March 31, 2012 By Dancho Danchev

Spamvertised ‘Scan from a Hewlett-Packard ScanJet’ emails lead to client-side exploits and malware

Security researchers from Webroot have intercepted a currently spamvertised malicious campaign that impersonates Hewlett-Packard and entices end users and corporate users into downloading and viewing a malicious .htm attachment.

More details:

Subject: Re: Scan from a Hewlett-Packard ScanJet [random number]
Message: Attached document was scanned and sent to you using a Hewlett-Packard NetJet 730918SL. SENT BY : ANISSA PAGES : 5 FILETYPE: .HTM [Internet Explorer File]
Original attachment:
Malicious iFrame embedded within the .htm attachment: hxxp://

The malicious .htm has a very low detection rate, and is currently detected as JS/Kryptik.SA!tr and Mal/Iframe-AE.

Client-side exploits serving structure:

The client-side exploits serving domain is currently fast-fluxed: it responds with multiple, dynamically changing IP addresses, an attempt by the cybercriminals behind the campaign to make it harder for vendors and researchers to take it down.
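The fast-flux behaviour described above can be spotted in resolver or passive-DNS logs. The following is an added example, not part of Webroot's analysis: the function name, the thresholds and the sample records (reserved `.example` names and documentation address ranges) are all assumptions chosen for illustration.

```python
from collections import defaultdict
from ipaddress import ip_network
from statistics import median

# Constructed passive-DNS answers: (unix time, queried name, A record, TTL in seconds).
# Names use the reserved .example TLD; addresses come from documentation ranges.
OBSERVATIONS = [
    (0,    "scan-docs.example", "192.0.2.10",    120),
    (300,  "scan-docs.example", "198.51.100.7",  120),
    (600,  "scan-docs.example", "203.0.113.44",  60),
    (900,  "scan-docs.example", "192.0.2.201",   120),
    (1200, "scan-docs.example", "198.51.100.93", 60),
    (0,    "intranet.example",  "192.0.2.5",     86400),
    (1800, "intranet.example",  "192.0.2.5",     86400),
    # Load-balanced site: several addresses, but one network and a long TTL.
    (0,    "cdn.example", "203.0.113.1", 3600),
    (400,  "cdn.example", "203.0.113.2", 3600),
    (800,  "cdn.example", "203.0.113.3", 3600),
    (1200, "cdn.example", "203.0.113.4", 3600),
]

# Thresholds are illustrative assumptions; tune them against your own DNS baseline.
def fast_flux_candidates(observations, window=3600, min_ips=4, min_nets=3, max_ttl=300):
    """Return {domain: (distinct IPs, distinct /24s)} for names whose answers
    rotate across many networks with short TTLs inside one time window."""
    by_domain = defaultdict(list)
    for ts, name, addr, ttl in observations:
        by_domain[name.lower().rstrip(".")].append((ts, addr, ttl))

    flagged = {}
    for name, rows in by_domain.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Shrink the window until it spans at most `window` seconds.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            ips = {addr for _, addr, _ in span}
            nets = {ip_network(f"{addr}/24", strict=False) for addr in ips}
            ttl = median(t for _, _, t in span)
            if len(ips) >= min_ips and len(nets) >= min_nets and ttl <= max_ttl:
                flagged[name] = max(flagged.get(name, (0, 0)), (len(ips), len(nets)))
    return flagged

if __name__ == "__main__":
    for name, (ips, nets) in fast_flux_candidates(OBSERVATIONS).items():
        print(f"{name}: {ips} addresses across {nets} /24 networks")
```

Requiring several distinct networks as well as a short TTL keeps ordinary round-robin load balancing, which usually stays inside one provider's address space, out of the results.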

The campaign attempts to exploit the “Libtiff integer overflow in Adobe Reader and Acrobat” vulnerability, also known as CVE-2010-0188, in order to drop the following sample on the exploited hosts – MD5: 20de62566248864be3b0e413b332d731, currently detected as Win32:Sirefef-RV [Drp], Trojan.Generic.KDV.582649, HEUR:Trojan.Win32.Generic, or PWS-Zbot.gen.hv.

Webroot security researchers will continue monitoring this campaign to ensure that Webroot SecureAnywhere customers are protected from this threat.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
