=================================================================
A Document was sent to you using a XEROX CORPORACE FSX43949461.
SENT BY : Abdullah
IMAGES : 1
FORMAT (.JPEG) VIEW
DEVICE: PODA20971LD5PO13911L
=================================================================
Most people just delete bad phish like these; we here at the VRT, however, like to play with them. We'd been chasing down the links on this particular flavor of email for a while, but they'd been so transient that by the time we'd clicked the links, we got nothing but 404s or dead domains. In the case above, however, we were rewarded with a heavily obfuscated chunk of JavaScript:
The resulting ownage was classic. After briefly displaying a circa-1995-looking "Loading...Please Wait..." atop the page, the browser window went away, and the virtual machine's hard drive suddenly started cranking very heavily. Looking at the packet capture, the system immediately contacted a host in Russia and started communicating over HTTP on port 8801; several files came down, including one named "yrkrktxzfniq.exe". A quick look at that file on VirusTotal showed that it was - surprise, surprise - malicious, and goes by the name of Worm.Cridex.
The exploit kit was easy enough to detect - SID 21108 does the job - given how blatant the obfuscation was. While we're busy working on more complex kits, such as Blackhole (see SIDs 21041-21045, 21141, and 21259), it's nice to be able to pick off less sneaky ones like this.
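Beyond the Snort signature, the post-exploitation traffic described above (HTTP on a non-standard port, followed by an executable with a random-looking name) is also easy to spot in proxy or connection logs. The following is an added example, not VRT code or any Snort rule: it runs a small set of heuristics over a constructed log sample whose line format, hostnames and addresses are invented for the demonstration, with only the port and file name taken from the post.

```python
import re

# Constructed sample proxy log (not from the original post); the port and the
# file name mirror the indicators described above, everything else is made up.
SAMPLE_LOG = """\
2012-04-02T10:14:01 10.0.0.5 -> 203.0.113.7:8801 GET /index.php?d=1 text/html 200
2012-04-02T10:14:03 10.0.0.5 -> 203.0.113.7:8801 GET /yrkrktxzfniq.exe application/octet-stream 200
2012-04-02T10:15:10 10.0.0.5 -> 198.51.100.2:80 GET /setup.exe application/octet-stream 200
2012-04-02T10:16:00 10.0.0.5 -> 198.51.100.9:443 GET /news.html text/html 200
"""

# Hypothetical log layout: timestamp, client, "->", server:port, method, path, content type, status.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[\d.]+):(?P<port>\d+) "
    r"(?P<method>\S+) (?P<path>\S+) (?P<ctype>\S+) (?P<status>\d+)$"
)
STANDARD_HTTP_PORTS = {80, 443, 8080}  # assumption: what this environment treats as normal

def looks_random(name):
    """Heuristic: a long, all-letter basename with very few vowels reads as machine-generated."""
    stem = name.rsplit(".", 1)[0].lower()
    if len(stem) < 8 or not stem.isalpha():
        return False
    vowels = sum(c in "aeiou" for c in stem)
    return vowels / len(stem) < 0.2

def parse_line(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def score_request(rec):
    """Return the list of heuristics a single request trips."""
    reasons = []
    if int(rec["port"]) not in STANDARD_HTTP_PORTS:
        reasons.append("http-on-nonstandard-port")
    basename = rec["path"].rsplit("/", 1)[-1]
    if basename.lower().endswith(".exe"):
        reasons.append("executable-download")
        if looks_random(basename):
            reasons.append("random-looking-filename")
    return reasons

def find_suspicious(log_text, min_reasons=2):
    """Flag requests that trip at least min_reasons heuristics; one indicator alone is noisy."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = score_request(rec)
        if len(reasons) >= min_reasons:
            alerts.append((rec["dst"], rec["port"], rec["path"], reasons))
    return alerts
```

With the default threshold only the 8801 executable download is flagged; a plain `setup.exe` over port 80 trips a single heuristic and stays below it.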