Mega Thread: Email Spam/Scam & Virus Warnings

The Asprox virus was first reported on 2007-06-08 15:09, so the Times report is a year late; surely they have it under control by now?

 

http://secunia.com/virus_information/38997/asprox/

 


 

Apparently in the last few months it has become 'an SQL injection vector for website attacks' - whatever that means.

 

http://www.scmagazineus.com/Asprox-botnet-malware-morphs/article/110169/

 

If you do a Google News search on Asprox you will see there has been a lot of concern about the virus recently from reputable newspapers like the Times and Guardian.


I've just had to sort out a web site that had been hit by this. Not one that I built, I should say.

 

ASPRox is an SQL Injection attack that adds data into any text fields it can find in any SQL Server database.

 

The data it adds is a JavaScript block that could then be displayed on any web pages that display the text from that database field. It pulls back a .js file (originally a.js, then b.js and currently ngg.js) from any one of about 10,000 different web sites. The payload of the .js file I understand varies.

 

As I understand it ASPRox is not a virus itself, as that describes the attack on the web sites, although the .js payload could potentially load a virus or provide a link that you could click that loads a virus. The attack is most likely launched by a virus ridden PC, so there is a trojan virus element to it.

 

To sort the web site out I had two main tasks. First, review all the code and close the front door to prevent the SQL Injection - mostly through decent input validation.

 

Then I had to code a script to parse through the database looking for and cleaning out all the rogue script blocks. The site I worked on had 16,000+ fields that were infected, most with multiple script blocks as the site had been getting hit by this multiple times a day since May at least.

 

The site is still being hit, but the SQL Injection is no longer working, so not causing any harm.

 

It could have been worse - the injection just added to the database. Bad enough, but it could so easily have been a delete command that was injected.

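Added example, not part of the post above and not the cleaned-up site's own code: a Python script showing the two tasks the post describes, closing the front door (a parameterised query beside the string-concatenated one it replaces) and the clean-up pass that walks every text field and strips injected script blocks. It assumes an in-memory SQLite table named products as a stand-in for the SQL Server database, constructed sample rows, and placeholder .test host names inside the injected tags.

```python
import re
import sqlite3

# Pattern for the injected block the post describes: a <script> tag whose src
# pulls a remote .js file (a.js, b.js, ngg.js ...). It matches one tag at a
# time, so rows that were hit several times lose every block.
INJECTED_SCRIPT = re.compile(
    r'<script\b[^>]*\bsrc\s*=\s*["\']?[^"\'>\s]*\.js["\']?[^>]*>\s*</script\s*>',
    re.IGNORECASE,
)

# Constructed sample rows standing in for the infected site's text fields;
# the hosts are placeholders, not the real ones the botnet used.
SAMPLE_ROWS = [
    (1, "Welcome to our shop"),
    (2, "Great product<script src=http://bad-host-placeholder.test/ngg.js></script>"),
    (3, "Hit twice<script src=http://h1-placeholder.test/a.js></script>"
        "<script src=http://h2-placeholder.test/b.js></script>"),
    (4, "O'Reilly"),
]


def build_db():
    """In-memory SQLite database standing in for the SQL Server backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, description TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def vulnerable_lookup(conn, user_input):
    """The open front door: user text is pasted into the statement, so any
    quote in the input changes the SQL. A plain apostrophe is enough to break it."""
    sql = "SELECT id FROM products WHERE description = '" + user_input + "'"
    return [row[0] for row in conn.execute(sql)]


def safe_lookup(conn, user_input):
    """The closed front door: a bound parameter is always treated as data."""
    sql = "SELECT id FROM products WHERE description = ?"
    return [row[0] for row in conn.execute(sql, (user_input,))]


def survives_quote(conn, lookup):
    """True if the lookup handles an apostrophe in the input without an error."""
    try:
        lookup(conn, "O'Reilly")
        return True
    except sqlite3.OperationalError:
        return False


def clean_injected_scripts(conn, table, column, key):
    """Walk every row of table.column, strip injected script blocks and write
    the cleaned text back. Returns (rows_cleaned, blocks_removed).
    table, column and key are operator-supplied identifiers, never user input."""
    rows_cleaned = blocks_removed = 0
    rows = conn.execute(f"SELECT {key}, {column} FROM {table}").fetchall()
    for row_id, text in rows:
        if not text:
            continue
        cleaned, count = INJECTED_SCRIPT.subn("", text)
        if count:
            conn.execute(f"UPDATE {table} SET {column} = ? WHERE {key} = ?",
                         (cleaned, row_id))
            rows_cleaned += 1
            blocks_removed += count
    conn.commit()
    return rows_cleaned, blocks_removed


def descriptions(conn):
    """Current text of every row, in id order, for inspection."""
    return [row[0] for row in conn.execute("SELECT description FROM products ORDER BY id")]


if __name__ == "__main__":
    db = build_db()
    print("concatenated SQL survives a quote:", survives_quote(db, vulnerable_lookup))
    print("parameterised SQL survives a quote:", survives_quote(db, safe_lookup))
    print("rows cleaned, blocks removed:",
          clean_injected_scripts(db, "products", "description", "id"))
    print(descriptions(db))
```

Running it a second time reports (0, 0), which is the check worth keeping in a scheduled job: once the parameterised queries are in place the attack still arrives, as the post says, but the count of newly cleaned rows should stay at zero.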

Mod note: The thread has been moved and closed.

 

If you receive a 'Life is beautiful' email, please don't forward it and perpetuate the spam.


Mod Note: Multiple threads merged to create Virus Mega thread


Why merge it with a hoax thread tho?


Having received emails from UPS in the past and avoided the potential zip file risk, I was suspicious to receive today an email from unknown sender 'Minnie':

 

'Please find attached a statement of fees as requested, this will be posted today.

The accommodation is dealt with by another section and I have passed your request on to them today.

Kind regards.

Minnie'

 

I have no knowledge of this sender or any request of mine.

 

I did NOT open the attached zip file.

 

The sender's email domain is bluelakecamp.com, which appears to be associated with a website for a Christian Retreat Centre in Andalusia, Alabama USA.

 

Anyone know if this is a recognised scam format?


Looks like there's an Abbey National phishing email doing the rounds.

 

If you get this and open it, delete it without clicking on anything. There don't appear to be any tracking graphics or other malware in it, so you should be OK opening it, but I may have missed something, so if you haven't opened it, just delete it.

 

It's from "[email protected]"

Title: "Abbey Bank Security Update For New Year"

Content is an HTML page with the following text:

 

Abbey Bank Account Holder,

 

We are running our early year security routing check on all Abbey National Bank account.

This Requires proper rectification on previous transactions on record update details edited and recent changes made.

 

To ensure a pre-modified security check,you are expexted to reveiw

All previous records, updates, and details editted in previous months.

Please click on the link below for immediate security check

 

Some graphics and links come from the Abbey National site so it looks authentic, but the immediate security check link goes to a page at "myuchallenge.net" registered in Hong Kong, and the return path of the mail goes to "mail.jasakonstruksi.net", which is in Indonesia somewhere.

 

This seems to be adopting the blunderbuss approach of sending it to everyone; I got it and I don't have an account with Abbey.

 

As a general rule, if you receive an email from a financial institution that is genuine, they will not provide a link in the email for you to click on; they will tell you to go to their website and log in. Also, they won't send one to you if you don't have an account with them.

As a general rule, if you receive an email from a financial institution that is genuine, they will not provide a link in the email for you to click on; they will tell you to go to their website and log in. Also, they won't send one to you if you don't have an account with them.

 

Good general rules. One more - a genuine financial institution will use correct English grammar and spelling as well ;)


Yet another one doing the rounds.

 

The title may change; mine was "Re:admin".

The email address is spoofed, so it's sent to your address apparently from your address.

Content is an HTML message with the text:

You are receiving this e-mail because you subscribed to MSN Featured Offers. Microsoft respects your privacy.

If you do not wish to receive this MSN Featured Offers e-mail,

please click the "Unsubscribe" link below. This will not unsubscribe

you from e-mail communications from third-party advertisers that may appear in MSN Feature Offers.

This shall not constitute an offer by MSN. MSN shall not be responsible or liable for the advertisers'

content nor any of the goods or service

advertised. Prices and item availability subject to change without notice.

 

Any links go to "thirdspirituality.com" or "speakintuition.com", and any graphics come from "intuitionwest.com".

 

It doesn't look capable of verifying your email address, as the graphic names are too simple, and there doesn't appear to be any other payload; however, any graphics in the message may carry their own malware.

 

A big giveaway is that I don't use MSN in any way, shape or form and have never subscribed to their "Featured Offers", if indeed they have such a thing.

 

If you get it, delete it without opening it. If you've already opened it, delete it without clicking on any links; then I suggest you update your virus and spyware scanners and rescan your machine, just to be on the safe side. This probably isn't necessary though.

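Added example, not from either post: a Python script that applies the checks the Abbey National and MSN posts above made by hand to a constructed sample message. It compares the Return-Path domain with the From domain and lists every link or image that points off the sender's domain (off-domain images being how tracking graphics are usually delivered). Every host name in the sample is a constructed .test placeholder, not one of the domains named in the thread, and the two-label domain comparison is a simplification noted in the code.

```python
import email
import email.utils
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message modelled on the two posts; every host is a
# placeholder under .test, not a real domain from the thread.
SAMPLE_EMAIL = """\
From: "Example Bank" <security@examplebank.test>
Return-Path: <bounce@mail.unrelated-host.test>
To: someone@recipient.test
Subject: Example Bank Security Update For New Year
Content-Type: text/html; charset=utf-8

<html><body>
<img src="http://www.examplebank.test/logo.gif">
<p>Please click on the link below for immediate security check</p>
<a href="http://check.offdomain-placeholder.test/verify">Security check</a>
<a href="http://www.examplebank.test/contact">Contact us</a>
<img src="http://beacon-placeholder.test/pixel.gif?id=123">
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collects link targets and image sources from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.images = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.links.append(attrs["href"])
        elif tag == "img" and attrs.get("src"):
            self.images.append(attrs["src"])


def registered_domain(host):
    """Last two labels of a host name. Adequate for the .test placeholders used
    here; production code should consult the public suffix list instead."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def address_domain(header_value):
    """Registered domain of the address in a From or Return-Path header."""
    addr = email.utils.parseaddr(str(header_value or ""))[1]
    return registered_domain(addr.rsplit("@", 1)[1]) if "@" in addr else ""


def analyse(raw_message):
    """Return a list of findings: return-path mismatch, links that leave the
    sender's domain, and images fetched from elsewhere (possible beacons)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender = address_domain(msg["From"])
    return_path = address_domain(msg["Return-Path"])
    body = msg.get_body(preferencelist=("html",))
    extractor = LinkExtractor()
    extractor.feed(body.get_content() if body is not None else "")

    findings = []
    if return_path and return_path != sender:
        findings.append(f"return-path domain {return_path} differs from sender domain {sender}")
    for href in extractor.links:
        host = urlparse(href).hostname or ""
        if registered_domain(host) != sender:
            findings.append(f"link goes off-domain to {host}")
    for src in extractor.images:
        host = urlparse(src).hostname or ""
        if registered_domain(host) != sender:
            findings.append(f"image loaded from {host} (possible tracking beacon)")
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EMAIL):
        print("-", finding)
```

On the sample this reports three findings: the mismatched return path, the off-domain "security check" link, and the off-domain pixel image, while the logo and contact link on the sender's own domain pass. The same pass over a real message is a quick way to confirm the observations in the two posts before deciding whether to open anything.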
