What is this email trying to do?

Linux Security forum, System Security and Security Related category
I receive occasional emails from unknown females (probably script kiddies) whose body (the emails, not the women) is a line of hex numbers or similar. A virus scan in Windows disclosed no risk, but they can't be innocent. Any ideas?

Doug.
On Thu, 13 Mar 2008 00:12:39 +1100, Doug Laidlaw wrote:
> I receive occasional emails from unknown females (probably script kiddies)
> whose body (the emails, not the women) is a line of hex numbers or similar.
> A virus scan in Windows disclosed no risk, but they can't be innocent.

With about 10 new pieces of malware a minute, why would you think a scan is safe?
http://www.darkreading.com/document.asp?doc_id=143424

Not to mention how long your AV software takes to get around to detecting what is being mailed.
http://www.commtouch.com/Site/Resear...t_activity.asp

Guessing obfuscated javascript or url based on all the provided information.
Bit Twister wrote:
> On Thu, 13 Mar 2008 00:12:39 +1100, Doug Laidlaw wrote:
>> I receive occasional emails from unknown females (probably script
>> kiddies) whose body (the emails, not the women) is a line of hex numbers
>> or similar. A virus scan in Windows disclosed no risk, but they can't be
>> innocent.
>
> With about 10 new pieces of malware a minute why would you think a
> scan is safe. http://www.darkreading.com/document.asp?doc_id=143424
> Not to mention how long your AV software takes to get around to
> detecting what is being mailed.
> http://www.commtouch.com/Site/Resear...t_activity.asp
>
> Guessing obfuscated javascript or url based on all the provided
> information.

Naturally, I didn't want to post the signature to the group.

As for the 10 pieces of malware a minute:
(a) this one is now months old;
(b) A friend was unlucky enough to lose his whole system to a virus that got him before Norton had updated to detect it. He blamed Norton and left them over it, saying it was their job to have it in their database. I suggested that more probably, he was just unlucky, although Norton has copped some bad publicity in the past. I run CA, sold in Aus as Vet.

Doug.
On Thu, 13 Mar 2008 02:52:39 +1100, Doug Laidlaw wrote:
>> (a) this one is now months old;

Not really germane to the problem. Saw an article more than a year ago where a couple were selling a rootkit which went undetected for a year. AV vendors have to catch a copy of malware before they can put it into the database. Black Hats have databases of AV site IPs. When those sites hit a malware distribution site, the site does not serve up any malware. They were also re-obfuscating malware on each delivery, making it much less detectable by AV software.
Doug Laidlaw <doug@dougshost.invalid> writes:
>Bit Twister wrote:
>> On Thu, 13 Mar 2008 00:12:39 +1100, Doug Laidlaw wrote:
>>> I receive occasional emails from unknown females (probably script
>>> kiddies) whose body (the emails, not the women) is a line of hex numbers
>>> or similar. A virus scan in Windows disclosed no risk, but they can't be
>>> innocent.
>>
>> With about 10 new pieces of malware a minute why would you think a
>> scan is safe. http://www.darkreading.com/document.asp?doc_id=143424
>> Not to mention how long your AV software takes to get around to
>> detecting what is being mailed.
>> http://www.commtouch.com/Site/Resear...t_activity.asp
>>
>> Guessing obfuscated javascript or url based on all the provided
>> information.
>Naturally, I didn't want to post the signature to the group.
>As for the 10 pieces of malware a minute:
>(a) this one is now months old;
>(b) A friend was unlucky enough to lose his whole system to a virus that got
>him before Norton had updated to detect it. He blamed Norton and left them
>over it, saying it was their job to have it in their database. I suggested
>that more probably, he was just unlucky, although Norton has copped some
>bad publicity in the past. I run CA, sold in Aus as Vet.

Why he would blame Norton rather than Microsoft has always bewildered me. The wheels fall off of your car regularly because the carmaker uses bad steel, and you blame the road builders for not filling in the holes fast enough.
In comp.os.linux.security Unruh <unruh-spam@physics.ubc.ca>:
>>> On Thu, 13 Mar 2008 00:12:39 +1100, Doug Laidlaw wrote:
[..]
>> (b) A friend was unlucky enough to lose his whole system to a virus that got
>> him before Norton had updated to detect it. He blamed Norton and left them
>> over it, saying it was their job to have it in their database. I suggested
[..]
> Why he would blame Norton rather than Microsoft has always bewildered me.
> The wheels fall off of your car regularly because the carmaker uses bad
> steel, and you blame the road builders for not filling in the holes fast
> enough.

LOL... The question remains what has this to do with Linux?

--
Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
#bofh excuse 382: Someone was smoking in the computer room and set off the halon systems.
Michael Heiming wrote:
> In comp.os.linux.security Unruh <unruh-spam@physics.ubc.ca>:
>>>> On Thu, 13 Mar 2008 00:12:39 +1100, Doug Laidlaw wrote:
> [..]
>>> (b) A friend was unlucky enough to lose his whole system to a virus that got
>>> him before Norton had updated to detect it. He blamed Norton and left them
>>> over it, saying it was their job to have it in their database. I suggested
> [..]
>> Why he would blame Norton rather than Microsoft has always bewildered me.
>> The wheels fall off of your car regularly because the carmaker uses bad
>> steel, and you blame the road builders for not filling in the holes fast
>> enough.
>
> LOL... The question remains what has this to do with Linux?

One of the recipients of the email has an aunt who bumped into a man whose son once smelled the shoe of a person who used Linux.

(I thought that was obvious)
Chris Cox wrote:
> Michael Heiming wrote:
>> In comp.os.linux.security Unruh <unruh-spam@physics.ubc.ca>:
>>>>> On Thu, 13 Mar 2008 00:12:39 +1100, Doug Laidlaw wrote:
>> [..]
>>>> (b) A friend was unlucky enough to lose his whole system to a virus
>>>> that got him before Norton had updated to detect it. He blamed Norton
>>>> and left them over it, saying it was their job to have it in their
>>>> database. I suggested
>> [..]
>>> Why he would blame Norton rather than Microsoft has always bewildered
>>> me. The wheels fall off of your car regularly because the carmaker uses
>>> bad steel, and you blame the road builders for not filling in the holes
>>> fast enough.
>>
>> LOL... The question remains what has this to do with Linux?
>
> One of the recipients of the email has an aunt who bumped into
> a man whose son once smelled the shoe of a person who used Linux.
>
> (I thought that was obvious)

No, that was a "by the way." It was a reply to the "we can never be up to date, so why bother anyway?" It is a by-product of my being old and garrulous.

Just got the same thing again. 3x `&#119;`, which could be www. but 119 doesn't appear in the ASCII table at all, and the next ones are `&#46;&#108;` "&" + another nonexistent one. The complete line runs off the page. No wonder I couldn't put them in a Web page and get any sense out of them.

Doug.
On Mon, 17 Mar 2008, in the Usenet newsgroup comp.os.linux.security, in article <ni62b5-npa.ln1@dougshost.douglaidlaw.net>, Doug Laidlaw wrote:

> Just got the same thing again. 3x `&#119;`, which could be www. but
> 119 doesn't appear in the ASCII table at all, and the next ones are
> `&#46;&#108;` "&" + another nonexistent one. The complete line runs
> off the page. No wonder I couldn't put them in a Web page and get
> any sense out of them.

Have you tried using 'decimal' rather than octal or hex?

```
&#119; -> w
&#46;  -> .
&#108; -> l
```

That's an old spammer's trick for obfuscation of addresses and URLs. The leading '&#' tells some browsers that this character is shown in decimal. I'm not sure, but I think it's merely using an 8 bit (or multi-byte) character set instead of ASCII. I think it's a feature of the browsers most idiots use to read their mail. If you look at the man pages for the other character sets

```
[compton ~]$ whatis ascii iso_8859_1 Unicode
ascii (7)             - the ASCII character set encoded in octal, decimal, and hexadecimal
iso_8859_1 (7)        - the ISO 8859-1 character set encoded in octal, decimal, and hexadecimal
Unicode [unicode] (7) - the unified 16-bit super character set
[compton ~]$
```

the lower 127 characters of the various 8859 and Unicode character sets (as well as one or more of the windoze sets) are a direct copy of ASCII.

Old guy
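A decoder for the numeric character references this reply describes, as an added example that is not part of the original thread: it handles the decimal form from the mail (`&#119;`), the hex form, and the missing-semicolon variant lenient mail readers tolerate, then surfaces any URL the references were hiding. The sample body and the `example.com` host are constructed.

```python
import re

# Decimal (&#119;) and hexadecimal (&#x77;) numeric character references.
# The ';' is optional: lenient mail readers accept its absence, and the
# obfuscation described in the thread relies on exactly that leniency.
_NUMREF = re.compile(r"&#([xX][0-9A-Fa-f]{1,6}|[0-9]{1,7});?")

# URL-looking tokens; good enough to surface what the references hide.
_URL = re.compile(r"(?:https?://|www\.)[^\s\"'<>]+", re.IGNORECASE)


def decode_numeric_refs(text: str) -> str:
    """Replace each numeric reference with the character it names.

    References that name no character (code point 0 or above U+10FFFF)
    are left untouched so the raw body stays inspectable.  The standard
    library's html.unescape() does a superset of this; the hand-rolled
    version keeps every step of the trick visible.
    """
    def repl(m):
        body = m.group(1)
        cp = int(body[1:], 16) if body[0] in "xX" else int(body, 10)
        if cp == 0 or cp > 0x10FFFF:
            return m.group(0)
        return chr(cp)
    return _NUMREF.sub(repl, text)


def hidden_urls(text: str) -> list[str]:
    """URLs that only appear once the references are decoded."""
    return _URL.findall(decode_numeric_refs(text))


def obfuscation_ratio(text: str) -> float:
    """Share of the decoded body that came from numeric references.

    A body that is almost entirely references, like the one in the thread,
    is a cheap filter signal before any URL is resolved.
    """
    decoded_len = len(decode_numeric_refs(text))
    return len(_NUMREF.findall(text)) / decoded_len if decoded_len else 0.0


# Constructed sample: "www.example.com/login see photos" hidden in decimal refs.
SAMPLE_BODY = (
    "&#119;&#119;&#119;&#46;&#101;&#120;&#97;&#109;&#112;&#108;&#101;"
    "&#46;&#99;&#111;&#109;&#47;&#108;&#111;&#103;&#105;&#110; see photos"
)

if __name__ == "__main__":
    print(decode_numeric_refs(SAMPLE_BODY))
    print(hidden_urls(SAMPLE_BODY), round(obfuscation_ratio(SAMPLE_BODY), 2))
```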