Phishing attempts to my spamcop account
Posted 17 September 2010 - 06:20 AM
Posted 17 September 2010 - 07:17 AM
Can you refer to these things by way of a Tracking URL rather than as a paste-in of the actual spam? The forum formatting and badword filter changes stuff posted here, there can sometimes be live links to bad places and, although munged slightly, there is exposure of (usually) innocent addresses etc. when you post the spam in public.
Posted 18 September 2010 - 12:18 AM
Posted 20 September 2010 - 07:44 PM
Well worth raising SL, seems it was and is a 'zero day' sort of thing. Zero detections from the massed AV engines at VirusTotal when the O/P first raised the topic but now my resident Norton says Trojan.Webkit!html - http://securityrespo...r...-99&tabid=2
FYI for whatever it's worth
I've been getting similar stuff, seems to be increasing every day.
Seems the 'unescape' coding within the scri_pt may be variable and/or some random characters outside the active body of code may be variable - which successfully defeats initial detection - the O/P's version was not picked up by Norton until yesterday's/today's updates. Haven't specifically checked yours but that's what I think is happening - the hash values will be variable, the code content may appear variable until unescape codes resolved, the redirection destination (which is well obfuscated, I can't see it) may be variable, very likely each day's version of the thing will be undetectable as a threat to most scanners for some days after release.
Discovered: October 9, 2007
Updated: October 9, 2007 4:42:01 PM
Infection Length: Varies
Systems Affected: Windows 98, Windows 95, Windows XP, Solaris, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Linux, Windows 2000
Trojan.Webkit!html is a generic detection for HTML files containing malicious code to redirect users to malicious Web servers.
A successful compromise by a malicious Web server may result in additional malicious files being downloaded to the compromised computer
HTML attachments/content in spam have been around for ages - the prudent assumption is, if they are in spam they probably *are* malicious but this is the first time I have personally verified an instance. Well, apart from a few web bugs (can't assume they are history either - to keep a step ahead, spammers sometimes step backwards). The 'inconvenience' of safe practice (no scripting allowed, no preview of email, view text only, don't read obvious spam at all, don't open unknown attachments or click on unknown links, query/prevent redirections) seems to be vindicated once again.
1 user(s) are reading this topic
0 members, 1 guests, 0 anonymous users