FYI...LinkedIn SPAM serving Adobe and Java exploits
06/14/12 - "... email that appeared to come from LinkedIn. The email was inviting you to check your LinkedIn Inbox. As you know, LinkedIn was hacked some time ago and passwords were compromised in the attack... If we verify the "To" and "CC" fields of this email, we see about 100 other recipients
.... email in question:
Subjects of this email might be: 'Relationship LinkedIn Mail', 'Communication LinkedIn Mail', 'Link LinkedIn Mail' or 'Urgent LinkedIn Mail'. No doubt the subjects of this email will vary, and are not limited to these four.
- Step 1 and step 2 of the cybercrook’s scheme are already fulfilled. Now he just has to wait until someone clicks on one of the links. Which brings us to point 3.
- Suppose someone clicks on the link. What will happen exactly? This depends on the version of these programs that may be installed on your computer: Adobe Reader / Java.
In some cases, your browser will crash. In other cases, the page will just appear to sit there and nothing happens.
... the exploit will begin doing its work... seems to spawn a .dll file, which in turn spawns another file.. Your machine is executing malware and is in the process of being infected... a malicious executable which will start every time the computer boots. The exploits’ source is probably the Blackhole exploit kit. The exploits in question are: CVE-2006-0003 / CVE-2010-0840
Unknown (at this point) Adobe Reader exploit
- Step 3 and 4 have also been accomplished now. The user clicked on the link, the exploit(s) got loaded and the user is now infected. The malware will try to phone home or connect to the following IP addresses: 188.8.131.52 / 184.108.40.206. The IPs (220.127.116.11 in particular) are part of a known botnet. The IPs are used to receive new instructions from the botherder or to download additional malware... lesson is a very important one and is one of the basics of security... Keep ALL of your software up-to-date! This means Adobe, Java, but don't forget other software, for example VLC, Windows Media Player... This also includes installing your Windows patches, keeping your browser up-to-date as well as any plugins or add-ons you might have installed..."
person: Octave Klaba
address: OVH SAS
address: 2 rue Kellermann
address: 59100 Roubaix
address: France ...
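The two observables the quoted write-up gives a defender are the lure (a "<word> LinkedIn Mail" subject sent to a large visible To/CC list) and the phone-home IPs. Below is an added example, not code from the original post or from the blog it quotes, of a small triage script that checks both: it parses a mail and flags the subject pattern plus a mass-recipient list, and it scans proxy log lines for the IPs named in the post. The IP list is copied from the post as written; the recipient threshold, the sample mail and the log lines are constructed assumptions for the demo.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Phone-home IPs exactly as listed in the quoted write-up (page IoCs, not verified here).
C2_IPS = {"188.8.131.52", "184.108.40.206", "220.127.116.11"}

# Generalises the four subjects quoted in the post ('<word> LinkedIn Mail').
SUBJECT_RE = re.compile(r"^\s*\w+ LinkedIn Mail\s*$", re.IGNORECASE)

# Assumed threshold: the post saw about 100 visible recipients; tune for your mail flow.
MASS_RECIPIENT_THRESHOLD = 50

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def assess_email(raw: str) -> dict:
    """Flag a raw RFC 822 message that matches the lure described in the post."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    # Count every address visible in To and Cc, including folded/continued headers.
    recipients = getaddresses((msg.get_all("To") or []) + (msg.get_all("Cc") or []))
    count = len(recipients)
    subject_hit = bool(SUBJECT_RE.match(subject))
    mass_mailing = count >= MASS_RECIPIENT_THRESHOLD
    return {
        "subject_hit": subject_hit,
        "recipients": count,
        "mass_mailing": mass_mailing,
        "suspicious": subject_hit and mass_mailing,
    }


def scan_proxy_log(lines) -> list:
    """Return one hit per (line, IoC IP) pair found in proxy/firewall log lines."""
    hits = []
    for line in lines:
        for ip in sorted(set(IP_RE.findall(line))):
            if ip in C2_IPS:
                hits.append({"ip": ip, "line": line})
    return hits


# Constructed sample lure: 100 recipients on the To line, one of the quoted subjects.
SAMPLE_EMAIL = (
    "From: LinkedIn <noreply@example.invalid>\n"
    "To: " + ", ".join(f"user{i}@example.com" for i in range(100)) + "\n"
    "Subject: Urgent LinkedIn Mail\n"
    "\n"
    "You have a new message waiting in your LinkedIn Inbox.\n"
)

# Constructed squid-style proxy lines; two contact IoC IPs, one is benign traffic.
SAMPLE_LOG = [
    "1339660001.101 45 10.0.0.5 TCP_MISS/200 512 GET http://188.8.131.52/in.php - DIRECT/188.8.131.52 text/html",
    "1339660002.202 12 10.0.0.7 TCP_MISS/200 2048 GET http://example.com/ - DIRECT/93.184.216.34 text/html",
    "1339660003.303 60 10.0.0.5 TCP_MISS/200 9001 GET http://184.108.40.206/load.php - DIRECT/184.108.40.206 application/octet-stream",
]

if __name__ == "__main__":
    print(assess_email(SAMPLE_EMAIL))
    for hit in scan_proxy_log(SAMPLE_LOG):
        print("IoC hit:", hit["ip"], "<-", hit["line"])
```

The subject regex alone would be noisy; combining it with the visible recipient count is what makes the lure in the post stand out, and the proxy scan is the post-click check for hosts that already took the bait. Swap `C2_IPS` for your own indicator feed and feed `scan_proxy_log` real log lines.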