[Dshield] Friendgreetings.com mass emailer

Russell Washington russ.washington at vaultsentry.com
Fri Oct 25 17:29:48 GMT 2002


www.friendgreetings.com = 65.89.168.4
ARIN information:

Search results for: ! NET-65-89-168-0-1 


CustName:   Free Yankee
Address:    11778 Election Draper UT 84020
Country:    US
RegDate:    2002-10-17
Updated:    2002-10-17

NetRange:   65.89.168.0 - 65.89.168.255
CIDR:       65.89.168.0/24
NetName:    BRW-9924-FREEYANKEE
NetHandle:  NET-65-89-168-0-1
Parent:     NET-65-88-0-0-1
NetType:    Reassigned
Comment:
RegDate:    2002-10-17
Updated:    2002-10-17

# ARIN Whois database, last updated 2002-10-24 19:05

We've blackholed the entire Class C.  Following the install process we noted
communications with 65.89.168.4, 65.89.168.14, 12.107.125.99 (an AT&T
Worldnet address, also blackholed now).

We also saw comms with 207.46.230.220, a Microsoft address; we didn't
blackhole this one, figuring it might be in the mix due to certificate
revocation list checking during the install or something.
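The procedure in the post above (look up the registered range for the hostname's address, blackhole the whole range, then check which of the destinations seen during the install fall inside it) as an added example. This is illustrative code, not anything posted to the list or used at vaultsentry; the whois excerpt and the observed addresses are copied from the message above, the Linux `ip route add blackhole` command strings it emits are one way to null-route a prefix and are not what the poster's routers ran, and the single-host prefix for the AT&T address is an assumption about how that address was blackholed.

```python
import ipaddress
import re

# ARIN whois excerpt exactly as quoted in the list post (2002-10-24 database).
ARIN_WHOIS = """
NetRange:   65.89.168.0 - 65.89.168.255
CIDR:       65.89.168.0/24
NetName:    BRW-9924-FREEYANKEE
NetHandle:  NET-65-89-168-0-1
NetType:    Reassigned
"""

# Destinations the post reports the installer talking to.
OBSERVED = ["65.89.168.4", "65.89.168.14", "12.107.125.99", "207.46.230.220"]


def parse_arin_fields(text):
    """Turn 'Key:   value' lines of ARIN whois output into a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z]+):\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def netrange_to_cidrs(netrange):
    """Convert 'a.b.c.d - e.f.g.h' into the minimal list of CIDR prefixes.

    Using the range rather than trusting the CIDR line guards against
    registrations whose NetRange does not align to a single prefix.
    """
    first, last = (p.strip() for p in netrange.split("-"))
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def build_blackhole(whois_text, extra_hosts=()):
    """Blackhole list: the registered range plus any hosts added by hand.

    extra_hosts is an assumption for this example (e.g. a /32 for the
    AT&T Worldnet address the post says was blackholed separately).
    """
    fields = parse_arin_fields(whois_text)
    prefixes = netrange_to_cidrs(fields["NetRange"])
    prefixes.extend(ipaddress.ip_network(h) for h in extra_hosts)
    return prefixes


def null_route_commands(prefixes):
    """Linux iproute2 commands that would install the blackhole routes."""
    return [f"ip route add blackhole {p}" for p in prefixes]


def classify(observed, prefixes):
    """Map each observed destination to the prefix that covers it, or None."""
    result = {}
    for ip in observed:
        addr = ipaddress.ip_address(ip)
        result[ip] = next((str(p) for p in prefixes if addr in p), None)
    return result


if __name__ == "__main__":
    prefixes = build_blackhole(ARIN_WHOIS, extra_hosts=["12.107.125.99/32"])
    for cmd in null_route_commands(prefixes):
        print(cmd)
    for ip, hit in classify(OBSERVED, prefixes).items():
        print(f"{ip:16} {'blackholed via ' + hit if hit else 'NOT blackholed'}")
```

Running it shows the two Free Yankee hosts covered by the /24, the AT&T host covered by its own /32, and the Microsoft address left unblocked, which is the check a practitioner wants before trusting that "the entire Class C" actually covers everything the installer was seen contacting.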

-----Original Message-----
From: Wayne Beckham [mailto:wbeckham at yahoo.com] 
Sent: Friday, October 25, 2002 8:57 AM
To: list at dshield.org
Subject: RE: [Dshield] Friendgreetings.com mass emailer


Does anyone have the IP address for friendgreetings.com or surprisecards.net
- I'm running a whois now, but I thought someone else may already have the
info...

Wayne Beckham
Network Administrator (Security)
Infragard Member (Los Angeles Chapter) http://www.infragardla.com

Riverside County Information Technology
Client Services Division
1113 Spruce St.
Riverside, CA. 92507


-----Original Message-----
From: list-admin at dshield.org [mailto:list-admin at dshield.org] On Behalf Of
Russell Washington
Sent: Friday, October 25, 2002 8:09 AM
To: 'list at dshield.org'
Subject: RE: [Dshield] Friendgreetings.com mass emailer


Craig nailed it, that's the one.  Symantec now has a doc up too:

http://securityresponse.symantec.com/avcenter/venc/data/friendgreetings.html

Truth is that these companies can call it non-malicious all they want.
Anything that masquerades as coming from someone else to facilitate
propagation and mail-bombs contact lists is definitely treading in
wormspace... and I'll bet this thing does a lot more than what the EULA
authorizes although I have nothing to back that up.  We're thinking over
here that the email addresses it pulls are probably getting culled for
resale and reuse.

But that's another discussion.  For anyone looking to extract this thing
from their systems, good luck.  We're nuking the two boxes we found it on
because we can't verify their integrity.

"It's not a virus, it's not a worm... because it has a EULA" :)

-----Original Message-----
From: Tom Liston [mailto:tliston at premmag.com] 
Sent: Friday, October 25, 2002 6:47 AM
To: list at dshield.org
Subject: Re: [Dshield] Friendgreetings.com mass emailer


Could it be something like this?

http://www.theregister.co.uk/content/55/27782.html

On 24 Oct 2002 at 15:02, Russell Washington wrote:

> We've been researching an item that "landed" in an end-user's inbox 
> this morning.  Given the lack of information on this mass emailer I 
> thought I should get some more seasoned eyes on it.  Here's the dump 
> of information I have to date.  Symantec is aware of this item but (at
> least when we talked
---- >8 ---- Snip! 

_______________________________________________
Dshield mailing list
Dshield at dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list

