luddite
join:2001-09-09
Allen, TX
| reply to Martinus
Re: Warning regarding fake malware patch 'patch_4723.zip '
said by Martinus  :said by Blackbird : Purely from the code perspective, yes. But these guys still can't get seem to get their spelling/grammar right: "adress", "becouse", "We recommend you to install...", "We had archived the patch...". English is not my native language but I've seen sentences in these forums - heck. nearly in most forums - by native English speakers with more grammatical or syntactical flaws than the ones you mention. I don't think grammar can be used as a malware giveaway in this context. For the illustrated, probably. For the rest, I doubt it. On the flip side I think that bad spelling/grammar is only a tip-off to those who are pretty fluent and proficient with the English language to begin with (which is probably a very small percent of the total users on the internet).
My in-laws don't speak English as their primary language and I would be willing to bet that they would be easily fooled by the supposed 'officialness' of such an email as this. I've had to reformat one PC in their household on two separate occasions so far... No idea how it got infected exactly (I suspect pr0n sites) but I wouldn't be surprised to find out they fell for some such email attack such as this.
I guess what I'm trying to say is that there are many, many, many people out there on the internet for which English is not their primary language and this email will not be viewed as an obvious 'scam' simply due to poor grammar. |
|
antiphishing
Phishing Scam Terminator
Premium
join:2004-06-09
Wilkes Barre, PA
1 edit | reply to Jameson
said by Jameson :Got one as well this morning. The one i got was called removal-8736.zip Did the email header contain the information "User-Agent: Thunderbird 1.5.0.9 (Windows/20061207)" and was it from a Yahoo email account?
X-Apparently-To: html_edit@yahoo.com via 68.142.198.159; Thu, 12 Apr 2007 11:27:33 -0700
X-YahooFilteredBulk: 162.39.116.180
X-Originating-IP: [162.39.116.180]
Return-Path:
Authentication-Results: mta434.mail.mud.yahoo.com from=med.va.gov; domainkeys=neutral (no sig)
Received: from 162.39.116.180 (HELO h180.116.39.162.ip.alltel.net) (162.39.116.180) by mta434.mail.mud.yahoo.com with SMTP; Thu, 12 Apr 2007 11:27:32 -0700
Received: from vqyhx ([26.84.210.33]) by h180.116.39.162.ip.alltel.net (8.13.4/8.13.4) with SMTP id l3CIm64j074509; Thu, 12 Apr 2007 14:48:06 -0400
Message-ID:
Date: Thu, 12 Apr 2007 14:44:50 -0400
From: "Customer Support Center"
User-Agent: Thunderbird 1.5.0.9 (Windows/20061207)
MIME-Version: 1.0
To: html_edit@yahoo.com
Subject: Virus Detected!
Content-Type: multipart/mixed; boundary="------------040808030703010202050005"
Content-Length: 60246
--
Specializing in "takes downs" of phishing and advance fee scams
Send your Phishing/Advance fee scams to: phish@antihotmail.com
»/profile/1021645
|
|
Jameson
10-8
Premium
join:2004-05-28
Fallbrook, CA
clubs: 
 ·HughesNet Satellit..
 ·Time Warner Cable
3 edits | reply to antiphishing
Yup:
User-Agent:
Thunderbird 1.5.0.9 (Windows/20061207)
EDIT:
However it was From:
ohhsj @ icqmail.com
X-Originating-IP:
[216.141.228.112]
Authentication-Results:
mta121.sbc.mail.mud.yahoo.com from=icqmail.com; domainkeys=neutral (no sig)
Received:
from 207.115.36.76 (EHLO nlpi047.sbcis.sbc.com) (207.115.36.76) by mta121.sbc.mail.mud.yahoo.com with SMTP; Thu, 12 Apr 2007 23:07:56 -0700
X-Header-NoReverseIP:
IP.name.lookup.failed[216.141.228.112]
X-Originating-IP:
[216.141.228.112] |
|
kpatz
MY HEAD A SPLODE
Premium
join:2003-06-13
Manchester, NH | The "Thunderbird" user-agent header seems to be consistent across this entire spam run. It's probably hard-coded. |
|
antiphishing
Phishing Scam Terminator
Premium
join:2004-06-09
Wilkes Barre, PA
| reply to Jameson
said by Jameson :Yup: User-Agent: Thunderbird 1.5.0.9 (Windows/20061207) EDIT: However it was From: Customer Support One of the patterns that I have been noticing is that Yahoo email accounts are one of the targets. Every email contains the header line "Thunderbird 1.5.0.9 (Windows/20061207)" being sent through zombie machines in Europe and the United States.
--
Specializing in "takes downs" of phishing and advance fee scams
Send your Phishing/Advance fee scams to: phish@antihotmail.com
»/profile/1021645
|
|
BosstonesOwn
join:2002-12-15
Everett, MA
clubs: | reply to antiphishing
Times like these I thank god for Solaris 10  |
|
antiphishing
Phishing Scam Terminator
Premium
join:2004-06-09
Wilkes Barre, PA
| said by BosstonesOwn :Times like these I thank god for Solaris 10 If I had a choice to move to another operating system, it would be Linux Fedora Red Hat 7. 
I mean it's not that I don't like Microsoft Vista , but the new security exploits are are starting to get a little old now.
--
Specializing in "takes downs" of phishing and advance fee scams
Send your Phishing/Advance fee scams to: phish@antihotmail.com
»/profile/1021645
|
|
pcdebb
RIP dadkins
Premium
join:2000-12-03
Tampa, FL
clubs: | reply to antiphishing
::sigh:: i already got two people that already installed the "update" and wondered what it was AFTERWARDS  |
|
antiphishing
Phishing Scam Terminator
Premium
join:2004-06-09
Wilkes Barre, PA
| said by pcdebb :::sigh:: i already got two people that already installed the "update" and wondered what it was AFTERWARDS Once again  ,the combination of naive internet plus social engineering, does equal the slow destruction of the internet.
We all pay for it , in the end. You have to look at the big picture of the whole thing. It's such a sad state when you can allow someone to use the internet, and they don't have
a clue on what is involved with internet security.
--
Specializing in "takes downs" of phishing and advance fee scams
Send your Phishing/Advance fee scams to: phish@antihotmail.com
»/profile/1021645
|
|
Blackbird
Built for Speed
Premium
join:2005-01-14
Fort Wayne, IN
 ·Verizon Online DSL
| reply to Martinus
said by Martinus :English is not my native language but I've seen sentences in these forums - heck. nearly in most forums - by native English speakers with more grammatical or syntactical flaws than the ones you mention. I don't think grammar can be used as a malware giveaway in this context. For the illustrated, probably. For the rest, I doubt it. Perhaps I didn't express myself well. I was referring to the fact that phishes, fake patches, and the like all purport to be from established, reputable organizations. But my experience has been that "official" notification messages sent out by legitimate groups have almost always been vetted for basic spelling or grammar... either by spell/grammar checkers or by an educated author. That doesn't mean an error might not pop up in a legitimate message, but it does mean that a collection of obvious errors in a message almost certainly guarantees it's not any kind of official notice being broadcast by a legitimate organization. As a result, whenever I encounter an error-filled, purportedly "official" message, I generally look no further and simply hit the delete button.
Obviously, those with less English-language experience will not be able to do that... but that's why nobody should be opening executables or naively trusting URL links contained in any unsolicited eMail, regardless of language or where they live. And in any case, if the language looks OK, I still practice safe-hex in not opening attachments or assuming links are valid without first cross-checking 100% with the real purported sender by direct, person-to-person or other secure, independent means.
Verify, verify, verify.
--
If God wanted us to work with electrons, He'd make them big enough to see... |
|
Rickez
Goinginsane
join:2000-09-02
Three Rivers, MA | reply to BosstonesOwn
Times like this I thank god for common sense. |
|
BosstonesOwn
join:2002-12-15
Everett, MA
clubs:
·Comcast
| Yeah for us. What about the normal people.
My email box is full of these because we support windows servers now too. And most of the windows shops are getting hammered with this.
--
"It's always funny until someone gets hurt......and then it's absolutely friggin' hysterical!" |
|
quatrix
Premium
join:2005-02-11
Davie, FL
| reply to Martinus
said by Martinus :Probably a good idea not to ditch your AV just because you are an eagle to spot grammatical flaws right away. Eagle? If you read the message, even the first sentence sounds obviously wrong. |
|
Martinus
Premium
join:2001-08-06
EU
| said by quatrix :said by Martinus :Probably a good idea not to ditch your AV just because you are an eagle to spot grammatical flaws right away. Eagle? If you read the message, even the first sentence sounds obviously wrong. Yeah, to you. But probably not to everybody.
I've seen more atrocities committed against the English language in this forum than I though was possible.
People writing "their" when they mean "there", "here, here Microsoft" when they, obviously meant "hear, hear Microsoft", and so on. So yes, a grammar check will quickly give a clue to some but don't expect that'll help everybody.
--
Si naciste pa' martillo del cielo te caen los clavos |
|
59126125
Premium
join:2006-01-21
clubs:
1 edit | reply to antiphishing
Isn't it a little strange that this is occurring close to the deadline for filing taxes? Or is it just coincidence? »news.yahoo.com/s/ap/20070414/ap_···JAJvzwcF
--
There is a reason the wires are twisted together, it's called a pair. It defeats the whole purpose of twisted pair cabling by using the solid orange and solid green to wire the jack. |
|
antiphishing
Phishing Scam Terminator
Premium
join:2004-06-09
Wilkes Barre, PA
| Are you referring that internet users will use infected computers, not knowing that their tax information will end up in the hands of cybercriminals through the use of a root kit or key logger
Interesting theory.
--
Specializing in "takes downs" of phishing and advance fee scams
Send your Phishing/Advance fee scams to: phish@antihotmail.com
»/profile/1021645
|
|
59126125
Premium
join:2006-01-21
clubs:
1 edit | Sure the idea is on the paranoid side, but if someone wanted to harvest as much personal info as possible in the shortest amount of time, wouldn't tax time be the prime opportunity? What if someone created a root kit or whatever that targeted tax prep programs like TurboTax, etc.?
--
There is a reason the wires are twisted together, it's called a pair. It defeats the whole purpose of twisted pair cabling by using the solid orange and solid green to wire the jack. |
|
mysec
Premium
join:2005-11-29
| reply to antiphishing
Forecast - Massive Storms clouded by Rootkits
The above subject title from
»www.antirootkit.com/blog/
"The Rootkit component is wincom32.sys"
I permitted the patch file to extract, then re-enabled security to watch it run:
________________________________________________________________
The loading of the rootkit component, driver wincom32.sys (an executable) is blocked. Then I permitted wincom32.sys to install, and it immediately attempted an outbound connection:
_________________________________________________________
A search doesn't reveal the wincom32.sys file.
_________________________________________________________
Also, none of the Registry entries mentioned in the analysis show up.
A final quote from the analysis:
quote:
The latest Storm run was seen on the radar about 6 PM GMT on Thursday and within 24 hours over 55 million emails were sent out by the Worm according to Postini, an email security company. This is over 60 times the normal rate for a “normal” 24 hour period.
The fact that this Storm run is so massive just goes to show that PC users all over the world are opening up encrypted zipped attachments from strangers and running the code.
regards,
-rich
______________________________________________
"Talking About Security Can Lead To Anxiety, Panic, And Dread...
Or Cool Assessments, Common Sense And Practical Planning..."
--Bruce Schneier |
|
SpannerITWks
Premium
join:2005-04-22
| That link goes to - hxxp://64.28.178.4/index.php - and is associated with -
hxxp://free-orgy-movies.com
( This domain name parked on Estparking.com. To buy this domain click here. )
I was on an exact replica of that www - hxxp://moviefresher.com - in the last 1/2 hour, as i found it linked to a Zlob www i was DL'ing from.
Spanner
--
I Only Know What I Know, But I'm Learning all The Time - Stay Safe - Spanner intheWorks
/SpannerITWks |
|
antiphishing
Phishing Scam Terminator
Premium
join:2004-06-09
Wilkes Barre, PA
| reply to 59126125
Re: Warning regarding fake malware patch 'patch_4723.zip '
said by 59126125 :Sure the idea is on the paranoid side, but if someone wanted to harvest as much personal info as possible in the shortest amount of time, wouldn't tax time be the prime opportunity? What if someone created a root kit or whatever that targeted tax prep programs like TurboTax, etc.? That was exactly the point that I was trying to get at. Who's to say that you couldn't use a software program like TurboTax and have a key logger installed on the same computer.
--
Specializing in "takes downs" of phishing and advance fee scams
Send your Phishing/Advance fee scams to: phish@antihotmail.com
»/profile/1021645
|
|
