Malvertisement using Fake HP Scan + Dup Your Network info

MalwareMustDie Jun 20th, 2013
// #MalwareMustDie! "Malvertisement using Fake HP Scan + Dup Your Network info"
// An attempt to infect victims with malware by faking HP Scan notification data,
// faking the target's office/personal domain (targeted), and faking -
// the target's local network information. The "scanned for viruses" message is fake too.
// Don't be fooled by this scam..
 
// Currently the origin of these emails is compromised machines at:
 
ABTS-North-Static-201.3.176.122.airtelbroadband.in (122.176.3.201) N/W: airtelbroadband.in INDIA
068-213-103-026.sip.jan.bellsouth.net (68.213.103.26) N/W: BellSouth.net USA
rrcs-184-74-11-133.nys.biz.rr.com (184.74.11.133) N/W: Road Runner USA
 :
 
// Note the use of fake routing (Received) headers in pairs, one "Microsoft SMTP Server (TLS)" hop plus one plain "Microsoft SMTP Server" hop, i.e.:
 
// case 1
Microsoft SMTP Server (TLS) id EU8BU9YT;
Microsoft SMTP Server id LRD7L8ZP;
 
// case 2
Microsoft SMTP Server (TLS) id MM4D0EY3;
Microsoft SMTP Server id MH0A1W45;
 
// case 3
Microsoft SMTP Server (TLS) id MV3BJQNE;
Microsoft SMTP Server id N2KSWYKO;
  :
 
// The email's original MIME/header data is as per the headers below; all samples share the same pattern (I picked one of the samples).
// It indicates a #spambot controlled via a C2 #botnet to send these spams.
// (privacy related data excluded, only malware related data shown)
// These malvertisement samples were successfully collected from the MMD honeypot, which has no -
// local network and runs on a non-Microsoft system -
// (which is how we know the "internal" Microsoft SMTP Server relay hops are faked).
 
--------- full MIME/header---- start snip--------------
 
Return-Path: <alert@dnb.com>
Delivered-To: xxx@xxx
  :
Received: from unknown (HELO ABTS-North-Static-201.3.176.122.airtelbroadband.in) (122.176.3.201)
  by x.x.x.x with SMTP; 19 Jun 2013 23:34:49 +0900
Received: from HP.Digital.Device495.YOUR.FAKE.OFFICE.NETWORK (10.0.0.135) by YOUR.OFFICE.DOMAIN (10.0.0.145) with Microsoft SMTP Server (TLS) id MM4D0EY3; Wed, 19 Jun 2013 20:04:52 +0530
Received: from HP.Digital6636.YOUR.FAKE.OFFICE.NETWORK (10.147.124.149) by smtp.YOUR.OFFICE.DOMAIN (10.0.0.28) with Microsoft SMTP Server id MH0A1W45; Wed, 19 Jun 2013 20:04:52 +0530
Date: Wed, 19 Jun 2013 20:04:52 +0530
From: "HP Digital Device" <HP.Digital9@YOUR.OFFICE.DOMAIN>
X-MS-Has-Attach: yes
X-MS-Exchange-Organization-SCL: -1
X-MS-TNEF-Correlator: <DJ661DF8YY2B23WT1W57IF3E3N70LYN2D8RMBW@YOUR.OFFICE.DOMAIN>
X-MS-Exchange-Organization-AuthSource: WB6YT5L451A42IB@YOUR.OFFICE.DOMAIN
X-MS-Exchange-Organization-AuthAs: Internal
X-MS-Exchange-Organization-AuthMechanism: 03
X-MS-Exchange-Organization-AVStamp-Mailbox: MSFTFF;9;0;0 0 0
X-Priority: 3 (Normal)
Message-ID: <GGXKPP8EW3ES94EJ4RZURG8IOTTZKETW319Q7H@YOUR.OFFICE.DOMAIN>
To: <xxx@xxx>
Subject: Scanned Copy
MIME-Version: 1.0
Status: RO
X-UIDL: 1371652494.25432.xxx.xxx,S=2442
Content-Type: multipart/mixed;
  boundary="_009_316Y25L7TWDMPDMPXSENE8V275OW49KPWGMFYVWVUS6ZLCUQJFY2BDF_"
 
--_009_316Y25L7TWDMPDMPXSENE8V275OW49KPWGMFYVWVUS6ZLCUQJFY2BDF_
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 8bit
 
Please open the attached document. This document was digitally sent to you using an HP Digital Sending device.
 
To view this document you need to use the Adobe Acrobat Reader.
 
-------------------------------------------------------------------------------
This email has been scanned for viruses and spam.
-------------------------------------------------------------------------------
 
--_009_316Y25L7TWDMPDMPXSENE8V275OW49KPWGMFYVWVUS6ZLCUQJFY2BDF_
Content-Type: application/zip; name="HP_Scan_06292013_398.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="HP_Scan_06292013_398.zip"
 
Error[Base64]
 
--_009_316Y25L7TWDMPDMPXSENE8V275OW49KPWGMFYVWVUS6ZLCUQJFY2BDF_
 
 
--------- end snip--------------
  87.  
  88.  
// The Base64 error means the spam carries a corrupted zip attachment.
// Looks like the moronz are having network problems in their botnet (#LOL)
// It is a one-shot campaign, so we can expect all current samples to be useless.
  92.  
#MalwareMustDie!
@unixfreaxjp /malware]$ date
Thu Jun 20 17:45:07 JST 2013
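The checks the notes above apply by hand (the forged "internal" Exchange hops from 10.x addresses on a message that really came in from an external IP, the "AuthAs: Internal" header on outside mail, the From address borrowing the recipient's domain, and the attachment that does not decode), as an added example that is not part of the original paste or any MalwareMustDie tool. The SAMPLE is a constructed, sanitized copy of the headers above: the recipient address, the boundary string "b1" and the literal "Error[Base64]" body standing in for the corrupted data are placeholders, not taken from the page.

```python
"""Heuristic triage of the fake "HP Scan" mail: parse the Received chain,
flag Exchange-style internal hops that cannot be real on a message that
entered from an external IP, and verify the attached zip actually decodes.
SAMPLE is a constructed, sanitized copy of the paste; the recipient address,
the boundary "b1" and the attachment body are placeholders."""
import base64
import binascii
import ipaddress
import re
from dataclasses import dataclass
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional

SAMPLE = """Return-Path: <alert@dnb.com>
Received: from unknown (HELO ABTS-North-Static-201.3.176.122.airtelbroadband.in) (122.176.3.201)
  by x.x.x.x with SMTP; 19 Jun 2013 23:34:49 +0900
Received: from HP.Digital.Device495.YOUR.FAKE.OFFICE.NETWORK (10.0.0.135) by YOUR.OFFICE.DOMAIN (10.0.0.145) with Microsoft SMTP Server (TLS) id MM4D0EY3; Wed, 19 Jun 2013 20:04:52 +0530
Received: from HP.Digital6636.YOUR.FAKE.OFFICE.NETWORK (10.147.124.149) by smtp.YOUR.OFFICE.DOMAIN (10.0.0.28) with Microsoft SMTP Server id MH0A1W45; Wed, 19 Jun 2013 20:04:52 +0530
From: "HP Digital Device" <HP.Digital9@YOUR.OFFICE.DOMAIN>
X-MS-Exchange-Organization-AuthAs: Internal
To: <victim@YOUR.OFFICE.DOMAIN>
Subject: Scanned Copy
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 8bit

Please open the attached document.

--b1
Content-Type: application/zip; name="HP_Scan_06292013_398.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="HP_Scan_06292013_398.zip"

Error[Base64]

--b1--
"""

# "from HELO [(HELO name)] (ip) by host [(ip)] with WITH [id X];" as written by
# most MTAs (qmail-style "unknown (HELO x)" and Exchange-style hops both fit).
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s+\(HELO\s+(?P<helo2>\S+)\))?\s*\((?P<ip>[\d.]+)\)"
    r"\s+by\s+(?P<by>\S+)(?:\s+\((?P<by_ip>[\d.]+)\))?"
    r"\s+with\s+(?P<with>.+?)(?:\s+id\s+\S+)?;",
    re.IGNORECASE | re.DOTALL,
)


@dataclass
class Hop:
    helo: str
    ip: ipaddress.IPv4Address
    by: str
    with_: str


def parse_received(value: str) -> Optional[Hop]:
    """Extract one Received hop; None when the header is not in the usual form."""
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m.group("ip"))
    except ValueError:
        return None
    return Hop(m.group("helo2") or m.group("helo"), ip, m.group("by"), m.group("with"))


def attachment_findings(msg) -> List[str]:
    """Check that base64 attachments decode and that a .zip has a zip header."""
    out = []
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        name = part.get_filename() or "?"
        raw = part.get_payload(decode=False)
        if part.get("Content-Transfer-Encoding", "").strip().lower() == "base64":
            try:  # validate=True rejects any non-alphabet byte, whitespace stripped first
                data = base64.b64decode("".join(raw.split()), validate=True)
            except binascii.Error:
                out.append(f"attachment {name}: body is not valid base64 (corrupted)")
                continue
        else:
            data = raw.encode("latin-1", "replace")
        if name.lower().endswith(".zip") and not data.startswith(b"PK\x03\x04"):
            out.append(f"attachment {name}: claims .zip but lacks PK header")
    return out


def analyze(raw: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw)
    hops = [h for h in (parse_received(v) for v in msg.get_all("Received", [])) if h]
    if not hops:
        return ["no parseable Received headers"]
    entry = hops[0]  # topmost header = the hop our own MTA recorded, the only trusted one
    findings = []
    if entry.ip.is_global:
        findings.append(f"entered from external {entry.ip} (HELO {entry.helo})")
        for h in hops[1:]:  # claimed earlier hops were written by the sender
            if h.ip.is_private and "microsoft smtp server" in h.with_.lower():
                findings.append(f"forged internal hop: {h.helo} ({h.ip}) by {h.by} with {h.with_}")
        if msg.get("X-MS-Exchange-Organization-AuthAs", "").strip().lower() == "internal":
            findings.append("AuthAs: Internal on mail that arrived from outside the organization")
        sender_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
        rcpt_dom = parseaddr(msg.get("To", ""))[1].rpartition("@")[2].lower()
        if sender_dom and sender_dom == rcpt_dom:
            findings.append(f"From spoofs the recipient's own domain {sender_dom}")
    findings.extend(attachment_findings(msg))
    return findings


if __name__ == "__main__":
    for line in analyze(SAMPLE):
        print("-", line)
```

Only the first Received header is trusted here, because it is the one the receiving MTA wrote itself; everything below it arrived inside the message body and is attacker-controlled, which is exactly why the paired "Microsoft SMTP Server" hops with RFC 1918 addresses are a signal rather than evidence of an internal origin.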