Michael Scheidell wrote:
just saw this one in email. terra.com/ spamcop.com./br are hosting trojans.
but this email uses flash to load this:

<param name=movie value="http://www.terra.com.br/cartoes/datas/amor.swf";>
(which redirects to http://cartoes.terra.com.br/datas/amor.swf )

then tries to load a binary:

ref="http://www.spamcom.com.br/CartadeAmor.exe";

both files still exist on the hosts, and neither was identified by clamav, and neither triggered any ET (snort) rules, SA didn't trigger any rules except these:

HTML_EMBEDS=0.056, HTML_EXTRA_CLOSE=2.809,
    HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.957,

(and my private rule, looking for a uri ending in .exe)

email that tries to get you to load these here:

http://pastebin.com/m2fcbe7b5

Oh lovely!

We've seen flash ad based driveby attacks on websites for a year or so - this is the first time I've seen them inserted into an email (although I'm sure it's been happening for a while).

I don't know what bright spark at Adobe thought it would be a good idea for the Flash API to have the functionality to download and execute remote arbitrary code, but it should be easy enough to write a SA rule to detect embedded flash-based content and score it.

Thanks for posting the example.

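As an added illustration of the rule the reply suggests (this is not from the thread or from the SpamAssassin project's own rule set), the following local.cf fragment scores HTML mail that embeds a Flash movie the way the pasted sample does, and scores it higher when the same message also links to an .exe. The rule names, the scores and the regular expressions are this example's own choices and will need tuning against real traffic; `rawbody` rules see the decoded HTML with its tags intact, `uri` rules are matched against each URI SpamAssassin extracts from the body, and `meta` rules combine the `__` sub-rules.

```spamassassin
# Added example, not part of the thread: SpamAssassin rules for Flash embeds
# and .exe links in HTML mail. Names, scores and regexes are assumptions.

# Sub-rule: <param name=movie value="http://...swf"> as in the posted sample
rawbody  __FLASH_PARAM_MOVIE  /<param\s+name=["']?movie["']?\s+value=["']?https?:\/\/[^"'\s>]+\.swf/i

# Sub-rule: <embed ...> or <object ...> whose attributes reference a .swf
rawbody  __FLASH_EMBED_SWF    /<(?:embed|object)\b[^>]*\.swf\b/i

# Sub-rule: any extracted URI ending in .exe (the "private rule" idea above)
uri      __URI_ENDS_EXE       /\.exe$/i

# Flash embedded in the message body at all
meta     FLASH_EMBED_IN_MAIL  (__FLASH_PARAM_MOVIE || __FLASH_EMBED_SWF)
describe FLASH_EMBED_IN_MAIL  HTML message embeds Flash (.swf) content
score    FLASH_EMBED_IN_MAIL  2.0

# Flash embed together with a link to an executable: score it harder
meta     FLASH_PLUS_EXE_LINK  (FLASH_EMBED_IN_MAIL && __URI_ENDS_EXE)
describe FLASH_PLUS_EXE_LINK  Embedded Flash plus a link to an .exe download
score    FLASH_PLUS_EXE_LINK  3.0
```

Drop the fragment into local.cf, run `spamassassin --lint` to check the syntax, then test it with `spamassassin -t < sample.eml` on the pasted message and on a corpus of legitimate HTML mail before settling on the scores; Flash embeds were rare in legitimate mail even then, so a moderate score on the embed alone and a larger one on the combination is a reasonable starting point.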