Yeah, seen the FedEx ones already, have those blackholed. I guess USPS was on the list also. Had a few users that fell for the attack, therefore had to do a little bit of Incident Response yesterday (FUN FUN!)

Ran across another cool blog from Larry Zeltser about PDF malware analysis that is very interesting:
http://blog.zeltser.com/post/5567384219/online-tools-for-malicious-pdf-analysis
Some good tools for Windows/Unix to use to analyze threats in PDFs.

Sincerely,
EZ

Edward E. Ziots
CISSP, Network +, Security +
Security Engineer
Lifespan Organization
Email: ezi...@lifespan.org
Cell: 401-639-3505

-----Original Message-----
From: David Lum [mailto:david....@nwea.org]
Sent: Tuesday, May 31, 2011 5:57 PM
To: NT System Admin Issues
Subject: RE: Malware Heads Up targeted attacks Heads up

Old news dude, I've been seeing those for about a year, maybe more. Some are UPS, others USPS, others FedEx.

Dave

-----Original Message-----
From: Ziots, Edward [mailto:ezi...@lifespan.org]
Sent: Tuesday, May 31, 2011 11:15 AM
To: NT System Admin Issues
Subject: Malware Heads Up targeted attacks Heads up

Just seen this one today. (IE: Don't click on the link.)

This is the known bad webpage:
http://www.usps.com.track05.com/shipping/trackandconfirm.php?navigation=1&respLang=Eng&resp=493092049503922

IP Origin is: 2 IP Addresses, could be the start of a possible Fast Flux Domain.

> www.usps.com.track05.com
Non-authoritative answer:
Name:       p8p.geo.mf0.yahoodns.net
Addresses:  67.195.145.141
            67.195.145.142
Aliases:    www.usps.com.track05.com

Hostname      p8p-a.geo.vip.sp1.yahoo.com
ISP           Yahoo
Continent     North America
Country       United States
Country Code  US (USA)
Region        California
Local time*   31 May 2011 11:10
Metropolis*   San Francisco-Oakland-San Jose
Postal Code   94089
City          Sunnyvale
Latitude      37.4249
IP Address    67.195.145.141
Longitude     -122.0074

Dear Customer,

We attempted to deliver your item at 1:37 pm on May 30, 2011 and a notice was left. You may arrange redelivery by clicking the link below or pick up the item at the Post Office indicated on the notice. If this item is unclaimed after 15 days then it will be returned to the sender.

Label/Receipt Number: 0464 5675 5443 4424 3456
Expected Delivery Date: May 30, 2011
Class: Package Services
Service(s): Delivery Confirmation
Status: Notice Left

To check on the delivery status of your mailing or arrange redelivery please visit our website:
http://www.usps.com.track05.com/shipping/trackandconfirm.php?navigation=1&respLang=Eng&resp=493092049503922

Please make sure to print out your invoice in order to collect your package at our Post Office:
http://www.usps.com.track05.com/shipping/invoice.php?navigation=1&respLang=Eng&resp=39039194833849

We're here to help. Call 1-800-ASK-USPS!

Edward E. Ziots
CISSP, Network +, Security +
Security Engineer
Lifespan Organization
Email: ezi...@lifespan.org
Cell: 401-639-3505

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin
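A defender-side check for the lookalike hostname pattern in this thread (a carrier's real domain planted as a subdomain of an unrelated registered domain such as track05.com), as an added Python example that is not part of the list posts. The carrier domain list, the reduced public-suffix table and every sample URL except the two quoted from the thread are assumptions or constructed for the demo.

```python
from urllib.parse import urlsplit

# Carriers the thread says are being impersonated (their real apex domains).
BRAND_DOMAINS = ("usps.com", "ups.com", "fedex.com")

# Assumption/simplification: only these multi-label public suffixes are known;
# a production check would load the full Public Suffix List instead.
MULTI_LABEL_SUFFIXES = ("co.uk", "com.au", "co.jp")

# Constructed sample: the two URLs quoted in the thread plus three made-up ones.
SAMPLE_URLS = [
    "http://www.usps.com.track05.com/shipping/trackandconfirm.php?navigation=1&respLang=Eng&resp=493092049503922",
    "http://www.usps.com.track05.com/shipping/invoice.php?navigation=1&respLang=Eng&resp=39039194833849",
    "https://tools.usps.com/go/TrackConfirmAction",   # genuine carrier apex
    "http://usps-redelivery.net/notice.php",           # brand name in the apex label
    "http://www.example.com/",                         # unrelated site
]


def registrable_domain(host: str) -> str:
    """Apex domain somebody actually registered: www.usps.com.track05.com -> track05.com."""
    labels = host.lower().rstrip(".").split(".")
    for suffix in MULTI_LABEL_SUFFIXES:
        n = suffix.count(".") + 1
        if len(labels) > n and ".".join(labels[-n:]) == suffix:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels[-2:])


def classify_url(url: str) -> dict:
    """Verdict 'legit' (real carrier apex), 'lookalike' (brand abused), or 'other'."""
    host = (urlsplit(url).hostname or "").lower()
    apex = registrable_domain(host)
    result = {"host": host, "apex": apex, "verdict": "other", "brand": None}
    if apex in BRAND_DOMAINS:
        return {**result, "verdict": "legit", "brand": apex}
    labels = host.split(".")
    for brand in BRAND_DOMAINS:
        b = brand.split(".")
        # Case 1: the whole brand domain appears as labels LEFT of the apex
        # (the thread's www.usps.com.track05.com); the apex itself is excluded.
        for i in range(len(labels) - len(b)):
            if labels[i:i + len(b)] == b:
                return {**result, "verdict": "lookalike", "brand": brand}
        # Case 2: the brand name is a hyphen-delimited token of the apex label
        # (usps-redelivery.net, usps.net); token matching avoids pickups.com.
        if b[0] in apex.split(".")[0].split("-"):
            return {**result, "verdict": "lookalike", "brand": brand}
    return result


def flag_lookalikes(urls):
    """Classification records for every URL judged a brand lookalike."""
    return [r for r in map(classify_url, urls) if r["verdict"] == "lookalike"]


if __name__ == "__main__":
    for rec in flag_lookalikes(SAMPLE_URLS):
        print(f"{rec['host']:32} apex={rec['apex']:20} impersonates={rec['brand']}")
```

The same check applied to proxy or mail-gateway URL logs turns the manual nslookup in the thread into a repeatable triage step.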