Wednesday, October 31, 2007

Javascript Webmail Exploit

We recently received an interesting exploit that has the potential to create an ample amount of grief for both ISPs and their customers. The code spreads through webmail providers that do not properly filter JavaScript in the body of HTML emails.

Our sample came from one of our readers with the notes:
I went to view the message to see what was up and it was addressed to someone other than me, had a subject line of "In the office" and had what appeared to be a blank body. However after a few seconds it showed "Loading body of message" or something similar and tried to push me to a link ijk.cc /E /ani / ani1.htm which McAfee Site Advisor blocked as harmful.
.....my traditional signature that I've always had was changed to "Troy Ball", so I freaked! I checked all the settings and found that only my signature line info was changed. What's scary is that I did nothing but view the email in webmail to start the chain of events.
This exploit does not show much in the way of original thought from the criminal element. It is, in fact, the all too often standard malicious JavaScript on a compromised host, leveraging a Microsoft ActiveX control and a new variant of an old Trojan backdoor to generate a ton of spam. Naturally, that should raise the question of what, exactly, the interesting parts of this attack are.

The very lack of innovation in this attack is interesting in that it demonstrates how confoundedly easy it is for bad people to prey on weaker people. The actual code in the attack is rather mundane, and we will describe what it does later. It is interesting to see, however, that the author of the JavaScript portion has had some exposure to advanced programming techniques and demonstrates a certain maturity of coding style. Of course, the coder attempted to hide their code behind format and variable-name mangling as well as string encoding. None of these obfuscation approaches present much of a challenge in this particular code; perhaps the coder was not trying all that hard to cover their tracks. In fact, the coder left an apparent remnant of their testing domain embedded in the code, although that may just be another attempt to cover their tracks.

That said, Pogo's "We have met the enemy and he is us!" slogan comes immediately to mind. Once again, people need to be reminded that JavaScript and ActiveX content just isn't safe. Unfortunately, past performance indicates that user education only has value under certain conditions, so we will continue to see such problems.

On to the JavaScript! The script has several areas worthy of remark. It sets and checks a cookie that is used to determine whether mail is to be sent via webmail or from a mail application on the a.ijk.cc test domain.

The script also uses the ActiveX MSXML2.XMLHTTP or Microsoft.XMLHTTP control to stream mail through the webmail interface, with code tailored to the webmail of the following ISPs:
att
bellsouth
comcast
cox
earthlink.net
excite
mail.com
netzero
optonline
peoplepc
rr.com
verizon
Spam sent by the exploit appears to use one of the following subject lines:

JUST FOR YOU, That gray suit, cell phone, 11 Sep, Need help, Amazing illusion, good point, saludos, Cause you're my girl, Kid lost, Boss Is Always Right, our schedule, nice, funny shit, work vs prison, how are you, great news, my new contacts, change, resume, :), ;), Too FUNNY Humans, pls, don't forget, hola comrados, Help, question, Could You Drive Over This Bridge?, quick question, a friend, Women, alive or not?, BTW, WTF, why not?, our car, pickup, Working with idiots, Annoying Coworkers, Hi y Bye, maybe?, how are you, Love it!, Good illustration, Fun pics, spiderman :), Cute video, Age test, red bull, Cute Survey, in the office

In addition to the target ISPs' domains above, the spam will attempt to appear to come from one of 211 other domains:


The exploit also uses several user IDs as the sender, such as postmaster, but there is only so much list-reading agony that one should have to go through.

Antivirus detection of the malware DLL is minimal, with only Ikarus, Microsoft and Panda identifying the file as potentially malicious.

Antivirus Version Last Update Result
AhnLab-V3 2007.10.31.0 2007.10.30 -
AntiVir 7.6.0.30 2007.10.30 -
Authentium 4.93.8 2007.10.30 -
Avast 4.7.1074.0 2007.10.30 -
AVG 7.5.0.503 2007.10.30 -
BitDefender 7.2 2007.10.30 -
CAT-QuickHeal 9.00 2007.10.30 -
ClamAV 0.91.2 2007.10.30 -
DrWeb 4.44.0.09170 2007.10.30 -
eSafe 7.0.15.0 2007.10.28 -
eTrust-Vet 31.2.5253 2007.10.30 -
Ewido 4.0 2007.10.30 -
FileAdvisor 1 2007.10.30 -
Fortinet 3.11.0.0 2007.10.19 -
F-Prot 4.3.2.48 2007.10.30 -
F-Secure 6.70.13030.0 2007.10.30 -
Ikarus T3.1.1.12 2007.10.30 Backdoor.Win32.Agent.aiy
Kaspersky 7.0.0.125 2007.10.30 -
McAfee 5152 2007.10.30 -
Microsoft 1.2908 2007.10.30 Backdoor:Win32/Agent.ACE
NOD32v2 2627 2007.10.30 -
Norman 5.80.02 2007.10.30 -
Panda 9.0.0.4 2007.10.30 Suspicious file

Backdoor.Win32.Agent.aiy/Agent.ACE has been around for some time, so the lack of detection of the accompanying DLL is likely due to its being a new variant of an existing backdoor.

(Post and analysis provided by Randy V)

Mitigation:
Disable or restrict JavaScript. I use the NoScript plugin for Mozilla. If you use one of the webmail providers listed above, consider switching to text-only email, or use POP3 and disable HTML rendering in your mail client.
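The root cause the post opens with is a webmail provider letting JavaScript in an HTML mail body reach the browser, which is what the user-side mitigation above works around. As an added example (not the post's own code), the following allow-list sanitizer shows what a provider-side filter has to cover before an HTML body is rendered: script and ActiveX-capable object/embed containers go with their content, every attribute except an anchor's href is dropped so inline on* handlers never survive, and href values are checked by scheme only after whitespace and control characters are removed. The tag allow list and the sample body are assumptions constructed for this example.

```python
from html import escape
from html.parser import HTMLParser

# Allow lists are assumptions chosen for this example, not any provider's policy.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "a", "ul", "ol", "li", "div", "span"}
DROP_WITH_CONTENT = {"script", "style", "object", "embed", "iframe", "applet"}
SAFE_SCHEMES = ("http://", "https://", "mailto:")

class EmailBodySanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.removed, self.skip = [], [], 0   # removed = audit trail of what was cut
    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:       # script / ActiveX containers: drop tag AND content
            self.removed.append(tag)
            self.skip += 1
        elif not self.skip and tag not in ALLOWED_TAGS:   # unknown tag: drop tag, keep its text
            self.removed.append(tag)
        elif not self.skip:
            kept = []
            for name, value in attrs:
                if (tag, name) != ("a", "href"):   # every other attribute, on* handlers included
                    self.removed.append(f"{tag}@{name}")
                    continue
                value = value or ""
                # Remove whitespace/control chars first so "java\tscript:" cannot slip past.
                view = "".join(c for c in value if c.isprintable() and not c.isspace()).lower()
                if not view.startswith(SAFE_SCHEMES):
                    self.removed.append(f"{tag}@{name}={value}")
                    continue
                kept.append(f' href="{escape(value, quote=True)}"')
            self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))  # re-escape so text cannot be re-parsed as markup

def sanitize(body):
    p = EmailBodySanitizer()
    p.feed(body)
    p.close()
    return "".join(p.out), p.removed   # (clean_html, removed_items)

# Constructed sample mirroring the post's description; not the real message.
SAMPLE_BODY = ('<p>In the office</p><script>document.cookie="wm=1"</script><img src="x" onerror="run()">'
               '<a href="JavaScript:go()">Loading body of message</a><object classid="clsid:PLACEHOLDER"></object>')
```

Running sanitize(SAMPLE_BODY) keeps only the paragraph and a link stripped of its href, and the removed list records each cut so a provider can log what a message tried to carry.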

If you believe you've been infected, scan your PC with a name-brand anti-virus scanner, such as BitDefender, Kaspersky, or Trend Micro.
