Comments on Dynamoo's Blog: HP Spam / HP_Scan_06292013_398.zip FAIL
(comment feed last updated 2024-02-23T09:06:13+00:00; 22 comments, newest first)

Anonymous (2013-08-29 12:10 +01:00):
We received a variant of this email yesterday. The email was from Staples titled "Staples Advantage Invoice Delivery".

Anonymous (2013-06-21 09:45 +01:00):
Password Stealer

Connects to:

bagdup. com : 80 (174.140.168.239)

unixfreaxjp (2013-06-20 10:38 +01:00):
Allow me to add the details in the following pastebin: http://pastebin.com/raw.php?i=ErPMafRf

A buggy RAT/#botnet was used in this shot of the campaign; hope it is as buggy as possible in the future too. ;-)

#MalwareMustDie!

TravisX² (2013-06-19 21:37 +01:00):
Shhhh... Don't tell them they are broken!

Anonymous (2013-06-19 21:21 +01:00):
This is some sort of error on the part of the spammer(s). They've been sending broken zip attachments for at least two weeks now.

If you want to see what those bytes mean, plug them into a base64 encoder and everything should make sense.

For example, enter 12BAE8AC16AC7BAE into the hex field here: http://home.paulschou.net/tools/xlate/

TravisX² (2013-06-19 20:53 +01:00):
I have noticed that the file name(s) are changing. HP_Scan_ stays the same but the ##### at the end keeps changing.

Unknown (2013-06-19 20:20 +01:00):
Getting a few of these too.

Attachment names, same bytes:

HP_Scan_06192013.zip (12 BA E8 AC 16 AC 7B AE)

HP_Scan_06292013_398.zip (12 BA E8 AC 16 AC 7B AE)

TravisX² (2013-06-19 20:11 +01:00):
Has anyone figured out what the deal is?
I thought it might have contained just a link to where the package was hosted, but you guys just found the short strings.
Perhaps the infected server that is sending it out has AV that started stripping them before sending.

Conrad Longmore (2013-06-19 20:10 +01:00):
These are using a spoofed address to appear to come from a printer inside your organisation; they are coming externally though.

We block EXE-in-ZIP files at the perimeter though, so I too was concerned that these were coming from an internal source and were being stripped off by something internal. But it wasn't the case.

And yes.. the users have been calling the

TravisX² (2013-06-19 20:07 +01:00):
I'm having the same issue.
ESET stripped the ones I got earlier today (which had a larger package) but the ones this afternoon are not being flagged and also appear too small (338 bytes in Outlook, 162 bytes on disk).

Chris (2013-06-19 19:59 +01:00):
Had the same emails at our organization; they're showing up as ~300 B attachments in Outlook. Downloaded it to a Linux VM and viewed the files in a hex editor: they're only 8 B.

McAfee Email Gateway picked them up and flagged some of them, but we've had users calling all day about them so it must not be getting all of them.

The ones we are receiving appear to be

Chris (2013-06-19 19:57 +01:00):
This comment has been removed by the author.

Anonymous (2013-06-19 19:37 +01:00):
We've gotten several dozen of these today, but I can't tell if they're from an internal machine that's been compromised, or some external source that happens to have contacts in our company (most seem to go to an invalid mailbox). Symantec Mail Security is quarantining them, but I'd like to figure out how to stop them altogether.
Any thoughts?
Thanks.

jasermd (2013-06-19 18:13 +01:00):
If clicked on, will it cause any problems??

Conrad Longmore (2013-06-19 17:50 +01:00):
Yes, weirdly it seems to be bigger when displayed in email (about 300 bytes), although perhaps that includes part of the MIME encoding.

Yesterday it was Dunn and Bradstreet with the same characteristics.

Anonymous (2013-06-19 17:39 +01:00):
"I've got one that is over 100k"

100 k or 100 B?

Anonymous (2013-06-19 17:38 +01:00):
Three people in my organization also got it. All around 100 bytes, one 133 bytes.

recoverycomedy (2013-06-19 17:31:51 +01:00):
This comment has been removed by the author.

recoverycomedy (2013-06-19 17:31:16 +01:00):
Thanks for publishing this. I was expecting a document and I figured this was a virus, but a part of me still wanted to open it. After finding your article I'm glad I didn't. Strange that yours is the only posting I've found about this.

Anonymous (2013-06-19 17:14:29 +01:00):
I'm getting these too but my attachments are larger - ~300 bytes.

Anonymous (2013-06-19 17:14:17 +01:00):
I've got one that is over 100k

Anonymous (2013-06-19 16:56 +01:00):
I just ran through the same exact process with this file. And came to the same conclusion.

Looks like the baddie should have used a decent crypter.

Anywhoo, did you catch the typo in the e-mail that was sent too? LoL.

"use the adobe acrobat"
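Several commenters above report that the "zip" decodes to the same eight bytes (12 BA E8 AC 16 AC 7B AE) and one suggests running them back through a base64 encoder. Doing that arithmetic gives the text "ErrorBase64=", which is why the attachment carries no ZIP header: the encoded body of the MIME part was an error string rather than an archive. The script below is an added example, not code from the blog post or any commenter. It triages a supposed .zip attachment by size and ZIP signature, shows the base64 text it was decoded from, and runs that check over a constructed MIME message whose addresses, subject and body text are hypothetical; only the attachment filename and the eight bytes come from the thread.

```python
import base64
import email
from email import policy

# Constructed sample: the eight bytes several commenters reported for the
# attachment (12 BA E8 AC 16 AC 7B AE). Not taken from a real message.
BROKEN_ZIP = bytes.fromhex("12BAE8AC16AC7BAE")

# A real .zip starts with a local file header, or with an end-of-central-
# directory record if the archive is empty.
ZIP_SIGNATURES = (b"PK\x03\x04", b"PK\x05\x06")


def triage_zip_attachment(data: bytes) -> dict:
    """Classify a supposed .zip attachment without opening it.

    Reports the decoded size, whether a ZIP signature is present, and the
    base64 form of the leading bytes, i.e. the text the mail client decoded
    them from. For BROKEN_ZIP that text is "ErrorBase64=".
    """
    return {
        "size": len(data),
        "is_zip": data[:4] in ZIP_SIGNATURES,
        "base64": base64.b64encode(data[:24]).decode("ascii"),
    }


# Constructed MIME message (hypothetical addresses and body) reproducing the
# shape of the spam: the attachment part carries the literal text
# "ErrorBase64=" where a base64-encoded archive should be.
SAMPLE_EML = """\
From: printer@example.com
To: user@example.com
Subject: HP Scan
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Scanned document attached.
--b1
Content-Type: application/zip; name="HP_Scan_06292013_398.zip"
Content-Disposition: attachment; filename="HP_Scan_06292013_398.zip"
Content-Transfer-Encoding: base64

ErrorBase64=
--b1--
"""


def triage_message(raw: str) -> list:
    """Decode every attachment of a raw RFC 822 message and triage it."""
    msg = email.message_from_string(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        # get_payload(decode=True) undoes the Content-Transfer-Encoding,
        # which is exactly the step that turns "ErrorBase64=" into 8 bytes.
        info = triage_zip_attachment(part.get_payload(decode=True))
        info["filename"] = part.get_filename()
        results.append(info)
    return results


if __name__ == "__main__":
    print(triage_zip_attachment(BROKEN_ZIP))
    for item in triage_message(SAMPLE_EML):
        print(item)
```

The size difference people saw between Outlook (about 300 bytes) and disk (8 bytes) is consistent with the client counting the MIME part's headers; the triage function works on the decoded payload only, so it reports the 8 bytes that actually reach disk.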