What is this email trying to do? - Security



Thread: What is this email trying to do?

  1. What is this email trying to do?

    I receive occasional emails from unknown females (probably script kiddies)
    whose body (the emails, not the women) is a line of hex numbers or similar.
    A virus scan in Windows disclosed no risk, but they can't be innocent.

    Any ideas?

    Doug.

  2. Re: What is this email trying to do?

    On Thu, 13 Mar 2008 00:12:39 +1100, Doug Laidlaw wrote:
    > I receive occasional emails from unknown females (probably script kiddies)
    > whose body (the emails, not the women) is a line of hex numbers or similar.
    > A virus scan in Windows disclosed no risk, but they can't be innocent.


    With about 10 new pieces of malware a minute, why would you think a
    scan is safe? http://www.darkreading.com/document.asp?doc_id=143424
    Not to mention how long your AV software takes to get around to
    detecting what is being mailed.
    http://www.commtouch.com/Site/Resear...t_activity.asp

    Guessing obfuscated javascript or url based on all the provided information.

  3. Re: What is this email trying to do?

    Bit Twister wrote:

    > On Thu, 13 Mar 2008 00:12:39 +1100, Doug Laidlaw wrote:
    >> I receive occasional emails from unknown females (probably script
    >> kiddies) whose body (the emails, not the women) is a line of hex numbers
    >> or similar. A virus scan in Windows disclosed no risk, but they can't be
    >> innocent.

    >
    > With about 10 new pieces of malware a minute, why would you think a
    > scan is safe? http://www.darkreading.com/document.asp?doc_id=143424
    > Not to mention how long your AV software takes to get around to
    > detecting what is being mailed.
    > http://www.commtouch.com/Site/Resear...t_activity.asp
    >
    > Guessing obfuscated javascript or url based on all the provided
    > information.


    Naturally, I didn't want to post the signature to the group.

    As for the 10 pieces of malware a minute:

    (a) this one is now months old;

    (b) A friend was unlucky enough to lose his whole system to a virus that got
    him before Norton had updated to detect it. He blamed Norton and left them
    over it, saying it was their job to have it in their database. I suggested
    that more probably, he was just unlucky, although Norton has copped some
    bad publicity in the past. I run CA, sold in Aus as Vet.

    Doug.

  4. Re: What is this email trying to do?

    On Thu, 13 Mar 2008 02:52:39 +1100, Doug Laidlaw wrote:
    >
    > (a) this one is now months old;


    Not really germane to the problem.

    Saw an article more than a year ago, where a couple were selling a
    root kit which went undetected for year.

    AV vendors have to catch a copy of malware before they can put them
    into the database. Black Hats have databases of AV site ips.
    When those sites hit a malware distribution site, the site does not
    serve up any malware.

    They also were re-obfuscating malware on each delivery making it much
    less detectable by AV software.


  5. Re: What is this email trying to do?

    Doug Laidlaw writes:

    >Bit Twister wrote:


    >> On Thu, 13 Mar 2008 00:12:39 +1100, Doug Laidlaw wrote:
    >>> I receive occasional emails from unknown females (probably script
    >>> kiddies) whose body (the emails, not the women) is a line of hex numbers
    >>> or similar. A virus scan in Windows disclosed no risk, but they can't be
    >>> innocent.

    >>
    >> With about 10 new pieces of malware a minute, why would you think a
    >> scan is safe? http://www.darkreading.com/document.asp?doc_id=143424
    >> Not to mention how long your AV software takes to get around to
    >> detecting what is being mailed.
    >> http://www.commtouch.com/Site/Resear...t_activity.asp
    >>
    >> Guessing obfuscated javascript or url based on all the provided
    >> information.


    >Naturally, I didn't want to post the signature to the group.


    >As for the 10 pieces of malware a minute:


    >(a) this one is now months old;


    >(b) A friend was unlucky enough to lose his whole system to a virus that got
    >him before Norton had updated to detect it. He blamed Norton and left them
    >over it, saying it was their job to have it in their database. I suggested
    >that more probably, he was just unlucky, although Norton has copped some
    >bad publicity in the past. I run CA, sold in Aus as Vet.


    Why he would blame Norton rather than Microsoft has always bewildered me.
    The wheels fall off of your car regularly because the carmaker uses bad
    steel, and you blame the road builders for not filling in the holes fast
    enough.




  6. Re: What is this email trying to do?

    In comp.os.linux.security Unruh :
    >>> On Thu, 13 Mar 2008 00:12:39 +1100, Doug Laidlaw wrote:

    [..]

    >>(b) A friend was unlucky enough to lose his whole system to a virus that got
    >>him before Norton had updated to detect it. He blamed Norton and left them
    >>over it, saying it was their job to have it in their database. I suggested

    [..]

    > Why he would blame Norton rather than Microsoft has always bewildered me.
    > The wheels fall off of your car regularly because the carmaker uses bad
    > steel, and you blame the road builders for not filling in the holes fast
    > enough.


    LOL...The question remains what has this to do with Linux?

    --
    Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
    mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
    #bofh excuse 382: Someone was smoking in the computer room
    and set off the halon systems.

  7. Re: What is this email trying to do?

    Michael Heiming wrote:
    > In comp.os.linux.security Unruh :
    >>>> On Thu, 13 Mar 2008 00:12:39 +1100, Doug Laidlaw wrote:

    > [..]
    >
    >>> (b) A friend was unlucky enough to lose his whole system to a virus that got
    >>> him before Norton had updated to detect it. He blamed Norton and left them
    >>> over it, saying it was their job to have it in their database. I suggested

    > [..]
    >
    >> Why he would blame Norton rather than Microsoft has always bewildered me.
    >> The wheels fall off of your car regularly because the carmaker uses bad
    >> steel, and you blame the road builders for not filling in the holes fast
    >> enough.

    >
    > LOL...The question remains what has this to do with Linux?
    >


    One of the recipients of the email has an aunt who bumped into
    a man whose son once smelled the shoe of a person who used Linux.

    (I thought that was obvious)


  8. Re: What is this email trying to do?

    Chris Cox wrote:

    > Michael Heiming wrote:
    >> In comp.os.linux.security Unruh :
    >>>>> On Thu, 13 Mar 2008 00:12:39 +1100, Doug Laidlaw wrote:

    >> [..]
    >>
    >>>> (b) A friend was unlucky enough to lose his whole system to a virus
    >>>> that got
    >>>> him before Norton had updated to detect it. He blamed Norton and left
    >>>> them
    >>>> over it, saying it was their job to have it in their database. I
    >>>> suggested

    >> [..]
    >>
    >>> Why he would blame Norton rather than Microsoft has always bewildered
    >>> me. The wheels fall off of your car regularly because the carmaker uses
    >>> bad steel, and you blame the road builders for not filling in the holes
    >>> fast enough.

    >>
    >> LOL...The question remains what has this to do with Linux?
    >>

    >
    > One of the recipients of the email has an aunt who bumped into
    > a man whose son once smelled the shoe of a person who used Linux.
    >
    > (I thought that was obvious)


    No, that was a "by the way." It was a reply to the "we can never be up to
    date, so why bother anyway?" It is a by-product of my being old and
    garrulous.

    Just got the same thing again. 3x w, which could be www. but 119
    doesn't appear in the ASCII table at all, and the next ones are
    .l "&" + another nonexistent one. The complete line runs off the
    page. No wonder I couldn't put them in a Web page and get any sense out of
    them.

    Doug.

  9. Re: What is this email trying to do?

    On Mon, 17 Mar 2008 23:59:34 +1100, Doug Laidlaw wrote:

    > Just got the same thing again. 3x w, which could be www. but 119
    > doesn't appear in the ASCII table at all,


    You sure,
    man ascii | grep 119

  10. Re: What is this email trying to do?

    On Mon, 17 Mar 2008, in the Usenet newsgroup comp.os.linux.security, in article
    , Doug Laidlaw wrote:

    >Just got the same thing again. 3x w, which could be www. but
    >119 doesn't appear in the ASCII table at all, and the next ones are
    >.l "&" + another nonexistent one. The complete line runs
    >off the page. No wonder I couldn't put them in a Web page and get
    >any sense out of them.


    Have you tried using 'decimal' rather than octal or hex?

    &#00119 -> w
    &#46 -> .
    &#108 -> l

    That's an old spammer's trick for obfuscation of addresses and URLs.
    The leading '&#' tells some browsers that this character is shown in
    decimal. I'm not sure, but I think it's merely using an 8 bit (or
    multi-byte) character set instead of ASCII. I think it's a feature of
    the browsers most idiots use to read their mail. If you look at the
    man pages for the other character sets

    [compton ~]$ whatis ascii iso_8859_1 Unicode
    ascii (7)            - the ASCII character set encoded in octal, decimal, and hexadecimal
    iso_8859_1 (7)       - the ISO 8859-1 character set encoded in octal, decimal, and hexadecimal
    Unicode [unicode] (7) - the unified 16-bit super character set
    [compton ~]$

    the lower 127 characters of the various 8859 and Unicode character sets
    (as well as one or more of the windoze sets) are a direct copy of ASCII.

    Old guy
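    The trick Moe Trin describes above (HTML numeric character references such
    as &#119 standing in for plain characters, with the semicolon often omitted
    because lenient mail clients accept it) can be reversed for triage without
    rendering the message in a browser. The following decoder is an added
    example, not code from anyone in this thread; it handles both decimal and
    hexadecimal references, leaves invalid code points untouched, and reports
    any URL that only becomes visible after decoding. The sample body is
    constructed to resemble the lines Doug describes, not a real message.

```python
import re
from typing import List

# Decimal (&#119, &#00119;) and hexadecimal (&#x77, &#X77;) numeric character
# references. The semicolon is optional because many mail clients and browsers
# accept references without one, which is exactly what the obfuscation relies on.
# Without a semicolon the decimal form is greedy (&#46 followed by a digit would
# swallow it), so a reference is ended only by the next non-digit character.
_NUM_REF = re.compile(r"&#(x[0-9a-fA-F]+|[0-9]+);?", re.IGNORECASE)

# Crude URL matcher used only to compare "before" and "after" decoding.
_URL = re.compile(r"(?:https?://|www\.)[^\s\"'<>]+", re.IGNORECASE)


def _decode_one(match: "re.Match") -> str:
    ref = match.group(1)
    code = int(ref[1:], 16) if ref[0] in "xX" else int(ref, 10)
    # Refuse values that are not valid Unicode scalar values and keep the raw
    # text so nothing is silently dropped from the evidence.
    if code > 0x10FFFF or 0xD800 <= code <= 0xDFFF:
        return match.group(0)
    return chr(code)


def decode_numeric_refs(text: str) -> str:
    """Replace every numeric character reference with the character it names."""
    return _NUM_REF.sub(_decode_one, text)


def hidden_urls(text: str) -> List[str]:
    """URLs present in the decoded text but absent from the raw text.

    A non-empty result is a strong sign the body was deliberately obfuscated.
    """
    visible = set(_URL.findall(text))
    return [u for u in _URL.findall(decode_numeric_refs(text)) if u not in visible]


# Constructed sample (hypothetical host name), mixing decimal and hex references
# and padded with leading zeros the way Moe Trin's &#00119 example does.
SAMPLE = "&#00119&#119&#119&#46&#108&#x6F&#x6C&#46example&#46com"

if __name__ == "__main__":
    print(decode_numeric_refs(SAMPLE))   # www.lol.example.com
    print(hidden_urls(SAMPLE))           # ['www.lol.example.com']
```

    Python's standard `html.unescape` performs the same substitution (plus named
    entities) if you only need the decoded text; the explicit version above keeps
    the invalid-code-point handling visible and makes the before/after URL
    comparison easy to extend.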

  11. Re: What is this email trying to do?

    On 17 Mar, 19:53, ibupro...@painkiller.example.tld (Moe Trin) wrote:
    > On Mon, 17 Mar 2008, in the Usenet newsgroup comp.os.linux.security, in article
    >
    > , Doug Laidlaw wrote:
    > >Just got the same thing again. 3x w, which could be www. but
    > >119 doesn't appear in the ASCII table at all, and the next ones are
    > >.l "&" + another nonexistent one. The complete line runs
    > >off the page. No wonder I couldn't put them in a Web page and get
    > >any sense out of them.

    >
    > Have you tried using 'decimal' rather than octal or hex?
    >
    > &#00119 -> w
    > &#46    -> .
    > &#108   -> l
    >
    > That's an old spammer's trick for obfuscation of addresses and URLs.
    > The leading '&#' tells some browsers that this character is shown in
    > decimal. I'm not sure, but I think it's merely using an 8 bit (or
    > multi-byte) character set instead of ASCII. I think it's a feature of
    > the browsers most idiots use to read their mail. If you look at the
    > man pages for the other character sets


    It sounds like you're seeing the spam aimed at Outlook and other
    clients that automagically transform such debris into URL's. I'm also
    seeing a lot of Unicode, foreign language spew lately, so it could be
    in a language you're not set up to display. Spammers will try
    *anything*, so it's hard to guess which it is without a copy of the
    spew.
