Thursday, November 8, 2012

"You received a voice mail" leads to malware

I have a few colleagues who got an e-mail with a page saying "You received a voice mail", followed by a link pretending to be a wave file.

The first link leads to a page with a table of three items on different servers, all called js.js. These are basic redirectors. Out of the three, only two work, and both return exactly the same JavaScript code: a redirection to a PHP page on a website.

That second URL returns a massive obfuscated JavaScript. The author took some time to do the work properly: a few tautologies such as "if(document.body) {}" and others add some weight, certain function names are split across different string variables, pieced together and eval'd into other variables to be used as functions. And that's only the decoding portion.

A massive i tag contains 112 attributes, all identified by integers. In the HTML code, they are not in order, but the code re-orders them and builds a large string, which is passed to a second function whose role is to:

  • if the first character of the current pair of characters is "=", skip to the next pair;
  • otherwise, decode the pair as a base-23 integer, convert it into a character and append it to the decoded string.
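To make the two steps above concrete, here is an added JavaScript re-implementation of the decoding scheme described in this post (it is not the malware's own code, and the analysis notes above are the only source for the scheme). The integer-keyed attributes are collected from the tag, put back in numeric order, joined, and walked two characters at a time; a pair starting with "=" is filler and is skipped, any other pair is a base-23 integer converted to a character. The tag fed to it below is constructed for illustration: the encoder, the chunk size and the "=x" filler pairs are assumptions made to build a sample, since the original page only carried the encoded attributes.

```javascript
// Added example, not code from the original post: reimplements the
// attribute-reassembly and base-23 pair decoding described above so an
// analyst can run the same steps offline on an extracted tag.

// Encoder used ONLY to build a constructed sample. Each character becomes two
// base-23 digits; an "=x" filler pair (skipped by the decoder) is inserted
// every `fillerEvery` characters. The real page only carried encoded data.
function encodePairs(text, fillerEvery) {
  let out = "";
  for (let i = 0; i < text.length; i++) {
    const code = text.charCodeAt(i);
    if (code >= 23 * 23) throw new Error("code point does not fit in two base-23 digits");
    out += code.toString(23).padStart(2, "0");
    if (fillerEvery && (i + 1) % fillerEvery === 0) out += "=x";
  }
  return out;
}

// Step 1: pull integer-named attributes out of a tag, restore numeric order
// (the page had them shuffled) and join them into one string.
function reassembleAttributes(tagHtml) {
  const attrs = [];
  const re = /\b(\d+)="([^"]*)"/g;
  let m;
  while ((m = re.exec(tagHtml)) !== null) attrs.push([Number(m[1]), m[2]]);
  attrs.sort((a, b) => a[0] - b[0]);
  return attrs.map((a) => a[1]).join("");
}

// Step 2: walk the string two characters at a time. A leading "=" marks a
// filler pair to skip; anything else is a base-23 integer (digits 0-9, a-m).
function decodePairs(blob) {
  let result = "";
  for (let i = 0; i + 1 < blob.length; i += 2) {
    const pair = blob.slice(i, i + 2);
    if (pair[0] === "=") continue;
    const code = parseInt(pair, 23);
    if (Number.isNaN(code)) throw new Error("unexpected pair " + pair + " at offset " + i);
    result += String.fromCharCode(code);
  }
  return result;
}

// Full pipeline over a tag's HTML.
function decodeTag(tagHtml) {
  return decodePairs(reassembleAttributes(tagHtml));
}

// Constructed sample: a harmless stand-in for the second-stage script, encoded,
// cut into 8-character chunks and emitted as attributes in scrambled order
// (odd indices first, then even), mimicking the out-of-order tag on the page.
const SAMPLE_SECOND_STAGE = "var ua = navigator.userAgent; /* constructed */";
function buildSampleTag() {
  const encoded = encodePairs(SAMPLE_SECOND_STAGE, 5);
  const chunkLen = 8;
  const chunks = [];
  for (let i = 0; i < encoded.length; i += chunkLen) chunks.push(encoded.slice(i, i + chunkLen));
  const idx = chunks.map((_, i) => i);
  const order = idx.filter((i) => i % 2 === 1).concat(idx.filter((i) => i % 2 === 0));
  return "<i " + order.map((i) => i + '="' + chunks[i] + '"').join(" ") + "></i>";
}

console.log(decodeTag(buildSampleTag()));
```

On a real sample, replace buildSampleTag() with the tag text extracted from the page; the regex assumes the attribute values are double-quoted and contain only the base-23 alphabet and filler, which is what the scheme described above produces. Anything that does not parse as base-23 throws rather than silently producing garbage, so a mismatch in the assumed alphabet shows up immediately.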

The result is another JavaScript script, which is evaluated. Its exact role is not yet known, but here are a few notes:

  • it detects the OS and browser;
  • it searches for a number of Adobe, MS DOMXML and other plugins and gets their versions;
  • there is a mention of a PDF file in the code;
  • two URLs are mentioned: one was taken down already and was used to download a file called "update_flash_player.exe", confirming that it may be trying to exploit some Flash vulnerabilities; the other one was still live at the time of the analysis and was used to serve an executable (Info on VirusTotal). Yesterday at around 6PM EST, the detection rate was 4/44.
Once that object executed, it contacted a forum, then attempted a download from three different sites, which all returned the same executable. My only guess at this time is that the author planned for some redundancy should some of the sites be taken down. The additional download was also submitted to VirusTotal (info). As of yesterday, around the same time, the detection rate was 6/44.

When executed, these additional executables did nothing during the analysis period. They may be dormant or waiting for some condition to be met.

The analysis continues!