AL-2005.0029 -- "Hurricane Katrina" fraudulent emails and malicious web site

Date: 02 September 2005

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
A  U  S  C  E  R  T                                           A  L  E  R  T

                       AL-2005.0029 -- AUSCERT ALERT
       "Hurricane Katrina" fraudulent emails and malicious web site
                             2 September 2005

===========================================================================

OVERVIEW:

	AusCERT has observed the following fraudulent email circulating in 
	Australia and elsewhere:

	----

	Subject: Re: k5 80 people killed.
	From: "Dario Haar" <dario@njm.com>
	Date: Thu, 1 Sep 2005 08:58:56 -0500 (23:58 EST)
	To: "Anu Harshman" <auscert@auscert.org.au>

	Just before daybreak Tuesday, Katrina, now a tropical storm, was 35
	miles northeast of Tupelo, Miss., moving north-northeast with winds of
	50 mph. Forecasters at the National Hurricane Center said the amount of
	rainfall has been adjusted downward Monday.

	Mississippi Gov. Haley Barbour said Tuesday that Hurricane Katrina
	killed as many as 80 people in his state and burst levees in Louisiana
	flooded New Orleans.

	Read more...

	----

	If followed, the link in this email connects to a web site which 
	attempts to install malicious programs on the user's system, giving 
	the attacker complete control.

	In addition, the referenced site also contains a 'news article' about
	the Zotob virus, and claims to offer a patch which prevents a user's
	infection.  The 'patch' is in fact malware classified as DDoS-Boxed
	by McAfee [1].


IMPACT:

	The linked web site attempts to use a variety of Internet Explorer
	exploits to install malware and take control of a machine.  This may
	include the installation of a backdoor process that allows for an 
	attacker to send arbitrary commands to the infected system.


MITIGATION:

	This exploit requires user interaction - deleting these e-mails as 
	they arrive and not clicking on any links they contain is a safe 
	mitigation strategy.

	Ensuring your computer is up to date with the latest Windows patches 
	and allowing scripts to execute from trusted sites only will offer some
	protection against exploitation by this web site.

	The exploits on this site specifically target Internet Explorer, so 
	using an alternate browser will also offer some mitigation against 
	exploitation by this web site.

	Updated antivirus signatures may allow detection of this threat. 
	AusCERT recommends regular updating of virus definitions to ensure the
	maximum level of protection available from such threats.  Please note
	that some anti-virus products did not detect the malware on this site
	at the time of writing, so organisations may wish to also adopt other
	defensive measures in addition to anti-virus.

	System administrators may wish to scan their logs for the following
	addresses to detect access to the malicious site.  Please remember that
	these sites will attempt to infect your browser if visited, so visiting
	these URLs using a web browser is strongly discouraged:

	   nextermest.com
	   zone.datageer.com
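	The log check suggested above, as an added worked example that is not
	part of the AusCERT alert: a small Python script that scans proxy
	access-log lines for the two indicator domains listed in the alert.
	The log lines are constructed for the example and assume a
	Squid-style access-log layout (timestamp, elapsed, client, status,
	bytes, method, URL, ...); the function and variable names are the
	example's own. It matches on the URL's host component rather than on
	a raw substring, so that a sub-domain such as www.nextermest.com is
	caught while look-alikes such as nextermest.com.example.org or a
	query string containing the text are not reported.

```python
import sys
from urllib.parse import urlsplit

# Indicator domains taken from AusCERT alert AL-2005.0029.
MALICIOUS_DOMAINS = {"nextermest.com", "zone.datageer.com"}

# Constructed sample log lines (Squid-style access.log layout, assumed):
# timestamp elapsed client action/status bytes method url ident peer type
SAMPLE_LOG = """\
1125583200.123 1200 10.0.0.15 TCP_MISS/200 4312 GET http://nextermest.com/news/katrina.html - DIRECT/192.0.2.10 text/html
1125583201.456  900 10.0.0.15 TCP_MISS/200 8821 GET http://zone.datageer.com/zotob/patch.exe - DIRECT/192.0.2.11 application/octet-stream
1125583202.789  150 10.0.0.22 TCP_HIT/200 1337 GET http://www.example.com/index.html - NONE/- text/html
1125583203.000  300 10.0.0.31 TCP_MISS/200 2048 GET http://WWW.nextermest.com/ - DIRECT/192.0.2.10 text/html
1125583204.111  200 10.0.0.44 TCP_MISS/404 512 GET http://nextermest.com.example.org/ - DIRECT/198.51.100.5 text/html
1125583205.222  100 10.0.0.44 TCP_MISS/200 700 GET http://example.net/?ref=notnextermest.com - DIRECT/198.51.100.6 text/html
"""


def hostname_from_url(url):
    """Return the host part of an absolute URL or a CONNECT host:port target."""
    if "://" not in url:
        url = "//" + url          # let urlsplit treat host:port as a netloc
    return urlsplit(url).hostname or ""


def host_matches(host, indicators=MALICIOUS_DOMAINS):
    """Return the indicator that host equals or is a sub-domain of, else None.

    Matching on whole DNS labels avoids two false positives that a plain
    substring search would produce: a domain that merely contains the
    indicator text (notnextermest.com) and a domain that starts with the
    indicator followed by more labels (nextermest.com.example.org).
    """
    host = host.lower().rstrip(".")
    for indicator in indicators:
        if host == indicator or host.endswith("." + indicator):
            return indicator
    return None


def scan_log(text, indicators=MALICIOUS_DOMAINS):
    """Scan Squid-style log text; return one dict per line that hit an indicator."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        fields = line.split()
        if len(fields) < 7:       # malformed or truncated line: skip it
            continue
        timestamp, client, url = fields[0], fields[2], fields[6]
        host = hostname_from_url(url)
        matched = host_matches(host, indicators)
        if matched:
            hits.append({
                "line": lineno,
                "time": timestamp,
                "client": client,
                "host": host,
                "indicator": matched,
                "url": url,
            })
    return hits


def clients_to_check(hits):
    """Sorted, de-duplicated list of client addresses that reached a malicious host."""
    return sorted({hit["client"] for hit in hits})


if __name__ == "__main__":
    # Usage: python scan_log.py [access.log]  (no argument scans the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for hit in scan_log(text):
        print("line {line}: {client} -> {host} ({indicator}) {url}".format(**hit))
    print("clients to examine:", ", ".join(clients_to_check(scan_log(text))))
```

	Run against a real proxy log, the output lists the internal client
	addresses that fetched content from either domain, which are the
	machines to examine for the backdoor described in the IMPACT section.
	The same host-matching function can be applied to DNS query logs by
	feeding it the queried name directly.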

REFERENCES:

	[1] http://vil.nai.com/vil/content/v_126100.htm

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBQxfqTSh9+71yA2DNAQL09wP9HvEIY0UmEXx1gnH+wvMZYb0TgHABaWzw
0ocseuibdAClPlClOymW84njyX3nrkqVwVg3xKMO5Lw3j1vf+k7W55hAle41KPm3
VLzBuxnHS6Yhr7RSt9u2uT/Nsz8A6B/x7ZldqLC9dw+Vb0FL7y5ygwTxAd/kTgZd
ptjAx6WS3Bg=
=WLX3
-----END PGP SIGNATURE-----