Obfuscated javascript in HTML mail virus attempts / 2012-03-14

For amusement I peeked into the HTML code of one of those "Your Page is loading..." mails. This one had as subject: Fwd: Scan from a Hewlett-Packard ScanJet 673022.

The source code is obfuscated JavaScript. But with hints from Advanced obfuscated JavaScript analysis - ISC diary I learned about SpiderMonkey, which is available under Ubuntu 8.04 LTS (not under 10.04). With the js JavaScript shell and a few modifications to the script (changing eval to print, so the decoded layer is printed instead of executed) I was able to find out where the code wanted to go next: http://dhjikjsdhfkksjud.ru:8080/images/aublbzdni.php. That name resolves to a lot of different addresses.
On the first try to fetch the above URL I got something which looked a lot like http://www.google.nl/. But retrying with a User-Agent that looked more like a recent MSIE gave me quite different HTML/JavaScript code (4057 bytes, md5sum 2ebb9a7dfb9b10ffdd49d9b3f0a8c2df, sha256 330c1362ac968da1e3c653a18d01c6464f1c40a717174659fcb6538b553bffea), Antivirus scan for 2ebb9a7dfb9b10ffdd49d9b3f0a8c2df. The readable parts try to fetch:
  • As an embedded Shockwave Flash movie: http://dhjikjsdhfkksjud.ru:8080/images/brcweqgshnxqh.swf (Macromedia Flash, 7790 bytes, md5sum 289a35c701f0d709dcd5e260478c26b6, sha256 b946c4a81e0b3458f8e74d93057fed084a4658d3a19f795761a4ae2c23a5b6d1), Antivirus scan for 289a35c701f0d709dcd5e260478c26b6
  • As an iframe: http://dhjikjsdhfkksjud.ru:8080/images/kobzfoivdpdzilx.php, a PDF file with built-in JavaScript (13199 bytes, md5sum 5ed4daefc479824d64ec5daf48564b22, sha256 d9a6ffb89860c970bcd6f91ad74ff6ac44e94a51ba1850d7be5a518a4574955f), Antivirus scan for 5ed4daefc479824d64ec5daf48564b22
  • As a Java applet: http://dhjikjsdhfkksjud.ru:8080/images/ftgvcoylgmdz.jar (13028 bytes, md5sum aefa842a18a8d19bb661107ba6e77699, sha256 4aa50efb99114bf4215e44f91d1aa5d818aa974b8a8cca2657454c2833b0a0a9), Antivirus scan for aefa842a18a8d19bb661107ba6e77699
  • As a Java applet: http://dhjikjsdhfkksjud.ru:8080/images/jvkzcvdryzar.jar (13361 bytes, md5sum 68358f8f1fd6c01d7e29e445ca646623, sha256 dab184aeea5b8155155c0ebf55450b5cfd168bf59b744e447f7760fe1ba419c7), Antivirus scan for 68358f8f1fd6c01d7e29e445ca646623
As the VirusTotal links show, these are all known attacks.

The rest of the HTML file is more obfuscated JavaScript. Searching for one of the md5sums finds Fwd: Scan from a Xerox W. Pro #0099345 dropping Bugat - spamalysis, where someone already did the same analysis I did.

Update 2012-03-15: Next day, subject: Fwd: Scan from a Hewlett-Packard ScanJet #4101 and the next domain: dhjikjsdhfkksjud.ru. Again lots of IPs and a really short TTL of 60 seconds.

Koos van den Hout, reachable as koos+website@idefix.net. PGP encrypted e-mail preferred.