SANS ISC: Did you get a Better Business Bureau Complaint Today? - SANS Internet Storm Center

Did you get a Better Business Bureau Complaint Today?

Did you get a Better Business Bureau Complaint Today? I did; in fact, I got a couple of them. I thought I'd go through a play-by-play of how I assess these things (there will be a lot of updates as I go through this in semi-real-time).

Oh, and the URLs below are mostly not defanged (very little hxxp-style obfuscation), so be careful with them.

Here's the message itself:

RE: Case# 9060933: Alfonso Palmer

Dear Company:

As you are aware, the Better Business Bureau contacted you regarding the above-named complainant, seeking a response to this complaint. Your position is available online.

The following URL (website address) below will take you directly to this complaint and you will be able to view the response directly on our website:

http://complainy.app.bbb.org/complaint/view/9060933/b/526398212f

The complainant has been notified of your response.

The BBB believes that your response adequately addresses the disputed issues and/or has exhibited a good faith effort to resolve the complaint. The complaint will close as "Administratively Judged Resolved" and our records will be updated.

If you fail to honor your agreement or if the consumer has information that disputes the accuracy of your firm's response, we will notify your office with substantiation to support the consumer's position and the case will be re-opened. Cases will not be re-opened without documentation or good cause.

The BBB appreciates this opportunity to serve you. Dispute Resolution Department.

Let's take a look at the headers:

Return-path: <complaints@bbb-email.org>
Envelope-to: kliston@REDACTED
Delivery-date: Fri, 10 Aug 2012 09:36:10 -0400
Received: from wsip-68-99-56-167.pn.at.cox.net ([68.99.56.167]:47037)
	by paradise.businessx.com with esmtp (Exim 4.77)
	(envelope-from <complaints@bbb-email.org>)
	id 1SzpNj-00010v-KU
	for kliston@REDACTED; Fri, 10 Aug 2012 09:36:07 -0400
Received: from apache by bbb-email.org with local (Exim 4.67)
	(envelope-from <complaints@bbb-email.org>)
	id EG95SG-22TJQ4-AR
	for <kliston@REDACTED>; Fri, 10 Aug 2012 07:36:01 -0600
To: <kliston@REDACTED>
Subject: RE: Case# 9060933: Alfonso Palmer
X-PHP-Script: bbb-email.org/sendmail.php for 68.99.56.167
From: "Better Business Bureau" complaints@boston.bbb.org
X-Sender: "Better Business Bureau" complaints@boston.bbb.org
X-Mailer: PHP
X-Priority: 1
MIME-Version: 1.0

So a simple spoof. The topmost Received line was added by my own server and shows the connection came from a Cox residential address (68.99.56.167, reverse name wsip-68-99-56-167.pn.at.cox.net), most likely a bot; the Received line below it claiming bbb-email.org was supplied by the sender and proves nothing. The From header names boston.bbb.org while the envelope sender is bbb-email.org, and X-PHP-Script says the whole thing was sent by a PHP script. None of that was caught, because my cheap spam-trap mailserver doesn't do any SPF or DKIM checking.
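The same header checks, as an added example (my own code, not part of the original diary): it parses the headers quoted above, walks the Received chain top-down until it hits the line stamped by a server we control (assumed here to be paradise.businessx.com), takes the connecting IP from that line, and compares the From domain, the envelope sender and the connecting host. Everything below our own Received line is sender-supplied and is flagged rather than trusted.

```python
import re
from typing import Optional
from email import message_from_string
from email.message import Message

# The headers exactly as pasted in the diary (constructed copy for offline use;
# the recipient mailbox is redacted there as well).
RAW_MESSAGE = """\
Return-path: <complaints@bbb-email.org>
Envelope-to: kliston@REDACTED
Delivery-date: Fri, 10 Aug 2012 09:36:10 -0400
Received: from wsip-68-99-56-167.pn.at.cox.net ([68.99.56.167]:47037)
    by paradise.businessx.com with esmtp (Exim 4.77)
    (envelope-from <complaints@bbb-email.org>)
    id 1SzpNj-00010v-KU
    for kliston@REDACTED; Fri, 10 Aug 2012 09:36:07 -0400
Received: from apache by bbb-email.org with local (Exim 4.67)
    (envelope-from <complaints@bbb-email.org>)
    id EG95SG-22TJQ4-AR
    for <kliston@REDACTED>; Fri, 10 Aug 2012 07:36:01 -0600
To: <kliston@REDACTED>
Subject: RE: Case# 9060933: Alfonso Palmer
X-PHP-Script: bbb-email.org/sendmail.php for 68.99.56.167
From: "Better Business Bureau" complaints@boston.bbb.org
X-Sender: "Better Business Bureau" complaints@boston.bbb.org
X-Mailer: PHP
X-Priority: 1
MIME-Version: 1.0

(body omitted)
"""

# Assumption: the MTAs we operate. Only Received lines stamped "by" one of these
# were written by us; everything below them came from the sender.
OUR_MTAS = {"paradise.businessx.com"}

ADDR_RE = re.compile(r"[\w.+-]+@([\w.-]+)")
RECV_RE = re.compile(r"from\s+(\S+)\s+\(\[?(\d{1,3}(?:\.\d{1,3}){3})\]?", re.I)
BY_RE = re.compile(r"\bby\s+(\S+)", re.I)


def addr_domain(value: Optional[str]) -> Optional[str]:
    """Domain of the first e-mail address in a header value, lowercased."""
    m = ADDR_RE.search(value or "")
    return m.group(1).lower() if m else None


def first_trusted_hop(msg: Message) -> Optional[dict]:
    """Walk the Received chain top-down and return the hop our own MTA recorded.

    Each MTA prepends its own Received line, so the first line stamped by a host
    we control is the earliest trustworthy one; lines below it may be forged.
    """
    received = msg.get_all("Received", [])
    for idx, recv in enumerate(received):
        by = BY_RE.search(recv)
        if by and by.group(1).lower() in OUR_MTAS:
            m = RECV_RE.search(recv)
            return {
                "helo": m.group(1).lower() if m else None,
                "ip": m.group(2) if m else None,
                "untrusted_hops_below": len(received) - idx - 1,
            }
    return None


def assess(raw: str) -> dict:
    """Compare claimed sender identities against what our own server observed."""
    msg = message_from_string(raw)
    hop = first_trusted_hop(msg)
    result = {
        "from_domain": addr_domain(msg.get("From")),
        "return_path_domain": addr_domain(msg.get("Return-path")),
        "connecting_ip": hop["ip"] if hop else None,
        "connecting_host": hop["helo"] if hop else None,
        "findings": [],
    }
    findings = result["findings"]
    if result["from_domain"] != result["return_path_domain"]:
        findings.append("From domain does not match envelope sender (Return-path)")
    host = result["connecting_host"] or ""
    if result["from_domain"] and not host.endswith(result["from_domain"]):
        findings.append(f"connecting host {host} is not under the From domain")
    if hop and hop["untrusted_hops_below"]:
        findings.append(f"{hop['untrusted_hops_below']} sender-supplied Received line(s) below our hop; treat as forged")
    if msg.get("X-PHP-Script"):
        findings.append(f"sent by a PHP script: {msg['X-PHP-Script']}")
    return result


if __name__ == "__main__":
    for key, value in assess(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```

The "by" host check is what makes this safe: a sender can add as many plausible-looking Received lines as it likes, but it cannot insert one above the line your own MTA writes, so the connecting IP in that line is the only one worth looking up.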

Take a look at the URL: does the displayed link text match the href in the HTML? No, not at all.

<p><b><a href="http://ghanabook.com/SKpcrwai/index.html">http://complainy.app.bbb.org/complaint/view/9060933/b/526398212f</a></b>
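Here is that check automated, as an added example (my own code, not from the diary): it collects every anchor in an HTML body and reports those whose visible text names one host while the href points at another. The sample HTML is constructed from the anchor quoted above plus one honest link for contrast.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the anchor from the phishing mail above plus an honest link
# and a plain "write to us" link that offers the reader nothing to compare.
SAMPLE_HTML = """
<p><b><a href="http://ghanabook.com/SKpcrwai/index.html">http://complainy.app.bbb.org/complaint/view/9060933/b/526398212f</a></b></p>
<p>Questions? Visit <a href="http://www.bbb.org/">www.bbb.org</a> or <a href="mailto:help@example.com">write to us</a>.</p>
"""


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the document."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Hostname of a URL, tolerating display text without a scheme ('www.bbb.org')."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def looks_like_url(text: str) -> bool:
    return "://" in text or text.lower().startswith("www.")


def find_mismatched_links(html: str) -> list:
    """Anchors whose visible text shows one host while the href goes to another."""
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    hits = []
    for href, text in parser.anchors:
        if not looks_like_url(text):
            continue                         # "click here" cannot mislead by host
        shown, real = host_of(text), host_of(href)
        if shown != real:
            hits.append({"shown_host": shown, "real_host": real, "href": href})
    return hits


if __name__ == "__main__":
    for hit in find_mismatched_links(SAMPLE_HTML):
        print(f"displayed {hit['shown_host']!r} but goes to {hit['real_host']!r}: {hit['href']}")
```

Comparing hostnames rather than whole URLs avoids false alarms from tracking parameters, while still catching the case here, where a bbb.org lookalike hides a ghanabook.com landing page.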

Being lazy, I submit this URL to wepawet (http://wepawet.iseclab.org)

After waiting patiently it reports that the link is benign.  "ORLY," I think, "perhaps it's just pharma-spam then."

URL                                                        Status  Content Type
http://ghanabook.com/SKpcrwai/index.html                   200     text/html
http://apartmentsinorlandonow.com/WyZFNJYu/js.js           200     application/javascript
http://216.231.139.102/w7pwr6ahpdt.php?q=jm9svoa0sj7428gu  404     text/html

Comparing this to the other samples, the first URL differs, but the apartmentsinorlandonow.com URL is common to all of them. Perhaps the attackers are smart and only serve the payload once per visitor? Or maybe they know wepawet's IP addresses?

The next step is to use my own honeyclient instead of a known public one. Nothing fancy, just a laptop with Ubuntu on it. A couple of wgets: first to the apartmentsinorlandonow.com URL (which contains only a link to the next URL), then to 216.231.139.102. I didn't even disguise the user-agent; it happily dumps more obfuscated JavaScript at me.

Never underestimate the value of Google during analysis. A search for 216.231.139.102 turns up a very helpful report: http://urlquery.net/report.php?id=122828 . It looks like an active Blackhole exploit kit, and someone else was looking at this a little over an hour before I was. We're after the next stage, the link to update_flashplayer.exe.

Let's pull that down with another wget request. Now I've got about 150k of Win32 executable. My new favorite little tool for static analysis is exiftool. I was aware of EXIF data in image formats, but unaware that many other file formats also carry handy metadata; for a PE file that includes the compile timestamp from the COFF header. In this case it may be interesting to note that the file's timestamp is 2012:08:10 05:42:09-04:00, about four hours before the message was delivered.

I calculate the md5sum of the .exe and check whether it's on VirusTotal yet. I'm 5 minutes behind the first submission and, surprisingly, 9 out of 42 vendors detect it already.
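The two static checks just described, reading the PE timestamp and hashing the sample, as an added example (my own code, not the diary's). Because the real update_flashplayer.exe is not on this page, the block constructs a minimal stand-in: a DOS header whose e_lfanew points at a PE signature and COFF header carrying the timestamp exiftool reported above. The triage function also compares compile time against first sighting, which is the caveat to keep in mind: the timestamp is attacker-controlled and can be forged, but a build time hours before delivery is consistent with a kit generating fresh binaries per campaign.

```python
import hashlib
import struct
from datetime import datetime, timezone


def build_fake_pe(timestamp: int) -> bytes:
    """Constructed stand-in for the downloaded .exe: DOS header, e_lfanew at 0x3C,
    PE signature and a COFF header with the given TimeDateStamp. Not loadable,
    just enough bytes to parse."""
    dos = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew = 0x40
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 3, timestamp, 0, 0, 0xE0, 0x102)
    return bytes(dos) + b"PE\0\0" + coff + b"\x00" * 16


# exiftool on the real sample reported 2012:08:10 05:42:09-04:00; same instant in UTC.
DIARY_TIMESTAMP = int(datetime(2012, 8, 10, 9, 42, 9, tzinfo=timezone.utc).timestamp())
# Delivery-date from the headers, Fri, 10 Aug 2012 09:36:10 -0400, in UTC.
DELIVERY_UTC = datetime(2012, 8, 10, 13, 36, 10, tzinfo=timezone.utc)
SAMPLE = build_fake_pe(DIARY_TIMESTAMP)


def pe_timestamp(data: bytes) -> datetime:
    """Read the COFF TimeDateStamp (seconds since the Unix epoch, UTC) from a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # Signature (4) + Machine (2) + NumberOfSections (2): TimeDateStamp sits at +8
    ts = struct.unpack_from("<I", data, pe_off + 8)[0]
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def hashes(data: bytes) -> dict:
    """Hashes to look up on VirusTotal or put in a report; md5 alone is a weak identifier."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def triage(data: bytes, first_seen: datetime) -> dict:
    """Static facts about a sample plus a sanity check on its claimed build time."""
    built = pe_timestamp(data)
    notes = []
    if built > first_seen:
        notes.append("compile time is after first sighting: timestamp forged or clock skewed")
    elif (first_seen - built).total_seconds() < 6 * 3600:
        notes.append("compiled within hours of delivery: freshly built for this campaign")
    return {"size": len(data), **hashes(data), "compiled_utc": built.isoformat(), "notes": notes}


if __name__ == "__main__":
    for key, value in triage(SAMPLE, DELIVERY_UTC).items():
        print(f"{key:14} {value}")
```

Run it against a real download by replacing SAMPLE with the file's bytes; the hashes are what you paste into VirusTotal, and the sha256 is the one to share, since md5 collisions are cheap to manufacture.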

More after lunch...

 

Kevin Liston

292 Posts
ISC Handler
FWIW, I came across a similar message this morning, with a few different details:

Apparent URL: hxxp://complaint.app.bbb.org/complaint/view/1734879/b/017797281f

Real URL: hxxp://stepbystepalisoviejo.com/aKkExEME/index.html

Calls:
hxxp://apartmentsinorlandonow.com/WyZFNJYu/js.js
hxxp://learntocleanhoods.com/j74PFssk/js.js
hxxp://www.verdeimmobiliare.it/BXNQ3ZAS/js.js
hxxp://zastrahovam.crt.bg/n4KEQ0eX/js.js

Which all point to the same destination you reference:
hxxp://216.231.139.102/w7pwr6ahpdt.php?q=jm9svoa0sj7428gu
Anonymous
RE: http://apartmentsinorlandonow.com/WyZFNJYu/

Still active, and still hosted by SOFT LAYER dot COM

So, I've E-mailed both the domain-owner and the ISP.

Should you have sent such a "heads-up" message, as part of your analysis?
Anonymous
Feel free to play along everyone, more reports might bring quicker action. Hit the domains that Gregory noted too.

-KL
Kevin Liston

292 Posts
ISC Handler
ADP-related phishes also redirecting to this.
hacks4pancakes

48 Posts
Wake up people!! This isn't Web 1.0 anymore... If you're spending the average day battling fake-AV and removing malware from the boss' daughter's laptop, YOU ARE NOT 'GETTING' IT!

No amount of money spent on the latest & greatest "stop-all" IPS/IDS/firewalls will protect you from a targeted attack... If you /really think/ about it, who is going to be a greater threat to your SMB- the curious teenage hacker re-hashing old attacks and finding lessons to be learned from your mistakes; or your competitors who are looking for an edge (and don't mind hiring an "investigator" of questionable morals) ?

As a matter of fact, deploying a mid-range Cisco, Sonic Wall, etc. will only increase your network vulnerabilities. The bad guys are well aware of this tech, and it will be used to their advantage! It doesn't matter how many times a month you upgrade firmware/software when you have a determined attacker sitting on edge devices; providing their own 'updates,' and patiently waiting for your next move.

Advice to SMBs: Invest in human capital!
Do understand that a salary is a much greater investment than a wholesale router; but also realize the difference in potential between a person and a 'magic box'. Prior training and experience can prove beneficial, but if you can find an inquisitive individual and are willing to provide the necessary support... Virtualization, encryption, multi-factor authentication, log monitoring, penetration testing, and disaster recovery can be taught to anyone with the desire to learn and access to Google.
hacks4pancakes
1 Posts
@Pscheudonym, did you mean to put this here instead? isc.sans.edu/…
Kevin Liston

292 Posts
ISC Handler
- http://blog.dynamoo.com/2012/08/mskoblastionlineru-malicious-spam-goes.html
"... 15 Aug 2012...
Subject: Re: Better Business Bureau Complaint
Attachments: Complaint_N35XL147712.htm
... hosted on the following IPs... domains are all connected and should be blocked..."
(See the site)
Jack

160 Posts
