Your HP ScanJet Document Ain’t What It Seems

2012-06-06

Spam circulating over the weekend claiming to originate from a corporate scanner is – you guessed it – malicious. Just another brick in the social engineering wall. It’s not really much of a brick, either. The attachment is an HTML file, and it supposedly came from “Marin” using a Hewlett-Packard HP Officejet 7371P, with a return address of robot@craigslist.org and a really long, really fake “Device” code.

Mail systems seem to be getting quicker to react to these kinds of spam messages. One example of the message to the right, forwarded to me by Joe Levy, our CTO, vanished into thin air before I’d managed to retrieve the message’s malicious payload. The system seemed to recognize some pattern in the message (a few minutes after it arrived) and, apparently, excised the message from all inboxes on the server. Fortunately, it’s the kind of unwanted message that also has a tendency to appear in our spam collection points, where it isn’t subject to summary execution.

Under examination, the message’s payload appears to be a chunk of HTML code, obfuscated using JavaScript. It was a funky obfuscation method: the page is one giant dash-delimited array of numbers, so it looks like nothing at all if you view the page in a browser with scripting turned off. If one were to open the file in a browser with scripting enabled, on the other hand, the script runs, decoding the rest of the instructions on the fly. I took a third approach.

Breaking apart the JavaScript, it becomes immediately apparent that something is amiss here. First, it runs through one set of exploits, then another, until it gets a hit and delivers a payload.

The network traffic reveals that this is a fairly typical Blackhole exploit kit page.

The file naming conventions employed by this installation of the kit (showthread.php, ap2.php, field.swf, score.swf, and w.php for the final payload) have been in use for months.

Both SWF payloads are well known to antivirus companies.

When unpacked, the obfuscated code becomes visible: a long string of instructions that begins with a technique for profiling the victim’s browser by parsing its User-Agent string.

The domain hosting the malicious content, girlsnotcryz.ru (no, really), has four different DNS A-records, on geographically diverse networks. The attack domain and page have been live since the beginning of the weekend, and they don’t seem to be going away anytime soon.

Each of the four IP addresses associated with this campaign hosts a number of other randomly named domains that look like throwaways, which bear further scrutiny.

Mac users get shunted to our favorite ostensibly Canadian-Russian joint venture “male enhancement pill” catalog.

Computers running vulnerable Windows browsers end up with an enhancement of a different variety: a UPX-packed dropper, which had set up shop in the \Local Settings\Temp directory on the testbed using the name wpbt0.dll. Likely Cridex, it delivered both a bank phishing Trojan (likely Zbot) and a rogue antivirus to one testbed.

You’d have your hands full if the victim machine were yours. The best thing you can do is avoid opening unexpected attachments, even ones with an .HTM suffix.

DeepSee users: You can import any of the following lists of common Blackhole exploit kit file naming conventions to create Favorites. You can then use those Favorites to write Rules that will generate warning alerts.

To create a Favorite: save one or more files to your desktop, then navigate within DeepSee to Summary -> Favorites. In the Favorites window, click the blue Import button in the upper right corner. Give the Favorite a memorable name (or just use the ones above), choose List from the File Type dropdown menu, then browse to the file. Choose filename from the Field picklist. Click Save and you can immediately begin to use the Favorite.
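For readers without DeepSee, the same check can be run over an ordinary proxy log. The following script is an added example, not part of the original post or Solera’s product: it matches the requested filename of each log line against the Blackhole names listed above and then correlates hits per client and host, so that a single showthread.php on a legitimate forum does not fire on its own. The log format (timestamp, client, URL) is an assumption and the sample lines are constructed.

```python
"""Flag proxy log lines whose requested filename matches a Blackhole exploit
kit naming convention.  Added example: the log format is an assumption and
the sample lines are constructed."""
import re
from urllib.parse import urlsplit

# Filenames the post reports for this Blackhole installation.
BLACKHOLE_FILENAMES = {"showthread.php", "ap2.php", "field.swf", "score.swf", "w.php"}

# Constructed sample log in an assumed "timestamp client url" format.
SAMPLE_LOG = """\
2012-06-04T09:12:01 10.0.0.17 http://girlsnotcryz.ru/showthread.php?t=12345
2012-06-04T09:12:03 10.0.0.17 http://girlsnotcryz.ru/field.swf
2012-06-04T09:12:05 10.0.0.17 http://girlsnotcryz.ru/w.php?f=1&e=2
2012-06-04T09:13:10 10.0.0.22 http://www.example.com/forum/showthread.php?t=99
2012-06-04T09:14:00 10.0.0.31 http://www.example.com/index.html
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<url>\S+)$")

def requested_filename(url):
    """Last path segment of the URL, lower-cased, query string ignored."""
    return urlsplit(url).path.rsplit("/", 1)[-1].lower()

def scan_log(text, names=BLACKHOLE_FILENAMES):
    """Return (timestamp, client, host, filename) for each line whose
    requested filename is on the list; malformed lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        fname = requested_filename(m["url"])
        if fname in names:
            hits.append((m["ts"], m["client"], urlsplit(m["url"]).hostname, fname))
    return hits

def correlate(hits, threshold=2):
    """Keep (client, host) pairs that fetched at least `threshold` distinct
    listed filenames: landing page + SWF + payload from one host is the
    Blackhole pattern; a lone showthread.php on a real forum is not."""
    seen = {}
    for _, client, host, fname in hits:
        seen.setdefault((client, host), set()).add(fname)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= threshold}

if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG))
    print(correlate(scan_log(SAMPLE_LOG)))
```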

No warranty: Your mileage may vary. Solera Networks cannot guarantee that the use of these lists to produce Favorites will result in detections of all, or any, Blackhole infection attempts, or will be free of false positives, but we’re confident that they will find the most common names employed during those infections when used as directed.
