M86 Security Labs Blog

Malicious hotel transaction spam

By Gavin Neale • July 29th, 2011 • Spam

Over the past couple of days we have been seeing numerous spam emails which claim that a wrong transaction was made on your credit card from a hotel.
The subject lines look similar to the following two subjects, with varying hotels

Hotel Sutton Place made wrong transaction
Wrong transaction from your credit card in Four Seasons Resort Scottsdale

We have also seen several different message bodies that try to explain, in fairly bad English, that your credit card has been charged by a hotel and that in order to get your money back you will need to fill in an attached form and send it to your bank.

Dear Guest!
Transaction: Visa 86878_j
This letter notifies that on July 26th, 2011 Hotel made wrong writing-down from your credit account. Total sum of decommissioning is $1937
Due to the termination of service contract between Hotel Melia Deviana and Moverick Company this Hotel was divested accreditation in our company.
For the return of funds please contact your bank and fill information in the attached form.
The detailed copy of made writing-down you can find in the attachment.
Company just mediates and bears no responsibility for any money transactions made by Hotel.
Thank you for understanding. We trust you can solve this unpleasant problem.

Alexander Hargrave,
Manager of Reception Desk & Reservation Departament

Dear Client!
Transaction: Visa 4098_6e
On July 26th, 2011 Hotel made wrong transaction decommissioning from your credit card totaling $1037.
This partner hotel was divested accreditation in Moverick Company with reference of noncompliance of the service contract.
Please see the attached form. You need to fill it in and contact your bank for the return of funds.
In the attachment you will find expense sheet with the sum of wrong transaction writing-down.
Company just mediates and bears no responsibility for any money transactions made by Hotel.
Thank you for understanding. We trust you can solve this unpleasant problem.

Caleb Anketil,
Manager of Reception Desk & Reservation Departament

Attached is a Zip file named RefundFormXXX.zip, where XXX is a random three digit number. Inside this Zip file is an executable file; Refund-Form.exe which has an icon likely intended to deceive unsuspecting victims into thinking that it is in fact some type of form which they can view.

The executable inside the 'RefundForm' Zip file

Once executed this malware downloads the file soft.exe from yomwarayom2001[dot]ru (84.247.61.25). This did not run straight away so we ran it on a separate test machine and verified that this is a fake AV product named ‘Security Protection’.

A further HTTP request is sent to 188.72.202.121, shown below, which requests a module called ‘grabbers’ from load.php.

The HTTP request and response for the encrypted password stealer

The file that is retrieved, called ‘update.dat’ is in fact an encrypted Windows dll file. Once decrypted we discovered that it was a password stealer which targets a huge number of applications including instant messaging programs, poker clients, FTP clients and web browsers looking for stored passwords.

Screenshot of the disassembled password stealer showing some of the targeted applications.

Almost a day later, with still no visible signs that our test machine was infected, the HTTP request below was sent which downloaded the file 1036.exe.

HTTP download of 1036.exe

Within minutes of this download finishing, a fake AV program called ‘Personal Shield pro’ was launched.

Both the attached executable files and those that were downloaded after the initial infection had very low detection rates among anti-virus engines, which highlights the need to be very cautious when opening email attachments and to keep anti-virus software up to date.

Thanks to Rodel Mendrez for his investigation into the password stealer component.

Resurrection of CVE-2010-3333 In-The-Wild

By Yaniv Miron • July 5th, 2011 • Cybercrime

During the last few weeks we’ve seen massive use of the CVE-2010-3333 vulnerability for Microsoft Office. This eight months old vulnerability is used in popular documents such as a document that pretends to be “President Obama’s Speech”.

Microsoft Office vulnerabilities have become very popular over the last few years and here are several samples that can be found In-The-Wild that use MS10-087 / CVE-2010-3333.

A brief overview of the vulnerability can be found at mitre CVE-2010-3333

“Stack-based buffer overflow in Microsoft Office XP SP3, Office 2003 SP3, Office 2007 SP2, Office 2010, Office 2004 and 2008 for Mac, Office for Mac 2011, and Open XML File Format Converter for Mac allows remote attackers to execute arbitrary code via crafted RTF data, aka “RTF Stack Buffer Overflow Vulnerability.”

As we can see there is an exploit that is a part of the Metasploit exploit framework:

Figure 1 – Metasploit main page

The vulnerability is actually an .RTF file type vulnerability but can be launched by using a .DOC file (not an actual .DOC file but a .DOC extension).

Figure 2 – Part of the exploit from Metasploit

CVE-2010-3333 Sample Analysis

File Name: President Obama’s Speech.doc

MD5: 35c33bbd97d7f5629d64153a1b3e71f1

The following analysis was performed via Word 2003.

Here we can see the text view of the file and we can clearly see that they are using CVE-2010-3333:

Figure 3 – Text view of CVE-2010-3333 sample

Lets examine the hex view of the file:

Figure 4 – Hex view of CVE-2010-3333 sample

Now, let’s examine the beginning of the file:

{\rtf1{\shp{\*\shpinst{\sp{\sn pFragments}{\sv 1;1000000…[SNIP]…0;01234567ff000…[SNIP]…

From Microsoft Office Word 2003 Rich Text Format (RTF) Specification:

“Drawing Object Properties

The bulk of a drawing object is defined as a series of properties. The { \shp ………… control word is followed by { \*\shpinst Following the { \*\shpinst is a list of all the properties of a shape. Each of the properties is in the following format:

{ \sp { \sn PropertyName } { \sv PropertyValueInformation } }

The control word for the drawing object property is \sp. Each property has a pairing of the name (\sn) and value (\sv) control words placed in the shape property group.”

We see that it’s an .RTF file type, that contains a “sn” (Designates paragraph style.) with a PropertyName “pFragments” (Fragments are optional, additional parts to the shape. They allow the shape to contain multiple paths and parts. This property lists the fragments of the shape.). After that, we see a “sv” that contains a value, a semicolon and a second value followed by a second semicolon and a third value. The third value is the cause of the buffer overflow.

Now that we’ve seen that hackers use the vulnerability In-The-Wild, let’s try and get a better understanding of the vulnerability by using the Metasploit sample:

{\rtf1{\shp{\sp{\sn pFragments}{\sv 5;6;11111111acc8111…[SNIP]…

ASM Info:

30e9eb72 81e1ffff0000 and ecx,0FFFFh

30e9eb78 56 push esi

30e9eb79 8bf1 mov esi,ecx

30e9eb7b 0faf742414 imul esi,dword ptr [esp+14h]

30e9eb80 037010 add esi,dword ptr [eax+10h]

30e9eb83 8bc1 mov eax,ecx

30e9eb85 c1e902 shr ecx,2

30e9eb88 f3a5 rep movs dword ptr es:[edi],dword ptr [esi] ; Overflow!

30e9eb8a 8bc8 mov ecx,eax

30e9eb8c 83e103 and ecx,3

30e9eb8f f3a4 rep movs byte ptr es:[edi],byte ptr [esi]

30e9eb91 5e pop esi

30e9eb92 5f pop edi

30e9eb93 c20c00 ret 0Ch

Debugger info:

(100.3f8): Access violation – code c0000005 (first chance)

First chance exceptions are reported before any exception handling.

This exception may be expected and handled.

eax=0000c8ac ebx=05000000 ecx=00000023 edx=00000000 esi=025dc82c edi=00130000

eip=30e9eb88 esp=001237b8 ebp=001237f0 iopl=0 nv up ei pl nz na pe nc

cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206

…[SNIP]…

mso!Ordinal6426+0x64d:

30e9eb88 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]

In-The-Wild Samples

Here are few of the samples that we’ve found:

File Name: 2011 Insider’s Guide to Military Benefits .doc

MD5: f520c8671ddb9965bbf541f20635ef30

File Name: President Obama’s Speech.doc

MD5: 35c33bbd97d7f5629d64153a1b3e71f1

File Name: Q and A.doc

MD5: 46863c6078905dab6fd9c2a480e30ad0

The samples use different shellcodes, but as we can see, the exploit is In-The-Wild and is being used by malicious hackers.

These types of attacks are blocked by M86 Security’s Secure Web Gateway solution.

0-day exploit used in a targeted attack – CVE-2011-1255

By Avri Schneider • June 26th, 2011 • Cybercrime Malware Vulnerabilities

Time Element Memory Corruption – a remote code execution vulnerability, recently patched by Microsoft as part of MS11-050, bearing the Common Vulnerabilities and Exposures (CVE) number CVE-2011-1255 is being actively exploited in the wild.

M86 Security Labs team was contacted and asked to inspect the URL of a legitimate website of a large private company that was blocked by one of the proactive detection rules implemented in our Secure Web Gateway product.

We were asked to investigate if it was indeed a malicious page or a case of Over-Blocking.

The page looked benign, but inspecting each included JavaScript code, we saw that one of them:

Was injecting an iframe:

pointing to a malicious page that was very easilty classified as malicious due to shellcode patterns being part of the page’s DOM:

So, just another infected site – big deal right? But, after further inspection, we saw that it exploited an un-published security vulnerability in Internet Explorer. To verify this, we viewed the malicious page on the latest fully patched version of IE and saw a crash followed by execution of malicious code.

You can imagine the excitement on the team – finding a 0-day in the wild!

The excitement of finding a 0-day in the wild didn’t last that long, since soon after, Microsoft released details about this particular vulnerability.

Based on data we have reviewed from various sources, we can say with a high level of certainty, that the anonymous researcher who according to Microsoft’s security advisory, reported the vulnerability details to VeriSign iDefense, or at least one of his acquaintances, had used the vulnerability details for malicious purposes, as part of targeted attacks.

We decided that we should inspect the shellcode to see what the attacker was after. It used various anti-debugging tricks, but after decoding, it revealed a clear-text URL pointing to a malicious server already listed in our repository.

The attack sample stored in our repository was an attack for the well-known iepeers.dll vulnerability exploiting CVE-2010-0806.

It is interesting to note that the first saved sample of the attack was dated 21.3.10, while details of the vulnerability were reported and patched by Microsoft’s MS10-018 security patch for Internet Explorer on 30.3.10.

Two 0-day exploits served from the same server – impressive!

We wanted to find out where else he is serving his malicious code.

Remember the code snippet shown above, showing how the attacker hid the shellcode as part of the DOM?

Hiding data in the DOM of the page is a good obfuscation technique that bypasses security software that doesn’t act as an actual browser, and where their script engine does not have access to the actual DOM.

It turns out that one of the side-effects of hiding data inside DIV elements is that it makes the data indexable by search engines.

Google searching the pattern “TTu0d0f[...snip...]d0dLL1043416UU” revealed about 16 results and as of this writing, only a few were still alive.

Here is the list of the infected sites according to Google’s search result:

Not to mention the service of caching samples for us, it’s ironic that an attacker’s obfuscation technique can be used against him to find his infection servers using a simple Google search.

Tags: 0day | CVE-2011-1255 | exploit | Internet Explorer

Phoenix Exploit Kit (2.7) continues to be updated

By Daniel Chechik • June 4th, 2011 • Cybercrime

A few weeks ago, the Phoenix Exploit Kit 2.5 source code was leaked. At the time, it was not really useable, as it required activating by the author of the exploit kit. It contains an activation page that is being used to load all the exploits to the server for every specific customer. As expected, the author of the exploit kit released a new version of the tool, version 2.7.

Phoenix Exploit’s Kit 2.7 logo

The changes between the two versions are minor, but still very important as most exploits become inefficient in the very short term, especially with the latest IE vulnerabilities.

Tags: Exploit Kits | Java | PDF | Phoenix

New Bots, Old Bots II: Donbot

By Phil Hay • June 2nd, 2011 • Spam

Last week we blogged about the rise of two botnets in our spam statistics and provided details of Xarvester. Today, we take a closer look at the other botnet in question: Donbot.

Donbot has been around for about three years but lately has surged to the top of our spam statistics chart with masses of dating and gambling spam. We recently found a suitable sample (VirusTotal report) and took a look.

When executed, the malware immediately contacted its control server at 91.212.135.158 on port 80 and did the following POST request:

POST /gateway/index HTTP/1.0

The server replied NO_TASK_WAIT. And wait we did – for a long time with the bot checking in like this roughly every 20 minutes. Then after two days the server suddenly sprang into life and responded with a download file svchosta.exe (VirusTotal report):

This led to the installation of the Donbot spamming component, where four similar processes were spawned on the infected host. These executables were all dropped in the c:\documents and settings\administrator\application data folder on our Windows XP host:

The four processes were all spamming simultaneously. When we killed some of the processes, the bot simply spawned more copies to replace them. The combined spam output rate was quite impressive, we measured 1800 messages per minute (108,000 messages per hour) in our lab. Before anyone thinks we’re spamming, rest assured that these messages were all captured by our spam sinkhole servers. This kind of spamming rate quickly leads to big numbers. For example, take a botnet of just 1000 bots, multiply that by 108,000 messages per hour and assume each host is spamming for 8 hours per day, and you get a spamming machine capable of over 800 million spam messages per day.

The control instructions and reports between the bot and its control server are all communicated in plain text. Here, for example is part of the template used in the gambling spam campaign we discussed last week.

Donbot also sends regular reports back to the server, which includes success rates and whether the host may be blacklisted at any IP blacklist (RBL). Below you can see two characteristics of Donbot traffic – the HALLO and CHUNK:

The success of sending to individual email addresses is also recorded, so that the operator can continually clean his email address lists of ‘bad’ addresses.

In amongst the template instructions, there is also a bunch of text which looks like it is pulled from a Wiki somewhere. Although we didn’t see it being used in the gambling campaign, this may be for inserting random text into spam messages.

All this is very similar to what we have seen before from Donbot (see our original write up here). What’s interesting is its sudden rise from obscurity and its high output per host. Why build a new fancy spamming botnet when you simply tweak some old ones?

Tags: Dating | Donbot | Gambling | Spam Volume | Spambots

Donbot’s “Money Maker” Gambling Scheme

By David Broome • May 26th, 2011 • Spam

Last week, we observed the Donbot botnet changed its spam campaign to one promoting online casinos. The barrage of of Fake AV we saw coming out of Donbot suddenly stopped and within 15 minutes we started receiving this new campaign.

The theme of the campaign is not entirely new, as it is one we have seen for over a year on and off in our spam traps. It is designed to encourage the reader to gamble money on roulette with what is presented as a ‘winning strategy’. Conveniently, a link to an online casino is provided to the user in order to use this strategy and make ‘easy money’.

Tags: Donbot | Gambling | MailMarshal | Online Casino | Spambots

New Bots, Old Bots: Xarvester Returns

By Phil Hay • May 24th, 2011 • Botnets

There has been quite a shake up in the spamming underworld ever since SpamIt.com closed shop and the Rustock botnet was disrupted. A look at our weekly spam statistics shows that spam volume has dropped substantially, making this year (so far) a happy one for anti-spammers. While spam output has remained low, the statistics also show quite a shakeup in the bots used to distribute spam.

Surprisingly, since around March, we have observed a big rise in spam from two botnets well known to us from the past – Donbot and Xarvester. Six months ago, spam from these botnets hardly got our attention. But now, clearly, someone has breathed new life into these spamming machines.

Xarvester first came to our attention over two years ago, when it rose to prominance after the hosting provider McColo was unplugged, decimating the then leading spamming botnet Srizbi. We have also seen Xarvester clearly linked to Spamit.com, when we discovered Spamit ‘footprints’ in Xarvester spam templates. So when we recently came across a Xarvester bot, we decided to take a closer look. The sample we used is not named Xarvester by any anti-virus vendor, Microsoft were calling it Bymot, and AVG called it simply SpamTool (VirusTotal Report). A look at the strings in the malware body confirmed to us that what we we looking at was indeed Xarvester, as we had seen these strings in previous Xarvester bots.

Both the highlighed command and control domains are hard coded into the malware and both point to the same IP address.

The spambot itself is relatively simple. When the executable is run, it first performs a query to checkip.dyndns.com to check the IP address of the host. The bot then connects to the def2010cnt[dot]biz domain on port 12309, and requests an encrypted file, which, when decrypted, proves to be a container for a bunch of files the bot needs to spam.

Again, this is very similar to what we saw with Xarvester over two years ago. The bot typically does not perform DNS lookups for each spam message, instead the IP address for each target domain are downloaded in the package. The headers of the spam messages are very uniform, and closer inspection shows that the bulk of the header is hard coded in the malware body, which is unusual when compared to many of the other bots we see today that vary headers regularly. Even the content of the message body has a familiar look to it. Compare the message body today:

With a message we saw from Xarvester two years ago:

So, Xarvester has been dusted off and is back to flogging replica watches – who would have thought?

We have updated our spambot description for Xarvester, which you can find here.

Thanks to Gavin Neale and Rodel Mendrez who contributed to the analysis of this bot.