN MX
>
> These are the only two logs I have at this point. And I don't recall 
> any other Sober searching for an email server.
>
> -Wil
>
> Wil Schultz wrote:
>
>> Wouldn't it be fun if it contained the WMF exploit in some form?
>> So, I'm planning on using swatch to monitor DNS requests for the 
>> known affected domains. What is everyone else planning to do?
>>
>> -Wil
>>
>>
>
>
>

• Previous message (by thread): Awful quiet?
• Next message (by thread): [Fwd: Re: sober.z to hit tomorrow]
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]