Another airline scam! This time from US Airways

Published: 2012-04-03
Last Updated: 2012-04-03 20:45:40 UTC
by Manuel Humberto Santander Pelaez (Version: 1)
5 comment(s)

Be careful with the links showed in this diary because they might still be live and could infect your computer if not handled properly

More and more scams are seen each day. I discussed in a previous diary a phishing attack sent to users so attackers can own their computers. I will show you today another attack using the same technique and the same malicious code.

I received today the following message:

US Airways SCAM

The online reservation details link pointed to the link http://somostigreros.com.ve/s3JgEpEu/index.html. The document has a javacript pointing to four different URL:

Javascript from infected page

The javascript downloaded is the same in all the four cases and points to another link:

Link to malicious code

We arrive to an obfuscated javascript. Let's see a snip of it:

Obfuscated Javascript

After decoding the script, I got the same javascript analyzed in my previous diary, which performs the following:

  • Identification of the navigator being run.
  • Identification of Adobe Flash and Adobe Reader version.
  • Shellcode execution to download malware but this time it is downloaded from http://207.210.101.44/q.php?f=4203d&e=1.
  • Malware is the same DLL discussed in my previous diary, but at this time virustotal shows 30/42 detection ratio. Mcafee detects it as Generic.bfr!em, Symantec detects it as Suspicious.Cloud and TrendMicro detects it as TROJ_SPNR.11C912.

Additional to the measures previously discussed to mitigated this kind of threats, You can be a propagation vector for malware like the one being shown if you publish to the internet vulnerable servers. Many attackers no longer want to shutdown your server but to publish malware in not-visible locations inside your webserver or web application. Please keep in mind the following:

  • Install all available patches  to your operating system and base software. If you cannot do this because your application will stop working, you definitely need to put in place additional controls like Host Intrusion Prevention System (HIDS) and Network Intrusion Prevention System (NIPS) .
  • Test your web applications for vulnerabilities before publishing them on the Internet. If you don't do this, the attackers will be happy to do it for you.
  • If you are unsure if your web server or web application have vulnerabilities, use a Web Application Firewall (WAF). I have found useful ModSecurity to place that kind of protection.

Have you received this kind of threat inside your network? Let us know using our contact form.

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
Twitter: @manuelsantander
Web:http://manuel.santander.name
e-mail:msantand at isc dot sans dot org

Keywords:
5 comment(s)

Comments

Manuel, I've received the same e-mail, pointing to a different url [http://]parfumuri-ieftine.net[/]zh6jPwn1[/]index.html
(I've included the []s to avoid an accidental click).

Saludos desde Colombia
deobfuscated code is a blacole Exploit code...
Whatever font you used to display the js code, causes it to be about 20pt on my IE9.
they point to various targets, http://saffr on-cruises.co m/XTbWCY0y/index.html being one of them
And there's also a push of "Payflow Manager" (PayPal) phishing as well.
> Whatever font you used to display the js code, causes it to be about 20pt on my IE9.

It's a PNG file, i.e,. a screen-capture, not "text".

Probably done that way to avoid the text from being flagged by some virus-scanners as being "malicious".

Diary Archives