Pantek Library

Re: 030 igetnet ignkeywords

From: J. Foobar <jfoobar1(at)yahoo.com>
Date: Tue Nov 12 2002 - 05:39:17 EST


I have recently detected a few internal machines being solicited to download a file called "Internet.Explorer.Browser.Security.Upgrade.exe".

I perform a parse of proxy logs looking for .exe downloads by users in my enterprise periodically (maybe 3 times a week) and I have just noticed this for the first time a few days ago in the 3-4 months I have been doing this.

I had a close look at the traffic of the one internal dolt stupid enough to actually download the file. He was surfing animatedgif.com, which is pop-up and cookie hell, and was probably solicited to download this by the IP 216.40.225.62, which serves some sort of "Keyword Tracking" function and is an IP assigned to Everyones Internet, Inc (ev1.net, Texas).

I wonder if they are related, at least conceptually.

I have not yet had a chance to examine the end user's machine and I do not yet know if he was silly enough to actually run the .exe.

Regards,
Justin
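
The periodic proxy-log parse described in the message above, as an added example that is not part of the original post: it assumes Squid's native access.log format (the post does not name the proxy), and the sample lines, hosts, client addresses and baseline are constructed. It lists the clients that were actually served an .exe whose name has not been seen in earlier runs.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, unquote

# Assumed format: Squid native access.log
#   time elapsed client action/status bytes method URL ...
LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+"
    r"(?P<action>\w+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)"
)

def exe_requests(lines):
    """Yield a dict for every logged request whose URL path ends in .exe."""
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip malformed or truncated lines
        # Test the path only, so "?ref=tool.exe" query strings do not match,
        # and decode %-escapes so "upgrade%2EEXE" is still caught.
        path = unquote(urlsplit(m["url"]).path)
        if path.lower().endswith(".exe"):
            name = path.rsplit("/", 1)[-1].lower()
            yield {**m.groupdict(), "filename": name}

def first_seen(hits, baseline):
    """Map each .exe name absent from the baseline to the clients served it."""
    known = {name.lower() for name in baseline}
    report = defaultdict(set)
    for h in hits:
        # Count 2xx only: the request was served, not denied or failed.
        if h["filename"] not in known and h["status"].startswith("2"):
            report[h["filename"]].add(h["client"])
    return dict(report)

# Constructed sample lines (example hosts, private and documentation addresses)
SAMPLE = [
    "1037097557.123    845 10.1.1.23 TCP_MISS/200 184320 GET http://downloads.example.net/Internet.Explorer.Browser.Security.Upgrade.exe - DIRECT/192.0.2.10 application/octet-stream",
    "1037097601.456    210 10.1.1.40 TCP_DENIED/403 1420 GET http://downloads.example.net/Internet.Explorer.Browser.Security.Upgrade.exe - NONE/- text/html",
    "1037097700.001    530 10.1.1.23 TCP_MISS/200 5242880 GET http://vendor.example.com/pub/acroread-setup.exe - DIRECT/192.0.2.20 application/octet-stream",
    "1037097800.500     95 10.1.1.51 TCP_MISS/200 3100 GET http://www.example.org/track?ref=tool.exe - DIRECT/192.0.2.30 text/html",
    "1037097900.250    400 10.1.1.77 TCP_HIT/200 184320 GET http://mirror.example.net/dl/internet.explorer.browser.security.upgrade%2EEXE - NONE/- application/octet-stream",
]
BASELINE = {"acroread-setup.exe"}  # constructed: names seen in earlier runs

if __name__ == "__main__":
    for name, clients in first_seen(exe_requests(SAMPLE), BASELINE).items():
        print(name, sorted(clients))
```

Requests that were logged but not served with a 2xx status still appear in `exe_requests()`, which separates clients that only requested the file from those that received it.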



This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

Received on Tue Nov 12 19:31:52 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:50 EDT

