Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Targeting OWA users - A report from the Mailbag - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Targeting OWA users - A report from the Mailbag

We received a report from Ted of an email campaign targeting OWA users that leads to malware infections, thanks Ted!

UPDATE:  Additional information has been provided, there are changing "Subject;" lines and changing obfuscated links for users.

"The Help Desk forwarded me a new version of a SPAM / Spyware  e-mail. It makes it look like the recipient is getting an auto response from our e-mail system and wants them to click on a link.  Once you go to the website it asked you to download and install an exe that will fix your issue.  Of course this is nothing but a Trojan that will only help out the bad guys!  Below I have included a sample of the e-mail and the site it goes to. 
 
When you review the SPAM, notice the link that is displayed shows it is from our.org but the actual hyper link is to our.org.molendf.co.kr.  I have traced the IP and am blocking it so if others get through the SPAM filter our users will not be able to get to the site.  The Hyperlink is disabled in the copy below.

I submitted the file to VirusTotal to see what they found and it is very new.  They first received it yesterday.  McAfee’s latest DAT file does not see it but the Artemis part will detect it.  I have included that data and links to VirusTotal if you want to check it out".
 
From: notifications@our.org [mailto:notifications@our.org]
Sent: Friday, January 08, 2010 09:06 AM
To: Targeted User (at our.org)
Subject: For the owner of the targeteduser@our.org mailbox
 
Dear user of the our.org mailing service!
 
We are informing you that because of the security upgrade of the mailing service your mailbox (targeted.user@our.org) settings were changed. In order to apply the new set of settings click on the following link:
 
httx://our.org/owa/service_directory/settings.php?email=targeted.user@our.org&from=our.org&fromname=targeted.user
 
Best regards, Our.org Technical Support.
 
Letter ID#DRYCFEDYU4NUKP7MFGG
 
VirusTotal’s Scan of the file I uploaded today:
File settings-file.exe received on 2010.01.08 15:13:58 (UTC)
Current status: Loading ...
queuedwaitingscanningfinishedNOT FOUNDSTOPPED
Result: 17/41 (41.47%)

McAfee
5854
2010.01.07
-
McAfee+Artemis
5854
2010.01.07
Artemis!3025B97428A1
McAfee-GW-Edition
6.8.5
2010.01.08
Heuristic.BehavesLike.Win32.Trojan.H

VirusTotal’s archived scan when the first received the file:
 
 
File settings-file.exe received on 2010.01.08 12:24:53 (UTC)
Current status:
finished
Result: 16/41 (39.02%)
 
ThreatExpert Report

Patrick

193 Posts
I attended a talk last month on "webmail spam" given by Steve Romig of The Ohio State University. I'll admit I had no idea what he was going to talk about but he is a very interesting fellow and everyone in the room learned about this problem. His presentation is found at http://cio.uiowa.edu/ITsecurity/awarenesseducation/sec1109/2009-11-18-phish-iowa.pdf

It seems OSU and other universities are getting slammed by hackers compromising their accounts and using them to send out spam via their OWA system. It was causing their domain to get put on antispam blacklists.

Since the accounts are domain accounts, the attackers also were using them for remote access and other things. The graphs are astounding. They had several hundred compromised accounts at any one time. And their students do not use their system, just faculty and staff.
Anonymous
Posts

Sign Up for Free or Log In to start participating in the conversation!