The Anatomy of a Phishing Attack

Like many of us, before blindly purging your Spam folder you scan it for senders that the Spam filter may have dumped there by mistake. Apart from a larger than usual number of emails that are unreadable for one reason or another, nothing looks unusual.

But wait, what’s this email from the New York State Department of Transportation? It says “I am in arrears and should follow the embedded link to resolve the issue.” Since you were in New York State just weeks before, you pause, but click on the link in the email anyway.

DO NOT FOLLOW THESE NEXT STEPS. They are for illustration only.

Thankfully, anti-virus software, in this case AVG, was running and up-to-date on the test laptop because…

[Screenshot: AVG catches the malware]

Wham-o! The Blackhole Exploit. This email is not from the New York State Department of Transportation; it is a phishing attack, and AVG detected and blocked the malware.

But what would happen if anti-virus software were not running?

To find out, AVG was uninstalled from the test laptop and the laptop was moved to a safer network outside the firewall, where an infection could not spread to other machines. A couple of monitoring tools were fired up so we could see what happened.

The test laptop has a rather simple method of examining malware activities:

  • CaptureBAT – from the HoneyNet Project to log changes
  • Wireshark – to view network activities
  • AVG Rescue CD – to clean up the mess when the analysis was done

A more advanced environment like GFI’s Sandbox would provide additional details, but this setup allows us to get our hands dirty!

The embedded URL goes into Chrome and the fun begins…

http://kinesiologysydney.com/wp-content/themes/default/lwmgr.html

[Screenshot: page is loading while the malware is installed]

Sure enough, the site source had an embedded IFRAME.

[Screenshot: script runs to install the malware]

The main.php CGI script, highlighted above, returns two different files identified by Microsoft as Exploit:JS/Blacole and Exploit:Win32/CVE-2010-1885.A. Both objects are obfuscated JavaScript code containing an array of known exploits to gain control of a vulnerable Windows-based computer. With anti-virus disabled and an old version of Windows XP (SP2) installed, the malware was in complete control of the laptop in no time.

Once in control, a Generic JavaScript Downloader was run which in turn pulled down a Windows binary identified as TrojanDownloader:Win32/Tracur.AI. This binary created a new file in the file system:

C:/windows/system32/zudugo.exe

Then it created new entries in the registry to enable itself as a Web proxy for redirecting browser activities. It also downloaded two encrypted data files, saving them in the …/LocalSettings/Temp directory and set itself up to start on boot by adding an entry to the Windows registry key:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
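The dropped binary in system32 and the new Run-key entry are the two artifacts an incident responder would go looking for. As an added example (not the author's code or a Kindsight tool), the script below diffs a known-good export of the Run key against a current export, the sort of check you can do offline from a rescue CD. The .reg-style snippets are constructed for the example: the value name `zudugo` and the other entries are assumptions, only the file path `zudugo.exe` in system32 comes from the analysis above.

```python
"""Diff the HKLM Run key against a known-good baseline (added example)."""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# A .reg export line looks like: "ValueName"="C:\\path\\to\\binary.exe"
_ENTRY = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_run_entries(reg_text, key=RUN_KEY):
    """Return {value_name: command} for the entries under `key` in a .reg export."""
    entries = {}
    in_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            # A bracketed line starts a new key section
            in_key = line.strip("[]").lower() == key.lower()
            continue
        m = _ENTRY.match(line) if in_key else None
        if m:
            # .reg files double every backslash; restore the real path
            entries[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return entries


def diff_run_entries(baseline_text, current_text):
    """Report Run-key entries that were added, removed or changed since the baseline."""
    base = parse_run_entries(baseline_text)
    cur = parse_run_entries(current_text)
    return {
        "added": {k: v for k, v in cur.items() if k not in base},
        "removed": {k: v for k, v in base.items() if k not in cur},
        "changed": {k: (base[k], cur[k]) for k in base if k in cur and base[k] != cur[k]},
    }


# Constructed baseline taken from a clean install (entries are assumptions).
BASELINE_RUN = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="C:\\WINDOWS\\SOUNDMAN.EXE"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

# Constructed export from the infected machine: same entries plus the dropper's.
CURRENT_RUN = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="C:\\WINDOWS\\SOUNDMAN.EXE"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"zudugo"="C:\\WINDOWS\\system32\\zudugo.exe"
'''

if __name__ == "__main__":
    for kind, items in diff_run_entries(BASELINE_RUN, CURRENT_RUN).items():
        for name, value in items.items():
            print(f"{kind}: {name} = {value}")
```

A value name and path that appear in neither the baseline nor a vendor allow-list are what to investigate first; a binary sitting in system32 is no guarantee of legitimacy, as this sample shows.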

Finally, this piece of malware started to run the payload and system performance dropped off almost immediately. What was it doing?

Sending Spam!

A quick review of the network capture showed that the malware was sending approximately 200 emails per minute. Each email was addressed to 5 different recipients, meaning over 1000 email recipients were getting Spam from my machine every minute.

Needless to say, a graceful shutdown of the capture tools was performed and the machine was powered off immediately. The AVG Recovery CD was booted, signatures updated and the infection was cleaned up.

[Screenshot: malware sending spam]

This would be considered a pretty simple infection, but the reality is that within a matter of seconds the laptop had gone from waiting for a Web page to be displayed, to cranking out thousands of Spam emails per minute. 

On second glance, the malware was a bit more sophisticated, as it used an array of SMTP servers and, where possible, matched the sender’s email domain to the server used to send the email to increase the chance of delivery. Also of note, a sample was taken of the mail recipients and only a few were not legitimate, suggesting that the botnet controllers are working with a database of known email addresses, further increasing their chances of delivering content.
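The two observations above, a burst of roughly 200 messages per minute to five recipients each and a spread of distinct SMTP servers, are exactly what a network monitor can alert on. This is an added example, not code from the post or from Kindsight: it buckets a constructed per-message SMTP log by minute and raises an alert when the message rate crosses a threshold, reporting recipient fan-out and the number of distinct servers in that minute. The log format (one line per message, `key=value` fields) is invented for the example, and the addresses are documentation ranges.

```python
"""Detect an outbound-spam burst in a per-message SMTP log (added example)."""
from collections import defaultdict

# Constructed sample: one normal message, then six messages in a single
# minute, each with five recipients, spread across four SMTP servers.
SAMPLE_LOG = """\
2012-03-15T10:40:12 client=192.0.2.10 server=198.51.100.7 mailfrom=user@corp.example rcpt=1
2012-03-15T10:41:03 client=192.0.2.10 server=203.0.113.5 mailfrom=x1@mail-a.example rcpt=5
2012-03-15T10:41:04 client=192.0.2.10 server=203.0.113.9 mailfrom=x2@mail-b.example rcpt=5
2012-03-15T10:41:04 client=192.0.2.10 server=203.0.113.5 mailfrom=x3@mail-a.example rcpt=5
2012-03-15T10:41:05 client=192.0.2.10 server=203.0.113.21 mailfrom=x4@mail-c.example rcpt=5
2012-03-15T10:41:06 client=192.0.2.10 server=203.0.113.33 mailfrom=x5@mail-d.example rcpt=5
2012-03-15T10:41:07 client=192.0.2.10 server=203.0.113.9 mailfrom=x6@mail-b.example rcpt=5
"""


def parse_line(line):
    """Split 'TIMESTAMP key=value ...' into a dict; 'minute' is the YYYY-MM-DDTHH:MM bucket."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["minute"] = ts[:16]
    rec["rcpt"] = int(rec["rcpt"])
    return rec


def summarize_by_minute(log_text):
    """Per-minute message count, total recipients and the set of SMTP servers used."""
    per_min = defaultdict(lambda: {"messages": 0, "recipients": 0, "servers": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        bucket = per_min[rec["minute"]]
        bucket["messages"] += 1
        bucket["recipients"] += rec["rcpt"]
        bucket["servers"].add(rec["server"])
    return per_min


def spam_burst_alerts(log_text, messages_per_minute=5):
    """Return one alert per minute whose outbound message count reaches the threshold."""
    alerts = []
    for minute, b in sorted(summarize_by_minute(log_text).items()):
        if b["messages"] >= messages_per_minute:
            alerts.append({
                "minute": minute,
                "messages": b["messages"],
                "recipients": b["recipients"],
                "distinct_servers": len(b["servers"]),
            })
    return alerts


if __name__ == "__main__":
    for a in spam_burst_alerts(SAMPLE_LOG):
        print(f"{a['minute']}: {a['messages']} msgs, {a['recipients']} rcpts, "
              f"{a['distinct_servers']} servers")
```

The threshold is deliberately low for the constructed data; for a workstation that should never talk SMTP to arbitrary hosts, any outbound port-25 connection to more than one or two servers is itself worth an alert, and the distinct-server count is the signal that distinguishes a bot from a misconfigured mail client.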

Preventing new phishing attacks

A week or so later, the exploited site was still up and running, but the IFRAME (the root cause of the infection) failed to load. The domain names it used no longer existed, so the attack no longer worked. Whoever was hosting the attack had cleaned things up and moved on.

The fact the exploit stopped working suggests that spammers know links advertised via Spam have a shelf life before incoming click rates drop off. Once this period passes, it’s time to pull up stakes and move on to cover their trail.

Even though this attack is no longer functional, there is no doubt that a new email will arrive tomorrow with a very similar exploit vector, originating from completely different hosts scattered around the world. It will probably look different but act much like the one described here, and it will likely dupe some poor soul into clicking on the link because they really were in New York State last month, or were expecting a FedEx/UPS/DHL delivery, or who knows what coincidence will get them in trouble…

Preventing this can be as simple as having up-to-date anti-virus software running on your computer, but even this won’t ensure 100% safety. New exploits are found daily, and the cycle time for getting updates into the AV customer’s hands opens a window of opportunity for attackers. The surest solution is DO NOT open documents or follow links coming from unsolicited emails, no matter how well the con applies to you.

By Paul Edwards, Kindsight Security Labs