July 20, 2010 By Andrew Brandt

Beware Spam With HTML Attachments

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

When it comes to spam messages, conventional wisdom dictates that you shouldn’t follow links or call phone numbers in the message, order products from the spammer, or open files attached to the email. We all should know by now that you should never open attached executable files, and spam filters now treat all .exe files as suspicious. When spammers began flooding inboxes with .zip files containing executables, we caught on pretty quickly as well.

But HTML isn’t executable — it’s just plain text — so does that mean it’s safe to open attachments when they’re just HTML files? Hell no! Case in point: this doozy that came through our spam bucket last week.

The message subject reads Your Funds Will Be Transfered and the body helpfully informs the recipient that I am able to complete the funds transfer late night — I hope that doesn’t mean someone sent Jimmy Fallon $28,126 from my bank account. It continues, Copies of the payment is being attached, and the message indeed has an attachment named Copies of the payment.htm which I can open and…

…uh oh. That’s where the trouble begins.

The end result: Three pieces of malware installed; Two password-stealing copies of the Zbot phishing trojan, and a remote-access backdoor to boot. Considering Zbot’s propensity for stealing bank account logins and other sensitive credentials, I suppose the subject line was correct after all. Your funds will be transferred. Just not where you thought.

A more careful look at the attachment reveals that it contains some lightly obfuscated Javascript code. When rendered in a browser, the code instructs the browser to load a page on a Web site called DreamLifeAsia, which is (suprisingly, considering the name) not a pornography site. That page contains instructions for the browser to load a one-pixel-square iframe from a page on the raceobject.ru Web site.

The raceobject.ru page contains scripting that instructs the browser to download and execute a payload from yet a third Web site, problemdollars.ru. It just so happens that these fine, upstanding Russian-registered Web sites are hosted on the same server, located at the same IP address.

Whomever scrabbled together this row of dominoes must have thought they were being really clever when they made their code hard to read. Take a look at the line below, for example. At first glance, you might not be able to determine what it’s supposed to do. It looks like gobbledygook, right?

Well, take out every other character in the line encircled in red, and the cloying concatenation code, and this is what you get:

Yeah, genius, we figured out your awesome trick. It’s the “insert a random letter between every character” encryption algorithm, first invented in the year one by a five year old girl who wanted to pass a clay tablet to her friend in class without the teacher being able to read her Aramaic. The only significant difference is that there are no little hearts drawn over the “i”s. RSA and Bruce Schneier, eat your hearts out. These guys are obviously l33t.

In the end, the page directs a vulnerable browser to download the backdoor to the victim’s computer. The backdoor pulls down Zbot. Zbot contacts its command and control server, pulls down a data file with instructions, and makes another copy of itself on the infected computer’s hard drive.

In addition, the backdoor changes all the Security Zone settings in IE, clears your cookies, changes the settings for the Windows firewall to permit Windows Explorer (not IE) to receive data from anyone on the Internet, and makes other modifications to security settings that make it far more likely a victim will further infect him- or herself.

Bottom line, it doesn’t matter what kind of attachment you get. Don’t open anything attached to a spam email in a browser. After all, it’s pretty obvious that this is just a ruse. Jimmy Fallon doesn’t need your money, just some decent Nielsen numbers in his time slot, and that’s one thing Zbot can’t steal.
wordpress blog stats

Share Button

Trackbacks

  1. […] If you hadn’t already noticed, an ongoing spam campaign where someone is sending email messages with attached HTML files continues to be a problem. The current campaign appears to be a new wave of spam similar to the one I reported about in July. […]

true