This post is an update to yesterday’s post,
which reports of a newly spotted Yahoo! Photos phishing site. If
you haven’t read it yet, I suggest that you read it before
continuing with this post.



As mentioned in the title, this is an analysis of the mentioned
Yahoo! Photos phish, with emphasis on the how the credentials are
stolen, and where those stolen credentials ultimately end.


The Yahoo! Photos phish (that shall be henceforth known as the
“phish”) contains a form, consisting of two input text boxes (the
Yahoo! ID and Password boxes), a checkbox, and a submit button. A
portion of the form is composed of the following HTML code.



The encoded strings is equivalent to the following



The phish, after clicking the “Sign IN” button, does an HTTP POST
to a certain mailto.cgi, presumed to be a mailer CGI. This CGI file
sits in a server somewhere in Japan.


The variables are remarkably similar to the phish (also a Yahoo!
phish) discussed in this article.

/?p=38


As a test, I saved a local copy of the phish, and modified the
“Mail_To” variable and replace it with my “spambox” email address,
let’s pretend that that email address is
“spambox@somewhere.com”.


Then I placed “username” in the Yahoo! ID field and “password” in
the Password field, and clicked the “Sign In” button.


My packet log (courtesy of Ethereal) showed the following (text
wraps)



As can be seen above, the phish POSTed the following
variables



Take note of the “login” and “passwd” variable. Sweet.


The mailto.cgi, after receiving the HTTP POST, returns an HTTP 302
status code, meaning that the target page is “moved temporarily”,
and that the browser will be redirected to another page specified
in the Location field of the response.



So, after clicking on the “Sign In” button, the user is redirected
to the site http://photos.yahoo.com/ph//my_photos, which is the
value of the “Next_Page” variable. This redirection to the
legitimate Yahoo! Photos page make the phish look like it is really
the proper Yahoo! Photos site.


But what happened to the other variables?


Apparently, the mailto.cgi, which is presumed to be a mailer CGI,
mailed all those info to the email address specifed in the
“Mail_To” variable. Checking my spambox@somewhere.com mailbox, I
found this email.




The Yahoo! ID and the password can be clearly seen. However, most
of the email text is in Japanese, so I don’t know what the rest of
the email says. :)


Old-time readers will probably notice that the methodology used in
this testing is similar to the one used in this post.
This is not at all surprising, since there is uncanny similarity in
the structure of both phishing sites. This particular phish sends
the stolen credentials to this email address:
oxox0o_angel_oxox0o@yahoo.com


As mentioned in yesterday’s post, this indicates that there is a
kit available for Yahoo! phish. The availability of this kit makes
setting up a phishing site much more easier.

As a new wave of Trojan bagles came in, once
again, we started monitoring links that were downloaded by the new
bagle, now detected as TROJ_BAGLE.AH.


One of the many links in its body gave me a z.php file which when
opened was actually a base64 file…ahh it seems that this is it,
if only it were that easy.




I extracted the base64 file using winzip and came up with a file
which I thought was damaged. (No MZ/PE Header) Was this a dead end?
I wasn”t yet sure. It looks like the bagle authors weren’t
exactly going to permit me analysis that easy.


The file I extracted as I said did not have an MZ/PE header but it
did look like a chunk from a file. But there wasn’t really much to
go on so I decided it was really just a garbage file…a mistake, I
admit. :p


Out of boredom I looked again at TROJ_BAGLE.AH, tested it in an
environment with an internet and as expected downloaded a file (the
one I thought was damaged), but to my surprise, the downloaded file
executed in my test machine…and curiosity took over. =)


How did that happen?!


So I looked at the downloaded file which ran (now detected as
TROJ_BAGLE.AJ) and compared it with the one I thought was
damaged.


The discussion below proves the evolving technology of the Bagle
minded people. It downloaded a file looking like garbage and fused
it with an MZ and PE header and then later decrypted the file to
form the now TROJ_BAGLE.AJ.


This is a hex view of the downloaded file which ran
(TROJ_BAGLE.AJ)




The highlighted portion in the first picture is the MZ header that
is fused at the beginning of the downloaded file (the one extracted
from z.php). So now it is a legitimate pe file.


And a hex view of the file I thought was damaged.




The file is then decrypted to form the now (TROJ_BAGLE.AJ). The
encryption although not that hard, can be misleading. I just
thought the file was packed. I think this is better explained with
pictures. :p


This is again a hex view of TROJ_BAGLE.AJ.




See the similarities? Below are a few bytes in the highlighted
portion of TROJ_BAGLE.AJ


00 03 E0 00 00 28 00


And below is the highlighted portion of the file extracted from the
base 64 file z.php.


00 3E 00 00 02 80 00


The first half of the byte was transferred to the byte at the
left.


00 3E 00 is now 03 E0 00


This is done up to the end of the file.


For a clearer picture here are two other hex views of TROJ_BAGLE.AJ
before and after encryption.


Before encryption the file looked like this.




and after the encryption was performed…




This again shows how bagle is continually growing and thinking of
new ways to make our lives a bit harder :p… The encryption may
have been designed to do just that. To make analysis harder and
mislead analysts in to making the wrong conclusion, not to mention
avoiding the scanners that looks on files that are being
downloaded.

Today TrendLabs came across an email with
that looks like another PayPal phish, but a .EXE attachment was
found with this mail. The email points to this attachment as the
transaction details “they” want you to check. The executable
attachment has the file name PE-901-449-020.jpg.exe. The email
details are as follows;


——————————-

From:PayPal Billing Center
Subject:YOUR ACCOUNT LIMITED
Body:

Dear PayPal user,

We are currently performing regular maintenance of our security
measures. Your account has been randomly selected for this
maintenance, and you will now be taken through a series of identity
verification pages. Protecting the security of your PayPal account
is our primary concern, and we apologize for any inconvenience this
may cause.


We recently received a report of unauthorized credit card use
associated with this account. As a precaution, we have limited
access to you PayPal account in order to protect against future
unauthorized transactions.You can check your transaction details in
attachment.


Case ID Number: PE-901-449-020


Please understand that this is a security measure intended to help
protect you and your account.

Thank you,

PayPal Billing Center.


——————————-


If you checked out the details of your transaction, then you might
have already figured it out that there are no transaction details
to check. and by now a Trojan has been installed into your
computer. This Trojan is being detected as TROJ_FAKEPAL.A. This
trojan will register itself as a Browser helper Object(BHO) and
will monitor your IE activity for access to your PayPal account and
steal your confidential data. So if you happened to look at your
PayPal account after clicking the attachment to check out the
status of your real account, most likely the trojan might have
gotten the details it was sent to recover and forward the details
to its “master”. ;-)

So be extra careful when looking at attachments in your emails. The
best prevention is, if you are unsure of the email body and
especially the attachment. Do not, I repeat “DO NOT” try to open
them. Even if they came from a friend or an acquaintance or even
from a known source, because if its not a Phishing scam that’s
after you, a malware might be trying to get into your system. ;-)
So always be careful. For more tips on how to avoid being Phished
you kindly click this link “Trust me…” ;-)
http://learn_how_to_fight_phishing_scams.com.net.ph.org.whatever!


Well as you can see links can be deceiving, so don’t just go around
the web and click links to death. If you need to go to sites that
has your confidential information, TrendLabs suggests you just type
the URL in the address bar instead

We were recently surprised to find a MYTOB
variant (WORM_MYTOB.MX)
suddenly reaching the heights of an outbreak yesterday.


And then now we are receiving reports of the release of a Turkish
man who was responsible for financing the creation of
Zotob.


Atilla Ekici, known as “Coder” was released from prison
a few days ago after a 90-day stint under the long arm of the law
for apparently being responsible for the previous MYTOB and ZOTOB
outbreaks. While it seems like his trial will continue, we are not
too sure if he has already turned over a new leaf or if he will
probably get away with some ‘thing’… again. =(


More updates on this soon.

Dear Customer.


You’ve specified this e-mail as reachable.


Sorry,we were unable to process your transaction


at this time for the following reason:


Transaction Denied by Bank.


Order details:


Date: 11/21/05


Order number is: 456533


You have ordered the following:


Price


RING 1 167.50


RING 2 130.10


Setup fee 2.00


+VAT 90.02



_____________________________


Total in USD: 249.70


Please see attached file.


GOLDNOW SHOP Billing Team.


Thank you for choosing CCBill as the eMerchant for your
subscription!
___________________________________________________________________________


People all over the internet have been reporting of receiving mails
with the body looking similarly like the one above. Mails mainly
differ in the amount of their “orders”. Reports have
been going on about this new phishing scam. Some mails have links
in them that point to a phishing site. But some mails have a
different variation. They have an exe file attachment in them. As
of this writing, the detection for the Trojan with the filename
gsbill.exe is still being processed. Please beware of both the
mails that contain the phishing site and the Trojan. Both mails are
certainly a no-win situation for everybody.

We’ve just received some reports that the IE
0-day exploit mentioned in a previous entry is now in the wild.


Or rather, In-The-Wild in this case meaning:

A hacker got a hold of the exploit code, modified it, hacked some
webpage, defaced it, and put the exploit for IE in the defaced
website.


We’ve just checked the website, and it does look like the IE 0-day
exploit. We’re still checking out what it really does. Updates
later.

After looking at the source code, it was
verified to have the same shellcode as the latest IE 0-day exploit.
Due to its incompleteness (lacks other file components) it cannot
successfully spawns calc.exe on the local machine but, it was able
to copy the shellcode on the memory.


Please refer to the previous post
for additional details.

We just received a new possible BAGLE
currently spreading around:


TMIRT Honeypot already received 12 incidents in 30 minutes.

Initial Sample from TMIRT Honeypot received on: November 23, 2005
09:56 PM +0800 GMT.


MessageLabs already reported 1389 copies in 10 minutes.

Initial report received on: 5:55 AM.


Possible Subjects used are:

• Ales
• Alyce
• Androwe
• Ann
• Anthonie
• Anthonye
• Bennet
• Bennett
• Daniel
• Delivery Status Notification (Failure)
• Edmund
• Edward
• Edwarde
• Elizabeth
• Ellen
• Emanuel
• Emanuell
• Frances
• Fraunces
• Grace
• Henrie
• Henrye
• Hughe
• Isabell
• Jane
• Jeames
• Johen
• John
• Judith
• Katherine
• Katheryne
• Margarett
• Margrett
• Marie
• Michael
• Mychaell
• Nathaniel
• Nicholas
• Peter
• Robert
• Roberte
• Roger
• Rose
• Samuell
• Sindony
• Sybyll
• Valentyne
• Wynefrede
• Wynnefreede

Do hold on for more updates in this page and in the Advisories
section.

This will be detected as TROJ_BAGLE.AH

After continuously monitoring the download
links from the trojan sample, we were able to acquire a sample of
the file it tries to download (z.php; 20KB). The extracted
executable file was confirmed to be another bagle variant (19,961
bytes [unzipped]).


This has been submitted to the service team for processing.

We have witnessed the evolution of the
mobile-breed of malware like the LOCKNUT, SKULLS, CABIR and MABIR
families to name a few. Some would change your phone’s settings
while others would definitely turn your mobile device as useless as
it can be. A new activity for symbian malware has come to
existence, it now steals phonebook and sends it to other devices
via bluetooth without user confirmation.


We know how mobile phones have been a handy-dandy device for people
where they keep their schedule, the important numbers in their
lives like maybe credit card numbers or pins. So..if merely
phonebook today…. what could it be tomorrow?


Since we surely will still keep important data in our devices
(besides if not what’s the use of having one?), let’s be cautious
when installing files and be aware of the new and upcoming threats
by visiting TrendMicro. This file is now detected as SYMBOS_PBSTEAL.A

We just received a new possible BAGLE currently spreading around:
TMIRT Honeypot already received 15 incidents in 30 minutes.
Initial Sample from TMIRT Honeypot received on: November 23, 2005 09:56 PM +0800 GMT.
MessageLabs already reported 1389 copies in 10 minutes.
Initial report received on: 5:55 AM.
Major AV Detections:

• FileName : 1.zip/1.exe_
• TrendMicro : NO_VIRUS
• MailTrap : PAK_Generic.001
• Symantec : NO_VIRUS
• Kaspersky : NO_VIRUS
• McAfee : NO_VIRUS
• Sophos : NO_VIRUS
• Panda : NO_VIRUS
• Alwil : NO_VIRUS
• GeCAD (RAV): NO_VIRUS
• CAI : NO_VIRUS
• CAV : NO_VIRUS
• Ikarus : NO_VIRUS
• Ad-Aware : NO_VIRUS
• PestPatrol : NO_VIRUS
• CleanerPro : NO_VIRUS
• Size : 9,219Bytes

Major AV Descriptions: (Based from Main AV Sites)

• Trend: None
• Symantec: None
• Mcafee: None
• Kaspersky: None
• Sophos: None
• F-Secure: None

Possible Subjects used are:

• Ales
• Alyce
• Androwe
• Ann
• Anthonie
• Anthonye
• Bennet
• Bennett
• Daniel
• Delivery Status Notification (Failure)
• Edmund
• Edward
• Edwarde
• Elizabeth
• Ellen
• Emanuel
• Emanuell
• Frances
• Fraunces
• Grace
• Henrie
• Henrye
• Hughe
• Isabell
• Jane
• Jeames
• Johen
• John
• Judith
• Katherine
• Katheryne
• Margarett
• Margrett
• Marie
• Michael
• Mychaell
• Nathaniel
• Nicholas
• Peter
• Robert
• Roberte
• Roger
• Rose
• Samuell
• Sindony
• Sybyll
• Valentyne
• Wynefrede
• Wynnefreede

Do hold on for more updates in this page and in the Advisories section.

This will be detected as TROJ_BAGLE.AH

Setting up a phishing site is not that hard as you might think.

There are quite a number of sites which hosts quite a substantial number of “phishing kits.” A phishing kit is a pre-configured collection of web pages (be it in HTML or PHP or any other formats) that looks flawlessly similar to known e-commerce, financial, and banking sites, such as eBay, PayPal, and Citibank, to name a few. These kits are used to conduct what we now call as phishing attacks. Because these kits look perfectly the same as legitimate sites, unsuspecting users are often enticed into giving their personal information.

We’ve been recently tipped off about the existence of such sites. Yes, we know that these site really do exist, but I’m talking about active and working URLs, where you can download such kits. You don’t encounter those kind of sites often.

Phishing kits for the following e-commerce sites were found in those sites.

• AOL
  
• Bank of America
  
• Bank of Ireland
  
• Bank of Israel
  
• Bank of Oklahoma
  
• Barclays
  
• Charter One
  
• Citibank
  
• Citizens Bank
  
• eBay
  
• eGold
  
• HSBC-US
  
• Halifax
  
• Kent Bank
  
• PNC Bank
  
• Paypal
  
• RBC Financial Group
  
• Square Trade
  
• TCF Bank
  
• USBank
  
• Visa
  
• Wells Fargo
  
• Western Union

That’s quite a long list! It is also important to note that for some of these kits, there exist several versions, indicating that these kits are indeed constantly kept up to date. These phishing kits also contain a README file in the package. This file comes handy when setting up a scam site.

Now, on to the recipe. To build a phishing site, you’ll need these “raw” materials.

1. Phishing kit
   
2. A web server
   
3. An email address where the gathered info are to be sent
   
4. A mass mailer program

And do the following.

1. Setup the web server. The web server should have support for PHP, since most of the phishing kits are constructed using static HTML and PHP.
   
   
   
2. With the kit, you already have a complete scam site. Setup the phishing kit to a desired virtual directory. The location of the phishing kit should be carefully considered, with a URL that will most likely to fool a user. But this step is most probably done by the kit. Some kits are ZIPed with a “suggested” directory structure.
   
   
   
3. Register a domain name, using a name aimed to fool the user that they are accessing a legitimate site. Remember to use fake registration information. You don’t want to go to jail, do you? And never use your real credit card.
   
   But if you don’t want to be bothered by domain registration, it’s fine. Just use the IP address of the web server. But that’s not really a convincing scam site, isn’t it?
   
   
   
4. At this point, you should already have a working phishing site. But you still need to configure where to send the gathered information. This is where you’ll need the third raw material, email address.
   
   Phishing kits come with a configuration file, usually a PHP page. This configuration needs to be edited. This is where the email address is to be placed. Most phishing kits send gathered information to the indicated email address. Locate that configuration file in the kit, and edit as needed. Consult the README file if necessary.
   
   
   
5. With the phishing site all set up, what’s left to do is to advertise the site. The best way to advertise is, of course, spam. Most of the phishing kits we obtained already have sample phishing emails. This makes the job of a phisher a lot easier.
   
   Advertising the phishing site is, surprisingly, quite easy. There are a variety of ways, I’ll cite two.
   
   
   
   
   
   1. Mailer programs
      
      This is perhaps the easiest option. There are numerous free mailer programs available. If such program cannot be found, you could always create one, or hire someone to create one for you.
      
      An example of which is a mass mailer is the Mass E-Mailer, which can be obtained from
      
      http://www.biegelscripts.com/index.php?a=6&t=2&p=0&l=0
      
      This is a PHP, web-based mass emailer. One of the needed arguments is a text file, which contains all the email addresses to be spammed.
      
      Why am I mentioning this specific product and not others? It is because a package of this mass mailer was found in one of the sites hosting phishing kits, indicating that it is used for phishing purposes.
      
      Though mass mailers might do the job advertising the phishing site, it has one serious drawback: traceability. Since the spam emails all come from the same machine, it is very likely that the spamming run could be traced to the perpetrator.
      
      
      
   2. Botnets
      
      Botnets address the traceability drawback of mass emailers. Since the emails are sent by each individual bots, tracing back the perpetrator would definitely prove to be a much more difficult job. The bots provides the phisher the shield of anonimity. A phisher could also opt to use the individual bots as the host of the phishing site. This provides additional anonymity for the phisher; if the owner of the phishing server (the bot) is tracked, it is not the phishers butt that will be on fire.
      
      However, for this to work, the phisher needs to have serious connections in the underground world.

After all that, just constantly check your email address. Now, what to do with the gathered personal information? It’s all up to you. Use your imagination.

It may seem that I am offering a tutorial on “How to be an evil person.” But as they often say: “To fight the enemy, you must know the enemy.”