On June 16th, I wrote a post about a new trend in dangerous, one-click install malware spam. As I predicted, the campaigns continue to evolve and bypass most anti-virus filters.
Late last week, we detected a related spam campaign that redirected users to a fake luxury watch web site. The original pharmacy spam that tipped us off to this trend several months ago used a URL call to action. However, two methods of operation are prevalent in these campaigns. One method uses a call to action URL that causes browsers to execute the malicious JavaScript downloader through a stealthy iFrame reference — effectively a drive-by download. The other attaches the JavaScript downloader directly to the spam message and indicates the call to action is to open the attachment. Both techniques effectively amount to a single action that can result in your computer becoming remotely controllable by cyber criminals without any indication that your system has been compromised.
If this doesn’t scare the hell out of you, then denial really is a river in Egypt.
This week, Red Condor continues to detect more waves of these emails, again spoofing Amazon.com and other well known and trusted brands. What’s particularly interesting about these campaigns is that spammers have figured out that a JavaScript downloader is a very effective syringe with which to inject malware into unsuspecting victims’ computers.
The downloader technique is effective because the spammers have found that by employing trivial code obfuscation techniques, they are able to mutate the downloader code on the fly. This makes the downloader script essentially unique every time a user clicks on the link, or for each spam that is sent out with the JS attached. Because the code is unique for each user that encounters it, AV companies cannot keep up. As a result, criminals are able to make an end-run around AV systems by using the victim’s browser to download malicious code, without the typical user interaction that AV software is more adept at detecting.
The downloaded code then attempts several distinct exploits against Java and Adobe components, as well as other vulnerabilities, which, if successful, result in malware installs that are completely under the radar. In some sense, it doesn’t matter if the downloaded code is recognized by AV engines, only that the downloader itself is unrecognizable by AV programs, and that is exactly what is occurring with these campaigns.
Allow me to illustrate by way of example.
Here’s a VirusTotal scan of one of these obfuscated JS downloaders I obtained yesterday:
http://www.virustotal.com/analisis/8df4e24c81f765ae2f47947a3304f5a96fc7760c1ded4e8c3d4e6a3071d01aad-1277245473
As you can see, not a single one of the 40+ AV engines detected the downloader as anything to raise an eyebrow at.
I’ve found that by “decrypting” the obfuscated JavaScript, some AV engines do indeed detect the malicious downloader (although typically fewer than 1/3 of the engines used by VT).
Here’s a scan of the same sample that I reverse obfuscated to obtain the raw, human readable JS:
http://www.virustotal.com/analisis/18bfb32fdbfcabb48ac0796d618d64fb6097053eaaef5eac2e1e327d58c2685f-1277245521
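The “decrypting” step described above, and the per-click mutation described earlier, as an added Python example that is not from the original post or from Red Condor: it statically peels two eval wrappers (unescape and String.fromCharCode, assumed here; the campaign’s real obfuscation is not shown on this page) from a constructed sample and shows that the hidden-iframe indicators become visible only after unwrapping.

```python
import re
import urllib.parse

# Constructed sample: a benign stand-in for the campaign's mutating downloader.
# Two wrapper layers hide a document.write() of a 1x1 hidden iframe; the host is
# a placeholder, not an indicator from the original post.
def build_constructed_sample() -> str:
    inner = ('document.write(\'<iframe src="http://placeholder.invalid/in.php" '
             'width="1" height="1" style="visibility:hidden"></iframe>\');')
    codes = ",".join(str(ord(ch)) for ch in inner)
    layer1 = "eval(String.fromCharCode(" + codes + "));"
    return "eval(unescape('" + urllib.parse.quote(layer1, safe="") + "'));"

# Static unwrappers for eval(unescape('...')) and eval(String.fromCharCode(...)).
# Nothing is executed; each match is replaced by its decoded text so the next
# layer can be peeled.
UNESCAPE_RE = re.compile(r"""eval\(\s*unescape\(\s*(['"])(.*?)\1\s*\)\s*\)""")
CHARCODE_RE = re.compile(r"eval\(\s*String\.fromCharCode\(\s*([\d\s,]+)\)\s*\)")

def peel_layer(script: str):
    m = UNESCAPE_RE.search(script)
    if m:
        return script[:m.start()] + urllib.parse.unquote(m.group(2)) + script[m.end():]
    m = CHARCODE_RE.search(script)
    if m:
        decoded = "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip())
        return script[:m.start()] + decoded + script[m.end():]
    return None  # no known wrapper left

def deobfuscate(script: str, max_layers: int = 10):
    """Return (plain_script, layers_removed); bounded so a nested blob can't loop forever."""
    layers = 0
    while layers < max_layers:
        nxt = peel_layer(script)
        if nxt is None:
            break
        script, layers = nxt, layers + 1
    return script, layers

# Indicators an analyst would flag in the unwrapped script: an iframe sized or
# styled to be invisible, and the document.write() that injects it.
INDICATORS = {
    "hidden_iframe": re.compile(
        r'<iframe[^>]*(width="?[01]"?|height="?[01]"?|visibility:\s*hidden|display:\s*none)', re.I),
    "document_write": re.compile(r"document\.write\s*\(", re.I),
}

def find_indicators(script: str):
    return sorted(name for name, rx in INDICATORS.items() if rx.search(script))
```

Running find_indicators() on the raw sample returns nothing, which is the point the post makes about signature engines; after deobfuscate() both indicators are found.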
Here’s a scan of one of the malicious components fetched by the downloader (Notes10.pdf):
http://www.virustotal.com/analisis/9c833ec576beb5df92709667a2226befb51ab74d3aa1ef4aec7cad59371d85a7-1277244976
(See here for more on this exploit: http://www.kb.cert.org/vuls/id/234812)
And another malicious component fetched by the downloader (Applet10.html):
http://www.virustotal.com/analisis/291e77a55ffab2ff8d852201e6f751bee04eabccb5ce1bb526d1d28ac6ee908a-1277245586
(See here for more on this exploit: http://www.kb.cert.org/vuls/id/886582)
There is also a Windows native binary executable (file.exe) that is supposed to be downloaded, but it was not being served up by the malware server during the time of my analysis. However, past incarnations have generally shown this to be Trojan software.
Signature features of these single-click malware spam campaigns include:
1. Back-to-back waves of highly varied spam templates: some are sophisticated spoofed service messages from well-known entities such as Amazon, Skype, etc., while others are merely gibberish with an .html attachment.
2. While some of these include social engineering tricks, which up until now have been exclusively used for phishing, these messages are absolutely NOT phishing attempts as has been erroneously reported by many in the blogosphere. I feel this point is important because if a victim is lured into interacting with one of these would-be phishing messages and instead arrives at a Canadian Pharmacy site, they realize they have been duped. They are not alarmed or tipped off, however, to the fact that they have likely just compromised their system.
3. Typical volume for these waves of campaigns: several hundred thousand blocked within 12 hours of a new wave, and in the neighborhood of 2-3 million after three or four days.
4. The spammers are still morphing their spam templates and switching references to different compromised hosts that serve up the iFrame (which causes the downloader to run).
5. Like preceding campaigns, these new variations are single-click (or in the case of the attached .html versions – the single action of opening the attachment) blended threats.
I strongly suspect that the Russian Business Network (a.k.a. Partnerka), possibly in concert with pay-per-install groups, is behind this new trend in stealthily malicious campaigns.
I’ll say it again: These campaigns are dangerous; don’t let the benign Canadian Pharmacy or Replica Rolex drop site fool you. Given that most anti-spam solutions and AV engines continue to fail in detecting these threats, the trend is quite likely to continue.
It’s up to end users to protect themselves. A single click could be the kiss of death for the user and the organization he/she works for. The mantra “Don’t click on spam links or open attachments from unknown senders!” is an oldie but a goodie, and it has never been more salient than in today’s continuously unfolding threat landscape that is our beloved Internet.