Did you get a Better Business Bureau Complaint Today?

Published: 2012-08-10
Last Updated: 2012-08-10 20:58:05 UTC
by Kevin Liston (Version: 4)
7 comment(s)

Did you get a Better Business Bureau Complaint Today? I did, in fact, I got a couple of them.  I thought I'd go through a play by play of how I assess these things (there will be a lot of updates as I go through this in semi-real-time.)

Oh, there will also be very little obfuscation, so be careful with that.

Here's the message itself:

RE: Case# 9060933: Alfonso Palmer

Dear Company:

As you are aware, the Better Business Bureau contacted you regarding the above-named complainant, seeking a response to this complaint. Your position is available online.

The following URL (website address) below will take you directly to this complaint and you will be able to view the response directly on our website:

http://complainy.app.bbb.org/complaint/view/9060933/b/526398212f

The complainant has been notified of your response.

The BBB believes that your response adequately addresses the disputed issues and/or has exhibited a good faith effort to resolve the complaint. The complaint will close as "Administratively Judged Resolved" and our records will be updated.

If you fail to honor your agreement or if the consumer has information that disputes the accuracy of your firm's response, we will notify your office with substantiation to support the consumer's position and the case will be re-opened. Cases will not be re-opened without documentation or good cause.

The BBB appreciates this opportunity to serve you. Dispute Resolution Department.

Let's take a look at the headers:

Return-path: <complaints@bbb-email.org>
Envelope-to: kliston@REDACTED
Delivery-date: Fri, 10 Aug 2012 09:36:10 -0400
Received: from wsip-68-99-56-167.pn.at.cox.net ([68.99.56.167]:47037)
	by paradise.businessx.com with esmtp (Exim 4.77)
	(envelope-from <complaints@bbb-email.org>)
	id 1SzpNj-00010v-KU
	for kliston@REDACTED; Fri, 10 Aug 2012 09:36:07 -0400
Received: from apache by bbb-email.org with local (Exim 4.67)
	(envelope-from <complaints@bbb-email.org>)
	id EG95SG-22TJQ4-AR
	for <kliston@REDACTED>; Fri, 10 Aug 2012 07:36:01 -0600
To: <kliston@REDACTED>
Subject: RE: Case# 9060933: Alfonso Palmer
X-PHP-Script: bbb-email.org/sendmail.php for 68.99.56.167
From: "Better Business Bureau" complaints@boston.bbb.org
X-Sender: "Better Business Bureau" complaints@boston.bbb.org
X-Mailer: PHP
X-Priority: 1
MIME-Version: 1.0

So a simple spoof, from a likely bot-net in Cox.net, and my cheap spam-trap mailserver doesn't do any SPF or DKIM checking.

Take a look at the URL does the displayed match what's in the code? No, not at all.

<p><b><a href="http://ghanabook.com/SKpcrwai/index.html">http://complainy.app.bbb.org/complaint/view/9060933/b/526398212f</a></b>

Being lazy, I submit this URL to wepawet (http://wepawet.iseclab.org)

After waiting patiently it reports that the link is benign.  "ORLY," I think, "perhaps it's just pharma-spam then."

URL Status Content Type
http://ghanabook.com/SKpcrwai/index.html 200 text/html
http://apartmentsinorlandonow.com/WyZFNJYu/js.js 200 application/javascript
http://216.231.139.102/w7pwr6ahpdt.php?q=jm9svoa0sj7428gu 404 text/html

Comparing this to the other samples, the first URL differ, but the apartmentsinorlandonow.com is in common.  Perhaps the attackers are smart,and only kick out one answer?  Or maybe they know wepawet's IP addresses?

 The next step is use my own honeyclient instead of a known, public one.  Nothing fancy, just a laptop with ubuntu on it.  A couple of wgets, first to the apartmentsinorlandonow.com URL (which has only a document link to the next URL,) and the second to 216.231.139.102.  I didn't even disguise the user-agent, it happily dumps more obfuscated javascript at me.

Never underestimate the value of google during analysis.  A search for 216.213.139.102 turns up a very helpful report: http://urlquery.net/report.php?id=122828  Looks like an active blackhole exploit kit, and someone was looking at this a little over an hour before I was. We're after that next stage, the link to update_flashplayer.exe.

Let's pull that down with another wget request.  So now I've got about 150k of Win32 executable.  My new favorite little tool for static analysis is exiftool.  I was aware of EXIF data in image formats, but unaware that many other file formats also have handy metadata.  In this particular example, it may be interesting to note that the file's original timestamp is 2012:-8:10 05:42:09-04:00.

 I calculate the md5sum from the .exe and see if it's up on virustotal yet.  I'm 5 minutes behind the first submission time and a surprising 9 out of 42 vendors detect it already. 

Now that we have an executable to play with we can start doing some dynamic analysis.  Sticking with my theme of lazy, I send it off to Anubis (http://anubis.iseclab.org/) and ThreatExpert (http://www.threatexpert.com/) and compare the results.  I like to send off to multiple solutions since one day Anubis works better than ThreatExpert and the next it's vice versa.  Other days, nothing is working and that's when you have to break down and work harder at it.  Today, I'm lucky and it runs in ThreatExpert which spits out the following network artifacts:

  • 66.55.89.149
  • 66.55.89.150
  • cikonungunlugu.com
  • ftp.lastraautosport.com.ar

Looks like it checks-in via an HTTP POST to /forum/view/topic.php at 66.55.89.149.  There are further requests for more binaries:

  • hxxp://cikonungunlugu.com/CMw.exe
  • hxxp://ftp.lastraautosport.com/ar/xjH.exe

Those are the same file, virustotal hasn't seen it yet, 14/42 hit ratio.  This is about as far as using the public tools will get us.  Now that I have the installers and droppers, the next step is to put it onto a real system and see what it does when I try to do some online banking...

That's going to run longer than my shift (a lot of pcap and memory capture to go through,) so while that's in the works I wanted to move in another direction.  Looking at the infrastructure involved in this attack.  First there's the systems doing the spamming.  I don't have a lot of insight into that, because Cox isn't very forthcoming on details about the machine that sent the email.  We can make an assumption that it's part of a botnet, but as for which one, or how it got compromised, there's just no details to go on. 

Then there's the first landing pages.  The examples that I have are down now so I messed up there.  The next hop in the redirect chain are still up.  Looking at my example and the others the Gregory provided below I see that most of them are wordpress sites.  There are a lot of vulnerabilities to choose from for getting your code up on someone else's wordpress site.  Then, we have the downloader site: 216.231.139.102.  That looks like it might be a full-blown exploit kit site on first glance.  (Lots of people emailing noc@continuumdatacenters.com might help with that.)  There's the check-in at 66.55.89.149 that needs a little more examination.  cikonungunlugu.com appears to be registered for the purpose of distributing malware, while ftp.lastraautosport.com is probably a compromised domain.

Keywords:
7 comment(s)

Comments

FWIW, I came across a similar message this morning, with a few different details:

Apparent URL: hxxp:////complaint.app.bbb.org/complaint/view/1734879/b/017797281f

Real URL: hxxp://stepbystepalisoviejo.com/aKkExEME/index.html

Calls:
hxxp://apartmentsinorlandonow.com/WyZFNJYu/js.js
hxxp://learntocleanhoods.com/j74PFssk/js.js
hxxp://www.verdeimmobiliare.it/BXNQ3ZAS/js.js
hxxp://zastrahovam.crt.bg/n4KEQ0eX/js.js

Which all point to the same destination you reference:
hxxp://216.231.139.102/w7pwr6ahpdt.php?q=jm9svoa0sj7428gu
RE: http://apartmentsinorlandonow.com/WyZFNJYu/

Still active, and still hosted by SOFT LAYER dot COM

So, I've E-mailed both the domain-owner and the ISP.

Should you have sent such a "heads-up" message, as part of your analysis?
Feel free to play along everyone, more reports might bring quicker action. Hit thedomains that Gregory noted too.

-KL
ADP-related phishes also redirecting to this.
Wake up people!! This isn't Web 1.0 anymore... If you're spending the average day battling fake-AV and removing malware from the boss' daughter's laptop, YOU ARE NOT 'GETTING' IT!

No amount of money spent on the latest & greatest "stop-all" IPS/IDS/firewalls will protect you from a targeted attack... If you /really think/ about it, who is going to be a greater threat to your SMB- the curious teenage hacker re-hashing old attacks and finding lessons to be learned from your mistakes; or your competitors who are looking for an edge (and don't mind hiring an "investigator" of questionable morals) ?

As a matter of fact, deploying a mid-range Cisco, Sonic Wall, etc. will only increase your network vulnerabilities. The bad guys are well aware of this tech, and it will be used to their advantage! It doesn't matter how many times a month you upgrade firmware/software when you have a determined attacker sitting on edge devices; providing their own 'updates,' and patiently waiting for your next move.

Advice to SMBs: Invest in human capital!
Do understand that a salary is a much greater investment than a wholesale router; but also realize the difference in potential between a person and a 'magic box. Prior training and experience can prove beneficial- but if you can find an inquisitive individual and are willing to provide the necessary support... Virtualization, encryption, multi-factor authentication, log monitoring, penetration testing, and disaster recovery can be taught to anyone with the desire to learn and access to Google.
@Pscheudonym, did you mean to put this here instead? https://isc.sans.edu/diary.html?storyid=13849
- http://blog.dynamoo.com/2012/08/mskoblastionlineru-malicious-spam-goes.html
"... 15 Aug 2012...
Subject: Re: Better Business Bureau Complaint
Attachments: Complaint_N35XL147712.htm
... hosted on the following IPs... domains are all connected and should be blocked..."
(See the site)
.

Diary Archives