Bounced spam to my own email address

Any research, news or information regarding the wide variety of techniques criminals use to take over your computers or web servers.

Postby trobbins » Wed Aug 20, 2014 4:54 pm

The Russians are sending spam spoofing an address on my domain.
It appears that most recipient addresses are at .ru domains.

Translated from the Russian:

We, a group of programmers from the Russian Federation, are concerned about all the sanctions that Western countries are imposing against Russia. We have prepared our response; below you will find a link to a program we have written. Open it on your computer and it will begin covertly attacking the government structures of the countries that introduced these sanctions. Our program runs covertly, uses no more than 15% of your upstream bandwidth and no more than 100 megabytes of traffic per day, and does not consume processor capacity. After your computer is rebooted the program stops its activity, and if you wish you can start it again.
Together we will win!


Link to the program: http://5.248.70.142/setup.exe
Backup link: http://195.114.158.61/setup.exe
If necessary, temporarily disable your antivirus.
trobbins
Spammers' Nightmare
Posts: 2556
Joined: Thu Apr 12, 2007 6:55 pm

Re: Bounced spam to my own email address

Postby trobbins » Wed Aug 20, 2014 5:17 pm

Analysis (antivirus scan results; a blank Result means that engine did not detect the file):

Antivirus    Result    Update
AVG    Crypt_s.EZS    20140820
AVware    Backdoor.Win32.Kelihos.e (v)    20140820
Ad-Aware    Gen:Variant.Symmi.7956    20140820
AhnLab-V3    Backdoor/Win32.Kelihos    20140820
AntiVir    HEUR/Malware    20140820
Antiy-AVL    Trojan[PSW]/Win32.Tepfer    20140820
Avast    Sf:ShellCode-AV [Trj]    20140820
Baidu-International    Trojan.Win32.InfoStealer.aF    20140820
BitDefender    Gen:Variant.Symmi.7956    20140820
CAT-QuickHeal    Backdoor.Kelihos.F5    20140820
DrWeb    BackDoor.Slym.3781    20140820
ESET-NOD32    a variant of Win32/Kelihos.G    20140820
Emsisoft    Gen:Variant.Symmi.7956 (B)    20140820
F-Secure    Gen:Variant.Symmi.7956    20140820
Fortinet    W32/Kryptik.BJWM!tr    20140820
GData    Gen:Variant.Symmi.7956    20140820
Ikarus    Backdoor.Win32.Kelihos    20140820
Kaspersky    Trojan-PSW.Win32.Tepfer.sber    20140820
Malwarebytes    Trojan.Kelihos.SDNRGen    20140820
McAfee    Artemis!EE0BF790F43C    20140820
MicroWorld-eScan    Gen:Variant.Symmi.7956    20140820
Microsoft    Backdoor:Win32/Kelihos.F    20140820
Qihoo-360    Win32/Trojan.3a7    20140820
Rising    PE:Trojan.Win32.Generic.172C6C98!388787352    20140820
Tencent    Win32.Trojan-qqpass.Qqrob.Akox    20140820
TrendMicro-HouseCall    Suspicious_GEN.F47V0820    20140820
VIPRE    Backdoor.Win32.Kelihos.e (v)    20140820
AegisLab       20140820
Agnitum       20140819
Bkav       20140820
ByteHero       20140820
CMC       20140820
ClamAV       20140820
Commtouch       20140820
Comodo       20140820
F-Prot       20140820
Jiangmin       20140815
K7AntiVirus       20140820
K7GW       20140820
Kingsoft       20140820
McAfee-GW-Edition       20140820
NANO-Antivirus       20140820
Norman       20140820
Panda       20140820
SUPERAntiSpyware       20140820
Sophos       20140820
Symantec       20140820
TheHacker       20140817
TotalDefense       20140820
TrendMicro       20140820
VBA32       20140820
ViRobot       20140820
nProtect       20140820


Behavior Info:
 Opened files
C:\d7bf8fda5722d2fdb8d2a9426f3bc0df5055563f662a58a028a41b3b82b821fc (successful)
C:\tmp.exe (successful)
C:\WINDOWS\system32\rsaenh.dll (successful)
/dev/urandom (failed)
C:\WINDOWS\system32\Packet.dll (successful)
C:\WINDOWS\system32\wpcap.dll (successful)
C:\WINDOWS\system32\drivers\npf.sys (successful)
C:\WINDOWS\system32\drivers\NPF.sys (successful)
\\.\Global\NPF_{54C7D140-09EF-11D1-B25A-F5FE627ED95E} (failed)
\\.\Global\NPF_{22A16F66-CB92-4B66-8BDE-26B5CD34553F} (successful)
 Read files
C:\WINDOWS\system32\rsaenh.dll (successful)
\\.\Global\NPF_{22A16F66-CB92-4B66-8BDE-26B5CD34553F} (successful)
C:\WINDOWS\system32\drivers\etc\hosts (successful)
C:\WINDOWS\Registration\R000000000007.clb (successful)
C:\WINDOWS\system32\shdocvw.dll (successful)
C:\WINDOWS\system32\stdole2.tlb (successful)
c:\autoexec.bat (successful)
 Written files
C:\WINDOWS\system32\Packet.dll (successful)
C:\WINDOWS\system32\wpcap.dll (successful)
C:\WINDOWS\system32\drivers\npf.sys (successful)
 Deleted files
C:\tmp.exe (successful)
 Code injections in the following processes
IEXPLORE.EXE (successful)
 Created mutexes
RasPbFile (failed)
 Opened mutexes
RasPbFile (successful)
 Searched windows
CLASS: MS_AutodialMonitor
NAME: (null)
CLASS: MS_WebcheckMonitor
NAME: (null)
 Opened service managers
MACHINE: localhost
DATABASE: SERVICES_ACTIVE_DATABASE (successful)
 Opened services
NPF (successful)
nm (failed)
ProtectedStorage (successful)
RASMAN (successful)
 Hooking activity
TYPE: WH_MOUSE
METHOD: SetWindowsHook (successful)
TYPE: WH_KEYBOARD
METHOD: SetWindowsHook (successful)
 Runtime DLLs
kernel32.dll (successful)
advapi32.dll (successful)
dnsapi.dll (successful)
iphlpapi.dll (successful)
mswsock.dll (successful)
ole32.dll (successful)
oleaut32.dll (successful)
psapi.dll (successful)
shell32.dll (successful)
user32.dll (successful)
 Additional details
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.
The file installs an application-defined hook procedure into a hook chain. You would install a hook procedure to monitor the system for certain types of events. These events are associated either with a specific thread or with all threads in the same desktop as the calling thread. This is done making use of the SetWindowsHook Windows API function.
 HTTP requests
URL: http://93.76.6.243/index.htm
TYPE: GET
USER AGENT: Mozilla/5.0 (Windows NT 5.0; rv:21.0) Gecko/20100101 Firefox/21.0
URL: http://95.43.99.51/setup.htm
TYPE: GET
USER AGENT: Mozilla/5.0 (Windows NT 5.1) Gecko/20100101 Firefox/14.0 Opera/12.0
URL: http://95.43.99.51/online.htm
TYPE: GET
USER AGENT: Opera/9.80 (Windows NT 5.1; U; zh-sg) Presto/2.9.181 Version/12.00
URL: http://2014br.biz/page_alph.php
TYPE: GET
USER AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
 DNS requests
2014br.biz (118.232.61.45)
 TCP connections
46.109.174.17:80
178.150.244.54:80
93.76.6.243:80
95.43.99.51:80
109.87.106.164:80
 UDP communications
1.70.154.156:53
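A worked example, added here and not part of the post above: a small Python script that parses the behaviour report in this post into its sections, extracts the network indicators (IPs, domains, URLs, User-Agent strings) and flags the behaviours a responder would want to see at a glance. The report excerpt embedded in the script is copied from the post (reduced to the sections the checks use); the choice of which behaviours to flag and the wording of the flags are this example's own.

```python
import re
from collections import defaultdict

# Excerpt of the sandbox behaviour report posted above, used as the sample input.
# Section titles are indented by one space, exactly as in the report.
REPORT = """\
 Written files
C:\\WINDOWS\\system32\\Packet.dll (successful)
C:\\WINDOWS\\system32\\wpcap.dll (successful)
C:\\WINDOWS\\system32\\drivers\\npf.sys (successful)
 Deleted files
C:\\tmp.exe (successful)
 Code injections in the following processes
IEXPLORE.EXE (successful)
 Hooking activity
TYPE: WH_MOUSE
METHOD: SetWindowsHook (successful)
TYPE: WH_KEYBOARD
METHOD: SetWindowsHook (successful)
 HTTP requests
URL: http://93.76.6.243/index.htm
TYPE: GET
USER AGENT: Mozilla/5.0 (Windows NT 5.0; rv:21.0) Gecko/20100101 Firefox/21.0
URL: http://95.43.99.51/setup.htm
TYPE: GET
USER AGENT: Mozilla/5.0 (Windows NT 5.1) Gecko/20100101 Firefox/14.0 Opera/12.0
 DNS requests
2014br.biz (118.232.61.45)
 TCP connections
46.109.174.17:80
178.150.244.54:80
93.76.6.243:80
95.43.99.51:80
109.87.106.164:80
 UDP communications
1.70.154.156:53
"""

# A section title is a line indented by one space; everything until the next
# title belongs to that section.
SECTION_RE = re.compile(r"^ (?P<name>[A-Za-z][\w ]*)$")


def parse_report(text):
    """Split the report into {section title: [entries]}."""
    sections = defaultdict(list)
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
        elif current and line.strip():
            sections[current].append(line.strip())
    return sections


def user_agents(sections):
    return {e[len("USER AGENT: "):] for e in sections["HTTP requests"]
            if e.startswith("USER AGENT: ")}


def network_iocs(sections):
    """Collect IPs, domains, URLs and User-Agents worth blocking or hunting for."""
    ips, domains = set(), set()
    for entry in sections["TCP connections"] + sections["UDP communications"]:
        ips.add(entry.rsplit(":", 1)[0])          # strip the port
    for entry in sections["DNS requests"]:        # "name (resolved-ip)"
        name, _, rest = entry.partition(" (")
        domains.add(name)
        if rest:
            ips.add(rest.rstrip(")"))
    urls = [e[len("URL: "):] for e in sections["HTTP requests"] if e.startswith("URL: ")]
    return {"ips": ips, "domains": domains, "urls": urls, "user_agents": user_agents(sections)}


def behaviour_flags(sections):
    """Turn raw sandbox events into the short list a responder actually reads."""
    flags = []
    written = "\n".join(sections["Written files"]).lower()
    if all(n in written for n in ("packet.dll", "wpcap.dll", "npf.sys")):
        flags.append("drops WinPcap components (Packet.dll, wpcap.dll, npf.sys): traffic capture capability")
    hooks = {e.partition(": ")[2] for e in sections["Hooking activity"] if e.startswith("TYPE: ")}
    if "WH_KEYBOARD" in hooks:
        flags.append("installs a WH_KEYBOARD hook via SetWindowsHook: keystroke capture")
    targets = [e.split(" (")[0] for e in sections["Code injections in the following processes"]]
    if targets:
        flags.append("injects code into " + ", ".join(targets))
    if any(e.lower().startswith("c:\\tmp.exe") for e in sections["Deleted files"]):
        flags.append("deletes its temporary copy C:\\tmp.exe after use: dropper cleanup")
    uas = user_agents(sections)
    if len(uas) > 1:
        flags.append(f"rotates {len(uas)} different User-Agent strings across HTTP requests")
    return flags


if __name__ == "__main__":
    secs = parse_report(REPORT)
    for ip in sorted(network_iocs(secs)["ips"]):
        print("block", ip)
    for flag in behaviour_flags(secs):
        print("flag:", flag)
```

The IP set is what you would feed a firewall or proxy blocklist; the flags are the behaviours (sniffing, keylogging, browser injection) that justify treating any host that fetched setup.exe as compromised rather than merely exposed.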

Re: Bounced spam to my own email address

Postby trobbins » Wed Aug 20, 2014 5:19 pm

The bounced spam has that .exe file on numerous IP addresses.

Re: Bounced spam to my own email address

Postby Red Dwarf » Thu Aug 21, 2014 7:06 am

Three of my fraud domain reporting addresses are getting the same treatment:

Translated from the Russian:

We, a group of programmers from the Russian Federation, are concerned about the unjustified sanctions that Western countries are imposing against Russia. We have prepared our response; below you will find a link to our program. Run it on your computer and it will begin covertly attacking the government websites of the countries that introduced these unjust sanctions. The program runs quietly, uses no more than 10% of your upstream bandwidth and no more than 20 megabytes of traffic per day, and practically no processor capacity. After your computer is rebooted the program stops its activity, and if you want, you can run it again.

Together we will win!

Link to our program: http://116.64.36.53/setup.exe
Backup link: http://192.35.222.90/setup.exe

If possible, temporarily disable your antivirus.

and
Link to the program: http://87.226.16.42/setup.exe
Backup link: http://77.121.203.95/setup.exe

and
Link to our program: http://192.35.222.90/setup.exe
Additional link: http://87.226.16.42/setup.exe

and
Link to our program: http://216.162.174.204/setup.exe
Backup link: http://176.36.131.68/setup.exe

and (this copy arrived mis-encoded, KOI8-R bytes displayed as Latin-1)
Link to the program: http://176.36.131.68/setup.exe
Backup link: http://192.35.222.90/setup.exe
Red Dwarf
You are kiillllling-a my bizinisss!
Posts: 10542
Joined: Tue Jun 27, 2006 2:01 am
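Another added example, not from the thread: the lure copies above vary in wording, the download hosts rotate, and one copy arrived as KOI8-R bytes displayed as Latin-1 (the "ìÉÎË ÎÁ ÐÒÏÇÒÁÍÍÕ" form). The script below repairs that mojibake, pulls every payload URL out of the lure texts quoted in this thread, deduplicates the hosts, and applies a simple triage rule to URLs seen in mail or proxy logs. The lure strings are copied from the thread; the classify_url heuristic (bare IPv4 host plus a /setup.exe path) is this example's own assumption and, since the thread itself shows the hosts changing, it is a weak signal for review rather than a verdict.

```python
import re
from urllib.parse import urlsplit

# Payload lines from the lure copies quoted in this thread. The last one is kept
# in the mis-decoded form in which it arrived.
LURES = [
    "Ссылка на программу: http://5.248.70.142/setup.exe\nЗапасная ссылка: http://195.114.158.61/setup.exe",
    "Ссылка на нашу программу: http://116.64.36.53/setup.exe\nРезервная ссылка: http://192.35.222.90/setup.exe",
    "Ссылка на программу: http://87.226.16.42/setup.exe\nРезервная ссылка: http://77.121.203.95/setup.exe",
    "Ссылка на нашу программу: http://192.35.222.90/setup.exe\nДополнительная ссылка: http://87.226.16.42/setup.exe",
    "Линк на нашу программу: http://216.162.174.204/setup.exe\nРезервный линк: http://176.36.131.68/setup.exe",
    "ìÉÎË ÎÁ ÐÒÏÇÒÁÍÍÕ: http://176.36.131.68/setup.exe\núÁÐÁÓÎÏÊ ÌÉÎË: http://192.35.222.90/setup.exe",
]

URL_RE = re.compile(r"https?://[^\s<>\"']+")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def repair_koi8r_mojibake(text):
    """Undo KOI8-R bytes that were decoded as Latin-1.

    Only applied when the text contains Latin-1 high characters and no Cyrillic,
    so correctly decoded Russian (and plain ASCII) passes through untouched.
    """
    if re.search(r"[\u0400-\u04ff]", text) or not re.search(r"[\u0080-\u00ff]", text):
        return text
    try:
        return text.encode("latin-1").decode("koi8-r")
    except UnicodeError:
        return text


def payload_urls(texts):
    """Every URL in the lure texts, after encoding repair."""
    urls = []
    for t in texts:
        urls.extend(URL_RE.findall(repair_koi8r_mojibake(t)))
    return urls


def unique_hosts(urls):
    return sorted({urlsplit(u).hostname for u in urls})


def classify_url(url, known_hosts):
    """Assumed triage heuristic for a URL seen in mail or proxy logs (not from the thread):
    exact match on a host from the lures, else bare-IP host serving /setup.exe."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if host in known_hosts:
        return "known-lure-host"
    if IPV4_RE.match(host) and parts.path.lower().endswith("/setup.exe"):
        return "bare-ip-setup.exe"
    return "no-match"


if __name__ == "__main__":
    hosts = unique_hosts(payload_urls(LURES))
    print(f"{len(hosts)} unique download hosts across the lure copies:")
    for h in hosts:
        print(" ", h)
    print(classify_url("http://203.0.113.9/setup.exe", hosts))  # constructed test URL
```

Run against the six lure copies this yields eight distinct download hosts, which is the point of the "numerous IP addresses" remark earlier in the thread: blocking the two addresses in any single message is not enough, so the host list has to be rebuilt from every copy that bounces.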

Re: Bounced spam to my own email address

Postby Red Dwarf » Wed Aug 27, 2014 10:53 pm

A write-up on this is at
http://www.computerworld.com/article/2599061/security/hackers-prey-on-russian-patriotism-to-grow-the-kelihos-botnet.html
The links in the email messages point to a version of the Trojan program used in the Kelihos, or Hlux, botnet, security researchers from Websense said Friday in a blog post. This four-year-old botnet has been associated over time with various malicious activities including sending spam; stealing passwords from browsers, FTP clients and other programs; stealing and mining Bitcoins; providing backdoor access to computers and launching DDoS attacks, they said.
