Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: InfoSec Handlers Diary Blog - WHOIS contact spam with malicious security maintenance script attachment InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

WHOIS contact spam with malicious security maintenance script attachment

Published: 2007-02-19
Last Updated: 2007-02-19 22:15:50 UTC
by Patrick Nolan (Version: 5)
0 comment(s)

We received a report from Hugh Brower that there is a spammed email destined for whois contacts that contains a malicious php attachment. The email is spoofed to look like it's from the domain's hosting provider. The email attempts to trick the recipient into executing the attachment. Currently the attachment information is;

Attachment Name webguard.php
File size: 130990 bytes
MD5: 1071956063131f0fd178ace92ab526bb
SHA1: c47dd28e336030e3d940b66e2884aba91124a831


Additional linformation developed shows that WHOIS contact information is NOT the only source of recipient email addresses. In one instance the recipient's email address was only on the website.

Johannes has a preliminary analysis of the first script reported above that shows that the script harvests critical system configuration information, emails information, sets up a shell, and dumps a perl irc bot. Look for a netcat listener on port 4500.


We've received additional reports (Thanks to Andy Sutton!), a variant shows that a spoofed sender is the US FDIC (Federal Deposit Insurance Corporation) , this email variants script attachment detail;

File Name vprotect.php
File size: 156686 bytes
MD5: 43f3c330f6e85943fd4a60c3b89787e2
SHA1: d58bcb698417cbcf005a0e26e9e962a5097892d9

**NOTE** Emails we have received contain virtually identical content instructions. The attachment and spoofed sender differ.


Matt Jonkman dropped us a note pointing out an identical attachment attack. See BleedingSnort. He reports "Initial hits we saw were on the 9th and earlier. The fbi is aware, the original sites in use were shut down.".


We have previously referenced this attack in John Bambanek's February 9th Diary item here. Arbor made a post late today containing details of a similar attack and details it's techniques.

The email says;

"Subject: Hosting Regular Security Maintenance

Dear yourdomainhost valued Members

Regarding our new security regulations, as a part of our yearly maintenance we have provided a security guard script in the attachment.

So, to secure your websites, please use the attached file and (for UNIX/Linux Based servers) upload the file "webguard.php" in:

"./public_html" or (for Windows Based servers) in: "./wwwroot" in your site.

If you do not know how to use it, you can use the following instruction:

For Unix/Linux or Windows based websites that use PHP/CGI/PERL/ASP:

1) Download the attachment named "webguard.php"

2) Login to your site Control panel.

3) Open "File Manager" window.

4) Go through "Public_html" or "htdocs" (for UNIX/Linux Based servers),

but for Windows Based server, please Go through "wwwroot" directory.

5) Choose "Upload Files"

6) Upload the file "webguard.php"

7) Check its URL too "", if it is ok

Thank you for using our services and products. We look forward to providing you with a unique and high quality service.

Best Regards"

The attack has targeted more than one domain but does not appear to be widespread at the moment. Additional details will be posted as they develop.

Thanks Hugh!

And thanks Handlers!

0 comment(s)
Diary Archives