Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations TouchToneTommy on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

What's the story behind this malware/virus/trojan/whatever

Status
Not open for further replies.

jlockley

Technical User
Nov 28, 2001
1,522
US
This is rampant in the food and beverage industry. It comes in addressed and cc'd to a large number of recipients, all visible, with nothing but a link, usually yaddayadda.ru .

Here's what I wrote for my candidates and clients.

It's very bad for someone who wants to look for a job under the radar to appear to send to his boss a series of links with craigslist ads in them....


since it's so simple and the link keeps changing, there is no way to look it up. Hope someone here can clear it up.

Would this be the first step in a DSA? I am truly curious.
 
This looks like part of a 'Ransomware' scam, anyone who replies to it is likely to get a demand for cash and may then actually become compromised.
Its likely that some of your contacts may already have malware that has farmed your groups email address.

Anyone who has received this mailing should security scans.

The text you have published is about right I would say.
As far as blocking it is concerned, as you say you wont be able to block the sender, but you should report the activity to your Anti-malware provider e.g Trend Micro.
Also to your ISP (not that that will help much).

What you can do is setup filters in your mail client to reject mail that contains parts of the text.






Steve: N.M.N.F.
If something is popular, it must be wrong: Mark Twain
 
I hadn't thought of that.
As for blocking it with the text or sender, that isn't possible because a: There is no text, just the link, which changes and b: the sender is always different. The addresses included in the To: and Cc: fields are authentic (they are not in my address book, but I know them and have access to their addresses) plus a number of expried Craigslist ad reply addresses.

There is also no subject.

I was able to catch the process in a couple of seconds and no just look at the addresses (which provides me with some pretty interesting industry information).

God help them, if they think there's anything for ransom. All backed up.
 
I wonder if any of the mail clients will allow for filtering out emails with only a link, no text... sometimes people will send JUST a link, but you should generally already know in advance when something like that is coming..

Also, what about domain? I know the program, MailWasher, can block based on sender, subject, and/or sender... and maybe the body text, but I don't remember for sure. It used to work very well, but I'm not sure how much help it would be for this one.
 
The domain changes. They had one up in Google for a while, some are .ru, other non US extensions. and of course so does the URL name and the sender..which are usually people you know. The first time I got one it was from a good friend, and I am pretty well protected, so I didn't think twice. As soon as a window opened containing a blank table with scroll bars,then flashed to a Cialis site, I shut the computer down and rebooted safe with connectivity, ran housecall and interrupted a running process.

Some of the individuals hacked indicate that their mail server told them they had been hacked, which speaks to the quality of tech support - it's pretty unlikely that Google, AOL, ATT and Hotmail could all get hacked, and impossible that that kind of invasion wouldn't be front page news.

I figure the link deposits the malware, which then cleans out the address book. My question is to what end. I'm good..have been keeping strong track of it, but it's really going around in the Food and Beverage world.

I also got a lot of failure responses to something I didn't send some time after I first saw the mail. The addresses included were mostly expired Craigslist ads (I put them up, but don't answer them, so they're not in my address list) and addresses from people who are not in my book, so it's spoofing senders with addresses it gleans from infected computers.....

I still think that it's setting up for a Denial of Service attack.

As I said, I'm just mighty curious.
 
I would send an email to everyone in your address book (if you dare) and ask them to install and run MalwareByte's Anti-Malware to clean up anything on their PCs.

I had this issue a while back with a club I belonged to with an email distribution list. One guy got a bug and there were random emails being sent to people in his address book with URLs to virus-giving sites.

Once he ran MBAM, his PC was clean and members of the group stopped getting the B.S. emails
 
That's a great way of thinking outside the box, goombawaho! Literally out of the box! [wink]

Seriously, that would be a good idea for sure. And if you want to be more careful for people who may not easily install software, tell them to get it from - they did what I always wanted to do myself, but never took the time to try. ;p
 
I will check out the software and put out the word. My own mailing list, however (it is apparently not compromised. That would be because I keep only a personal list on my mail servers and the others in a distinct database. I get the mails from people emailing me for employment consideration, some of whom I don't know, but may have sent them a mail at some point in their job searches.
The curious thing is that the phenomenon (virus, malware, whatever) seems to be rampant among chefs and food and beverage directors - it's a tight to incestuous community with common and cross connections.
Every instance of the mail, furthermore, contains at least one and usually several expired craigslist job addresses, which does beg a question.
Nearly all of them contain addresses of my competition. (So I know who my candidates are conspiring with..interesting). Many contain addresses of relatively powerful people in the industry (Elizabeth Blau, Danny Meyers, Mario Battali) -appreciated.

I got a new one yesterday with a subject, at least I assume it was. It was sent to a number of search firms with the subject ~hi~ (which can be filtered).
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top