‘E-Payment’ Drive-Bys Deliver Fresh Malware to your Door


A spam campaign currently underway links unsuspecting recipients to drive-by attack Web sites. Those sites are responsible for the distribution of a predictable panoply of malware, using exploits. US-CERT, the Internet incident first-responders in the US, decided to issue a warning about the spam because they’ve been getting reports about it, too.

The messages allege that some form of electronic payment made by the recipient has not passed muster with an agency of dubious nomenclature: It runs a number of variations on “The Electronic Payments Association,” with the space characters between those words, and others in the message subject and body, replaced with underscores and/or hyphens, at random intervals. The gist of the message: Some sort of Internet purchase or electronic payment has failed, and “The details regarding this matter are available in our secure section.” Indeed. My advice? Leave other people’s secure sections alone.

The campaign, which I’ve seen for less than a week, links to the malicious pages using Google’s own link-shortening service. The shortened links don’t remain active for very long — Google has been, to its credit, actively policing its service for this kind of abuse — but if you are unfortunate (or, in my case, fortunate) enough to click one of the links while it’s still live, the site hosting the exploits pushes a malicious executable down to your computer in less than 30 seconds. Beat that, Memphis Raines!

PICS OR IT DIDN'T HAP...oh. Okay, then.

At first check, last night, only 6 of the 43 antivirus vendors represented in Virustotal detected the executable payload as malware. Gotta be better by now. Main.php is just a script, but 2ddfp.php delivers a malicious PDF. A Java file named v1.jar runs between two Flash files, field.swf and score.swf. Finally, w.php pushes down an executable file.

All of the examples of the spam we’ve seen lead to one or another of the domains hosting the Blackhole Exploit Kit, one of several kits in common use by malware distributors. The kit loads code into the browser that invokes a range of vulnerable third-party applications, including Windows Media Player, Oracle’s Java and Adobe’s Flash, to download the malicious payload. A rapid-fire series of redirections leads the browser into the honeytrap. The landing page uses the naming convention main.php, with 16 characters of hexadecimal as the value of the page parameter in the query string. (The Bulgarian-hosted domain where stage one of the exploit was spewing out yesterday is on at least one blacklist.)

The kit varies the sequence of the attack scripts, depending on the browser that trips the tripwire. The sequence shown above is how the kit reacts to Internet Explorer. But this is how it pushes past Safari:

Yeah, I noticed the .class files named after our four favorite top-level domains. None of those .class files were found on the server, by the way. Scripts error out much, mal-monkey?

Our first destination is the script on the .html page; the query string against an .html file makes it distinctive in the log, since normally one would use the suffix .asp or .php for script files. Then it’s a shotgun blast of ajaxam.js, a redirection script. Next, it’s the main.php?page= script — obfuscated in a bizarre way: The script builds malicious commands out of a large array of numbers. That part isn’t bizarre. What’s odd is that, in this case, the numbers are each on their own line in the file, not in a giant block like they normally are.
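As an added illustration that is not part of the original post, here is how a defender might flag this chain in proxy logs using the indicators described above: the request for an .html file with a query string, the main.php?page= value of 16 hexadecimal characters, and the kit’s follow-on file names. The log format and host names are constructed for the example.

```python
import re

# Constructed proxy log lines (not from the post): "timestamp client url";
# the 10.0.0.5 entries mirror the chain described above.
SAMPLE_LOG = """\
2011-12-07T10:00:02 10.0.0.5 http://redirector.example/index.html?q=1
2011-12-07T10:00:03 10.0.0.5 http://redirector.example/ajaxam.js
2011-12-07T10:00:04 10.0.0.5 http://kit.example/main.php?page=0123456789abcdef
2011-12-07T10:00:06 10.0.0.5 http://kit.example/2ddfp.php?f=1
2011-12-07T10:00:08 10.0.0.5 http://kit.example/v1.jar
2011-12-07T10:00:10 10.0.0.5 http://kit.example/w.php?f=1&e=2
2011-12-07T10:05:00 10.0.0.9 http://intranet.example/main.php?page=home
2011-12-07T10:05:01 10.0.0.9 http://news.example/story.html
"""
# Indicators the post describes: main.php with a 16-hex-char "page" value,
# a query string against an .html file, and the kit's follow-on file names.
MAIN_PHP_RE = re.compile(r"/main\.php\?(?:[^#]*&)?page=[0-9a-f]{16}(?:&|$)", re.I)
HTML_QUERY_RE = re.compile(r"\.html\?", re.I)
KIT_FILES = {"ajaxam.js", "2ddfp.php", "v1.jar", "field.swf", "score.swf", "w.php"}

def classify(url):
    """Return the Blackhole-style indicators a single URL matches."""
    hits = []
    if MAIN_PHP_RE.search(url):
        hits.append("main.php-16hex")
    if HTML_QUERY_RE.search(url):
        hits.append("html-with-query")
    name = url.split("?", 1)[0].rsplit("/", 1)[-1].lower()
    if name in KIT_FILES:
        hits.append("kit-file:" + name)
    return hits

def scan(log_text):
    """Map each client to its (timestamp, indicator, url) hits."""
    per_client = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        ts, client, url = parts
        for hit in classify(url):
            per_client.setdefault(client, []).append((ts, hit, url))
    return per_client

def likely_infected(per_client):
    """Clients that hit the landing page and then fetched a kit file."""
    kinds = {c: {h[1] for h in hits} for c, hits in per_client.items()}
    return sorted(c for c, k in kinds.items()
                  if "main.php-16hex" in k and any(x.startswith("kit-file:") for x in k))
```

A single hit on its own (a legitimate main.php, or an .html page with a query string) is weak evidence; the landing page followed by the payload files from the same client is the signal worth alerting on.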

Over the course of the day, the main.php script changed. This shows how pieces of one version, on the left, differ from a later one, on the right. One thing that was always the same was the framing code that decoded the array of numbers into something else.

At the top of the script, and at the bottom…

…with thousands of rows of numbers and commas in between.

Didn’t matter in the end, because Safari eventually bit it and succumbed. So did Firefox:

The infection, which first appears as an executable named with a lot of numbers like the ones in the screenshots above, has some odd side-effects. For one, the Safari browser no longer functions on an infected machine. It just seems to quit before its program window appears, a behavior that, if it is deliberate, would (ostensibly) drive more users to Internet Explorer or Firefox, instead, both of which are able to launch post-infection. Reinstalling Safari has no effect.

Oh, and did I mention that the malware creator gave a nod to the company Piriform, which makes the CCleaner history-cleaning tool, in the file properties of the malware?

The infected machine continues to beacon out to its CnC server at a blacklisted domain, which was registered through SpiritDomains, a registrar that itself has a chequered past.

And — if you believe the WHOIS data, which I would not recommend — here is where our alleged botnet domain registrant kingpin allegedly lives, in a rural part of New Jersey a half-block’s walk from a nice lake. Maybe this is one of those well-paid work-at-home jobs I keep hearing about…

The exploits in use by the kit appear to function properly when viewed in Internet Explorer 6 or 7; Firefox 3, 6, 7, and 8 (without NoScript — with NoScript running, the initial attack does not function); and Safari 5.x. I did most of my tests under Windows XP with the known-vulnerable Java JRE 6u21 installed, Adobe Flash 10, and Adobe Reader 9. The latest release of the Java JRE, version 6u29, did not, at first, seem to be vulnerable, but my tests weren’t exhaustive; it just didn’t complete the infection process with the latest build, which is good news. Internet Explorer 8 did this, however, which means there’s more reason for hope in the world:

Here’s your bottom-line bottom line:

  • Don’t assume that clicking a link is any safer than running an attachment you downloaded from email.
  • Update Java, Adobe Reader, Adobe Flash, and whatever browser you’re using, and do it now.
  • Criminals pushing keyloggers, like these knuckleheads, want your stuff so they can have a happy holiday too. Don’t give them the merry Christmas you earned for yourself.

Solera blog stats