Happy Holidays and a Malware Package for You

The holiday season is near and, just as we expected, malware has arrived to exploit the occasion. Add to that the fact that pharmaceutical come-ons and ploys via spammed emails are increasing these days, and this incident is worthy of a write-up.


Early this morning, we received a report that an email with an HTM attachment was being spammed on the net. A screenshot of the email is seen below.



The email attachment, Holliday_Pharmacy-Blowout-Deals_HERE.htm (take note of the spelling of “Holliday”), entices people to view the HTML file.


This is a fresh approach for mail-propagated malware, since it uses an HTML file as the attachment rather than the usual EXE or ZIP file. But because HTML files can still execute script, they are still very dangerous to view, especially when they come from an email you were not expecting.


Upon viewing the attachment, the JavaScript code inside it executes and loads the site:


http://BrightBoo{blocked}0eF7ce8fc50T34b5400d5593Bf11ea


A couple of minutes earlier, the site was inaccessible; however, after several rounds of pulling content from the site, we were finally able to dig up some nasties.


From here on we have another case of FTBM, or what is known as the Follow The Bouncing Malware scenario, which ultimately leads to the installation of a bot on your system. Below is a summary of the malware trail (so far…)



  • Holliday_Pharmacy-Blowout-Deals_HERE.htm
    • The malicious attachment; contains obfuscated JavaScript code that loads the site “http://BrightBooksDire{blocked}fc50T34b5400d5593Bf11ea”. Detected by Trend Micro as JS_REDIR.AI.

  • http://BrightBooksDi{blocked}8fc50T34b5400d5593Bf11ea (index.ht{blocked}34b5400d5593Bf11ea)
    • Contains another obfuscated JavaScript code that loads http://{blocked}/404.php. Detected by Trend Micro as JS_REDIR.AJ.

  • http://{blocked}/404.php
    • Contains another obfuscated JavaScript code that loads http://{blocked}/external.php through an iframe. Detected as JS_WONKA.AC.

  • http://{blocked}/external.php
    • Contains obfuscated VBScript code that downloads and executes the file http://{blocked}/win32_update.exe through the MS06-014 vulnerability. The downloaded file is already detected by Trend Micro as TROJ_SMALL.FAR.

  • http://{blocked}/win32_update.exe (TROJ_SMALL.FAR)
    • Downloads and executes http://{blocked}.com/exp/01.exe and http://{blocked}.com/exp/02.exe, detected by Trend Micro as TROJ_DELF.DGR and WORM_IRCBOT.RV respectively.

  • http://{blocked}/exp/01.exe
    • Drops other malicious files on the system.

  • http://{blocked}/exp/02.exe
    • This is a bot malware.

  • http://{blocked}/index.html
    • This HTML redirects to http://{blocked}/exp/exploit.php. The two are detected by Trend Micro as HTML_REDIR.AQ and JS_PSYME.FT respectively.

  • http://{blocked}/exp/exploit.php
    • Contains JavaScript code that downloads the file hxxp://olatesuite.com/exp/loader_exe.php and saves it to the local computer as “c:ie7_update.exe”. The downloaded file is detected as TROJ_DLOADER.IAT.

None of the malicious code and behavior described above is visible to the user; instead, all they see is a blank 404 Not Found page. Sneaky!
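As an added illustration (this is not code from the original post or from Trend Micro), the following Python script performs a static triage of an HTM attachment of the kind described in the trail above: it peels the unescape()-packed layers a redirector hides its next hop in, lists the URLs and hidden iframes a victim's browser would be sent to, and flags a VBScript block that references the MDAC RDS.DataSpace control addressed by MS06-014. The sample attachment, the redirector.invalid host name and the RDS.DataSpace ProgID/CLSID are my own constructions and knowledge of the advisory, not values taken from the post.

```python
import html
import re
import urllib.parse

# Redirector pages hide the <iframe> target inside unescape("%3C...") strings
# passed to document.write(), so the next hop never appears in the clear.
UNESCAPE_RE = re.compile(r'unescape\(\s*["\']([^"\']*)["\']', re.I)
URL_RE = re.compile(r'https?://[^\s"\'<>)]+', re.I)
IFRAME_RE = re.compile(r'<iframe[^>]*\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)
HIDDEN_RE = re.compile(r'<iframe[^>]*(width|height)\s*=\s*["\']?0\b', re.I)
VBS_RE = re.compile(r'<script[^>]*(language|type)\s*=\s*["\']?(text/)?vbscript', re.I)
# MS06-014 is the MDAC RDS.DataSpace flaw; its ProgID/CLSID near a VBScript block
# is the static tell for a download-and-execute stage (values from the advisory).
ACTIVEX_MARKERS = ("RDS.DataSpace", "BD96C556-65A3-11D0-983A-00C04FC29E36")

# Constructed sample attachment (not the real Holliday_Pharmacy file).
SAMPLE_HTM = (
    '<html><body>Loading...<script>document.write(unescape('
    '"%3Ciframe%20src%3D%22http%3A//redirector.invalid/404.php%22'
    '%20width%3D0%20height%3D0%3E%3C/iframe%3E"));</script>'
    '<script language="VBScript">Set o = CreateObject("RDS.DataSpace")</script></body></html>'
)

def js_unescape(s: str) -> str:
    """JavaScript unescape(): %uXXXX UTF-16 units first, then %XX bytes."""
    s = re.sub(r'%u([0-9a-fA-F]{4})', lambda m: chr(int(m.group(1), 16)), s)
    return urllib.parse.unquote(s)

def unpack_layers(doc: str, max_depth: int = 5) -> list:
    """Peel nested unescape() literals; each decoded string is a new layer."""
    layers, queue = [doc], [doc]
    for _ in range(max_depth):
        nxt = [js_unescape(m) for lay in queue for m in UNESCAPE_RE.findall(lay)]
        if not nxt:
            break
        layers.extend(nxt)
        queue = nxt
    return layers

def triage(doc: str) -> dict:
    """Report what the attachment would do, without ever rendering it."""
    layers = unpack_layers(doc)
    text = "\n".join(html.unescape(layer) for layer in layers)
    return {
        "layers": len(layers),
        "urls": sorted(set(URL_RE.findall(text))),
        "iframe_targets": IFRAME_RE.findall(text),
        "hidden_iframe": bool(HIDDEN_RE.search(text)),
        "vbscript": bool(VBS_RE.search(text)),
        "activex_markers": [m for m in ACTIVEX_MARKERS if m.lower() in text.lower()],
    }
```

A zero-sized iframe plus a VBScript block naming RDS.DataSpace in an unsolicited attachment is enough to quarantine the message; the extracted URLs can then be blocked at the proxy before anyone opens the file.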



We are still analyzing the files and will update this blog once more information is gathered.


In the meantime, here are things you can do to mitigate this holiday menace.



  • Since the jump-off point of the malware is an HTM document, try disabling JavaScript in your browser. You can also use Mozilla Firefox with the NoScript plugin. This virtually eliminates any chance of the malware kicking off.
  • Also, the malware author used the MS06-014 exploit to download and execute an EXE file. This wouldn’t be a problem if your systems were updated with the latest patches from Microsoft. If you’re not patched yet, well, I guess this is as good a time as any to start patching, don’t you think?
  • So we better watch out, and better not cry… We just have to be aware of these Holiday computer threats so that our holidays will indeed be merry, bright and peaceful! Cheers!