// #MalwareMustDie! "Malvertisement using Fake HP Scan + Dup Your Network info"
// An attempt to infect with malware by faking HP Scan data,
// while also faking your office/personal domain (targeted) and faking
// your local network information. The "scanned for viruses" message is faked too.
// Don't be fooled by this scam..
// Currently the origin of these emails is compromised machines at:
ABTS-North-Static-201.3.176.122.airtelbroadband.in (122.176.3.201) N/W: airtelbroadband.in INDIA
068-213-103-026.sip.jan.bellsouth.net (68.213.103.26) N/W: BellSouth.net USA
rrcs-184-74-11-133.nys.biz.rr.com (184.74.11.133) N/W: Road Runner USA
:
// Noted the usage of fake double routing headers in a pair, i.e.:
// case 1
Microsoft SMTP Server (TLS) id EU8BU9YT;
Microsoft SMTP Server id LRD7L8ZP;
// case 2
Microsoft SMTP Server (TLS) id MM4D0EY3;
Microsoft SMTP Server id MH0A1W45;
// case 3
Microsoft SMTP Server (TLS) id MV3BJQNE;
Microsoft SMTP Server id N2KSWYKO;
:
// The original email MIME/header data is as per the headers below, with the same pattern (I picked one of the samples),
// indicating a #spambot controlled via C2 #botnet sending these spams.
// (privacy related data excluded, only malware related data shown)
// These malvertisement samples were successfully collected from the MMD honeypot, which has
// no local network and runs on a non-Microsoft system
// (this explains the faked "Microsoft SMTP Server" relay tags).
--------- full MIME/header---- start snip--------------
Return-Path: <alert@dnb.com>
Delivered-To: xxx@xxx
:
Received: from unknown (HELO ABTS-North-Static-201.3.176.122.airtelbroadband.in) (122.176.3.201)
by x.x.x.x with SMTP; 19 Jun 2013 23:34:49 +0900
Received: from HP.Digital.Device495.YOUR.FAKE.OFFICE.NETWORK (10.0.0.135) by YOUR.OFFICE.DOMAIN (10.0.0.145) with Microsoft SMTP Server (TLS) id MM4D0EY3; Wed, 19 Jun 2013 20:04:52 +0530
Received: from HP.Digital6636.YOUR.FAKE.OFFICE.NETWORK (10.147.124.149) by smtp.YOUR.OFFICE.DOMAIN (10.0.0.28) with Microsoft SMTP Server id MH0A1W45; Wed, 19 Jun 2013 20:04:52 +0530
Date: Wed, 19 Jun 2013 20:04:52 +0530
From: "HP Digital Device" <HP.Digital9@YOUR.OFFICE.DOMAIN>
X-MS-Has-Attach: yes
X-MS-Exchange-Organization-SCL: -1
X-MS-TNEF-Correlator: <DJ661DF8YY2B23WT1W57IF3E3N70LYN2D8RMBW@YOUR.OFFICE.DOMAIN>
X-MS-Exchange-Organization-AuthSource: WB6YT5L451A42IB@YOUR.OFFICE.DOMAIN
X-MS-Exchange-Organization-AuthAs: Internal
X-MS-Exchange-Organization-AuthMechanism: 03
X-MS-Exchange-Organization-AVStamp-Mailbox: MSFTFF;9;0;0 0 0
X-Priority: 3 (Normal)
Message-ID: <GGXKPP8EW3ES94EJ4RZURG8IOTTZKETW319Q7H@YOUR.OFFICE.DOMAIN>
To: <xxx@xxx>
Subject: Scanned Copy
MIME-Version: 1.0
Status: RO
X-UIDL: 1371652494.25432.xxx.xxx,S=2442
Content-Type: multipart/mixed;
boundary="_009_316Y25L7TWDMPDMPXSENE8V275OW49KPWGMFYVWVUS6ZLCUQJFY2BDF_"
--_009_316Y25L7TWDMPDMPXSENE8V275OW49KPWGMFYVWVUS6ZLCUQJFY2BDF_
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 8bit
Please open the attached document. This document was digitally sent to you using an HP Digital Sending device.
To view this document you need to use the Adobe Acrobat Reader.
-------------------------------------------------------------------------------
This email has been scanned for viruses and spam.
-------------------------------------------------------------------------------
--_009_316Y25L7TWDMPDMPXSENE8V275OW49KPWGMFYVWVUS6ZLCUQJFY2BDF_
Content-Type: application/zip; name="HP_Scan_06292013_398.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="HP_Scan_06292013_398.zip"
Error[Base64]
--_009_316Y25L7TWDMPDMPXSENE8V275OW49KPWGMFYVWVUS6ZLCUQJFY2BDF_
--------- end snip--------------
// An error in the Base64 caused the spam to carry a corrupted zip attachment.
// Looks like the moronz are having network problems in their botnet (#LOL)
// It is a one-shot campaign; we can expect all current samples to be useless.
#MalwareMustDie!
@unixfreaxjp /malware]$ date
Thu Jun 20 17:45:07 JST 2013
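One way to turn the relay-header observations above into a mail-gateway check, as an added example (Python, not part of the original paste): it parses a trimmed copy of the sample headers and flags the three tells the paste points out, namely "Microsoft SMTP Server" hops from private 10.x space underneath an external unknown outer hop, an "AuthAs: Internal" organisation header on mail that arrived from outside, and inner hop timestamps that are later than the outer hop. The indicator names are assumptions chosen for this example.

```python
import email
import ipaddress
import re
from email.utils import parsedate_to_datetime

# Constructed sample: the Received chain and a few headers copied from the paste above
# (the 10.x addresses and the YOUR.OFFICE.DOMAIN placeholders are as shown there).
RAW = """Received: from unknown (HELO ABTS-North-Static-201.3.176.122.airtelbroadband.in) (122.176.3.201)
  by x.x.x.x with SMTP; 19 Jun 2013 23:34:49 +0900
Received: from HP.Digital.Device495.YOUR.FAKE.OFFICE.NETWORK (10.0.0.135) by YOUR.OFFICE.DOMAIN (10.0.0.145) with Microsoft SMTP Server (TLS) id MM4D0EY3; Wed, 19 Jun 2013 20:04:52 +0530
Received: from HP.Digital6636.YOUR.FAKE.OFFICE.NETWORK (10.147.124.149) by smtp.YOUR.OFFICE.DOMAIN (10.0.0.28) with Microsoft SMTP Server id MH0A1W45; Wed, 19 Jun 2013 20:04:52 +0530
From: "HP Digital Device" <HP.Digital9@YOUR.OFFICE.DOMAIN>
X-MS-Exchange-Organization-AuthAs: Internal
Subject: Scanned Copy
"""

IP_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")

def hop_ip(received):
    """First parenthesised IPv4 address in a Received header, i.e. the 'from' host."""
    m = IP_RE.search(received)
    return ipaddress.ip_address(m.group(1)) if m else None

def hop_time(received):
    """Timestamp after the final ';' of a Received header, as a timezone-aware datetime."""
    return parsedate_to_datetime(received.rsplit(";", 1)[1].strip())

def flag_fake_internal_relay(raw):
    """Return the indicators found in the header chain; an empty list means none."""
    msg = email.message_from_string(raw)
    hops = msg.get_all("Received", [])  # index 0 is the outermost (most recent) hop
    findings = []
    outer_ip = hop_ip(hops[0]) if hops else None
    outer_public = outer_ip is not None and outer_ip.is_global
    # 1. 'Microsoft SMTP Server' hops from RFC1918 space underneath an external outer hop:
    #    the mail claims to have crossed the victim's own Exchange before arriving from outside
    for h in hops[1:]:
        ip = hop_ip(h)
        if outer_public and "Microsoft SMTP Server" in h and ip is not None and ip.is_private:
            findings.append("fake-internal-exchange-hop")
            break
    # 2. X-MS-Exchange-Organization-* headers only mean something inside the org; when the
    #    outermost hop is an unknown external host, 'AuthAs: Internal' is forged
    if outer_public and msg.get("X-MS-Exchange-Organization-AuthAs", "").lower() == "internal":
        findings.append("forged-authas-internal")
    # 3. Each inner hop should be older than the hop above it; here the inner hops are later
    times = [hop_time(h) for h in hops]
    if any(times[i] < times[i + 1] for i in range(len(times) - 1)):
        findings.append("hop-time-inversion")
    return findings
```

Run against the sample it reports all three indicators; a message whose only Received line is the genuine outer hop from 122.176.3.201 reports none.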