Phishing with obfuscated javascript, shellcode and malware

Published: 2012-03-02
Last Updated: 2012-03-03 05:02:38 UTC
by Manuel Humberto Santander Pelaez (Version: 1)
8 comment(s)

Be careful with the links showed in this diary because they are live and could infect your computer if not handled properly

Phishing e-mail artwork is becoming more effective everyday. Users are having a bad time trying to distinguish the fake sites from the real ones. I am going to show you a different phising e-mail that does not take the user to a website to try to steal a password but installs malware to the computer using obfuscated javascripts and shellcodes.

I received today the following message:

Intuit SPAM

This looked strange. I reviewed the link and pointed me to The following javascript appeared:

First Javascript

This javascript is obfuscated. I used firebug to get more information and got an iframe pointing to other website:

Iframe within malicious javascript

Following the new link, we find another obfuscated javascript. Let's see a snip of it:

Javascript snip

Now here is where the malicious stuff begins. After deobfuscating the script, we find the following:

  •  The script tries to determine which navigator is running the system:

Navigator Detection

  •   The script tries to determine the Adobe Flash and Adobe Reader version installed:

Flash Version

Adobe Reader Version

  •  A shellcode is executed:

Shellcode executed

Let's take a look to the shellcode. It executes the following instructions:

  1. kernel32.VirtualProtect: This function is called in the shellcode to establish a 255-byte memory segment where the memory protection attributes can be modified. For more information about the available attributes, see
  2. kernel32. LoadLibraryA: This function is called to load the urlmon.dll library, which is used to transfer information using the http protocol. A couple of functions inside the file are:URLMON Functions
  3. urlmon.URLDownloadToFileA: The function is called to download and save it to wpbt0.dll.
  4. kernel32.WinExec: This function is called to register the dll using regsvr32 -s and then executed.
  5. kernel32.TerminateThread: This function is called to end the execution of the shellcode.

The file download in step 3 is a dll with MD5 c3124a2981d8e1b9e13e8c21c96448f7. Virustotal shows a 7/43 detection ratio.  It injects into explorer.exe and performs inline hooking to ntdll.dll. Once it is installed, it reports to, which resolvs to the following ip addresses:,,,,,, using a http POST to the /rwx/B2_9w3/in/ location.

Such threats are increasing and control of these involves the establishment of malware control measures as part of te Information Security Architecture of the company, like the following:

  • Antimalware perimeter defense: I recommend using the Trend Micro and Mcafee web gateways. They are scalabe and integrates very good with the antimalware monitoring system inside the corporation. This measure allows to protect users from downloading malicious code like javascript and executables.
  • Host IPS: The antimalware control is not enough in these days as the threats are evolving and the antivirus companies are not capable anymore to control in real time all the emerging malware attacks. This tool is used to prevent the materialization of the vulnerabilities on computers, such as buffer overflow, code injection, among others. Thus, the computer is protected until the virus signature is out so the antimalware program is able to deal with the respective threat.
  • Antimalware: This is the conventional antimalware control that is sold by the antivirus companies.

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
Twitter: @manuelsantander
e-mail: msantand at isc dot sans dot org

8 comment(s)
ISC StormCast for Friday, March 2nd 2012


Diary Archives