
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2012-08-10



Did you get a Better Business Bureau Complaint Today?

Published: 2012-08-10
Last Updated: 2012-08-10 20:58:05 UTC
by Kevin Liston (Version: 4)
7 comment(s)

Did you get a Better Business Bureau Complaint Today? I did; in fact, I got a couple of them. I thought I'd go through a play-by-play of how I assess these things (there will be a lot of updates as I go through this in semi-real time).

Oh, and there will be very little obfuscation of the URLs below, so be careful with them.

Here's the message itself:

RE: Case# 9060933: Alfonso Palmer

Dear Company:

As you are aware, the Better Business Bureau contacted you regarding the above-named complainant, seeking a response to this complaint. Your position is available online.

The following URL (website address) below will take you directly to this complaint and you will be able to view the response directly on our website:

http://complainy.app.bbb.org/complaint/view/9060933/b/526398212f

The complainant has been notified of your response.

The BBB believes that your response adequately addresses the disputed issues and/or has exhibited a good faith effort to resolve the complaint. The complaint will close as "Administratively Judged Resolved" and our records will be updated.

If you fail to honor your agreement or if the consumer has information that disputes the accuracy of your firm's response, we will notify your office with substantiation to support the consumer's position and the case will be re-opened. Cases will not be re-opened without documentation or good cause.

The BBB appreciates this opportunity to serve you. Dispute Resolution Department.

Let's take a look at the headers:

Return-path: <complaints@bbb-email.org>
Envelope-to: kliston@REDACTED
Delivery-date: Fri, 10 Aug 2012 09:36:10 -0400
Received: from wsip-68-99-56-167.pn.at.cox.net ([68.99.56.167]:47037)
	by paradise.businessx.com with esmtp (Exim 4.77)
	(envelope-from <complaints@bbb-email.org>)
	id 1SzpNj-00010v-KU
	for kliston@REDACTED; Fri, 10 Aug 2012 09:36:07 -0400
Received: from apache by bbb-email.org with local (Exim 4.67)
	(envelope-from <complaints@bbb-email.org>)
	id EG95SG-22TJQ4-AR
	for <kliston@REDACTED>; Fri, 10 Aug 2012 07:36:01 -0600
To: <kliston@REDACTED>
Subject: RE: Case# 9060933: Alfonso Palmer
X-PHP-Script: bbb-email.org/sendmail.php for 68.99.56.167
From: "Better Business Bureau" complaints@boston.bbb.org
X-Sender: "Better Business Bureau" complaints@boston.bbb.org
X-Mailer: PHP
X-Priority: 1
MIME-Version: 1.0

So a simple spoof: the From: header claims boston.bbb.org, the envelope sender is bbb-email.org, and the only hop my own server actually recorded is a Cox residential address (likely a bot). The inner "from apache by bbb-email.org" hop was presumably written by that same machine (note the X-PHP-Script header naming the same IP), so it proves nothing. My cheap spam-trap mailserver doesn't do any SPF or DKIM checking, so there's no Authentication-Results header to lean on either.
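The header checks above, done programmatically. This is an added example, not code from the diary's author; the embedded header block is the one quoted above (recipient redacted as in the post), and the finding names and the "hostname embeds its own IP" heuristic are my own choices, not anything the diary defines. Without SPF/DKIM results, this is what you are left with: compare the displayed From: domain to the envelope sender, find the first hop your own MTA recorded, and treat everything below that hop as sender-asserted.

```python
"""Header triage for a spoofed notification (added example, not the diary's code)."""
import email
import re

# Header block from the diary, recipient redacted as in the post.
SAMPLE_HEADERS = """\
Return-path: <complaints@bbb-email.org>
Envelope-to: kliston@REDACTED
Delivery-date: Fri, 10 Aug 2012 09:36:10 -0400
Received: from wsip-68-99-56-167.pn.at.cox.net ([68.99.56.167]:47037)
    by paradise.businessx.com with esmtp (Exim 4.77)
    (envelope-from <complaints@bbb-email.org>)
    id 1SzpNj-00010v-KU
    for kliston@REDACTED; Fri, 10 Aug 2012 09:36:07 -0400
Received: from apache by bbb-email.org with local (Exim 4.67)
    (envelope-from <complaints@bbb-email.org>)
    id EG95SG-22TJQ4-AR
    for <kliston@REDACTED>; Fri, 10 Aug 2012 07:36:01 -0600
To: <kliston@REDACTED>
Subject: RE: Case# 9060933: Alfonso Palmer
X-PHP-Script: bbb-email.org/sendmail.php for 68.99.56.167
From: "Better Business Bureau" complaints@boston.bbb.org
X-Sender: "Better Business Bureau" complaints@boston.bbb.org
X-Mailer: PHP
X-Priority: 1
MIME-Version: 1.0

"""

# "from <helo> ([ip]...) ... by <host>"; the bracketed IP is what the receiving MTA recorded.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\(\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?[^)]*\))?"
    r".*?\bby\s+(?P<by>\S+)"
)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def addr_domain(value):
    """Domain of the first address in a header value, or None."""
    m = re.search(r"[\w.+-]+@([\w.-]+)", value or "")
    return m.group(1).lower() if m else None


def registrable(domain):
    """Naive eTLD+1 (ignores multi-label suffixes like co.uk); enough for bbb.org vs bbb-email.org."""
    return ".".join(domain.split(".")[-2:])


def ip_in_hostname(host, ip):
    """True when the hostname embeds its own address, the usual shape of ISP dynamic/PTR names (heuristic)."""
    octets = ip.split(".")
    return any(sep.join(octets) in host or sep.join(reversed(octets)) in host for sep in ("-", "."))


def parse_received(msg):
    """Received hops in header order: index 0 was added by the last MTA, i.e. our own."""
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold the folded header
        m = RECEIVED_RE.search(flat)
        if m:
            hops.append({"from": m.group("helo").lower(), "ip": m.group("ip"), "by": m.group("by").lower()})
    return hops


def triage(raw):
    msg = email.message_from_string(raw)
    from_domain = addr_domain(msg.get("From"))
    envelope_domain = addr_domain(msg.get("Return-path"))
    hops = parse_received(msg)
    findings = []

    if from_domain and envelope_domain and registrable(from_domain) != registrable(envelope_domain):
        findings.append("header-from-envelope-mismatch")

    # The outermost hop carrying a recorded IP is the only trustworthy origin;
    # hops below it were written by the sending machine and can say anything.
    external = next((h for h in hops if h["ip"]), None)
    if external and ip_in_hostname(external["from"], external["ip"]):
        findings.append("external-hop-dynamic-hostname")

    # X-PHP-Script names the client IP the script ran for; when it equals the external hop,
    # the "by bbb-email.org" hop is self-asserted by that same machine.
    php_ip = IPV4_RE.search(msg.get("X-PHP-Script", ""))
    if external and php_ip and php_ip.group(0) == external["ip"]:
        findings.append("php-script-origin-is-external-hop")

    if msg.get("X-Priority", "").strip().startswith("1"):
        findings.append("priority-highest")

    return {"from_domain": from_domain, "envelope_domain": envelope_domain,
            "hops": hops, "external_hop": external, "findings": findings}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_HEADERS).items():
        print(f"{key}: {value}")
```

Run it and the four findings fire on this message; on mail from a real MTA with matching envelope and header domains, none of them should. The registrable-domain comparison is deliberately naive, so expect false positives on two-label public suffixes unless you swap in a public suffix list.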

Take a look at the URL: does the displayed text match the href in the HTML source? No, not at all.

<p><b><a href="http://ghanabook.com/SKpcrwai/index.html">http://complainy.app.bbb.org/complaint/view/9060933/b/526398212f</a></b>
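The same display-text versus href comparison as a check you can run over a whole HTML body. Added example, not the diary's code: the first anchor in the constructed sample is the one quoted above, the other two are made up to show what is deliberately not flagged (a link whose visible text and href share a registrable domain, and a "click here" link whose text cannot be compared at all and still has to be eyeballed).

```python
"""Display-text vs. href check for HTML mail (added example, not the diary's code)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the diary's anchor plus a benign same-domain link and a non-URL link text.
SAMPLE_HTML = """
<p><b><a href="http://ghanabook.com/SKpcrwai/index.html">http://complainy.app.bbb.org/complaint/view/9060933/b/526398212f</a></b></p>
<p>Visit <a href="https://www.bbb.org/">www.bbb.org</a> for more.</p>
<p><a href="http://ghanabook.com/SKpcrwai/index.html">click here</a></p>
"""

# Visible text that looks like a hostname or URL; only these can be compared against the href.
LOOKS_LIKE_URL = re.compile(r"^(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:[/:?#]\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs; text nested in <b> etc. inside the <a> is included."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_text):
    """Hostname of a URL, or of bare text like 'www.bbb.org', lower-cased; '' if unparsable."""
    t = url_or_text.strip()
    if "://" not in t:
        t = "http://" + t
    try:
        return (urlsplit(t).hostname or "").lower()
    except ValueError:
        return ""


def registrable(domain):
    """Naive eTLD+1; ignores multi-label public suffixes such as co.uk."""
    return ".".join(domain.split(".")[-2:])


def mismatched_links(html_body):
    """Anchors whose visible text is a URL on a different registrable domain than the href."""
    parser = LinkCollector()
    parser.feed(html_body)
    out = []
    for href, text in parser.links:
        if not href or not LOOKS_LIKE_URL.match(text):
            continue  # "click here"-style text cannot be compared; inspect those hrefs by hand
        shown, actual = host_of(text), host_of(href)
        if shown and actual and registrable(shown) != registrable(actual):
            out.append({"shown": text, "shown_host": shown, "href": href, "actual_host": actual})
    return out


if __name__ == "__main__":
    for hit in mismatched_links(SAMPLE_HTML):
        print(f"{hit['shown_host']} shown, {hit['actual_host']} actual: {hit['href']}")
```

The check only fires when the lure shows a URL, which is exactly what a "view your complaint at this address" message does; it says nothing about anchors with plain-word text, so treat an empty result as "nothing obvious", not "clean".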

Being lazy, I submit this URL to Wepawet (http://wepawet.iseclab.org).

After waiting patiently it reports that the link is benign.  "ORLY," I think, "perhaps it's just pharma-spam then."

URL                                                         Status  Content Type
http://ghanabook.com/SKpcrwai/index.html                    200     text/html
http://apartmentsinorlandonow.com/WyZFNJYu/js.js            200     application/javascript
http://216.231.139.102/w7pwr6ahpdt.php?q=jm9svoa0sj7428gu   404     text/html

Comparing this to the other samples, the first URLs differ, but apartmentsinorlandonow.com is common to all of them. Perhaps the attackers are smart and only serve the exploit once per visitor? Or maybe they know Wepawet's IP addresses?

The next step is to use my own honeyclient instead of a known, public one. Nothing fancy, just a laptop with Ubuntu on it. A couple of wgets: first to the apartmentsinorlandonow.com URL (which contains only a document link to the next URL), and the second to 216.231.139.102. I didn't even disguise the user-agent; it happily dumped more obfuscated JavaScript at me.

Never underestimate the value of Google during analysis. A search for 216.231.139.102 turns up a very helpful report: http://urlquery.net/report.php?id=122828. It looks like an active Blackhole exploit kit, and someone was looking at this a little over an hour before I was. We're after that next stage, the link to update_flashplayer.exe.

Let's pull that down with another wget request. So now I've got about 150k of Win32 executable. My new favorite little tool for static analysis is exiftool. I was aware of EXIF data in image formats, but unaware that many other file formats also carry handy metadata; for a Win32 executable it reads the PE header fields. In this particular example, it may be interesting to note that the file's original timestamp is 2012:08:10 05:42:09-04:00, roughly four hours before the email landed in my mailbox.

I calculate the md5sum of the .exe and check whether it's on VirusTotal yet. I'm 5 minutes behind the first submission, and a surprising 9 out of 42 vendors already detect it.
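The two facts pulled from the binary above, the hash for the VirusTotal lookup and the timestamp exiftool reported, can be read without any external tool. This is an added example, not the diary's code or its sample: exiftool's timestamp for a Win32 executable is the TimeDateStamp field of the COFF file header, which the linker writes and which a packer or attacker can set to anything, so it is a lead, not evidence. The file the code builds is a constructed stub (an MZ header whose e_lfanew points at a PE signature and a COFF header, nothing else), and the timestamp value is the diary's reading re-encoded for illustration, not something observed from update_flashplayer.exe.

```python
"""Hashes and COFF timestamp of a PE file (added example, not the diary's code)."""
import hashlib
import struct
from datetime import datetime, timedelta, timezone

IMAGE_FILE_MACHINE_I386 = 0x014C
EASTERN_DST = timezone(timedelta(hours=-4))  # the -04:00 offset exiftool printed in the diary

# 2012-08-10 05:42:09 -04:00 (the diary's exiftool reading) as a Unix timestamp; illustrative only.
DIARY_TIMESTAMP = 1344591729


def build_stub_pe(timestamp, machine=IMAGE_FILE_MACHINE_I386):
    """Constructed minimal PE: 0x40-byte DOS header (e_lfanew at 0x3C), 'PE\\0\\0', 20-byte COFF header."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics (0x0102 = executable image, 32-bit machine)
    coff = struct.pack("<HHIIIHH", machine, 1, timestamp, 0, 0, 0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff


def coff_header(data):
    """Returns (Machine, NumberOfSections, TimeDateStamp); raises ValueError for a non-PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return struct.unpack_from("<HHI", data, e_lfanew + 4)


def is_pe(data):
    try:
        coff_header(data)
        return True
    except ValueError:
        return False


def describe(data):
    """What goes into a triage note: hashes for the VirusTotal lookup plus the claimed link time."""
    machine, nsections, ts = coff_header(data)
    linked = datetime.fromtimestamp(ts, tz=timezone.utc)
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "machine": machine,
        "sections": nsections,
        "linked_utc": linked,
        "linked_local": linked.astimezone(EASTERN_DST).isoformat(),
    }


if __name__ == "__main__":
    sample = build_stub_pe(DIARY_TIMESTAMP)
    for key, value in describe(sample).items():
        print(f"{key}: {value}")
```

Point `describe()` at the bytes of a real sample instead of the stub and you get the same md5 that md5sum prints and the same link time exiftool shows, plus sha256, which is the better key for sharing and for the VirusTotal search. A link time a few hours before delivery, as here, is consistent with a freshly built payload; a link time in 1992 or next year tells you the field was tampered with, which is itself worth noting.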

Now that we have an executable to play with we can start doing some dynamic analysis. Sticking with my theme of laziness, I send it off to Anubis (http://anubis.iseclab.org/) and ThreatExpert (http://www.threatexpert.com/) and compare the results. I like to submit to multiple sandboxes since one day Anubis works better than ThreatExpert and the next it's vice versa. Other days nothing works, and that's when you have to break down and work harder at it. Today I'm lucky: it runs in ThreatExpert, which spits out the following network artifacts:

  • 66.55.89.149
  • 66.55.89.150
  • cikonungunlugu.com
  • ftp.lastraautosport.com.ar

It looks like the sample checks in via an HTTP POST to /forum/view/topic.php at 66.55.89.149. There are further requests for more binaries:

  • hxxp://cikonungunlugu.com/CMw.exe
  • hxxp://ftp.lastraautosport.com.ar/xjH.exe

Those two are the same file; VirusTotal hadn't seen it before I submitted it, and it came back with a 14/42 hit ratio. This is about as far as the public tools will get us. Now that I have the installers and droppers, the next step is to put the sample on a real system and see what it does when I try to do some online banking...

That's going to run longer than my shift (a lot of pcap and memory capture to go through), so while that's in the works I wanted to move in another direction and look at the infrastructure involved in this attack. First there are the systems doing the spamming. I don't have a lot of insight into those, because Cox isn't very forthcoming with details about the machine that sent the email. We can assume it's part of a botnet, but as for which one, or how it got compromised, there are just no details to go on.

Then there are the first landing pages. The examples that I have are down now, so I messed up there. The next hops in the redirect chain are still up. Looking at my example and the others that Gregory provided below, I see that most of them are WordPress sites. There are a lot of vulnerabilities to choose from for getting your code onto someone else's WordPress site. Then we have the downloader site, 216.231.139.102, which looks like a full-blown exploit kit host at first glance. (Lots of people emailing noc@continuumdatacenters.com might help with that.) There's the check-in at 66.55.89.149 that needs a little more examination. cikonungunlugu.com appears to have been registered for the purpose of distributing malware, while ftp.lastraautosport.com.ar is probably a compromised domain.


ISC Feature of the Week: Report Fake Tech Support Calls

Published: 2012-08-10
Last Updated: 2012-08-10 19:48:13 UTC
by Adam Swanger (Version: 1)
0 comment(s)

Overview

Ever been sitting down to dinner with the family and gotten that phone call saying your computer has a virus, and miraculously the person on the other end knows all about it and how to fix it immediately? This week we cover https://isc.sans.edu/reportfakecall.html, where you can send information about the call to help us better understand how common these calls are and what the callers hope to achieve.

The form has been available for a few months and calls continue to be reported, so please take a moment to look it over in case you ever receive one of these calls. Never do any of the things they ask on a production or personal computer! As soon as there is sufficient data to generate meaningful reports, we'll let ya know so you can see the common threads of these calls.

Features

Previous coverage

Here's how to get to the form on the ISC website

Every field on the form is optional; you choose what to submit about the call. If we add an edit function later, you will be able to append to or amend your submission if you were logged into the ISC/DShield site when you filled out the form. We will not associate any reporting information with your id or email address. Please do not enter any personal information (like your phone number, or any data like credit card numbers the attacker tried to extract). If you suffered any damage from the attack, you may consider contacting law enforcement.

The form collects general information, like the caller's gender and whether they had a non-native accent, through specific details like the URL you were asked to visit and the caller's phone number if caller ID displayed it. Check out the entire form at https://isc.sans.edu/reportfakecall.html to get an idea of what to ask if you receive one of these cold calls, or fill it in and submit if you have details to share.

Post suggestions or comments in the section below or send us any questions or comments in the contact form on https://isc.sans.edu/contact.html#contact-form
--
Adam Swanger, Web Developer (GWEB, GWAPT)
Internet Storm Center https://isc.sans.edu

Keywords: ISC feature
ISC StormCast for Friday, August 10th 2012 http://isc.sans.edu/podcastdetail.html?id=2728

Blizzard Compromise-- what they missed in their user communication

Published: 2012-08-10
Last Updated: 2012-08-10 01:51:02 UTC
by Kevin Liston (Version: 2)
5 comment(s)

James brought this to my attention shortly after I checked in for my shift: http://us.blizzard.com/en-us/securityupdate.html

There are a few more details here: http://us.battle.net/support/en/article/important-security-update-faq

I'm going to repeat a little of what they said about what was accessed:

Here's a summary of the data that we know was illegally accessed:
North American-based accounts, including players from Latin America, Australia, New Zealand, and Southeast Asia

Email addresses
Answers to secret security questions
Cryptographically scrambled versions of passwords (not actual passwords)
Information associated with the Mobile Authenticator
Information associated with the Dial-in Authenticator
Information associated with Phone Lock, a security system associated with Taiwan accounts only

Accounts from all global regions outside of China (including Europe and Russia)

Email addresses

China-based accounts

Unaffected

At this time, there’s no evidence that financial information of any kind has been accessed. 
This includes credit cards, billing addresses, names, or other payment information. 

Note the line "Answers to secret security questions." As we saw with Mat Honan's ordeal earlier this week (http://www.emptyage.com/post/28679875595/yes-i-was-hacked-hard), the secret question isn't much of a barrier in an attack, and when the attacker has the actual answers, password resets aren't much of a challenge.

So Blizzard's recommendation to "change your password" is largely ineffective on its own for North American customers. If you're concerned about your account, change your security questions, and enable their two-factor authenticator too.

UPDATE: After spending 15 minutes on the battlenet website I couldn't find an easy way to change/update the security question.  The best I could do was add SMS alerts to authorize any password resets.
