SANS ISC: Some interesting SSL SPAM - SANS Internet Storm Center

A few people have mentioned (thanks Luke, Anon, et al.) that they have started receiving SPAM messages along the following lines:

On October 16, 2009 server upgrade will take place. Due to this the system may be offline for approximately half an hour.
The changes will concern security, reliability and performance of mail service and the system as a whole. 
For compatibility of your browsers and mail clients with upgraded server software you should run SSl certificates update procedure.
This procedure is quite simple. All you have to do is just to click the link provided, to save the patch file and then to run it from your computer location. That's all.

http://evil-link/evil-file

Thank you in advance for your attention to this matter and sorry for possible inconveniences.

Not sure what the evil is, as the links I received have been dead, so if you do receive one of these messages please let us know. If you follow the link, be prepared for surprises and do it on a system that you do not care about (and that does not mean the computer belonging to the annoying fellow/gal sitting two desks away).

One of the reasons I like this is that to many people it would seem quite plausible, especially if they are running an internal CA at the site. They may have received messages like this from their own support desk. So in a targeted attack this could work quite nicely. The English isn't bad either.

UPDATE

The sample file we received was named patch.exe, MD5 9abc553703f4e4fedb3ed975502a2c7a.
It has ZBOT characteristics: trojan, keylogger, disables AV.
http://www.threatexpert.com/report.aspx?md5=9abc553703f4e4fedb3ed975502a2c7a
If you have a sample with a different hash, please upload it through the contact form.

UPDATE 2

In the samples received, the URL used in the message typically has a component relating to the organisation itself, e.g. http://something.<yourcompanydomain>.thehostingdomain/somefile.aspx. Embedding the company domain makes it look a little more legitimate to the user.

Mark H, ISC Handler
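One way to catch the UPDATE 2 pattern at a mail gateway is to flag any URL whose host contains the organisation's own domain as a run of labels while actually being registered under a different domain. This is an added illustration for this diary, not ISC code; example.com, the sample body and the "last two labels" heuristic are assumptions (admin-data.net is the hosting domain from the first comment below).

```python
"""Flag URLs in a mail body whose host embeds the recipient's own domain as a
subdomain of some other registered domain (the pattern described in UPDATE 2).
Constructed example; assumes plain-text bodies and treats the last two DNS
labels as the registrable domain, which is too crude for names like .co.uk."""
import re
from urllib.parse import urlparse

# Crude URL matcher for plain-text mail (constructed for this example).
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Last two labels: 'updates.example.com.secure.1-admin.com' -> '1-admin.com'."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def is_lookalike_host(host: str, company_domain: str) -> bool:
    """True when company_domain occurs as a run of labels inside host while the
    host is really registered under some other domain."""
    host = host.lower().rstrip(".")
    company = company_domain.lower().rstrip(".")
    if host == company or host.endswith("." + company):
        return False  # a genuine host under the company's own domain
    labels, needle = host.split("."), company.split(".")
    n = len(needle)
    return any(labels[i:i + n] == needle for i in range(len(labels) - n + 1))


def suspicious_urls(body: str, company_domain: str) -> list:
    """Return (url, registrable_domain) for each look-alike URL in body; the
    second item is the name an analyst would actually block or look up."""
    hits = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;)")  # trailing sentence punctuation
        host = urlparse(url).hostname or ""
        if is_lookalike_host(host, company_domain):
            hits.append((url, registrable_domain(host)))
    return hits


# Constructed sample modelled on the quoted message; example.com stands in for
# the targeted organisation, admin-data.net is the hosting domain from the post.
SAMPLE_BODY = """...you should run SSL certificates update procedure.

http://updates.example.com.secure.admin-data.net/ssl/id=731758587-admin@example.com-patch66701.aspx

The real webmail at https://mail.example.com/owa/ is unaffected.
"""

if __name__ == "__main__":
    for url, apex in suspicious_urls(SAMPLE_BODY, "example.com"):
        print(f"look-alike host, registered under {apex}: {url}")
```

Note that the variant quoted in a later comment, which puts company.com directly in the host, is not caught by this check; that one needs a resolution or sender-authentication check rather than a name heuristic.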
I too received it yesterday:
Attention!

On October 16, 2009 server upgrade will take place. Due to this the system may be offline for approximately half an hour.
The changes will concern security, reliability and performance of mail service and the system as a whole.
For compatibility of your browsers and mail clients with upgraded server software you should run SSl certificates update procedure.
This procedure is quite simple. All you have to do is just to click the link provided, to save the patch file and then to run it from your computer location. That's all.

http://updates.<mysite>.com.secure.admin-data.net/ssl/id=731758587-admin@<mysite>.com-patch66701.aspx

Thank you in advance for your attention to this matter and sorry for possible inconveniences.


System Administrator
Anonymous
Yeah, we got it too. Verbatim to the above comment. Ran a ThreatExpert on the file. Hope it helps. http://www.threatexpert.com/report.aspx?md5=174aeb93b8d642c2cddfd9c50b0015c9
Anonymous
Our company too received this exact spam. It was scary because our domain name was listed in the subdomain of the URL, and the content is very deceptive as everyone trusts their IT staff. Also there was only one email message like this sent to us, and it was sent to a legitimate address that only got tagged by our spam filter appliance. This makes me term this a "laser email attack". I got some archived Linux whois and nslookup queries along with the entire email header if you'd like to look at it. Here are some rough details on the email I wrote up yesterday for my own purposes...

A server (IP based in Indonesia) sends one email message to the legitimate email address legitimateemail@mycompanydomain.com. (Note the obfuscation of "legitimateemail" and "mycompanydomain.com" for the rest of this message.) It is sent from the email address alex@fm-ip-118.127.223.59.fast.net.id

This email message spoofs the sender email address so that the sender looks like "admin@mycompanydomainname.com"

This email message alerts/tricks the email reader that there is a server upgrade and you will need to click on a link to update your computer. The body of the message is signed with simply "System Administrator".

Inside the body of the message there is a link. This link points to http:||updates.mycompanydomain.com.secure.1-admin.com|mail|id=<10digitID>-legitimateemail@mycompanydomainname.com-patch407574.exe. Several hours after the email came in, from a Linux machine I proved that the URL worked and my browser attempted to download this .exe file. This subdomain is of particular importance because the Internet is recognizing the subdomain "updates.mycompanydomain.com", which means either the Internet (DNS servers) has been tricked to resolve this or a malicious user has actually taken the time to register an updates.mycompanydomain.com subdomain under their domain name root.

The root domain 1-admin.com is owned by a Turkish company. The whois explains that it is a Turkish national policy to not disclose certain information in the public whois, so I cannot get the CIDR block for firewall blocking purposes. This domain name has also only been registered since 10/6/09 (6 days ago) and just for one year.

1-admin.com uses Russian (.ru) DNS servers.

The IP address that updates.mycompanydomain.com.secure.1-admin.com currently resolves to is 212.117.177.108, and this IP is regionally located in Steinsel, Luxembourg.

Countries involved: Indonesia, Turkey, Russia, Luxembourg
Anonymous
What have the subjects of these emails been?
Anonymous
The Subject I have seen the most of is: "Read carefully:Mail System Upgrade". (no quotes).
Anonymous
The one email we received and I referred to above had the Subject of, "Please note!" (no quotes).
Anonymous
Just blogged about this as well. http://www.cybersec.eu/?p=244
Anonymous
Same attack, different email. I just started seeing these a few hours ago.

"Dear user of the company.com mailing service!

We are informing you that because of the security upgrade of the mailing service your mailbox (somebody@company.com) settings were changed. In order to apply the new set of settings click on the following link:

http://company.com/owa/service_directory/settings.php?email=somebody@company.com&from=company.com&fromname=somebody

Best regards, company.com Technical Support.
Anonymous
About subdomains of 1-admin.com.
DNS resolves *.1-admin.com to the same IP, thereby making all different kinds of "subdomains" possible.
1-central.com is another domain used.

Cheers