New botnet spammed malware – Peals.F!plock

This is a big one, coming from hitherto unlisted botnet addresses – and it’s coming right now. I’m cross referencing the blacklisted addresses now to see if I can see who’s had an expansion lately. Spamassassin isn’t that great at picking it up, with about 10% getting straight through and about 90% failing to reach five points.

It’s a Microsoft Word document, apparently containing controversial malware Peals.F!plock. Little is known about this, other than Security Essentials flagging it but others say it’s a false positive. Well someone’s gone to a lot of trouble to sent it a “false positive”.

The messages all claim to come from “Stephanie Greaves”, sgreaves at btros.co.uk, with a fixed subject of COS007202, which is unusual. You’d have thought that if you’re using a clean botnet you’d randomise things a bit. This is a genuine domain name (with no SPF – come on guys!) and for all I know, Stephanie Greaves is the name of a genuine victim. Their MX is a virtual server and they’re probably wondering why it’s been heavily loaded since 9am.

Whoever’s doing this has a pretty comprehensive spamming list, containing nearly all of my honeypots.

Update:

This same malware is now being sent out claiming to be from customerservices@ocado.com with the subject “Your receipt for today’s Ocado delivery”, and an HTML message looking like an Ocado receipt (as far as I can tell – I shop for my own groceries!) Again, Ocado doesn’t seem to have SPF set up.

The message text is:


 

HERE’S YOUR RECEIPT

Hello

Your receipt for today’s delivery is attached to this email. I’ll be delivering your 12:00-14:00 order and, so you’ll know it’s me, I’ll be driving the Lemon van.

Your order doesn’t have any substitutions, everything’s there.

See you later,

Paul

Please generate and paste your ad code here. If left empty, the ad location will be highlighted on your blog pages with a reminder to enter your code. Mid-Post

 


The fake bombardier one reads:

Good morning,
Please see attached purchase order.
Kind regards,
Stephanie Greaves
cid:image002.jpg@01D01077.BAC48BA0
Administration Apprentice
Bombardier Transportation (Rolling Stock) UK Ltd
Electronics, Cabling, & Interior Division
Litchurch Lane, Derby, DE24 8AD

 

Update: 20-Oct-15 11:22

The malware spam now looks like this:

From: Shaun Buzzard <shaunb@hubbardproducts.com>
To: <to_addr}}>  <-- Note error
Subject: Order

Hi ,

Please find attached order.

 

Kind regards.

Shaun Buzzard

 

 

Malware sent in .ace format

This one made me look twice. I’m intercepting a lot of malware spreading attempts with text that starts out thus:


Dear Sir or madam
 Hi
 I'm milad and our company called UTIACHEM CO. located in Tehran-Iran.
 Following a telephone conversation with my colleague.
 I was going to send me your request.
 We have an inquiry from your products as attached file,please check.
 Please answer each request.
 Please certificate and an analysis and data sheet product send it to us.

 

They’re notable because they contain a pair of files of similar length (454K) which have names ending in .jpg.ace. It took me a while to figure this out; they’re compressed using a program called WinAce, a proprietary (paid for) German program from the late 1990’s. The only people likely to have a copy of this will likely be running Windows 98 – or so I thought. The company is still going, much to my surprise, and there are Linux and Mac versions too – although not UNIX, BSD, Android, Apple OS or anything else you’d need if you wanted to compete as a cross-platform archive format. There is, however, a DLL for unpacking that may be used in other people’s products, so perhaps decoders are more prevalent than might first appear.

I wonder how many they’ll have to spam out before they find someone (a) with an ACE decoder; and (b) dumb enough to use it?

Incidentally, most of these spams trace back to Mandril (aka Mailchimp), and are probably uploaded there by someone abusing an IOMart account (from Nottingham). In other words, zero abuse enforcement, based on previous attempts to contact them.

Fake Received: used by spammers – new tactic

Actually, this isn’t a new tactic at all. There was a lot of this going on in the 1990s and early 2000s, but I haven’t seen such widespread use of fake Received headers for a while now. As mail is no longer relayed, what’s the point? And yet, it’s coming again. Take this recent example:

Received: from host101-187-static.229-95-b.business.telecomitalia.it (host101-187-static.229-95-b.business.telecomitalia.it [95.229.187.101])
by real-mail-server.example.com (8.14.4/8.14.4) with ESMTP id t8NAOpJS007947;
Wed, 23 Sep 2015 11:24:57 +0100 (BST)
(envelope-from name-up-name@a-genuine-domain.com)
Received: from remacdmzma03.rbs.com (mail09.rbs.com [155.136.80.33]) by mail.example.com (Postfix) with ESMTP id B849451943 for made-up-name@example.com; Wed, 23 Sep 2015 11:22:43 GMT)
Message-ID: <XZ95O517.6281609@rbs.co.uk>
Date: Wed, 23 Sep 2015 11:22:43 GMT
Thread-Topic: Emailing: bankfl.emt
Thread-Index: made-up-name@example.com
From: "RBS" <secure.message@rbs.co.uk>
To: made-up-name@example.com
MIME-Version: 1.0
To: made-up-name@example.com
Subject: Bankline ROI - Password Re-activation Form
Content-Type: multipart/mixed;
boundary="----------------_=_NextPart_001_01CF5EDB.A2094B20"
This is a multi-part message in MIME format.
------------------_=_NextPart_001_01CF5EDB.A2094B20
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit


Please find the Re-activation form attached, send one per user ensuring only one box is selected in section 3. A signatory on the bank mandate must sign the form.

… etc …

Obviously the above has been re-written to use example.com, and the made-up-name was something random. The rest of the header is as it was. They’re obviously trying to convince you that your mail servers have already seen this  this message, so it must be okay. This is such a dumb trick – does any spam filter bother to even look at earlier headers? Are they hoping that Bayesian analysis will score the incorrectly guessed mail server as particularly hammy?

But what’s doing this, and why? Is there a new spambot in town, or is there a new spam filter that’s susceptible to such a dumb trick?

As it stands, this was sent from a blacklisted IP address and the SPF fails for RBS anyway, and the English it was written by a virtual English illiterate. For what it’s worth, the payload was malware in a ZIP.

 

Spam from WH Smith?

Whoever next? We’ve intercepted a load of spam sent by French company EmailVision on behalf of WH Smith to honeypot addresses – i.e. definitely not opt-in and definitely not legal in the UK. EmailVision is getting quite a reputation for this kind of thing, with PayDay loan spam and suchlike. W H Smith – I’m surprised at you! Or perhaps I’m not.

Malware claiming to come from Transport for London

I often get Transport for London information messages. I suspect a few million people in London do. But until just now, I’ve not seen it used as a malware distribution trick. Here’s what they look like:

Received: from [80.122.72.234] ([80.122.72.234])
	by  (8.14.4/8.14.4) with ESMTP id t5QAj0ns002218
	for ; Fri, 26 Jun 2015 11:45:01 +0100 (BST)
	(envelope-from noresponse@cclondon.com)
Date: Fri, 26 Jun 2015 12:45:04 +0200
From: 
Subject: Email from Transport for London
To: 
Message-ID: 
MIME-Version: 1.0
Importance: Normal
X-Priority: 3 (Normal)
X-Mailer: SAP Web Application Server 7.00
Content-Type: multipart/mixed;
 boundary="=_5557BCCC15D34570E10080000A82A3EC"
Envelope-To: 


--=_5557BCCC15D34570E10080000A82A3EC
Content-Disposition: inline
Content-Type: text/plain;
 charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Content-Description: Email from Transport for London


Dear Customer,

Please open the attached file to view correspondence from Transport for
London.

If the attachment is in DOC format you may need Adobe Acrobat Reader to
read or download this attachment.

Thank you for contacting Transport for London.



Business Operations
Customer Service Representative

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com

This email and any attachment are intended solely for the addressee, are s=
trictly confidential and may be legally privileged. If you are not the int=
ended recipient any reading, dissemination, copying or any other use or re=
liance is prohibited. If you have received this email in error please noti=
fy the sender immediately by email and then permanently delete the email.
______________________________________________________________________
--=_5557BCCC15D34570E10080000A82A3EC
Content-Disposition: attachment;
 filename="AP0210932630.doc"
Content-Type: application/doc;
 name="AP0210932630.doc"
Content-Transfer-Encoding: base64
Content-Description: AP0210932630.doc

0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgADAP7/CQAGAAAAAAAAAAAAAAACAAAAJwAAAAAA

The file attachment is a dodgy Microsoft Word document, unknown to malware scanners, and in spite of the faulty English it’s unlikely that Bayesian analysis will think it odd, although the SPF records don’t match and the IP address is currently flagged as slightly dodgy with no reverse lookup. It belongs to Telekom Austria, and I suspect it’s NOT a botnet at this time.

If anyone else has received one, I’d be interested to know! I let TFL know, and, refreshingly, got through to the right people and they took the matter seriously. This is hardly ever the case, so my feelings for TFL have gone up several notches!

Spam From Amazon SES

Spam has always been a problem with Amazon’s email service (SES). They make an effort to filter the outgoing missives transmitted by their customers, but it’s not perfect. And Amazon is no respecter of laws outside the good ‘ol US of A, where the right to free speech is a license to spam any kind of junk you like; whether the recipient asked for it or not.

Here’s a case in point:

Received: from a8-55.smtp-out.amazonses.com (a8-55.smtp-out.amazonses.com [54.240.8.55])
	by xxx.xxx.xxx.uk (8.14.4/8.14.4) with ESMTP id t5NHpefn075543
	for <spambait@xxx.xxx.uk>; Tue, 23 Jun 2015 18:51:40 +0100 (BST)
	(envelope-from 0000014e218bf8a9-07659756-debc-452c-9a9f-1b0ecedf709d-000000@amazonses.com)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
	s=ug7nbtf4gccmlpwj322ax3p6ow6yfsug; d=amazonses.com; t=1435081898;
	h=From:Date:To:MIME-Version:Message-ID:Reply-to:Subject:Content-Type:Feedback-ID;
	bh=jCdtb+gUf4FAvUudtcIKxlX0IOnQHEd/YxIGxHXLcQ4=;
	b=cNIs7cNe5LzyxYvGWw/LdIeA7epknAFAoeQYjiyf9b5mTKRYLAW9KLvUTSGtlsr7
	WWy52wd3Tz9o9vQryvK/Q5l5okAFxgZCZa5uSbXMor7sa/1dU02kwjCyACnb7viR1np
	BlEytfbGEBUlAfBBrrJueagmdzwa+IXNZsBo4w2Y=
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
	s=lfgclj2zbjygv5i5rirpal2v2zj3dquy; d=uebaps.com; t=1435081898;
	h=From:Date:To:MIME-Version:Message-ID:Reply-to:Subject:Content-Type;
	bh=jCdtb+gUf4FAvUudtcIKxlX0IOnQHEd/YxIGxHXLcQ4=;
	b=bZZSEICBkHU8HkdFtiYg9fp+qxzmxJlfNj6UclS3B4dtaKBMTf1oSCSQR5jm0XXE
	0JxmIdNWKsgumLUcf8XnZGZFVfwe2f7cVOCiA1EcHX7oHn0weHQjoce+nxwVClgCQYz
	m0OlXn/YvNBE1MwSvpQR3PfoSCyTVQQpBWjgD8dQ=
From: Ray-Ban Sale <enews@uebaps.com>
Date: Tue, 23 Jun 2015 17:51:38 +0000
To: "spambait@xxx.xx.uk" <spambait@xxx.xx.uk>
X-MessageID: OXx8fHwxMzY3MXx8fHxmcmFuazJAZmpsLmNvLnVrfHx8fDEwfHx8fDF8fHx8MA%3D%3D MIME-Version: 1.0
Message-ID: <0000014e218bf8a9-07659756-debc-452c-9a9f-1b0ecedf709d-000000@email.amazonses.com>
X-Priority: 3
Reply-to: Ray-Ban Sale <enews@uebaps.com>
Subject: Spambait: Keep Calm and Get 80% Off Ray-Ban!
Content-Type: multipart/alternative; boundary="b1_b18fea4f74280e521923210f4d5c61eb"
X-SES-Outgoing: 2015.06.23-54.240.8.55
Feedback-ID: 1.us-east-1.E00ipiLUCdDBKP1kTeYjtCc2E2c3DbfGjCtoi1emL2E=:AmazonSES 
--b1_b18fea4f74280e521923210f4d5c61eb
Content-Type: text/plain; charset = "utf-8"
Content-Transfer-Encoding: base64
SGksRnJhbmsgTGVvbmhhcmR0OiAjUl9Ub3BfVGl0bGUjLg0KQm9ybiBmcm9tIGEgbWVzaCBiZXR3
ZWVuIHR3byBvZiBSYXktQmFuJ3MgbW9zdCBpY29uaWMgYW5kIHBvcHVsYXIgc3VuZ2xhc3NlcyAt
IHRoZSBDbHVibWFzdGVyIGFuZCBXYXlmYXJlciAtIFJheS1CYW5DbHVibWFzdGVyIE92ZXJzaXpl

As you can see (if you’re used to reading email headers), this looks very legitimate – send from a correctly configured server. However. these characters are as guilty has hell. The email body, once decoded, claims that the spambait email address belonged to a past customer of theirs, and was used for placing an order (in the USA). This is, of course, physically impossible.

If this had been sent in Europe they’d have been breaking the local law that implemented  the EU Privacy and Electronic Communications Directive, 2002.  But they’re sending it from the USA. Other text in the email suggests it’s not from an English-speaking country (not even the USA), and it’s probably a scam. But Amazon doesn’t t seem to mind – they don’t even have an abuse reporting system for ISPs plagued by this stuff.

It’s tempting to simply block all Amazon SES IP addresses, but this will cause collateral damage. Spam filtering isn’t likely to detect it any other way, as the sending server is set up correctly, with SPF records and so on, so the Bayesian filter in a spam classifier will be over-ruled. However, this correctness can be used against it…

Let’s be clear here – it’s easy enough to block the whole of SES. You can get its address range just by looking at it’s SPF records:

%nslookup
> set type=TXT
> amazonses.com
Server: 127.0.0.1
Address: 127.0.0.1#53
amazonses.com text = "v=spf1 ip4:199.255.192.0/22 ip4:199.127.232.0/22 ip4:54.240.0.0/18 -all"

I suspect this may cover more than SES, but SES is certainly covered by it. However, blocking it will, as I mentioned earlier, block some innocent stuff that you do want. This is a job for Spamassassin.

I’m experimenting by adding the following to SA’s local.cf file:

header AMAZON_SES Received =~ /amazonses.com/
score AMAZON_SES 3.5
describe AMAZON_SES Sent from Amazon SES - often used by spammers

The the appropriate score to weight it by is an interesting question. By default good SPF records are ignored anyway; if they were not then it would obviously be a good idea to negate a positive score here. So I’ve picked 3.5 as this matches a clear Bayesian score rather than for any good statistical reason. Check back later to see how well it works.

More comment spammer email analysis

Since my earlier post, I decided to see what change there had been in the email addresses used by comment spammers to register. Here are the results:

 

Freemail Service  %
hotmail.com 22%
yahoo.com 20%
outlook.com 14%
mailnesia.com 8%
gmail.com 6%
laposte.net 6%
o2.pl 3%
mail.ru 2%
nokiamail.com 2%
emailgratis.info 1%
bk.ru 1%
gmx.com 1%
poczta.pl 1%
yandex.com 1%
list.ru 1%
mail.bg 1%
aol.com 1%
solar.emailind.com 1%
inbox.ru 1%
rediffmail.com 1%
live.com 1%
more-infos-about.com 1%
dispostable.com <1%
go2.pl <1%
rubbergrassmats-uk.co.uk <1%
abv.bg <1%
fdressesw.com <1%
freemail.hu <1%
katomcoupon.com <1%
tlen.pl <1%
yahoo.co.uk <1%
acity.pl <1%
atrais-kredits24.com <1%
conventionoftheleft.org <1%
iidiscounts.org <1%
interia.pl <1%
ovi.com <1%
se.vot.pl <1%
trolling-google.waw.pl <1%

As before, domains with <1% are still significant; it’s a huge sample. I’ve only excluded domains with <10 actual attempts.

The differences from 18 months ago are interesting. Firstly, mailnesia.com has dropped from 19% to 6% – however this is because the spam system has decided to block it! Hotmail is also slightly less and Gmail and AOL are about the same. The big riser is Yahoo, followed by laposte.net (which had the highest percentage rise of them all). O2 in Poland is still strangely popular.

If you want to know how to extract the statistics for yourself, see my earlier post.

jpmoryan.com malware spam

Since about 2pm(GMT) today FJL has been intercepting a nice new zero-day spammed malware from the domain jpmoyran.com (domain now deleted). Obviously just one letter different from J P Morgan, the domain was set up in a fairly okay manner – it would pass through the default spamassassin criteria, although no SPF was added as it’s being sent out by a spambot.

The payload  was a file called jpmorgan.exe (spelled correctly!) with an icon that was similar to an Adobe PDF file. Is it malware? Well yes, but I’ve yet to analyse just what. It’s something new.

 

Text of the message is something like:

 

Please fill out and return the attached ACH form along with a copy of a voided check (sic).

Anna Brown
JPMorgan Chase
GRE Project Accounting
Vendor Management & Bid/Supervisor
Fax-602-221-2251
Anna.Brown@jpmchase.com
GRE Project Accounting

Be careful.

 

Update: 19:30

As a courtesy, I always let affected companies know they’re being attacked, with variable results. J P Morgan’s cyber security department in New York took about 30 minutes to get to; they couldn’t cope with the idea that (a) I was not in America; and (b) I wasn’t even a customer of theirs. I eventually ended up speaking to someone from the “Global(sic) Security Team” who told me that if I was a customer I didn’t need to worry about it, but I could sent it to abuse@… – and then put the phone down on me. This was an address for customers to send “suspicious” emails to. I doubt they’ll read it, or the malware analysis. If you’re a J P Morgan customer, you might want to have a word about their attitude.

Scammers ask for money for Ukrainian Government

We have intercepted a large number of spam e-mails sent from various compromised systems, pretending to be from the Ukrainian government and asking for donations to fight off those nasty Russian backed separatists. Having checked, there is a pretty good chance that the scammers are actually based in Russia. It’s unclear whether this is in fact the work of president Putin, but perhaps he is trying to collect extra cash before the sanctions come into effect.

We have yet to see any serious attempt at exploiting the situation in Gaza, which is something of a surprise. Most likely they’re not making it through the basic spam filters.

Botnet shows itself with New Year spam :)

The crims have been at it again this Christmas season (more elsewhere). The latest interesting activity has been a flood of emails with :) as the subject and “Happy new year !” as the text-only payload. Don’t feel left out if you didn’t get one, as they’re only being sent to email addresses made of random numbers at various domains I monitor.

What are the crims up to? Probably testing out mail servers to see if they’ll accept things to random addresses. Every domain should, and deliver them to a human postmaster (not that many net newbies are even aware of this rule). However, there’s nothing to say they can’t also go to analysis tools.

What makes this latest caper interesting is that the botnet they’re coming from doesn’t show up on the usual lists of such things – it’s either new or extended rapidly from an old one. New botnets popping up after Christmas aren’t uncommon as the seasonal fake greeting cards and amazon purchase confirmation trojans are relentless in the days before, together with the lack of staff available over the holiday to deal with them. However, I find this one unusual as most of the IP addresses used to send out the probes are from Europe (Germany and Spain in particular).