By Andrew Brandt
When it comes to spam messages, conventional wisdom dictates that you shouldn’t follow links or call phone numbers in the message, order products from the spammer, or open files attached to the email. We all should know by now that you should never open attached executable files, and spam filters now treat all .exe files as suspicious. When spammers began flooding inboxes with .zip files containing executables, we caught on pretty quickly as well.
But HTML isn’t executable — it’s just plain text — so does that mean it’s safe to open attachments when they’re just HTML files? Hell no! Case in point: this doozy that came through our spam bucket last week.
The message subject reads Your Funds Will Be Transfered and the body helpfully informs the recipient that I am able to complete the funds transfer late night — I hope that doesn’t mean someone sent Jimmy Fallon $28,126 from my bank account. It continues, Copies of the payment is being attached, and the message indeed has an attachment named Copies of the payment.htm which I can open and…
…uh oh. That’s where the trouble begins.
The end result: Three pieces of malware installed; Two password-stealing copies of the Zbot phishing trojan, and a remote-access backdoor to boot. Considering Zbot’s propensity for stealing bank account logins and other sensitive credentials, I suppose the subject line was correct after all. Your funds will be transferred. Just not where you thought.
The raceobject.ru page contains scripting that instructs the browser to download and execute a payload from yet a third Web site, problemdollars.ru. It just so happens that these fine, upstanding Russian-registered Web sites are hosted on the same server, located at the same IP address.
Whomever scrabbled together this row of dominoes must have thought they were being really clever when they made their code hard to read. Take a look at the line below, for example. At first glance, you might not be able to determine what it’s supposed to do. It looks like gobbledygook, right?
Well, take out every other character in the line encircled in red, and the cloying concatenation code, and this is what you get:
Yeah, genius, we figured out your awesome trick. It’s the “insert a random letter between every character” encryption algorithm, first invented in the year one by a five year old girl who wanted to pass a clay tablet to her friend in class without the teacher being able to read her Aramaic. The only significant difference is that there are no little hearts drawn over the “i”s. RSA and Bruce Schneier, eat your hearts out. These guys are obviously l33t.
In the end, the page directs a vulnerable browser to download the backdoor to the victim’s computer. The backdoor pulls down Zbot. Zbot contacts its command and control server, pulls down a data file with instructions, and makes another copy of itself on the infected computer’s hard drive.
In addition, the backdoor changes all the Security Zone settings in IE, clears your cookies, changes the settings for the Windows firewall to permit Windows Explorer (not IE) to receive data from anyone on the Internet, and makes other modifications to security settings that make it far more likely a victim will further infect him- or herself.
Bottom line, it doesn’t matter what kind of attachment you get. Don’t open anything attached to a spam email in a browser. After all, it’s pretty obvious that this is just a ruse. Jimmy Fallon doesn’t need your money, just some decent Nielsen numbers in his time slot, and that’s one thing Zbot can’t steal.