Spam Analysis

The other day I received a piece of spam that surprised me. First, because I was simply shocked that I got a piece of spam. I haven’t received a single piece of spam at that address in years! This led to my second observation: the spam was sent to one person and carbon copied to three others, all at the same domain name. Now that’s tricky! Here lots of spammers are trying to use PDFs or images to get their spam through, and this person just made it look like a typical business email.

SPAM Message

If you bothered to take a look at the image above, you noticed a link to www [dot] med123window [dot] org. Now I’m always up for an adventure, so I logged into my trusty *nix box and pulled the page down with wget. Using cat to look at the contents, I noticed that it contained nothing but a big encoded JavaScript. Take a look at it here.

The script would use the JavaScript function unescape to turn the hex values into ASCII and then pass that result on to the eval function for it to be loaded and executed at runtime. Maybe it’s because I look at malware all day, but is it just me, or is there no good reason for eval to exist?

I could have used a JavaScript based sandbox approach that would allow the code to be unescaped and displayed in a textarea, but I’ve heard reports that some malicious code is wise to that attempt and can defeat it. So I went with a method they can’t defeat. It’s called perl. And it’s beautiful!

The method I used here was to take input off of STDIN, find all occurrences of \x??, convert each to the corresponding ASCII value, and then finally parse that result for use of HTML encoding that uses hex in the form %??. Here’s the resulting program.
(** Note: In both examples above the question marks would be replaced with a hex value 0–9 or A-F)
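
The same two-pass decode, as an added Python sketch (not the Perl program linked from this post, which is not reproduced here): it treats the page as text and never runs it. The sample input and the example.test host are constructed for illustration; only port 8088 comes from the post.

```python
import re
import sys

HEX_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})")  # pass 1: JavaScript \x?? escapes
PCT_ESCAPE = re.compile(r"%([0-9A-Fa-f]{2})")    # pass 2: %?? as read by unescape()

def _to_char(match):
    return chr(int(match.group(1), 16))

def decode_layers(text):
    """Return (after pass 1, after pass 2). Malformed escapes are left untouched."""
    pass1 = HEX_ESCAPE.sub(_to_char, text)
    pass2 = PCT_ESCAPE.sub(_to_char, pass1)
    return pass1, pass2

def printable(text):
    """Mask control and non-ASCII characters so decoded output cannot
    smuggle terminal escape sequences into the analyst's shell."""
    return "".join(c if c in "\n\t" or 32 <= ord(c) < 127 else "." for c in text)

# Constructed sample: a harmless redirect wrapped the way the post describes
# (%?? encoding, then \x?? encoding, then handed to eval(unescape(...))).
INNER = 'window.location="http://landing.example.test:8088/";'
_PCT = "".join("%%%02X" % ord(c) for c in INNER)
SAMPLE = 'eval(unescape("' + "".join("\\x%02x" % ord(c) for c in _PCT) + '"));'

if __name__ == "__main__":
    # Pipe a fetched page in on STDIN, or run with no input to use the sample.
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    first, second = decode_layers(data)
    print("after \\x?? pass:", printable(first))
    print("after %?? pass: ", printable(second))
```

Showing the intermediate result matters: if the first pass output still contains eval or unescape calls, there is another layer to peel before the real destination is visible.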

Here’s the output after both rounds of conversion through my script.

Spam Analysis - Round 2

Thankfully, this tries to load a page off of non-standard port 8088 which is blocked by default in my general egress rule set. It’s blocked in yours too, right?

If we use a machine that does have access to the port we can view this site by providing a fake subdomain matching the pattern the script above would use. When I saw it I was actually fairly impressed. The design and layout were very well done, looked professional, and dare I say even better than some legit corporate web sites!

The main site: Spam Analysis - Main Site

The Check-Out Cart: Spam Analysis - Check Out

Now here’s what’s always baffled me about these sites... They are selling drugs, right? So why are people willing to pay large sums of money for drugs when they could get them from their doctor for a co-pay if they really needed them? Also, who says this dealer can be trusted?! They are an anonymous website that uses shady marketing tactics to get people to their site. What’s to say that the check out isn’t just to collect credit card numbers and never send you a single pill? Even more dire, what’s to stop them from putting arsenic in every pill? It’s not like they are regulated by the FDA.

* shrugs * I may not understand why people go to these sites, but I can at least accept that someone must, otherwise there wouldn’t be so much effort put into getting the advertisement out.

Detailed WMF Analysis

As a follow up to the previous post I thought it might be useful to give an example of how these multiple sets of information could be used.

Here’s the process:
1) Snort Alert about WMF NumObjects being 0
2) I’m unable to determine if the machine is patched
3) I look at network sessions leading up to and then after the WMF file was accessed, nothing I wouldn’t expect
4) Look at event logs on the affected host and conclude there was no abnormal activity on the host

At this point I’m pretty sure the alert was a false positive. But I’d like to know for sure. My plan of action then becomes to pull the suspect file out of my full content collection system onto a *nix box. From there it can be easily sent to www.virustotal.com for a quick check, as well as manually analyzed by me.

Here are some commands I ran and their respective results.

  • file attach.wmz results in attach.wmz: gzip compressed data, from Win/32, max speed
  • gzip -dvf --suffix .wmz attach.wmz replaces it with attach
  • file attach results in attach: ms-windows metafont .wmf
  • xxd attach provides the following output:
    wmf_code

From here I was able to verify that the file did indeed have a (ZERO) in the NumberOfObjects field using the information provided at this site: http://wvware.sourceforge.net/caolan/ora-wmf.html

Didier Stevens kindly provided some assistance through the Security Catalyst Community by providing a template for the 010 Editor. The template along with my analysis of the file is coming…