Did you get a Better Business Bureau Complaint Today? I did, in fact, I got a couple of them. I thought I'd go through a play by play of how I assess these things (there will be a lot of updates as I go through this in semi-real-time.)
Oh, there will also be very little obfuscation, so be careful with that.
Here's the message itself:
RE: Case# 9060933: Alfonso Palmer
Dear Company:
As you are aware, the Better Business Bureau contacted you regarding the above-named complainant, seeking a response to this complaint. Your position is available online.
The following URL (website address) below will take you directly to this complaint and you will be able to view the response directly on our website:
http://complainy.app.bbb.org/complaint/view/9060933/b/526398212f
The complainant has been notified of your response.
The BBB believes that your response adequately addresses the disputed issues and/or has exhibited a good faith effort to resolve the complaint. The complaint will close as Administratively Judged Resolved and our records will be updated.
If you fail to honor your agreement or if the consumer has information that disputes the accuracy of your firm's response, we will notify your office with substantiation to support the consumer's position and the case will be re-opened. Cases will not be re-opened without documentation or good cause.
The BBB appreciates this opportunity to serve you. Dispute Resolution Department.
Let's take a look at the headers:
Return-path:
[email protected]
Envelope-to:
[email protected]
Delivery-date: Fri, 10 Aug 2012 09:36:10 -0400
Received: from wsip-68-99-56-167.pn.at.cox.net ([68.99.56.167]:47037)
by paradise.businessx.com with esmtp (Exim 4.77)
(envelope-from
[email protected] Fri, 10 Aug 2012 09:36:07 -0400
Received: from apache by bbb-email.org with local (Exim 4.67)
(envelope-from
[email protected])
id EG95SG-22TJQ4-AR
for
[email protected] Fri, 10 Aug 2012 07:36:01 -0600
To:
[email protected]
Subject: RE: Case# 9060933: Alfonso Palmer
X-PHP-Script: bbb-email.org/sendmail.php for 68.99.56.167
From: Better Business Bureau
[email protected]
X-Sender: Better Business Bureau
[email protected]
X-Mailer: PHP
X-Priority: 1
MIME-Version: 1.0
So a simple spoof, from a likely bot-net in Cox.net, and my cheap spam-trap mailserver doesn't do any SPFor DKIM checking.
Take a look at the URL does the displayed match what's in the code? No, not at all.
pba href=http://ghanabook.com/SKpcrwai/index.htmlhttp://complainy.app.bbb.org/complaint/view/9060933/b/526398212f/a/b
Being lazy, I submit this URL to wepawet (http://wepawet.iseclab.org)
After waiting patiently it reports that the link is benign. ORLY, I think, perhaps it's just pharma-spam then.
URL
Status
Content Type
http://ghanabook.com/SKpcrwai/index.html
200
text/html
http://apartmentsinorlandonow.com/WyZFNJYu/js.js
200
application/javascript
http://216.231.139.102/w7pwr6ahpdt.php?q=jm9svoa0sj7428gu
404
text/html
Comparing this to the other samples, the first URLdiffer, but the apartmentsinorlandonow.com is in common. Perhaps the attackers are smart,and only kick out one answer? Or maybe they know wepawet's IP addresses?
The next step is use my own honeyclient instead of a known, public one. Nothing fancy, just a laptop with ubuntu on it. A couple of wgets, first to the apartmentsinorlandonow.com URL (which has only a document link to the next URL,) and the second to 216.231.139.102. I didn't even disguise the user-agent, it happily dumps more obfuscated javascript at me.
Never underestimate the value of google during analysis. A search for 216.213.139.102 turns up a very helpful report: http://urlquery.net/report.php?id=122828 Looks like an active blackhole exploit kit, and someone was looking at this a little over an hour before I was. We're after that next stage, the link to update_flashplayer.exe.
Let's pull that down with another wget request. So now I've got about 150k of Win32 executable. My new favorite little tool for static analysis is exiftool. I was aware of EXIFdata in image formats, but unaware that many other file formats also have handy metadata. In this particular example, it may be interesting to note that the file's original timestamp is 2012:-8:10 05:42:09-04:00.
I calculate the md5sum from the .exe and see if it's up on virustotal yet. I'm 5 minutes behind the first submission time and a surprising 9 out of 42 vendors detect it already.
Now that we have an executable to play with we can start doing some dynamic analysis. Sticking with my theme of lazy, I send it off to Anubis (http://anubis.iseclab.org/) and ThreatExpert (http://www.threatexpert.com/) and compare the results. I like to send off to multiple solutions since one day Anubis works better than ThreatExpert and the next it's vice versa. Other days, nothing is working and that's when you have to break down and work harder at it. Today, I'm lucky and it runs in ThreatExpert which spits out the following network artifacts:
66.55.89.149
66.55.89.150
cikonungunlugu.com
ftp.lastraautosport.com.ar
Looks like it checks-in via an HTTP POST to /forum/view/topic.php at 66.55.89.149. There are further requests for more binaries:
hxxp://cikonungunlugu.com/CMw.exe
hxxp://ftp.lastraautosport.com/ar/xjH.exe
Those are the same file, virustotal hasn't seen it yet, 14/42 hit ratio. This is about as far as using the public tools will get us. Now that I have the installers and droppers, the next step is to put it onto a real system and see what it does when I try to do some online banking...
That's going to run longer than my shift (a lot of pcap and memory capture to go through,) so while that's in the works I wanted to move in another direction. Looking at the infrastructure involved in this attack. First there's the systems doing the spamming. I don't have a lot of insight into that, because Cox isn't very forthcoming on details about the machine that sent the email. We can make an assumption that it's part of a botnet, but as for which one, or how it got compromised, there's just no details to go on.
Then there's the first landing pages. The examples that I have are down now so I messed up there. The next hop in the redirect chain are still up. Looking at my example and the others the Gregory provided below I see that most of them are wordpress sites. There are a lot of vulnerabilities to choose from for getting your code up on someone else's wordpress site. Then, we have the downloader site: 216.231.139.102. That looks like it might be a full-blown exploit kit site on first glance. (Lots of people emailing
[email protected] might help with that.) There's the check-in at 66.55.89.149 that needs a little more examination. cikonungunlugu.com appears to be registered for the purpose of distributing malware, while ftp.lastraautosport.com is probably a compromised domain.
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
