Link-based RBot seeding


Somebody has lately been seeding emails like the one pictured below.
Obviously, they are not from Symantec. And when you click the link, you end up getting redirected to a web page which will initiate an autodownload of a file called “rxBot.exe”, which is – you guessed it – a variant of the RBot family.
A mail like this will pass most corporate email filters. There’s no attachment. There’s no masked link either, so phishing filters probably won’t detect it.
It all comes down to whether the end user can be tricked into clicking the link and accepting the download.
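The point about filters, as an added example that is not part of the original post: a small check run over a constructed sample message, showing that the attachment and masked-link tests find nothing while a sender-versus-link domain comparison does. The sample mail, its addresses and hosts, and the function names are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample, not the real mail: plain text, no attachment, visible link.
SAMPLE = """\
From: Symantec Security <alerts@symantec.com>
To: user@corp.example
Subject: Urgent virus alert
Content-Type: text/plain

A new worm is spreading. Download the removal tool here:
http://downloads.example.net/fix/
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
# <a href="X">http://Y...</a>: link text that itself looks like a URL
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>\s*(https?://[^<\s]+)', re.I)

def host(url):
    return (urlsplit(url).hostname or "").rstrip(".")

def base_domain(name):
    # Naive "last two labels"; a production check would use the Public Suffix List.
    return ".".join(name.lower().split(".")[-2:])

def analyse(raw):
    msg = message_from_string(raw)
    sender = base_domain(parseaddr(msg.get("From", ""))[1].rpartition("@")[2])
    parts = list(msg.walk())
    text = "\n".join(p.get_payload(decode=True).decode("utf-8", "replace")
                     for p in parts if p.get_content_maintype() == "text")
    hosts = {host(u) for u in URL_RE.findall(text)} - {""}
    return {
        # What attachment scanners key on.
        "attachment": any(p.get_filename() for p in parts),
        # What a masked-link phishing filter keys on: text shows one host, href another.
        "masked_link": any(host(h) != host(t) for h, t in ANCHOR_RE.findall(text)),
        # The signal this mail does carry: sender claims a brand, link goes elsewhere.
        "off_brand_hosts": sorted(h for h in hosts if base_domain(h) != sender),
    }

if __name__ == "__main__":
    print(analyse(SAMPLE))
```

The From header is trivially forged, so the sender comparison is a triage signal for quarantine or user warning rather than proof of anything.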
If you’re a sysadmin, you might want to block access to www.thefive.us at your firewall right about now (abuse messages have been sent).
…and a trojan called W32om3/1.bbc? Oh come on, give me a break!
Update: RXbot changed to Rbot
Source=F-Secure
**************************************************************************
IT MAY BE A SMART IDEA NOT TO VISIT THE LINK SHOWN IN THE PICTURE!
**************************************************************************