Does anyone have a friend who still regularly sends you crap via email, usually including a link or some pics? We are all IT security professionals here and know the preacher's drill on this topic. Really, we do not like wasting our time on the junk that is sent to us. Delete, Delete, Delete.
BUT, we are also human. We are the weakest link! So, today that one friend sends something over to us. This friend has a great knack for sending water cooler stuff that can warrant a look-see. This friend always plants the seed of curiosity. Today, we check our email and there it is, in our inbox. Our guard is down and the flower of curiosity is opening up. In an instant, we click... wait... No. Damn!
The page loads...
Now. We Need To Know
Did we just infect our system?
We need to know. It is time to act fast. Get to a shell and pull that page down with a text-mode client à la wget or curl, because a page like this can disappear quickly. This sample was sent in by a reader who acted fast. By the time I got around to verifying some things on this sample, the code pasted below was already gone.
The Lazy Liston
I deployed a mixture of Tom's method and Daniel's lazy method (see the diaries mentioned above for more info).
Below is a snapshot of the jsc run of script.js. I pasted and circled the obfuscated strings and the decoded pieces. Note that the URL listed matches the browser shot up above.
In summary, my diagnosis of the original email and the sample with the clickable link is that it is only a spoofed email intended as spam. I humbly encourage all to offer any feedback to counter my assessment or to add value to it. Many thanks to Lode V. for sending it in!
ISC Handler on Duty
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.