Blog for hpHosts, and whatever else I feel like writing about ....

Thursday 8 December 2011

Fake Firefox e-mail leading to SpyEye trojan

This little chap arrived in my spam box today and almost got overlooked (I was checking the newest e-mails leading to the Blackhole exploit, one of which couldn't decide if it was from LinkedIn or the FDIC), and, not surprisingly, is fake.

The payload, all 593KB of it, infects the unwitting victim with the SpyEye trojan. VirusTotal (VT) detection is utterly rubbish of course, with only 2 vendors detecting it.

http://www.virustotal.com/file-scan/report.html?id=5aad76afe0ee8121bd53d8137f6542ae56ac30ec34a9e6da19310d452093ad10-1323373580

Quite why Sophos is calling it Ropian is puzzling.

The URL you're linked to is on a FastHosts IP, and redirects to a different folder on the same server to download the actual payload.

hxxp://static77-68-16-117.live-dsl.net:8887/firefox-update1/pi73rjvy
--> hxxp://static77-68-16-117.live-dsl.net:8887/upd4/firefox-8.0.1.exe


IP: 77.68.16.117
IP PTR: static77-68-16-117.live-dsl.net
ASN: 15418 77.68.0.0/17 FASTHOSTS-INTERNET Fasthosts Internet Ltd. Gloucester, UK

E-mail body (for those of us who use plain text):

Facebook <http://static77-68-16-117.live-dsl.net:8887/firefox-update1/pi73rjvy>

<http://static77-68-16-117.live-dsl.net:8887/firefox-update1/pi73rjvy>

Facebook recommends that you upgrade to the
faster and smarter Firefox 8.

Get It Now <http://static77-68-16-117.live-dsl.net:8887/firefox-update1/pi73rjvy>

Introducing the new and improved Firefox 8, optimized for Facebook

• Browse faster than the previous version of Firefox.

• Easily organize and arrange your tabs into groups.

• Get on-the-go access to your saved Firefox settings across multiple computers.

• Access the new Facebook features as profile viewers and much more!

Get your free upgrade now <http://static77-68-16-117.live-dsl.net:8887/firefox-update1/pi73rjvy> .

Already upgraded? Thank you.

Facebook

All your favorite stuff, all in one place. Make Facebook your home <http://static77-68-16-117.live-dsl.net:8887/firefox-update1/pi73rjvy> .

Visit Firefox on Facebook   <http://static77-68-16-117.live-dsl.net:8887/firefox-update1/pi73rjvy>

Share:  <http://static77-68-16-117.live-dsl.net:8887/firefox-update1/pi73rjvy> <http://static77-68-16-117.live-dsl.net:8887/firefox-update1/pi73rjvy> <http://static77-68-16-117.live-dsl.net:8887/firefox-update1/pi73rjvy>

Mozilla, Firefox, and the Firefox logo are trademarks or registered trademarks of Mozilla..

Update Marketing Preferences <http://static77-68-16-117.live-dsl.net:8887/firefox-update1/pi73rjvy>    |   Privacy Policy <http://static77-68-16-117.live-dsl.net:8887/firefox-update1/pi73rjvy>    |    Web Beacons in Email <http://static77-68-16-117.live-dsl.net:8887/firefox-update1/pi73rjvy>

RefID: sr-12012817

E-mail headers:

Return-Path: <updater@pi73rjvy.firefoxx.com>
Delivered-To: darren@it-mate.co.uk
X-Spam-Flag: YES
X-Spam-Score: 1.443
X-Spam-Level: *
X-Spam-Status: Yes, score=1.443 tagged_above=-9999 required=1.3
tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, HTML_MIME_NO_HTML_TAG=0.377,
MIME_HTML_ONLY=0.723, MIME_HTML_ONLY_MULTI=0.001, MPART_ALT_DIFF=0.79,
RCVD_IN_BRBL_LASTEXT=1.449, SPF_FAIL=0.001, WEIRD_PORT=0.001]
autolearn=no
Received: from mail.erieconstruction.net (erieconstruction.net [72.240.57.234])
by mail4.emailconfig.com (Postfix) with ESMTP id 33D76398366
for <darren@it-mate.co.uk>; Thu, 8 Dec 2011 02:35:20 +0000 (GMT)
Received: from mail.alpinspire.com (mail.alpinspire.com [71.33.236.177])
(authenticated bits=0)
by mail.erieconstruction.net (8.14.4/8.14.3) with ESMTP id pB82kgOX025376
for <darren@it-mate.co.uk>; Wed, 7 Dec 2011 21:46:50 -0500
Date: Wed, 7 Dec 2011 21:46:50 -0500
Message-Id: <201112080246.pB82kgOX025376@mail.erieconstruction.net>
Content-Type: multipart/alternative; boundary="===============0038370588=="
MIME-Version: 1.0
Subject: [SPAM] Introducing the new and improved Firefox 8, optimized for
Facebook. 72.240.41.100
From: "Mozilla Firefox" <updater@pi73rjvy.firefoxx.com>
To: undisclosed-recipients:;
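As an added illustration, not part of the original post: the Python below takes a constructed, cut-down copy of the headers and one body link quoted above and pulls out the signals a mail-triage script would flag on this message: the SpamAssassin test list (SPF_FAIL, WEIRD_PORT), a display name claiming a brand that the sending domain firefoxx.com does not belong to, and links served on a non-standard port. BRAND_DOMAINS is an assumption about Mozilla's legitimate sending domains.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample: headers and one body link quoted in the post, trimmed to what the checks use.
SAMPLE = """X-Spam-Status: Yes, score=1.443 tagged_above=-9999 required=1.3
 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_BRBL_LASTEXT=1.449,
 SPF_FAIL=0.001, WEIRD_PORT=0.001] autolearn=no
From: "Mozilla Firefox" <updater@pi73rjvy.firefoxx.com>
Content-Type: text/plain

Get It Now <http://static77-68-16-117.live-dsl.net:8887/firefox-update1/pi73rjvy>
"""
# Assumed: the domains a genuine Mozilla/Firefox mailing would be sent from.
BRAND_DOMAINS = {"firefox": ("mozilla.org", "mozilla.com"), "mozilla": ("mozilla.org", "mozilla.com")}

def spam_tests(status):
    """Parse the tests=[...] list of a SpamAssassin X-Spam-Status header into {name: score}."""
    m = re.search(r"tests=\[(.*?)\]", status, re.S)   # list may be folded over several lines
    if not m:
        return {}
    pairs = (t.strip().split("=", 1) for t in m.group(1).split(","))
    return {name: float(score) for name, score in pairs}

def brand_mismatch(from_header):
    """True when the display name claims a brand but the sender domain is none of that brand's."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()           # pi73rjvy.firefoxx.com in the sample
    for brand, good in BRAND_DOMAINS.items():
        if brand in name.lower() and not any(domain == d or domain.endswith("." + d) for d in good):
            return True
    return False

def odd_port_links(body):
    """Return (url, port) for each angle-bracketed link that is not on the standard HTTP(S) ports."""
    urls = re.findall(r"<(https?://[^>\s]+)>", body)
    return [(u, urlsplit(u).port) for u in urls if urlsplit(u).port not in (None, 80, 443)]

def triage(raw):
    """Summarise the phishing signals of one raw message: spam tests, SPF, sender brand, link ports."""
    msg = message_from_string(raw)
    tests = spam_tests(msg.get("X-Spam-Status", ""))
    return {
        "tests": tests,
        "spf_fail": "SPF_FAIL" in tests,
        "brand_mismatch": brand_mismatch(msg.get("From", "")),
        "odd_port_links": odd_port_links(msg.get_payload()),
    }
```

On the sample above, triage() reports SPF failure, a brand/domain mismatch on the From header and the single link on port 8887; the same checks run unchanged on any raw message with SpamAssassin headers.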