SANS ISC: New variation of SSL Spam

We've received numerous emails about this already today.  This is an update to a diary we did earlier this week.

The body of the spam today is:

  Dear user of the <some company> mailing service!

  We are informing you that because of the security upgrade of the mailing
  service your mailbox (<user>@<some company>) settings were changed. In
  order to apply the new set of settings click on the following link:

The email contains a link with a file to download.  Some of the files we have seen are:

  settings-file.exe   MD5:  0244586f873a83d89caa54db00853205
  settings-file2.exe  MD5:  e6436811c99289846b0532812ac49986

The files are being detected by some anti-virus software programs at this time as Zbot variants.

Thanks Jon, Frank, iTinker, Nick and others for your reports on this.
David

Oct 14th 2009
We just received a large influx of these to our whole enterprise. We use Postini as spam filter and they caught them all.

----------------------------------
Received: from source ([213.21.97.141]) by eu1sys200amx117.postini.com ([207.126.147.14]) with SMTP;
Thu, 15 Oct 2009 05:01:31 GMT
Received: from 213.21.97.141 by mail-red.research.att.com; Thu, 15 Oct 2009 07:01:25 +0100
Message-ID: <000d01ca4d54$8bc16760$6400a8c0@lizapf5>
From: "support@target-domain.com" <support@target-domain.com>
To: <user@target-domain.com>
Subject: A new settings file for the user@target-domain.com mailbox has just been released
Date: Thu, 15 Oct 2009 07:01:25 +0100
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0007_01CA4D54.8BC16760"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.71.1712.3
X-MimeOLE: Produced By Microsoft MimeOLE V4.71.1712.3
X-pstn-neptune: 0/0/0.00/0
X-pstn-levels: (S: 0.00533/92.62311 CV:99.9000 FC:95.5390 LC:95.5390 R:95.9108 P:95.9108 M:97.0282 C:98.6951 )
X-pstn-settings: 3 (1.0000:1.0000) s cv gt3 gt2 gt1 r p m c
X-pstn-addresses: from <support@target-domain.com> [233/12]
X-pstn-disposition: quarantine

Date: Thu, 15 Oct 2009 07:01:25 +0100
From: "support@target-domain.com" <support@target-domain.com>
To: <user@target-domain.com>
Subject: A new settings file for the user@target-domain.com mailbox has just been released

Dear user of the target-domain.com mailing service!
We are informing you that because of the security upgrade of the mailing service your mailbox (user@target-domain.com) settings were changed. In order to apply the new set of settings click on the following link:
http://target-domain.com/owa/service_directory/settings.php?email=user@target-domain.com&from=target-domain.com&fromname=user
Best regards, target-domain.com Technical Support.

----------------------------------

One of our users came round very confused, although when I explained that if we had emailed him (internal mail) it wouldn't go through the spam filter at all.
Anonymous
I'm seeing a lot of these as well on my mail servers. Interestingly, not all of my domains are affected: only the ones in .com. I have domains in .ch and these are not affected. Also, sub-domains aren't targeted either.
Anonymous
The interesting thing is that the obfuscated URL in the HTML boundary part of the messages I have seen is http://target-domain.com.polikko.eu/owa/service_directory/settings.php?email=user@target-domain.com&from=target-domain.com&fromname=user

Note the addition of the .polikko.eu to the domain name !
Karl

As posted by Karl:
"Note the addition of the .polikko.eu to the domain name !"

Actually they use a sub-domain of "polikko.eu". In the text they only quote that sub-domain.
So it has nothing to do with "target-domain .com".

PS:
I am the holder of the "target-domain .com" domain, and I can assure you that this junk originates elsewhere.

This really is a pain in the butt :(
Karl
Well, I, for one, have temporarily filtered all mail containing the /owa/service_directory/settings.php?email= string, as it seems to be the only common trail in all these mails. It's a temporary solution at best, since this string is easy to forge, but it's the only way I've found to really filter these out. Another option I'm pursuing is to reject all mail coming in from a local address using the same rules as for mail relay. Unfortunately, my mail server doesn't allow this just yet.
Karl
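A mail-gateway triage script, added here as an example and not code from the diary or any of the commenters, that encodes the three signals the thread points out: a sender claiming the recipient's own domain while the newest Received hop is an outside IP, the /owa/service_directory/settings.php?email= path Karl filtered on, and a link host that begins with the trusted domain but is registered under someone else's (the .polikko.eu suffix). The SAMPLE message, the LOCAL_DOMAINS and INTERNAL_RELAYS sets and the mx.example.net hostname are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the headers and body quoted in the thread; not a real capture.
SAMPLE = """Received: from source ([213.21.97.141]) by mx.example.net ([10.0.0.5]) with SMTP; Thu, 15 Oct 2009 05:01:31 GMT
From: "support@target-domain.com" <support@target-domain.com>
To: <user@target-domain.com>
Subject: A new settings file for the user@target-domain.com mailbox has just been released
Content-Type: text/plain

Dear user of the target-domain.com mailing service!
In order to apply the new set of settings click on the following link:
http://target-domain.com.polikko.eu/owa/service_directory/settings.php?email=user@target-domain.com
"""

LOCAL_DOMAINS = {"target-domain.com"}       # assumption: domains this MX accepts mail for
INTERNAL_RELAYS = {"10.0.0.5", "10.0.0.6"}  # assumption: hosts allowed to hand us mail "from" those domains
LURE_PATH = "/owa/service_directory/settings.php?email="
URL_RE = re.compile(r"https?://([^/\s<>]+)(/\S*)?")
RCVD_IP_RE = re.compile(r"from\s.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def registrable(host):
    """Last two labels of a hostname. Naive: right for .com/.eu, wrong for ccTLD second-level zones."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def score_message(raw):
    """Return the list of lure indicators found in one RFC 5322 message."""
    msg = message_from_string(raw)
    hits = []
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # 1. Claims to be one of our own domains, but the newest Received hop is not one of our relays.
    newest = (msg.get_all("Received") or [""])[0]
    m = RCVD_IP_RE.search(newest)
    if from_dom in LOCAL_DOMAINS and m and m.group(1) not in INTERNAL_RELAYS:
        hits.append("local-sender-from-outside")
    # Scan every text part, so the HTML alternative (where the obfuscated URL lived) is covered too.
    body = "".join((p.get_payload(decode=True) or b"").decode("utf-8", "replace")
                   for p in msg.walk() if p.get_content_maintype() == "text")
    for host, path in URL_RE.findall(body):
        # 2. The one string common to all reported samples.
        if path.startswith(LURE_PATH):
            hits.append("lure-path")
        # 3. Host starts with a trusted domain but is registered under a different one.
        for d in LOCAL_DOMAINS:
            if host.lower().startswith(d + ".") and registrable(host) != d:
                hits.append("lookalike-host:" + registrable(host))
    return hits
```

On the sample, score_message(SAMPLE) returns all three indicators, the last one naming polikko.eu as the real registrable domain behind the link.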
