Blog for hpHosts, and whatever else I feel like writing about ....

Wednesday, 10 September 2008

MediaDefender have been err what now?

Alas it seems the malvelopers want us to think the "other bad guys" are watching us. I read about these e-mails yesterday, but hadn't actually received one myself - now I feel special :o)

As mentioned previously, the e-mail reads:


Dear User!

Your recent internet activity was logged on the following sites:

*    Btjunkie <http://btjunkie.org>
*    SumoTorrent <http://sumotorrent.com/>
*    isoHunt <http://isohunt.com>
*    Btscene <http://www.btscene.com/>
*    Mininova <http://www.mininova.org>
*    Fenopy <http://fenopy.com/>
*    Monova <http://monova.org>
*    Yotoshi <http://yotoshi.com/>
*    GetInvites <http://getinvites.org/>
*    Btmon <http://www.btmon.com/>

We have attached a report about the copyrighted movies, music, softwares you downloaded or searched on these webpages. We strongly advise you to stop any future activities regarding the downloading of illegal content or you can expect prosecution by 17 U.S.C. §§ 512, 1201§1205, 1301§1332; 28 U.S.C. § 4001 laws.

Sincerely,

MediaDefender Inc.


They've also kindly included an attachment (user-B41642-activities.zip) that they claim is a report concerning copyright stuff I've downloaded or searched for on the websites they've referenced (which would be a neat trick considering I've never been on those sites).

This attachment, just like this one, is detected as WORM/Agent.FT.

Needless to say, if you receive an e-mail claiming to come from MediaDefender, delete it (MD should be ignored anyway, in my opinion, and indeed in a lot of others' opinions too).

As usual, the following is the e-mail itself in all its glory.


Exported by: Outlook Export v0.1.2


From: monitoring@mediadefender.com
E-mail:monitoring@mediadefender.com [ 207.171.9.16 - netblk-207-171-9-16.fiberconnexion.com ]
Date: 10/09/2008 13:45:55
Subject: Your illegal internet activities are being logged
**************************************************************************
Links
**************************************************************************

Link: http://mediadefender.com/images/md_logo.gif
    Domain: mediadefender.com
    IP: 207.171.9.16 [ netblk-207-171-9-16.fiberconnexion.com ]
    hpHosts Status: Not Listed
    MDL Status: Not Listed
    PhishTank Status: false

Link: http://mediadefender.com/images/spacer.gif
    Domain: mediadefender.com
    IP: 207.171.9.16 [ netblk-207-171-9-16.fiberconnexion.com ]
    hpHosts Status: Not Listed
    MDL Status: Not Listed
    PhishTank Status: false

Link: http://mediadefender.com/images/btn_about_off.gif
    Domain: mediadefender.com
    IP: 207.171.9.16 [ netblk-207-171-9-16.fiberconnexion.com ]
    hpHosts Status: Not Listed
    MDL Status: Not Listed
    PhishTank Status: false

Link: http://mediadefender.com/images/btn_sep.gif
    Domain: mediadefender.com
    IP: 207.171.9.16 [ netblk-207-171-9-16.fiberconnexion.com ]
    hpHosts Status: Not Listed
    MDL Status: Not Listed
    PhishTank Status: false

Link: http://mediadefender.com/images/btn_p2ppir_off.gif
    Domain: mediadefender.com
    IP: 207.171.9.16 [ netblk-207-171-9-16.fiberconnexion.com ]
    hpHosts Status: Not Listed
    MDL Status: Not Listed
    PhishTank Status: false

Link: http://mediadefender.com/images/btn_p2pmkt_off.gif
    Domain: mediadefender.com
    IP: 207.171.9.16 [ netblk-207-171-9-16.fiberconnexion.com ]
    hpHosts Status: Not Listed
    MDL Status: Not Listed
    PhishTank Status: false

Link: http://mediadefender.com/btn_sep.gif
    Domain: mediadefender.com
    IP: 207.171.9.16 [ netblk-207-171-9-16.fiberconnexion.com ]
    hpHosts Status: Not Listed
    MDL Status: Not Listed
    PhishTank Status: false

Link: http://mediadefender.com/images/btn_news_off.gif
    Domain: mediadefender.com
    IP: 207.171.9.16 [ netblk-207-171-9-16.fiberconnexion.com ]
    hpHosts Status: Not Listed
    MDL Status: Not Listed
    PhishTank Status: false

Link: http://mediadefender.com/images/btn_contact_off.gif
    Domain: mediadefender.com
    IP: 207.171.9.16 [ netblk-207-171-9-16.fiberconnexion.com ]
    hpHosts Status: Not Listed
    MDL Status: Not Listed
    PhishTank Status: false

Link: http://btjunkie.org
    Domain: btjunkie.org
    IP: 93.158.65.211 [ Resolution failed ]
    hpHosts Status: Not Listed
    MDL Status: Not Listed
    PhishTank Status: false

Link: http://sumotorrent.com/
    Domain: sumotorrent.com
    IP: 87.233.179.137 [ - ]
    hpHosts Status: Not Listed
    MDL Status: Not Listed
    PhishTank Status: false

Link: http://isohunt.com
    Domain: isohunt.com
    IP: 208.71.112.30 [ bthub.com ]
    hpHosts Status: Listed
    MDL Status: Not Listed
    PhishTank Status: false

Link: http://www.btscene.com/
    Domain: www.btscene.com
    IP: 213.239.187.52 [ btscene.com ]
    hpHosts Status: Not Listed
    MDL Status: Not Listed
    PhishTank Status: false

Link: http://www.mininova.org
    Domain: www.mininova.org
    IP: 87.233.147.140 [ www.mininova.org ]
    hpHosts Status: Not Listed
    MDL Status: Not Listed
    PhishTank Status: false

Link: http://fenopy.com/
    Domain: fenopy.com
    IP: 208.71.113.234 [ Resolution failed ]
    hpHosts Status: Not Listed
    MDL Status: Not Listed
    PhishTank Status: false

Link: http://monova.org
    Domain: monova.org
    IP: 66.29.46.106 [ Resolution failed ]
    hpHosts Status: Not Listed
    MDL Status: Not Listed
    PhishTank Status: false

Link: http://yotoshi.com/
    Domain: yotoshi.com
    IP: 222.228.121.5 [ s5.IchibaFL100.vectant.ne.jp ]
    hpHosts Status: Not Listed
    MDL Status: Not Listed
    PhishTank Status: false

Link: http://getinvites.org/
    Domain: getinvites.org
    IP: 83.149.109.52 [ nephesus.nshosters.com ]
    hpHosts Status: Not Listed
    MDL Status: Not Listed
    PhishTank Status: false

Link: http://www.btmon.com/
    Domain: www.btmon.com
    IP: 66.29.81.140 [ Resolution failed ]
    hpHosts Status: Not Listed
    MDL Status: Not Listed
    PhishTank Status: false


**************************************************************************
Text Version
**************************************************************************
<http://mediadefender.com/images/md_logo.gif>     
<http://mediadefender.com/images/spacer.gif>     
About Us<http://mediadefender.com/images/btn_about_off.gif>      <http://mediadefender.com/images/btn_sep.gif>      <http://mediadefender.com/images/btn_p2ppir_off.gif>      <http://mediadefender.com/images/btn_sep.gif>      <http://mediadefender.com/images/btn_p2pmkt_off.gif>      <http://mediadefender.com/btn_sep.gif>      News<http://mediadefender.com/images/btn_news_off.gif>      <http://mediadefender.com/images/btn_sep.gif>      Contact Us<http://mediadefender.com/images/btn_contact_off.gif>     
<http://mediadefender.com/images/spacer.gif>     
<http://mediadefender.com/images/spacer.gif>     

Dear User!


Your recent internet activity was logged on the following sites:

*    Btjunkie <http://btjunkie.org>
*    SumoTorrent <http://sumotorrent.com/>
*    isoHunt <http://isohunt.com>
*    Btscene <http://www.btscene.com/>
*    Mininova <http://www.mininova.org>
*    Fenopy <http://fenopy.com/>
*    Monova <http://monova.org>
*    Yotoshi <http://yotoshi.com/>
*    GetInvites <http://getinvites.org/>
*    Btmon <http://www.btmon.com/>

We have attached a report about the copyrighted movies, music, softwares you downloaded or searched on these webpages. We strongly advise you to stop any future activities regarding the downloading of illegal content or you can expect prosecution by 17 U.S.C. §§ 512, 1201§1205, 1301§1332; 28 U.S.C. § 4001 laws.

Sincerely,

MediaDefender Inc.




**************************************************************************
HTML Version
**************************************************************************
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7036.0">
<TITLE></TITLE>
</HEAD>
<BODY>
<!-- Converted from text/plain format -->

<P><FONT SIZE=2> <<A HREF="http://mediadefender.com/images/md_logo.gif">http://mediadefender.com/images/md_logo.gif</A>> <BR>
 <<A HREF="http://mediadefender.com/images/spacer.gif">http://mediadefender.com/images/spacer.gif</A>>  <BR>
 About Us<<A HREF="http://mediadefender.com/images/btn_about_off.gif">http://mediadefender.com/images/btn_about_off.gif</A>>     <<A HREF="http://mediadefender.com/images/btn_sep.gif">http://mediadefender.com/images/btn_sep.gif</A>>   <<A HREF="http://mediadefender.com/images/btn_p2ppir_off.gif">http://mediadefender.com/images/btn_p2ppir_off.gif</A>>    <<A HREF="http://mediadefender.com/images/btn_sep.gif">http://mediadefender.com/images/btn_sep.gif</A>>   <<A HREF="http://mediadefender.com/images/btn_p2pmkt_off.gif">http://mediadefender.com/images/btn_p2pmkt_off.gif</A>>    <<A HREF="http://mediadefender.com/btn_sep.gif">http://mediadefender.com/btn_sep.gif</A>>          News<<A HREF="http://mediadefender.com/images/btn_news_off.gif">http://mediadefender.com/images/btn_news_off.gif</A>>          <<A HREF="http://mediadefender.com/images/btn_sep.gif">http://mediadefender.com/images/btn_sep.gif</A>>   Contact Us<<A HREF="http://mediadefender.com/images/btn_contact_off.gif">http://mediadefender.com/images/btn_contact_off.gif</A>>       <BR>
 <<A HREF="http://mediadefender.com/images/spacer.gif">http://mediadefender.com/images/spacer.gif</A>>  <BR>
 <<A HREF="http://mediadefender.com/images/spacer.gif">http://mediadefender.com/images/spacer.gif</A>>  <BR>
<BR>
Dear User!<BR>
<BR>
<BR>
Your recent internet activity was logged on the following sites:<BR>
<BR>
*       Btjunkie <<A HREF="http://btjunkie.org">http://btjunkie.org</A>><BR>
*       SumoTorrent <<A HREF="http://sumotorrent.com/">http://sumotorrent.com/</A>><BR>
*       isoHunt <<A HREF="http://isohunt.com">http://isohunt.com</A>><BR>
*       Btscene <<A HREF="http://www.btscene.com/">http://www.btscene.com/</A>><BR>
*       Mininova <<A HREF="http://www.mininova.org">http://www.mininova.org</A>><BR>
*       Fenopy <<A HREF="http://fenopy.com/">http://fenopy.com/</A>><BR>
*       Monova <<A HREF="http://monova.org">http://monova.org</A>><BR>
*       Yotoshi <<A HREF="http://yotoshi.com/">http://yotoshi.com/</A>><BR>
*       GetInvites <<A HREF="http://getinvites.org/">http://getinvites.org/</A>><BR>
*       Btmon <<A HREF="http://www.btmon.com/">http://www.btmon.com/</A>><BR>
<BR>
We have attached a report about the copyrighted movies, music, softwares you downloaded or searched on these webpages. We strongly advise you to stop any future activities regarding the downloading of illegal content or you can expect prosecution by 17 U.S.C. §§ 512, 1201§1205, 1301§1332; 28 U.S.C. § 4001 laws.<BR>
<BR>
Sincerely,<BR>
<BR>
MediaDefender Inc.<BR>
<BR>
<BR>
</FONT>
</P>

</BODY>
</HTML>

**************************************************************************
Headers
**************************************************************************
Return-Path: <monitoring@mediadefender.com>
Delivered-To: services@[RD]
Received: from Postfix filter 42a77884ce2a0a03efc6bb50a6dcdb21 (localhost.localdomain [127.0.0.1])
    by smtp-in-77.livemail.co.uk (Postfix) with SMTP id 8445AEFC4ED
    for <services@[RD]>; Wed, 10 Sep 2008 13:54:00 +0100 (BST)
Received: from mediadefender.com (mail.squires.co.za [196.37.170.133])
    by smtp-in-77.livemail.co.uk (Postfix) with ESMTP id 48D4CEFC4ED
    for <services@[RD]>; Wed, 10 Sep 2008 13:51:43 +0100 (BST)
From: monitoring@mediadefender.com
To: services@[RD]
Subject: Your illegal internet activities are being logged
Date: Wed, 10 Sep 2008 14:45:55 +0200
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_0008_DE9EEA5E.EDC8D727"
X-Priority: 3
X-MSMail-Priority: Normal
Message-Id: <20080910125143.48D4CEFC4ED@smtp-in-77.livemail.co.uk>
X-Original-To: services@[RD]
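The headers above carry the evidence that the MediaDefender sender is forged: the HELO name in the bottom Received: line claims mediadefender.com, but the connecting host resolves to mail.squires.co.za [196.37.170.133]. This Python check is added here (not part of the original post) and simply automates that comparison on the header block as quoted; the regex assumes Postfix's "from <HELO> (<rDNS> [<IP>])" layout.

```python
import re

# Header block copied from the post above; constructed here as sample input.
SAMPLE_HEADERS = """\
Return-Path: <monitoring@mediadefender.com>
Received: from Postfix filter 42a77884ce2a0a03efc6bb50a6dcdb21 (localhost.localdomain [127.0.0.1])
    by smtp-in-77.livemail.co.uk (Postfix) with SMTP id 8445AEFC4ED
    for <services@[RD]>; Wed, 10 Sep 2008 13:54:00 +0100 (BST)
Received: from mediadefender.com (mail.squires.co.za [196.37.170.133])
    by smtp-in-77.livemail.co.uk (Postfix) with ESMTP id 48D4CEFC4ED
    for <services@[RD]>; Wed, 10 Sep 2008 13:51:43 +0100 (BST)
From: monitoring@mediadefender.com
Subject: Your illegal internet activities are being logged
"""

# Postfix writes "Received: from <HELO name> (<reverse DNS> [<IP>]) by ..."
RECEIVED_RE = re.compile(r"^Received: from (.+?) \((\S+) \[([\d.]+)\]\)", re.M)

def unfold(raw):
    """Join RFC 5322 folded header lines (continuations start with whitespace)."""
    return re.sub(r"\r?\n[ \t]+", " ", raw)

def received_hops(raw):
    """Return (helo_name, reverse_dns, ip) for each Received: header, newest first."""
    return RECEIVED_RE.findall(unfold(raw))

def from_domain(raw):
    m = re.search(r"^From: .*?[\w.-]+@([\w.-]+)", unfold(raw), re.M)
    return m.group(1).lower() if m else None

def origin_check(raw):
    """Compare the From: domain with the earliest non-loopback hop; spoofed is
    True when the HELO name claims that domain but the reverse DNS does not."""
    hops = [h for h in received_hops(raw) if not h[2].startswith("127.")]
    dom = from_domain(raw)
    if not hops or not dom:
        return {"from_domain": dom, "spoofed": None}
    helo, rdns, ip = hops[-1]  # bottom-most Received: is closest to the origin

    def in_domain(name):
        name = name.lower()
        return name == dom or name.endswith("." + dom)

    return {"from_domain": dom, "helo": helo, "rdns": rdns, "ip": ip,
            "spoofed": in_domain(helo) and not in_domain(rdns)}
```

A passing HELO name alone proves nothing, since the sender chooses it; the reverse DNS and IP are what the receiving MTA observed.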


/edit 23-09-08

It seems these are still doing the rounds, as I've just received another one. Whilst the e-mail and the zip's filename are identical to the last, the infection in this one is HIDDENEXT/Worm.Gen, with a new size of 324K.

http://www.virustotal.com/analisis/39fdcd263877cae49faaa6e4a2576401

Well, well, well, this is an interesting little sample, isn't it ... Running the file through ThreatExpert shows multiple outgoing connections (IRC, SMTP). Two GET requests were made to download additional components:

http://www.isc.org/ISC-gears2.png
http://www.isc.org/automation/n09230945.asp

Other connections include:

sco.rs-forum.biz Port: 5900
mxs.isp.com Port: 5900
206.137.17.89 Port: 5900

rs-forum.biz claims to be a parked page (yeah right!)

http://vurl.mysteryfcm.co.uk/?url=http://rs-forum.biz/&selUAStr=1&cbxLinks=&cbxSource=on&cbxBlacklist=on&selServer=1&ref=

The IRC connection shows it joining the #biohazard2 channel and generating the following traffic:

NICK BX|162490404
USER dfewojeuaf 0 0 :BX|162490404
USERHOST BX|162490404
MODE BX|162490404 -ix
JOIN #biohazard2 youareadumbfuck
NICK BX|815533618
USER lnonqyumtlt 0 0 :BX|815533618
USERHOST BX|815533618
MODE BX|815533618 -ix
NICK BX|165626277
USER nddpsdtcfmz 0 0 :BX|165626277
USERHOST BX|165626277
MODE BX|165626277 -ix
NICK BX|238465948
USER ntzxwcaoprz 0 0 :BX|238465948
USERHOST BX|238465948
MODE BX|238465948 -ix
NICK BX|344699429
USER qcbbouebg 0 0 :BX|344699429
USERHOST BX|344699429
MODE BX|344699429 -ix
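The registration pattern in that trace (a fixed BX| tag with fresh random digits on every NICK, a throw-away lowercase ident per USER, MODE -ix, and a keyed JOIN) is what a network-side detection would key on. The following Python helper is an added example, not part of the original post or the ThreatExpert report; it profiles an outbound IRC command trace and flags that combination. The sample is the trace above abbreviated to three NICK cycles, with the channel key redacted.

```python
import re

# Outbound IRC commands from the ThreatExpert trace quoted above, abbreviated to
# the first three NICK cycles and with the channel key redacted (constructed sample).
SAMPLE_IRC = """\
NICK BX|162490404
USER dfewojeuaf 0 0 :BX|162490404
USERHOST BX|162490404
MODE BX|162490404 -ix
JOIN #biohazard2 [key-redacted]
NICK BX|815533618
USER lnonqyumtlt 0 0 :BX|815533618
USERHOST BX|815533618
MODE BX|815533618 -ix
NICK BX|165626277
USER nddpsdtcfmz 0 0 :BX|165626277
USERHOST BX|165626277
MODE BX|165626277 -ix
"""

NICK_RE = re.compile(r"^NICK (\w+)\|(\d{6,})$")              # fixed tag + random digits
USER_RE = re.compile(r"^USER ([a-z]{6,}) \S+ \S+ :(\S+)$")   # random ident, nick as realname
JOIN_RE = re.compile(r"^JOIN (#\S+)(?: (\S+))?$")            # channel and optional key

def profile_irc(trace):
    """Summarise one client's outbound IRC commands and flag bot-like registration."""
    nicks, idents, channels, keyed = [], [], set(), False
    for line in trace.splitlines():
        if m := NICK_RE.match(line):
            nicks.append(f"{m[1]}|{m[2]}")
        elif m := USER_RE.match(line):
            idents.append(m[1])
        elif m := JOIN_RE.match(line):
            channels.add(m[1])
            keyed = keyed or m[2] is not None
    prefixes = {n.split("|")[0] for n in nicks}
    # Heuristic: one fixed tag with fresh digits on every NICK, a throw-away ident per
    # registration, and a keyed channel join is the fingerprint of a generated bot,
    # not of a person picking a nickname once.
    bot_like = (len(nicks) >= 3 and len(prefixes) == 1
                and len(set(idents)) == len(idents) and keyed)
    return {"nick_prefix": next(iter(prefixes), None), "nicks": nicks, "idents": idents,
            "channels": sorted(channels), "keyed_join": keyed, "bot_like": bot_like}
```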


The full TE report can be found at:

http://www.threatexpert.com/report.aspx?md5=713885a1432fc4a822f9473828045952
