Friday, June 20, 2008

BackTrack 3 Final - Released

Remote Exploit has just released the final version of BackTrack 3 - the screwdriver of the penetration tester's toolbox. I am a big fan of BackTrack.

From the site:

Currently BackTrack consists of more than 300 different up-to-date tools which are logically structured according to the work flow of security professionals. This structure allows even newcomers to find the related tools to a certain task to be accomplished. New technologies and testing techniques are merged into BackTrack as soon as possible to keep it up-to-date.


For more information, visit Remote-Exploit.org.


Fake Porntube site -> r.html -> video.exe

I recently received an email:

Delivered-To: (REDACTED)
Received: by 10.114.197.7 with SMTP id u7cs66501waf;
Thu, 19 Jun 2008 07:06:35 -0700 (PDT)
Received: by 10.210.46.12 with SMTP id t12mr1910940ebt.23.1213884394448;
Thu, 19 Jun 2008 07:06:34 -0700 (PDT)
Return-Path:
Received: from ?88.251.149.76? ([88.251.202.216])
Thu, 19 Jun 2008 07:06:34 -0700 (PDT)
client-ip=88.251.202.216;
(pluviosc1998@trinitycollege.edu does not designate 88.251.202.216 as permitted sender) smtp.mail=pluviosc1998@trinitycollege.edu

From: "=?ISO-8859-1?Q?Croughn?="
To: (REDACTED)
Subject: =?ISO-8859-1?Q?Lastest! Obama quits presidential race?=
Date: Thu, 19 Jun 2008 17:06:34 +0300
Mime-Version: 1.0
Content-Type: text/plain;
charset="ISO-8859-1"
Content-Transfer-Encoding: 8BIT
Message-Id:
X-Antivirus: avast! (VPS 080618-0, 18.06.2008), Outbound message
X-Antivirus-Status: Clean

Ring it up for Celtics after fantastic win

http://(PARTS REDACTED)homes.com/r.html

Or for those who aren't interested in the headers:

On Thu, Jun 19, 2008 at 8:06 AM, Croughn said:
Ring it up for Celtics after fantastic win
http://(PARTS REDACTED)homes.com/r.html
(I've removed the domain name for your protection.)

I suspected malware, so I clicked the URL in a sandbox. I was more than surprised by the images I saw. A very young-looking nude girl was standing next to an older guy. I've blacked out portions of the site; however, you can see how a link like this could get even the most innocent people in serious trouble.

Update: The screenshot has been removed from the main page.
If you would like to view the semi-censored (not work safe) screenshot, you may:
[CLICK HERE]

The image is actually a link to "video.exe", which most antivirus products identify as Peed/Peacomm.

This file creates and executes C:\WINDOWS\System32\CbEvtSvc.exe. I suggest that everyone update their IDS to watch for requests for r.html and video.exe.

The domain name is not really important. Those who need to know about it already do.

Update: I have several more emails in my mail drops. I've personally received a dozen or more unique sites. I thumbed through my mailing lists, and the experts are already on to these guys. This may be new to many of us this week - but the real experts have already been watching the transformation.

Others blogged about this before me - you can view their analysis by following the URLs below:

http://blog.mxlab.be/2008/06/19/new-malware-outbreak/
http://www.pcmag.com/article2/0,2817,2320835,00.asp


Thursday, June 19, 2008

CME711's latest SE Spam



The Storm Worm operators have recently updated their spam and web content. The web page (capture to the right) is shown in its entirety. Users are then given the opportunity to download and run a malicious file, beijing.exe.

For the last couple of months the Storm domains have been less fast-fluxy: they change every 60 seconds instead of with every request. Perhaps this is because they are simply too small, or perhaps it's because too many people are hitting the DNS servers, causing a denial of service.

Regardless, we've spotted the following domains in use:

biztech-co.cn, ratedhot.cn, fconnorlaw.cn, pacoast.cn, cadeaux-avenue.cn, likenewvideos.com, tellicolakerealty.cn, activeware.cn, grupogaleria.cn and polkerdesign.cn.


Please update your IDS accordingly.
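Both IDS suggestions on this page (watch for r.html and video.exe in the previous post, and the domain list above) boil down to checks that can also be run over proxy logs. The following is an added example, not code from the original posts: the indicators come from the posts, while the four-field log format, the .example hosts and the sample lines are constructed for the demonstration.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit

# Indicators from the posts above: r.html landing page, video.exe/beijing.exe droppers, Storm domains.
STORM_DOMAINS = {"biztech-co.cn", "ratedhot.cn", "fconnorlaw.cn", "pacoast.cn",
                 "cadeaux-avenue.cn", "likenewvideos.com", "tellicolakerealty.cn",
                 "activeware.cn", "grupogaleria.cn", "polkerdesign.cn"}
LANDING_PAGES, DROPPERS = {"r.html"}, {"video.exe", "beijing.exe"}
WINDOW_SECONDS = 600  # landing page followed by a dropper within 10 minutes
# Constructed proxy-log format for this example: "<ISO timestamp> <client> <method> <url>"
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+)$")

def parse_line(line):
    """Split one log line into timestamp, client, host and requested basename (None if unparseable)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, _method, url = m.groups()
    parts = urlsplit(url)
    return {"ts": datetime.fromisoformat(ts), "client": client, "url": url,
            "host": (parts.hostname or "").lower(),
            # exact basename, so "bar.html" does not match the "r.html" indicator
            "file": parts.path.rsplit("/", 1)[-1].lower()}

def is_storm_host(host):
    """Match a listed domain or any of its subdomains, never a mere substring."""
    return host in STORM_DOMAINS or any(host.endswith("." + d) for d in STORM_DOMAINS)

def triage(lines):
    """Return (kind, client, url) alerts: domain hits, landing->dropper chains, lone droppers."""
    alerts, last_landing = [], {}  # last_landing: client -> time of its latest r.html request
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # skip unparseable lines instead of aborting the whole run
        if is_storm_host(ev["host"]):
            alerts.append(("storm-domain", ev["client"], ev["url"]))
        if ev["file"] in LANDING_PAGES:
            last_landing[ev["client"]] = ev["ts"]
        elif ev["file"] in DROPPERS:
            seen = last_landing.get(ev["client"])
            chained = seen is not None and 0 <= (ev["ts"] - seen).total_seconds() <= WINDOW_SECONDS
            alerts.append(("landing-then-dropper" if chained else "dropper-only", ev["client"], ev["url"]))
    return alerts

# Constructed sample lines (private addresses, .example hosts); the second client hits a listed domain.
SAMPLE_LOG = ["2008-06-19T14:06:40 10.0.0.5 GET http://landing.example/r.html",
              "2008-06-19T14:07:02 10.0.0.5 GET http://landing.example/video.exe",
              "2008-06-19T14:09:30 10.0.0.7 GET http://www.ratedhot.cn/beijing.exe",
              "2008-06-19T14:10:00 10.0.0.9 GET http://intranet.example/bar.html"]
```

Running `triage(SAMPLE_LOG)` yields one landing-then-dropper chain for the first client and a domain hit plus a lone dropper for the second; the bar.html request produces nothing because only the exact basename r.html is matched.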
