UK Honeynet Project » Incidents http://www.ukhoneynet.org News and information from the UK Honeynet Project Sun, 20 Feb 2011 21:28:04 +0000 en hourly 1 http://wordpress.org/?v=3.1 It had to happen http://www.ukhoneynet.org/2008/06/30/it-had-to-happen/ http://www.ukhoneynet.org/2008/06/30/it-had-to-happen/#comments Mon, 30 Jun 2008 09:00:10 +0000 arthur http://www.ukhoneynet.org/2008/06/30/it-had-to-happen/ Today we received our first bit of spam from EC2. The message itself was pretty standard:

From: "Microsoft" 
Date: 29 June 2008 11:47:43 BST
To: XXX
Subject: Important Update Notification

Hello XXX,

You are receiving this notification because the version of Windows you are running is effected by a critical security issue.

For the protection of yourself and others using the Windows operating system, it is reccomended that all consumers update their operating system at their earliest convenience.

To do so, you may visit Microsoft Update by clicking here, and simply pressing "Open" or "Run" to begin the automatic update process.

Thank you for your cooperation in resolving this matter.

Kind Regards,
Microsoft Customer Support

The link points to a phishing site


http://XXX/go.nhn?url=http%3A%2F%2Fupdate%2Emicrosoft%2Ecom%2E00000000000000000000000000000000000000000000000000000000000000%2Enet

So far, so standard. The interesting bit is in the headers of the message:

Received: (qmail 29794 invoked from network); 29 Jun 2008 09:53:08 -0000
Received: from ec2-75-101-198-26.compute-1.amazonaws.com (HELO ec2-75-101-198-26.compute-1.amazonaws.com) (75.101.198.26)
  by server-14.tower-117.messagelabs.com with SMTP; 29 Jun 2008 09:53:08 -0000
From: "Microsoft"

How long before all email from EC2 is blacklisted? It was only a matter of time before services like this started to be used for sending spam, but this is the first time I’ve seen it in the wild.

]]> http://www.ukhoneynet.org/2008/06/30/it-had-to-happen/feed/ 0 French HP catch zero-day exploit http://www.ukhoneynet.org/2005/08/17/170805-a/ http://www.ukhoneynet.org/2005/08/17/170805-a/#comments Wed, 17 Aug 2005 00:01:00 +0000 david http://ukhoneynet.dev2.isotoma.com/?p=270 French Honeynet Project catch zero-day exploit: A honeypot run by the French Honeynet Project has caught a zero-day windows exploit (http://www.frenchhoneynetproject.org)

]]> http://www.ukhoneynet.org/2005/08/17/170805-a/feed/ 0 Microsoft’s ‘monkeys’ find first zero-day exploit http://www.ukhoneynet.org/2005/08/09/090805/ http://www.ukhoneynet.org/2005/08/09/090805/#comments Tue, 09 Aug 2005 00:00:00 +0000 david http://ukhoneynet.dev2.isotoma.com/?p=274 Microsoft’s “monkeys” find first zero-day exploit: Microsoft’s well publicised Honeymonkey project has found its first zero day exploit: http://online.securityfocus.com/news/11273

]]> http://www.ukhoneynet.org/2005/08/09/090805/feed/ 0 Rootkit websites taken down by DDoS attacks http://www.ukhoneynet.org/2005/04/13/130405/ http://www.ukhoneynet.org/2005/04/13/130405/#comments Wed, 13 Apr 2005 00:00:00 +0000 david http://ukhoneynet.dev2.isotoma.com/?p=302 Rootkit web sites taken down by DDoS attacks

]]> http://www.ukhoneynet.org/2005/04/13/130405/feed/ 0