Archive for the ‘Incidents’ Category

It had to happen

Monday, June 30th, 2008

Today we received our first bit of spam from EC2. The message itself was pretty standard:

From: "Microsoft" 
Date: 29 June 2008 11:47:43 BST
To: XXX
Subject: Important Update Notification

Hello XXX,

You are receiving this notification because the version of Windows you are running is effected by a critical security issue.

For the protection of yourself and others using the Windows operating system, it is reccomended that all consumers update their operating system at their earliest convenience.

To do so, you may visit Microsoft Update by clicking here, and simply pressing "Open" or "Run" to begin the automatic update process.

Thank you for your cooperation in resolving this matter.

Kind Regards,
Microsoft Customer Support 

The link points to a phishing site:

http://XXX/go.nhn?url=http%3A%2F%2Fupdate%2Emicrosoft%2Ecom%2E00000000000000000000000000000000000000000000000000000000000000%2Enet

So far, so standard. The interesting bit is in the headers of the message:

Received: (qmail 29794 invoked from network); 29 Jun 2008 09:53:08 -0000
Received: from ec2-75-101-198-26.compute-1.amazonaws.com (HELO ec2-75-101-198-26.compute-1.amazonaws.com) (75.101.198.26)
  by server-14.tower-117.messagelabs.com with SMTP; 29 Jun 2008 09:53:08 -0000
From: "Microsoft" 

How long before all email from EC2 is blacklisted? It was only a matter of time before services like this started to be used for sending spam, but this is the first time I’ve seen it in the wild.
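As an added example that is not part of the original post, here is a small Python check a mail admin could run over the headers quoted above: it unfolds the Received: line, confirms the EC2 origin by checking that the reverse-DNS name actually encodes the IP that connected (rather than trusting the HELO string), and decodes the redirector link to show which domain the phishing URL really lands on. The EC2 reverse-DNS pattern and the masked redirector host (XXX) are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed from the headers quoted in the post; the second line is folded as in the original.
RECEIVED = (
    "Received: from ec2-75-101-198-26.compute-1.amazonaws.com "
    "(HELO ec2-75-101-198-26.compute-1.amazonaws.com) (75.101.198.26)\n"
    "  by server-14.tower-117.messagelabs.com with SMTP; 29 Jun 2008 09:53:08 -0000"
)

# The phishing link from the post; the redirector host is masked (XXX) exactly as in the original.
PHISH_URL = ("http://XXX/go.nhn?url=http%3A%2F%2Fupdate%2Emicrosoft%2Ecom%2E"
             "00000000000000000000000000000000000000000000000000000000000000%2Enet")

RECEIVED_RE = re.compile(
    r"from\s+(?P<rdns>\S+)\s+\(HELO\s+(?P<helo>[^)]+)\)\s+\((?P<ip>[\d.]+)\)\s+by\s+(?P<by>\S+)"
)
# Assumption: EC2 reverse DNS of the era had the form ec2-A-B-C-D.<region>.amazonaws.com.
EC2_RDNS_RE = re.compile(r"^ec2-(\d+)-(\d+)-(\d+)-(\d+)\.[\w-]+\.amazonaws\.com$")


def parse_received(header: str) -> dict:
    """Unfold a Received: header and pull out rDNS name, HELO string, connecting IP and receiver."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header)
    m = RECEIVED_RE.search(unfolded)
    if not m:
        raise ValueError("unrecognised Received: header layout")
    return m.groupdict()


def is_ec2_origin(rcv: dict) -> bool:
    """True only if the rDNS name looks like EC2 *and* encodes the IP that actually connected.
    A sender can put anything in HELO, but the receiving MTA records the real peer address."""
    m = EC2_RDNS_RE.match(rcv["rdns"])
    return bool(m) and ".".join(m.groups()) == rcv["ip"]


def redirect_target_host(url: str) -> str:
    """Decode the url= parameter of the open-redirect link and return the host it leads to."""
    target = parse_qs(urlsplit(url).query)["url"][0]   # parse_qs percent-decodes for us
    return urlsplit(target).hostname or ""


def registered_domain(host: str) -> str:
    """Last two labels: the part of the name that decides who owns the destination."""
    return ".".join(host.split(".")[-2:])


if __name__ == "__main__":
    rcv = parse_received(RECEIVED)
    print("connecting IP:", rcv["ip"], "EC2 origin:", is_ec2_origin(rcv))
    host = redirect_target_host(PHISH_URL)
    print("link really lands on:", registered_domain(host), "(not microsoft.com)")
```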

French HP catch zero-day exploit

Wednesday, August 17th, 2005

French Honeynet Project catch zero-day exploit: A honeypot run by the French Honeynet Project has caught a zero-day Windows exploit (http://www.frenchhoneynetproject.org).

Microsoft’s ‘monkeys’ find first zero-day exploit

Tuesday, August 9th, 2005

Microsoft’s “monkeys” find first zero-day exploit: Microsoft’s well-publicised HoneyMonkey project has found its first zero-day exploit: http://online.securityfocus.com/news/11273

Rootkit websites taken down by DDoS attacks

Wednesday, April 13th, 2005

Rootkit web sites taken down by DDoS attacks