
Thread: New Mass Mailer

  1. #11
    Ok, so far I've seen 3 types, one with a link & .eml attachment, link & no attach, and one from a paypal spoofed address w/ link. The paypal one is extremely convincing. The subject line is like, "Payment received!" or whatever. I got really worried and checked my bank balance on the spot before even thinking it was another mydoom variant... It's a safe bet people are going to click that link inside. I checked my balance before opening the email, but the untrained eye won't be able to tell that paypal wouldn't link you to an IP inside their email.

    Tiger- Every email I've seen has linked to the same IP. You can block all access to that IP, prolly not a bad idea.

    IP is 10.55.3.245 on varying ports. Also, the emails all seem to have some sort of antivirus label in their source, (X-AntiVirus: Checked for viruses by Gordano's AntiVirus Software) and similar. I've never heard of them, so you could probably filter by them until you have something stronger to key on.

  2. #12
    AO Ancient: Team Leader
    Soda:

    10.anything is a private address.... It won't be transmitted across the internet and therefore cannot be the point of infection..... View the source, (html), of the email and you will probably see an <image map> , my best guess right now..... That's a bummer... because it looks like something it's not too.... it's a phishing trick that appeared relatively recently.....

    Please confirm my suspicion.......
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  3. #13
    No image maps.

    Return-Path: <[email protected]>
    Delivered-To: ----------------------
    Received: from vhboots.com (drake-200-218.drake.edu [207.28.200.218])
    by -------------- (Postfix) with ESMTP id BA59932BC
    for <-------------------.edu>; Tue, 9 Nov 2004 08:42:44 -0600 (CST)
    Received: from Knap-SKehoe1.drake.edu (Knap-SKehoe1.drake.edu [10.55.3.245])
    by drake.edu (8.12.8p1/8.12.8) with ESMTP id i38O9Fim028351
    for <------------------------->; Tue, 9 Nov 2004 08:42:44 -0600
    (envelope-from [email protected])
    Message-Id: <000801c4c638$14f3d990$f503370a@KnapSKehoe1>
    X-AntiVirus: Checked for viruses by Gordano's AntiVirus Software
    From: [email protected]
    To: --------------------------
    Subject:
    Date: Tue, 9 Nov 2004 08:42:44 -0600
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_0005_01C4C638.14F3D990"
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2800.1081
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1081

    This is a multi-part message in MIME format.

    ------=_NextPart_000_0005_01C4C638.14F3D990
    Content-Type: text/html;
    charset="iso-8859-2
    Content-Transfer-Encoding: quoted-printable

    <html>

    <body>

    Hi! I am looking for new friends. I am from Miami, FL. You can see my <a href=3D"http://10.55.3.245:1639/index.htm">homepage</a> with my last webcam photos!
    </body>
    </html>

    Hello!




    ------=_NextPart_000_0005_01C4C638.14F3D990--
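An added example in Python (not code from the thread or any of its posters): it parses a constructed message modelled on the headers quoted above, decodes the quoted-printable HTML part, extracts the link targets, flags IP-literal hosts (and whether they fall in a private range, as the 10.x address does), and checks whether a link host also appears as a relay in the Received: chain, which is what the posters reason a self-hosting mass mailer would produce. The addresses `victim@example.org` and `sender@example.net` are placeholders standing in for the redacted fields.

```python
import email
import ipaddress
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample modelled on the headers quoted in the thread (redacted
# fields replaced with example.org placeholders; the From address is made up).
RAW_MESSAGE = b"""Received: from vhboots.com (drake-200-218.drake.edu [207.28.200.218])
 by mx.example.org (Postfix) with ESMTP id BA59932BC
Received: from Knap-SKehoe1.drake.edu (Knap-SKehoe1.drake.edu [10.55.3.245])
 by drake.edu (8.12.8p1/8.12.8) with ESMTP id i38O9Fim028351
X-AntiVirus: Checked for viruses by Gordano's AntiVirus Software
From: sender@example.net
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0005_01C4C638.14F3D990"

------=_NextPart_000_0005_01C4C638.14F3D990
Content-Type: text/html; charset="iso-8859-2"
Content-Transfer-Encoding: quoted-printable

<html><body>See my <a href=3D"http://10.55.3.245:1639/index.htm">homepage</a>!</body></html>
------=_NextPart_000_0005_01C4C638.14F3D990--
"""

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HREF = re.compile(r"""href\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)

def received_ips(msg):
    """Relay addresses from the Received: chain, in header order (newest hop first)."""
    return [m.group(1) for m in map(BRACKETED_IP.search, msg.get_all("Received", [])) if m]

def extract_links(msg):
    """Collect href targets from every text/html part, after QP/charset decoding."""
    return [u for part in msg.walk() if part.get_content_type() == "text/html"
            for u in HREF.findall(part.get_content())]

def classify_link(url):
    """'hostname' for a normal link, 'private-ip' or 'public-ip' for an IP-literal host."""
    try:
        ip = ipaddress.ip_address(urlparse(url).hostname)
    except ValueError:
        return "hostname"
    return "private-ip" if ip.is_private else "public-ip"

def analyze(raw):
    msg = email.message_from_bytes(raw, policy=policy.default)
    links, relays = extract_links(msg), received_ips(msg)
    # A link host that is also a relay matches the self-hosting mailer described above.
    return {"links": {u: classify_link(u) for u in links}, "relays": relays,
            "links_to_relay": [u for u in links if urlparse(u).hostname in relays]}
```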

  4. #14
    Banned
    It looks like the e-mail was sent from one client in the drake.edu domain to another (therefore the 10.x IP), and then from that second client to Soda... the message is "built" by using the sender's IP address, but that didn't seem to have worked very well (since in this case the link was built using the IP of two senders back instead of just one). Since the sender is infected, a web server can be opened on its port 1639, and the receiver of the e-mail should be able to connect to that server through the link in the e-mail - but not in this case...

  5. #15
    Senior Member nihil's Avatar
    Hi Soda,

    Slightly off the topic but the Gordano's AV Software rang a bell..................they are a British outfit based in Somerset?????????????????

    Here is a link to their site:

    http://www.gordano.com/kb.htm?q=1621

    That is peculiar, and may be genuine as it would be odd to spoof checking by a virtually unknown AV product, which might be calculated to arouse suspicion. I would have expected spoofing the AVG message, or one of the better known products?

    just a thought

    EDIT: Even curiouser, vhboots.com appears to be a Van Halen bootleg music site?

  6. #16
    Computer Forensics
    Just a quick bit of info..

    Soda: The IP in the link in the emails is the machine that sent the email since it contains its own smtp engine. If you were to click on it, it would connect back and DL the payload as per instruction.
    Antionline in a nutshell
    "You're putting the fate of the world in the hands of a bunch of idiots I wouldn't trust with a potato gun"

    Trust your Technolust

  7. #17
    I understand that,

    My main curiosity was how it forced the payload onto the target, but now that I know it is the new IFrame vuln as someone added, I am wondering why all the emails I am getting are going to the same internal address, when I am receiving these emails from different places, outside my network?

  8. #18
    Computer Forensics
    irc..let's talk.

  9. #19
    Caught the sucker...

    Source of the page the emails link to is attached.

    Password is antionline.

    Don't be stupid, unless you have a test environment, don't touch this link.
