SANS ISC: Internet Storm Center


Good Cop; Bad Cop; Domain Cop?

Published: 2016-12-08
Last Updated: 2016-12-08 13:08:24 UTC
by Johannes Ullrich (Version: 1)
3 comment(s)

When investigating events like malware or spam hitting our systems, we often send notifications to the parties from which the malicious traffic originates. On the other hand, it isn't terribly unusual for us to receive malware notifications ourselves when some of the code snippets we post match anti-virus patterns.

So I was not terribly surprised when I got an e-mail recently regarding one of my more "interesting" domains that I keep around for our web application security classes: . The e-mail claimed to come from an organization that calls itself "":

As far as malicious e-mails go, I would consider this one of the better ones. Obviously, they harvested whois information. It would not be terribly odd to find a link in a message like that (we try to avoid them, but I have seen them used in abuse notifications for tracking). But with any link, it is better to be careful, so I pulled it in from my sacrificial machine / malware lab.

What I got was an RTF document called Abuse_report_HSQ393.doc. VirusTotal had some history for the file and identified it as a generic downloader exploiting an older vulnerability (CVE-2012-0158). It is kind of sad that this group wasted a pretty nice scheme with a plausible domain name and only had a 2012 vulnerability to deliver with it.
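As an added example (not code from the diary), a small triage helper in the spirit of the "RTF delivered as a .doc" observation above: it classifies a downloaded attachment by its leading bytes rather than its extension, flags the mismatch, and notes whether an RTF file carries an embedded OLE object, which is worth a closer look before anything opens it. The sample bytes are constructed, not the real attachment.

```python
import os

# Leading bytes ("magic") of the container formats an Office-looking
# attachment can really be.
MAGIC = {
    b"{\\rtf": "rtf",                             # Rich Text Format
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",  # legacy binary Office (.doc/.xls)
    b"PK\x03\x04": "zip",                         # OOXML (.docx/.xlsx) and other ZIP containers
    b"%PDF": "pdf",
}

# Container each claimed extension is expected to use.
EXPECTED = {
    ".doc": "ole2", ".xls": "ole2",
    ".docx": "zip", ".xlsx": "zip",
    ".rtf": "rtf", ".pdf": "pdf",
}

# RTF control words that introduce an embedded OLE object.
RTF_OBJECT_WORDS = (b"\\object", b"\\objdata", b"\\objclass")


def container_type(data: bytes) -> str:
    """Return the container format implied by the file's first bytes."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def triage(filename: str, data: bytes) -> dict:
    """Compare the claimed extension with the real container and flag oddities."""
    ext = os.path.splitext(filename)[1].lower()
    actual = container_type(data)
    expected = EXPECTED.get(ext, "unknown")
    return {
        "filename": filename,
        "container": actual,
        "expected": expected,
        # Only a mismatch when we know what the extension should look like.
        "mismatch": expected != "unknown" and actual != expected,
        "embedded_object": actual == "rtf" and any(w in data for w in RTF_OBJECT_WORDS),
    }


# Constructed samples: an RTF with an embedded object posing as .doc, and a benign-looking .docx.
SAMPLES = {
    "Abuse_report_HSQ393.doc": b"{\\rtf1\\ansi\\deff0 {\\object\\objemb{\\*\\objdata 0105}}}",
    "invoice.docx": b"PK\x03\x04" + b"\x00" * 26,
}
```

Run `triage(name, data)` over each entry in `SAMPLES`; the first reports `container: rtf`, `mismatch: True` and `embedded_object: True`, the second reports no mismatch.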

The first time I tried to download the file, the site was down (it was, however, protected by Cloudflare). A day or so later, the site was up again, and I finally was able to download my "report". It is interesting that the e-mail was signed with DKIM (my mail server adds the "[dkimok]" flag to all e-mails that have a valid signature). This should make it less likely for e-mails like this to be caught by spam filters.

Currently, has been suspended by its registrar.

Johannes B. Ullrich, Ph.D.
