Saturday, January 21, 2012

Interesting Malware in Email Attempt - URL Scanner Links

Last weekend I spent some time with extended family helping confirm for them that their on-line email account got hacked and had been used to send some malware-linking spam emails to users in their contact list.

Yesterday our family email account was on the receiving end of someone -- possibly -- who fell victim to an email account hack as our email address was amongst several others included together receiving the email. I say possibly as none of us recognized the sender’s email address and it wasn’t in any of our address books. Possibly our along with the other’s email addresses had been harvested somehow and this was a fake spamming account. The “show-as” name was definitely non-standard and used some letters that related to that in the subject line.

It was pretty evident to me this was probably a dangerous site to go to, but being curiously-minded, I couldn’t pass up the chance to do some detective work.

The email originated from a yahoo mail account.

The Subject line was baited “ACH Transfer Canceled…” and the display name in the email address contained the letters “NACHA.”

ACH is meant to refer to the “Automated Clearing House” which handled financial transactions in the US overseen by the NACHA.  To most Americans, I’m betting these acronyms mean very little and they would be more taken with a sudden urge to grab some NACHOES instead. Maybe Europeans would be a little more anxious emails purporting to come from ACH and NACHA. I digress.

First thing I looked at was the message header. Lots of goodies there. We can follow the bounce between the yahoo mail sender to our ISP’s email servers. Times/dates of transmission.

Since this was a Yahoo mail account, it appears the header may actually contain the IP address of the the location the mail account was logged into from. This is the first time I have seen this so I need to do more research. The IP associated with this particular email is located in France.

The website IP Address Locator has lots of good tools for locating IP addresses as well as a feature that allows a copy/paste/analyze of email headers.

The content of the email was very thin, a single line with all the text ran together. There is a URL link markup there, however it misses getting all the characters. Hmm.

Toggling between the different modes of viewing email content in Thunderbird reveals odd results. If I look at it in original html mode I see a single line of text with an hyperlink in the middle.

If I view it in simple html most of the text is the same but a few characters are different.

If I view it in plain text, there is nothing showing.

Hovering over the hyperlink displayed shows a URL shortner link. Hmm. Set that aside for a moment.

So I back and look at the full header view again and find this in the message body:

Content-Type: text/html; charset=ISO-8859-5
Content-Transfer-Encoding: base64

Ah! So I copy/paste that large text block that follow that into this base64 online encoder / decoder and get a binary file to download! 

(More regarding content encoding methods here Content-Transfer-Encoding - MSDN, here The Content-Transfer-Encoding Header Field via freesoft.org and here Decoding Internet Attachments - A Tutorial by Michael Santovec.)

Opening that binary file in Notepad++ reveals the html code with the same actual URL embedded.

Guessing here they are using base64 coding for the content to try to get around email scanners.

OK, so let’s check out that URL.

Turns out it is using Google’s own URL shortning service: Google URL Shortener.  More info here. Google URL shortener - Web Search Help

Turns out this is a pretty cool choice from both sides of the security fence. By appending the URL with “.info” at the end of a Goog.le shortened URL we can find out the stats from Goo.gl URL shortener (Google Groups)

This is good from an attacker standpoint as they can easily monitor their success rate on the nibbles of this hook and any “hits” to the actual URL. Researchers can get info as well by monitoring the same info and how fast/long the “click-through” may happen.

h0j5wpnx.2up

Neat isn’t it?

Now that I’ve got the actual long URL that this points to, we can start tossing the URL at some on-line link analysis/scanner tools.

VirusTotal shows both TrendMicro and SCUMWARE.org report the long URL as a Malware/Malicious site.

Quttera reports it as serving up a suspicious javascript content via HTML page code.

Anubis: Analyzing Unknown Binaries provided a deeper review of the URL by capturing Windows system events in a virutal sandbox system. It accesses the Windows registry, mucks with some keys, created a cookie, reads the autoexec.bat file, mods some files and maps dll’s to memory and appears to try to download more stuff. The report is available in HTML, XML, PDF, and TXT formats.  Also, they offer a traffic.pcap file to download so you can examine the network traffic generated and perform any NFA you want to do.  This site/tool rocks from a depth of information standpoint.

urlQuery gives some more report feedback when it is sandboxed. Lots of Java script stuff. Another strong URL analysis reporting site.

Trying it a few more times changing the browser type/java version/flash version gets different results and the URL serving code reflects all kinds of different IP’s each time so that long URL seems to be hosted at a dynamic IP host allowing it to bounce around (serving up HTTP redirects) and serve up the malware code depending on platform from all over the place making it harder to track down the source.

urlQuery actually identified the network traffic code as being detected as Blackhole exploit kit v1.2 HTTP GET request.  Another clue.

I tossed the pcap file I got from Anubis into NETRESEC NetworkMiner. Nothing very interesting but my Microsoft Security Essentials alerted when the HTML page was reassembled by NetworkMiner and quarantined the file. It identified the page code as being Exploit:JS/Blacole.AR. (MS’s way of saying “blackhole” I suppose…)

Here are a series of links regarding these kinds of email spam threats in general as well as Blackhole info in particular as it relates with email spam campaigns, if you are curious.

I doubt this is the last our email inbox will see of these things, but the whole process has been quite fun to follow.

I’ve decided to leave out links/images of the actual email and the header-code/URL (short/long) but have passed it along to a number of security-spam websites in case it is of use.

A long time ago I had a list of URL-testing sites to feed a URL into to see if they were safe or not.  Most seem to have gone away, however the following forums had a number of new ones worth bookmarking. Hat tip to “PROROOTECT” for the legwork!

Here is a combined and cleaned up list based on the collective work there from PROROOTECT in both places and at least one or two I’m tossing in and a few from those lists I removed that seem dead/redirected incorrectly.  PROROOTECT does make a great point that the effectiveness of these vary, so a “bad” URL in one may come back as “clean” in another. So it’s best to run your URL through multiple sources.

Note, these are URL/web-page scanners. They are a bit different than on-line file-scanners/sandboxes used to analyze malware samples. Though a few seem to come pretty darn close with the depth of their reports/analysis.

Not “necessarily” ordered in order of usefulness.

PROROOTECT’s suggestion to use an online URL screenshotting service to capture the displayed URL safely is some good outside the box thinking. Kinda a “look-before-you-leap” thing if all the above items pass OK.

Fun trip if it wasn’t so serious…

--Claus V.

Update: I meant to add this in to the original post but got sidetracked. A recent Digital Forensics Case Leads post has mention of a super-fantastic investigation/forensic report involving anonymous emails. This is must-read material, not just in terms of the investigative methodology but also the way the report was composed and presented. Very clearly done!  I’m keeping a saved copy of the report for future reference; both technically and as a report template. From the post via the link above:

University of Illinois recently released a detailed investigation report (PDF) regarding anonymous emails allegedly sent by its Chief of Staff to the University's Senates Conference. The report is an interesting read, and also serves as a potentially useful model for those looking for report samples and templates.

2 comments:

FF Extension Guru said...

Been on both ends of a compromised email account. My Windows Live account was compromised last spring and spam/mal email was sent to everyone in my address book. The only way I found out was because several of the contacts in my address book were 'dead' so I got an Inbox full of bounce backs. Towards the end of last year a client of mine emailed (from a different) address and asked if I had received an email from him (at a different address). Turns out his Yahoo! account had gotten compromised and the same thing happened.

On a different subject, did you make a New Year's resolution in regards to posting on your blog?

Claus said...

@ Guru - Yeah. This web-mail hack thing is pretty horrible. It appears to be much more common that most people are aware. Super-strong passwords are the first line of defense but another one (IMHO) is picking an email service that has robust activity monitoring tools such as login activity.

To answer your question about blog posting "yes" but it has worked out in a semi-amusing way. I hope the new process will result in more frequent postings again. That will need to wait for a bit (and another post to describe the change.)

Most of my current "new app" material has been unloaded now from the hopper. I'm going to start turning my attention next to my for/sec pile of materials once I cull it from really dated items.

Then hopefully I can get back to the mix.

Got a FF/Mozilla related one I might toss up today...looking forward to your perspective on that one when it posts.

Cheers!

--Claus V.