Wednesday, October 31, 2007

Javascript Webmail Exploit

We recently received an interesting exploit that has the potential to create a great deal of grief for both ISPs and their customers. The code spreads through webmail providers that do not properly filter JavaScript in the body of HTML emails: simply viewing the message in the browser is enough to run it.

Our sample came from one of our readers with the notes:
I went to view the message to see what was up and it was addressed to someone other than me, had a subject line of "In the office" and had what appeared to be a blank body. However after a few seconds it showed "Loading body of message" or something similar and tried to push me to a link ijk.cc /E /ani / ani1.htm which McAfee Site Advisor blocked as harmful.
.....my traditional signature that I've always had was changed to "Troy Ball", so I freaked! I checked all the settings and found that only my signature line info was changed. What's scary is that I did nothing but view the email in webmail to start the chain of events.
This exploit does not show much in the way of original thought from the criminal element. It is, in fact, the all too often standard malicious JavaScript on a compromised host, leveraging a Microsoft ActiveX control and a new variant of an old Trojan backdoor to generate a ton of spam. Naturally, that should raise the question of what, exactly, the interesting parts of this attack are.

The very lack of innovation in this attack is interesting in that it demonstrates how confoundedly easy it is for bad people to prey on less savvy users. The actual code in the attack is rather mundane, and we describe what it does below. It is interesting to see, however, that the author of the JavaScript portion has had some exposure to advanced programming techniques and shows a certain amount of maturity in coding style. Of course, the coder attempted to hide the code behind format and variable-name mangling as well as string encoding. None of these obfuscation approaches present much of a challenge in this particular code; perhaps the coder was not trying all that hard to cover their tracks. In fact, the coder left an apparent remnant of their testing domain embedded in the code, although that may be just another attempt to misdirect.

That said, Pogo's "We have met the enemy and he is us!" slogan comes immediately to mind. Once again, people need to be reminded that JavaScript and ActiveX content rendered from untrusted mail just isn't safe. Unfortunately, past performance indicates user education only has value under certain conditions, so we will continue to see such problems.

On to the JavaScript! The script has several areas worthy of remark. It sets and checks a cookie, which is used to determine whether mail is to be sent via webmail or from a mail application; the cookie logic references the a.ijk.cc test domain.

The script also uses the MSXML2.XMLHTTP or Microsoft.XMLHTTP ActiveX control to push mail out through the webmail interface, with request formats tailored to the webmail systems of the following ISPs:
att
bellsouth
comcast
cox
earthlink.net
excite
mail.com
netzero
optonline
peoplepc
rr.com
verizon
Spam from the exploit appears to use one of the following mail titles:

JUST FOR YOU, That gray suit, cell phone, 11 Sep, Need help, Amazing illusion, good point, saludos, Cause you're my girl, Kid lost, Boss Is Always Right, our schedule, nice, funny shit, work vs prison, how are you, great news, my new contacts, change, resume, :), ;), Too FUNNY Humans, pls, don't forget, hola comrados, Help, question, Could You Drive Over This Bridge?, quick question, a friend, Women, alive or not?, BTW, WTF, why not?, our car, pickup, Working with idiots, Annoying Coworkers, Hi y Bye, maybe?, how are you, Love it!, Good illustration, Fun pics, spiderman :), Cute video, Age test, red bull, Cute Survey, in the office

In addition to the target ISP domains above, the spam attempts to appear to come from one of 211 other domains:

@2die4.com, @accountant.com, @activist.com, @adexec.com, @africamail.com, @allergist.com, @alumni.com, @alumnidirector.com, @americamail.com, @amorous.com, @angelic.com, @archaeologist.com, @arcticmail.com, @aroma.com, @artlover.com, @asia-mail.com, @asia.com, @atheist.com, @australiamail.com, @bartender.net, @been-there.com, @berlin.com, @bigger.com, @bikerider.com, @birdlover.com, @brazilmail.com, @brew-master.com, @californiamail.com, @caress.com, @catlover.com, @cheerful.com, @chef.net, @chemist.com, @chinamail.com, @clerk.com, @cliffhanger.com, @collector.org, @columnist.com, @comfortable.com, @comic.com, @consultant.com, @contractor.net, @counsellor.com, @count.com, @couple.com, @cutey.com, @cyber-wizard.com, @cyberdude.com, @cybergal.com, @dallasmail.com, @delhimail.com, @deliveryman.com, @diplomats.com, @disciples.com, @disposable.com, @doctor.com, @doglover.com, @doubt.com, @dr.com, @dublin.com, @dutchmail.com, @earthling.net, @elvisfan.com, @email.com, @engineer.com, @englandmail.com, @europe.com, @europemail.com, @execs.com, @fan.com, @feelings.com, @financier.com, @fireman.net, @footballer.com, @gardener.com, @geologist.com, @germanymail.com, @graduate.org, @graphic-designer.com, @gte.net, @hairdresser.net, @hilarious.com, @hockeymail.com, @homosexual.net, @hot-shot.com, @hour.com, @howling.com, @humanoid.net, @iname.com, @indiamail.com, @innocent.com, @inorbit.com, @instruction.com, @instructor.net, @insurer.com, @irelandmail.com, @israelmail.com, @italymail.com, @japan.com, @journalist.com, @koreamail.com, @lawyer.com, @legislator.com, @lobbyist.com, @london.com, @loveable.com, @mad.scientist.com, @madonnafan.com, @madrid.com, @mail.com, @mail.org, @mexicomail.com, @mindless.com, @minister.com, @mobsters.com, @monarchy.com, @moscowmail.com, @munich.com, @musician.org, @muslim.com, @myself.com, @nastything.com, @nightly.com, @nonpartisan.com, @null.net, @nycmail.com, @oath.com, @optician.com, @orthodontist.net, @orthodox.com, @pacific-ocean.com, 
@pacificwest.com, @paris.com, @pediatrician.com, @petlover.com, @photographer.net, @physicist.net, @playful.com, @poetic.com, @polandmail.com, @politician.com, @popstar.com, @post.com, @presidency.com, @priest.com, @programmer.net, @protestant.com, @publicist.com, @radiologist.net, @realtyagent.com, @reborn.com, @reggaefan.com, @registerednurses.com, @religious.com, @repairman.com, @representative.com, @rescueteam.com, @revenue.com, @rocketship.com, @rockfan.com, @rome.com, @royal.net, @rr.com, @russiamail.com, @safrica.com, @saintly.com, @salesperson.net, @samerica.com, @sanfranmail.com, @scientist.com, @scotlandmail.com, @secretary.net, @seductive.com, @singapore.com, @sister.com, @sizzling.com, @snakebite.com, @socialworker.net, @sociologist.com, @songwriter.net, @soon.com, @space-info.com, @spainmail.com, @surgical.net, @swedenmail.com, @swissmail.com, @teachers.org, @techie.com, @technologist.com, @tempting.com, @thegame.com, @theplate.com, @therapist.net, @toke.com, @tokyo.com, @toothfairy.com, @torontomail.com, @tough.com, @tvstar.com, @umpire.com, @usa.com, @wallet.com, @webname.com, @weirdness.com, @who.net, @whoever.com, @winning.com, @witty.com, @worker.com, @writeme.com, @yours.com

The exploit also uses several user IDs as the sender, such as postmaster, but there is only so much list reading one should have to endure.

Antivirus detection of the malware dll is minimal with only Ikarus, Microsoft and Panda identifying the file as potentially malicious.

Antivirus Version Last Update Result
AhnLab-V3 2007.10.31.0 2007.10.30 -
AntiVir 7.6.0.30 2007.10.30 -
Authentium 4.93.8 2007.10.30 -
Avast 4.7.1074.0 2007.10.30 -
AVG 7.5.0.503 2007.10.30 -
BitDefender 7.2 2007.10.30 -
CAT-QuickHeal 9.00 2007.10.30 -
ClamAV 0.91.2 2007.10.30 -
DrWeb 4.44.0.09170 2007.10.30 -
eSafe 7.0.15.0 2007.10.28 -
eTrust-Vet 31.2.5253 2007.10.30 -
Ewido 4.0 2007.10.30 -
FileAdvisor 1 2007.10.30 -
Fortinet 3.11.0.0 2007.10.19 -
F-Prot 4.3.2.48 2007.10.30 -
F-Secure 6.70.13030.0 2007.10.30 -
Ikarus T3.1.1.12 2007.10.30 Backdoor.Win32.Agent.aiy
Kaspersky 7.0.0.125 2007.10.30 -
McAfee 5152 2007.10.30 -
Microsoft 1.2908 2007.10.30 Backdoor:Win32/Agent.ACE
NOD32v2 2627 2007.10.30 -
Norman 5.80.02 2007.10.30 -
Panda 9.0.0.4 2007.10.30 Suspicious file

Backdoor.Win32.Agent.aiy/Agent.ACE has been around for some time, so the poor detection of the accompanying DLL most likely reflects a fresh variant of an existing backdoor rather than a new family.

(Post and analysis provided by Randy V)

Mitigation:
Disable or restrict JavaScript. I use the NoScript plugin for Mozilla. If you use one of the webmail providers listed above, consider switching to text-only email, or use POP3 and disable HTML rendering in your mail client.

If you believe you've been infected, scan your PC with a name brand anti-virus scanner, like BitDefender, Kaspersky, or Trendmicro.


Sunday, October 21, 2007

Out of the shadows

Many of you may be aware of who I am, and why I cover botnets and malware. Still, most of you are not and this post is for you.

Richard Bejtlich sparked a flood of visitors to the site with a small mention in his TaoSecurity blog. I've tried to keep a low profile, enjoying the hunt without all the attention. Last year all the attention was too much.

....Once upon a time....

In October of 2004, Shadowserver was born. It was mostly created as an outlet for emotions I experienced after my father's suicide. Like anyone would do, I spent several weeks looking through every file on his computer, and on the media found in his home. I was searching for answers.

What I found was a warez botnet using approximately 20 GB of his hard drive space. They ran a crummy bot that also ate up most of his processor power.

I taught myself how to analyze the bot's network activity with a packet sniffer. Once I found out where the bot connected, I unleashed a personal campaign to shut down the network. I contacted service providers and the ISPs of other victims, and after about six weeks the network was completely disassembled.

From then on, I was intrigued and worked to shut other networks down. After a while I found there were so many networks that I had to focus on specific types. I focused on networks with more than 5000 drones, those launching denial of service attacks, doing click fraud or running keyloggers.

Brian Krebs ran a very nice piece on my story and overnight Shadowserver became a household name. Dozens of people wanted to work with Shadowserver. Brian turned a small team of guys into botnet experts with the wave of his digital pencil.

We were quite successful finding botnets and getting those nets shutdown. I even showed off for law enforcement and groups of information security professionals.

Something encouraged me to go in another direction. I realized we were just playing whack-a-mole with these botnets. There were several times we saw botnets reappear days or weeks after we shut them down. Many times we were hit by denial of service attacks. Many of us collectively decided to change our focus and gather intelligence on these botnets.

The data we gathered could be submitted to the FBI, US Secret Service, and foreign law enforcement. Our first attempt at gathering such intelligence was on the Witlog botnet. It's a hard line to walk, sharing details with the public without giving up data that will hurt a criminal investigation. Furthermore, botnet controllers tend to get upset when you share details of their network with the rest of the world.

Last year I turned The Shadowserver Foundation over to Andre and the rest of the team, in favor of a slightly more invisible role in the fight against botnets. My mission is gathering intelligence and, once simplified, disseminating that intelligence to the general public. In September of 2006 a few of us left Shadowserver and founded this new team, DISOG.

Shortly after we put up our webpage, I was invited to give a talk at the 2007 Botnet Taskforce (FBI Press Release). I presented on what I believe could be the future of botnets. During my talk I told the room of 250+ law enforcement agents from all over the world that I thought the likelihood of large-scale peer-to-peer botnets was still several years away. Other researchers disagreed, and there is little doubt how wrong I was!

As if they had heard my words, within two months I was blogging about Storm, the peer-to-peer botnet that has piqued the interest of more than a few people.

I will continue to post and share stories as I continue to learn, but make no mistake - I am not an expert. I am just another guy who wanted to learn something new and has had an excellent time doing it. If you want to meet the experts, visit Shadowserver, or Team Cymru.

I find it very fitting that this post happened the day before the third anniversary of my father's death.

-- Nicholas

Saturday, October 20, 2007

Detecting CME711 (Storm)

For those of you just joining us...

The trojan known as CME711 by Mitre, or Peacomm, Peed, Storm, and Nuwar, infects machines using social engineering. A user receives an email with half a dozen or fewer lines of text. The email suggests the user will receive a greeting card, a free game, or music sharing software. Similar Storm lures have also been posted to blogs and web pages.

More often than not, unsuspecting users will click the link provided in these emails or blogs. For those who are unlucky enough not to have patched their operating system or third-party software, the authors of this trojan have left a special treat: JavaScript ripped from the MPack kit.

When an unpatched user visits an MPack-infected site, they are infected with a host of malware. No user interaction beyond loading the page is required.

For those who have applied all patches, the authors have created a professional looking webpage that may spark your interest and have you clicking links. Either way, the end result is an infection, and your PC is turned into a zombie for the Storm botnet.

The botnet communicates using the same peer-to-peer technology as many file sharing applications like Gnutella and eDonkey. Because of this, it is hard to determine where botnet commands originate or how many zombies are part of the botnet, and locating the person controlling the network is very difficult. Worse still, the commands issued by the botnet controller are encrypted. The network uses double fast-flux DNS to keep researchers from shutting down the malware distribution points. Over 40,000 unique IP addresses have been seen by DISOG in the last 6 months serving malicious code for Storm. The Storm botnet is truly a global pest.

Many people have written in and asked for quick ways to detect if they are infected with Storm. This is difficult because Storm uses rootkit technology to hide its files, and, to add to the misery, the binary morphs every 30 to 60 seconds. This means you are unlikely to see the same piece of code twice, so signature-based scanners lag behind.

I've tested a few of the freely available rootkit detectors, and have come up with this pattern for tests:

Install rootkit detector -> run test -> reboot -> run test again.

Sophos Anti-Rootkit and GMER both detected the hidden files after the reboot, but neither detected anything on the first pass.

Many people are reluctant to install another piece of software, and I can understand why, so I decided to test the current version of Storm's file-hiding technology. What I found is that you can determine whether you have been infected by creating one file and then trying to list that file with the DOS directory (dir) command. You can also do this from the GUI, but the results are a little less obvious.

For this test, click Start->Run and type "cmd" (without quotes). A Command Prompt window will appear. Next, create a file called spooldr.test by typing 'copy con spooldr.test' and pressing Enter. Nothing appears to happen; the cursor simply moves to a blank line below the copy con command. Type something random and press Enter, then press the F6 key. You will see ^Z and '1 file(s) copied.' and be returned to your command prompt (C:\Documents and Settings\whatever\>). What you have just done is create a file containing whatever text you typed, just as if you had created a new file in Notepad and saved it.

Type 'dir spooldr.test'. If you can see the file with the current date and time, you are not infected with this version of Storm. If you cannot list the file you just created, you are probably infected and need to seek professional help for removal.

It is trivial for the Storm authors to change their tactics and use another pattern for hiding their files (SEE UPDATE BELOW!). I will try to keep on top of any changes and post them here; for now this should work on most systems. I could have written a program to do this for you, and I am sure someone else will. However, I believe in education, and you just can't learn anything if someone does all the work for you.

My first test was to run the most recent version of Storm as a normal, unprivileged user. The bot did make contact with the Storm network, but the rootkit component did not work, and I was able to see the spooldr.cfg file, which contains the current list of peers assigned to my computer. Upon reboot the software did not restart, so my machine no longer participated in the botnet. Running the code as Administrator was when it became dangerous. Security experts have long recommended using a non-privileged account for normal operations and only logging in as Administrator when absolutely necessary. As if you needed another reason, right?

UPDATE:

McAfee is reporting that the file names have changed from spooldr.* to noskrnl.*. They also reminded us that wincom.* was used towards the beginning of the year. It's doubtful they changed the name because of this blog post; more likely it was just timing. I just grabbed a new binary and it's still using spooldr.*. To be safe, try all three file names.


Thursday, October 18, 2007

MP3 Pump and Dumps -- UPDATED

Private security lists are buzzing: the latest Storm (CME711) pump-and-dump spam is arriving as MP3 audio attachments. Our mail drops have not received any of these yet, because our mail servers drop those attachments.

I've removed that restriction and hope to capture some samples soon. I've heard a sample and was barely able to understand the audio, though it is in English. I do not have permission to share that sample, so I will not be posting it here.

If you have a sample you'd like to share with the other readers, please send it as a zip attachment to security at disog dot org and let us know if we can attribute it to you.


Thanks for the submissions!

From an anonymous administrator

From Brent Eads


Skype, the new messenger spam vehicle.


Many of you are aware of the 'messenger' spam pop-ups that plagued most machines prior to XP SP2. These types of pop-ups are commonly found on porn and warez related websites.

Unless you've been offline for the last several years, you're also probably aware of the Skype network. Skype allows users to instant message each other, make free or low cost VoIP calls, and host virtual meetings.

As with any popular service, the bad guys will target the users. This evening I received a messenger type spam as an instant message from another Skype user.

The message stated I was infected with malicious trojans, and I should visit http:// www. alertmonitor .org/?q=updatescan (spaces added to protect from accidental clicks) to remove the infection.

How could I resist? I visited the site from my Linux laptop. The image on the right is what I saw during the "system scan" this website performed for me. Lo and behold, I have three Windows viruses on my system (see below), which means either the software is fake or it's got piss-poor detection. At last count BitDefender reported over 150,000 unique malicious files on my laptop.


Please use common sense and don't visit unsolicited links. Additionally, don't believe everything you read - the alertmonitor site is a scam.


Wednesday, October 17, 2007

Lets get this party 'krackin!


The Storm update has finally come, with the most recent page offering the latest in peer-to-peer sharing technology.
The page advertises a P2P application called Krakin, which, among other things, is said to be:

Easy to install, prevents tracking, has blogs and chat platforms, and video mail.

The download link points to krakin.exe, which is indeed a P2P client: a P2P botnet client. The page isn't lacking the MPack JavaScript either. I expect this page will stick around a while; it looks very professional. I also expect the blog comment spam will pick up with this run.


Tuesday, October 16, 2007

0.0.0.0 - UPDATED.

Once again, the CME711 domains are all resolving to 0.0.0.0, which suggests another change is upon us.

What will it be this time? Baseball? My home team has just swept the Diamondbacks and made it to the World Series. Congratulations to the Colorado Rockies! The last 22 games have been outstanding!

---

Update from Randy V:
They are back in full force. A nearly complete turnover of the active list from yesterday:
190.128.76.140 200.127.196.112 201.235.46.246 24.126.26.18 67.190.138.189 68.113.78.23 68.57.236.13 68.76.98.212 69.230.199.160 70.243.202.40 70.244.102.159 74.139.41.221 76.100.35.250 76.226.146.196 76.73.135.17 85.187.86.249 88.74.161.197
and the currently active list:
209.102.175.61 219.115.223.181 24.178.197.7 24.178.99.202 24.210.99.223 24.235.140.159 61.84.67.116 67.64.104.4 68.76.98.212 69.151.234.219 71.79.181.218 72.128.41.234 72.128.61.29 72.160.184.227 74.140.168.34 76.216.62.73 76.226.146.196 76.99.89.48 77.197.44.76 84.174.112.145 84.42.164.6 89.112.20.242 98.195.153.198 98.197.63.176
Only 201.235.46.246, 68.76.98.212 and 76.226.146.196 are in common. 76.226.146.196 is probably only a proxy.

Baseball does sound like a ripe target. There has not been a page change yet.

Update 2 (from Nicholas):
OpenDNS is null-routing all CME711 domains. You can protect yourself from some of the effects of this trojan by changing your DNS servers to 208.67.222.222 and 208.67.220.220. For more information visit the OpenDNS website.


Friday, October 12, 2007

Some more CME711/STORM IPs and other statistics

There have been a number of requests in mailing lists and privately for the latest Stormworm numbers. It seems people like statistics.

Since Oct 1st, 2007 we've identified 4,149 unique IP addresses interacting with our honeypots, either over P2P, in DDoS attacks, or spreading 'spa-m-alware' (mostly the latter, since our SMTP honeypot is set up to capture outgoing spam, and there is lots of it).

Additionally, our sensors have downloaded 7,202 Storm binaries, resulting in 4,661 uniquely hashed downloads since Oct 1st, 2007. A total of 43,897+ unique binaries have been captured to date.

The domains are slow to resolve again, some of them not responding at all. This is probably because the author is preparing to spread the executable SuperLaugh.exe and is working to change his sites. SuperLaugh will be spammed using the ruse of 'a funny cat e-card.'

Lending an air of credibility to the scam, SuperLaugh.com, which is a legitimate e-card site, also hosts a file called SuperLaugh.exe, downloaded from http:// www.superlaugh.com/ icon/SuperLaugh.exe, with an MD5 sum of 571dd3cec20da6c70a3b62fa9f3637a8. Our anti-virus scanners say the legitimate file is harmless.

Malware Page:



Legit Page:


(The pages are both animations, the cat towards the front has a moving head, and both cats have cartoon balloons with scripted text)

In addition to the static HTML, the authors are also attaching MPack's XOR-obfuscated JavaScript to the end of their pages. The JavaScript attempts to exploit several old vulnerabilities in Windows and third-party software and forces the download of file.php, a downloader.

It's still surprising to me how many ISPs are allowing these domains to resolve. The bad press coverage should be enough for the ISPs to start null-routing those domains at their resolvers. We're still seeing activity on the following domains:
ptowl.com tibeam.com kqfloat.com snbane.com yxbegan.com wxtaste.com eqcorn.com bnably.com ltbrew.com
We received an email from someone we suspect was trying to take over the Storm botnet. When we did not provide him with the requested information, we believe he launched the joe job attack described in the previous blog entry.

We've seen researchers using Tor to capture binaries or communicate with the network, we see denial of service attacks on high-profile IPs, probably aimed at researchers' honeypots, and we suspect we've seen a few attempted takeover attacks.

The authors don't appear to be letting up. The change in malware file names tells me they are getting greedy or preparing for something big.

As more black hats investigate the CME711 code, the network will become more vulnerable to takeover attacks. I hope these guys cut their losses and start breaking down the net soon. I would hate to see such a large botnet in the hands of some second-rate script kiddie.



Thursday, October 11, 2007

Interesting papers and DISOG JoeJob

Over the last few days I've had the pleasure of reading two very well prepared papers on Botnets. One has been published, by the guys who created BotHunter: http://www.cyber-ta.org/pubs/StormWorm/. Many thanks to the authors for the nod to our blogs page.

The other has not been published publicly, but I hope it will be soon. Keep an eye on Arbor's ATLAS page over the next couple of days. I will update the link when the paper goes public.

In other news, DISOG has been the victim (so to speak) of a joe job. Several people have reported emails containing possibly malicious links coming from random names @ disog.org. Please forward these emails to us at security at disog dot org if you receive them. Do not follow any links contained in the email.

DISOG does not offer any software solutions for mitigation of botnets, viruses or spam. We will not offer to increase your penis size and we have no stock to sell you.

You can validate the authenticity of any DISOG email by:
  • Verifying the digital signature - All DISOG emails are digitally signed with keys which can be validated through any of the public key servers. For example, all email from me will bear my signature key 0xDEA20B88, with the fingerprint 7B1D BF8B 0C0F DC6E B76F 536A CA6B D5A3 DEA2 0B88.
  • Verifying the message MIME type - DISOG staff always send plain-text emails and never send non-text attachments without making prior arrangements.
If the email does not meet both of these conditions, it is not authentic.

We have an idea who is behind the current JoeJob campaign, however I wouldn't expect it to stop anytime soon.