Last Updated: 2012-08-10 20:58:05 UTC
by Kevin Liston (Version: 4)
Did you get a Better Business Bureau Complaint Today? I did, in fact, I got a couple of them. I thought I'd go through a play by play of how I assess these things (there will be a lot of updates as I go through this in semi-real-time.)
Oh, there will also be very little obfuscation, so be careful with that.
Here's the message itself:
RE: Case# 9060933: Alfonso Palmer
As you are aware, the Better Business Bureau contacted you regarding the above-named complainant, seeking a response to this complaint. Your position is available online.
The following URL (website address) below will take you directly to this complaint and you will be able to view the response directly on our website:
The complainant has been notified of your response.
The BBB believes that your response adequately addresses the disputed issues and/or has exhibited a good faith effort to resolve the complaint. The complaint will close as "Administratively Judged Resolved" and our records will be updated.
If you fail to honor your agreement or if the consumer has information that disputes the accuracy of your firm's response, we will notify your office with substantiation to support the consumer's position and the case will be re-opened. Cases will not be re-opened without documentation or good cause.
The BBB appreciates this opportunity to serve you. Dispute Resolution Department.
Let's take a look at the headers:
Return-path: <firstname.lastname@example.org> Envelope-to: kliston@REDACTED Delivery-date: Fri, 10 Aug 2012 09:36:10 -0400 Received: from wsip-68-99-56-167.pn.at.cox.net ([126.96.36.199]:47037) by paradise.businessx.com with esmtp (Exim 4.77) (envelope-from <email@example.com>) id 1SzpNj-00010v-KU for kliston@REDACTED; Fri, 10 Aug 2012 09:36:07 -0400 Received: from apache by bbb-email.org with local (Exim 4.67) (envelope-from <firstname.lastname@example.org>) id EG95SG-22TJQ4-AR for <kliston@REDACTED>; Fri, 10 Aug 2012 07:36:01 -0600 To: <kliston@REDACTED> Subject: RE: Case# 9060933: Alfonso Palmer X-PHP-Script: bbb-email.org/sendmail.php for 188.8.131.52 From: "Better Business Bureau" email@example.com X-Sender: "Better Business Bureau" firstname.lastname@example.org X-Mailer: PHP X-Priority: 1 MIME-Version: 1.0
So a simple spoof, from a likely bot-net in Cox.net, and my cheap spam-trap mailserver doesn't do any SPF or DKIM checking.
Take a look at the URL does the displayed match what's in the code? No, not at all.
Being lazy, I submit this URL to wepawet (http://wepawet.iseclab.org)
After waiting patiently it reports that the link is benign. "ORLY," I think, "perhaps it's just pharma-spam then."
Comparing this to the other samples, the first URL differ, but the apartmentsinorlandonow.com is in common. Perhaps the attackers are smart,and only kick out one answer? Or maybe they know wepawet's IP addresses?
Never underestimate the value of google during analysis. A search for 184.108.40.206 turns up a very helpful report: http://urlquery.net/report.php?id=122828 Looks like an active blackhole exploit kit, and someone was looking at this a little over an hour before I was. We're after that next stage, the link to update_flashplayer.exe.
Let's pull that down with another wget request. So now I've got about 150k of Win32 executable. My new favorite little tool for static analysis is exiftool. I was aware of EXIF data in image formats, but unaware that many other file formats also have handy metadata. In this particular example, it may be interesting to note that the file's original timestamp is 2012:-8:10 05:42:09-04:00.
I calculate the md5sum from the .exe and see if it's up on virustotal yet. I'm 5 minutes behind the first submission time and a surprising 9 out of 42 vendors detect it already.
Now that we have an executable to play with we can start doing some dynamic analysis. Sticking with my theme of lazy, I send it off to Anubis (http://anubis.iseclab.org/) and ThreatExpert (http://www.threatexpert.com/) and compare the results. I like to send off to multiple solutions since one day Anubis works better than ThreatExpert and the next it's vice versa. Other days, nothing is working and that's when you have to break down and work harder at it. Today, I'm lucky and it runs in ThreatExpert which spits out the following network artifacts:
Looks like it checks-in via an HTTP POST to /forum/view/topic.php at 220.127.116.11. There are further requests for more binaries:
Those are the same file, virustotal hasn't seen it yet, 14/42 hit ratio. This is about as far as using the public tools will get us. Now that I have the installers and droppers, the next step is to put it onto a real system and see what it does when I try to do some online banking...
That's going to run longer than my shift (a lot of pcap and memory capture to go through,) so while that's in the works I wanted to move in another direction. Looking at the infrastructure involved in this attack. First there's the systems doing the spamming. I don't have a lot of insight into that, because Cox isn't very forthcoming on details about the machine that sent the email. We can make an assumption that it's part of a botnet, but as for which one, or how it got compromised, there's just no details to go on.
Then there's the first landing pages. The examples that I have are down now so I messed up there. The next hop in the redirect chain are still up. Looking at my example and the others the Gregory provided below I see that most of them are wordpress sites. There are a lot of vulnerabilities to choose from for getting your code up on someone else's wordpress site. Then, we have the downloader site: 18.104.22.168. That looks like it might be a full-blown exploit kit site on first glance. (Lots of people emailing email@example.com might help with that.) There's the check-in at 22.214.171.124 that needs a little more examination. cikonungunlugu.com appears to be registered for the purpose of distributing malware, while ftp.lastraautosport.com is probably a compromised domain.