Threat Level: green Handler on Duty: Bojan Zdrnja

SANS ISC: InfoSec Handlers Diary Blog - Security Guard Script e-mail scam InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Security Guard Script e-mail scam

Published: 2007-02-09
Last Updated: 2007-02-09 22:40:01 UTC
by John Bambenek (Version: 1)
0 comment(s)
There is a spam making the rounds that is targetting customers of ISPs. The template of the e-mail is attached below and the attackers are using some sort of method to specifically mention the proper ISP name being used by the victim.  In short, it's trying to get you to upload scripts to your webserver and run them.  So far, the reverse engineering is ongoing, but it is obfuscated PHP or ASP code that will run once you go that page.

So far, I've seen that it sends an email to firstbts@gmail.com and tries to get a 0-byte file from 66.246.240.45.  I'm create a VMware image to continue to reverse engineer, but these e-mails are scams of the typical social engineering variety. It seems most Anti-Virus picks this up already.

== START EMAIL ==

Dear <<insert ISP name here>> valued members

Regarding our new security regulations, as a part of our yearly maintenance we have provided a security guard script in the attachment.

So, to secure your websites, please use the attached file and (for UNIX/Linux Based servers) upload the file "guard.php" in: "./public_html" or (for Windows Based servers which use ASP) upload the file "guard.asp" in: "./wwwroot" in your site.

If you do not know how to use it, you can use the following instruction:

For Unix/Linux based websites that use PHP/CGI/PERL:
1) Download the attachment named "guard.zip"
2) Extract file "guard.php"
3) Login to your site Control panel.
4) Open "File Manager" window.
5) Go through "Public_html" or "htdocs"
6) Choose "Upload Files"
7) Upload the file "guard.php"
8) Check its URL too "http://www.yoursite.com/guard.php", if it is ok

For Windows based websites that use ASP:
1) Download the attachment named "guard.zip"
2) Extract file "guard.asp"
3) Login to your site Control panel.
4) Open "File Manager" window.
5) Go through "wwwroot" directory
6) Choose "Upload Files"
7) Upload the file "guard.asp"
8) Check its URL too "http://www.yoursite.com/guard.asp", if it is ok

Thank you for using our services and products. We look forward to providing you with a unique and high quality service.

Best Regards
<<insert ISP name here>>

== END EMAIL ==

--
John Bambenek, bambenek/at/gmail/dot/com
University of Illinois
Keywords:
0 comment(s)
Diary Archives