
Link-based RBot seeding

October 23rd, 2005 by Patrick S

Somebody has lately been seeding emails like the one pictured below.

[Image: screenshot of the email]

Obviously, they are not from Symantec. And when you click the link, you end up getting redirected to a web page which will initiate an autodownload of a file called “rxBot.exe”, which is – you guessed it – a variant of the RBot family.

A mail like this will pass most corporate email filters. There’s no attachment. There’s no masked link either, so phishing filters probably won’t detect it.

It all comes down to whether the end user can be tricked into clicking on the link and accepting the download.

If you’re a sysadmin, you might want to block access to www.thefive.us at your firewall right about now (abuse messages have been sent).

…and a trojan called W32om3/1.bbc? Oh come on, give me a break!

Update: RXbot changed to Rbot

Source: F-Secure

**************************************************************************
IT MAY BE A SMART IDEA NOT TO VISIT THE LINK SHOWN IN THE PICTURE!
**************************************************************************



This entry was posted on Sunday, October 23rd, 2005 at 9:23 pm and is filed under Security. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.

