
How to Dodge a Blackhole Friday

2012-11-23


With Black Friday marking the dubiously traditional start of the holiday shopping season, malware distributors have been ramping up the spear-phishing and spam-driven malware attacks designed to steal online banking logins. In the past month, we’ve seen an increase in the number of spam campaigns which seem to use a commercial, rather than consumer, social engineering hook.

The spam messages — the social engineering links in the kill chain — purport to originate from a number of different merchant payment processors, payroll services, and other commercial finance businesses. Recipients receive a message about some sort of large, rejected fund transfer. In each case we’ve seen recently, the spam message links to a page on a legitimate Web site that had been previously compromised, on which a single HTML file has been stored. The HTML file automatically redirects the visitor to another Web site, one that is under the direct control of the malware distributors, often (though not always) hosting exploit kit code.

In one case, we followed a link from a message that (superficially) appeared to originate from American Express. The subject line read "Your November 2012 American Express Online Merchant Financial Operations Sheet." The body proposes that you follow a link to view your (sic) Online Merchant Fiscal Activism Statement. The end result on our test systems was a fistful of malware executables, all designed to engage in a specific type of fiscal activism: liberation of the assets from whatever bank accounts you manage online.

The body of this particularly oddly capitalized message reads:

Keep track of your account with your latest Online Merchant Fiscal Activism Statement from American Express. It’s available for you to Access at this secure web site link. Just click to select how you would like to Examine your statement.

The link in the message pointed not, as you’d expect, to American Express’ Web site, but to a personal Web site.

Once there, the recipient should have seen an interstitial Web page. I say it that way because the page renders as blank in both IE and Firefox. However, underlying that blankness is the following, undisplayed, social engineering copy:

Amex Operation Details | ADP – Business of your success. Small Business | Accounting Software, Pay by Mobile, Free Website Builder

You will be redirected to transfer submitted at 11/13/2012

We must complete few security checks to show your transfer details:

Be sure you have a transfer reference ID. You will be asked to enter it after we check the link. Important: Please be advised that calls to and from your wire service team may be monitored or recorded.

Redirecting to Complain details… Please wait…

For technical reasons, the sharp-as-a-marble malware distributor built a fairly elaborate backstory page that was, ultimately, useless because the text did not display in normal browsers. D’oh! In the end, the contents of this interstitial page don’t really matter, because the exploit begins to execute anyway. You just have to wonder, what’s the point of struggling to construct all that clumsy text if nobody ever sees it? Dumb cybercriminal is dumb.

This interstitial page contains a simple JavaScript location.replace() call pointing to a malicious Web site hosted in Hong Kong.
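A defender auditing a Web site for the kind of planted redirector page described above can scan its HTML for automatic off-site redirects. The following is an added example, not code from the original post; the sample markup is constructed from the interstitial text quoted above, and the redirect target and hosting host names are placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed sample modelled on the interstitial described in the post:
# backstory copy in the markup plus a JavaScript location.replace() that
# sends the visitor to another host. The target host is a placeholder.
SAMPLE_HTML = """<html><head>
<title>Amex Operation Details | ADP - Business of your success.</title>
<script type="text/javascript">
  window.location.replace("http://REDIRECT-TARGET.example/index.php?id=1");
</script>
</head><body>
<p>You will be redirected to transfer submitted at 11/13/2012</p>
<p>Redirecting to Complain details... Please wait...</p>
</body></html>"""

# JavaScript redirects: location.replace("..."), location.href = "...",
# location = "...", window.location.assign("...")
JS_REDIRECT_RE = re.compile(
    r"""(?:window\.|document\.|top\.)?location(?:\.href|\.replace|\.assign)?\s*"""
    r"""(?:=|\()\s*['"]([^'"]+)['"]""", re.I)
# <meta http-equiv="refresh" content="0;url=...">
META_REFRESH_RE = re.compile(
    r"""<meta[^>]+http-equiv\s*=\s*['"]?refresh['"]?[^>]*url\s*=\s*['"]?([^'">\s]+)""",
    re.I)


def find_redirects(html, hosting_host):
    """Return one dict per automatic redirect found in `html`, marking the
    ones whose target leaves `hosting_host` (relative URLs stay on-site)."""
    found = []
    for kind, rx in (("javascript", JS_REDIRECT_RE), ("meta-refresh", META_REFRESH_RE)):
        for m in rx.finditer(html):
            target = m.group(1).strip()
            host = urlparse(target).hostname or hosting_host
            found.append({"kind": kind, "target": target,
                          "external": host.lower() != hosting_host.lower()})
    return found


def is_redirector(html, hosting_host):
    """True when the page bounces the visitor to a different host, which on a
    legitimate site is the pattern worth a closer look."""
    return any(r["external"] for r in find_redirects(html, hosting_host))
```

Run it over every stray .html file in a webroot you administer; a single-file page whose only job is an off-site redirect is the footprint this campaign left on the compromised site.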

The fixedmib.net domain, serving up the exploit code, had only been registered 10, I say, 10 days prior to the spam message’s arrival.

The exploits attempt to employ known vulnerabilities in older versions of Java and Adobe (Acrobat) Reader to deliver malware to the victim’s computer. In our admittedly low-powered testbed systems, the infection was active in less than 40 seconds. Subsequent visits to the same page from testbeds with the same (external) IP address resulted in no infection; one can infer that the malware distributors track victim IP addresses and actively prevent redelivery of the malicious code. Nothing new here, except that this method seems to be rapidly becoming standard malware distribution practice.

Updating to the latest versions of Acrobat and Java offers some proactive protection. The exploit files we captured included a PDF designed to exploit CVE-2010-0188 and a Java JAR file designed to exploit CVE-2012-4681; both exploits are easily avoided by using the latest versions of both add-ons (or uninstalling the ones you don’t need or use). In general, the use of sandboxed browsers (such as Chrome) or script-blocking browser add-ons (such as NoScript) prevents the exploit from functioning, thereby preventing infection.

The initial payload delivered comes from a familiar malware family: Kazy, a common first-payload botnet downloader. Kazy typically copies itself to the Application Data folder of the currently logged-in user, and then hooks running processes to hide its presence on the system. It has realistic, though bogus, file properties information.

It typically uses the file naming convention of KB followed by six to eight digits. Needless to say, finding a similarly named file running from the root of your Application Data folder should be cause for concern.

Kazy began performing command-and-control sessions within a minute of the infection executing on the test system, always communicating by sending encrypted HTTP-POST traffic to a server listening on port 8080.

Within about 5 minutes, it had downloaded a large encrypted file, which turned out to contain four separate second-stage malware payloads.

Kazy rotated through 11 different C&C servers over the course of a week. This graphic represents the distribution of C&C IP addresses the malware phoned home to, by number of sessions, over the previous 7 days. There were 746 pingbacks during this time.
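The two Kazy indicators described above, the KB-plus-digits file in the root of Application Data and the repeated HTTP POSTs to port 8080 spread across many C&C IPs, can be checked with the following added example (not code from the original post). The Application Data path and the proxy log format and addresses are constructed assumptions; adapt the line parser to your own proxy's format.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Host indicator from the post: Kazy copies itself to the root of the
# logged-in user's Application Data folder as KB followed by 6-8 digits.
KAZY_NAME_RE = re.compile(r"^KB\d{6,8}\.exe$", re.I)


def suspicious_appdata_files(appdata_root, entries):
    """`entries` is a list of (directory, filename) pairs, e.g. from os.walk.
    Only files sitting directly in the Application Data root are flagged; the
    same name inside a subfolder is not the pattern the post describes."""
    root = appdata_root.rstrip("\\/").lower()
    return [name for d, name in entries
            if d.rstrip("\\/").lower() == root and KAZY_NAME_RE.match(name)]


# Network indicator: HTTP POST to a bare IP on port 8080, rotated across many
# C&C hosts. Constructed proxy log lines (not from the post's capture):
# timestamp, client IP, method, URL, status.
SAMPLE_PROXY_LOG = """\
2012-11-13T10:01:02Z 10.0.0.5 POST http://203.0.113.10:8080/ 200
2012-11-13T10:01:55Z 10.0.0.5 POST http://203.0.113.10:8080/ 200
2012-11-13T10:02:40Z 10.0.0.5 POST http://198.51.100.7:8080/ 200
2012-11-13T10:03:11Z 10.0.0.5 GET http://www.example.com/index.html 200
2012-11-13T10:04:00Z 10.0.0.5 POST http://192.0.2.44:8080/ 200
2012-11-13T10:05:30Z 10.0.0.5 POST http://www.example.com/login 302
"""

IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def cnc_distribution(log_text, port=8080):
    """Count POST sessions per destination IP on `port`: the same view as the
    post's 'pingbacks per C&C IP' graphic. POSTs to named hosts are ignored
    so ordinary web logins do not pollute the count (a heuristic, not proof)."""
    counts = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2].upper() != "POST":
            continue
        u = urlsplit(parts[3])
        if u.port == port and IPV4_RE.fullmatch(u.hostname or ""):
            counts[u.hostname] += 1
    return counts
```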

Two of the payloads come from the Tepfer malware family; its configuration file indicates that it targets more than 350 bank Web sites to engage in “man-in-the-browser” password theft.

Another of the second-stage payloads scanned the Windows registry for the presence of a large variety of common FTP client software, email clients, and browsers, and attempted to extract saved passwords from the location where those applications store them.

Helpfully, the malware embeds its large list of C&C servers right in the file. Oh look, it’s a shared HTTP URI naming convention we can query against! Thanks malware doodz, you make it so easy.

Over the same 7-day period, Tepfer made only 62 pingbacks to fewer C&C IP addresses, but like Kazy, it spread the work around as best it could.

The initial Kazy payload, when left to its own devices, downloaded a replacement version (also as an encrypted blob) roughly once every 12 hours, over the course of six days.

One thing to remember: these types of attacks require a user to interact with the first link in the kill chain. Everything shown here was human-initiated. If you keep vulnerable browser plugins up to date, and don’t click links in unexpected (or completely off-base) email messages, you can avoid these kinds of problems altogether, and shop, bank, or game online safely. Otherwise, well, you can see how it turned out.
