Is it Spam or Is it Malware?

Published: 2013-02-08
Last Updated: 2013-02-08 13:53:27 UTC
by Kevin Shortt (Version: 1)
12 comment(s)

The Friend

Does anyone have a friend who still regularly sends you crap via email, usually with a link or some pics?  We are all IT security professionals here and know the preacher's drill on this topic. Really, we do not like wasting our time on the junk that is sent to us. Delete, Delete, Delete.

BUT, we are also human. We are the weakest link!  So, today that one friend sends something over to us.  This friend has a great knack for sending 'water cooler' stuff that can warrant a look-see.  This friend always plants the seed of curiosity. Today, we check our email and there it is, in our inbox. Our guard is down and the flower of curiosity is opening up.  In an instant, we click... <wait> ...No. Damn!

The page loads...

Browser Shot



Now. We Need To Know

Did we just infect our system?

We need to know.  It is time to act fast.  Get to a shell and pull that page down with a text-mode tool à la wget or curl; a page like this can disappear quickly.  This sample was sent in by a reader who acted fast.  By the time I got around to verifying some things on this sample, the code pasted below was gone.

There have been many diaries posted about JavaScript obfuscation over the years.  The two that rise to the top are from Tom Liston [1] and Daniel Wesemann [2].  If you're interested in understanding this process further by diving in deeper, I recommend those diaries as required reading.

The Lazy Liston


I deployed a mixture of Tom's method and Daniel's lazy method (see the diaries mentioned above for more info).

I stripped the HTML, reformatted the JavaScript, and added some useful lines for debugging. In the image, red highlights my additions, blue the unnecessary HTML, and black the JavaScript code that gets debugged.

prepared script

I used jsc to help me out with the prepared script above.  jsc is a command-line utility that lets you run JavaScript interactively.  I inserted a debug() call and a couple of readline() calls to assist.  readline() pauses the script so I can view the output; pressing Enter continues it.

Below is a snapshot of the jsc run of script.js.   I pasted in and circled the obfuscated strings and the decoded pieces.  Note that the URL listed matches the browser shot above.

In summary, my diagnosis of the original email and the sample with the clickable link is that it is only a spoofed email intended as spam.  I humbly encourage all to offer any feedback to counter my assessment or to add value to it.  Many thanks to Lode V. for sending it in!

-Kevin

--
ISC Handler on Duty


Comments

My approach to this is simple:

Never without "noscript".

I am getting an odd effect whereby clicking on link 1 takes me back to this page. However, if I click on the same link in the Daniel Weseman page (link 2), I get the error "Sorry, the page you where looking for could not be displayed at this time." Odd!
I have spotted the problem(s): Link 1 says "...storid=1917" instead of "...storyid=1917" (missing 'y'). The link in Daniel Wesemann's page is ".../isc2.sans.edu/" rather than ".../isc.sans.edu/".

Hope this helps!
These types of scams are fairly common. A lot of spam sites will scrape content off regular news sites then include spam info about some product or service. In fact, the FTC's OnGuard site just issued a consumer warning about them yesterday: http://www.onguardonline.gov/blog/trusting-your-sources?utm_source=twitterfeed&utm_medium=twitter
The server-side PHP on this malware infected blog could vary its payload based on some detections (IP geolocation, browser, Java or Flash installed, OS). Or if it uses iframes / remote script hrefs, those may do the same.

I don't assume that's what happened here, but using wget/curl to get the source or trying to safely download a malware sample, is likely to fail.

If the attacker backdoored the site they may change the redirect, or upload different code, at any time after the link was emailed to people. So it's still a threat even if it was initially something innocuous.
Also see Chris Mohan's "catch of the day" ISC diary entry, about how this can be turned to your advantage. Add the compromised WP site to your web filter for maybe 30 days, firstly to protect your staff, and also to educate anyone who is detected to click through to it.

Taking it further, if policy is to log all web activity, you could search those logs for previous hits on the infected blog; you could maybe scan unread mails in mailboxes for the URL and spam/trash them.
Jens - great advice. noscript is a great defense.

Thanks for the Q/A patermann. I fixed the links.

Steven, excellent input. For what it is worth, I did open the page reviewed above to capture the browser shot in a secured VM. I ran regshot before and after the page load to confirm nothing malign was at play. Your note about it changing at any time is definitely true and does not mean the link will always be benign.
FYI, apparently the entire rushnws.com site serves that same page regardless of the subdomain part.

I'll repeat this again: when analysis of obfuscated javascript yields a domain name, *PLEASE* report that domain name to MalwareDomains.com so that it can be filtered by others. In this case I'd have reported both madepo.altervista.org and rushnws.com

Thanks!
@John: How do you actually report a URL to malwaredomains.com? The only submission process I could find was to report it to malwaredomainlist.com/forums/
@pogue:

For malwaredomains.com you can email to the contact address on the "About us" page: http://www.malwaredomains.com/?page_id=2

I've been informed that if you know that it is hosting only spam rather than malware they (malwaredomains.com) would rather not be notified, they are only interested in malware host sites and (I assume) C&C hosts. I don't know whether malwaredomainlists.com has a similar policy, I haven't asked them.

It would be a good idea to submit to both. I don't know to what degree they overlap. I combine both lists for my proxy's filter, but some people may only use one or the other.
