
Attention! Spammers have got smarter and have reached the freelancers

One day I received a letter with a job offer. Nothing about it looked wrong: a loosely worded job offer on an ordinary topic, apparently written to me personally; in short, nothing suspicious. But it was spam, and, as it turned out, not an isolated case, so I hasten to warn you: people on weblancer.net and free-lance.ru have already responded to it.

How it all began.


On weblancer.net my e-mail address is listed in my profile. That seemed harmless enough: profiles are not visible to guests... But no.
A letter arrived at the mailbox given in that profile. Its content was completely harmless, but the offer did not interest me at all: first, the subject matter is not my field, and second, I am already so busy that taking on anything else on top of my daily work is out of the question.
Actually, here is the text of the first message (the full letter with its headers is reproduced at the end of this post):

Hello.
I need to translate the text from a site.
The subject is medicine. Here is the old site: www.osteomed-spb.narod.ru
The new site will be ready within 2 weeks; by then I need all the articles that will be posted on the site translated.
Some of the articles can be downloaded here: narod.ru/disk/17109516000/parati.rar.html
I am interested in the cost of the work and the deadlines.
Krestina Lyudmila Sergeevna.


As one does in such cases, I replied to the author (suspecting nothing) that I could not help, gave the address of a friend who specializes in this kind of work, and forgot about it. Only some time later did I realize that this was a mistake. It is quite natural that after reading such a letter the recipient responds to it, either simply out of courtesy (if he cannot take the proposed job) or with a price and a deadline. In this case the reply most likely served as the trigger that set the spam machine in motion.

Outset


But that was not the end of it. I received another letter, from which it was clear that either something was fishy or the author was simply a foolish woman. [I apologize to all the fair sex for such rudeness.]
The text of the message is completely harmless (again, the full letter is given at the end of the post):

Hello.
Sorry, I sent you the wrong link.
Here is the link: slil.ru/28530892
Krestina Lyudmila Sergeevna.


What confused me.


The message would have made sense if I had tried to follow the link in the first letter, failed, and written back that the link did not work. Or even if I had not followed the link at all but had replied with a price for the job. In general, it does not matter what the reply says; the main thing is that one was sent, so the mailbox is now counted as live... However, I had clearly stated in my reply that I could not take the job. That was what first alerted me. The thought flashed through my mind: "What kind of customer is this persistent?" And what I liked least of all was that no reason was given for that persistence.

Denouement


I decided to dig a little. I did not have to go far: I looked at the source of the letter. At first glance everything was clean and tidy. On my first look I skipped the "Received:" block because of its size (with spam it usually lists N open relays). Then, on a second pass, reading the lines and between the lines, I noticed an interesting fact:

Return-path: <osteomed-spb@yandex.ru>
Received: from [206.190.52.173] (port=35993 helo=smtp104.biz.mail.re2.yahoo.com)
by mx81.mail.ru with esmtp
id 1NYL0t-000Kj8-00
for to_friends@mail.ru; Fri, 22 Jan 2010 18:01:31 +0300
Received-SPF: softfail (mx81.mail.ru: transitioning domain doesn't designate 206.190.52.173 as permitted sender) client-ip=206.190.52.173; envelope-from=osteomed-spb@yandex.ru; helo=smtp104.biz.mail.re2.yahoo.com;

...

Received: from d51535928.access.telenet.be (osteomed-spb@81.83.89.40 with login)
by smtp104.biz.mail.re2.yahoo.com with SMTP; 22 Jan 2010 06:54:49 -0800 PST


What I saw was enough to convince me that my suspicions were correct.

The first Google result for that IP address was an article that refreshed my memory:
206.190.52.173 is Yahoo's SMTP server. Attackers use the server's address together with account details to connect to it: 206.190.52.173 is the server's IP address, and they connect to it effortlessly with login data of the form email@example.com@206.190.52.173.

Any doubt that this was spam had left me.
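To show how the header evidence above can be checked mechanically rather than by eye, here is an added Python example (it is not from the original post). It parses the relevant headers of the second letter, reads the Received-SPF verdict and the envelope-from domain, finds the authenticated ("with login") submission hop, and reports the contradiction between the claimed sender domain and the relay that accepted the login. The header sample is constructed from the post's own headers, and the domain-suffix comparison is a simple heuristic chosen for this example.

```python
import re
from email import message_from_string

# Constructed sample: the relevant headers of the second letter quoted in the post.
SAMPLE = """Return-path: <osteomed-spb@yandex.ru>
Received: from [206.190.52.173] (port=35993 helo=smtp104.biz.mail.re2.yahoo.com)
 by mx81.mail.ru with esmtp id 1NYL0t-000Kj8-00
 for to_friends@mail.ru; Fri, 22 Jan 2010 18:01:31 +0300
Received-SPF: softfail (mx81.mail.ru: transitioning domain doesn't designate
 206.190.52.173 as permitted sender) client-ip=206.190.52.173;
 envelope-from=osteomed-spb@yandex.ru; helo=smtp104.biz.mail.re2.yahoo.com;
Received: (qmail 51685 invoked from network); 22 Jan 2010 14:54:50 -0000
Received: from d51535928.access.telenet.be (osteomed-spb@81.83.89.40 with login)
 by smtp104.biz.mail.re2.yahoo.com with SMTP; 22 Jan 2010 06:54:49 -0800 PST
From: "Osteomed" <osteomed-spb@yandex.ru>
Subject: www.weblancer.net

Hello.
"""

# An authenticated-submission hop as Yahoo's SMTP writes it: who logged in, from where, via which relay.
LOGIN_HOP = re.compile(r"from (\S+) \((\S+)@(\d+\.\d+\.\d+\.\d+) with login\) by (\S+)")


def analyze_headers(raw):
    """Extract the SPF verdict, the envelope sender domain and every 'with login'
    hop, and report where they contradict each other."""
    msg = message_from_string(raw)
    spf = " ".join(msg.get("Received-SPF", "none").split())  # unfold the header
    spf_result = spf.split()[0].lower()
    m = re.search(r"envelope-from=([^;\s]+)", spf)
    env_domain = m.group(1).rsplit("@", 1)[-1].lower() if m else None
    findings = []
    if spf_result in ("fail", "softfail"):
        findings.append(f"SPF {spf_result}: the relay is not authorised to send for {env_domain}")
    hops = []
    for hop in msg.get_all("Received", []):
        m = LOGIN_HOP.search(" ".join(hop.split()))
        if not m:
            continue  # MX-to-MX hops carry no login; only submission hops matter here
        client, user, ip, relay = m.groups()
        hops.append({"client": client, "user": user, "ip": ip, "relay": relay})
        # Heuristic: mail that claims to come from yandex.ru should not be handed in
        # through a login on an unrelated provider's submission server.
        if env_domain and not relay.endswith("." + env_domain):
            findings.append(f"{user} logged in to {relay} from {client} ({ip}) "
                            f"to send mail claiming to be from {env_domain}")
    return {"spf": spf_result, "envelope_domain": env_domain,
            "login_hops": hops, "findings": findings}
```

Run `analyze_headers(SAMPLE)["findings"]` to get the two findings for the post's letter; a message whose SPF passes and whose login relay belongs to the sender's own domain yields none.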

But curiosity got the better of me. With extreme caution I followed the last link. It pointed to an archive, T.rar. Nothing alarming so far, but it gets more interesting:
[Screenshot: archive contents]
I think there is no need to explain what this TK is...
The second file, or rather shortcut, is also a gem:
[Screenshot: archive contents]

DrWeb 5.0.1.12222 2010.01.22 Trojan.MulDrop.60130
Kaspersky 7.0.0.125 2010.01.22 Trojan-PSW.Win32.WebMoner.nl
NOD32 4797 2010.01.22 Win32/TrojanDropper.Delf.NRR

Below are the original letters in full (in case anyone is interested).

- = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = -
From - Thu Jan 21 11:30:28 2010
X-Account-Key: account1
X-UIDL: 1264057825436
X-Mozilla-Status: 0003
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Return-path: <osteomed-spb@yandex.ru>
Received: from [206.190.52.173] (port=34570 helo=smtp104.biz.mail.re2.yahoo.com)
by mx86.mail.ru with esmtp
id 1NXrBQ-000LUy-00
for to_friends@mail.ru; Thu, 21 Jan 2010 10:10:24 +0300
Received-SPF: softfail (mx86.mail.ru: transitioning domain does not designate 206.190.52.173 as permitted sender) client-ip=206.190.52.173; envelope-from=osteomed-spb@yandex.ru; helo=smtp104.biz.mail.re2.yahoo.com;
X-Mru-BL: 0:4:0
X-Mru-PTR: off
X-Mru-NR: 1
X-Mru-OF: unknown (ethernet/modem)
X-Mru-RC: US
Received: (qmail 23718 invoked from network); 21 Jan 2010 06:43:43 -0000
Received: from 78-21-52-174.access.telenet.be (osteomed-spb@78.21.52.174 with login)
by smtp104.biz.mail.re2.yahoo.com with SMTP; 20 Jan 2010 22:43:42 -0800 PST
X-Yahoo-SMTP: OGyL7BeswBAyEJCfyh3zpU0Ux00x
X-YMail-OSG: WTKuh7QVM1nrQKJgkpvMz8tKkMLUsVbU_7WmyKXpqW8huF3P.Hr4KALgp_rRJ_11_ZVfz_NRRKNGv85caw4QtnAnPaMwxoioUpiMTKuBgMTCM1WUYvAzHGAULqK24ACPgAGq6c93ncPofDDqhzAB0Fziu7YiETTGegojHj.AL8pjBi4HlsrA17mpje6CTdw5e6mnXd8vu6hhaHgeoWFzWc9CnYF7YlArFHE9PgpkYjMp_zW.6Il71SGNQcCYNLWFX_.367K7idAq.FRW1h9CEkkAc3tJvs.7tmeqCuSQVGPjKvAs_LtTkCJ5PQ18WGhEalI3a61m4a1CdHZE7a0xj70qecpCvWgznr10jjp2U9WTqZ.bUjkZhiu88azIxNUZ0EfIY.sZJD62a4m16J1HIrRZblO6CVISrokLFbcZNVBJdD4pkg2HwanaSlyTdYEX8KIK7jhHahLQ7VCDawCBI5xIGiJ.VpLduYXrlS7n33yhNKNqTwZo.NI-
X-Yahoo-Newman-Property: ymail-3
Message-ID: <00f43f29-40199-02794053716319@user>
Reply-To: "Osteomed" <osteomed-spb@yandex.ru>
From: "Osteomed" <osteomed-spb@yandex.ru>
To: to_friends@mail.ru
Subject: www.weblancer.net
Date: Thu, 21 Jan 2010 09:43:44 +0300
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-Mailer: Power Sending Sockets v5.1
X-Spam: Not detected
X-Mras: OK

Hello.
I need to translate the text from a site.
The subject is medicine. Here is the old site: www.osteomed-spb.narod.ru
The new site will be ready within 2 weeks; by then I need all the articles that will be posted on the site translated.
Some of the articles can be downloaded here: narod.ru/disk/17109516000/parati.rar.html
I am interested in the cost of the work and the deadlines.
Krestina Lyudmila Sergeevna.

.

Second letter:

- = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = -
From - Fri Jan 22 18:02:21 2010
X-Account-Key: account1
X-UIDL: 1264172491218
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Return-path: <osteomed-spb@yandex.ru>
Received: from [206.190.52.173] (port=35993 helo=smtp104.biz.mail.re2.yahoo.com)
by mx81.mail.ru with esmtp
id 1NYL0t-000Kj8-00
for to_friends@mail.ru; Fri, 22 Jan 2010 18:01:31 +0300
Received-SPF: softfail (mx81.mail.ru: transitioning domain doesn't designate 206.190.52.173 as permitted sender) client-ip=206.190.52.173; envelope-from=osteomed-spb@yandex.ru; helo=smtp104.biz.mail.re2.yahoo.com;
X-Mru-BL: 0:4:0
X-Mru-PTR: off
X-Mru-NR: 1
X-Mru-OF: unknown (ethernet/modem)
X-Mru-RC: US
Received: (qmail 51685 invoked from network); 22 Jan 2010 14:54:50 -0000
Received: from d51535928.access.telenet.be (osteomed-spb@81.83.89.40 with login)
by smtp104.biz.mail.re2.yahoo.com with SMTP; 22 Jan 2010 06:54:49 -0800 PST
X-Yahoo-SMTP: OGyL7BeswBAyEJCfyh3zpU0Ux00x
X-YMail-OSG: BcrH8xMVM1kKujC9WqJobThlV9hR32uh0usEbHcIRRYBjf9..mfgT8yxGdAHmfIjkqEKFK63wk1JRkK0tRwOeXmDDCSSfYjwiL5k3rmg7nGCAYgkvTtO2 ._ edkzutGdlmvZi7vi6ghfOG9mAP74KhNarlXPxVo0JH7ivUqeIxkOv1KVXDXYoYywkCNALAnb6TKc1s1qUhcDkOE1GfQ9h2LXu_MYEEa_YbYMCV2VJXz27qBitB96fIj7Xj8QFLRW_Y8CZ0mXzv3ra5oPdV7LaBAHd9WvgjFrDfMIN3JbM7f_yHWBwAVb2lNaowfzo2bnZMqdnbmI3uQ70jr1N9qNs1ykAlSKfEFyLWMYqJCbviUwlO84Yh3h6Y4iOhG6jcVRBxmHU.FFhWvh2Ta4Q5N.5pFXtH2f4bI.UoCV_pj7ht5Ik.wUYFeHZRIzGEb27QXRQ5jI2LAuCEMqFHUE9hK8EPirq.PJOw.VLra8M7Pr4nbh30SyHpwYhrfYZg--.
X-Yahoo-Newman-Property: ymail-3
Message-ID: <00f43916-40200-01b67464373495@user>
Reply-To: "Osteomed" <osteomed-spb@yandex.ru>
From: "Osteomed" <osteomed-spb@yandex.ru>
To: to_friends@mail.ru
Subject: www.weblancer.net
Date: Fri, 22 Jan 2010 17:54:52 +0300
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-Mailer: Power Sending Sockets v5.1
X-Spam: Not detected
X-Mras: OK

Hello.
Sorry, I sent you the wrong link.
Here is the link: slil.ru/28530892
Krestina Lyudmila Sergeevna.

.

- = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = -


This was not a one-off attack.
And finally, the point of this post: pay attention, and consider yourselves warned once more. The spammer does not sleep; the spammer is getting smarter.

Sincerely, Andrei Kumanyaev.

upd:
According to unverified information from lmaster, the virus has the following functionality:
1) The program records all keystrokes (keylogger).
2) The malware steals login data from the following programs:
- QIP
- Mail.ru Agent
- Total Commander
- SmartFTP
- Outlook
- ICQ
- The Bat!
- WebMoney
- Firefox
- IE
- Opera
3) The program sends all of this to the following sites:
sitysan.hmsite.net/upload.php
chikoss.hmsite.net/upload.php

Source: https://habr.com/ru/post/81629/

