While Tim is still trying to figure out how to integrate ExchangeDefender into his company, I’m feeling good knowing that some of the policies we established a long time ago are finally being exercised by the spammers. It’s one of the things we do here very often – if we were to SPAM the world, what would we do? (Then we sit down and find ways to crush it.)
One of the things we integrated years ago covered the topic of extension masking, in a scam similar to the one outlined on Tim Barret’s blog. Basically, the spammer either attaches or links to a dangerous file that doesn’t look too dangerous. It’s all done by masking the extension to get it past the user. For example:
This is a text file:
Vlad is great.txt
This is an executable:
Vlad is great.txt.exe
This is an executable that idiot users click on:
Vlad is great.txt .exe
So a few years ago we integrated two checks – first, is the real extension masked by another, harmless-looking extension, and second, does the attachment or link name include an excessive number of spaces? If it does – poof.
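As an added illustration (not ExchangeDefender’s code), here is a Python filter that applies the two checks described above to an attachment file name or link path. The extension lists, the whitespace threshold and the sample names are assumptions constructed for this example.

```python
import re

# Extensions that execute when opened. Constructed list for this example,
# not the actual ExchangeDefender policy.
DANGEROUS_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "hta"}
# Extensions a user reads as harmless and a spammer uses as the decoy.
DECOY_EXTENSIONS = {"txt", "pdf", "doc", "jpg", "gif", "png", "zip"}
# Assumed threshold: the post only says "excessive" spaces.
MAX_SPACE_RUN = 3


def check_filename(name: str) -> list[str]:
    """Return the policy violations found in an attachment name or link path."""
    findings = []
    # Reduce a URL to its last path component and drop any query string.
    base = name.rsplit("/", 1)[-1].split("?", 1)[0]

    # Check 2: padding spaces used to push the real extension out of view.
    runs = re.findall(r"[ \t\u00a0]+", base)
    longest_run = max((len(r) for r in runs), default=0)
    if longest_run >= MAX_SPACE_RUN:
        findings.append(f"excessive whitespace ({longest_run} spaces in a row)")

    # Check 1: a dangerous final extension hiding behind a harmless one.
    parts = [p.strip().lower() for p in base.split(".")]
    exts = parts[1:]  # everything after the first dot
    if len(exts) >= 2 and exts[-1] in DANGEROUS_EXTENSIONS:
        decoys = [e for e in exts[:-1] if e in DECOY_EXTENSIONS]
        if decoys:
            findings.append(f"masked extension (.{decoys[-1]} hides .{exts[-1]})")
    return findings


if __name__ == "__main__":
    # Constructed samples: the three names from the post plus a masked link.
    for sample in ("Vlad is great.txt", "Vlad is great.txt.exe",
                   "Vlad is great.txt       .exe",
                   "http://example.invalid/v/clip.jpg.scr?id=1"):
        print(repr(sample), "->", check_filename(sample) or "clean")
```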
Now.. That’s hot!
This strain, by the way, has been going on for weeks now, and we’ve locked down over 75,000 hosts for spraying it across the Internet. This one shows a familiar YouTube shell but links to a random web site with the virus linked on it with a masked extension.
Also of note, a question came up: why do these viruses always get spread by random web sites on the Net??? Well, because those web sites got 0wn3d. Do you really think the hacker or script kiddie behind this is going to register a domain name and serve their traffic off their own site? Heck no. Let others pay for it; you just work on controlling your botnet.
Anyhow, that’s what we do at ExchangeDefender all day long. That and read your email. We hit delete. A lot. OK, sometimes we forward too – but only if it’s funny!
P.S. Oh, and if you’re wondering how I did that bubble thing in the screenshot – feature of the new SnagIt 9.0 – Betsy and Kristina have been hooking me up with new copies of it for years, best damn tool in the shed.