SANS ISC: Riding out yet Another Storm Wave - SANS Internet Storm Center

Riding out yet Another Storm Wave

Sadly, you won't need a surfboard for this one.  Just to give you a
heads up, there is a new round of emails with malicious links that is
making its way to the inboxes of many folks.  If you haven't gotten one
yet, just give it time.   Here is a quick summary of what we have found.

The subject lines in the examples we have received have all been
identical.  You may have gotten something else.

"Subject: You've received a postcard from a family member!"


The following is an excerpt from the email body.  (WARNING:  Do NOT
FOLLOW THE LINKS below UNLESS YOU KNOW WHAT YOU ARE DOING!!)

--------
OPTION 1
--------

Click on the following Internet address or
copy & paste it into your browser's address box.

http://200.82.187.228/?08a823e96272575cbc68911e6c36a4

--------
OPTION 2
--------

Copy & paste the ecard number in the "View Your Card" box at
http://200.82.187.228/

Your ecard number is
08a823e96272575cbc68911e6c36a4



The ecard numbers in the URL above vary across SPAM samples.

Several additional examples for pattern freaks :):

The website serves an interesting piece of JavaScript that appears to try multiple browser exploits in order to compromise the system.  If JavaScript is enabled, then you get:

MD5 (tm.exe) = 07276fce39282fd182757d2557f9eca7  which is a downloader that gets this:

MD5 (logi.exe) = 4aa22564a0b886226d8cf14456a598ab

If JavaScript is disabled, then they provide you a handy link to click on to exploit yourself, and you get ecard.exe (MD5: 30051dc10636730e4d6402ef8e88fd04).  Here is what a user would see:

 "We are currently testing a new browser feature. If you are not able to
view this ecard, please click here to view in its original format."
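As an added defender-side example (not part of the original diary), here is a small Python checker that flags mail matching the lure described above: the reported subject line, a link to a bare IPv4 host whose query string is only a hex ecard number, a standalone hex ecard number in the body, and a file whose MD5 matches one of the three binaries named above. The sample message is constructed from the excerpt, and the 20-40 hex-character length window is an assumption.

```python
import hashlib
import re
from email import message_from_string

# Subject reported for this wave; the lure URL is a bare IPv4 host whose
# query string is nothing but a hex "ecard number" (length window assumed).
STORM_SUBJECT = "You've received a postcard from a family member!"
ECARD_URL_RE = re.compile(
    r"https?://(\d{1,3}(?:\.\d{1,3}){3})/\?([0-9a-f]{20,40})\b", re.I)
# OPTION 2 of the lure puts the same hex token on a line of its own.
ECARD_TOKEN_RE = re.compile(r"^\s*([0-9a-f]{20,40})\s*$", re.I | re.M)
# MD5 values of the three binaries named in the diary.
KNOWN_MD5 = {
    "07276fce39282fd182757d2557f9eca7": "tm.exe (downloader)",
    "4aa22564a0b886226d8cf14456a598ab": "logi.exe",
    "30051dc10636730e4d6402ef8e88fd04": "ecard.exe",
}


def check_message(raw):
    """Return a list of (indicator, detail) findings for one RFC 822 message."""
    msg = message_from_string(raw)
    findings = []
    subject = msg.get("Subject", "").strip()
    if subject == STORM_SUBJECT:
        findings.append(("subject", subject))
    for part in msg.walk():  # walk() also covers multipart mail
        if part.get_content_type().startswith("text/"):
            text = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
            for host, ecard in ECARD_URL_RE.findall(text):
                findings.append(("ecard_url", f"{host} ecard={ecard}"))
            for token in ECARD_TOKEN_RE.findall(text):
                findings.append(("ecard_token", token))
    return findings


def match_known_binary(data):
    """Name the Storm component whose MD5 matches data, or None if unknown."""
    return KNOWN_MD5.get(hashlib.md5(data).hexdigest())


# Constructed sample modelled on the excerpt above, not a real capture.
SAMPLE = """\
Subject: You've received a postcard from a family member!
Content-Type: text/plain

http://200.82.187.228/?08a823e96272575cbc68911e6c36a4

08a823e96272575cbc68911e6c36a4
"""
```

Feed `check_message` the raw text of each message from a mail spool or gateway quarantine; `match_known_binary` is for files pulled from a proxy cache or sandbox.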

Here is a listing of just a handful of the 10s to 100s of thousands of
infected home systems.  Every Storm-infected system is potentially
capable of hosting the malware and sending the SPAM, but only a few will
be used in any given SPAM run, depending on how many emails they want
sent and how many web hits they're expecting. You will notice the
country/network diversity and the predominance of broadband providers
(data courtesy of Team Cymru).

AS    | IP              | BGP Prefix       | CC | Registry | AS Name
5603  | 194.165.121.126 | 194.165.96.0/19  | SI | ripencc  | SIOL-NET SiOL Internet
29737 | 24.192.186.35   | 24.192.184.0/21  | US | arin     | WOW-INTERNET - WideOpenWest
16810 | 67.62.169.71    | 67.62.0.0/16     | US | arin     | CAVTEL02 - Cavalier Telephone
7132  | 69.219.170.133  | 69.208.0.0/12    | US | arin     | SBIS-AS - AT&T Internet Svcs/Ameritech
7132  | 70.232.83.200   | 70.224.0.0/11    | US | arin     | SBIS-AS - AT&T Internet Svcs/SBC Global
3320  | 84.133.236.88   | 84.128.0.0/10    | DE | ripencc  | DTAG Deutsche Telekom/Dialin.net
12392 | 85.27.49.108    | 85.27.48.0/22    | BE | ripencc  | ASBRUTELE AS/Brutele SC
21502 | 85.69.86.171    | 85.69.0.0/16     | FR | ripencc  | ASN-NUMERICABLE/Modulonet.fr
18881 | 201.47.44.156   | 201.47.32.0/19   | BR | lacnic   | Global Village Telecom
25515 | 213.140.230.102 | 213.140.224.0/19 | RU | ripencc  | CTCNET-AS Joint-Stock Central Telecom.
8642  | 85.226.199.228  | 85.224.0.0/13    | SE | ripencc  | B2 B2 Bredband/bredbandsbolaget.se

As you can see, detection is skimpy at this point. The key detection
name in the results below is "Tibs" (aka Storm/Nuwar/Peacomm).

Complete scanning result of "ecard.exe", received in VirusTotal at
06.28.2007, 21:24:37 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.6.27.0 06.28.2007  no virus found
AntiVir 7.4.0.34 06.28.2007 HEUR/Crypted
Authentium 4.93.8 06.27.2007  no virus found
Avast 4.7.997.0 06.27.2007  no virus found
AVG 7.5.0.476 06.28.2007  no virus found
BitDefender 7.2 06.28.2007  no virus found
CAT-QuickHeal 9.00 06.27.2007  no virus found
ClamAV devel-20070416 06.28.2007  no virus found
DrWeb 4.33 06.28.2007  no virus found
eSafe 7.0.15.0 06.27.2007 Suspicious Trojan/Worm
eTrust-Vet 30.8.3747 06.28.2007  no virus found
Ewido 4.0 06.27.2007  no virus found
FileAdvisor 1 06.28.2007  no virus found
Fortinet 2.91.0.0 06.28.2007  no virus found
F-Prot 4.3.2.48 06.28.2007  no virus found
F-Secure 6.70.13030.0 06.28.2007 Tibs.gen118
Ikarus T3.1.1.8 06.28.2007  no virus found
Kaspersky 4.0.2.24 06.28.2007  no virus found
McAfee 5062 06.27.2007  no virus found
Microsoft 1.2701 06.28.2007  no virus found
NOD32v2 2360 06.28.2007  no virus found
Norman 5.80.02 06.27.2007 Tibs.gen118
Panda 9.0.0.4 06.28.2007 Suspicious file
Sophos 4.19.0 06.24.2007  no virus found
Sunbelt 2.2.907.0 06.27.2007 VIPRE.Suspicious
Symantec 10 06.28.2007  no virus found
TheHacker 6.1.6.140 06.28.2007  no virus found
VBA32 3.12.0.2 06.27.2007  no virus found
VirusBuster 4.3.23:9 06.27.2007  no virus found
Webwasher-Gateway 6.0.1 06.28.2007 Heuristic.Crypted

Additional Information
File size: 7915 bytes
MD5: 30051dc10636730e4d6402ef8e88fd04
SHA1: 05368309bf89a78d680e239f58ec39bb0f8963b6

Lorna

ISC Handler