MalwareDisasters is a division of MalwareIntelligence. Here we capture information about the behavior of malicious code and also offer the countermeasures needed to mitigate the malicious actions in question.

1.30.2011

Big Brother Brazil 2011 (AKA BBB 2011) malware attack

Big Brother 2011 (AKA BBB 2011) has begun in Brazil, and it is being used as a lure for social engineering attacks.

Big Brother Brasil 2011 began on January 11th in Brazil, and malware authors should be celebrating: the show is very popular, so it is easy to attract victims (via social engineering) to 'see' videos or pictures of the BBB 2011 participants.

We will show you a threat that arrived as a phishing message and uses social engineering to ask recipients to click a link in order to watch a video of a transsexual participant who is supposedly confusing the male participants of BBB 2011.

As you can see in the original e-mail below, the attacker uses a technique known as DHA (Directory Harvest Attack) against the @hotmail.com domain in order to send the phishing message to valid e-mail addresses (note the alphabetically sequential recipient addresses in the To: header).



Note that when you hover the mouse over the link, which appears to lead to youtube.com, the status bar shows that it does not go to the youtube.com website at all: it goes to hxxp://twurl.nl/rbpm6s.

Below you have the source code of the phishing message:

----------------------------------------------------------------
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0wO0Q9MjtTQ0w9Ng==
X-Message-Status: n
X-SID-PRA: globo.com (BBB 2011)
X-SID-Result: Fail
X-DKIM-Result: None
X-AUTH-Result: FAIL
X-Message-Info: DkpufaDli9Iih8M1I3rOCBHB3/E1htFb2qXrXVLfpfjlNFuHVG90WYrx2zq5Mw1fmsHKOjL4weQGCOatyx0Pn7FYN0czafnY9kSTqtv24cY=
Received: from wl01.ws.poa.ige ([201.94.125.1]) by col0-mc3-f16.Col0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
     Tue, 18 Jan 2011 10:21:08 -0800
Received: from wl01.ws.poa.ige (dcrs8211 [127.0.0.1])
    by wl01.ws.poa.ige (8.13.8/8.13.8) with ESMTP id p0IH1auJ030937;
    Tue, 18 Jan 2011 15:01:36 -0200
Received: (from httpd@localhost)
    by wl01.ws.poa.ige (8.13.8/8.13.8/Submit) id p0IH1ZXl030933;
    Tue, 18 Jan 2011 15:01:35 -0200
To: baa@hotmail.com, bbb@hotmail.com, bcc@hotmail.com,
bdd@hotmail.com, bee@hotmail.com
Subject: ariadna (transesual) no bbb 2011 deixa homens confuso....
X-PHP-Script: mylove2010.info/catastrofe/feed10.php for 187.57.247.86
Date: Tue, 18 Jan 2011 15:01:34 -0200
From: "globo.com (BBB 2011)"

Reply-to: "globo.com (BBB 2011)"

Message-ID: <63a5faa6442cd3b2f870f2ac7a99bde7@mylove2010.info>
X-Priority: 3
X-Mailer: Microsoft Outlook Express 6.00.2800.1409
X-MimeOLE: Produced By Microsoft MimeOLE V6.10.2800.1409.1718742875.rg.sm31
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/html; charset="iso-8859-1"
Return-Path: httpd@wl01.ws.poa.ige

----------------------------------------------------------------
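
The headers above already contain several indicators that a mail gateway or an analyst can check mechanically. The following Python script is an added example (not code from the original post): it parses the headers as quoted and flags the failed Sender ID and authentication verdicts, the mismatch between the brand named in From: (globo.com) and the Return-Path domain, the X-PHP-Script header and the httpd@localhost first hop that show the mail was injected by a web script despite the Outlook Express X-Mailer, and the harvested-looking recipient list. The stripped From/Reply-to addresses are left out and the To: continuation line is indented so the header folds correctly; the dictionary-attack heuristic (one domain, same-length local parts in alphabetical order) is this example's own assumption, not a standard check.

```python
import email
import re

# Headers of the phishing message quoted above (body and the stripped addresses omitted;
# the To: continuation line is indented here so the header folds correctly).
RAW_HEADERS = """\
X-SID-PRA: globo.com (BBB 2011)
X-SID-Result: Fail
X-DKIM-Result: None
X-AUTH-Result: FAIL
Received: from wl01.ws.poa.ige ([201.94.125.1]) by col0-mc3-f16.Col0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
     Tue, 18 Jan 2011 10:21:08 -0800
Received: (from httpd@localhost)
    by wl01.ws.poa.ige (8.13.8/8.13.8/Submit) id p0IH1ZXl030933;
    Tue, 18 Jan 2011 15:01:35 -0200
To: baa@hotmail.com, bbb@hotmail.com, bcc@hotmail.com,
    bdd@hotmail.com, bee@hotmail.com
Subject: ariadna (transesual) no bbb 2011 deixa homens confuso....
X-PHP-Script: mylove2010.info/catastrofe/feed10.php for 187.57.247.86
From: "globo.com (BBB 2011)"
X-Mailer: Microsoft Outlook Express 6.00.2800.1409
Return-Path: httpd@wl01.ws.poa.ige

"""

ADDR_RE = re.compile(r"[\w.+-]+@([\w.-]+)")
DOMAIN_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.I)


def analyze_headers(raw):
    """Return a dict of phishing indicators derived from the raw header block."""
    msg = email.message_from_string(raw)
    findings = {}

    # 1. The receiving MTA's own Sender ID / authentication verdicts.
    findings["auth_failed"] = (msg.get("X-SID-Result", "").lower() == "fail"
                               or msg.get("X-AUTH-Result", "").lower() == "fail")

    # 2. Brand named in the From display name vs. the domain the bounce path really leads to.
    claimed = {d.lower() for d in DOMAIN_RE.findall(msg.get("From", ""))}
    rp = ADDR_RE.search(msg.get("Return-Path", ""))
    bounce_domain = rp.group(1).lower() if rp else ""
    findings["claimed_domains"] = sorted(claimed)
    findings["bounce_domain"] = bounce_domain
    findings["brand_mismatch"] = bool(claimed) and bounce_domain not in claimed

    # 3. Injected by a web script: X-PHP-Script present, or the earliest hop is httpd@localhost.
    hops = msg.get_all("Received", [])
    findings["web_injected"] = bool(msg.get("X-PHP-Script")) or (bool(hops) and "httpd@" in hops[-1])

    # 4. The X-Mailer claims Outlook Express built the mail, yet a PHP script submitted it.
    findings["mailer_contradiction"] = (findings["web_injected"]
                                        and "outlook" in msg.get("X-Mailer", "").lower())

    # 5. Heuristic (this example's assumption) for a harvested recipient list:
    #    many recipients, one domain, same-length local parts in alphabetical order.
    rcpts = re.findall(r"[\w.+-]+@[\w.-]+", " ".join(msg.get_all("To", [])))
    local_parts = [r.split("@")[0].lower() for r in rcpts]
    domains = {r.split("@")[1].lower() for r in rcpts}
    findings["recipient_count"] = len(rcpts)
    findings["dha_like"] = (len(rcpts) >= 5 and len(domains) == 1
                            and len({len(x) for x in local_parts}) == 1
                            and local_parts == sorted(local_parts))
    return findings


if __name__ == "__main__":
    for key, value in analyze_headers(RAW_HEADERS).items():
        print(f"{key}: {value}")
```

Any one of these findings is weak on its own (many legitimate newsletters are sent by PHP scripts); it is the combination of a failed Sender ID check, a brand/bounce-domain mismatch and a mailer header that contradicts the Received chain that makes the message worth quarantining at the gateway.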

As you can see in the source code, this phishing message involves three main characteristics:

  1. A file named feed10.php
  2. A file named ariedina.jpg3
  3. A link pointing to the website hxxp://twurl.nl/rbpm6s.
 
Analyzing the file feed10.php

I have downloaded this script page using the wget utility. See the screenshot below:

wget -v mylove2010.info/catastrofe/feed10.php


As you can see above, this is an SMTP engine used by this threat. Just in case, I have submitted this PHP script to VirusTotal and you can see the results. This appears to be a genuine SMTP engine script, so there is no malware associated with this program, although it may be used by malware.

Analyzing the file ariedina.jpg3

This is just a picture used to entice people to click and see a 'video' at youtube.com. However, as you can see in the source code, the image is wrapped in an HREF, so clicking anywhere on the picture takes the user to the malicious website hxxp://twurl.nl/rbpm6s.

I have downloaded this picture so I could analyze it and saw that it's really just a picture:

wget -v http://lh4.ggpht.com/_FJQwbg0nrOk/TTGRJVC1KtI/AAAAAAAAAMs/CUvYCECUkhM/ariedina.jpg3



I have submitted this file to the VirusTotal website, so you can get the report using the link below. There are no detections since this is just a picture.

Analyzing the link hxxp://twurl.nl/rbpm6s

Pointing wget at the URL hxxp://twurl.nl/rbpm6s resulted in downloading a file named youtube_video756.exe.

wget -v http://twurl.nl/rbpm6s

Analyzing youtube_video756.exe

After submitting this sample to VirusTotal you can see that some AV vendors detect this threat, some of them using signatures and a couple using in-cloud technology.

If you run youtube_video756.exe, it will basically perform the following activities:

It creates a copy of itself named Recorte de tela e Iniciador do OneNote 2007.exe in the folder "C:\Documents and Settings\%user%\Start Menu\Programs\Startup\" and then launches that copy.

It connects to the FTP site ftp.biancarox.net using the username cohabrox and a password that will not be reported here, just in case. It downloads 10 files (listed below) to the folder C:\Documents and Settings\%user%\. While all of these files have a .txt extension, they are not true text files: looking at their strings you can see that they are really executables.


Taking a look at the process strings (below), we can see several Brazilian internet banking sites and two webmail websites.



When you open Internet Explorer and type one of the target URLs, like www.bradesco.com.br (a real Brazilian bank), it kills iexplore.exe and loads a new process, C:\Documents and Settings\%user%\®¢Ÿª¤ª¥ž¥.txt. If you type another URL in the IE address bar, like www.bradescoprime.com.br, a different process is launched; in this case it would be ®ž“§«š§«š.txt.

This process is a fake application that emulates the requested website and captures your bank agency (branch), account, token, passwords, etc. See the screenshots below:



While you are typing your bank agency, account, password, token, etc., the trojan captures everything and writes it to a *.bsp file in C:\Documents and Settings\%user%\. Below you have an example:


Indicators of compromise

Check for files with the following MD5 hashes in C:\Documents and Settings\%user%\.

  • edaa81ad2165c65bb340e636bf642291
  • b82c51f94b0e516f461b6f84a668dfde
  • 76184bebea96f59086368b64a896d224
  • f590d18d7b50109c03c6237d86e8415d
  • 52ea037028eb2274147aef1edfb64865
  • daa21069ae179cc0f195cd42795b592b
  • 86802efad8fb5b8153d7c7de67cb66bb
  • fc7592c9f2e2264c687a806459387d30
  • 9547ff6be241b5bb8a87f0dabe3b3218
  • 5cd6a3ac2b2d97e36091a1ecd2fd0aec

Check whether the process Recorte de tela e Iniciador do OneNote 2007.exe is running or the file is present in the folder C:\Documents and Settings\*\Start Menu\Programs\Startup\ (its MD5 is d34c8d3ad55f65d701264a5e8e278915).

Network connections to:

  • hxxp://mylove2010.info/catastrofe/feed10.php
  • hxxp://twurl.nl/rbpm6s
  • hxxp://livinianot.com.br/
  • ftp.biancarox.net
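
The file indicators above, together with the renamed .txt executables described in the behaviour section, can be swept for with a short script. The following Python is an added example (not code from the post): it walks a profile directory computing MD5s against the list above, flags any .txt file whose contents start with a DOS/PE header, the Startup-folder copy by name and any .bsp capture file, and matches the network indicators against proxy log lines. The profile layout, file names, log lines and the minimal MZ/PE skeleton are constructed for the demo; because constructed files cannot reproduce the real hashes, the demo adds its own fake file's hash to the list purely to exercise the hash-matching path.

```python
import hashlib
import os
import re
import struct
import tempfile

# Indicators quoted from the post above (the last hash is the Startup-folder copy).
FILE_MD5S = {
    "edaa81ad2165c65bb340e636bf642291", "b82c51f94b0e516f461b6f84a668dfde",
    "76184bebea96f59086368b64a896d224", "f590d18d7b50109c03c6237d86e8415d",
    "52ea037028eb2274147aef1edfb64865", "daa21069ae179cc0f195cd42795b592b",
    "86802efad8fb5b8153d7c7de67cb66bb", "fc7592c9f2e2264c687a806459387d30",
    "9547ff6be241b5bb8a87f0dabe3b3218", "5cd6a3ac2b2d97e36091a1ecd2fd0aec",
    "d34c8d3ad55f65d701264a5e8e278915",
}
STARTUP_NAME = "Recorte de tela e Iniciador do OneNote 2007.exe"
NET_HOSTS = {"mylove2010.info", "twurl.nl", "livinianot.com.br", "ftp.biancarox.net"}
HOST_RE = re.compile(r"(?<![\w.-])(" + "|".join(map(re.escape, NET_HOSTS)) + r")(?![\w-])")


def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def looks_like_pe(path):
    """True if the file starts with a DOS 'MZ' stub whose e_lfanew points at a 'PE\\0\\0' signature."""
    with open(path, "rb") as f:
        dos = f.read(64)
        if len(dos) < 64 or dos[:2] != b"MZ":
            return False
        f.seek(struct.unpack_from("<I", dos, 60)[0])  # e_lfanew lives at offset 0x3C
        return f.read(4) == b"PE\0\0"


def sweep_profile(root, md5s=FILE_MD5S):
    """Walk a profile directory; return (kind, path, md5) for every file-indicator hit."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            digest = md5_of(path)
            ext = os.path.splitext(name)[1].lower()
            if digest in md5s:
                hits.append(("known_md5", path, digest))
            if name == STARTUP_NAME and "Startup" in dirpath.split(os.sep):
                hits.append(("startup_copy", path, digest))
            if ext == ".txt" and looks_like_pe(path):
                hits.append(("pe_disguised_as_txt", path, digest))
            if ext == ".bsp":
                hits.append(("possible_capture_log", path, digest))
    return hits


def match_network_log(lines):
    """Return (line_number, host) for each log line that names one of the network indicators."""
    found = []
    for n, line in enumerate(lines, 1):
        m = HOST_RE.search(line)
        if m:
            found.append((n, m.group(1)))
    return found


def build_demo_profile():
    """Constructed stand-in for C:\\Documents and Settings\\%user%\\ ; no real samples involved."""
    root = tempfile.mkdtemp(prefix="bbb2011_demo_")
    startup_rel = os.path.join("Start Menu", "Programs", "Startup")
    os.makedirs(os.path.join(root, startup_rel))
    # Minimal MZ/PE skeleton: 'MZ', e_lfanew = 0x40, 'PE\0\0' at offset 0x40. Not executable.
    fake_pe = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 60
    files = {
        "dropped1.txt": fake_pe,                         # stands in for a renamed executable
        "notes.txt": b"just a text file\n",              # benign control file
        "capture.bsp": b"agencia=0000;conta=00000-0\n",  # constructed placeholder, not real data
        os.path.join(startup_rel, STARTUP_NAME): fake_pe,
    }
    for rel, data in files.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    return root


# Constructed proxy log excerpt (not from the post) to exercise the network matcher.
DEMO_LOG = [
    "2011-01-18 15:02:01 10.0.0.12 GET http://mylove2010.info/catastrofe/feed10.php 200",
    "2011-01-18 15:02:09 10.0.0.12 GET http://twurl.nl/rbpm6s 302",
    "2011-01-18 15:02:10 10.0.0.12 GET http://www.example.com/index.html 200",
    "2011-01-18 15:03:44 10.0.0.12 CONNECT ftp.biancarox.net:21 -",
]


def run_demo():
    root = build_demo_profile()
    # Constructed files cannot reproduce the real hashes, so the fake PE's hash is added
    # to the list here only to exercise the hash-match path.
    extra = {md5_of(os.path.join(root, "dropped1.txt"))}
    kinds = sorted({kind for kind, _, _ in sweep_profile(root, FILE_MD5S | extra)})
    return kinds, match_network_log(DEMO_LOG)


if __name__ == "__main__":
    for item in run_demo():
        print(item)
```

Run it as-is for the constructed demo; against a real machine call sweep_profile(r"C:\Documents and Settings\<user>") with the default hash list and feed match_network_log() the lines of a proxy or firewall log. The PE check reads only the 64-byte DOS header plus the 4-byte signature, so it is cheap to apply to every file, and it catches the renamed droppers even after their hashes change.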

Below you have a report from VirusTotal regarding the samples that we have analyzed here:


id=968db70645fceeb734ba941ee78d51848057762b0559709238c59d4391d1c25e-1295986300
id=961a9c536b98d02172eb48bd2e0e4881591ac1eb607bf1ea7f267f4994c6b6f6-1295986210
id=e6a33cbba7e6348c41cb7e10acac4efaf47286603d54d1c7088f8772bb0f23e8-1295986257
id=4e908de9a38bb3b90435b0d8b733ad11836a8f65bff2cd6cd247fd47a332af16-1295996254
id=d12ef9562f2deae6ef8e7d5842bf1f1425fc23ce7b6c2265a62189eac14e966f-1295985855
id=8d1a2ece03010fe9610c852a70d13c22f9e91d93e39abc939a742d84b279ea64-1295996475
id=457278ad3bc382dd5159c0be8e9f2f2e3e1cf9191861b56497c81f21f423808d-1295996615
id=55d9afec1ad24fcfec03f03cbc7be9b6c21a614db87432e925cdc8112c551c5e-1295996949
id=73cc47196be7bd8c0f7764a46cb4488266bef2ea1ffccbdbd91cd0b62c79919d-1295997136
id=26f542326786e4facd624fcb170a71c6a2e709e23c8f4cffa4715e133869316b-1295980568
id=8f5c8ad99ded74d3cc233b691a803fc6f00ac3113ad67c6f6802ac3ea0f727fc-1295389644

Bruno Caseiro
Malware Researcher

1 comment:

Anonymous said...

Excellent post.
