Evil Printers Sending Mail
A reader reported receiving the following e-mail (modified to anonymize):
From; support@example.com
To: iscreader@example.com
Subject: Fwd: Scan from a HP Officejet #123456
A document was scanned and sent
to you using a Hewlett-Packard HP Officejet 28628D
Sent by: FIRSTNAME
Images: 4
Attachment Type: Image (.jpg) Download
I do not have a printer like this, but it is possible that a multifunction device will send scanned documents as an e-mail in this form. In this case, the links, which I simulated above using a blue underlined font, both lead to a now defunct URL: http://freebooksdfl (dot) info/main.php . The domain is marked as "suspended for spam or abuse" in whois. One of our handlers reports seeing similar e-mail but not being able to capture any of the content on related links so far.
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter
Comments
MYam
Oct 20th 2011
1 decade ago
Moriah
Oct 20th 2011
1 decade ago
Sample header below:
Received: from [117.242.0.20] ([117.242.0.20]) by [snip] with SMTP;
Wed, 19 Oct 2011 09:10:58 PDT
Received: from [117.242.0.20] by [snip]; Wed, 19 Oct 2011 03:40:58 +0530
From: <support@ourdomain.com.com>
To: <[snip]@ourdomain.com>
Subject: Re: Scan from a HP Officejet #460647
Date: Wed, 19 Oct 2011 03:40:58 +0530
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0BB4_01CC8EA7.C9D62900"
X-Mailer: Microsoft Office Outlook, Build 12.0.6416
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.1158
Thread-Index: AcON37T19E6VAJSH4ILH04D3SHOWLR==
Message-ID: <44ea01cc8ea7$ca08d1c0$1400f275@WENZIMMERMANVNJYnTX>
X-CM: Latest Threats II
X-pstn-disposition: quarantine
--------------------------------------------------------------------------------
Date: Wed, 19 Oct 2011 03:40:58 +0530
From: <support@ourdomain.com>
To: <[snip]@ourdomain.com>
Subject: Re: Scan from a HP Officejet #460647
A document was scanned and sentto you using a Hewlett-Packard HP Officejet 2075D.Sent by: WEN
Images : 8
Attachment Type: Image (.jpg) Download
Hewlett-Packard Officejet Location: machine location not set
Device: CRP848SO0SLM3943550
Slowpoke
Oct 20th 2011
1 decade ago
Return-path: <AmyRynes@euronet.nl>
Received: from 18913056101.user.veloxzone.com.br (unverified [189.13.56.101]) by <ourserver>
(Rockliffe SMTPRA 9.0.1) with SMTP id <B0004477005@<ourserver> for <support@<ourdomain>.com>;
Wed, 19 Oct 2011 12:09:56 -0400
Received: from 18913056101.user.veloxzone.com.br (helo=lmnneja.gp) by 18913056101.user.veloxzone.com.br with esmtpa (Exim 4.66 (FreeBSD)) (envelope-from <AmyRynes@euronet.nl>) id 1WKM24-8016qo-UY for support@<ourdomain>.com; Wed, 19 Oct 2011 11:09:55 -0300
Message-ID: <5AF29915.6030706@euronet.nl>
Date: Wed, 19 Oct 2011 11:09:55 -0300
From: <hp@<ourdomain>.com>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_8; cs-CZ; rv:1.9b5) Gecko/2008041514 Lightning/1.0b2 Thunderbird/3.0a1 ThunderBrowse/3.2.8.1
MIME-Version: 1.0
To: support@<ourdomain>.com
Subject: Scan from a HP Officejet #297450
Content-Type: multipart/alternative;
boundary="------------040108090004060400000608"
Also seeing with subject "Scan from Hewlet-Packard Officejet 397458"
William
A document was scanned and sent
to you using a Hewlett-Packard HP Officejet 4563D.
Sent by: TRESSIE
Images : 9
Attachment Type: Image (.jpg) Download
Hewlett-Packard Officejet Location: machine location not set
Device: CRP186SO9SLM1649357
William
Oct 20th 2011
1 decade ago
Robin W.
Oct 20th 2011
1 decade ago
From: officejet@[domain].com [mailto:officejet@[domain].com]
Sent: Wednesday, September 28, 2011 8:59 PM
To:
Subject: Re: Scan from a HP Officejet #4310253
A document was scanned and sent
to you using a Hewlett-Packard HP Officejet 1778A.
Sent by: KATHYRN
Images : 6
Attachment Type: Image (.jpg) Download
Hewlett-Packard Officejet Location: machine location not set
Device: OFC053AA7BSX783945
Avenger
Oct 20th 2011
1 decade ago
Mike
Oct 20th 2011
1 decade ago
*******************************************************
When a system connects to http[://]gavni.bij.pl/main.php?page=8f059b09cd0e2f70, a malicious Java Archive is downloaded. The site utilizes the html tag <applet> in order to run a class file, Window.class, which is located within a folder, "support", within the Java Archive.
In addition, embedded JavaScript attempts to discover certain information about targeted system, including browser type. Of particular note, it attempts to determine the version of three plugins, Java, PDF, and Shockwave Flash. If the correct version of the Java plugin is detected it will attempt to download a Main.class file and redirect the system to http[://]gavni.bij.pl/w.php?f=27&e=2. The Main.class file is hosted at http[://]root[@]1604540625/Main.class, which resolves to 95.163.88.209 using dword URL obfuscation.
After the Java exploit is attempted, it checks to see which version of PDF is installed and depending upon the finding the website will redirect the system to either http[://]gavni.bij.pl/content/1fdp.php?f=27 or http[://]gavni.bij.pl/content/2fdp.php?f=27.
Finally, it will check to verify the Shockwave Flash version and will download either http[://]gavni.bij.pl/content/score.swf or http[://]gavni.bij.pl/content/field.swf.
******************************************************
I hope I got that right :).
Mike
Oct 20th 2011
1 decade ago
jono
Oct 20th 2011
1 decade ago
You are allowing emails purporting to be from your domain (but not!) to be accepted by your mail servers? Hint: SPF and DKIM has been defending against mail forgery like this for a long time. Might want to try it before complaining about spoofed <yourdomain> emails when there is an effective way to block it completely.
n3kt0n
Oct 20th 2011
1 decade ago