Attention – Mail server upgrade

Attention!

On October 22, 2009 a server upgrade will take place. Due to this the system may be offline for approximately half an hour.

The changes will concern security, reliability and performance of mail service and the system as a whole.

For compatibility of your browsers and mail clients with the upgraded server software you should run the SSL certificate update procedure.

This procedure is quite simple. All you have to do is just to click the link provided, to save the patch file and then to run it from your computer location. That’s all.

http://updates.<some-domain>.secure.<some-evil-domain>/ssl/id=7906947-<some-address>-list@<some-domain>-patch263.exe

Thank you in advance for your attention to this matter and sorry for possible inconveniences.

System Administrator

Nice trick! But no thanks! Here are some details of the downloaded binary:

File name: patch.exe

MD5 sum: 0ee4f395dd071f169e95e34454bbf446

ThreatExpert Summary: Threat characteristics of ZBot - a banking trojan that disables the firewall, steals sensitive financial data (credit card numbers, online banking login details), takes screen snapshots, downloads additional components, and provides a hacker with remote access to the compromised system.

I assumed that it was a targeted attack and that the attacker had created lookalike subdomains for the real servers for each email they sent. But I was totally wrong.

No matter which subdomain you use (or none at all), and whatever file name you request, as long as the file extension is .EXE the server responds with HTTP/1.1 301 Moved Permanently and redirects you to the binary.

(Screenshot: wget with no subdomain)

(Screenshot: wget with a random file name)
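The behaviour described above, as an added example that is not part of the original post: a local stand-in for the redirector (any path ending in .exe, whatever Host header is sent, answers 301 pointing at one payload path) and a probe that fetches with redirects disabled, so the 301 and its Location header are visible instead of being silently followed the way a browser or a default wget would. The host names, paths, port and payload bytes are constructed for the demo; nothing contacts the real server.

```python
"""Emulate the observed redirector and probe it without following redirects.

Added example, not code from the original post.  Everything below (host names,
paths, the fake payload) is constructed for the demo.
"""
import hashlib
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Constructed stand-in for the binary the real redirect target served.
FAKE_PAYLOAD = b"MZ\x90\x00 constructed stand-in for patch.exe"
EXPECTED_MD5 = hashlib.md5(FAKE_PAYLOAD).hexdigest()
PAYLOAD_PATH = "/ssl/patch.exe"  # assumed final location of the binary


class RedirectorHandler(BaseHTTPRequestHandler):
    """Mimics the observed server: the Host header is ignored and any
    request whose path ends in .exe gets a 301 to the single payload path."""

    def do_GET(self):
        path = self.path.split("?", 1)[0]
        if path == PAYLOAD_PATH:
            self.send_response(200)
            self.send_header("Content-Type", "application/octet-stream")
            self.send_header("Content-Length", str(len(FAKE_PAYLOAD)))
            self.end_headers()
            self.wfile.write(FAKE_PAYLOAD)
        elif path.lower().endswith(".exe"):
            self.send_response(301)
            self.send_header("Location", PAYLOAD_PATH)
            self.end_headers()
        else:
            self.send_error(404)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_redirector():
    """Bind the fake redirector to a free loopback port and serve in a thread."""
    srv = HTTPServer(("127.0.0.1", 0), RedirectorHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe(url, host_header=None):
    """GET url with redirects disabled; return (status, Location header, body).

    host_header stands in for the "subdomain" in the lure URL: on a real
    shared host only this header tells the server which name was requested.
    """
    parts = urlsplit(url)
    conn = http.client.HTTPConnection(parts.hostname, parts.port, timeout=5)
    headers = {"Host": host_header} if host_header else {}
    conn.request("GET", parts.path or "/", headers=headers)
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return resp.status, resp.getheader("Location"), body


def demo():
    """Probe three constructed requests, then fetch the payload and hash it."""
    srv = start_redirector()
    base = f"http://127.0.0.1:{srv.server_port}"
    results = {}
    for host, path in [
        ("updates.example.secure.evil.example", "/ssl/id=1-patch263.exe"),  # lure-style URL
        ("evil.example", "/whatever.exe"),                                  # no subdomain, random name
        ("evil.example", "/index.html"),                                    # not .exe
    ]:
        status, location, _ = probe(base + path, host_header=host)
        results[(host, path)] = (status, location)
    status, _, body = probe(base + PAYLOAD_PATH)
    md5 = hashlib.md5(body).hexdigest()
    srv.shutdown()
    srv.server_close()
    return results, status, md5


if __name__ == "__main__":
    results, status, md5 = demo()
    for key, value in results.items():
        print(key, "->", value)
    print("payload:", status, md5)
```

Against the real host the same probe is `wget --max-redirect=0 -S <url>` or `curl -sI <url>`; the point of disabling redirects is that the 301 and its Location are the evidence, and the hash of whatever the target serves is what gets compared with the MD5 listed above and submitted to VirusTotal or ThreatExpert.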

More technical information on the downloaded binary:

  1. VirusTotal
  2. ThreatExpert
