Friday, April 26, 2013

Analysis of a spam site

Last week, I received an e-mail from a contact of mine. Immediately, I knew something was wrong: the subject was her name between <> and the body was only a single line.

Before 12/2012, it was possible to find where an e-mail had been sent from when using Hotmail: the header "X-Originating-IP" contained the IP of the machine used to send the e-mail through the web interface. Now this is no longer possible, or at least not easily, as Microsoft has decided to replace "X-Originating-IP" with "X-EIP", which contains something that looks like a hash. If you have more information on this, let me know.

Warning: do not copy any of the following links in your browser unless you know exactly what you are doing! I have not tested any of them for possible malware. You have been warned!

The single line is actually a link (http://ruraltrauma.com/vvowfjp/xxotv685/ljr9c44/z087l8st/fwmfg). So, let's wget that bad boy.

Without a custom user-agent, wget doesn't hide its nature, and here that is greeted with a 403 (Forbidden). Interesting. What about changing the user-agent to match Windows 7 with IE9? The corresponding user-agent string is "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)". And yes, this changes the reply! The same test with a Windows XP/IE7 string returns the same page.

The request to "ruraltrauma.com" returns a 302 (Moved Temporarily) to "http://goodwaystoloseweightsolution.com/indexer.php?a=273446&c=wl_con", which in turn returns a 302 to "http://goodwaystoloseweightsolution.com/diet/GarciniaCambogiaDiet/".

There are two parameters in the middle URL: a and c. I played a bit and found the following:

  • The "a" parameter seems to be some form of counter, but it isn't used to select a specific page: whether it is there or not, the same pages are returned;
  • Two pages are returned, 'GarciniaCambogiaDiet' and 'GreenCoffeDiet', alternately;
  • The "c" parameter seems to select the campaign, but I was not able to find another set of sites. Yet.

Code analysis - first landing page

Let's dive into the first page. 

There are a few javascripts present: one returns the date with the day of the week and the month name, the other one is the usual "you are about to pass on a once in a lifetime opportunity, do you want to reconsider?" type of message box, executed when the user leaves or closes the page.

Most of the body is the usual crap: "facts", "user comments", "leave us a comment" (which is just a decoy: there is no form and no script attached to it). Dr. Oz is mentioned in the text:

                  <h2>Conclusion</h2>
    <p><a  href="go.php" target="_blank"><strong>Pure Garcinia Cambogia</strong></a>
     is made from HCA the finest 100% Garcinia Cambogia fruits on the
    planet. We offer the highest potency Garcinia Cambogia extract available
     which meets all of the criteria put forth by Dr. Oz. We are confident
    that it will work for you, as it has for so many others.</p>
And there is another mention of the Doctor at the bottom of the page. There is also a YouTube video of Dr. Oz explaining the benefits of the various products being advertised here.

    <div id="footer">

     <p>
    *The Dr. Oz Show is a registered trademark of ZoCo 1, LLC, which is not
    affiliated with and does not sponsor or endorse the products or services
     of 100% Pure Garcinia Cambogia With Svetol ®. All Rights Reserved.</p>

    <p>*Reference on our Web Sites to any publication or service of any
    third party by me, domain name, trademark, trade identity, service mark,
     trade identity, logo, manufacturer or otherwise does not constitute or
    imply its endorsement or recommendation by Company, its parent,
    subsidiaries and affiliates.</p>
Yeah, to be on the safe side: let's mention him, but not too much. If you were wondering, the "conclusion" is written using the "clear" class style, while the bottom message uses the "footer" class style. The CSS files show that the clear text will be clearly visible, the footer text not so much (its colour is barely distinguishable from the white background).

One of the things that is quite impressive is the number of mentions of go.php: no less than 25 references. This is the target of pretty much every link in the file.

There is another PHP file, used in an iframe: imp.php.

imp.php

That file is included as an iframe of size 0x0. When requested, it returns a single line, an IMG tag, that requests http://traffictrackingsys.com/imp.ashx?CID=237591&AFID=&SID=, another script. Fuzzing the CID parameter, or even removing it, didn't change the GIF file returned, which is a 1x1 pixel.

It is apparently known to be used by malware sites.

go.php

Getting this file is really interesting due to the number of redirects found:

Connecting to goodwaystoloseweightsolution.com
To http://traffictrackingsys.com/click.ashx?CID=237591&AFID=266107&SID=empty
To http://www.clclckck.com/aff_c?offer_id=48&aff_id=4
To http://wehasoffers.go2cloud.org/aff_c?offer_id=48&aff_id=4
To http://processingordersonline.com/rd/r.php?sid=155&pub=410028&c1=
To http://authenticgarciniacambogia.net/intl/special/?click_id=782623411&c1=&c2=&c3=&AFID=410028&SID=

That is no less than 5 redirects! The fact that some of them carry parameters may indicate that the same sites discriminate between different campaigns. More on this later.
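Following such a chain by hand is tedious and an auto-following client hides the intermediate hops (and their tracking parameters). The walker below is an added example, not code from the original post: it fetches one hop at a time with the IE9 user-agent quoted above, records every status and Location, and extracts each hop's query parameters. The go.php URL is assumed to be relative to the landing page directory, and the FAKE_HOPS table is a constructed offline stand-in reproducing the chain listed above, not captured traffic.

```python
from urllib.parse import urlparse, parse_qs, urljoin
from urllib.request import Request, build_opener, HTTPRedirectHandler
from urllib.error import HTTPError

# The IE9/Windows 7 User-Agent quoted in the post; wget's default one gets a 403.
UA_IE9_WIN7 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"

class _NoRedirect(HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None   # surface every 3xx to the caller as an HTTPError

def http_hop(url, user_agent=UA_IE9_WIN7, timeout=10):
    """Fetch one URL without following it; return (status, Location header or None)."""
    req = Request(url, headers={"User-Agent": user_agent})
    try:
        return build_opener(_NoRedirect).open(req, timeout=timeout).getcode(), None
    except HTTPError as e:          # 3xx (thanks to _NoRedirect), 403, 404, ...
        return e.code, e.headers.get("Location")

def follow_chain(url, hop=http_hop, max_hops=10):
    """Walk redirects one hop at a time; return [(status, url), ...] in order."""
    chain, current = [], url
    for _ in range(max_hops):
        status, location = hop(current)
        chain.append((status, current))
        if status not in (301, 302, 303, 307, 308) or not location:
            break
        current = urljoin(current, location)   # Location may be relative
    return chain

def query_params(url):
    """Tracking parameters carried by one hop, e.g. offer_id / aff_id / CID."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query, keep_blank_values=True).items()}

# Constructed offline stand-in for the live servers, reproducing the go.php chain
# listed in the post (go.php assumed relative to the landing page); not captured traffic.
LANDING = "http://goodwaystoloseweightsolution.com/diet/GarciniaCambogiaDiet/"
CHAIN = [
    LANDING + "go.php",
    "http://traffictrackingsys.com/click.ashx?CID=237591&AFID=266107&SID=empty",
    "http://www.clclckck.com/aff_c?offer_id=48&aff_id=4",
    "http://wehasoffers.go2cloud.org/aff_c?offer_id=48&aff_id=4",
    "http://processingordersonline.com/rd/r.php?sid=155&pub=410028&c1=",
    "http://authenticgarciniacambogia.net/intl/special/?click_id=782623411&c1=&c2=&c3=&AFID=410028&SID=",
]
FAKE_HOPS = dict(zip(CHAIN, CHAIN[1:]))   # each URL 302s to the next one

def fake_hop(url, user_agent=UA_IE9_WIN7):
    """Offline replacement for http_hop: 302 along FAKE_HOPS, 200 at the end."""
    return (302, FAKE_HOPS[url]) if url in FAKE_HOPS else (200, None)
```

Against a live chain, `follow_chain(url)` uses `http_hop`; a 403 on the first hop (as with wget's default user-agent) simply ends the chain there, which makes the user-agent gating visible in the recorded statuses.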

The page contains three JavaScript includes, one of which couldn't be found (js/11.js). It also contains a form to order the "goods", with the POST going to https://www.drstation.com/index.php?main_page=two_step_form_processor. Interestingly, the connection is made over HTTPS.

The certificate information is valid and gives:


subject=/OU=Domain Control Validated/CN=www.drstation.com
issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287

The site www.drstation.com is running the LimeLight CRM. I don't know whether the usage found here is "normal" for that site or whether it was compromised.

For this branch, no further analysis.

clclckck.com

This site is interesting. It sits in the path when fetching the go.php file, and it takes two parameters: offer_id and aff_id (affiliate?). Let's play a little with these parameters.

offer_id         aff_id                   Result
offer_id = 10    aff_id = 1               <Nothing>
offer_id = 20    aff_id = 1               Green Coffee
offer_id = 30    aff_id = 1               Green Coffee
offer_id = 36    aff_id = 1               Green Coffee Beans
offer_id = 38    aff_id = 1               Green Coffee Beans
offer_id = 40    aff_id = 1               <Redirect to www.puresaffronslims.com>
offer_id = 44    aff_id = 1               Green Coffee
offer_id = 45    aff_id = 1               <Redirect to iluv.clickbooth.com>
offer_id = 46    aff_id = 1               Garcinia Cambogia
offer_id = 47    aff_id = 1               <Nothing>
offer_id = 48    aff_id = 1               Garcinia Cambogia
offer_id = 48    aff_id = 2               <Nothing>
offer_id = 48    aff_id = 3               Garcinia Cambogia
offer_id = 48    aff_id = 4               Garcinia Cambogia
offer_id = 49    aff_id = 1               <Nothing>
offer_id = 50    aff_id = 1               Green Coffee

Other random values return one of the following: nothing, a redirect, 'Green Coffee', 'Green Coffee Beans' or 'Garcinia Cambogia'. Here is a visual representation of the paths taken (redirects, POSTs or clicks):



There is one constant: the payment/ordering site usually posts to "www.drstation.com".

Next: the different actors.