All the same nasty obfuscated JavaScript exploit code is still there and doesn't appear to have changed from what we were seeing last week.
Subject: Happy Labor Day
Body: Someone has sent you an E-Card. To view it, follow this link: http://ecards.com/funcard/edelivery?xz2dl2ifbi6r80hzk
Subject: The Big Labor Day Weekend
Body: Here is the link to view your holiday greeting online: http://hallmark.com/ecards/labor1?j7hesyq65ubntze680a1p67969wt2
Subject: Your friend has sent you a card.
Body: Click here to pick up your greeting card: http://netcards.com/cards/edelivery?p9n2q90enz4afj0
I do most of my JavaScript deobfuscation using technique #4 as detailed by Daniel Wesemann on the SANS Internet Storm Center site (http://isc.sans.org). I'll probably go over how I do it in a little more detail in an upcoming post.
3 comments:
I'm just wondering why you erased the sign of MR. Bennet, the original maker of the Labor Day picture? It's against copyright. Thank you.
I'm not sure what "MR" sign you are referring to. This is a screen shot of a Storm worm infected machine that is hosting the Labor Day image and some malware.
If you would provide the information as to who created the image, I'd be happy to link to the original. The only reason I included it here is to show others how Storm worm was trying to dupe users into infecting themselves.
Thanks for sharing useful information
http://www.grabbitmedia.com/