I got some phishing mail yesterday that was puzzling me. It was, of course, bogus, because I didn't have accounts at (let alone ever heard of) the sites the mail was talking about, but when I examined the links and the body of the mail, it all seemed "legitimate". I use that in quotes because by legitimate I mean there was no obfuscation being used. The links went where they said they went.
I fired up my sandbox VM and went to visit the page they asked about. The first thing it tried to do was install an ActiveX component for MDAC. Yeah... I think not. Drive-by installs and attacks aren't new, but it was the first time I got to play with one. I might go back later and let it install and see what it wants to do with my data.
I completed my analysis of the distributed FTP network machine we seized. It had the drftpd FTP daemon on it which seems specifically designed to work with IRC as a file distribution mechanism. It itself doesn't appear suspect, but it definitely didn't belong there. Seems the initial compromise occurred back in JULY 06. Radmin and its friends were installed at that point, but the FTP server was installed till 12/21/06. It doesn't appear to have been populated as I found no warez of any kind on the machine. The IRC channel it was configured to connect to doesn't exist anymore either. Oh well.
