sudosecure.net

is anything truly secure…

Storm goes Phishing

Posted by jeremy on July 16th, 2008

Looks like the authors of the Storm Worm have started to spam out phishing emails to our inboxes, so be ready tomorrow morning to warn your users. The following domain names are being used as the phishing sites (caution: these are also malicious sites):

These domains were all live links embedded in the body of the spam messages. Here is the actual spam message being sent:

Subject: Read carefully - Important Notification

Dear Administrator,

We inform you that your account is about to expire.
It is strongly recommended to update it immediately. Update form is located <a href="hxxp://digitalinsight.bankdata1.com/onlineserv/CM/">here</a>.
However, failure to confirm your records may result in account suspension.

Confidential: Please be advised that the information contained in this email
message, including all attached documents or files, is privileged and
confidential and is intended only for the use of the individual or individuals
addressed. Any other use, dissemination, distribution or copying of this
communication is strictly prohibited. This is the automated message. Please
don't reply.

Unlike most other spam phishing attempts this particular version is really well laid out and designed in such a way that I am sure many users will be fooled into visiting these sites. The actual phishing page looks like this:

This is a very basic-looking page asking for the user's Company ID, Company Password, User ID, and User Password. Also note the notice in red telling the user to use their Financial Institution login page for future maintenance. I am guessing the notice is just an additional touch to aid in the social engineering going on here. All of this seems to be standard stuff, but wait: there is an iframe reference that caught my eye right away. The iframe path is:

hxxp://xx.xx.xx.xx/cgi-bin/index2.cgi?lite

The IP is rotated with every query, so it isn't as simple as adding an IP block to protect your user base. This iframe leads to none other than some deeply obfuscated JavaScript code. I used Bobby's Malzilla tool for the deobfuscation, which can be downloaded here: Malzilla. I highly recommend checking this tool out, and if you like it throw Bobby a bone or two by donating to his project, as he has spent many hours adding features requested by the community.
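Two of the indicators above are mechanical enough to check for in mail and web content automatically: a generic "here" link whose host borrows the institution's name as a subdomain of an unrelated domain, and a hidden iframe that loads from a bare IP address. The following is an added example (not code from the original post or from Malzilla); the sample HTML is constructed to mirror the captured message and page, the IP is a documentation address, and the legitimate-domain set is an assumption.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample mirroring the captured message and phishing page:
# a "here" link to <brand>.<unrelated-domain> and a 0x0 iframe pulling
# from a bare IP (203.0.113.10 is a documentation address, not the real one).
SAMPLE_HTML = """
<p>Update form is located <a href="hxxp://digitalinsight.bankdata1.com/onlineserv/CM/">here</a>.</p>
<iframe src="hxxp://203.0.113.10/cgi-bin/index2.cgi?lite" width="0" height="0"></iframe>
"""

BRAND = "digitalinsight"                # brand name being impersonated
LEGIT_DOMAINS = {"digitalinsight.com"}  # assumed: the institution's real domains
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

class _Links(HTMLParser):
    """Collect (tag, url, link_text) for every <a href> and <iframe src>."""
    def __init__(self):
        super().__init__()
        self.found, self._href, self._text = [], None, ""
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], ""
        elif tag == "iframe" and a.get("src"):
            self.found.append(("iframe", a["src"], ""))
    def handle_data(self, data):
        if self._href is not None:
            self._text += data
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.found.append(("a", self._href, self._text.strip()))
            self._href = None

def registered_domain(host):
    # Naive "last two labels" rule; adequate for the .com/.net hosts seen here.
    return ".".join(host.split(".")[-2:])

def find_phish_indicators(html):
    """Return [(indicator, host)] for brand-as-subdomain links and iframe-to-IP."""
    p = _Links()
    p.feed(html)
    hits = []
    for tag, url, text in p.found:
        # Accept defanged hxxp:// URLs as they appear in analyst notes.
        host = urlparse(re.sub(r"^hxxp", "http", url, flags=re.I)).hostname or ""
        if tag == "iframe" and IPV4.match(host):
            hits.append(("iframe-to-ip", host))
        elif tag == "a" and BRAND in host and registered_domain(host) not in LEGIT_DOMAINS:
            hits.append(("brand-as-subdomain", host))
    return hits
```

Because the iframe check keys on the host being a raw IP rather than on a specific address, it still fires when the attacker rotates the IP on every request.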

Ok, back to the phishing stuff. In this PDF you will find the complete deobfuscation of this iframe redirection: badness_storm_phish. Now this really struck me as odd: this script decodes exactly like the "ngg.js" SQL injections flooding the internet right now. Even the binary is the same, including the if/else selection logic used in the code to choose your binary. So does this mean the Storm Worm authors can now be traced over to some of the SQL injection activity being tracked so well over at ShadowServer.org (Full list of Injected Sites)? I can't confirm this trace-back, but it is definitely the same obfuscation being used by the "ngg.js" stuff. So either it is the same organization, or the SQL injection organization is now paying the Storm Worm authors to distribute spam for them. Who really knows, as I am just guessing here. One other idea would be that the SQL injections are being used on the phishing sites themselves, but I really don't think that is the case here.

The binary downloaded after all the iframe redirection badness occurs is fairly well detected by the vast majority of antivirus companies, which is a good thing. Here is a link to my scan results: Result: 21/33 (63.64%). I didn't run the binary in my lab, but according to the detection results it looks like it is either a proxy bot or a spam bot.

The rest of the spam I captured tonight during this lab run involved the same old Canadian pharmaceutical links, with the same old subject lines. Here is a list of the domains involved in that portion of the spam:

Some of these domains are new to my lists, so if you don't have them in your blacklists or content filters, I would add them now as well.

To finish out tonight's post, here is my entire spam capture log for all of the above, just in case you're interested: smtplogs.txt. As always, if you have questions or comments feel free to ping me anytime.

4 Responses to “Storm goes Phishing”

  1. Chris Says:

    Thanks Jeremy for the tip. I came into work with a couple emails from users asking “what’s this email about”. Talk about panic mode. Quick email out to everyone to not open and delete helped. We’ll be adding these to our SecurePipe list.

    Do you have 74.131.162.233 and 68.200.100.249 in your list as well?

  2. jeremy Says:

    Sure do, thanks for checking.

  3. jose Says:

    great analysis, jeremy. thanks. i had been wondering but was unable to confirm.

  4. jeremy Says:

    No problem, anytime. I am always glad to hear this has helped someone somehow…
