
Persistent Worm Fires Hotel Reservation Spam Volleys at UK Emails

2012-07-20


A self-perpetuating campaign to spam malware via email attachments has been rotating through the customary social engineering messages — mainly variations of the shipping confirmation scam — but switched gears to a new campaign using a fake hotel reservation confirmation email last week. The new scam presents the victim with a message purportedly from Priceline subsidiary booking.com, informing the recipient that “We have received a reservation for your hotel” — yes, you. Didn’t you know you owned or operated a hotel? Well, you do now, apparently, and when the guests arrive, Mr. Fawlty, don’t mention the war.

Like the earlier Trojan samples retrieved from this campaign — executables, wrapped in Zip files — that have trickled into my Darknet mailboxes over the past month, the hotel reservation malware hooks itself to wuauclt.exe, the Windows Update client application, a legitimate component of the operating system. Also like the earlier samples, this one receives its instructions from the same command-and-control server, loadmetoday.com, hosted (as I write this) in Russia by McHost.

The server hosting this CnC domain, at IP address 178.208.91.28, hosts one other domain, verisignme.com. Normally, I’m not inclined to assume the worst from a correlation such as this — I’ll wait until I’ve seen the domain engage in malicious activities — but the suspicious name gives me pause about the registrant’s motives.

Well, that and the fact that both domains are supposedly registered to Jimmy Carter, and I just don’t have a lot of confidence that the 39th President of the United States is behind shenanigans of this magnitude: The Trojan brought down other bot clients that, in turn, connected to their own CnC servers and retrieved still more payloads, including SMTP spamming tools.

The messages say:

Booking Confirmation
(10 digit number)
We have received a reservation for your hotel.
Please refer to the attached file now to acknowledge the reservation and see the reservation details:
Arrival: (random date in the near future) Number of rooms: 1
Customer Service Team

Attached to the message is a Zip file named Booking_Hotel_Reservation_Details-(10-digit number).zip. The 10 digit number in the filename usually doesn’t match up with the number in the message body. I discovered later that the SMTP spamming component, sending out new copies of this message from infected PCs, generates new, random numbers in the subject and body of the message.
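As an added example (not code from the original post or from Solera), the following matcher turns the lure described above into a mail-filter rule: it checks the subject, the "reservation for your hotel" body phrase, the attachment naming pattern, and the mismatch between the 10-digit number in the attachment name and the one in the body. The sample messages are constructed; the six-digit subject prefix is included because the post describes the spam component adding one.

```python
import re
from dataclasses import dataclass, field

# Patterns derived from the message template quoted in the post.
# Subject may carry the random six-digit prefix the spam component adds.
SUBJECT_RE = re.compile(
    r"^(?:\d{6}\s+)?(?:Booking|Reservation) Confirmation\b", re.IGNORECASE)
BODY_PHRASE = "we have received a reservation for your hotel"
ATTACHMENT_RE = re.compile(
    r"^Booking_Hotel_Reservation_Details-(\d{10})\.zip$", re.IGNORECASE)
TEN_DIGITS_RE = re.compile(r"\b(\d{10})\b")


@dataclass
class Message:
    subject: str
    body: str
    attachments: list = field(default_factory=list)


def score_message(msg):
    """Return the list of template features found in one message.

    An empty list means nothing matched; two or more hits is a strong
    match for this campaign's lure.
    """
    reasons = []
    if SUBJECT_RE.search(msg.subject):
        reasons.append("subject matches the confirmation template")
    if BODY_PHRASE in msg.body.lower():
        reasons.append("body contains the 'reservation for your hotel' lure")

    zip_numbers = set()
    for name in msg.attachments:
        m = ATTACHMENT_RE.match(name)
        if m:
            reasons.append(f"attachment name matches the template: {name}")
            zip_numbers.add(m.group(1))

    # The post notes the number in the filename usually does not match
    # the one in the body, because both are generated at random.
    body_numbers = set(TEN_DIGITS_RE.findall(msg.body))
    if zip_numbers and body_numbers and not (zip_numbers & body_numbers):
        reasons.append("10-digit number in attachment name differs from body")
    return reasons


# Constructed samples: one lure following the quoted template, one benign mail.
LURE = Message(
    subject="472913 Reservation Confirmation",
    body=("Booking Confirmation\n4815162342\n"
          "We have received a reservation for your hotel.\n"
          "Please refer to the attached file now to acknowledge the reservation "
          "and see the reservation details:\nArrival: 2012-07-25 Number of rooms: 1\n"
          "Customer Service Team\n"),
    attachments=["Booking_Hotel_Reservation_Details-1234567890.zip"],
)
BENIGN = Message(
    subject="Re: meeting notes",
    body="Attached are the notes from Tuesday. Thanks!",
    attachments=["notes.txt"],
)

if __name__ == "__main__":
    for m in (LURE, BENIGN):
        print(m.subject, "->", score_message(m) or "no match")
```

The matcher deliberately reports each feature separately rather than a single boolean, so a mail gateway can alert on the body phrase alone (which survives subject rewrites) while blocking only when the attachment pattern also matches.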

Earlier versions of the message, with Zip files containing malware attached, claimed to be shipping confirmations from FedEx and DHL.

Another spam with a Zip attachment used the Subject line Why did you put this photo online? with a simple message: “Hi there, I got to show you this picture in attachment. I can’t tell who gave it to me sorry but this chick looks a lot like your ex-gf. But who’s that dude??.” Thanks for the tip, anonymous ninja turtle, but I think she looks more like your mom.

Still another message claimed to come from LinkedIn, lacking an attachment, but the fake Can I place your photo on my web site? message linked to a Web page hosting an exploit kit. Vegas event massage, indeed.

A different email message, bundled with an HTML attachment, claimed to be a job offer from Careerbuilder. The file attachment contained only obfuscated JavaScript; when opened in a browser window, the script ran and redirected the browser to a site hosting exploits.

The various payloads that arrived at the end connected with loadmetoday.com, so it seems reasonable to assume they’re all part of a related campaign. One common characteristic of the infection is that, using tools like Process Explorer, you’ll see an extra instance of wuauclt.exe running. The Trojan also duplicates itself into the %temp% folder of the currently logged-in user after execution, and sets a Run key in the registry that will execute the duplicate after a reboot.

The communication between the bot client and server always used the same bare-bones User-Agent string: Mozilla/4.0

The first day I ran the Trojan, it tried to retrieve a payload from the /foto/pm.exe path on a server named brik.nl (hosted on IP address 195.8.208.74), but the file wasn’t present on the server. By 48 hours later, it successfully retrieved the file /test/pm.exe from the aro.nu server (also hosted at 195.8.208.74). Finally, Tuesday morning just before 10:25am local time, the infected host pulled down its final payload, named up.exe, from meltonmowbraysc.co.uk (91.186.0.5), and my testbed was hosed less than a day later.

The botnet employed encryption more frequently than I’m accustomed to seeing: The CnC traffic to three different machines, 78.46.46.77, 78.46.93.177, and 78.46.87.164, was encrypted with SSL. The CnC traffic to loadmetoday wasn’t sent over HTTPS, but the messages were still encoded. The more frequent use of encryption suggests a (slightly) more sophisticated adversary, who (at least) knows how to set this stuff up.
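The host and network indicators described above (an extra wuauclt.exe instance, a copy of the Trojan launched from %temp% via a Run key, the bare Mozilla/4.0 User-Agent, and the CnC and payload hosts named in the post) can be checked with a small triage script. This is an added example, not code from the post or from Solera; the process list, Run-key values and proxy log lines are constructed, and the assumption that the only legitimate wuauclt.exe image is the one in System32 is mine.

```python
import re

# Hosts and addresses quoted in the post (CnC, payload staging, SSL CnC peers).
CNC_DOMAINS = {"loadmetoday.com", "brik.nl", "aro.nu", "meltonmowbraysc.co.uk"}
CNC_IPS = {"178.208.91.28", "195.8.208.74", "91.186.0.5",
           "78.46.46.77", "78.46.93.177", "78.46.87.164"}
BARE_UA = "Mozilla/4.0"
# Assumption: the Windows Update client only legitimately runs from System32.
LEGIT_WUAUCLT = r"c:\windows\system32\wuauclt.exe"
# %temp% on XP-era and later Windows profiles.
TEMP_RE = re.compile(r"%temp%|\\local settings\\temp\\|\\appdata\\local\\temp\\",
                     re.IGNORECASE)


def check_processes(procs):
    """procs: list of (image name, full image path), e.g. from Process Explorer."""
    findings = []
    instances = [(n, p) for n, p in procs if n.lower() == "wuauclt.exe"]
    if len(instances) > 1:
        findings.append(f"{len(instances)} wuauclt.exe instances running")
    for _, path in instances:
        if path.lower() != LEGIT_WUAUCLT:
            findings.append(f"wuauclt.exe with unexpected image path: {path}")
    return findings


def check_run_keys(run_values):
    """run_values: {value name: command} read from a ...\\CurrentVersion\\Run key."""
    return [f"Run value '{name}' launches from a temp folder: {cmd}"
            for name, cmd in run_values.items() if TEMP_RE.search(cmd)]


def check_http_log(lines):
    """lines: tab-separated 'src_ip host path user_agent' records."""
    findings = []
    for line in lines:
        src, host, path, ua = line.rstrip("\n").split("\t")
        if host in CNC_DOMAINS or host in CNC_IPS:
            findings.append(f"{src} contacted known CnC/staging host {host}{path}")
        if ua == BARE_UA:
            findings.append(f"{src} sent bare User-Agent '{BARE_UA}' to {host}")
    return findings


# Constructed samples for an infected host (10.0.0.5) and a clean one (10.0.0.7).
SAMPLE_PROCS = [
    ("explorer.exe", r"C:\Windows\explorer.exe"),
    ("wuauclt.exe", r"C:\Windows\System32\wuauclt.exe"),
    ("wuauclt.exe", r"C:\Documents and Settings\user\Local Settings\Temp\wuauclt.exe"),
]
SAMPLE_RUN = {
    "Windows Update": r"C:\Documents and Settings\user\Local Settings\Temp\wuauclt.exe",
    "ctfmon": r"C:\Windows\System32\ctfmon.exe",
}
SAMPLE_HTTP = [
    "10.0.0.5\tloadmetoday.com\t/\tMozilla/4.0",
    "10.0.0.5\tbrik.nl\t/foto/pm.exe\tMozilla/4.0",
    "10.0.0.7\twww.example.com\t/index.html\tMozilla/5.0 (Windows NT 6.1)",
]


def run_checks():
    return {
        "processes": check_processes(SAMPLE_PROCS),
        "run_keys": check_run_keys(SAMPLE_RUN),
        "http": check_http_log(SAMPLE_HTTP),
    }


if __name__ == "__main__":
    for section, findings in run_checks().items():
        print(section, *findings, sep="\n  ")
```

The User-Agent check is the weakest of the three on its own (old software also sends short UA strings), which is why it is reported separately so that it can be weighted against the destination host match.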

In addition, some of the executable payloads sported a digital signature. Of course, the signature was generated by an untrusted certificate, and was pretty easy to spot if you know where to look.

But seriously: who (other than myself and a few other “crypto-OCD” people I know) ever inspects the Digital Certificate this closely? The answer is: almost nobody. In fact, even if you delve into the details, the certificate offers confusing, contradictory information. In one location, the cert’s properties are clearly labeled as not valid.

Yet elsewhere in the properties sheet, Windows reports that “The Certificate is OK” — well, that clears it all up. All that means is that the certificate has been crafted correctly for the OS to interpret it; its OK-ness has no bearing on its validity.

I also observed odd behavior at Virustotal. This digitally signed malware payload was, initially, detected by 13 out of the 42 antivirus engines within the service. I’ve come to expect a typical malware sample to have more detections as time goes on; in this case, 57 hours later, the file was actually detected by fewer engines: only 10 out of 42. As I write this, the file stands at 22 detections out of 41 engines, a meh! antivirus detection rate of slightly over 50% — a week since it was first uploaded for scanning.

That payload, or another one which it pulled down, rendered one of my testbed systems temporarily inoperable: The malware executed a command to mark every file with the “hidden” attribute, then set the Windows registry key to hide any files marked in this way from view, and finally triggered an error that sent the PC into a bluescreen-reboot loop.

While testing the botnet one day, I observed one of the infected hosts performing a lot of DNS queries for mail server addresses.

After about 30 minutes of this, the host went into overdrive, blasting out a spam “Reservation Confirmation” message with a Zipped attachment.

In the eight seconds it ran before I put an end to it, the bot dispatched more than 200 messages.

The Subject line of each message was prefixed with a unique, random six digit number. The message body otherwise looked virtually identical to the “Booking.com” one I had received. Virustotal indicated that the payload is a RAT called Andromeda.
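The sequence described above (a burst of DNS queries for mail servers from one host, followed minutes later by an SMTP blast of more than 200 messages in eight seconds) is a behavioural pattern that network monitoring can alert on without any campaign-specific indicator. The following sliding-window detector is an added example, not code from the post or from Solera; the DNS and SMTP connection logs it consumes are constructed, and the window sizes and thresholds are assumptions chosen to fit the rates the post reports.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def burst(events, window, threshold):
    """events: iterable of (timestamp, client, key).

    For each client, slide a time window over its events and report the
    largest number of distinct keys seen inside any window of that length,
    but only for clients that reach `threshold`. Runs in O(n) per client.
    """
    per_client = defaultdict(list)
    for ts, client, key in events:
        per_client[client].append((ts, key))

    alerts = {}
    for client, evs in per_client.items():
        evs.sort()
        counts = Counter()
        start = 0
        for ts, key in evs:
            counts[key] += 1
            # Drop events that fell out of the window.
            while ts - evs[start][0] > window:
                old_key = evs[start][1]
                counts[old_key] -= 1
                if counts[old_key] == 0:
                    del counts[old_key]
                start += 1
            if len(counts) >= threshold:
                alerts[client] = max(alerts.get(client, 0), len(counts))
    return alerts


def parse_dns(lines):
    """Constructed format: '<ISO timestamp> <client> <qtype> <qname>'; MX only."""
    for line in lines:
        ts, client, qtype, qname = line.split()
        if qtype == "MX":
            yield datetime.fromisoformat(ts), client, qname.lower()


def parse_smtp(lines):
    """Constructed format: '<ISO timestamp> <src> <dst_ip>:<port>'; port 25 only."""
    for line in lines:
        ts, src, dst = line.split()
        host, port = dst.rsplit(":", 1)
        if port == "25":
            yield datetime.fromisoformat(ts), src, host


def detect_mx_burst(lines, window=timedelta(seconds=60), threshold=20):
    """A workstation resolving MX records for many distinct domains in a minute."""
    return burst(parse_dns(lines), window, threshold)


def detect_smtp_fanout(lines, window=timedelta(seconds=10), threshold=50):
    """A workstation opening port-25 connections to many distinct hosts in 10 s."""
    return burst(parse_smtp(lines), window, threshold)


# Constructed logs: 10.0.0.5 behaves like the infected testbed; 10.0.0.7 is benign.
BASE = datetime(2012, 7, 17, 9, 50, 0)
SAMPLE_DNS = (
    [f"{(BASE + timedelta(seconds=1.2 * i)).isoformat()} 10.0.0.5 MX mail{i}.example.net"
     for i in range(40)]
    + [f"{(BASE + timedelta(minutes=i)).isoformat()} 10.0.0.7 MX example.org"
       for i in range(3)]
    + [f"{BASE.isoformat()} 10.0.0.7 A www.example.com"]
)
# 60 connections in under 8 seconds, half an hour after the MX lookups.
SAMPLE_SMTP = [
    f"{(BASE + timedelta(minutes=30, seconds=0.13 * i)).isoformat()} 10.0.0.5 192.0.2.{i + 1}:25"
    for i in range(60)
]

if __name__ == "__main__":
    print("MX bursts:", detect_mx_burst(SAMPLE_DNS))
    print("SMTP fan-out:", detect_smtp_fanout(SAMPLE_SMTP))
```

Counting distinct MX names or destination hosts rather than raw query volume keeps a legitimate mail client, which talks to one or two servers repeatedly, below threshold while a spam engine that resolves a different domain per recipient trips it quickly.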

Interestingly enough, virtually all of them were sent to UK email addresses. Of note: 11 of the messages were sent to email addresses apparently used by employees of the UK’s National Health Service.

I also suppose that diamonds are a malware distributor’s best friend, because three of the messages were addressed to individuals at the London headquarters of the De Beers Group, the world’s largest diamond mine operator and diamond exporter. The only good news: Nobody’s built malware that can steal diamonds — yet.

DeepSee users: You can import any of the following lists of distinguishing characteristics to create Favorites. You can then use those Favorites to write Rules that will generate warning alerts (in DeepSee 6.0 – 6.2.2), or to write Actions that can trigger alerts or Data Enrichment, using real-time extractor (DeepSee 6.5+ only).

  • User-agent string used by the bot client

  • Email subject line used by “Loadmetoday” mal-spam

  • Email sender addresses used by “Loadmetoday” spam component

To create a Favorite: save one or more of the files above. Navigate within DeepSee to Summary -> Favorites. In the Favorites window, click the blue Import button in the upper right corner. Give the Favorite a memorable name (or just use the text above), choose List from the File Type dropdown menu, then browse to the file. In the Field picklist, choose the correct category for the list you’re importing (the category name is included in each file’s name). Click Save and you can immediately begin to use the Favorite as its own query term in the Path Bar.

No warranty: Your mileage may vary. Solera Networks cannot guarantee that the use of these lists to produce Favorites will result in detections of all, or any, infection attempts, or will be free of false positives.
