Delete spam messages no matter how enticing they are

The machines we love to hate

Moderator: Wiz Feinberg

Wiz Feinberg
Posts: 6117
Joined: 8 Jan 1999 1:01 am
Location: Mid-Michigan, USA
State/Province: Michigan
Country: United States

Delete spam messages no matter how enticing they are

Post by Wiz Feinberg »

Heads up again: the Russian Business Network is still active and has released a new wave of Storm Worm linked emails, as has the Russian Grisbi Botnet. Both are using current or imaginary but believable headlines in the subjects to entice people into clicking on the links in the body.

No matter how enticing the headline in the subject may be, the payload ain't worth it. If you get an email with a fantastic subject line, delete it. You'll probably save yourself a visit to the computer clinic!

These botnets are ramping up activity in a recruitment drive for involuntary new members.
"Wiz" Feinberg, Moderator SGF Computers Forum
Security Consultant
Twitter: @Wizcrafts
Main web pages: Wiztunes Steel Guitar website | Wiz's Security Blog | My Webmaster Services
Jeff Garden
Posts: 3655
Joined: 21 Aug 2003 12:01 am
Location: Center Sandwich, New Hampshire, USA
State/Province: New Hampshire
Country: United States

Post by Jeff Garden »

Hey Wiz, can you trash your computer simply by opening up one of these e-mails or would you have to click on one of the links in the e-mail to do damage? I've always wondered about that since occasionally I'm not sure by the title if something is spam or not. Thanks as always for your help.

Post by Wiz Feinberg »

Jeff Garden wrote:
> Hey Wiz, can you trash your computer simply by opening up one of these e-mails or would you have to click on one of the links in the e-mail to do damage?

There have been scripts embedded in malicious emails that will infect an unpatched PC when they are previewed or opened. Most recently a script was embedded in a hidden iframe in spam messages sent to Mexico. That script contained codes that exploited 2wire brand DSL modem/router combos that didn't have a personal administrator password set. The exploit was silent and invisible to the users. However, if they did online banking at the major bank in Mexico their request was redirected by the pwned router to a look-alike site that stole their login credentials, then their money.

The same attack that was successful in Mexico can be used against users anywhere who have not secured their routers, especially 2wire branded models. I have authored three articles about the 2wire modem exploits on my blog, in the Vulnerabilities section. It makes an excellent read for those who think that an unsecured broadband router is safe to use, off the beaten path.

In addition to the modem and router exploit codes there are other nasty items that are often linked to in hidden iframes and false image requests. Sometimes criminals will hire a spam botnet to send out messages containing hostile embedded codes and scripts, as opposed to iframe links. Should you preview or open such a message, you had better have a fully patched computer with an up-to-date anti-virus program that has an email scanner module.

Finally, to answer the last part of your question, 99.9999% of all spam messages contain links. Most go to spamvertised websites, but a lot of them lead to Storm or Zlob Trojan destinations. There is a huge spike in activity right now in the Storm botnet that is using all kinds of trick headlines in the subject and body. The links all end up on websites hosting the Storm Trojan. The links to the Zlob Trojan have never subsided in the last several months. The Zlob is characterized by a pop-up or on-page notice that you require an ActiveX Object to play the video that lured you there. The Zlob is one of the most prolific infections in the Wild today.
George Rozak
Posts: 591
Joined: 26 Feb 2000 1:01 am
Location: Braidwood, Illinois USA
State/Province: Illinois
Country: United States

Post by George Rozak »

Wiz...

Thanks for your help tracking down all of these threats. Your blog is quite extensive. I was wondering if you knew of a list somewhere of the particular models that are vulnerable to these attacks?

I'm using a HomePortal 1000HW manufactured by 2Wire (not using the wireless option) that has a built-in firewall. Do you think that the built-in firewall might preclude this model from being vulnerable to these attacks? I did a quick net search and couldn't find anything mentioning this model in relation to said threats.

Thanks again for all the time you put in keeping current on this stuff.

George

Post by Wiz Feinberg »

George,
Yes, your modem-router has been successfully exploited by hostile scripts in email messages, or on rigged iframes in hacked websites.

You can read about some exploited HomePortal 1000HW users on dslreports.com. Also read this article about Cross Site Scripting Vulnerabilities in 2Wire modems.

Check your modem to see if pinging google.com yields a believable IP address, or just press in the reset button for a minute and restart the router. Then assign it a unique administrator password and continue securing it against remote administration and UPnP exploits.
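One way to automate the "believable IP address" check Wiz describes, as an added example that is not from the thread: compare what the router's resolver hands back against a trusted resolver's answers, flag answers that are not routable public addresses, and flag unrelated names that collapse onto one address, which is the pattern a rogue DNS setting on a hijacked router produces. All domain names and addresses below are constructed placeholders.

```python
import ipaddress

# Constructed sample data (placeholders, not real DNS records).
# ROUTER_ANSWERS: what the modem/router's DNS forwarder returned.
# TRUSTED_ANSWERS: what a resolver you control returned for the same names.
ROUTER_ANSWERS = {
    "google.com": "93.184.216.34",        # agrees with trusted resolver
    "bank.example": "45.33.32.156",       # differs, and ...
    "mybank.example": "45.33.32.156",     # ... shares the address with bank.example
    "isp-mail.example": "192.168.1.254",  # private address: not believable
}
TRUSTED_ANSWERS = {
    "google.com": "93.184.216.34",
    "bank.example": "104.18.32.7",
    "mybank.example": "104.18.33.7",
    "isp-mail.example": "104.18.34.7",
}


def is_believable(ip_str):
    """True only for a globally routable unicast address (no RFC1918,
    loopback, link-local, documentation or multicast ranges)."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return ip.is_global and not ip.is_multicast


def check_resolver(router, trusted):
    """Return (subject, reason) findings that point to DNS hijacking."""
    findings = []
    for name, ip in router.items():
        if not is_believable(ip):
            findings.append((name, "non-routable answer %s" % ip))
        elif name in trusted and trusted[name] != ip:
            findings.append((name, "router says %s, trusted resolver says %s"
                             % (ip, trusted[name])))
    # Pharming signature: several unrelated names pointing at one host.
    by_ip = {}
    for name, ip in router.items():
        by_ip.setdefault(ip, []).append(name)
    for ip, names in by_ip.items():
        if len(names) > 1:
            findings.append((ip, "shared by %s" % ", ".join(sorted(names))))
    return findings


if __name__ == "__main__":
    for subject, reason in check_resolver(ROUTER_ANSWERS, TRUSTED_ANSWERS):
        print("%-20s %s" % (subject, reason))
```

A clean router yields an empty list; any finding is a reason to factory-reset the device, set the administrator password and recheck, as described above.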