You’ve Got Postcard Malware

by Jose Nazario

If you don’t have an email address, or if you have a great spam filtering engine, you may not be among us throngs who have been flooded with spam linking to a “postcard from a family member”. The spams have a link in them and you’re encouraged to click:
Date: Fri, 29 Jun 2007 13:25:01 +0200
From: hallmark.com
To: You
Subject: You’ve received a postcard from a family member!

Good day.

Your family member has sent you an ecard from hallmark.com.
Send free ecards from hallmark.com with your choice of colors, words and music.
Your ecard will be available with us for the next 30 days. If you wish to keep the ecard longer, you may save it on your computer or take a print.
To view your ecard, choose from any of the following options:
——–
OPTION 1
——–
Click on the following Internet address or copy & paste it into your browser’s address box.
http://89.41.89.103/?18529a3ab9d352785c21a5aa8088aea28a
——–
OPTION 2
——–
Copy & paste the ecard number in the “View Your Card” box at http://89.41.89.103/
Your ecard number is 18529a3ab9d352785c21a5aa8088aea28a
Best wishes,
Postmaster,
hallmark.com
OK, so let’s pretend you actually clicked the link. What would happen? You’d possibly get your machine recruited into the Peacomm spam botnet. This handy diagram shows you what happens once you hit the website. There’s some obfuscated JavaScript on the page which builds a link to /123.htm, a malicious ANI file (MS07-017), and other exploits – QuickTime, WinZIP, and WebViewFolderIcon – all to cajole your computer into downloading files and launching them. There’s also a link to “/ecard.exe”, a downloader, in case you prefer to infect your computer manually. Depending on your browser and how it handles JavaScript, you get one or the other.
If you actually get hit, your box will ping the web server (/aff/cntr.php) and start to download the Peacomm components, like /aff/dir/sony.exe, /aff/dir/logi.exe, and /aff/dir/pdp.exe. I’ve written a bit about The Storm Worm, Peacomm in ZIPs, and Peacomm in RAR files recently.
123.htm is a stock ANI exploit. The download URL is bit shifted by 2, so we have to examine the strings of the file and bitshift them by -2 to get the proper URL (in this case http://catcher.hk/man.exe, now dead). Once we have that (bitshift is a little Python program I wrote to do this easily on the command line), we have another EXE URL to examine.
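The recovery step above, as an added example that is not the author’s bitshift script: it treats the “shift by 2” as a per-byte offset applied modulo 256 (an assumption, since the page does not show the tool or the exact encoding), tries a few candidate shifts over a constructed stand-in for the file’s bytes, and reports any URL-looking strings that appear.

```python
import re

def shift_bytes(data: bytes, delta: int) -> bytes:
    """Apply a per-byte offset modulo 256 (the assumed form of the 'shift')."""
    return bytes((b + delta) % 256 for b in data)

def find_urls(data: bytes, min_len: int = 7) -> list:
    """Return URL-looking strings found inside printable runs of `data`."""
    urls = []
    for run in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data):
        urls += [m.decode() for m in re.findall(rb"https?://[^\s\"'<>]+", run)]
    return urls

def recover_urls(blob: bytes, deltas=(0, -2, 2)) -> dict:
    """Try each candidate shift and map the ones that expose a URL to what they reveal."""
    found = {}
    for d in deltas:
        hits = find_urls(shift_bytes(blob, d))
        if hits:
            found[d] = hits
    return found

# Constructed sample standing in for the ANI file: a RIFF/ACON header, some
# filler, then the URL the post reports (now dead) obfuscated by +2 per byte.
OBFUSCATED_URL = shift_bytes(b"http://catcher.hk/man.exe", 2)
SAMPLE_FILE = b"RIFF\x00\x00\x00\x00ACONanih" + b"\x90" * 16 + OBFUSCATED_URL + b"\x00" * 8

if __name__ == "__main__":
    # Expected: only the -2 shift exposes a URL
    print(recover_urls(SAMPLE_FILE))
```

A real analysis would run this over the raw bytes of the downloaded file rather than the constructed blob; the printable-run scan is what `strings` does, applied after each candidate shift.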
So, at this point, Peacomm and its gang are upping the ante. They’re improving their methods to infect your computer, they’re gaining ground, and they’re not slowing down. This has been going on for a couple of weeks at this point. Also, there are rumors that Peacomm is launching (at present) a DDoS attack against rival spam gangs, so your infected computer may also be a DDoS bot. Peacomm infected boxes have participated in DDoS events before against rivals and anti-spam efforts.
Links around the net:
- .hk domains continue, CSIRT blog
- Riding out yet Another Storm Wave, SANS ISC website
- Unexpected postcards? Beware!!, from the Trend Micro blog.
- New Storm Worm Variant Spreads through Social Engineering, from the CERT/CC here in the US.
- Unwanted e-card conceals a Storm, from The Register.
- Vacation time greetings from the Kaspersky Analysts Weblog.

Great analysis on this one. I have seen the attack morph yet again. This time they are sending the e-cards with a spoofed source of bluemountain.com, a known and good ecard site.
Also, I have been receiving lots of .pdf attachments lately, but I don’t know if that’s related.