Blog for hpHosts, and whatever else I feel like writing about ....

Thursday 8 December 2011

Blackhole exploit: For those wondering, Part 3 - Fake Facebook e-mail

This one came in an e-mail claiming to be from Facebook, with the usual social engineering rubbish;

facebook <http://static77-68-16-117.live-dsl.net:8887/facebook-friend1/2t4bv271>
Hi,
You haven't been back to Facebook recently.You have received notifications while you were gone.
<http://static.ak.fbcdn.net/rsrc.php/v1/yS/r/I-6WhcLLGrb.gif> 1 message <http://static77-68-16-117.live-dsl.net:8887/facebook-friend1/2t4bv271> <http://static.ak.fbcdn.net/rsrc.php/v1/yk/r/jqa4zOmDxSP.gif> 2 friend requests <http://static77-68-16-117.live-dsl.net:8887/facebook-friend1/2t4bv271>
Thanks,
The Facebook Team
Sign in to Facebook and start connecting
Sign in <http://static77-68-16-117.live-dsl.net:8887/facebook-friend1/2t4bv271>

To log in to Facebook, follow the link below:
http://www.facebook.com/n/?find-friends%2F&mid=4131bdcG5af38cf3b00cG0G2b&bcode=BoDkTqHx&n_m=redc-mosul%40imfi.org <http://static77-68-16-117.live-dsl.net:8887/facebook-friend1/2t4bv271>
<http://www.facebook.com/email_open_log_pic.php?mid=4131bdcG5af38cf3b00cG0G2b>
If you don't want to receive these emails from Facebook in the future or have your email address used for friend suggestions, you can unsubscribe <http://static77-68-16-117.live-dsl.net:8887/facebook-friend1/2t4bv271> .
Facebook, Inc. P.O. Box 10005, Palo Alto, CA 94303


Or for those of you using HTML e-mail (naughty naughty!);



In line with keeping this basic, for those of you not familiar with decoding these, and not wanting to run them - to decoded this latest variant, change;

window["eval"](c);


To;

eval(c);


Then comment out the following lines (I've used screenshots for these, to save your AVs going nuts);

Lines 1 and 2



Line 4



Then finally;

Line 13



Add this, just after line 13;

w=String;


Once the changes are made, simply run it in Malzilla, and you'll see the lovely mess of code in the bottom box;



Simply copy this, paste it into the top box (where the original code was - and remember to CLEAR THE CONTENTS OF THAT FIRST!), or create a new decoder tab. Click Format Code, and voila - from here you simply look for the magic ?f=, and you've got the variable you need.

As an aside, these are blocking JSUnpack/Wepawet et al now it seems.

Headers for the e-mail, for those that want them;

Return-Path: <update+zj4ougb438j9jy@2t4bv271.facebook-email.com>
Delivered-To: darren@it-mate.co.uk
X-Spam-Flag: NO
X-Spam-Score: 1.065
X-Spam-Level: *
X-Spam-Status: No, score=1.065 tagged_above=-9999 required=1.3
tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.723,
MIME_HTML_ONLY_MULTI=0.001, MPART_ALT_DIFF=0.79,
RCVD_IN_BRBL_LASTEXT=1.449, WEIRD_PORT=0.001] autolearn=no
Received: from server.longchin.com (longchin.com [152.104.144.211])
by mail4.emailconfig.com (Postfix) with ESMTP id 8E76339836C
for <darren@it-mate.co.uk>; Fri, 9 Dec 2011 06:14:22 +0000 (GMT)
Received: from mail.alpinspire.com ([71.33.236.177]) by server.longchin.com with Microsoft SMTPSVC(6.0.3790.4675);
Fri, 9 Dec 2011 14:16:10 +0800
Content-Type: multipart/alternative; boundary="===============0677422325=="
MIME-Version: 1.0
Subject: 2 friends awaiting your response.
From: "Facebook" <update+zj4ougb438j9jy@2t4bv271.facebook-email.com>
Message-ID: <SERVERhGD1XyCTr9rf30000f583@server.longchin.com>
X-OriginalArrivalTime: 09 Dec 2011 06:16:11.0375 (UTC) FILETIME=[0C11BFF0:01CCB63A]
Date: 9 Dec 2011 14:16:11 +0800
To: undisclosed-recipients:;


parahole.ru itself, is housed at;

IP: 91.213.8.118
IP PTR: s118.justhost.in.ua
ASN: 15626 91.213.8.0/24 ITLAS ITL Company

Unless you've got a specific reason not to, you can safely block this entire /24.

inetnum: 91.213.8.0 - 91.213.8.255
netname: OPRIA
descr: FOP Opria Ruslan Dmitrievich
country: UA
org: ORG-ORD1-RIPE
admin-c: ORD4-RIPE
tech-c: ORD4-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-END-MNT
mnt-lower: RIPE-NCC-END-MNT
mnt-by: MNT-OPRIA
mnt-routes: MNT-OPRIA
mnt-routes: ITL-MNT
mnt-domains: MNT-OPRIA
source: RIPE # Filtered

organisation: ORG-ORD1-RIPE
org-name: FOP Opria Ruslan Dmitrievich
org-type: OTHER
address: 91002, 2-nd Partizansky side street 36, Lugansk, Ukraine
phone: +380677955035
abuse-mailbox: abuse@justhost.in.ua
mnt-ref: MNT-OPRIA
mnt-by: MNT-OPRIA
source: RIPE # Filtered

person: Opria Ruslan Dmitrievich
address: 91002, 2-nd Partizansky side street 36, Lugansk, Ukraine
phone: +380677955035
abuse-mailbox: abuse@justhost.in.ua
nic-hdl: ORD4-RIPE
mnt-by: MNT-OPRIA
source: RIPE # Filtered

% Information related to '91.213.8.0/24AS15626'

route: 91.213.8.0/24
descr: XSERVER
origin: AS15626
mnt-by: ITL-MNT
source: RIPE # Filtered


URLs for this one;

hxxp://static77-68-16-117.live-dsl.net:8887/facebook-friend1/2t4bv271
hxxp://static77-68-16-117.live-dsl.net:8887/facebook2/
hxxp://static77-68-16-117.live-dsl.net:8887/11mozilla/
hxxp://parahole.ru/main.php?page=2f20caeff255a186
hxxp://parahole.ru/content/1ddfp.php?f=29
hxxp://parahole.ru/content/2ddfp.php?f=29
hxxp://parahole.ru/content/hcp_vbs.php?f=29&d=0
hxxp://parahole.ru/
hxxp://parahole.ru/w.php?e=7&f=29


MD5 for the payload (SpyEye trojan of course, same as the last): 162d507cead24c6e184ea83be33fc209

References

Blackhole exploit: For those wondering, Part 2
http://hphosts.blogspot.com/2011/12/blackhole-exploit-for-those-wondering_05.html

Blackhole exploit: For those wondering
http://hphosts.blogspot.com/2011/12/blackhole-exploit-for-those-wondering.html

1 comment:

spupicel said...

I feel so relieved that i deleted my facebook account just a month or so ago....although i'm a programmer i see that i'm prone to clicking stupidly on things that look the same .... i didn't with this...but wondered...how the hell? i don't have an fb account anymore...so...just mouseover the link to reveal it all.