Scam of the day: More fake CNN e-mails

Published: 2013-03-19. Last Updated: 2013-03-19 17:37:08 UTC
by Johannes Ullrich (Version: 1)
4 comment(s)

This one made it past my (deliberately porous) spam filter today. We don't usually cover these, as there are just too many of them (I just got another Facebook-related one while typing this). But from time to time it's fun to take a closer look, and they make good slides for awareness talks.

CNN Cyprus Scam

The initial link sends the user to hxxp:// swiat-feromonow.pl / wiredetails.html, which redirects to the usual obfuscated JavaScript at hxxp:// salespeoplerelaunch. org/ close/printed_throwing-interpreting-dedicated.php .

The latter page not only uses JavaScript but, for good measure, also tries to run a Java applet. Wepawet, as usual, has no issues analyzing the file [1]. It finds the usual browser plugin fingerprinting code, but no specific exploits.

OK, cool... yet more malware. But I didn't want to leave it at that, so I went ahead and tried to get the site shut down. First stop: whois salespeoplerelaunch.org . The result is a legitimate-looking contact in Michigan with a phone number, which has been disconnected :( ... so I am trying an e-mail to the listed e-mail address (just sent, no response yet; I will update this diary if I get one).

Moving on to the IP address: it is assigned to https://www.wholesaleinternet.net , a low-cost dedicated server / colocation provider. I am sending them an abuse request now via e-mail and, again, will update this diary if I hear from them. Interestingly, the IP address is not "known" to serve any other domains, based on a quick check of some passive DNS replication systems. I also sent an e-mail to abuse @ szara.net, which hosts the domain swiat-feromonow.pl.

Let's see how long the link stays up.

[1] http://wepawet.iseclab.org/view.php?hash=dbeb07e4d46aa4cbd38617a925499c22&type=js

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: cnn malware takedown

Comments

I've pretty much given up on the process of trying to contact abuse providers. I report phishing email I get to SpamCop, PhishTank & a few others. When I encounter sites like this I report them to Badwarebusters.org & sometimes Web of Trust in hopes it will end up in most major web browsers filtering lists.
The exploit script looks like RedKit or BlackHole. If I had to guess, I'd say BHEK 1.1 based on the URL pattern and the use of PluginDetect 0.7.9.

Did you get a chance to examine the j1, j2, p1, p2, or f1 droppers? Unfortunately the page is down now so I wasn't able to pull them.
I just checked the initial link again and there is a new second stage domain and I was able to grab the droppers and final payload this time. Suricata and Snort are detecting it as BlackHole v2 but I don’t believe that’s the case; the exploit script is clearly using PluginDetect and the landing page was served across multiple requests which BlackHole 2.0 does not do.
https://urlquery.net/report.php?id=1519825
https://wepawet.iseclab.org/view.php?hash=dea84e914a523c53b430e17e194702ae&t=1363727946&type=js

The j1 & j2 droppers are the same (possibly varies based on user-agent; I didn’t check this), md5: 88b055562334f7b45b747c9cb5dc9c75
https://www.virustotal.com/en/file/96952cada5a3a7c6aaec09edc50d68bd0ad56a35d6dbdb756bc5e206f394b1d1/analysis/

The p1 & p2 droppers vary per request (i.e., a new PDF is generated per request). According to Wepawet they’re using CVE-2009-0927 (Adobe getIcon)
https://www.virustotal.com/en/file/39905d71a73bf81d785fb07ff75f80b06562bcc094f0f6087f7acad2de67e7d1/analysis/
https://wepawet.iseclab.org/view.php?hash=ab7b055dbff84f03dfb6e221d0a05a94&type=js

The f1 dropper appears to be constant, md5: db2d3584fdbacdb7fd58fadc558144ae
https://www.virustotal.com/en/file/6d55150b066434d213074c200e2d1b8485cada62d1472e0013f10c7f136c58b7/analysis/

The final executable payload has very low detection on VirusTotal, currently 3/45, md5: 9e48716f33aa98dd7ecd387d9546b70c
https://www.virustotal.com/en/file/ea572f741d5d229a271d333d81b8bc28f5c6240c9b44e70ae42ab943f1a73566/analysis/

I didn’t decompile the Flash object or JARs, but in the past I’ve seen the Java, Reader, and Flash droppers all dropping the same payload; based on the very low detection at the moment, I’m guessing that’s the case here as well. The metadata on the file appears to be gibberish, so it’s a pretty safe bet that the binary rotates regularly as well.
Sorry for the long post and all of the links, hopefully it’s of use to others.

Good analysis, Matt. I left you a message on VT, not sure if it went through. But you might want to submit the files you don't want to or can't analyze to Anubis for a more detailed examination. http://anubis.iseclab.org/
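As an added example (not code from the diary or its commenters), the following Python script reconstructs the infection chain described in the diary and in Matt's comment per client from constructed proxy log lines: the redirector and landing domains are refanged from the diary, the md5s come from the comment, and the log format and the file names in the log are assumptions. It also shows why hash matching alone misses the per-request PDF droppers.

```python
import re
from collections import defaultdict
# Indicators from the diary (domains refanged from hxxp://) and the comment thread (md5s).
REDIRECTOR = "swiat-feromonow.pl"       # serves /wiredetails.html
LANDING = "salespeoplerelaunch.org"     # serves the obfuscated-JS landing page and the droppers
IOC_MD5 = {
    "88b055562334f7b45b747c9cb5dc9c75": "java dropper (j1/j2)",
    "db2d3584fdbacdb7fd58fadc558144ae": "flash dropper (f1)",
    "9e48716f33aa98dd7ecd387d9546b70c": "final executable payload",
}
# Constructed proxy log (assumed format, not from the page): ts client method url md5-of-body ("-" if not hashed)
LOG = """\
2013-03-19T14:01:02 10.0.0.5 GET http://swiat-feromonow.pl/wiredetails.html -
2013-03-19T14:01:03 10.0.0.5 GET http://salespeoplerelaunch.org/close/printed_throwing-interpreting-dedicated.php -
2013-03-19T14:01:05 10.0.0.5 GET http://salespeoplerelaunch.org/close/p1.pdf 1b2c3d4e5f60718293a4b5c6d7e8f901
2013-03-19T14:01:09 10.0.0.5 GET http://salespeoplerelaunch.org/close/x.exe 9e48716f33aa98dd7ecd387d9546b70c
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

def classify(url, md5):
    # Hash match first (exact for the Java/Flash droppers and the payload); the PDF droppers
    # (p1/p2) are regenerated per request, so they have no stable hash and rely on the host match.
    if md5 in IOC_MD5:
        return IOC_MD5[md5]
    host = url.split("/", 3)[2].lower()
    if host == REDIRECTOR and url.endswith("/wiredetails.html"):
        return "redirector"
    if host == LANDING:
        return "landing page" if url.endswith(".php") else "object from landing host"
    return None

def reconstruct_chains(log_text):
    # {client: [(timestamp, stage), ...]} in log order, unrelated requests skipped
    chains = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, _method, url, md5 = m.groups()
            stage = classify(url, md5)
            if stage:
                chains[client].append((ts, stage))
    return dict(chains)

def verdict(chain):
    # Worst stage a client reached, which sets the alert priority
    stages = {s for _, s in chain}
    if "final executable payload" in stages:
        return "payload delivered"
    if stages & {"landing page", "object from landing host"} or any("dropper" in s for s in stages):
        return "exploit kit landing reached"
    return "redirector only" if "redirector" in stages else "clean"
```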
