Last weekend I spent some time with extended family helping confirm for them that their on-line email account got hacked and had been used to send some malware-linking spam emails to users in their contact list.
Yesterday our family email account was on the receiving end of someone -- possibly -- who fell victim to an email account hack as our email address was amongst several others included together receiving the email. I say possibly as none of us recognized the sender’s email address and it wasn’t in any of our address books. Possibly our along with the other’s email addresses had been harvested somehow and this was a fake spamming account. The “show-as” name was definitely non-standard and used some letters that related to that in the subject line.
It was pretty evident to me this was probably a dangerous site to go to, but being curiously-minded, I couldn’t pass up the chance to do some detective work.
The email originated from a yahoo mail account.
The Subject line was baited “ACH Transfer Canceled…” and the display name in the email address contained the letters “NACHA.”
ACH is meant to refer to the “Automated Clearing House” which handled financial transactions in the US overseen by the NACHA. To most Americans, I’m betting these acronyms mean very little and they would be more taken with a sudden urge to grab some NACHOES instead. Maybe Europeans would be a little more anxious emails purporting to come from ACH and NACHA. I digress.
First thing I looked at was the message header. Lots of goodies there. We can follow the bounce between the yahoo mail sender to our ISP’s email servers. Times/dates of transmission.
Since this was a Yahoo mail account, it appears the header may actually contain the IP address of the the location the mail account was logged into from. This is the first time I have seen this so I need to do more research. The IP associated with this particular email is located in France.
The website IP Address Locator has lots of good tools for locating IP addresses as well as a feature that allows a copy/paste/analyze of email headers.
The content of the email was very thin, a single line with all the text ran together. There is a URL link markup there, however it misses getting all the characters. Hmm.
Toggling between the different modes of viewing email content in Thunderbird reveals odd results. If I look at it in original html mode I see a single line of text with an hyperlink in the middle.
If I view it in simple html most of the text is the same but a few characters are different.
If I view it in plain text, there is nothing showing.
Hovering over the hyperlink displayed shows a URL shortner link. Hmm. Set that aside for a moment.
So I back and look at the full header view again and find this in the message body:
Content-Type: text/html; charset=ISO-8859-5
Ah! So I copy/paste that large text block that follow that into this base64 online encoder / decoder and get a binary file to download!
(More regarding content encoding methods here Content-Transfer-Encoding - MSDN, here The Content-Transfer-Encoding Header Field via freesoft.org and here Decoding Internet Attachments - A Tutorial by Michael Santovec.)
Opening that binary file in Notepad++ reveals the html code with the same actual URL embedded.
Guessing here they are using base64 coding for the content to try to get around email scanners.
OK, so let’s check out that URL.
Turns out this is a pretty cool choice from both sides of the security fence. By appending the URL with “.info” at the end of a Goog.le shortened URL we can find out the stats from Goo.gl URL shortener (Google Groups)
This is good from an attacker standpoint as they can easily monitor their success rate on the nibbles of this hook and any “hits” to the actual URL. Researchers can get info as well by monitoring the same info and how fast/long the “click-through” may happen.
Neat isn’t it?
Now that I’ve got the actual long URL that this points to, we can start tossing the URL at some on-line link analysis/scanner tools.
VirusTotal shows both TrendMicro and SCUMWARE.org report the long URL as a Malware/Malicious site.
Anubis: Analyzing Unknown Binaries provided a deeper review of the URL by capturing Windows system events in a virutal sandbox system. It accesses the Windows registry, mucks with some keys, created a cookie, reads the autoexec.bat file, mods some files and maps dll’s to memory and appears to try to download more stuff. The report is available in HTML, XML, PDF, and TXT formats. Also, they offer a traffic.pcap file to download so you can examine the network traffic generated and perform any NFA you want to do. This site/tool rocks from a depth of information standpoint.
urlQuery gives some more report feedback when it is sandboxed. Lots of Java script stuff. Another strong URL analysis reporting site.
Trying it a few more times changing the browser type/java version/flash version gets different results and the URL serving code reflects all kinds of different IP’s each time so that long URL seems to be hosted at a dynamic IP host allowing it to bounce around (serving up HTTP redirects) and serve up the malware code depending on platform from all over the place making it harder to track down the source.
urlQuery actually identified the network traffic code as being detected as Blackhole exploit kit v1.2 HTTP GET request. Another clue.
I tossed the pcap file I got from Anubis into NETRESEC NetworkMiner. Nothing very interesting but my Microsoft Security Essentials alerted when the HTML page was reassembled by NetworkMiner and quarantined the file. It identified the page code as being Exploit:JS/Blacole.AR. (MS’s way of saying “blackhole” I suppose…)
Here are a series of links regarding these kinds of email spam threats in general as well as Blackhole info in particular as it relates with email spam campaigns, if you are curious.
- Prevalent Exploit Kits Updated with a New Java Exploit - M86 Security Labs Blog
- An analysis of the ACH spam campaign - M86 Security Labs Blog
- Cutwail Spam Campaigns Lure Users to Blackhole Exploit Kit - M86 Security Labs Blog
- “Steve Jobs Alive!” Spam Campaign Leads To Exploit Page - M86 Security Labs Blog
- All Posts tagged Malicious Spam - M86 Security Labs Blog
- Malicious email scam "Re: Scan from a Xerox W. Pro #XXXXXXX" returns with a new face - IT Secure Site more on a related Blackhole email spam attempt.
- Blackhole exploits kit attack growing - Zscaler Research
- Exploit Kit in my Morning Email (BlackHole Exploit Kit . . . Maybe) - ReverSecurity
I doubt this is the last our email inbox will see of these things, but the whole process has been quite fun to follow.
I’ve decided to leave out links/images of the actual email and the header-code/URL (short/long) but have passed it along to a number of security-spam websites in case it is of use.
A long time ago I had a list of URL-testing sites to feed a URL into to see if they were safe or not. Most seem to have gone away, however the following forums had a number of new ones worth bookmarking. Hat tip to “PROROOTECT” for the legwork!
- Free Online On-demand URL Security Scanners - MalwareTips forum
- FREE ONLINE SECURITY SCANS For Suspicious URL Link - Sysinternals Forums
Here is a combined and cleaned up list based on the collective work there from PROROOTECT in both places and at least one or two I’m tossing in and a few from those lists I removed that seem dead/redirected incorrectly. PROROOTECT does make a great point that the effectiveness of these vary, so a “bad” URL in one may come back as “clean” in another. So it’s best to run your URL through multiple sources.
Note, these are URL/web-page scanners. They are a bit different than on-line file-scanners/sandboxes used to analyze malware samples. Though a few seem to come pretty darn close with the depth of their reports/analysis.
Not “necessarily” ordered in order of usefulness.
- IP Address Locator - Track IP, Search IP, Find IP, Trace IP Lookup, What Is My IP Address Location
- TrueURL - decode short URLs
- Decode Short URL Decoder - cekPR.com - decode short URLs
- TinyURL.com - preview a TinyURL
- LongURL - decode short URLs
- Untiny - decode short URLs
- base64 online encoder / decoder - decode base 64 code in emails
- Quttera - FREE Online Heuristic URL Scanner
- Anubis - Analyzing Unknown Binaries
- vURL Online - Quickly and safely dissect malicious or suspect websites
- HTTP Web-Sniffer 1.0.37 - view HTTP request/response headers
- Finjan URL Analysis - URL analysis
- VirusTotal - Free Online Virus, Malware and URL Scanner
- UrlVir.com - URL scanner using domain, IP or MD5 hash value. Hosted by NoVirusThanks
- SURBL Blacklist lookup - check database for known websites that have appeared in unsolicited (spam) emails. More on the program here: SURBL
- URLVoid.com BETA - scan website for malware, threats and other bad things.
- URL & Link Scanner - Scan URLs for malicious code - URLVoid.com BETA to scan URL with multiple AV engines.
- WAVE - Web Accessibility Evaluation Tool - may not tell you if a site is “malicious” but provides a visual report on the site as well as any funky coding going on.
- Comodo Site Inspector - scan page to see if it generates malicious activity or hosts malware.
- Website Security Check - Unmask Parasites. Scans site for evidence of exploit code.
- Norton Safe Web, from Symantec - is a site safe?
- Dr.Web - is a site safe?
- Trend Micro Site Safety Center - is a site safe?
- AVG LinkScanner Online- is a site safe?
- F-Secure Browsing Protection Portal - Can you trust a site?
- AVG Online Virus Scanner | Scan Web Pages | AVG LinkScanner Drop Zone - Can you trust a site? (Aussie edition)
- Online Link Scan - Virus, Trojan, Adware and Malware Scanner using a variety of scanning engines.
- PhishTank - site to report suspicious/phishing URL sites.
- Check page for sh*t - resources including a URL check in Google spyware checker.
PROROOTECT’s suggestion to use an online URL screenshotting service to capture the displayed URL safely is some good outside the box thinking. Kinda a “look-before-you-leap” thing if all the above items pass OK.
- Shotbot - Screenshot Bot | Ascreen Generator - generates jpeg thumbnails of public websites.
- IE NetRenderer - Browser Compatibility Check - I like this one in that you can pick your browser version from a selection. If the URL/page responds differently based on your browser, then this might show it.
- thumbalizr - thumb your webpages
- url2png - website screenshot service
- loads.in - webpage load screenshots in multiple browser with option to pick from from over 50 locations worldwide
- ShrinkTheWeb - website screenshot service
Fun trip if it wasn’t so serious…
Update: I meant to add this in to the original post but got sidetracked. A recent Digital Forensics Case Leads post has mention of a super-fantastic investigation/forensic report involving anonymous emails. This is must-read material, not just in terms of the investigative methodology but also the way the report was composed and presented. Very clearly done! I’m keeping a saved copy of the report for future reference; both technically and as a report template. From the post via the link above:
University of Illinois recently released a detailed investigation report (PDF) regarding anonymous emails allegedly sent by its Chief of Staff to the University's Senates Conference. The report is an interesting read, and also serves as a potentially useful model for those looking for report samples and templates.