Date: 02 September 2005
-----BEGIN PGP SIGNED MESSAGE-----
A U S C E R T A L E R T
AL-2005.0029 -- AUSCERT ALERT
"Hurricane Katrina" fraudulent emails and malicious web site
2 September 2005
AusCERT has observed the following fraudulent email circulating in
Australia and elsewhere:
Subject: Re: k5 80 people killed.
From: "Dario Haar" <firstname.lastname@example.org>
Date: Thu, 1 Sep 2005 08:58:56 -0500 (23:58 EST)
To: "Anu Harshman" <email@example.com>
Just before daybreak Tuesday, Katrina, now a tropical storm, was 35
miles northeast of Tupelo, Miss., moving north-northeast with winds of
50 mph. Forecasters at the National Hurricane Center said the amount of
rainfall has been adjusted downward Monday.
Mississippi Gov. Haley Barbour said Tuesday that Hurricane Katrina
killed as many as 80 people in his state and burst levees in Louisiana
flooded New Orleans.
If followed, the link in this email connects to a web site which
attempts to install malicious programs on the user's system, giving
the attacker complete control.
In addition, the referenced site also contains a 'news article' about
the Zotob virus, and claims to offer a patch which prevents a user's
infection. The 'patch' is in fact malware classified as DDoS-Boxed
by McAfee.
The linked web site attempts to use a variety of Internet Explorer
exploits to install malware and take control of a machine. This may
include the installation of a backdoor process that allows for an
attacker to send arbitrary commands to the infected system.
This exploit requires user interaction - deleting these e-mails as
they arrive and not clicking on any links they contain is a safe
Ensuring your computer is up to date with the latest Windows patches
and allowing scripts to execute from trusted sites only will offer some
protection against exploitation by this web site.
The exploits on this site specifically target Internet Explorer, so
using an alternate browser will also offer some mitigation against
exploitation by this web site.
Updated antivirus signatures may allow detection of this threat.
AusCERT recommends regular updating of virus definitions to ensure the
maximum level of protection available from such threats. Please note
that some anti-virus products did not detect the malware on this site
at the time of writing, so organisations may wish to also adopt other
defensive measures in addition to anti-virus.
System administrators may wish to scan their logs for the following
addresses to detect access to the malicious site. Please remember that
these sites will attempt to infect your browser if visited, so visiting
these URLs using a web browser is strongly discouraged:
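The log scan recommended above can be done offline against exported proxy logs instead of visiting the site. The following is an added example, not part of the AusCERT alert: it parses Squid native-format access log lines, matches the requested host (including CONNECT tunnels) against an indicator list, and reports the hits and the client addresses that need follow-up. The indicator hostnames and IPs (`malicious-site.example`, `192.0.2.10`) and the sample log lines are placeholders constructed for the example; substitute the addresses from the alert.

```python
"""Scan proxy logs for access to known-malicious hosts (added example)."""
import re
from datetime import datetime, timezone
from urllib.parse import urlparse

# PLACEHOLDER indicators: the advisory lists the real addresses, which are
# not reproduced here. Substitute the hostnames/IPs from the alert.
MALICIOUS_INDICATORS = [
    "malicious-site.example",   # placeholder hostname
    "192.0.2.10",               # placeholder IP (RFC 5737 documentation range)
]

# Constructed sample lines in Squid native access.log format:
# time elapsed client action/code bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1125614296.123   120 10.0.0.5 TCP_MISS/200 4521 GET http://news.example.org/katrina.html - DIRECT/203.0.113.7 text/html
1125614301.456   340 10.0.0.8 TCP_MISS/200 19344 GET http://malicious-site.example/news/zotob_patch.exe - DIRECT/192.0.2.10 application/octet-stream
1125614310.789    88 10.0.0.5 TCP_HIT/200 1203 GET http://intranet.example.com/ - NONE/- text/html
1125614315.222   500 10.0.0.9 TCP_MISS/200 2210 CONNECT www.malicious-site.example:443 - DIRECT/192.0.2.10 -
1125614320.001   210 10.0.0.9 TCP_MISS/200 5533 GET http://192.0.2.10/index.htm - DIRECT/192.0.2.10 text/html
"""

SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)"
)


def host_of(url):
    """Extract the host from a request URL; CONNECT lines carry host:port."""
    if "://" not in url:
        url = "//" + url          # let urlparse treat it as a netloc
    return (urlparse(url).hostname or "").lower()


def matches_indicator(host, indicators):
    """Return the indicator matched by host (exact or subdomain), else None."""
    for ind in indicators:
        if host == ind or host.endswith("." + ind):
            return ind
    return None


def scan_proxy_log(lines, indicators=MALICIOUS_INDICATORS):
    """Return a list of hits, one per log line that contacted an indicator."""
    hits = []
    for line in lines:
        m = SQUID_RE.match(line)
        if not m:
            continue              # skip malformed or unrelated lines
        host = host_of(m.group("url"))
        ind = matches_indicator(host, indicators)
        if ind is None:
            continue
        when = datetime.fromtimestamp(float(m.group("ts")), tz=timezone.utc)
        hits.append({
            "time": when.isoformat(timespec="seconds"),
            "client": m.group("client"),
            "method": m.group("method"),
            "url": m.group("url"),
            "indicator": ind,
        })
    return hits


def affected_clients(hits):
    """Sorted, de-duplicated list of client addresses that need follow-up."""
    return sorted({h["client"] for h in hits})


if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_LOG.splitlines())
    for h in found:
        print(f'{h["time"]} {h["client"]} {h["method"]} {h["url"]} (matched {h["indicator"]})')
    print("clients to investigate:", ", ".join(affected_clients(found)))
```

Matching on the parsed host rather than a substring of the whole line avoids false positives from the hierarchy/peer field and catches subdomains of a listed host; any client that appears in the output should be treated as potentially compromised, since the site installs malware on visit rather than requiring a further download.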
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
Australian Computer Emergency Response Team
The University of Queensland
Internet Email: firstname.lastname@example.org
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----