When bad people/bots attack

In some of our logs, we come across some of the more interesting things people try to jam into our forms. The examples below have some, well, interesting aspects to them.

<a href= http://6.exefiles.cn/adduserexe-resource-kit.html &rt;adduser.exe resource kit</a&rt;
[url=http://6.exefiles.cn/adduserexe-resource-kit.html]adduser.exe resource kit[/url] <a href= http://7.microsoft-security.cn/ntfrsexe.html &rt;ntfrs.exe</a&rt;
[url=http://7.microsoft-security.cn/ntfrsexe.html]ntfrs.exe[/url] <a href= http://7.exefiles.cn/jammerexe.html &rt;jammer.exe</a&rt;
<a href= http://7.exefiles.cn/piv-pivbrowardschoolscom-pivexe.html &rt;piv piv.browardschools.com piv.exe</a&rt;
[url=http://7.exefiles.cn/piv-pivbrowardschoolscom-pivexe.html]piv piv.browardschools.com piv.exe[/url] <a href= http://10.antyspyware.cn/spdbvexe.html &rt;spdbv.exe</a&rt;
[url=http://10.antyspyware.cn/spdbvexe.html]spdbv.exe[/url] <a href= http://5.exefiles.cn/regenv32-has-caused-an-error-in-regenv32exe.html &rt;regenv32 has caused an error in regenv32.exe</a&rt;
[url=http://5.exefiles.cn/regenv32-has-caused-an-error-in-regenv32exe.html]regenv32 has caused an error in regenv32.exe[/url] <a href= http://9.antyspyware.cn/age-of-empires-2-crackexe.html &rt;age of empires 2 crack.exe</a&rt;
[url=http://9.antyspyware.cn/age-of-empires-2-crackexe.html]age of empires 2 crack.exe[/url] <a href= http://3.microsoft-security.cn/g2a_customerexe.html &rt;g2a_customer.exe</a&rt;
[url=http://3.microsoft-security.cn/g2a_customerexe.html]g2a_customer.exe[/url] <a href= http://9.exefiles.cn/qsliceexe.html &rt;qslice.exe</a&rt;
[url=http://9.exefiles.cn/qsliceexe.html]qslice.exe[/url] <a href= http://9.antyspyware.cn/wewb32exe.html &rt;wewb32.exe</a&rt;

First: if you have a Windows machine, UNDER NO CIRCUMSTANCES WHATSOEVER SHOULD YOU CUT AND PASTE ANY OF THESE LINKS, OR VISIT THEM FOR ANY REASON. If you fail to heed this free advice, you may lose control of your machine.
Second: Hmmm ….
What things do we notice about this attack (from our log)?
Well, there is the TLD, and the misspelled domains, and …
… the attempt to inject binary executables into the run stream, assuming that we are running a Microsoft templated system.
Any security folks that want the info from the attempted injection, contact me offline.
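A filter for exactly this submission shape (HTML anchors closed with the mangled `&rt;` entity, the same links repeated in BBCode, link text naming `.exe` files on a watched TLD), added here as an example and not the blog's own code; the TLD list and link limit are assumed tuning values, and the sample input is constructed with placeholder hosts rather than the ones in the log:

```python
"""Flag form submissions carrying the link-spam shape seen above: malformed
HTML anchors, BBCode twins of the same links, and executables advertised in them."""
import re
from urllib.parse import urlparse

# Assumed tuning knobs, not from the post; adjust for your own forms.
SUSPICIOUS_TLDS = {"cn"}
MAX_LINKS_PER_POST = 2

HTML_ANCHOR = re.compile(
    r"<a\s+href=\s*[\"']?(?P<url>https?://[^\s\"'>&]+)[\"']?\s*(?:>|&gt;|&rt;)"
    r"(?P<label>.*?)</a(?:>|&gt;|&rt;)", re.IGNORECASE | re.DOTALL)
BBCODE_URL = re.compile(r"\[url=(?P<url>[^\]]+)\](?P<label>.*?)\[/url\]",
                        re.IGNORECASE | re.DOTALL)
EXE_IN_LABEL = re.compile(r"\.exe\b", re.IGNORECASE)
EXE_IN_PATH = re.compile(r"exe(?:[-.]|$)", re.IGNORECASE)  # 'ntfrsexe.html', 'adduserexe-...'

def extract_links(text):
    """Return (url, label, syntax) for every HTML-anchor or BBCode link found."""
    links = [(m["url"], m["label"].strip(), "html") for m in HTML_ANCHOR.finditer(text)]
    links += [(m["url"], m["label"].strip(), "bbcode") for m in BBCODE_URL.finditer(text)]
    return links

def classify_submission(text):
    """Score one form submission; two or more independent signals mark it as spam."""
    links = extract_links(text)
    reasons = []
    if "&rt;" in text:
        reasons.append("malformed '&rt;' entity, i.e. mangled HTML pasted into a form field")
    if len(links) > MAX_LINKS_PER_POST:
        reasons.append(f"{len(links)} links exceeds the limit of {MAX_LINKS_PER_POST}")
    if {"html", "bbcode"} <= {syntax for _, _, syntax in links}:
        reasons.append("same links posted in both HTML and BBCode syntax")
    for url, label, _ in links:
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if host.rsplit(".", 1)[-1] in SUSPICIOUS_TLDS:
            reasons.append(f"link to watched TLD: {host}")
        if EXE_IN_LABEL.search(label) or EXE_IN_PATH.search(parsed.path):
            reasons.append(f"link advertises a Windows executable: {label or url}")
    return {"links": len(links), "spam": len(reasons) >= 2, "reasons": reasons}

# Constructed sample mirroring the post's pattern; hosts are placeholders, not the real ones.
SPAM_SAMPLE = (
    "<a href= http://6.example-spam.cn/adduserexe-resource-kit.html &rt;adduser.exe resource kit</a&rt;\n"
    "[url=http://6.example-spam.cn/adduserexe-resource-kit.html]adduser.exe resource kit[/url] "
    "<a href= http://7.example-spam.cn/ntfrsexe.html &rt;ntfrs.exe</a&rt;\n")
CLEAN_SAMPLE = "Nice write-up, thanks. I saw the same thing in our logs last week."
```

Run `classify_submission(SPAM_SAMPLE)` to see every reason that fired; wiring it in front of the form handler lets you drop or quarantine the submission before it reaches the page.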

3 thoughts on “When bad people/bots attack”

  1. For some reason this reminds me of their old slogan,
    Microsoft: Where do you want to go today?
    (Me: NOT THERE!)

  2. Update:
    So we have two more entries now, from the same folks, using the same cracking techniques.
    Allow me to wonder aloud if we should not use their tactics against them. When they are so kind to provide us with the names and IPs of their corrupted servers, is it not in our best interests to collectively, en masse, pull stuff from those servers? That is, have a world wide distributed network of bots which are specifically designed to take “Bad Guys™” IP address/machine name, and request these files, as rapidly as possible?
    Yeah, it is vigilantism. Our choices are do nothing, defend ourselves (the vigilantism), or have the government defend us. Sadly we are collectively doing most of the first.
    The issue at the end of the day is that there is no real cost to the “Bad Guys™” for their nefarious deeds. There needs to be a cost, and it needs to be high.

  3. We need to fundamentally shift away from “personal computing” to “shared computing” with personal data. The hardware is never corrupted, just the data. Social networks can undermine the current email system by forcing messages to pass through trust networks. Spammers can literally be ostracized.
