FYI: Just got this to my Tor relay mail address, with a zip file attached extracting to a '.scr' win exe. Curiously routed via a .gov.uk mail relay...
GB03022014.scr: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: dba1e52929f6ca9d1a1bf87e4ff469cf GB2546241.zip
MD5: fb1141494829b144b0075035022cfbb9 GB03022014.scr
Samples available on request. Full mail headers attached.
==========
From defeats871@richszabo.com Mon Feb 03 14:06:39 2014
Return-path: defeats871@richszabo.com
Received: from [217.109.27.97] (helo=WNACDHPXR)
Received: from mail1.bemta14.messagelabs.com by server.justinarcher.net
Received: from gateway-102.energis.gsi.gov.uk (HELO mx.hosting-w.gsi.gov.uk) (62.25.106.208) by server-10.tower-205.messagelabs.com
X-Env-Sender: gateway.confirmation@gateway.gov.uk
From: gateway.confirmation@gateway.gov.uk
To: tor@phra.gs
Subject: Your Online Submission for Reference 485/GB2546241 Could not process
Date: Mon, 3 Feb 2014 22:16:02 +0100
The submission for reference 485/GB2546241 was successfully received and was not processed. Check attached copy for more information. This is an automatically generated email. Please do not reply as the email address is not monitored for received mail.
==========
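As an added example, not part of phrag's report and not code from anyone on the list: the triage a recipient can run on such a zip before anything inside it is opened. Each member is identified by its leading bytes rather than its name, the extension is checked against what Windows will execute on double-click (a .scr is a plain PE executable), and MD5/SHA-256 are produced for lookup. The archive it inspects is constructed in memory from "MZ" stubs and is not the real GB2546241.zip, so the hashes it prints are not the ones reported above.

```python
import hashlib
import io
import os
import zipfile
from dataclasses import dataclass, field
from typing import Dict, List

# Extensions Windows runs on double-click; .scr (screensaver) is a PE like .exe.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".vbs", ".js", ".jse", ".wsf", ".ps1", ".jar"}


def magic_type(data: bytes) -> str:
    """Identify a member by its leading bytes, not by the name it was given."""
    if data[:2] == b"MZ":
        return "pe"            # DOS/PE executable header
    if data[:4] == b"PK\x03\x04":
        return "zip"
    if data[:4] == b"%PDF":
        return "pdf"
    return "unknown"


@dataclass
class Finding:
    name: str
    size: int
    md5: str
    sha256: str
    magic: str
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def triage_zip(zip_bytes: bytes) -> Dict[str, Finding]:
    """Inspect every member of a zip attachment and record why it looks dangerous."""
    findings: Dict[str, Finding] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            lower = os.path.basename(info.filename).lower()
            stem, ext = os.path.splitext(lower)
            magic = magic_type(data)
            reasons = []
            if ext in EXECUTABLE_EXTS:
                reasons.append(f"executable extension {ext}")
                inner_ext = os.path.splitext(stem)[1]   # e.g. ".pdf" in "invoice.pdf.exe"
                if inner_ext:
                    reasons.append(f"double extension {inner_ext}{ext}")
            if magic == "pe" and ext not in EXECUTABLE_EXTS | {".dll", ".sys"}:
                reasons.append("PE header under a non-executable extension")
            if magic == "zip":
                reasons.append("nested archive")
            findings[info.filename] = Finding(
                info.filename, len(data),
                hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest(),
                magic, reasons)
    return findings


def build_sample_zip() -> bytes:
    """Constructed attachment: fake members, not the real GB2546241.zip from the report."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("GB03022014.scr", b"MZ" + b"\x90" * 62 + b"constructed PE stub")
        zf.writestr("invoice.pdf.exe", b"MZ" + b"\x00" * 30)
        zf.writestr("report.doc", b"MZ" + b"\x00" * 30)   # executable behind a document name
        zf.writestr("readme.txt", b"plain text, harmless")
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_zip(build_sample_zip()).values():
        verdict = "SUSPICIOUS" if f.suspicious else "ok"
        print(f"{f.name:18} {f.magic:8} md5={f.md5} {verdict} {'; '.join(f.reasons)}")
```

The magic check matters more than the extension list: a renamed executable still starts with "MZ", and that is the case a gateway filter keyed on extensions alone would miss.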
Hey,
It doesn't seem to be targeted. It looks like your email was sucked into a spamlist to send malware to. For malware researchers, the sample can be obtained over here: https://malwr.com/analysis/YjQ1Y2FjZTcxMTgxNDgwNmE4MWIyYjIzN2RjNWM1YTc/
Jurre
On 02/03/2014 10:33 PM, phrag wrote:
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
--
Developer at https://www.useotrproject.org/
Your mailserver received it from an Orange France IP 217.109.27.97. Before that you can't really trust the headers.
GD
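An added example illustrating GD's point, not code from anyone in this thread: walk the Received headers newest-first (each receiving server prepends its own line) and stop trusting at the first line stamped by a server you do not operate; the "from" address on the last trusted line is the furthest point you can attribute, and everything below it may have been written by the sender. The chain is the one from the report; the recipient's own MX is written as the placeholder mx.recipient.example with a constructed timestamp, because the original top line was cut off before its "by" clause.

```python
import re
from dataclasses import dataclass
from email import message_from_string
from typing import List, Optional

# Constructed sample: the Received chain from the reported message. The
# recipient's own MX ("mx.recipient.example") and its timestamp are placeholders.
RAW_HEADERS = """\
Return-Path: <defeats871@richszabo.com>
Received: from [217.109.27.97] (helo=WNACDHPXR)
\tby mx.recipient.example with esmtp; Mon, 03 Feb 2014 22:16:10 +0100
Received: from mail1.bemta14.messagelabs.com by server.justinarcher.net
Received: from gateway-102.energis.gsi.gov.uk (HELO mx.hosting-w.gsi.gov.uk) (62.25.106.208)
\tby server-10.tower-205.messagelabs.com
X-Env-Sender: gateway.confirmation@gateway.gov.uk
From: gateway.confirmation@gateway.gov.uk
Subject: Your Online Submission for Reference 485/GB2546241 Could not process

(body omitted)
"""

# Servers we operate: only Received lines stamped by these can be believed.
OWN_HOSTS = {"mx.recipient.example"}

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"


@dataclass
class Hop:
    index: int                 # 0 = most recent hop (top of the header block)
    from_host: Optional[str]   # what the "from" clause claims
    from_ip: Optional[str]     # address in [..] or (..) as recorded by the receiver
    by_host: Optional[str]     # server that added this Received line
    trusted: bool              # True while this and every hop above it were stamped by us


def walk_received(raw: str, own_hosts) -> List[Hop]:
    """Parse Received headers newest-first and mark where trust ends."""
    msg = message_from_string(raw)
    hops: List[Hop] = []
    trusted = True
    for i, rcvd in enumerate(msg.get_all("Received", [])):
        flat = " ".join(rcvd.split())   # unfold continuation lines
        frm = re.search(r"\bfrom\s+(\[?[\w.\-]+\]?)", flat)
        ip = re.search(r"[\[(](" + IPV4 + r")[\])]", flat)
        by = re.search(r"\bby\s+([\w.\-]+)", flat)
        by_host = by.group(1).lower() if by else None
        # Once a line was stamped by a server we do not control, that line and
        # everything below it could have been forged by the sender.
        if by_host not in own_hosts:
            trusted = False
        hops.append(Hop(i, frm.group(1) if frm else None,
                        ip.group(1) if ip else None, by_host, trusted))
    return hops


def last_trusted_origin(hops: List[Hop]) -> Optional[str]:
    """Address the last trustworthy hop received from: the furthest attributable point."""
    origin = None
    for hop in hops:
        if not hop.trusted:
            break
        origin = hop.from_ip or hop.from_host
    return origin


if __name__ == "__main__":
    chain = walk_received(RAW_HEADERS, OWN_HOSTS)
    for hop in chain:
        flag = "trusted" if hop.trusted else "UNVERIFIABLE"
        print(f"{hop.index}: from {hop.from_host} [{hop.from_ip}] by {hop.by_host} -> {flag}")
    print("attributable origin:", last_trusted_origin(chain))
```

Run against the sample, only the top hop is trusted and the attributable origin is 217.109.27.97; the messagelabs and gsi.gov.uk lines fall below the trust boundary, which is why the apparent .gov.uk routing proves nothing about where the mail came from.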
On Mon, 03 Feb 2014 22:33:05 +0100 phrag phrag@phra.gs allegedly wrote:
> FYI: Just got this to my Tor relay mail address, with a zip file attached extracting to a '.scr' win exe. Curiously routed via a .gov.uk mail relay...
> GB03022014.scr: PE32 executable (GUI) Intel 80386, for MS Windows
I don't think there is anything sinister about this. Yesterday, an old friend of mine sent me the same details relating to an attack he had seen (completely unrelated to Tor). The attachments he sent me were confirmed by VirusTotal as containing the Zeus trojan, usually used in theft of banking credentials.
The fact that the attack appears to come from UK GSI email servers is odd, but since the NHS website was compromised yesterday (1), I speculate it may be related - i.e. somebody may be taking a swipe at UK Gov services for reasons which escape me....
(1) http://www.theregister.co.uk/2014/02/03/nhs_choices_website_serves_up_100s_o...
Mick
---------------------------------------------------------------------
Mick Morgan gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
http://baldric.net
---------------------------------------------------------------------