[Snort-users] New phishing/Malware campaign

Lay, James james.lay at ...15009...
Mon Jun 20 11:42:56 EDT 2011


Thought folks may want to work on a sig for this...

Link that contains a copy of the email (I've seen multiple blog sites
that have this... the emails are exactly like this... looks like malicious
posts... do a Google search for "Federal Tax transfer rejected pdf.exe").
Enjoy.

James

http://gsujinbiblestudies.blogspot.com/2011/06/rejected-federal-tax-transaction.html

Headers:

GET /TAX25379001.pdf.exe HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: irs-web-report.info

HTTP/1.1 200 OK
Date: Mon, 20 Jun 2011 15:29:32 GMT
Set-Cookie: BX=64qgorh6vupqs&b=3&s=0f; expires=Tue, 02-Jun-2037 20:00:00 GMT; path=/; domain=.irs-web-report.info
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Last-Modified: Mon, 20 Jun 2011 11:45:11 GMT
Accept-Ranges: bytes
Content-Length: 228864
Content-Type: application/octet-stream
Age: 0
Connection: close
Server: YTS/1.19.8

MZP..................... at ...15308...
!..L.!..This program must be run under Win32
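An added example, not part of James's post: Python detection logic that applies the indicators visible in the headers above (a document-looking URI with an executable final extension, a response served as application/octet-stream whose body starts with the MZ magic, and the DOS stub text) to a constructed request/response pair; the response body bytes are a constructed stand-in, not the real sample.

```python
import re
from urllib.parse import urlsplit
# Constructed sample modelled on the request/response quoted in the post; the
# body bytes are a stand-in (only the MZ magic and the DOS stub text matter).
SAMPLE_REQUEST = (
    "GET /TAX25379001.pdf.exe HTTP/1.1\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)\r\n"
    "Host: irs-web-report.info\r\n\r\n"
)
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Length: 228864\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Server: YTS/1.19.8\r\n\r\n"
    b"MZP\x00\x02\x00\x00\x00\x04\x00\x0f\x00\xff\xff"
    b"This program must be run under Win32\r\n$7"
)
# Document-looking name with an executable final extension, e.g. ".pdf.exe".
DOUBLE_EXT = re.compile(r"\.(pdf|doc|xls|jpg|txt)\.(exe|scr|com|pif)$", re.I)
DOS_STUB = b"This program must be run under Win32"

def parse_headers(head_lines):
    """Lower-cased header dict from the lines after a request/status line."""
    headers = {}
    for line in head_lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def find_indicators(req_raw, resp_raw):
    """Return the list of indicators found in one HTTP request/response pair."""
    alerts = []
    req_lines = req_raw.split("\r\n\r\n", 1)[0].split("\r\n")
    target = req_lines[0].split(" ", 2)[1]       # request-target of GET line
    path = urlsplit(target).path
    if DOUBLE_EXT.search(path):
        alerts.append("double-extension executable in URI: " + path)
    head, _, body = resp_raw.partition(b"\r\n\r\n")
    headers = parse_headers(head.decode("latin-1").split("\r\n")[1:])
    ctype = headers.get("content-type", "")
    if body[:2] == b"MZ" and ctype.startswith("application/octet-stream"):
        alerts.append("PE (MZ) body served as application/octet-stream")
    if DOS_STUB in body[:512]:
        alerts.append("DOS stub text from the post seen in response body")
    return alerts

if __name__ == "__main__":
    for alert in find_indicators(SAMPLE_REQUEST, SAMPLE_RESPONSE):
        print("ALERT:", alert)
```

The first indicator is the one that maps most directly onto a Snort rule (a content match on ".pdf.exe" against the normalized URI); the response-side checks need a file or HTTP response inspection path rather than a plain URI rule.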
