Watch Out for Fake Microsoft Patches
I just finished dealing with an incident caused by a user clicking on an email asking him to install a Microsoft patch. Instead of fixing his PC (which was already patched anyway, because our patch management RULEZ!!1!), he downloaded a trojan that started flooding out spam.

F-Secure has a great screenshot of it here, along with a demonstration of how the domain hosting the "patch" is actually a distributed beastie that constantly mutates to avoid being shut down. F-Secure calls it a “fast flux” domain.
That means you can’t just block a single IP at the router. This type of block should go in three places. First, add a rule in the gateway antivirus/mail filter to stop any email whose body text contains the fast flux domain. Next, blacklist the domain in your internal DNS, if you run one. Finally, block that URL in your content filters so users can’t surf to the domain even if the local hosts file has been tampered with to bypass your DNS.
So what are you waiting for? Block cfm48.com now.
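As an added example (not part of the original post), here is a small Python module that applies one blocklist at each of the three layers described above: scanning a mail body for the domain, emitting BIND response policy zone (RPZ) records for the internal DNS blacklist, and checking a URL the way a content filter would. The sample message and all hostnames other than cfm48.com are constructed for the example.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# The only domain named in the post; extend this set as new fast flux domains appear.
BLOCKED_DOMAINS = {"cfm48.com"}

# Loose hostname matcher for free text: catches "http://www.cfm48.com/x" and bare "cfm48.com".
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.IGNORECASE)


def host_is_blocked(host, blocked=BLOCKED_DOMAINS):
    """True if host equals a blocked domain or is a subdomain of one.
    Suffix matching on '.<domain>' avoids false positives such as cfm48.com.example.org."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in blocked)


def mail_mentions_blocked_domain(raw_message, blocked=BLOCKED_DOMAINS):
    """Layer 1 (gateway mail filter): walk every text part and look for blocked hostnames."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        for host in HOST_RE.findall(part.get_content()):
            if host_is_blocked(host, blocked):
                return True
    return False


def rpz_zone_lines(blocked=BLOCKED_DOMAINS):
    """Layer 2 (internal DNS): BIND RPZ records that return NXDOMAIN for the domain and its subdomains."""
    lines = []
    for d in sorted(blocked):
        lines.append(f"{d} CNAME .")
        lines.append(f"*.{d} CNAME .")
    return lines


def url_is_blocked(url, blocked=BLOCKED_DOMAINS):
    """Layer 3 (content filter / proxy): block on the URL's host, whatever the path or scheme."""
    host = urlparse(url if "://" in url else "http://" + url).hostname or ""
    return host_is_blocked(host, blocked)


# Constructed sample lure message, modelled on the one described in the post.
SAMPLE_MAIL = """From: updates@example.invalid
To: user@example.invalid
Subject: Critical Microsoft patch
Content-Type: text/plain

Install the patch now: http://www.cfm48.com/patch.exe
"""
```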
This entry was posted by Dr. Jones on February 7, 2008 at 3:57 pm, and is filed under Cyber.



about 4 years ago
I love it when I run across one of these while I’m running LINUX!!!
about 4 years ago
Not only that, Microsoft doesn’t email patches to anyone. And the only people more pretentious than Apple snobs are Linux snobs.
about 4 years ago
I dual boot actually. Linux for home. Windows for work.
about 4 years ago
I just got a 400GB hard drive. I might get me a nice Linux flavor to play with. Which one do you use?
about 4 years ago
Linux Mint. It’s an offshoot of Ubuntu. Very little fuss.