Spam emails from multibit.org

[whyinvestinbitcoin]

I'm regularly getting spam with Java attachments from a host of sites including multibit.org. It seems like my email has been taken from one of these servers as the scammers seem desperate to get a java package installed on my machine to I guess watch for my multibit client and take all my funds. Fortunately it's all safe from prying eyes but it is very annoying to get these emails everyday.

Where's a good place to get these packages decoded and fight back at the thieves? How can we ensure that multibit will be secure from hackers regardless? We need personal banking to be safe!

[whyinvestinbitcoin]

Some of the emails:

From: multibit@team.multibit.org

Dear User

you get new funds 10.944 BTC Please Click On the link To active your Funds
and download the invoice

https://multibit.org/releases/active/funds/10btc/1LpursCfDsiQcg6v6isdYFyKe4DNtYoXk2


Greetings


Multibit Team

From: bitcoin <zakaz@mtk-gr.ru>

Dear User

you get new funds 10.944 BTC Please Click On the link To active your Funds
and download the invoice

https://bitcoin.org/releases/active/funds/10btc/1LpursCfDsiQcg6v6isdYFyKe4DNtYoXk2


Greetings


bitcoin Team

From: Bitcoin <wallet@bitcoin.help.org>
New Wallet Update
Attachment: Wallet.jar


From:KnCMiner <info@kncminer.com>

Dear Client,

Per your request, we have canceled your service. Billing on this account will cease as of 2014-03-11. Your confirmation number is 82022629.

Should you wish to reactivate your account, please click here and fill your information. (bitly dot com/1kdPqie - mod note: careful, java malware)



And that is all in the past 3 days. I'm getting them EVERY day from various. It's like they KNOW me and the services and products I have signed up for. I have had spam presented as from blockchain.org, bitstamp, btc-e, mtgox, multibit and others. We HAVE to fight back against these clever hacking thieves. Bitcoin community STAND UP and protect what is yours to protect. These people need to go to jail pronto.

My grandma would have clicked on one of these attachments no-doubt and lost all her savings. We need robust solutions to this.

[OnkelPaul]

E-Mail sender addresses in malware mails are always spoofed (unless the phisher is a complete idiot which is unlikely in this case), these mails are not sent by multibit.org.
If you have some spam sleuthing skills, you could look at the mail headers to see whether they have a common origin, and request that the admin of the originating machine stops and removes the malware-sending software (or fixes his open-relaying hole, or whatever else causes his machine to be used by scammers).
The links that you posted are obviously not the actual malware links, most often the links in phishing mails contain different actual link targets than those implied by the link text.

Onkel Paul

[escrow.ms]

Multibit is java depended and somehow they got all multibit user's email address and obvously these are fake emails with Java drive by attachment.  If you are using Java, make sure to disable java addon in your browser and do not open any .jar file.

Ps: Can you please forward these emails to me with jar attachment?  escrow.ms@gmail.com
I would like to know where they are hosting malware and which one.

[werrindor]

Do you still get spam everyday?

[whyinvestinbitcoin]

Header from one of them: (Intersting bit: X-Get-Message-Sender-Via: host.askroz.com.au: authenticated_id: segrroz/only user confirmed/virtual account not confirmed)

Return-Path: segrroz@host.askroz.com.au
Received: from host.askroz.com.au ([122.201.116.28]) by mx.kundenserver.de (mxeue105) with ESMTPS (Nemesis) id 0MXUUI-1WgbeN20pi-00WWSP for <john@REMOVEDOBVIOUSLY>; Sun, 02 Mar 2014 18:59:58 +0100
Received: from segrroz by host.askroz.com.au with local (Exim 4.82) (envelope-from <segrroz@host.askroz.com.au>) id 1WKAg4-0008Ri-Jq for john@ REMOVEDOBVIOUSLY; Mon, 03 Mar 2014 04:59:52 +1100
Message-Id: <4f3e70ea134cc69c3e32b81ab05e94f4@www.askroz.com.au>
X-Priority: 3
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="b1_4f3e70ea134cc69c3e32b81ab05e94f4"
X-Antiabuse: This header was added to track abuse, please include it with any abuse report
X-Antiabuse: Primary Hostname - host.askroz.com.au
X-Antiabuse: Original Domain - REMOVEDOBVIOUSLY
X-Antiabuse: Originator/Caller UID/GID - [591 32007] / [47 12]
X-Antiabuse: Sender Address Domain - host.askroz.com.au
X-Get-Message-Sender-Via: host.askroz.com.au: authenticated_id: segrroz/only user confirmed/virtual account not confirmed
X-Source: /usr/bin/php
X-Source-Args: /usr/bin/php /home/segrroz/public_html/blog/id.php
X-Source-Dir: askroz.com.au:/public_html/blog
Envelope-To: <john@ REMOVEDOBVIOUSLY >
X-Ui-Filterresults: notjunk:1;V01:K0:kNVgTSEcnB4=:yvxUiE5iVyQeuy6Hh1c1WT4qRn zn273iQU5t4Pe/Thv717UNi1KfrmESYcph21J6GUHh+mMjqBbES5bbXSFBU6rgyaZEIM5Oqrd KZlu1ZQEJr+lVB29zjSvMS43DQGaG9pFSxhJgUyBF3k78LGGIRU0mUrK2sO282CEvz8hs1WKZ qy1yxNdHUjSuMNrFM77puIeLeZ4mp0ZX0NOXWsx5866a2oZWeKgBUU6bphIj6+uwCpMoGPS52 N9eK85ufPas3sJAo7tL7j7l+fYPwCpqd6XX6aWF9EDAAcDIQ3P+uLAtQVo937GkvWFSCYwgv1 /P0zCa5p+oCagNsnmUNT8X94AxBXv0b8aqnOCtO/0qE3hux7gnpKhUcp7JQtostIPoLo6vQwE imJok7vLVFg2637oG3KHmr7909y2qKZNtl05PR5OUzXJyFAzyCRyk3t0xkeDmdrVX/TOsXR3H qofMUD2fhsTeEaEuKwopQyZTY8YPd3T3rZkTuUfgRwQgzg7mGF9k3nXmKPcYBbMhDS5BZR8BP rPCHPXSPQNb3OBCmedc9/jcdjqZoXlr1nEgdPaXinLMoUm/5JhsjOSmQtInryy+n9Riu7EpU2 pMdTAk7fj120RnvK1Ov7kqP3nSDCZzJL95OvHW9uW8gdzx55du/vol4L5AHKyw5bLPaBYdtnO u7L8wLC11PkPA2GG+EZdxWkQkA6cDtxv2HOiKwafL4LolsWxy3NUogYyon3gfhUKxSBQ6Mh/f SsWMvgFO8ixsV2Yc6ac//hlC3F/quNoDyTGX1HtmgsV0N+9SQpSilpVP+mtXKaaFbj5IPr2gr U666bSDiTWYqDTq/WKF598BpwuVfY9C2amOtzoqNj/FNPnlJpWADiaBX9h3wncgSpuek+5HOo WaDCkTdlx+fdi6/lAJXx62kVSqOxG9hHJOXTNC8emYYFN+wML+tflSKdqBl8pJ8SibbCkn/bu ADGZnepHNJJgMfMPr7PtKPg5hkz6tw3TZPvkj+V51w3kwbjyvBp0c90IxCA4TaeKu0QGsmysi jESkRmK6omOOFnlrBvwGAuVIKGfUXy8XcPs71ExSn0PW0btxj2WAbJ8upHbxk5LUHG5T9h33v PhCX5R7LruzP+RO4mpt6mxp6WpS2IQ0eCZjfsX0Wfk87qCnLM3l2kqwEHOoVZMgBimQL9JfGH JchZTrxKLYoWNsQr9qwKzr7DFZEqRJHstrt7v6Z4qt0NOlCD48rBL4i+cBg7U6sSFAsnC7lnr FIEVJgJ0zaIudvaOGMpZ/GOaF6YRxi+px0w==
Multibit is an innovative payment network and a new kind of money

[whyinvestinbitcoin]

Yes still getting spam each day. Todays spam:

From: "Bitstamp.localmachine@Bitstamp.net" <Bitstamp.localmachine@Bitstamp.net>

Hello everyone! and apologize for the delays and lack of communication are currently working on some design improvements / server.
During the week we will update this page with the status of the project, given the final stage where we are.
 
Steps For Tuesday March 4, 2014:

      Please check if your balance in this file is correct ( Same your wallet balance ) .. And replay asap if you see any problem.

END EMAIL

Note: Image is attached in the email presenting itself as a PDF. Clicking opens a URL: bitly dotc com/1fAxcqX (- mod note: careful, java malware) which downloads a JAR file Bitstamp.jar.

HEADER:

Return-Path: Bitstamp.localmachine@Bitstamp.net
Return-Path: <Bitstamp.localmachine@bitstamp.net>
Received: from mailer214.gate184.sl.smtp.com ([192.40.184.214]) by mx.kundenserver.de (mxeue006) with ESMTP (Nemesis) id 0MTR6R-1WXuli3xln-00SPb7 for <john@REMOVEDOBVIOUSLY>; Thu, 13 Mar 2014 20:46:42 +0100
Received: from [216.55.179.253] ([216.55.179.253:55267] helo=216-55-179-253.dedicated.codero.net) by sl-mta05 (envelope-from <Bitstamp.localmachine@bitstamp.net>) (ecelerity 3.3.2.44647 r(44647)) with ESMTPSA (cipher=AES256-SHA)  id B4/68-05659-E1B02235; Thu, 13 Mar 2014 19:46:38 +0000
X-Msfbl: am9obkB3aHlpbnZlc3RpbmJpdGNvaW4ub3JnQDE5Ml80MF8xODRfMjE0QHJldGFp bF9zaGFyZWRfcG9vbF8xNkA=
Dkim-Signature: v=1; a=rsa-sha256; d=smtp.com; s=smtpcomcustomers; c=relaxed/simple; q=dns/txt; i=@smtp.com; t=1394739998; h=From:Subject:To:Date:MIME-Version:Content-Type; bh=HQnhOrY5DGPwzcKALpT3xpM3sEcX0m+y0xi7pQDiAGM=; b=IW9PSxYU5pbkEgXcJmGhUvO9R/dNfKYSSt39P+kdSJ6vqx472vU1qJDaYXerXS/W r9WGPy7IFxvTWR+2gDkRcMm6YYPvPo31y+L4QicThe7CJaa1wCOWpOE2J+Li4Wp7 NR1vRwsfq71JOw2CfLZ3YXUuoEfniUuKXNnoQgVH5Ts=;
Message-Id: <B4.68.05659.E1B02235@sl-mta05>
Content-Type: multipart/alternative; boundary="lAli5=_KW277LeLsNcONJCFCZn03P60Ylf"
Mime-Version: 1.0
Organization: Bitstamp.localmachine@Bitstamp.net
X-Smtpcom-Tracking-Number: 405641df-71a5-413f-ae15-e6005563a870
X-Smtpcom-Sender-Id: 6013957
X-Smtpcom-Spam-Policy: SMTP.com is a paid relay service. We do not tolerate UCE of any kind. Please report it ASAP to abuse@smtp.com
Envelope-To: <john@REMOVEDOBVIOUSLY>
X-Ui-Filterresults: notjunk:1;V01:K0:p67KrJy3dFM=:2RFiOYEcodfPz01FGnFI7OGZVM QMJEJHMvE8XA+GNy+5+oGD7qfZ0ivGjAwcp37yB44h5tyYzVR2QSMlljVn6gzVCO15jePToXJ fn7zsMk/GTrxjylKv69Q7zlksV0WHLvKNdFRttk62n/K4a84rC7Yx101OzTFGgxDhlCPaHD1v X4StWwLxVAvXHohekjsg7C4LIS9p+6jW21/OSt4a+7gqI5ErcH7zKApGu79Jwzamtbq9C5Hiq aFsDjezrbetNOZtBNeIV8pJvlgbebbNSCe5uxL0Tbpd2U1DokdKF8HNmR0nvGgV2t3Ke/d+kL rqTwp0x5BVaXPevWTSockRWNiQR2eQbkPtN93/t7mgzSKAQ5jjYqFALW8kyqibX4CaErdTAHe 0UsVgDwCF2DXOn50ggWjaExQTX0tahv6X73euF4Qy2F3Gyt2vJBCw3jpFPNPKC4ksc2uneHor n6uHLlDiWvs1aVQ9gO1r0WuA/EW1oC14kmrorSnYDqHVzsGgKjkw2FiDFNbaFNgkYfOC03JuI mTFbOHXM5Qx1qZNvHxHX7YCMomPxn77gfwcTN2xiDAmWEe6LIID02xh43bD8vczSH/Gi56pM/ +w31Sx59GkajFviLtX77QcGKjdzgmsNi2z8r6bn6xR218wzP8vmYha/mUPv703V3c98NPYv45 6RmpjiznizKV1zaitDJhkp8ZVSNvfPBtMpykUDIx4hq7+3EJ92X45tlom7kzHHJYwCkIxX5WI EoIOQb3WMaj+OTDxjQpsFLp1e1ivAw+AHiBC1M4yApiHZW/KvPnj8XwQY5uL7lcVikEuVsadq bKOyHfjzE+mPXu5odOms0bgcl9tGPDlBsZwhkAltmRk+rJWTiNtAI3K1UgXMTJZ7kycMf1YjU dHBDFDMqpFb3R27VSTgDJU89jSXSJFZs11CHrEeJTip5cqytoV9SEdaL7yHR0wZM//WLQr2CM RvKoRdzCNCymQdxIJMblL+xB8UkCYXtqyx/KCJpn1OQMii0rQjgFY8G8GJBSgQP4g61owB4Ey brHj9j/70dzBqk4vvWUbv2T0NlntWkazKYav3/eAOJuIcXD9n94BUIRJ/rbrNn2D8AeCKir9O qpwJYVEZBoAD/XUan5kItHBqMKYRVu4ddU5xuJotHXpwJhGmcpN+5o7EiNGa2cOu2Ixv5B1dH uyVIagNbtzYzQA1w8F2HaLcEAFtrw0tVhYfO4eUo6h+koxs6YcAzZ+roFSQ57i6SpnG+z6tkH NkHQiziwVsRapwe/c+OZ9HnfuenGiYxY7SeRoto1X9h1c52J1rBS3a4/eYItvZ+uddPhdQkbS QGNxTD96CjPrmwUE8XTIOZrvFenWc3VqvKbdAq+57aUXSKuNK69tuR/FPg0v6W4tybOY
Bitstamp [Trading will be suspended for 24 hours]

[Mike Hearn]

If somebody wants to reverse engineer the malware, that'd be a cool project. I also got a copy of this and took a quick look at the contents of the JAR, but it didn't seem to be doing much of anything, I couldn't even see any URLs. It needs more investigation.

Mail domains that are being abused by phishers can stop it by setting up DKIM/DMARC to tell mail providers to drop mail that's unsigned. Then the "from" address can't be set to something authentic anymore.

[escrow.ms]

If somebody wants to reverse engineer the malware, that'd be a cool project. I also got a copy of this and took a quick look at the contents of the JAR, but it didn't seem to be doing much of anything, I couldn't even see any URLs. It needs more investigation.

Mail domains that are being abused by phishers can stop it by setting up DKIM/DMARC to tell mail providers to drop mail that's unsigned. Then the "from" address can't be set to something authentic anymore.

It's easy to find Url's or ip address.  Just upload them on https://malwr.com  or https://anubis.iseclab.org/ but make sure to do it in a safe environment
(If you executed that file by mistake, your pc will get infected)

This jar file which is getting used in mails is a RAT (Adwind java RAT aka UNRECOM, which works on all OS including Mac and Linux) and same guy is spreading it via different mails.

You can see detail info here
https://malwr.com/analysis/ZmFiMWRlZWZjYzNjNGYxZGEwY2RkMjcyNGNkNzU2MDQ/

khaleeel.no-ip.info    82.205.71.29

He is using no-ip's dns hosting service, I tried to contact no-ip but they didn't gave me any response yet.
http://www.noip.com/support/knowledgebase/how-do-i-report-abuse/

[Mike Hearn]

Thanks.

[E.exchanger]

If somebody wants to reverse engineer the malware, that'd be a cool project. I also got a copy of this and took a quick look at the contents of the JAR, but it didn't seem to be doing much of anything, I couldn't even see any URLs. It needs more investigation.

Mail domains that are being abused by phishers can stop it by setting up DKIM/DMARC to tell mail providers to drop mail that's unsigned. Then the "from" address can't be set to something authentic anymore.

It's easy to find Url's or ip address.  Just upload them on https://malwr.com  or https://anubis.iseclab.org/ but make sure to do it in a safe environment
(If you executed that file by mistake, your pc will get infected)

This jar file which is getting used in mails is a RAT (Adwind java RAT aka UNRECOM, which works on all OS including Mac and Linux) and same guy is spreading it via different mails.

You can see detail info here
https://malwr.com/analysis/ZmFiMWRlZWZjYzNjNGYxZGEwY2RkMjcyNGNkNzU2MDQ/

khaleeel.no-ip.info    82.205.71.29

He is using no-ip's dns hosting service, I tried to contact no-ip but they didn't gave me any response yet.
http://www.noip.com/support/knowledgebase/how-do-i-report-abuse/

Thanks for the information escrow. I was actually waiting to see your analysis on that great work. Its actually scares the hell out of me to see these kind of malware everyday seems like there will be one day when none of will be secure , is it really possible escrow a same malware works perfect on ios as well as linuk, multi platform thing 

[jim618]

The emails have a Return-Path referring to multibit.org but don't originate from us, as pointed out above.

Very annoying of course for everyone involved.

Thanks to escrow.ms for his analysis of the malware payload.

[Mike Hearn]

DKIM/DMARC can definitely solve it then. It means setting up some DNS entries.