Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Re: American Airlines / DHL/ Fed Ex spammer take 2

30 views
Skip to first unread message

Virus Guy

unread,
May 2, 2013, 8:16:25 PM5/2/13
to
Thane wrote (in news.admin.net-abuse.email -which I can't cross-post to)

> So after several weeks of daily spammy redirect site morphs to a
> payload containing variants of Weelsof and Dofoil, spammy has upped
> the ante.
>
> The latest link on an American airlines spoof is
>
> hxxp://vcalaw.com/images/wp_pageid.html?id=_

Warning - that site attempts a browser exploit of some sort - explore
with caution.

> This leads to the following script
> hxxp://yob.newwaysys.com/ensure/origin-want_require.php");
>
> This is where I need the experts! I've tried wget and curl to
> determine the location of the redirect, but get 403 consistently.
> It could be my IP is blocked or another twist I haven't seen.
> Does anyone have any ideas?

On my win-98 system with Firefox 2.0, the first link ends up causing my
system to load the Java engine and process some java code, which in turn
tries to invoke acrord32.exe and render some sort of pdf file.

As I type this, Java and Acrord32 are each in a suspended mode,
displaying these error messages:

------
Application Error
General Exception (!)
java.lang.NullPointerException

(ok) (Details)
-------

And this:

-------
Acrobat plug-in
! This operation is not allowed
(ok)
-------

Looking at the Details for the Java error:

-------
java.lang.NullPointerException
at sun.net.www.ParseUtil.encodePath(Unknown Source)
at sun.misc.URLClassPath$Loader.getResource(Unknown Source)
at sun.misc.URLClassPath.getResource(Unknown Source)
at sun.applet.AppletClassLoader.getResourceAsResource(Unknown Source)
at sun.applet.AppletPanel$7.run(Unknown Source)
at sun.applet.AppletPanel$7.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at sun.applet.AppletPanel.createSerialApplet(Unknown Source)
at sun.applet.AppletPanel.createApplet(Unknown Source)
at sun.plugin.AppletViewer.createApplet(Unknown Source)
at sun.applet.AppletPanel.runLoader(Unknown Source)
at sun.applet.AppletPanel.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)

-------

Before I dismiss these error messages, I do a search for all
recently-created files.

I find:

Acr6392.TMP
Acr6390.TMP
Acr639C.TMP

Both in Windows/temp. The second and third files are zero bytes, but I
can't move or copy them (some process has control of them). The first
file is 426 bytes and contains this:

-----------
%PDF-1.5
%����
1 0 obj<</Pages 2 0 R/Type/Catalog>>
endobj
2 0 obj<</Count 0/Kids[]/Type/Pages>>
endobj
3 0
obj<</ModDate(D:20130502193858-04'00')/CreationDate(D:20130502193858-04'00')>>
endobj
xref
0 4
0000000000 65535 f
0000000016 00000 n
0000000060 00000 n
0000000105 00000 n
trailer
<</Size 4/Root 1 0 R/Info 3 0
R/ID[<3f6eedc550804941a9bcaebd0ac8c61b><3f6eedc550804941a9bcaebd0ac8c61b>]>>
startxref
195
%%EOF
-----------

I find this file in windows/application
data/sun/java/deployment/cache/6.0/host

31ba0019-40d9db35.hst

It is a text file that contains this: 184.82.108.82

I have this file in my firefox cache directory:

10D13CC8d01

Its 105 kb in size and begins with this:

<body fwqr=a41><b style="display:none;">

And then followed by a long sequence of hex digits separated by periods,
like this:

59,96,111,111,107,100,115,31,118,104,99,115,103,60,33,48,33,31,103, ...

And then ends with this:

==================
</div><script>
nul="0"+"x";
function zz(){s+=(ss.fromCharCode(-37+z(nul+a[i])));}
try{document.body-=12;}catch(q){a=document[gg]("div");}
a=a[0].innerHTML;
a=a.split(".");
s="";
az=1;try{caewbtew=~2;}catch(qw){az=0;}
vq();
u=z;uu=s;
if(az)u(uu);
</script></body>
===================

I dismiss the java error, and then the adobe error. Immediately another
Acrord error pops up (same as the first). I dismiss it. Firefox then
comes back to life and displays this page:

http://www.google.com/search?q=404%20error

I still can't access the two zero-length ACR temp files. Acrord32.exe
is still running. I kill it, and this releases the files. One of them
is not zero-length any more. The file Acr6390.TMP is 179 bytes and
contains this:

=================
1 0 obj<</Pages 2 0 R/Type/Catalog>>
endobj
2 0 obj<</Count 0/Kids[]/Type/Pages>>
endobj
3 0
obj<</ModDate(D:20130502193858-04'00')/CreationDate(D:20130502193858-04'00')>>
endobj

=================

And at this point we seem to be done, with no lasting effects.

This lame attempt at a browser/java/pdf exploit just bounced off my
win-98 system.

Virus Guy

unread,
May 2, 2013, 8:29:53 PM5/2/13
to
I wrote:

> Before I dismiss these error messages, I do a search for all
> recently-created files.
>
> I find:
>
> Acr6392.TMP
> Acr6390.TMP
> Acr639C.TMP

VirusTotal finds nothing unusual about them.

> I find this file in windows/application
> data/sun/java/deployment/cache/6.0/host
>
> 31ba0019-40d9db35.hst
>
> It is a text file that contains this: 184.82.108.82

184-82-108-82.static.hostnoc.net

Opening that IP in a browser gives:

(Site under construction)

Robtex has nothing to say about that IP.

> I have this file in my firefox cache directory:
>
> 10D13CC8d01

VirusTotal identifies that file as:

McAfee JS/Exploit-Blacole.ld
McAfee-GW-Edition JS/Exploit-Blacole.ld

Detection ratio: 2/46

Thane

unread,
May 2, 2013, 10:30:14 PM5/2/13
to
Thanks for the follow up. I'm on linux so I don't see the Win98
activity. This spammer has been active for months with spoofed airline
tickets, Fed Ex delivery notices etc. and the payload is an exe file
which I've been downloading and forwarding to Sophos. I don't use a
browser for this, but use a terminal window and download using wget or
curl. Up to now, the spammer has only had a check for user agent,
targeting windows machines, but which I can fake simply in linux.

Today's posting showed a second script which I posted in NANAE. Any
feedback or help would be appreciated as I suspect this is the start of
a long run.

BTW - repeating my earlier tests now returns 404.

Thane

Virus Guy

unread,
May 2, 2013, 10:49:19 PM5/2/13
to
Thane wrote:

> >> I find this file in windows/application
> >> data/sun/java/deployment/cache/6.0/host
> >>
> >> 31ba0019-40d9db35.hst
> >>
> >> It is a text file that contains this: 184.82.108.82

> Today's posting showed a second script which I posted in NANAE.
> Any feedback or help would be appreciated as I suspect this is
> the start of a long run.

The second URL in your post was this:

hxxp://yob.newwaysys.com/ensure/origin-want_require.php

Note that yob.newwaysys.com is 184.82.108.82 -> the same IP that I found
in the .hst file.

There is still a web-server operating at that IP:

http://184.82.108.82/

"Site under construction"

But your full URL just times out.

If you want more info about it, look here:

http://urlquery.net/report.php?id=2296499

Note the various different URL's being used - each one is probably valid
for a short period of time, probably dynamically generated.

FromTheRafters

unread,
May 3, 2013, 7:16:18 AM5/3/13
to
Thane submitted this idea :
The first obfuscated script is the applet container. The second
probably goes to the PDF exploit, but I haven't deobfuscated it yet. VG
seems to be of the opinion that because W98 doesn't run the payload it
is *better* than NT based Windows machines. Informing him of his error
does no good.


FromTheRafters

unread,
May 3, 2013, 12:41:57 PM5/3/13
to

Virus Guy

unread,
May 5, 2013, 7:57:27 PM5/5/13
to
FromTheRafters wrote:

> I'm using Malzilla and PDFStreamDumper. I finally got the BHEK
> heapspray/exploit from the exploit PDF deobfuscated this morning.
> I hadn't seen base 26 representations before, but I was able to
> write a javascript program to deal with a simplified version of
> the data blob anyway.

Is that "data blob" what I referred to in ACV when I made the first post
there?

=======
I find this file in windows/application
data/sun/java/deployment/cache/6.0/host

31ba0019-40d9db35.hst

It is a text file that contains this: 184.82.108.82

I have this file in my firefox cache directory:

10D13CC8d01

Its 105 kb in size and begins with this:

<body fwqr=a41><b style="display:none;">

And then followed by a long sequence of hex digits separated by periods,
like this:

59,96,111,111,107,100,115,31,118,104,99,115,103,60,33,48,33,31,103, ...
=========

FromTheRafters

unread,
May 5, 2013, 8:56:02 PM5/5/13
to
on 5/5/2013, Virus Guy supposed :
> FromTheRafters wrote:
>
>> I'm using Malzilla and PDFStreamDumper. I finally got the BHEK
>> heapspray/exploit from the exploit PDF deobfuscated this morning.
>> I hadn't seen base 26 representations before, but I was able to
>> write a javascript program to deal with a simplified version of
>> the data blob anyway.
>
> Is that "data blob" what I referred to in ACV when I made the first post
> there?

The comma separated values are a decimal representation of the ASCII
characters for the <applet>some stuff</applet> container. The period
separated values represent the ASCII characters for the JavaScript for
the downloading of the malicious PDF, Java jar, and Shockwave flash
object. The shellcode in the second script is where I found the first
(this one was encrypted) argument string, and it also has the
obfuscated string for the GETting of the PDF.

The malicious PDF contained stream object (111) which is a compressed
obfuscated JavaScript which works on yet another blob which is the PDF
heapspray/exploit code which also has two shellcode variables. The
shellcodes there had URLs that were not encrypted like the other one
was. So, bottom line is that the blob I was talking about was quite a
lot deeper than the one you originally posted, not actually contained
within - but I couldn't have gotten there without them.

Just as an FYI some of the strings' data are for tracking so the
perpetrators can get feedback as to which exploit worked to GET the
ultimate target malware. I got three exes, one looked to them like it
was a successful PDF exploit (gleaned from the PDF's shellcode) and the
other two were from the shellcode from within the blob within the
second blob that you referred to. I noticed that the function name was
"get shellcode" but nowhere did I see a call to that function.

The only avenues left unexplored were the flash and the java ones that
I wouldn't have understood anyway because they have their own bytecode.


Thane

unread,
May 6, 2013, 12:11:44 AM5/6/13
to
I'm back. I managed to get the target file with its javascript. I have
the deobfuscated code if you need it (perhaps just catching up to you
both). I'm not a java expert and way beyond my comfort zone in this.

Thane

FromTheRafters

unread,
May 6, 2013, 12:59:24 AM5/6/13
to
Thane formulated the question :
I already have it, but thanks anyway.

> I'm not a java expert and way beyond my comfort zone in this.
>
So you've gotten the HTML file that was delivered from the PHP page and
you have deobfuscated that and have the getShellCode() function in
plain text? There are obfuscated URLs in that JavaScript (not Java)
that you can use to download the trojan downloaders to examine them.
The blob in the getShellCode() function's variable has the ultimate
target malware URL encrypted in it. That URL can be used to safely
download that which would have been the ultimate malware delivered by
the drive-by download in order to examine it.

...of course, one shouldn't execute such files.


Thane

unread,
May 6, 2013, 11:28:31 PM5/6/13
to
FromTheRafters wrote:

>>
> So you've gotten the HTML file that was delivered from the PHP page and
> you have deobfuscated that and have the getShellCode() function in plain
> text? There are obfuscated URLs in that JavaScript (not Java) that you
> can use to download the trojan downloaders to examine them. The blob in
> the getShellCode() function's variable has the ultimate target malware
> URL encrypted in it. That URL can be used to safely download that which
> would have been the ultimate malware delivered by the drive-by download
> in order to examine it.
>
> ...of course, one shouldn't execute such files.
>
>
Thanks for the very thorough description. I'm on linux so the exe files
in these exploits are somewhat isolated, but I know my limits and
appreciate the warning.

In reading some of the earlier posts here, it seems I've been working in
parallel, but only on the antispam activity. Spammy has been very active
on rolling exploited domains and morphing the payload and I've focused
on blacklisting. Laterly after some input in NANAE, in addition I've
posted mainly to Sophos and used Virustotal as a check.

Thanks to all.

Thane

FromTheRafters

unread,
May 7, 2013, 8:47:25 AM5/7/13
to
Thane presented the following explanation :
> FromTheRafters wrote:
>
>>>
>> So you've gotten the HTML file that was delivered from the PHP page and you
>> have deobfuscated that and have the getShellCode() function in plain text?
>> There are obfuscated URLs in that JavaScript (not Java) that you can use to
>> download the trojan downloaders to examine them. The blob in the
>> getShellCode() function's variable has the ultimate target malware URL
>> encrypted in it. That URL can be used to safely download that which would
>> have been the ultimate malware delivered by the drive-by download in order
>> to examine it.
>>
>> ...of course, one shouldn't execute such files.
>>
>>
> Thanks for the very thorough description. I'm on linux so the exe files in
> these exploits are somewhat isolated, but I know my limits and appreciate the
> warning.

There were no exe files in the exploit(s). :)

I know what you mean though.
>
> In reading some of the earlier posts here, it seems I've been working in
> parallel, but only on the antispam activity. Spammy has been very active on
> rolling exploited domains and morphing the payload and I've focused on
> blacklisting. Laterly after some input in NANAE, in addition I've posted
> mainly to Sophos and used Virustotal as a check.
>
> Thanks to all.

You're welcome. I've got VirusTotal's uploader and Jotti's too as
context menu items (right click functionality) - I don't know if they
have them for Linux, but if they do it is quite nice to have the ease
of submitting suspect malware files that way.


0 new messages