Friday, February 17, 2012

An Exploit Kit Was Sent To You

Unless you've got the world's best spam filter, you've probably seen one of the latest spam techniques used by malware-dropping bad guys: what appears to be an automated email informing you that a multi-function scanner/copier was used to send you a document. It's a smart concept - using your office's big Xerox machine to scan and email in a single step is pretty commonplace these days - even if the execution is often poor. Take, for example, this sample that hit one of our team-wide accounts the other day:

=================================================================
A Document was sent to you using a XEROX CORPORACE FSX43949461.
SENT BY : Abdullah
IMAGES : 1
FORMAT (.JPEG) VIEW

DEVICE: PODA20971LD5PO13911L
=================================================================
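As an added example (not part of the original post, and not VRT code), here is a small mail-filter check that looks for the field layout of the lure quoted above: the "XEROX" header line, the SENT BY / IMAGES / FORMAT / DEVICE fields, and a "VIEW" link pointing off the organisation's own domains, which a real scan-to-email message would never need because it carries the image as an attachment. The sample messages, the `corp.example` trusted domain and the link URL are constructed for the demonstration.

```python
import re

# Field patterns taken from the lure's template (header line plus four labelled fields).
LURE_FIELDS = {
    "header": re.compile(r"A Document was sent to you using a XEROX\b", re.I),
    "sent_by": re.compile(r"^SENT BY\s*:\s*\S+", re.I | re.M),
    "images": re.compile(r"^IMAGES\s*:\s*\d+", re.I | re.M),
    "format": re.compile(r"^FORMAT\s*\(\.\w+\)\s*VIEW", re.I | re.M),
    # The lure's "device id" is a long run of capitals and digits, not a real serial format.
    "device": re.compile(r"^DEVICE\s*:\s*[A-Z0-9]{12,}", re.M),
}
# Any http(s) link in the body; the capture group is the host part.
URL_RE = re.compile(r"https?://([^/\s]+)", re.I)


def score_scan_lure(body: str, trusted_domains: set) -> dict:
    """Report which lure fields matched and whether any link leaves the trusted domains."""
    matched = [name for name, rx in LURE_FIELDS.items() if rx.search(body)]
    hosts = [h.lower() for h in URL_RE.findall(body)]
    external = [
        h for h in hosts
        if not any(h == d or h.endswith("." + d) for d in trusted_domains)
    ]
    # Three or more template fields plus either an external link or the
    # "FORMAT (...) VIEW" call to action is enough to quarantine for review.
    suspicious = len(matched) >= 3 and (bool(external) or "format" in matched)
    return {"matched": matched, "external_hosts": external, "suspicious": suspicious}


# Constructed sample modelled on the quoted lure (link host is made up).
SAMPLE_LURE = """A Document was sent to you using a XEROX CORPORACE FSX43949461.
SENT BY : Abdullah
IMAGES : 1
FORMAT (.JPEG) VIEW http://scan-viewer.example.invalid/view.php

DEVICE: PODA20971LD5PO13911L
"""

# Constructed benign message from a real copier: attachment, no link to click.
SAMPLE_BENIGN = "Attached is the scanned document from the 3rd floor copier.\n"

if __name__ == "__main__":
    for name, body in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(name, score_scan_lure(body, {"corp.example"}))
```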

Most people just delete bad phish like these; we here at the VRT, however, like to play with them. We'd been chasing down the links on this particular flavor of email for a while, but they'd been so transient that by the time we'd clicked the links, we got nothing but 404s or dead domains. In the case above, however, we were rewarded with a heavily obfuscated chunk of JavaScript:

The resulting ownage was classic. After briefly displaying a circa-1995-looking "Loading...Please Wait..." atop the page for a moment, the browser window went away, and the virtual machine's hard drive suddenly started cranking very heavily. Looking at the packet capture, the system immediately contacted a host in Russia, and started communicating over HTTP on port 8801; several files came down, including one named "yrkrktxzfniq.exe". A quick look at that file on VirusTotal showed that it was - surprise, surprise - malicious, and goes by the name of Worm.Cridex.

The exploit kit was easy enough to detect - SID 21108 does the job - given how blatant the obfuscation was. While we're busy working on more complex kits, such as Blackhole (see SIDs 21041 - 21045, 21141, and 21259), it's nice to be able to pick off less sneaky ones like this.
