CME711 - April Fools
I'm a bit late posting this one - I've been working on some penetration testing projects and have been unable to monitor my honeypots.
For those who have not yet noticed:

(image captured by DISOG staff on 2008/03/31)
The page pushes the payload three ways: a 5-second refresh downloads funny.exe, clicking the image downloads kickme.exe, and the "click here" link downloads foolsday.exe. All three are the same file.
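To show what "three download vectors, one file" looks like when you pull a lure page apart, here is a small parser that enumerates every way a page like this pushes an executable at the visitor: the timed meta refresh, an image wrapped in a link, and a plain text link. This is an added example, not code from the post; the HTML in SAMPLE_LURE is a constructed stand-in for the page, not a capture of it, and it assumes the refresh is a meta refresh tag with the usual "delay;url=target" content form.

```python
from html.parser import HTMLParser

# Constructed stand-in for the lure page (not a capture of the real site):
# a timed meta refresh, an image wrapped in a link, and a text link,
# each pointing at one of the three executable names from the post.
SAMPLE_LURE = """<html><head>
<meta http-equiv="refresh" content="5;url=funny.exe">
</head><body>
<a href="kickme.exe"><img src="fool.jpg" alt="April Fool"></a>
<p>Gotcha! <a href="foolsday.exe">click here</a></p>
</body></html>"""


class LureParser(HTMLParser):
    """Collects every way the page pushes a download at the visitor."""

    def __init__(self):
        super().__init__()
        self.downloads = []     # (vector description, target URL)
        self._hrefs = []        # hrefs of the <a> tags currently open

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)         # html.parser lower-cases tag/attribute names
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # content looks like "5;url=funny.exe" (the delay, then the target)
            delay, _, url = a.get("content", "").partition(";")
            url = url.strip()
            if url.lower().startswith("url="):
                url = url[4:].strip().strip("'\"")
            self.downloads.append((f"meta refresh after {delay.strip()}s", url))
        elif tag == "a":
            self._hrefs.append(a.get("href", ""))
        elif tag == "img" and self._hrefs and self._hrefs[-1]:
            # clicking the image follows the enclosing anchor
            self.downloads.append(("image click", self._hrefs[-1]))
            self._hrefs[-1] = None          # enclosing anchor already recorded

    def handle_data(self, data):
        text = data.strip()
        if text and self._hrefs and self._hrefs[-1]:
            self.downloads.append((f"link '{text}'", self._hrefs[-1]))
            self._hrefs[-1] = None

    def handle_endtag(self, tag):
        if tag == "a" and self._hrefs:
            self._hrefs.pop()


def extract_downloads(html):
    """Return [(vector, target), ...] in document order."""
    p = LureParser()
    p.feed(html)
    p.close()
    return p.downloads


def executables(html):
    """Distinct .exe targets the page tries to deliver, sorted."""
    return sorted({t for _, t in extract_downloads(html) if t.lower().endswith(".exe")})


if __name__ == "__main__":
    for vector, target in extract_downloads(SAMPLE_LURE):
        print(f"{vector:28s} -> {target}")
    print("executables:", executables(SAMPLE_LURE))
```

Run it and the three vectors come out in page order, each with its target; on a real capture the next step is to fetch each target in the sandbox and compare hashes, which is how you confirm the "all the same file" observation rather than assume it.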
The email:
From: sauna@piraeusbank.co.yu
To: Me
Subject: Gotcha! April Fool!
Date: Mon, 31 Mar 2008
MIME-Version: 1.0
Content-Type: text/plain;
format=flowed;
charset="iso-8859-1";
reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4807.1700
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700
Doh! April's Fool. hxxp://69[dot]237[dot]180[dot]107
(obscuring done to protect the click-happy)
Once run, the payload drops a file called aromis.exe in C:\WINDOWS\.
Jose Nazario caught this one early on - check out his blog here.
I ran a quick query on my honeypot and found the following IPs serving the malicious site:
12.227.199.128, 157.252.144.83, 12.180.197.108, 201.236.232.174, 122.27.202.155, 201.223.28.183, 201.221.253.101, 201.244.162.4, 195.210.193.131, 190.51.252.2, 190.20.204.27, 201.255.219.218, 201.250.17.202, 190.164.121.145, 12.52.237.174, 201.83.126.59, 200.94.236.26, 201.233.92.206, 190.18.184.125, 194.106.95.22, 190.74.93.29, 190.99.245.190, 201.21.230.245, 12.206.243.139, 125.25.186.158, 125.25.184.146, 124.179.81.214, 190.184.11.24, 24.9.162.81, 24.207.187.180, 24.17.32.118, 209.33.54.179, 24.128.211.65, 24.128.104.153, 24.205.232.114, 24.34.213.108, 24.107.238.132, 221.156.165.195, 203.170.120.109, 59.0.132.4, 58.148.79.162, 211.247.36.237, 221.127.42.208, 59.162.171.116, 60.50.177.152, 218.53.196.196, 220.174.64.208, 68.35.77.47, 67.67.70.158, 67.186.80.253, 65.42.229.61, 67.149.51.30, 64.118.1.21, 68.114.21.117, 66.177.6.37, 63.78.245.134, 68.184.58.72, 68.40.43.30, 67.169.119.102, 67.189.224.51, 68.39.43.90, 65.191.88.121, 64.30.104.120, 65.60.228.114, 65.32.52.189, 67.185.230.180, 65.79.220.132, 68.202.92.236, 68.202.117.9, 67.42.158.183, 64.175.44.163, 67.158.13.101, 60.53.249.16, 68.127.123.188, 69.154.218.209, 71.226.39.64, 69.144.160.49, 68.63.19.201, 71.239.243.175, 70.136.17.38, 69.231.229.151, 68.83.16.79, 69.140.233.125, 69.225.253.167, 69.211.140.58, 69.246.94.16, 70.92.29.202, 74.129.21.5, 70.238.127.143, 69.207.251.224, 72.8.101.213, 71.9.7.113, 70.227.199.237, 69.183.188.168, 70.237.145.26, 71.197.38.110, 68.50.219.36, 71.142.241.127, 69.42.3.50, 74.233.128.126, 70.127.87.220, 70.126.163.86, 70.15.184.87, 71.84.167.230, 70.127.141.133, 71.75.20.9, 69.228.202.232, 74.75.186.228, 71.115.3.254, 72.186.88.186, 70.55.64.54, 69.238.88.2, 75.32.162.49, 75.18.100.96, 75.35.30.89, 76.30.141.221, 98.202.86.206, 75.143.144.223, 76.125.185.59, 76.194.244.132, 98.200.190.127, 75.4.244.196, 76.115.75.239, 76.123.171.54, 76.124.142.87, 98.195.201.101, 76.114.139.114, 98.192.11.39, 76.26.11.182, 99.129.205.142, 76.227.155.39, 76.99.94.153, 98.212.18.73, 
99.162.53.130, 99.171.119.45, 76.99.195.186, 76.84.211.214, 98.220.158.148, 76.178.7.202, 76.229.114.181, 76.29.166.146, 99.130.33.79, 99.147.177.92, 76.111.136.44, 82.232.24.247, 75.4.50.13, 87.96.165.131, 89.132.71.47, 81.56.175.146, 85.155.32.253, 88.235.196.103, 80.31.76.46, 86.12.37.214, 81.97.222.20
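A list of serving IPs like the one above is only useful once it is turned into something you can run over your own traffic. The following script is an added example, not part of the post: it refangs the obscured lure URL from the mail body, combines it with a handful of the serving IPs listed above (a subset; load the full list in practice) and the three payload filenames, and scans proxy log lines for requests that touch them. The log lines are constructed, not real traffic, and the script assumes the Squid native access.log layout (timestamp, elapsed, client, code/status, bytes, method, URL, user, peer/host, type).

```python
from urllib.parse import urlsplit

# Indicators taken from the post. The lure URL is kept defanged and is
# refanged only for string matching; it is never fetched.
DEFANGED_LURE = "hxxp://69[dot]237[dot]180[dot]107"
PAYLOAD_NAMES = {"funny.exe", "kickme.exe", "foolsday.exe"}
# A handful of the serving IPs listed above; in practice load the full list.
SERVING_IPS = {
    "12.227.199.128", "157.252.144.83", "201.236.232.174",
    "24.9.162.81", "76.99.94.153", "81.97.222.20",
}


def refang(url):
    """Turn the obscured URL back into a matchable one."""
    return url.replace("hxxp", "http").replace("[dot]", ".").replace("[.]", ".")


LURE_HOST = urlsplit(refang(DEFANGED_LURE)).hostname
BAD_HOSTS = SERVING_IPS | {LURE_HOST}

# Constructed sample lines in Squid native access.log format (not real traffic):
# time elapsed client code/status bytes method URL user peer/host type
SAMPLE_LOG = """\
1206993600.123   312 10.1.2.3 TCP_MISS/200 5120 GET http://69.237.180.107/ - DIRECT/69.237.180.107 text/html
1206993605.456   820 10.1.2.3 TCP_MISS/200 98304 GET http://69.237.180.107/funny.exe - DIRECT/69.237.180.107 application/octet-stream
1206993610.789   140 10.1.2.9 TCP_MISS/200 3221 GET http://www.example.org/index.html - DIRECT/93.184.216.34 text/html
1206993620.001   900 10.1.2.7 TCP_MISS/200 98304 GET http://24.9.162.81/kickme.exe - DIRECT/24.9.162.81 application/octet-stream
1206993625.002   100 10.1.2.7 TCP_MISS/404 400 GET http://www.example.com/funny.exe - DIRECT/93.184.216.34 text/html
"""


def scan_proxy_log(text):
    """Return one dict per request that touches a known host or payload name."""
    hits = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 9:
            continue                        # malformed or truncated line
        ts, client, url, peer = f[0], f[2], f[6], f[8]
        parts = urlsplit(url)
        host = parts.hostname or ""
        peer_ip = peer.split("/", 1)[-1]    # "DIRECT/1.2.3.4" -> "1.2.3.4"
        filename = parts.path.rsplit("/", 1)[-1].lower()
        reasons = []
        if host in BAD_HOSTS or peer_ip in BAD_HOSTS:
            reasons.append("known serving IP")
        if filename in PAYLOAD_NAMES:
            reasons.append("payload filename")   # weaker on its own
        if reasons:
            hits.append({"ts": ts, "client": client, "url": url, "reasons": reasons})
    return hits


def affected_clients(text):
    """Clients that pulled a payload from a known serving IP (the strong signal)."""
    return sorted({h["client"] for h in scan_proxy_log(text)
                   if h["reasons"] == ["known serving IP", "payload filename"]})


if __name__ == "__main__":
    for h in scan_proxy_log(SAMPLE_LOG):
        print(h["ts"], h["client"], h["url"], ", ".join(h["reasons"]))
    print("clients to image/rebuild:", affected_clients(SAMPLE_LOG))
```

Matching on both the URL host and the peer host matters because the site was served from many residential-looking addresses that rotate; a request whose URL names one IP may have been fetched from another. The filename match is kept as a separate, weaker reason, since funny.exe on an unrelated host is worth a look but not a rebuild, whereas an executable pulled from one of the listed IPs is.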
