Re: [botnets] [phishing] XP update phish/malware
More links (have fun!)

EF
Re: [botnets] mailfreepostcards.com - spreading on the web
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
--
Hi,

I was able to get several EXE files. It's changing almost every hour, they use a kind of polymorphic packer.

The web-component of this StormWorm variant is distributed by the following domains:

mailfreepostcards.com
postcardsbargain.com
2007postcards.com
ecolorpostcards.com
bestnetpostcards.com
freewebpostcards.com

They all resolve to 209.123.8.198 at the moment. The loader page could be funvideo.html, clip.html or winner.html. Try to google for Dont forget to see http (with quotes).

More info here: http://www.symantec.com/enterprise/security_response/weblog/2007/02/mespam_infecting_web_20_with_l.html

Amazingly some Nigerian spammer gets infected as well (http://www.joewein.net/blog/?p=12) or is using an infected machine in some Internet Cafe. :)

EF

- Original Message -
From: Jake Mailinglists [mailto:[EMAIL PROTECTED]
To: Elia Florio [mailto:[EMAIL PROTECTED], botnets@whitestar.linuxbox.org
Sent: Thu, 01 Mar 2007 14:37:20 +0100
Subject: Re: [botnets] mailfreepostcards.com - spreading on the web

Hello,

I believe they have modded the file for fun.exe as well as a null-padded html loader file fun.html. Also on the same site. However, if you try to pull either exe file I get a redirect to a secsup.org mirror file... you?

Jake

On 2/26/07, Elia Florio [EMAIL PROTECTED] wrote:

Hi,

looks like a component dropped by the StormWorm/Peacomm (rsvp32_2.dll) is infecting the web by injecting a malicious link to bulletin boards, forum, blogs, etc. Google for: mailfreepostcards.com to find some infected pages. Infected users won't notice anything because the trojan acts as LSP and injection works at tcp/ip level.

EF
___
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
All list and server information are public and available to law enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
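For administrators of boards and blogs who want to find posts carrying the injected link described in the thread above, the following is an added example, not code from the thread or its authors. It scans stored post bodies for URLs on the six listed domains and flags the three loader page names; the (post_id, body) row format and the sample posts are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the message above.
STORM_DOMAINS = {
    "mailfreepostcards.com", "postcardsbargain.com", "2007postcards.com",
    "ecolorpostcards.com", "bestnetpostcards.com", "freewebpostcards.com",
}
LOADER_PAGES = {"funvideo.html", "clip.html", "winner.html"}

URL_RE = re.compile(r"https?://[^\s\"'<>()\[\]]+", re.IGNORECASE)


def classify(url):
    """Return 'loader', 'domain' or None for a single URL."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:  # malformed URL in user content
        return None
    # Exact domain or a subdomain only; lookalike suffixes do not match.
    if not any(host == d or host.endswith("." + d) for d in STORM_DOMAINS):
        return None
    page = parts.path.rsplit("/", 1)[-1].lower()
    return "loader" if page in LOADER_PAGES else "domain"


def scan_posts(posts):
    """posts: iterable of (post_id, body); returns [(post_id, url, kind)]."""
    hits = []
    for post_id, body in posts:
        for raw in URL_RE.findall(body):
            url = raw.rstrip(".,;:!?")  # drop trailing sentence punctuation
            kind = classify(url)
            if kind:
                hits.append((post_id, url, kind))
    return hits


# Constructed sample rows, not taken from any real board.
SAMPLE_POSTS = [
    (101, "Great thread! Dont forget to see http://mailfreepostcards.com/funvideo.html"),
    (102, 'Look: <a href="http://www.ecolorpostcards.com/">cards</a>.'),
    (103, "Lookalike host: http://mailfreepostcards.com.example.org/clip.html"),
    (104, "No links in this one."),
]

if __name__ == "__main__":
    for hit in scan_posts(SAMPLE_POSTS):
        print(hit)
```

Because the thread says the injection happens on the poster's machine at the network layer, a hit points to an infected poster rather than a compromised board.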
Re: [botnets] Contact needed
Hi,

seen some mails with a link to:

hXXp://infohelp.hk
hXXp://wildnews.hk

The site hosts the usual old ActiveX exploit and downloads iexplore.exe.

Does anyone know this CC web interface?

http://58.65.237.49/~botnet/apophis/
http://58.65.237.49/~botnet2/apophis/

EF