Merit Network
 Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives
North American Network Operators Group
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: sober.z to hit tomorrow

  • From: Wil Schultz
  • Date: Fri Jan 06 02:23:37 2006

Here is some more interesting information. I'm not positive this is Sober.Z related but it's walking like and talking like a duck.

First I see the below DNS requests, shortly after I see many SMTP packets hitting Hotmail, AOL, Yahoo.com, Yahoo.co.uk, Progegy, etc.... Looks like it's... Sending SPAM?!?!
This I didn't expect at all, here is a trace from one of the known infected users:

########################################################
220 mta272.mail.mud.yahoo.com ESMTP YSmtp service ready
HELO mx1.mail.yahoo.com
250 mta272.mail.mud.yahoo.com
MAIL FROM: <wrkdtdnqskz@hotmail.com>
250 sender <wrkdtdnqskz@hotmail.com> ok
RCPT TO: <klay900@yahoo.com>
250 recipient <klay900@yahoo.com> ok
data
354 go ahead
From: "oesh" <wrkdtdnqskz@hotmail.com>
To: klay900@yahoo.com
Content-type: text/html
Subject: You are tempter-lover, for sure! Soft Cialis.


Order <acy></acy>all your prescription medication online<BR>
Have a holiday in your <acm></acm>life with Viagra Pro<BR>
<A href="http://ikbghlmj.milliontime.info/?acdefjxwnsoyikzcvbghlm";>http://achibejkf.victoriaroadmaps.info/?dglmfxwnsoyachizcvbejk</A><BR>
Your <acj></acj>wife <acl></acl>will be charmed by your stamina and enduranceGenerik Viagra.<BR>
Your wife will be amazed by you. Generik Viagra.<BR>
Cheapest Viagra <acx></acx>Pro online<BR>

.
250 ok dirdel
quit
221 mta272.mail.mud.yahoo.com
########################################################

Wil Schultz wrote:

FYI: I've set some traps on our DNS servers, dunno exactally what this means but I thought that I should share:

Jan 5 18:41:09 myServer named[24490]: client X.X.X.X#1192: query: arcor.de IN MX
Jan 5 18:45:48 myServer named[24490]: client X.X.X.X#1034: query: freenet.de IN MX

These are the only two logs I have at this point. And I don't recall any other Sober searching for an email server.

-Wil

Wil Schultz wrote:

Wouldn't it be fun if it contained the WMF exploit in some form?
So, I'm planning on using swatch to monitor DNS requests for the known affected domains. What is everyone else planning to do?

-Wil


Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.