Phishing with obfuscated javascript, shellcode and malware
by Manuel Humberto Santander Pelaez (Version: 1)
Be careful with the links shown in this diary: they are live and could infect your computer if not handled properly.
Phishing e-mail artwork is becoming more effective every day, and users are having a hard time distinguishing the fake sites from the real ones. I am going to show you a different kind of phishing e-mail: one that does not take the user to a website to steal a password, but instead installs malware on the computer using obfuscated JavaScript and shellcode.
I received today the following message:
This looked strange. I reviewed the link, and it pointed me to http://thedizzybaker.com/wp-includes/int-market.html. The following JavaScript appeared:
This JavaScript is obfuscated. I used Firebug to get more information and found an iframe pointing to another website:
Following the new link, we find another obfuscated JavaScript. Let's look at a snippet of it:
Now here is where the malicious stuff begins. After deobfuscating the script, we find the following:
- The script tries to determine which browser (navigator) is running on the system:
- The script tries to determine the Adobe Flash and Adobe Reader versions installed:
- A shellcode is executed:
Let's take a look at the shellcode. It executes the following instructions:
- kernel32.VirtualProtect: This function is called in the shellcode to establish a 255-byte memory segment whose memory protection attributes can be modified. For more information about the available attributes, see http://msdn.microsoft.com/en-us/library/windows/desktop/aa366786%28v=vs.85%29.aspx.
- kernel32.LoadLibraryA: This function is called to load the urlmon.dll library, which is used to transfer information over the HTTP protocol. A couple of functions inside that library are then used:
- urlmon.URLDownloadToFileA: This function is called to download http://migdaliasbistro.net/w.php?f=f7d19&e=1 and save it as wpbt0.dll.
- kernel32.WinExec: This function is called to register the DLL with regsvr32 -s, which executes it.
- kernel32.TerminateThread: This function is called to end the execution of the shellcode.
The file downloaded in step 3 is a DLL with MD5 c3124a2981d8e1b9e13e8c21c96448f7. VirusTotal shows a 7/43 detection ratio. It injects into explorer.exe and performs inline hooking of ntdll.dll. Once installed, it reports to hbirjhcnsuiwgtrq.ru, which resolves to the following IP addresses: 94.20.30.91, 98.103.133.13, 173.203.211.157, 211.44.250.173, 46.137.85.218, 83.170.91.152, 87.120.41.155, using an HTTP POST to the /rwx/B2_9w3/in/ location.
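The indicators above (landing page, download URL, check-in domain, its resolved addresses and the POST path) are what a defender can actually hunt for in proxy logs. The following script is an added example, not code from the diary or from any tool mentioned in it: it matches Squid-style access log lines against those indicators and reports why each line matched. The log lines themselves are constructed for the example; only the indicators come from the diary.

```python
import re
from ipaddress import ip_address

# Indicators copied from the diary above (landing page, payload URL, C2 domain,
# its resolved IPs and the check-in path). No new data is introduced here.
IOC_DOMAINS = {"thedizzybaker.com", "migdaliasbistro.net", "hbirjhcnsuiwgtrq.ru"}
IOC_IPS = {
    ip_address(a) for a in (
        "94.20.30.91", "98.103.133.13", "173.203.211.157", "211.44.250.173",
        "46.137.85.218", "83.170.91.152", "87.120.41.155",
    )
}
IOC_PATH_PREFIXES = ("/rwx/B2_9w3/in/", "/w.php")

# Squid native access.log layout: timestamp elapsed client action/status bytes method url ...
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+(?P<status>\S+)\s+\d+\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)
# Split a URL into host and path (query string dropped); the host may be an IP literal.
URL_RE = re.compile(r"^(?:https?://)?(?P<host>[^/:]+)(?::\d+)?(?P<path>/[^?]*)?")


def classify(line):
    """Return the list of reasons a single proxy log line matches the indicators."""
    m = LOG_RE.match(line)
    if not m:
        return []
    u = URL_RE.match(m.group("url"))
    if not u:
        return []
    host, path = u.group("host").lower(), u.group("path") or "/"
    reasons = []
    if host in IOC_DOMAINS:
        reasons.append(f"known bad domain {host}")
    try:
        if ip_address(host) in IOC_IPS:
            reasons.append(f"known C2 address {host}")
    except ValueError:
        pass  # host is a name, not an IP literal
    if any(path.startswith(p) for p in IOC_PATH_PREFIXES):
        reasons.append(f"known bad path {path}")
    if m.group("method") == "POST" and reasons:
        reasons.append("POST to indicator (possible check-in)")
    return reasons


def scan(lines):
    """Return (line_number, client_ip, reasons) for every line that matches."""
    hits = []
    for n, line in enumerate(lines, 1):
        reasons = classify(line)
        if reasons:
            hits.append((n, LOG_RE.match(line).group("client"), reasons))
    return hits


# Constructed sample log lines (not real traffic); one client walks the full chain.
SAMPLE_LOG = [
    "1330700001.123 215 10.1.2.3 TCP_MISS/200 4213 GET http://thedizzybaker.com/wp-includes/int-market.html - DIRECT/198.51.100.10 text/html",
    "1330700002.456 187 10.1.2.3 TCP_MISS/200 51200 GET http://migdaliasbistro.net/w.php?f=f7d19&e=1 - DIRECT/198.51.100.20 application/octet-stream",
    "1330700009.789 92 10.1.2.3 TCP_MISS/200 312 POST http://hbirjhcnsuiwgtrq.ru/rwx/B2_9w3/in/ - DIRECT/94.20.30.91 text/html",
    "1330700010.000 45 10.1.2.9 TCP_MISS/200 512 POST http://173.203.211.157/rwx/B2_9w3/in/ - DIRECT/173.203.211.157 text/html",
    "1330700011.000 30 10.1.2.7 TCP_HIT/200 1024 GET http://www.example.com/index.html - NONE/- text/html",
]

if __name__ == "__main__":
    for n, client, reasons in scan(SAMPLE_LOG):
        print(f"line {n}: {client}: " + "; ".join(reasons))
```

Matching on the path prefix as well as the host is deliberate: the check-in domain had seven A records at the time of writing and may move, while the /rwx/B2_9w3/in/ path and the w.php download are tied to the kit itself. A client that shows the GET to the landing page followed by the POST check-in is a machine to pull from the network, not just a log line to note.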
Such threats are increasing, and controlling them requires establishing malware control measures as part of the Information Security Architecture of the company, such as the following:
- Antimalware perimeter defense: I recommend the Trend Micro and McAfee web gateways. They are scalable and integrate very well with the antimalware monitoring system inside the corporation. This measure protects users from downloading malicious code such as JavaScript and executables.
- Host IPS: Antimalware control is not enough these days, as the threats are evolving and the antivirus companies are no longer able to control all emerging malware attacks in real time. This tool prevents the exploitation of vulnerabilities on computers, such as buffer overflows and code injection, among others. Thus, the computer is protected until the virus signature is out and the antimalware program is able to deal with the respective threat.
- Antimalware: This is the conventional antimalware control sold by the antivirus companies.
Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
Twitter: @manuelsantander
Web: http://manuel.santander.name
e-mail: msantand at isc dot sans dot org
Comments
This is a great post. Can you help explain more how you decoded the obfuscated code with Firebug and eventually found the shellcode? I wanted to replicate your findings for educational purposes.
Zack
Mar 3rd 2012
concerned newbie
Mar 3rd 2012
First I want to say thank you for posting this phishing campaign. Secondly, I wanted to ask if you can update this post with the original sender (e-mail), the subject of the e-mail and, if possible, the Internet headers?
The reason for this request is that it will facilitate the creation of rules with which we can redirect e-mail before end users receive it, and also identify whether anyone already got it but either deleted it or has yet to click on the link within the body of the e-mail.
Thanks
itg33k
Mar 3rd 2012
lordchariot
Mar 3rd 2012
From: noreply@careerbuilder.com
Subject: Your Intuit.com order confirmation.
IMG SRC="http://about.intuit.com/sbweb/common/images/header/logo_bar/intuit_logo.gif"
A HREF="hxxp://premiumsoft.com.ar/foobar/index.html"
(Note: http changed to hxxp to protect the foolish; what appears to be an 8-character token replaced by 'foobar' to protect me :) )
Headers: (Again, with a whole bunch of potentially identifying info redacted)
Delivered-To: me@recipient.com
Received: by 10.204.57.194 with SMTP id xxx;
Thu, 1 Mar 2012 xx:xx:xx -0800 (PST)
Received: by 10.180.90.225 with SMTP id xxx;
Thu, 01 Mar 2012 xx:xx:xx -0800 (PST)
Return-Path: <noreply@careerbuilder.com>
Received: from 123-162-192-190.cab.prima.net.ar ([190.192.162.123])
by mx.google.com with ESMTP id xxx;
Thu, 01 Mar 2012 xx:xx:xx -0800 (PST)
Received-SPF: fail (google.com: domain of noreply@careerbuilder.com does not designate 190.192.162.123 as permitted sender) client-ip=190.192.162.123;
Authentication-Results: mx.google.com; spf=hardfail (google.com: domain of noreply@careerbuilder.com does not designate 190.192.162.123 as permitted sender) smtp.mail=noreply@careerbuilder.com
Received: from apache by careerbuilder.com with local (Exim 4.63)
(envelope-from <noreply@careerbuilder.com>)
id xxx
for <me@recipient.com>; Thu, 1 Mar 2012 xx:xx:xx -0300
To: <me@recipient.com>
Subject: Your Intuit.com order confirmation.
Date: Thu, 1 Mar 2012 xx:xx:xx -0300
From: "INTUIT INC." <noreply@careerbuilder.com>
Message-ID: <xxx@careerbuilder.com>
X-Priority: 3
X-Mailer: PHPMailer 5.1 (phpmailer.sourceforge.net)
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="------------xxx"
This is a multi-part message in MIME format.
--------------xxx
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="iso-8859-2"
J
Mar 5th 2012
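The headers quoted in the comment above carry everything a mail gateway rule needs: an SPF hardfail, a display name ("INTUIT INC.") and a Subject that name a brand whose domain is not the sender's, and a first external hop in a domain unrelated to the envelope sender. The script below is an added example (not from the diary, the commenter, or any product) that pulls those signals out of a raw message with Python's standard email module. The two messages it parses are constructed for the example, with the placeholder values from the comment kept as they were quoted.

```python
import email
import re
from email.utils import parseaddr


def sender_domain(msg):
    """Domain of the From address, e.g. careerbuilder.com for "INTUIT INC." <noreply@careerbuilder.com>."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def spf_result(msg):
    """SPF verdict from Authentication-Results, falling back to the Received-SPF header."""
    m = re.search(r"\bspf=(\w+)", msg.get("Authentication-Results", ""))
    if m:
        return m.group(1).lower()
    rs = msg.get("Received-SPF", "")
    return rs.split(None, 1)[0].lower() if rs else "none"


def origin_host(msg):
    """Host name and IP of the first Received header that records an external connecting IP."""
    for hdr in msg.get_all("Received", []):
        m = re.search(r"from\s+(\S+)\s+\(\[?(\d{1,3}(?:\.\d{1,3}){3})\]?\)", hdr)
        if m:
            return m.group(1).lower(), m.group(2)
    return None, None


def analyze(raw):
    """Return a list of finding codes for one raw RFC 5322 message (empty list = nothing suspicious)."""
    msg = email.message_from_string(raw)
    findings = []
    dom = sender_domain(msg)

    spf = spf_result(msg)
    if spf in ("fail", "hardfail", "softfail"):
        findings.append(f"spf-{spf}")

    # Words in the display name (4+ letters) should relate to the sender's domain.
    name, _ = parseaddr(msg.get("From", ""))
    tokens = [t.lower() for t in re.findall(r"[A-Za-z]{4,}", name)]
    if tokens and not any(t in dom for t in tokens):
        findings.append("display-name-domain-mismatch")

    # A domain named in the Subject line should be the sender's own domain.
    for d in re.findall(r"\b[\w-]+\.(?:com|net|org)\b", msg.get("Subject", ""), re.I):
        if d.lower() != dom and not d.lower().endswith("." + dom):
            findings.append(f"subject-names-other-domain:{d.lower()}")

    # The first external hop should sit inside the sender's domain.
    host, _ip = origin_host(msg)
    if host and not host.endswith(dom):
        findings.append(f"origin-host-outside-sender-domain:{host}")
    return findings


# Constructed message modelled on the headers quoted in the comment (xxx placeholders kept).
PHISH = """\
Delivered-To: me@recipient.com
Received: by 10.204.57.194 with SMTP id xxx;
 Thu, 1 Mar 2012 10:00:00 -0800 (PST)
Return-Path: <noreply@careerbuilder.com>
Received: from 123-162-192-190.cab.prima.net.ar ([190.192.162.123])
 by mx.google.com with ESMTP id xxx;
 Thu, 01 Mar 2012 10:00:00 -0800 (PST)
Received-SPF: fail (google.com: domain of noreply@careerbuilder.com does not designate 190.192.162.123 as permitted sender) client-ip=190.192.162.123;
Authentication-Results: mx.google.com; spf=hardfail (google.com: domain of noreply@careerbuilder.com does not designate 190.192.162.123 as permitted sender) smtp.mail=noreply@careerbuilder.com
Received: from apache by careerbuilder.com with local (Exim 4.63)
 (envelope-from <noreply@careerbuilder.com>)
 id xxx
To: <me@recipient.com>
Subject: Your Intuit.com order confirmation.
From: "INTUIT INC." <noreply@careerbuilder.com>
X-Mailer: PHPMailer 5.1 (phpmailer.sourceforge.net)
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-2"

Please review your order.
"""

# Constructed benign message for comparison (example.com is a reserved documentation domain).
CLEAN = """\
Return-Path: <orders@example.com>
Received: from mail.example.com ([192.0.2.10])
 by mx.google.com with ESMTP id yyy;
 Thu, 01 Mar 2012 11:00:00 -0800 (PST)
Authentication-Results: mx.google.com; spf=pass (google.com: domain of orders@example.com designates 192.0.2.10 as permitted sender) smtp.mail=orders@example.com
To: <me@recipient.com>
Subject: Your example.com order
From: "Example Shop" <orders@example.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Thanks for your order.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("clean", CLEAN)):
        print(label, analyze(raw) or "no findings")
```

Any one of these findings on its own is weak (plenty of legitimate marketing mail hardfails SPF or uses a third-party mailer), but the combination of a hardfail, a brand mismatch and an origin host in an unrelated domain is the kind of score a gateway rule can quarantine on, and the same function run over a mailbox export answers the commenter's second question of who already received the message.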
Chris W
Mar 5th 2012
davidj2
Mar 6th 2012
This confirms my theory. I find that most of these phishing scams cross-link the legitimate images from the original site in their attack.
Would others concur that this is the typical methodology you see?
I would think these high-value target sites would be able to detect these and serve warning graphics instead of the legitimate logos.
lordchariot
Mar 7th 2012