Big Brother Brazil 2011 (AKA BBB 2011) malware attack
Big Brother 2011 (AKA BBB 2011) has begun in Brazil and is being used as a lure for social engineering attacks.
Big Brother Brasil 2011 began on January 11th in Brazil, and malware authors should be celebrating: because the show is so popular, it is easy to attract victims (via social engineering) with promises of videos or pictures of the BBB 2011 participants.
We will show you a threat that arrived as a phishing message and uses social engineering to ask recipients to click a link in order to watch a video of a transsexual participant who is confusing the male participants of BBB 2011.
As you can see in the original e-mail below, the attacker used a technique known as DHA (Directory Harvest Attack) against the @hotmail.com domain in order to send the phishing message to valid e-mail addresses.
Note that when you hover the mouse over the link, which appears to lead to youtube.com, the status bar shows that it does not go to the youtube.com website at all: it goes to hxxp://twurl.nl/rbpm6s.
Below is the source (message headers) of the phishing message:
----------------------------------------------------------------
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0wO0Q9MjtTQ0w9Ng==
X-Message-Status: n
X-SID-PRA: globo.com (BBB 2011)
X-SID-Result: Fail
X-DKIM-Result: None
X-AUTH-Result: FAIL
X-Message-Info: DkpufaDli9Iih8M1I3rOCBHB3/E1htFb2qXrXVLfpfjlNFuHVG90WYrx2zq5Mw1fmsHKOjL4weQGCOatyx0Pn7FYN0czafnY9kSTqtv24cY=
Received: from wl01.ws.poa.ige ([201.94.125.1]) by col0-mc3-f16.Col0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
Tue, 18 Jan 2011 10:21:08 -0800
Received: from wl01.ws.poa.ige (dcrs8211 [127.0.0.1])
by wl01.ws.poa.ige (8.13.8/8.13.8) with ESMTP id p0IH1auJ030937;
Tue, 18 Jan 2011 15:01:36 -0200
Received: (from httpd@localhost)
by wl01.ws.poa.ige (8.13.8/8.13.8/Submit) id p0IH1ZXl030933;
Tue, 18 Jan 2011 15:01:35 -0200
To: baa@hotmail.com, bbb@hotmail.com, bcc@hotmail.com,
bdd@hotmail.com, bee@hotmail.com
Subject: ariadna (transesual) no bbb 2011 deixa homens confuso....
X-PHP-Script: mylove2010.info/catastrofe/feed10.php for 187.57.247.86
Date: Tue, 18 Jan 2011 15:01:34 -0200
From: "globo.com (BBB 2011)"
Reply-to: "globo.com (BBB 2011)"
Message-ID: <63a5faa6442cd3b2f870f2ac7a99bde7@mylove2010.info>
X-Priority: 3
X-Mailer: Microsoft Outlook Express 6.00.2800.1409
X-MimeOLE: Produced By Microsoft MimeOLE V6.10.2800.1409.1718742875.rg.sm31
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/html; charset="iso-8859-1"
Return-Path: httpd@wl01.ws.poa.ige
----------------------------------------------------------------
As you can see from the message source, this phishing message involves three main elements:
- A file named feed10.php
- A file named ariedina.jpg3
- A link pointing to the website hxxp://twurl.nl/rbpm6s
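To make the header clues above concrete, here is an added Python example (not code from the original post) that parses the headers as reproduced on this page, together with a constructed HTML body standing in for the one the post describes, and reports the defender-relevant signals: the failed sender-authentication results, the gap between the domain the display name claims and the domains carried by Return-Path and Message-ID, the X-PHP-Script mailer header, the directory-harvest pattern in the recipient list, and the anchor whose visible text names youtube.com while its href goes to twurl.nl. The recipient-enumeration check is a heuristic of my own, not something the post states, and the malicious URL stays defanged (hxxp) exactly as the post writes it.

```python
import re
from email import message_from_string

# Constructed sample: the header block is reproduced from the post (the
# X-Message-* headers are omitted); the HTML body is an assumption, since the
# post only describes the link. The URL is kept defanged (hxxp) as on the page.
RAW_MESSAGE = """\
X-SID-PRA: globo.com (BBB 2011)
X-SID-Result: Fail
X-DKIM-Result: None
X-AUTH-Result: FAIL
Received: from wl01.ws.poa.ige ([201.94.125.1]) by col0-mc3-f16.Col0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
\tTue, 18 Jan 2011 10:21:08 -0800
To: baa@hotmail.com, bbb@hotmail.com, bcc@hotmail.com,
\tbdd@hotmail.com, bee@hotmail.com
Subject: ariadna (transesual) no bbb 2011 deixa homens confuso....
X-PHP-Script: mylove2010.info/catastrofe/feed10.php for 187.57.247.86
Date: Tue, 18 Jan 2011 15:01:34 -0200
From: "globo.com (BBB 2011)"
Message-ID: <63a5faa6442cd3b2f870f2ac7a99bde7@mylove2010.info>
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Return-Path: httpd@wl01.ws.poa.ige

<html><body><p>Veja o video:</p>
<a href="hxxp://twurl.nl/rbpm6s">http://www.youtube.com/watch</a>
</body></html>
"""

DOMAIN_RE = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}", re.I)
URL_HOST_RE = re.compile(r"(?:https?|hxxps?)://([^/\s\"'<>]+)", re.I)
ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+")
ANCHOR_RE = re.compile(r"<a\s[^>]*?href=[\"']([^\"']+)[\"'][^>]*>(.*?)</a>", re.I | re.S)


def normalize_host(host):
    host = host.lower().split(":")[0]
    return host[4:] if host.startswith("www.") else host


def auth_failures(msg):
    """Authentication verdicts added by the receiving MTA that signal failure."""
    out = []
    for name in ("X-SID-Result", "X-DKIM-Result", "X-AUTH-Result"):
        value = msg.get(name)
        if value and value.strip().lower() in ("fail", "none", "softfail"):
            out.append(f"{name}: {value.strip()}")
    return out


def sender_domains(msg):
    """Domain the From display name claims vs. the envelope and Message-ID domains."""
    claimed = DOMAIN_RE.search(msg.get("From", ""))
    return_path = msg.get("Return-Path", "").strip("<> ").rpartition("@")[2]
    message_id = msg.get("Message-ID", "").strip("<> ").rpartition("@")[2]
    return {
        "claimed_domain": claimed.group(0).lower() if claimed else None,
        "return_path_domain": return_path.lower() or None,
        "message_id_domain": message_id.lower() or None,
    }


def harvest_pattern(msg, min_recipients=5):
    """Heuristic (my own, not from the post) for DHA output: many recipients at one
    domain whose local parts all have the same length and arrive in sorted order."""
    addrs = ADDR_RE.findall(msg.get("To", ""))
    if len(addrs) < min_recipients:
        return False
    locals_, domains = zip(*(a.lower().split("@") for a in addrs))
    return (len(set(domains)) == 1
            and len({len(l) for l in locals_}) == 1
            and list(locals_) == sorted(locals_))


def mismatched_links(html):
    """Anchors whose visible text names one host but whose href goes to another."""
    found = []
    for href, text in ANCHOR_RE.findall(html):
        target = URL_HOST_RE.search(href)
        shown = URL_HOST_RE.search(re.sub(r"<[^>]+>", "", text))
        if target and shown:
            t, s = normalize_host(target.group(1)), normalize_host(shown.group(1))
            if t != s:
                found.append((t, s))
    return found


def analyze(raw):
    msg = message_from_string(raw)
    body = msg.get_payload()
    report = {
        "auth_failures": auth_failures(msg),
        "harvest_pattern": harvest_pattern(msg),
        "php_mailer": msg.get("X-PHP-Script"),
        "mismatched_links": mismatched_links(body if isinstance(body, str) else ""),
    }
    report.update(sender_domains(msg))
    actual = {report["return_path_domain"], report["message_id_domain"]}
    report["sender_mismatch"] = bool(report["claimed_domain"]) and report["claimed_domain"] not in actual
    return report


if __name__ == "__main__":
    for key, value in analyze(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```

Any one of these signals on its own is weak (a legitimate newsletter can fail SPF after forwarding), but a message that fails every authentication check, is sent by a PHP script on a third domain, claims a fourth domain in its display name and hides its real link target is about as clear a phishing profile as mail headers give you.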
I have downloaded this script page by using the webget utility. See the screenshot below:
Analyzing the file ariedina.jpg3
I have downloaded this picture so I could analyze it and saw that it's really just a picture:
Analyzing the link hxxp://twurl.nl/rbpm6s
Analyzing youtube_video756.exe
If you run youtube_video756.exe, it will basically perform the following activities:
Indicators of compromise
Check for files with any of the following MD5 hashes under C:\Documents and Settings\%user%\:
edaa81ad2165c65bb340e636bf642291
b82c51f94b0e516f461b6f84a668dfde
76184bebea96f59086368b64a896d224
f590d18d7b50109c03c6237d86e8415d
52ea037028eb2274147aef1edfb64865
daa21069ae179cc0f195cd42795b592b
86802efad8fb5b8153d7c7de67cb66bb
fc7592c9f2e2264c687a806459387d30
9547ff6be241b5bb8a87f0dabe3b3218
5cd6a3ac2b2d97e36091a1ecd2fd0aec
Network connections to:
hxxp://mylove2010.info/catastrofe/feed10.php
hxxp://twurl.nl/rbpm6s
hxxp://livinianot.com.br/
ftp.biancarox.net
id=8d1a2ece03010fe9610c852a70d13c22f9e91d93e39abc939a742d84b279ea64-1295996475
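The indicators above, as an added Python example (not code from the original post) of how a responder would actually sweep for them: a streaming MD5 hash check over a directory tree against the listed hashes, and a label-boundary match of the listed hosts against proxy-log lines. The log lines and the sample file are constructed for the demo, the URLs stay defanged (hxxp) as on the page, and the real profile path from the post is only noted in a comment; on a live system you would point scan_tree at that directory.

```python
import hashlib
import os
import re
import tempfile

# MD5 hashes listed in the post as indicators of compromise.
IOC_MD5 = {
    "edaa81ad2165c65bb340e636bf642291",
    "b82c51f94b0e516f461b6f84a668dfde",
    "76184bebea96f59086368b64a896d224",
    "f590d18d7b50109c03c6237d86e8415d",
    "52ea037028eb2274147aef1edfb64865",
    "daa21069ae179cc0f195cd42795b592b",
    "86802efad8fb5b8153d7c7de67cb66bb",
    "fc7592c9f2e2264c687a806459387d30",
    "9547ff6be241b5bb8a87f0dabe3b3218",
    "5cd6a3ac2b2d97e36091a1ecd2fd0aec",
}

# Hosts taken from the network indicators listed in the post.
IOC_HOSTS = ("mylove2010.info", "twurl.nl", "livinianot.com.br", "ftp.biancarox.net")

# Constructed proxy-log style lines for the demo; not real captured traffic.
SAMPLE_LOG_LINES = [
    "2011-01-25 12:00:01 10.0.0.23 GET hxxp://mylove2010.info/catastrofe/feed10.php 200",
    "2011-01-25 12:00:02 10.0.0.23 GET hxxp://twurl.nl/rbpm6s 302",
    "2011-01-25 12:00:05 10.0.0.23 GET hxxp://livinianot.com.br/ 200",
    "2011-01-25 12:00:09 10.0.0.23 CONNECT ftp.biancarox.net:21 200",
    "2011-01-25 12:01:00 10.0.0.40 GET http://www.example.com/index.html 200",
]


def md5_of_file(path, chunk_size=65536):
    """Stream the file through MD5 so large files never have to fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root, hashes=IOC_MD5):
    """Return (path, md5) for every regular file under root whose MD5 is in hashes."""
    matches = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = md5_of_file(path)
            except OSError:
                continue  # locked or unreadable file: skip it rather than abort the sweep
            if digest in hashes:
                matches.append((path, digest))
    return matches


def host_pattern(host):
    # Label-boundary match: "twurl.nl" must not match "nottwurl.nl" or "twurl.nl-cdn".
    # A subdomain such as "a.twurl.nl" is deliberately not matched either; list it
    # separately if you want it flagged.
    return re.compile(r"(?<![\w.-])" + re.escape(host) + r"(?![\w-])", re.I)


def flag_network_lines(lines, hosts=IOC_HOSTS):
    """Return (host, line) for every log line that names one of the IoC hosts."""
    patterns = [(h, host_pattern(h)) for h in hosts]
    hits = []
    for line in lines:
        for host, pat in patterns:
            if pat.search(line):
                hits.append((host, line))
    return hits


def demo():
    """Run both checks on a throwaway directory holding one benign file."""
    with tempfile.TemporaryDirectory() as root:
        sample = os.path.join(root, "sample.bin")
        with open(sample, "wb") as fh:
            fh.write(b"hello")  # constructed content; its MD5 is the well-known hash of "hello"
        sample_md5 = md5_of_file(sample)
        return {
            "sample_md5": sample_md5,
            "ioc_matches": scan_tree(root),                    # the benign file is not an IoC
            "self_check": len(scan_tree(root, {sample_md5})),  # but the scanner does see it
            "network_hits": [h for h, _ in flag_network_lines(SAMPLE_LOG_LINES)],
        }


if __name__ == "__main__":
    # On the affected machines the post describes, root would be the profile directory,
    # e.g. os.path.expandvars(r"C:\Documents and Settings\%USERNAME%").
    for key, value in demo().items():
        print(key, value)
```

MD5 is used here only because the post publishes MD5 values; it is fine for matching a known sample but is not collision-resistant, so a repacked or trivially modified dropper will not match and the hash sweep should be treated as a floor, not a ceiling, for coverage.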
Malware Researcher