Wednesday, September 19, 2012

CVE-2012-4681 samples Original (APT) and Blackhole 2.0 (crime)


Here are two samples of the Java CVE-2012-4681 exploit: one from the original targeted attack described in our post on August 30, 2012, and the other from today's spam run redirecting to the Blackhole 2.0 exploit kit, which uses a CVE-2012-4681 exploit adapted from the Metasploit framework.
The Blackhole 2.0 ad is translated and posted at malware.dontneedcoffee.com along with a very good analysis.
There are probably several different spam campaigns, but the one I encountered used the subject "ADP Invoice Reminder" and the sender address ADP_Online_Invoice_DoNotReply@adp.com, sent from what looks like a spam botnet. The body of the email looks very convincing; compare the legitimate ADP email below with the fake one. The links point to legitimate compromised websites that redirect to the Blackhole exploit server. The payload is Zeus (the Gameover P2P version, not Citadel). Many of the websites have already been cleaned and now return a 404 error, but some are still active. I posted approximately 50 headers below for those who deal with spam filters, as well as the pcap and other information.

CVE #

CVE-2012-4681
Multiple vulnerabilities in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 6 and earlier allow remote attackers to execute arbitrary code via a crafted applet that bypasses SecurityManager restrictions by (1) using com.sun.beans.finder.ClassFinder.findClass and leveraging an exception with the forName method to access restricted classes from arbitrary packages such as sun.awt.SunToolkit, then (2) using "reflection with a trusted immediate caller" to leverage the getField method to access and modify private fields, as exploited in the wild in August 2012 using Gondzz.class and Gondvv.class.

Download

ORIGINAL 0-DAY - Read more here at DeepEndResearch.org
Download all the files (exploit and payload) (contact me if you need the password)

BLACKHOLE 2
Download all the files and the pcap (contact me if you need the password)



BLACKHOLE 2.0 SPAM Original message

As you can see, the fake message looks rather convincing to anyone who has received real ADP emails before.
The URL looks like a real website because it is one (a compromised legitimate site, not a random-character domain), e.g. http://groupe-cmb[.]com/zc0XNMxZ/index.html, and the sender address is spoofed to look like the one shown below or ADP_Online_Invoice_DoNotReply@adp.com.






Headers Examples
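The forged header shapes this campaign uses (an account at adp.com presented with a random HELO name, a "by adp.com (<ip>)" hop that repeats the connecting bot's own address, an Exim "with local" hop claiming delivery on adp.com, and hops originating from bare 192.168.x.x addresses) can be turned into simple filter heuristics. The following is an added example and not code from the original post; the sample headers are constructed to mirror those shapes using documentation-range IPs rather than the real ones, and the function names (parse_headers, analyze, is_suspicious) are my own.

```python
"""Heuristics for the forged header shapes in the 'ADP Invoice Reminder' run.

Added example, not code from the original post.  Patterns checked:
  (1) a hop claiming an account at the sender's domain but with a HELO name
      outside that domain,
  (2) a 'by <sender-domain> (<ip>)' hop whose <ip> is the connecting client
      itself, i.e. the bot inserts its own address as the adp.com relay,
  (3) an Exim 'with local' hop claiming local delivery on the sender's domain,
  (4) a hop originating from a bare RFC 1918 address.
Sample headers are constructed (RFC 5737 documentation IPs, not the real ones).
"""
import re

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
PRIVATE_RE = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")


def parse_headers(raw):
    """Unfold RFC 5322 header lines into ordered (name, value) pairs."""
    fields = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and fields:          # folded continuation line
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, _, value = line.partition(":")
            fields.append((name.strip().lower(), value.strip()))
    return fields


def sender_domain(fields):
    """Domain of From; the run hides the address inside the quoted display name."""
    for name, value in fields:
        if name == "from":
            m = re.search(r"@([A-Za-z0-9.-]+)", value)
            return m.group(1).lower() if m else ""
    return ""


def analyze(raw):
    """Return which of the four forgery patterns appear in the message."""
    fields = parse_headers(raw)
    domain = sender_domain(fields)
    received = [v for n, v in fields if n == "received"]
    findings = {"helo_mismatch": False, "self_relay_as_sender": False,
                "forged_local_delivery": False, "private_ip_origin": False}
    if not received or not domain:
        return findings
    # The top Received header is the one our own MX stamped, so its first IP is
    # the address that really connected; every hop below it is untrusted input.
    outer = IP_RE.findall(received[0])
    client_ip = outer[0] if outer else ""
    esc = re.escape(domain)
    for hop in received[1:]:
        m = re.search(r"(?:HELO|helo=)\s*([A-Za-z0-9.-]+)", hop)
        if m and domain in hop.lower() and not m.group(1).lower().endswith(domain):
            findings["helo_mismatch"] = True                              # (1)
        m = re.search(r"\bby\s+" + esc + r"\s*\((\d[\d.]+)\)", hop, re.I)
        if m and client_ip and m.group(1) == client_ip:
            findings["self_relay_as_sender"] = True                       # (2)
        if re.search(r"\bby\s+" + esc + r"\s+with\s+local\b", hop, re.I):
            findings["forged_local_delivery"] = True                      # (3)
        m = re.search(r"\bfrom\s+\(?(\d[\d.]+)\)?", hop)
        if m and PRIVATE_RE.match(m.group(1)):
            findings["private_ip_origin"] = True                          # (4)
    return findings


def is_suspicious(raw):
    return any(analyze(raw).values())


# Constructed samples, one per pattern plus a clean control message.
HELO_FORGERY = """\
Received: from [192.0.2.10] ([192.0.2.10]) by mx.example.net with SMTP; Thu, 13 Sep 2012 09:48:51 -0500
Received: from [198.51.100.7] (account ADP_Online_Invoice_DoNotReply@adp.com HELO qkhoovc.example.org)
From: "ADP_Online_Invoice_DoNotReply@adp.com"
Subject: ADP Invoice Reminder
"""
SELF_RELAY = """\
Received: from 192-0-2-55.example.isp ([192.0.2.55]) by mx.example.net with SMTP; Tue, 18 Sep 2012 15:49:31 -0300
Received: from (192.168.1.34) by ADP.com (192.0.2.55) with Microsoft SMTP Server id 8.0.685.24
From: "ADP_FSA_Services@ADP.com"
"""
FAKE_LOCAL = """\
Received: from c-192-0-2-80.example.isp ([192.0.2.80]) by mx.example.net with SMTP; Thu, 13 Sep 2012 09:38:30 -0500
Received: from apache by adp.com with local (Exim 4.63)
From: "ADP_Online_Invoice_DoNotReply@adp.com"
X-Mailer: PHPMailer 5.1 (phpmailer.sourceforge.net)
"""
CLEAN = """\
Received: from mail.example.com (mail.example.com [203.0.113.5]) by mx.example.net with ESMTP; Thu, 13 Sep 2012 09:00:00 -0500
Received: from app01.example.com ([203.0.113.20]) by mail.example.com with ESMTP id k3; Thu, 13 Sep 2012 08:59:58 -0500
From: "Billing" <billing@example.com>
Subject: Invoice
"""
```

Only the outermost Received line is trusted, because the receiving MX wrote it; every hop beneath it is attacker-controlled, which is why each check compares the inner hops against that single line.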
Content-Language: en
------=_rogdop_61_77_16
Content-Type: text/plain;
Content-Transfer-Encoding: quoted-printable
================================================================================================================================
Received: from [175.110.106.135] ([175.110.106.135]) by xxxxxxxxxx229.xxxxxxxxxx148.14]) with SMTP;
Received: from [206.110.8.102] (account ADP_Online_Invoice_DoNotReply@adp.com HELO gworqecp.wuzdfju.com)
Date:
From:
X-Mailer: The Bat! (v3.71.01) Home
X-Priority: 3 (Normal)
Message-ID: <4122797397 data-blogger-escaped-.e8u33rb9015237=".e8u33rb9015237" data-blogger-escaped-vclexmzhvwjvkum.dlrye.net="vclexmzhvwjvkum.dlrye.net">
Subject: ADP Invoice Reminder
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----------678AE86DB5F379B"
------------678AE86DB5F379B
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
================================================================================================================================
Received: from [197.0.127.4] ([197.0.127.4]) by xxxxxxxxxx191.xxxxxxxxxx148.14]) with SMTP;
Received: from apache by adp.com with local (Exim 4.67)
Subject: ADP Invoice Reminder
X-PHP-Script: adp.com/sendmail.php for 197.0.127.4
From: "ADP_Online_Invoice_DoNotReply@adp.com"
X-Sender: "ADP_Online_Invoice_DoNotReply@adp.com"
X-Mailer: PHP
X-Priority: 1
MIME-Version: 1.0
Content-Type: multipart/alternative;
Message-Id:
Date: Wed, 12 Sep 2012 13:47:25 +0100
This is a multi-part message in MIME format.
6.0803E+21
Content-Type: text/plain; charset="Windows-1252"; format=flowed
================================================================================================================================
Received: from bb116-14-165-7.singnet.com.sg ([116.14.165.7]) by xxxxxxxxxx229.xxxxxxxxxx148.10]) with SMTP;
Received: from [77.66.26.175] (account ADP_Online_Invoice_DoNotReply@adp.com HELO xpkjlpgsdu.shantobufy.biz)
From: "ADP_Online_Invoice_DoNotReply@adp.com"
Subject: ADP Invoice Reminder
Date: Tue, 11 Sep 2012 03:28:27 +0800
Message-ID: <1893259097 data-blogger-escaped-.xo6mm419623=".xo6mm419623" data-blogger-escaped-rwzqsq.vpphvxfvxncv.net="rwzqsq.vpphvxfvxncv.net">
MIME-Version: 1.0
Content-Type: multipart/alternative;
X-Mailer: cqvfxraq 46
Content-Language: en
------=_ryxrfrsyk_93_92_50
Content-Type: text/plain;
Content-Transfer-Encoding: quoted-printable
================================================================================================================================
Received: from ip-204-12-179-43.sag.speednetllc.com ([204.12.179.43]) by xxxxxxxxxx206.xxxxxxxxxx148.11]) with SMTP;
Received: from apache by adp.com with local (Exim 4.63)
Subject: ADP Invoice Reminder
Date: Mon, 10 Sep 2012 13:13:59 -0500
From: "ADP_Online_Invoice_DoNotReply@adp.com"
Message-ID: <826a17e3ae5174661ec3b07d0d1bcc69 data-blogger-escaped-adp.com="adp.com">
X-Priority: 3
X-Mailer: PHPMailer 5.1 (phpmailer.sourceforge.net)
MIME-Version: 1.0
Content-Type: multipart/alternative;
This is a multi-part message in MIME format.
6.0304E+21
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="windows-1250"
================================================================================================================================
Received: from [193.138.153.55] ([193.138.153.55]) byxxxxxxxxxx148.13]) with SMTP;
Received: from [11.60.151.151] (helo=yzjmdveblxcmx.nnoxhhzmsuhkm.ua)
Date:
From:
X-Mailer: The Bat! (v3.0.0.15) Home
X-Priority: 3 (Normal)
Message-ID: <6476433821 data-blogger-escaped-.cu6yk8u2177890=".cu6yk8u2177890" data-blogger-escaped-hdxeeli.zirxfga.org="hdxeeli.zirxfga.org">
Subject: ADP Invoice Reminder
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----------33C7A418F1A9DC6F"
------------33C7A418F1A9DC6F
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 7bit
================================================================================================================================
Received: from [27.0.100.150] ([27.0.100.150]) by xxxxxxxxxx199.xxxxxxxxxx148.13]) with SMTP;
Received: from [45.139.97.41] (helo=zqbksulszcqp.hagsxueccl.net)
From: "ADP_Online_Invoice_DoNotReply@adp.com"
Subject: ADP Invoice Reminder
Date: Mon, 10 Sep 2012 21:45:49 +0600
MIME-Version: 1.0
Content-Type: multipart/alternative;
X-Priority: 3
X-Mailer: jxfnsip 93
Message-ID: <9542918508 data-blogger-escaped-.4w72rmn8957341=".4w72rmn8957341" data-blogger-escaped-aceab.upvemmonfxej.com="aceab.upvemmonfxej.com">
------=_kwsdyv_60_26_78
Content-Type: text/plain;
Content-Transfer-Encoding: quoted-printable
================================================================================================================================
Received: from [193.138.153.55] ([193.138.153.55]) byxxxxxxxxxx148.13]) with SMTP;
Received: from apache by adp.com with local (Exim 4.63)
Subject: ADP Invoice Reminder
Date: Mon, 10 Sep 2012 16:45:46 +0100
From: "ADP_Online_Invoice_DoNotReply@adp.com"
Message-ID: <401fcaec045823fbd91776a54c3b4725 data-blogger-escaped-adp.com="adp.com">
X-Priority: 3
X-Mailer: PHPMailer 5.1 (phpmailer.sourceforge.net)
MIME-Version: 1.0
Content-Type: multipart/alternative;
================================================================================================================================
Received: from [89.253.172.26] ([89.253.172.26]) by xxxxxxxxxx212.xxxxxxxxxx148.13]) with SMTP;
Received: from [53.29.118.157] (helo=aidkjiedg.okffgowvjjcm.tv)
Date:
From:
X-Mailer: The Bat! (v3.5) Educational
X-Priority: 3 (Normal)
Message-ID: <3111556318 data-blogger-escaped-.lzwloeh3671668=".lzwloeh3671668" data-blogger-escaped-dscjjswmplopvu.dpqxpkno.com="dscjjswmplopvu.dpqxpkno.com">
Subject: ADP Invoice Reminder
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----------01174D1F41DF4C"
------------01174D1F41DF4C
Content-Type: text/plain; charset=windows-1250
Content-Transfer-Encoding: 7bit

List of X-Mailers (from 50 messages)
X-Mailer: cpljdp 25
X-Mailer: cqvfxraq 46
X-Mailer: enqutxo 58
X-Mailer: feait-32
X-Mailer: hrvqejekrr 87
X-Mailer: jnhrtzn-29
X-Mailer: jxfnsip 93
X-Mailer: nluigh_88
X-Mailer: PHP
X-Mailer: PHPMailer 5.1 (phpmailer.sourceforge.net)
X-Mailer: qkhoovc_04
X-Mailer: qlywgmzna.54
X-Mailer: qocrg 51
X-Mailer: The Bat! (v2.00.18) Business
X-Mailer: The Bat! (v2.00.5) Educational
X-Mailer: The Bat! (v2.00.5) Personal
X-Mailer: The Bat! (v2.01) Business
X-Mailer: The Bat! (v3.0.0.15) Home
X-Mailer: The Bat! (v3.5) Educational
X-Mailer: The Bat! (v3.5.25) Professional
X-Mailer: The Bat! (v3.51.10) Professional
X-Mailer: The Bat! (v3.71.01) Home
X-Mailer: The Bat! (v3.81.14 Beta) Home
X-Mailer: unrhtqp 61
X-Mailer: uvttp 88
X-Mailer: wlbyzidlja 13
X-Mailer: wyxmmpcmw_06
X-Mailer: xifywauon_33
X-Mailer: zckimbfsi 31
X-Mailer: ztqttspoqo.26
X-PHP-Script: adp.com/sendmail.php for 178.91.24.25
X-PHP-Script: adp.com/sendmail.php for 197.0.127.4
X-PHP-Script: adp.com/sendmail.php for 50.20.84.34

"Content-Type" boundary variants (they depend on the mailing software on the sending computer)
------------=_1348015405-19759-15
------=_addfge_56_00_60
------=_dngv_71_64_28
------=_dpohbb_97_28_15
------=_dveura_43_69_04
------=_goqxpvebp_47_73_18
------=_iubkqawcfu_82_91_90
------=_jtumdemziq_25_26_54
------=_kwsdyv_60_26_78
------=_mrdcr_81_15_31
------=_rogdop_61_77_16
------=_ryxrfrsyk_93_92_50
------=_vbkayah_83_23_59
------=_zfejdxzc_63_04_85
------=_zkitvmggp_11_95_41
boundary="----------01174D1F41DF4C"
boundary="----------1F1A271284963E"
boundary="----------33C7A418F1A9DC6F"
boundary="----------33F1EFAEBAAB889"
boundary="----------514975CB08A4B6"
boundary="----------678AE86DB5F379B"
boundary="----------CD138B87CE9A363"
boundary="----------D1C1B698DAFC7B4"
boundary="------------01040400309010705020301"
boundary="------------01070100404080205010201"
boundary="------------02070100402010209030406"
boundary="------------06010700809080805040108"
boundary="------------07040500104020905030801"
boundary="------------07070600903010508070107"
boundary="------------09020200307030404040901"
------------01174D1F41DF4C
------------1F1A271284963E
------------33C7A418F1A9DC6F
------------33F1EFAEBAAB889
------------514975CB08A4B6
------------678AE86DB5F379B
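For those who deal with spam filters, the two lists above are the useful part: the botnet-sent messages carry an X-Mailer made of a short random lowercase word and a two-digit number, a part boundary of the form ------=_word_dd_dd_dd, and a From address at adp.com while the outermost Received hop is a residential or foreign host. The following is an added example, not code from the original post, that turns those three observations into a small header scorer. The header blocks are copied from the dump above, except that the receiving host (redacted in the post) is replaced by the placeholder mx.example.invalid; the third block is an entirely constructed benign message for comparison.

```python
import re

# Constructed sample 1: PHPMailer-style message from the dump above, with the
# redacted receiving host replaced by the placeholder mx.example.invalid.
PHPMAILER_SAMPLE = """\
Received: from user216-178-83-54.netcarrier.net ([216.178.83.54]) by mx.example.invalid with SMTP;
Received: from apache by adp.com with local (Exim 4.63)
Subject: ADP Invoice Reminder
From: "ADP_Online_Invoice_DoNotReply@adp.com"
X-Mailer: PHPMailer 5.1 (phpmailer.sourceforge.net)
MIME-Version: 1.0
Content-Type: multipart/alternative;
"""

# Constructed sample 2: botnet-style message from the dump above, same placeholder.
BOTNET_SAMPLE = """\
Received: from [41.73.224.41] ([41.73.224.41]) by mx.example.invalid with SMTP;
Received: from [134.135.172.152] (helo=tqwctknjywru.wdhfoue.va)
From: "ADP_Online_Invoice_DoNotReply@adp.com"
Subject: ADP Invoice Reminder
X-Mailer: qocrg 51
------=_vbkayah_83_23_59
Content-Type: text/plain;
"""

# Constructed sample 3: hypothetical benign message (example.com, TEST-NET address).
BENIGN_SAMPLE = """\
Received: from mail.example.com ([192.0.2.10]) by mx.example.invalid with SMTP;
From: "Billing" <billing@example.com>
Subject: Your invoice
X-Mailer: Microsoft Outlook 14.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0012_01CD9621.5A1B2C30"
"""

# Randomised X-Mailer: 4-10 lowercase letters, one separator, two digits ("cpljdp 25", "feait-32").
RANDOM_XMAILER = re.compile(r"^[a-z]{4,10}[ _.\-]\d{2}$")
# Randomised part boundary: ------=_word_dd_dd_dd ("------=_vbkayah_83_23_59").
RANDOM_BOUNDARY = re.compile(r"^------=_[a-z]{3,12}_\d{2}_\d{2}_\d{2}$")
RECEIVED_FROM = re.compile(r"^Received:\s+from\s+(\S+)", re.I)
FROM_DOMAIN = re.compile(r"^From:.*?@([A-Za-z0-9.-]+)", re.I)
X_MAILER = re.compile(r"^X-Mailer:\s*(.+?)\s*$", re.I)


def first_match(lines, pattern):
    """Return group(1) of the first line matching pattern, or ''."""
    for line in lines:
        m = pattern.match(line)
        if m:
            return m.group(1)
    return ""


def analyze(raw_headers: str) -> dict:
    """Score a flattened header block on the three indicators seen in this campaign."""
    lines = [l.strip() for l in raw_headers.splitlines() if l.strip()]
    xmailer = first_match(lines, X_MAILER)
    sender_domain = first_match(lines, FROM_DOMAIN).lower()
    # The outermost Received line is the one added by our own MX; its "from" token is
    # the hostname the remote side announced (or its address in brackets).
    outer_hop = first_match(lines, RECEIVED_FROM).strip("[]").lower()
    hop_in_domain = outer_hop == sender_domain or outer_hop.endswith("." + sender_domain)
    indicators = {
        "random_xmailer": bool(RANDOM_XMAILER.match(xmailer)),
        "random_boundary": any(RANDOM_BOUNDARY.match(l) for l in lines),
        "sender_domain_mismatch": bool(sender_domain) and not hop_in_domain,
    }
    indicators["score"] = sum(indicators.values())
    return indicators


if __name__ == "__main__":
    for name, block in (("phpmailer", PHPMAILER_SAMPLE),
                        ("botnet", BOTNET_SAMPLE),
                        ("benign", BENIGN_SAMPLE)):
        print(name, analyze(block))
```

Only the outermost Received line (the one your own MX wrote) is trustworthy; the inner "Received: from apache by adp.com with local" line in the PHPMailer messages was written by the sender and is exactly what the domain-mismatch check is meant to see through. The PHPMailer messages score lower than the botnet ones because their X-Mailer and boundary are the genuine PHPMailer values, so the mismatch between the adp.com From address and the netcarrier.net hop is the indicator that carries them.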

List of some of the compromised domains

arksylhet.com
badshahpromotions.co.uk
centroedusantaterezinha.org
chambe-aix.com
colombianfashion.com
curatatorie-sibiu.ro
davidicke.pl
domaister.com
dpwparking.com
ecoaction21.fr
estetiqueroman.ro
fengshuitonight.com
ferretsac.com
firetowerguard.com
groupe-cmb.com
hmlanding.com
innovahogar.es
jusprev.org.br
justwebdesign.co.za
karpar.gr
lehoapaper.com
muzee.org
nailtaxi.com
onewaytransportproducts.com
sloanegroup.com
sv.thanmadailuc.com
trends-und-freizeit.de
ukhs.dk
wnyportal.com
www.golfer360.de

URLs in spam messages redirecting to the exploit kit

http://arksylhet. com/A67iD4eo/index. html
http://arksylhet. com/QSpUShbL/index. html
http://badshahpromotions. co. uk/zpVjiR/index. html
http://centroedusantaterezinha. org/foRHmF8/index. html
http:///Wjn56cM6/index. html
http://chambe-aix. com/yCkWRN/index. html
http://chambe-aix. com/yYiD9SAs/index. html
http://colombianfashion. com/Mt1T26/index. html
http://curatatorie-sibiu. ro/fbwoGoYB/index. html
http://curatatorie-sibiu. ro/QeHis8s/index. html
http://davidicke. pl/0qaSfRv/index. html
http://davidicke. pl/mZbkMz/index. html
http://davidicke. pl/x1s0xB8z/index. html
http://domaister. com/LD2nAc/index. html
http://dpwparking. com/PYG35et/index. html
http://ecoaction21. fr/QBA8Re4S/index. html
http://estetiqueroman. ro/KD31RjXc/index. html
http://fengshuitonight. com/JTARZz/index. html
http://fengshuitonight. com/vRNXQq/index. html
http://ferretsac. com/wBbsvpF/index. html
http://ferretsac. com/wc4hACm/index. html
http://ferretsac. com/z7ShYa3/index. html
http://firetowerguard. com/AEuifWY/index. html
http://groupe-cmb. com/JWBpK7qd/index. html
http://groupe-cmb. com/ukKmLYf0/index. html
http://groupe-cmb. com/zc0XNMxZ/index. html
http://hmlanding. com/60QuVZQ/index. html
http://innovahogar. es/4oRnMr/index. html
http://innovahogar. es/V2dSnzdv/index. html
http://innovahogar. es/ZUCufHc/index. html
http://jusprev. org. br/aZhDGJ1e/index. html
http://justwebdesign. co. za/X1dWrR/index. html
http://karpar. gr/mMDBNKhE/index. html
http://karpar. gr/yoTkZUm0/index. html
http://karpar. gr/yUyj1crG/index. html
http://lehoapaper. com/hUvbnijs/index. html
http://muzee. org/AA9njNS/index. html
http://nailtaxi. com/yjgSuE/index. html
http://onewaytransportproducts. com/auVejpR/index. html
http://sloanegroup. com/1n70Gvt/index. html
http://sv. thanmadailuc. com/9vy1FW/index. html
http://sv. thanmadailuc. com/UotPEhM/index. html
http://sv. thanmadailuc. com/x4MSyKCz/index. html
http://trends-und-freizeit. de/4UDFo4/index. html
http://ukhs. dk/ZjUP5CCZ/index. html
http://wnyportal. com/cKodnh/index. html
In this particular case, these Snort signatures alerted on the arrival of the spam.
SOURCEFIRE SNORT 
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"EXPLOIT-KIT Blackhole possible email Landing to 8 chr folder"; flow:to_server,established; content:"href=|22|http|3A 2F 2F|"; content:"/index.html|22|"; within:50; pcre:"/\x2f[a-z0-9]{8}\x2findex\.html\x22/msi"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; classtype:trojan-activity; sid:24171; rev:1; )
EMERGING THREATS
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Blackhole Landing to 8 chr folder plus index.html"; flow:established,to_server; content:"/index.htm"; fast_pattern:only; http_uri; urilen:20<>21; content:!"search"; nocase; http_uri; pcre:"/^\/[A-Za-z0-9]+[A-Z]+[A-Za-z0-9]*\/index\.html?$/U"; classtype:bad-unknown; sid:2014521; rev:4;)
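Both rules key on the same thing: an eight-character alphanumeric folder followed by index.html. The Sourcefire rule fires on the SMTP side (the href inside the mail body, PCRE case-insensitive, within 50 bytes of the http:// prefix) and the Emerging Threats rule on the HTTP side (URI 20 or 21 bytes long, no "search" in it, at least one uppercase letter in the folder). The following is an added example, not code from the original post or from either rule set, that re-implements the two PCREs in Python and runs them over four of the spam URLs listed above (re-joined from the post's defanged "dot space" form). The mail body wrapped around each URL is constructed, and the urilen range is treated as inclusive here; check the range semantics of your own Snort release.

```python
import re
from urllib.parse import urlsplit

# Four spam URLs from the list above, still in the post's defanged form.
DEFANGED_URLS = [
    "http://arksylhet. com/A67iD4eo/index. html",
    "http://badshahpromotions. co. uk/zpVjiR/index. html",
    "http://curatatorie-sibiu. ro/fbwoGoYB/index. html",
    "http://innovahogar. es/4oRnMr/index. html",
]


def refang(url: str) -> str:
    """Undo the post's defanging: 'arksylhet. com' -> 'arksylhet.com'."""
    return url.replace(". ", ".")


# Sourcefire SID 24171: content href="http://, then /index.html" ending within 50 bytes,
# and pcre /\x2f[a-z0-9]{8}\x2findex\.html\x22/i. Everything after http:// up to the
# closing quote must fit in 50 bytes, so at most 29 bytes of host/path precede the folder.
SF_LANDING = re.compile(r'href="http://[^"]{0,29}/[a-z0-9]{8}/index\.html"', re.I)


def sourcefire_24171(mail_body: str) -> bool:
    return SF_LANDING.search(mail_body) is not None


# ET SID 2014521: urilen 20<>21, content:!"search" nocase, and
# pcre /^\/[A-Za-z0-9]+[A-Z]+[A-Za-z0-9]*\/index\.html?$/U (folder needs an uppercase letter).
ET_LANDING = re.compile(r"^/[A-Za-z0-9]+[A-Z]+[A-Za-z0-9]*/index\.html?$")


def et_2014521(url: str) -> bool:
    path = urlsplit(url).path
    if not 20 <= len(path) <= 21:          # urilen:20<>21 (treated as inclusive here)
        return False
    if "search" in path.lower():           # content:!"search"; nocase; http_uri
        return False
    return ET_LANDING.match(path) is not None


def classify(defanged_url: str) -> dict:
    """Run both checks for one spam URL; the mail body around it is constructed."""
    url = refang(defanged_url)
    body = f'<p>Please review your invoice: <a href="{url}">view</a></p>'
    return {"url": url, "smtp_rule": sourcefire_24171(body), "http_rule": et_2014521(url)}


def run_all() -> list:
    return [classify(u) for u in DEFANGED_URLS]


if __name__ == "__main__":
    for result in run_all():
        print(result)
```

The run shows the gap a practitioner should know about: both rules are tuned for the eight-character folder, so the six-character folders that also appear in the list above (zpVjiR, yCkWRN, Mt1T26, 4oRnMr and others) match neither rule, and an all-lowercase eight-character folder would pass the Sourcefire rule but not the ET one. When the kit varies the folder length, a complementary rule on the ";links/systems-" style of the redirect target is the more stable hook.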
Exploit kit URL/IP

The links redirect to

69. 194. 193. 34/links/systems-warns. php - used in emails above
46. 249. 37. 122/links/systems-warns. php - found on internet


As the Blackhole 2.0 ad promises, the actual exploit links are dynamically generated, usable only once and then expire, so they will probably be difficult to predict.

Our case:
69.194.193.34/links/systems-links_warns.php?ljpcwedu=0206360203&unnioab=41&phjf=35353306040934370b06&jct=0b0006000200030b07 << PDF exploit

69.194.193.34/systems-links_warns.php?nfezhok=0906343704&sbipbq=3dzz7ecg=35353306040934370b06&qara=0b0007000400040b07 << PDF exploit (second test)

69.194.193.34/links/systems-links_warns.php?tf=0206360203&le=35353306040934370b06&i=02&jy=b&fg=h << Java exploit

Compare to links by a different actor described by Kafeine http://malware.dontneedcoffee.com/2012/09/BHEK2.0landing.html



http://46.249.37.118 /links/differently-trace.php?zexl=36070905070437020234050505343634353405060636060a330902340a033505

Blackhole 2.0 now has the following exploits

  1. CVE-2006-5559 - MDAC, still works well on IE6 (listed in the ad)
  2. CVE-2012-0507 - Java Atomic (listed in the ad)
  3. CVE-2012-1723 - Java Byte (listed in the ad)
  4. CVE-2010-0188 - PDF Libtiff (listed in the ad)
  5. CVE-2012-4681 (seen in the wild)


The last version of 1.x is 1.2.5 (released Aug. 30, 2012, with CVE-2012-4681 added later). It still has all the older exploits plus

  1. CVE-2012-1889 - IE XML
  2. CVE-2012-1723 - Java
  3. CVE-2012-4681 - Java
  4. CVE-2010-0188 - PDF Libtiff
  5. 3 older PDF exploits for v. < 8.0
  6. CVE-2006-5559  MDAC
  7. CVE-2010-1885 - HCP
  8. CVE-2011-0559 - Flash, plus one older unspecified Flash CVE
  9. CVE-2011-2110 - Flash




The main landing page
The classic WAIT PLEASE 
CVE-2012-0507

Screenshots of some of the legitimate compromised websites
Traffic

Download the full pcap file above 

GET /data/java.jar.pack.gz HTTP/1.1
accept-encoding: pack200-gzip, gzip
content-type: application/x-java-archive
Cache-Control: no-cache
Pragma: no-cache
User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.7.0_06
Host: 69.194.193.34
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
If-Modified-Since: Tue, 18 Sep 2012 07:17:22 GMT
HTTP/1.1 404 Not Found
Server: nginx/0.7.67
Date: Wed, 19 Sep 2012 02:42:18 GMT
Content-Type: text/html
Connection: keep-alive
Content-Length: 162

GET /links/systems-links_warns.php?ljpcwedu=0206360203&unnioab=41&phjf=35353306040934370b06&jct=0b0006000200030b07 HTTP/1.1
Host: 69.194.193.34
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://69.194.193.34/links/systems-links_warns.php
HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Wed, 19 Sep 2012 02:41:57 GMT
Content-Type: application/pdf
Connection: keep-alive
Content-Length: 18637
X-Powered-By: PHP/5.3.14-1~dotdeb.0
Accept-Ranges: bytes
Content-Disposition: inline; filename=ef177.pdf
%PDF-1.6
%....
52 0 obj<</Length 42/Root 1 0 R/Info 3 0 R/Filter/FlateDecode/W[1 2 1]/Index[5 1 7 1 9 4 23 4 50 3]>>stream
x.bbb0b`b```.G0.....!...w.310Z...2....w...
endstream
endobj

TCP TRAFFIC HOSTS

Address Port Country AS Number ISP
92.43.108.70 80 Germany AS33891 Core-Backbone GmbH
84.246.225.142 80 France AS34274 ELBMULTIMEDIA ELB MULTI
74.125.132.104 80 United States AS15169 Google Inc.
74.125.132.94 80 United States AS15169 Google Inc.
89.106.12.145 80 Turkey AS39582 Grid Bilisim Teknolojil
64.71.131.88 80 United States AS6939 Hurricane Electric
112.78.2.145 80 Vietnam AS45538 Online data services
216.246.98.78 80 United States AS23352 Server Central Network
69.194.193.34 80 United States AS14670 Solar VPS
174.121.152.5 80 United States AS21844 ThePlanet.com Internet
199.7.54.190 80 United States AS36624 VeriSign Global Registr
199.7.52.190 80 United States AS36620 VeriSign Global Registr
63.245.217.81 443 United States AS53371 Mozilla Corporation
213.155.112.85 8080 Turkey AS8685 Doruk Iletisim ve Otomas
89.40.119.200 11611 Romania AS41950 NETLOG COMPUTER SRL
190.69.173.62 11781 Colombia AS3816 TELECOMUNICACIONES S.A.
72.248.245.188 16999 United States AS14751 One Communications Corp
89.69.109.243 17681 Poland AS6830 UPC Broadband Holding B.
109.234.114.78 24862 Georgia AS47921 LUNET LLC
178.163.88.81 27000 Russian Federation AS8416 Infoline Ltd.

UDP TRAFFIC HOSTS

Address Port Bytes Country AS Number ISP
182.72.166.6 29984 125 India AS9498 BHARTI Airtel Ltd. Bharti Broadband
85.107.181.118 17648 127 Turkey AS9121 Turk Telekomunikasyon An Turk Telekom
63.254.227.46 23466 128 United States AS22663 Prominic.NET Inc.
83.93.226.168 28233 141 Denmark AS3292 TDC Data Networks Tele Danmark
79.0.8.195 24612 145 Italy AS3269 Telecom Italia S.p.a. Telecom Italia
222.128.254.2 23311 156 China AS4808 CNCGROUP IP network Chin China Unicom Beijing province n
12.96.109.50 11088 160 United States AS7018 AT&T Services Inc.
186.39.132.44 12878 163 Argentina AS22927 Telefonica de Argentina Telefonica de Argentina
192.168.106.131 1076 168 - - -
82.59.154.81 17335 169 Italy AS3269 Telecom Italia S.p.a. Telecom Italia
113.166.213.7 11378 173 Vietnam AS45899 VNPT Corp VDC
68.170.61.220 20328 176 United States AS10835 Visionary Communication Visionary Communications
108.2.156.170 13246 178 United States AS19262 Verizon Online LLC Verizon Internet Services
72.230.166.215 27024 181 United States AS11351 Road Runner HoldCo LLC Road Runner
27.108.211.115 18136 181 Philippines AS6648 Bayan Telecommunications Bayan Telecommunications
207.255.157.162 13889 186 United States AS11776 Atlantic Broadband Fina Atlantic Broadband
64.53.221.153 14187 194 United States AS29859 WideOpenWest Finance LL WideOpenWest
123.20.196.85 11297 195 Vietnam AS45899 VNPT Corp VDC
110.55.5.191 24922 196 Philippines AS6648 Bayan Telecommunications Bayan Telecommunications Incorp
192.168.106.131 1079 202 - - -
95.10.33.213 15718 207 Turkey AS9121 Turk Telekomunikasyon An Turk Telekom
201.62.128.19 21593 210 Brazil AS23106 Empresa de Infovias S/A Way TV Belo Horizonte S.A.
151.74.71.172 29086 216 Italy AS1267 Infostrada S.p.A. WIND Telecomunicazioni S.p.A
114.42.67.39 18497 225 Taiwan AS3462 Data Communication Busin CHTD
37.206.138.114 18301 233 Italy AS3269 Telecom Italia S.p.a. Telecom Italia S.p.A.
92.114.119.237 11837 234 Romania AS6910 Dial Telecom S.R.L. Sc Digital Cable Systems SA
114.47.243.188 14796 238 Taiwan AS3462 Data Communication Busin CHTD
24.146.212.193 11451 247 United States AS6128 Cablevision Systems Corp Optimum Online
190.55.226.224 15258 268 Argentina AS27747 Telecentro S.A. Telecentro S.A. - Clientes Resi
119.242.125.198 11788 269 Japan AS2518 NEC BIGLOBE Ltd.
178.75.237.12 27584 275 Bulgaria AS42248 Vida Optics TVV Optilink Ltd
79.14.79.134 24815 275 Italy AS3269 Telecom Italia S.p.a. Telecom Italia
37.99.51.1 11968 277 Kazakhstan AS21299 ORBITA-PLUS Autonomous 2Day Telecom LLP
201.87.81.21 21611 279 Brazil AS19182 Rede Ajato Ltda Comercial Cabo TV São Paulo
190.198.1.85 11450 287 Venezuela AS8048 Servicios Venezuela
180.192.185.36 28379 288 Philippines AS9497 Digital Telecommunicatio Digital Telecommunications Phil
68.63.130.33 17878 293 United States AS7922 Comcast Cable Communicat Comcast Cable
151.50.236.170 29034 296 Italy AS1267 Infostrada S.p.A. WIND Telecomunicazioni S.p.A
183.100.54.194 12623 298 Korea Republic of AS4766 Korea Telecom
176.223.54.156 23169 300 Romania AS6910 Dial Telecom S.R.L. Digital Cable Systems SA
93.221.69.29 19174 303 Germany AS3320 Deutsche Telekom AG Deutsche Telekom AG
37.45.214.205 17842 304 Belarus AS6697 Republican Association B Republican Association BELTELEC
67.77.243.4 28864 305 United States AS6222 Embarq Corporation Embarq Corporation
96.30.155.22 12299 306 Canada AS11260 EastLink EastLink
209.5.182.110 17494 310 Canada AS3602 Rogers Cable Communicati Rogers Cable
74.71.140.38 15029 310 United States AS11351 Road Runner HoldCo LLC Road Runner
67.65.147.74 11126 311 United States AS7132 AT&T Internet Services AT&T Internet Services
62.5.128.33 24761 312 Russian Federation AS8359 MTS MTS OJSC MTS OJSC
192.168.106.131 68 684 - - -
192.168.106.254 67 684 - - -
66.148.80.28 24833 821 United States AS14361 HopOne Internet Corpora HopOne Internet Corporation
195.169.125.228 29902 1356 Netherlands AS1103 SURFnet The Netherlands
66.148.64.18 24305 2021 United States AS14361 HopOne Internet Corpora HopOne Internet Corporation
194.94.127.98 25549 2219 Germany AS680 Verein zur Foerderung ein Verein zur Foerderung eines Deu
192.168.106.131 1325 2414 - - -
192.168.106.2 137 2586 - - -
192.168.106.131 137 2586 - - -
192.168.106.2 53 2784 - - -
108.217.233.48 16503 3272 United States AS7018 AT&T Services Inc.
72.248.245.188 28722 3365 United States AS14751 One Communications Corp One Communications Corporation
77.70.94.249 19923 3512 Bulgaria AS35141 Megalan - Autonomous Sy Megalan Network Ltd.
190.69.173.62 26145 3700 Colombia AS3816 TELECOMUNICACIONES S.A. COLOMBIA TELECOMUNICACIONES S.A
192.168.106.131 18707 30916 - - -
Payload - Zeus

The payload is the classic, older version of Zeus. You can download all the files above. Below are a couple of slides from my May 2012 presentation showing the basic difference (there are several, but this is the easiest one to check) between Zeus Gameover and Citadel (Citadel as of May 2012 :) ).

In our case, it created the following Run key for persistence:
HKU\S-1-5-21-1715567821-1275210071-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Run\{5A5943C0-5A07-AD41-0C12-888728E4AB95}: ""C:\Documents and Settings\Laura\Application Data\Wyyh\ycys.exe""

Deleting cookies


Deleted files
Automatic scans
https://www.virustotal.com/file/37d801882221dbc8f9da510e9531434ffb63faf61052c0263b658ca227b9a453/analysis/
SHA256: 37d801882221dbc8f9da510e9531434ffb63faf61052c0263b658ca227b9a453
SHA1: 4290441b2edc07c606ffb3b6407c6b7df99413f3
MD5: 86946ec2d2031f2b456e804cac4ade6d
File size: 32.2 KB ( 33010 bytes )
File name: 86946ec2d2031f2b456e804cac4ade6d
File type: ZIP
Tags: cve-2012-4681 exploit zip
Detection ratio: 11 / 43
Analysis date: 2012-09-18 23:35:03 UTC ( 6 hours, 13 minutes ago )
AhnLab-V3 Java/Exploit.Gen 20120918
Comodo UnclassifiedMalware 20120918
Emsisoft Exploit.Java.CVE-2012-4681!IK 20120918
ESET-NOD32 Java/Exploit.CVE-2012-4681.AM 20120918
F-Secure Exploit:Java/CVE-2012-4681.H 20120919
Ikarus Exploit.Java.CVE-2012-4681 20120918
Kaspersky HEUR:Exploit.Java.CVE-2012-4681.gen 20120919
McAfee JV/Exploit-Blacole!zip 20120919
McAfee-GW-Edition JV/Exploit-Blacole.r 20120918
Sophos Troj/JavaDl-FC 20120919
TrendMicro-HouseCall TROJ_GEN.F47V0918 20120919

Additional information
#exploit

http://69.194.193.34/links/systems-links_warns.php
http://69.194.193.34/data/java.jar
Posted by BornSlippy
seen via URLs in spam
hxxp://conteruns.com/fix/Gam.jar
hxxp://afternewvision.net/fix/Gam.jar

https://www.virustotal.com/file/0e80aa63d9069f8325ed4d66327270a8c063fe94485e5266c0bb2eb117fe2e05/analysis/1348033795/
Zbot - MD5 will change with each run


SHA256: 0e80aa63d9069f8325ed4d66327270a8c063fe94485e5266c0bb2eb117fe2e05
File name: diJPN.exe
Detection ratio: 9 / 43
Analysis date: 2012-09-19 05:49:55 UTC ( 0 minutes ago )
BitDefender Trojan.Generic.KD.731993 20120919
Emsisoft Trojan.Win32.Zbot!A2 20120919
F-Secure Trojan.Generic.KD.731993 20120919
GData Trojan.Generic.KD.731993 20120919
Kaspersky Trojan-Spy.Win32.Zbot.exnj 20120919
McAfee PWS-Zbot.gen.amk 20120919
McAfee-GW-Edition PWS-Zbot.gen.amk 20120919
Sophos Troj/DwnLdr-KFF 20120919
Symantec Suspicious.Cloud.5 20120919

Additional information
ssdeep
6144:59LMYYoC3oI3XKASU/jIddf1LgRfqLbjm8JlXkK6dCEwUCitW1RUWFM:5SiRAZ/jcdu9qL/m8JlXiHw8
TrID
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
VXD Driver (0.1%)
ExifTool
CodeSize.................: 10752
SubsystemVersion.........: 4.0
InitializedDataSize......: 325632
ImageVersion.............: 1.0
ProductName..............:
FileVersionNumber........: 1.1.1.42
UninitializedDataSize....: 1024
LanguageCode.............: French (Swiss)
FileFlagsMask............: 0x0000
CharacterSet.............: Windows, Latin1
LinkerVersion............: 2.56
OriginalFilename.........:
MIMEType.................: application/octet-stream
Subsystem................: Windows GUI
FileVersion..............:
TimeStamp................: 2012:09:18 09:04:59-07:00
FileType.................: Win32 EXE
PEType...................: PE32
InternalName.............:
ProductVersion...........:
FileDescription..........:
OSVersion................: 4.0
FileOS...................: Unknown (0)
LegalCopyright...........:
MachineType..............: Intel 386 or later, and compatibles
CompanyName..............:
LegalTrademarks..........:
FileSubtype..............: 0
ProductVersionNumber.....: 1.1.1.42
EntryPoint...............: 0x1240
ObjectFileType...........: Executable application
Sigcheck
publisher................:
product..................:
internal name............:
copyright................:
original name............:
file version.............:
description..............:
Portable Executable structural information
Compilation timedatestamp.....: 2012-09-18 16:04:59
Target machine................: 0x14C (Intel 386 or later processors and compatible processors)
Entry point address...........: 0x00001240

PE Sections...................:

Name        Virtual Address  Virtual Size  Raw Size  Entropy  MD5
.text                  4096         10308     10752     6.04  6bba50c1eac13adea8a339afc6faf36e
.data                 16384          3328      3584     0.30  13aad2cc87311cfaa958fb13e3bd6798
.rdata                20480        307808    308224     7.97  84080c9735bea1e12ad86806e1b8f0dc
.bss                 331776           544         0     0.00  d41d8cd98f00b204e9800998ecf8427e
.idata               335872          1700      2048     4.05  a5ffd9ab2a5a1127e2d1cbdf60d9cc2f
.rsrc                339968           664      1024     2.16  35dc6e0fa2ce4f92074e14bfae7347bf
qej                  344064          4096       512     0.00  bf619eac0cdf3f68d496ea9344137e8b
ldc                  348160          4096      4096     2.98  a214eafb14c8b08b14d9f92b22d97fac
ucd                  352256          4096       512     0.00  bf619eac0cdf3f68d496ea9344137e8b
pmh                  356352          4096       512     0.00  bf619eac0cdf3f68d496ea9344137e8b

PE Imports....................:

[[GDI32.dll]]
GetRegionData

[[KERNEL32.dll]]
CreatePipe, GetAtomNameA, CreateSemaphoreA, AddAtomA, Beep, SetUnhandledExceptionFilter, FindAtomA, GetStartupInfoA, ExitProcess, CreateFileA, GetCommandLineA, Sleep, GetModuleHandleA

[[msvcrt.dll]]
_cexit, __p__fmode, malloc, fopen, __p__environ, signal, strcmp, free, _onexit, atexit, abort, _setmode, __getmainargs, fprintf, fflush, _iob, sin, __set_app_type

[[ole32.dll]]
CoCreateGuid, BindMoniker

[[ws2_32.dll]]
gethostbyname, getpeername

[[USER32.dll]]
GetMessageA, CreateWindowExA, LoadCursorA, LoadIconA, DispatchMessageA, ShowWindow, TranslateMessage, PostQuitMessage, DefWindowProcA, MessageBoxW, GetPropA, RegisterClassExA

PE Resources..................:

Resource type            Number of resources
RT_VERSION               1
