Saturday, June 30, 2007

More greeting card spam

The greeting card spam wave continues. Subject lines vary somewhat; here's a sampling from today:
  • You've received a greeting card from a class-mate!
  • You've received a greeting card from a colleague!
  • You've received a greeting card from a family member!
  • You've received a greeting card from a friend!
  • You've received a greeting card from a neighbor!
  • You've received a greeting card from a school mate!
  • You've received a greeting ecard from a class-mate!
  • You've received a greeting ecard from a colleague!
  • You've received a greeting ecard from a family member!
  • You've received a greeting ecard from a friend!
  • You've received a greeting ecard from a neighbour!
  • You've received a greeting ecard from a partner!
  • You've received a greeting ecard from a worshipper!
  • You've received a greeting postcard from a colleague!
  • You've received a greeting postcard from a family member!
  • You've received a greeting postcard from a friend!
  • You've received a postcard from a class-mate!
  • You've received a postcard from a colleague!
  • You've received a postcard from a family member!
  • You've received a postcard from a partner!
  • You've received an ecard from a partner!
  • You've received an ecard from a worshipper!
They are now linking to IP addresses (as opposed to .hk sites in the early stages).

The Internet Storm Center has an excellent analysis.

Here's a sample 'index.html' file:


The hex code goes on for awhile:


The file is obfuscated as a long string of '\xNN' hexadecimal escapes, each byte XORed with a single-byte key. The key in this case is '227' (it changes with each copy, for a simple form of polymorphism). This perl snippet will decode the XORed hex:

perl -e 'while(<>){                                   # read the obfuscated file line by line
s/\\x([a-f0-9]{2})/chr(227)^pack("C",hex($1))/eg;     # XOR each \xNN byte with the key 227
print;}' index.html


If you are analyzing your own code, change the '227' in the perl code to match the key in the index.html file.
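The same decoding in Python, as an added example rather than code from the original post. It reproduces the perl one-liner's logic (pull out every \xNN escape and XOR it with a one-byte key) and goes one step further: since the key changes with each copy, it tries all 256 possible keys and keeps the one whose output looks like HTML/JavaScript. The input samples are constructed here from a benign stand-in page body, not taken from the actual spam file.

```python
import re
from typing import Optional

# Matches one \xNN escape as it appears in the obfuscated index.html text.
HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")


def xor_hex_decode(obfuscated: str, key: int) -> bytes:
    """Pull every \\xNN escape out of the text and XOR each byte with the one-byte key."""
    return bytes(int(h, 16) ^ key for h in HEX_ESCAPE.findall(obfuscated))


def xor_hex_encode(plain: bytes, key: int) -> str:
    """Inverse of xor_hex_decode; used here only to build the constructed samples."""
    return "".join("\\x%02x" % (b ^ key) for b in plain)


def looks_like_markup(data: bytes) -> bool:
    """Heuristic: mostly printable ASCII and containing a common HTML/JS token."""
    printable = sum(1 for b in data if 32 <= b < 127 or b in b"\r\n\t")
    if not data or printable / len(data) < 0.95:
        return False
    low = data.lower()
    return any(tok in low for tok in (b"<script", b"<html", b"<iframe", b"document."))


def recover_key(obfuscated: str) -> Optional[int]:
    """Try all 256 single-byte keys; return the first that yields plausible markup, else None."""
    for key in range(256):
        if looks_like_markup(xor_hex_decode(obfuscated, key)):
            return key
    return None


# Constructed benign stand-in for the page body; the real spam file is not reproduced here.
SAMPLE_PLAIN = b'<html><body><script>document.write("greeting card");</script></body></html>'
SAMPLE_KEY_227 = xor_hex_encode(SAMPLE_PLAIN, 227)  # same key as the copy in the post
SAMPLE_KEY_42 = xor_hex_encode(SAMPLE_PLAIN, 42)    # a second "copy" with a different key

if __name__ == "__main__":
    for blob in (SAMPLE_KEY_227, SAMPLE_KEY_42):
        key = recover_key(blob)
        print("recovered key =", key)
        print(xor_hex_decode(blob, key).decode("ascii", "replace"))
```

To use it on a real capture, read the obfuscated string out of index.html and pass it to recover_key; if the marker list does not match the decoded page, add whatever token you know appears in the clear (for example a function name visible in the un-obfuscated tail of the file).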

The de-obfuscated code looks like this:


Among other nastiness, it retrieves the file http://XX.252.250.104/file.php, which is really a Windows executable that BitDefender identifies as: "Generic.Malware.dld!!.2526793B"
