Evil Printers Sending Mail

Published: 2011-10-20. Last Updated: 2011-10-20 03:56:13 UTC
by Johannes Ullrich (Version: 1)
10 comment(s)

A reader reported receiving the following e-mail (modified to anonymize):

From: support@example.com
To: iscreader@example.com
Subject: Fwd: Scan from a HP Officejet #123456

A document was scanned and sent
to you using a Hewlett-Packard HP Officejet 28628D
Sent by: FIRSTNAME
Images: 4
Attachment Type: Image (.jpg) Download

I do not have a printer like this, but a multifunction device can indeed send scanned documents as an e-mail in this form, which is what makes the lure plausible. In this case, both links in the message (hyperlinks in the original, plain text in the copy quoted above) lead to a now defunct URL: http://freebooksdfl (dot) info/main.php . The domain is marked as "suspended for spam or abuse" in whois. One of our handlers reports seeing similar e-mail, but has not been able to capture any of the content behind the linked pages so far.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: malware spam

Comments

Do you have the headers of the received email?
I too have seen these attempts to seduce noobs to open attachments. Sorry I didn't save it. :-(
We've blocked a couple hundred of these over the past week. From addresses seen include scan@ourdomain.com, support@ourdomain.com and hp@ourdomain.com.

Sample header below:

Received: from [117.242.0.20] ([117.242.0.20]) by [snip] with SMTP;
Wed, 19 Oct 2011 09:10:58 PDT
Received: from [117.242.0.20] by [snip]; Wed, 19 Oct 2011 03:40:58 +0530
From: <support@ourdomain.com.com>
To: <[snip]@ourdomain.com>
Subject: Re: Scan from a HP Officejet #460647
Date: Wed, 19 Oct 2011 03:40:58 +0530
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0BB4_01CC8EA7.C9D62900"
X-Mailer: Microsoft Office Outlook, Build 12.0.6416
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.1158
Thread-Index: AcON37T19E6VAJSH4ILH04D3SHOWLR==
Message-ID: <44ea01cc8ea7$ca08d1c0$1400f275@WENZIMMERMANVNJYnTX>
X-CM: Latest Threats II
X-pstn-disposition: quarantine

--------------------------------------------------------------------------------

Date: Wed, 19 Oct 2011 03:40:58 +0530
From: <support@ourdomain.com>
To: <[snip]@ourdomain.com>
Subject: Re: Scan from a HP Officejet #460647

A document was scanned and sent to you using a Hewlett-Packard HP Officejet 2075D.
Sent by: WEN
Images : 8
Attachment Type: Image (.jpg) Download

Hewlett-Packard Officejet Location: machine location not set
Device: CRP848SO0SLM3943550

We are seeing the same thing and have been for months.

Return-path: <AmyRynes@euronet.nl>
Received: from 18913056101.user.veloxzone.com.br (unverified [189.13.56.101]) by <ourserver>
(Rockliffe SMTPRA 9.0.1) with SMTP id <B0004477005@<ourserver> for <support@<ourdomain>.com>;
Wed, 19 Oct 2011 12:09:56 -0400
Received: from 18913056101.user.veloxzone.com.br (helo=lmnneja.gp) by 18913056101.user.veloxzone.com.br with esmtpa (Exim 4.66 (FreeBSD)) (envelope-from <AmyRynes@euronet.nl>) id 1WKM24-8016qo-UY for support@<ourdomain>.com; Wed, 19 Oct 2011 11:09:55 -0300
Message-ID: <5AF29915.6030706@euronet.nl>
Date: Wed, 19 Oct 2011 11:09:55 -0300
From: <hp@<ourdomain>.com>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_8; cs-CZ; rv:1.9b5) Gecko/2008041514 Lightning/1.0b2 Thunderbird/3.0a1 ThunderBrowse/3.2.8.1
MIME-Version: 1.0
To: support@<ourdomain>.com
Subject: Scan from a HP Officejet #297450
Content-Type: multipart/alternative;
boundary="------------040108090004060400000608"

Also seeing with subject "Scan from Hewlet-Packard Officejet 397458"

William

A document was scanned and sent
to you using a Hewlett-Packard HP Officejet 4563D.

Sent by: TRESSIE
Images : 9
Attachment Type: Image (.jpg) Download

Hewlett-Packard Officejet Location: machine location not set
Device: CRP186SO9SLM1649357

We've been seeing these for nearly a month. They're not really from printers, you know. :)
Been getting these for a number of weeks as well:

From: officejet@[domain].com [mailto:officejet@[domain].com]
Sent: Wednesday, September 28, 2011 8:59 PM
To:
Subject: Re: Scan from a HP Officejet #4310253

A document was scanned and sent
to you using a Hewlett-Packard HP Officejet 1778A.

Sent by: KATHYRN
Images : 6
Attachment Type: Image (.jpg) Download

Hewlett-Packard Officejet Location: machine location not set
Device: OFC053AA7BSX783945
I received this from a coworker who asked me to take a look at it. The site (when it was up) that we were redirected to would attempt to exploit Java, PDF, and Flash. Which files were downloaded depended upon the versions you had installed. That logic was contained in the encrypted JavaScript on the main site. It's a nasty little bugger and definitely malicious. I would recommend blocking the domain that these emails linked to.
Here is a clean write-up for the link. At the time, it was gavni.bij.pl (which currently redirects to something else entirely), so links will be different.

*******************************************************
When a system connects to http[://]gavni.bij.pl/main.php?page=8f059b09cd0e2f70, a malicious Java Archive is downloaded. The site utilizes the HTML tag <applet> in order to run a class file, Window.class, which is located within a folder, "support", within the Java Archive.
In addition, embedded JavaScript attempts to discover certain information about the targeted system, including browser type. Of particular note, it attempts to determine the version of three plugins: Java, PDF, and Shockwave Flash. If the correct version of the Java plugin is detected, it will attempt to download a Main.class file and redirect the system to http[://]gavni.bij.pl/w.php?f=27&e=2. The Main.class file is hosted at http[://]root[@]1604540625/Main.class, which resolves to 95.163.88.209 using dword URL obfuscation.
After the Java exploit is attempted, it checks to see which version of PDF is installed and, depending upon the finding, the website will redirect the system to either http[://]gavni.bij.pl/content/1fdp.php?f=27 or http[://]gavni.bij.pl/content/2fdp.php?f=27.
Finally, it will check to verify the Shockwave Flash version and will download either http[://]gavni.bij.pl/content/score.swf or http[://]gavni.bij.pl/content/field.swf.
******************************************************

I hope I got that right :).
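The "dword" host in that write-up is worth decoding once by hand, because browsers accept several spellings of an IPv4 literal besides the dotted quad, and the "root@" prefix is userinfo that the browser ignores while a casual reader takes it for a hostname. The following is an added example in Python, not code from the diary or from the commenter: it refangs the defanged URL quoted above, separates the userinfo from the host, and converts the numeric host with the same base rules C's inet_aton() uses. The octal, hex and one-to-three-part spellings go beyond the single decimal form the comment shows and are the editor's generalisation.

```python
"""Undo the URL tricks named in the write-up above: defanged "http[://]" notation,
a "root@" userinfo prefix, and a "dword" (single decimal number) host that browsers
accept as an IPv4 address. Added example; not code from the diary or the commenter.
The sample URLs are the ones quoted in the comment, in their defanged form."""
import ipaddress
import re
from urllib.parse import urlsplit


def refang(url):
    """Turn defanged notation (http[://], [.], [@]) back into a real URL."""
    return url.replace("[://]", "://").replace("[.]", ".").replace("[@]", "@")


def _part(s):
    """One component of a numeric host, using C inet_aton() base rules."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", s):
        return int(s, 16)                   # 0x... is hex
    if re.fullmatch(r"0[0-7]*", s):
        return int(s, 8)                    # leading zero is octal ("0" alone is 0)
    if re.fullmatch(r"[1-9]\d*", s):
        return int(s, 10)
    raise ValueError(s)                     # not numeric: a real hostname label


def decode_host(host):
    """Dotted quad for any IPv4 literal inet_aton() accepts: one dword (1604540625),
    hex (0x5FA358D1), octal parts (0137.0243.0130.0321), or 1-3 parts where the last
    one fills the remaining bytes (95.163.22737). Real hostnames come back unchanged."""
    try:
        values = [_part(p) for p in host.split(".")]
    except ValueError:
        return host
    if not 1 <= len(values) <= 4:
        return host
    widths = [8] * (len(values) - 1) + [8 * (5 - len(values))]   # bits per slot
    n = 0
    for value, width in zip(values, widths):
        if value >= 1 << width:
            return host                     # component too large for its slot
        n = (n << width) | value
    return str(ipaddress.IPv4Address(n))


def normalize_url(url):
    """Split a (possibly defanged) URL into what an analyst wants to see: the
    userinfo the browser discards, the host as written, and the real host."""
    parts = urlsplit(refang(url))
    host = parts.hostname or ""
    return {"userinfo": parts.username, "host_as_written": host,
            "host": decode_host(host), "path": parts.path}


if __name__ == "__main__":
    print(normalize_url("http[://]root[@]1604540625/Main.class"))
```

Feeding the comment's URL through normalize_url() gives userinfo "root" and host 95.163.88.209, the same answer the write-up reached; the function also accepts the hex and octal spellings, so it can sit in front of a blocklist lookup that would otherwise compare the literal string.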
We have also seen these emails for quite a while. Also seen subjects with Xerox WorkCentre and Xerox WorkCentre Pro.
William, Slowpoke, Avenger -

You are allowing emails purporting to be from your domain (but not!) to be accepted by your mail servers? Hint: SPF and DKIM have been defending against mail forgery like this for a long time. Might want to try it before complaining about spoofed <yourdomain> emails when there is an effective way to block it completely.
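Putting the last comment into practice on the header samples posted above: the script below is an added example in Python, not code from the diary or from any of the commenters. It parses the message, takes the connecting IP from the topmost Received: header written by our own MTA (everything below that header arrived with the message and can be forged), compares the From: domain with our own, and evaluates a minimal SPF policy. example.com, mx.example.com and the SPF record are assumed values standing in for the commenters' redacted domains; the two sample messages are constructed from the headers they posted. The second sample also shows the caveat that goes with the comment's advice: SPF authenticates the envelope sender (MAIL FROM, recorded as Return-Path), and that sample's envelope sender is at euronet.nl while the From: header names our domain, so our own SPF record never comes into play and it is DMARC alignment that ties the result to the From: domain the user sees.

```python
"""Triage of a "Scan from a HP Officejet" message along the lines of the SPF/DKIM
comment above: find the IP that handed the mail to our MTA, see whose domain the
message claims, and evaluate SPF where that can be done offline.

Added example, not code from the ISC diary or its commenters. SAMPLE_1 and SAMPLE_2
are constructed from the two header samples posted in the comments, with the
organisation's domain replaced by example.com and its MTA by mx.example.com;
SPF_RECORDS holds an assumed policy for example.com."""
import email
import email.utils
import ipaddress
import re

OUR_DOMAIN = "example.com"
OUR_MX = {"mx.example.com"}                        # names our MTAs write into "by"
SPF_RECORDS = {"example.com": "v=spf1 ip4:203.0.113.0/24 -all"}   # assumed; DNS TXT lookup in production

SAMPLE_1 = """\
Received: from [117.242.0.20] ([117.242.0.20]) by mx.example.com with SMTP;
  Wed, 19 Oct 2011 09:10:58 PDT
Received: from [117.242.0.20] by mx.example.com; Wed, 19 Oct 2011 03:40:58 +0530
From: <support@example.com>
Subject: Re: Scan from a HP Officejet #460647
Date: Wed, 19 Oct 2011 03:40:58 +0530
"""
SAMPLE_2 = """\
Return-Path: <AmyRynes@euronet.nl>
Received: from 18913056101.user.veloxzone.com.br (unverified [189.13.56.101]) by mx.example.com
  with SMTP id B0004477005 for <support@example.com>; Wed, 19 Oct 2011 12:09:56 -0400
From: <hp@example.com>
Subject: Scan from a HP Officejet #297450
"""

IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
LURE = re.compile(r"scan from .*(officejet|workcentre)", re.I)
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def domain_of(header_value):
    """Lower-cased domain of the first address in a header value ('' if none)."""
    return email.utils.parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def connecting_ip(msg, our_mx=OUR_MX):
    """IP of the peer that connected to one of our MTAs, from the topmost Received:
    header one of our hosts wrote. Received: lines below it arrived with the message
    and may be forged (SAMPLE_1's second one carries the same +0530 time as Date:)."""
    for rcv in msg.get_all("Received", []):
        rcv = " ".join(rcv.split())                    # unfold continuation lines
        m = re.match(r"from (?P<from>.+?) by (?P<by>\S+)", rcv, re.I)
        if m and m.group("by").rstrip(";").lower() in our_mx:
            ips = IPV4.findall(m.group("from"))
            if ips:
                return ipaddress.ip_address(ips[-1])   # the bracketed literal the MTA observed
    return None


def spf_check(ip, record):
    """Minimal SPF: ip4:/ip6:/all mechanisms only. No DNS is consulted, so a, mx,
    include, ptr and exists yield 'unevaluated'; RFC 7208 has the full algorithm."""
    ip = ipaddress.ip_address(ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qual = "+"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        name, _, arg = term.lower().partition(":")
        if name in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIER[qual]
        elif name == "all":
            return QUALIFIER[qual]
        else:
            return "unevaluated"
    return "neutral"                                   # nothing matched and no 'all'


def triage(raw, our_domain=OUR_DOMAIN, our_mx=OUR_MX, spf_records=SPF_RECORDS):
    """Indicators found in one raw message, plus a verdict."""
    msg = email.message_from_string(raw)
    from_domain = domain_of(msg.get("From"))
    # SPF authenticates the envelope sender (MAIL FROM, recorded as Return-Path),
    # not the From: header the user reads; fall back to From: if none was recorded.
    envelope_domain = domain_of(msg.get("Return-Path")) or from_domain
    ip = connecting_ip(msg, our_mx)
    record = spf_records.get(envelope_domain)
    spf = spf_check(ip, record) if ip is not None and record else "unevaluated"
    findings = []
    if from_domain == our_domain:
        findings.append("From: header claims our own domain")
        if envelope_domain != from_domain:
            # SPF is judged against the envelope domain's record; only DMARC
            # alignment ties that result back to the From: domain the user sees.
            findings.append("envelope sender %s does not align with From:" % envelope_domain)
    if spf in ("fail", "softfail"):
        findings.append("SPF %s: %s is not an authorised sender for %s" % (spf, ip, envelope_domain))
    if LURE.search(msg.get("Subject", "")):
        findings.append("Subject matches the printer-scan lure")
    verdict = "reject" if spf == "fail" else "quarantine" if findings else "deliver"
    return {"from_domain": from_domain, "envelope_domain": envelope_domain,
            "connecting_ip": str(ip), "spf": spf, "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for sample in (SAMPLE_1, SAMPLE_2):
        print(triage(sample))
```

Run as a script it prints the triage of both samples: the first fails SPF outright under the assumed "-all" record and is rejected, while the second, whose envelope sender is euronet.nl, is only quarantined on the From: and subject indicators. A "~all" (softfail) record would downgrade the first case to quarantine as well, which is the usual argument for moving to "-all" once every legitimate sender is listed.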
