Spam and Phishing Obfuscation Part 1: Forum Attacks
---------------------------------------------------
Written by Israel Torres
Thursday, 12 January 2006

Note: This article depicts real situations about real attacks with the purpose of knowing how to defend against them.

The phpBB bulletin board package is notorious for being attacked by forum spammers and phishers, most likely for a few reasons:

* It is "free": you don't need to hand over cash or credit to use it.
* It is open software: anyone can download it, examine how it works and modify it accordingly.
* It is really easy to configure and use.

Such reasons make it attractive to anyone interested in starting their own forum. This means a lot of people use it... and this is also why it becomes a target for those entities that want a lot of people to visit their sites without having to pay for advertising services. Unfortunately it is not only used by spammers trying to sell you something; it is also used by phishers trying to steal something from you, as well as to infect you with something that takes over your computer system. In this article I will demonstrate one technique currently in use, involving script obfuscation combined with social engineering in a forum setting.

People sign up on forums every day, and members come and go. Some members are interesting from the get-go and others are pretty boring. Some have been around the block a few times and always have an avatar and profile ready to set up from the second they have been emailed that their account is active and ready to use. Combined with the common forum feature that welcomes the newest member, this allows interested (or plain bored) members to click on the newcomer to see who has teleported into their stomping grounds and get a feel for this yet-to-be-revealed friend or foe. Social engineering plays a large part in naming an entity that isn't real and will never post in the target forum.

A common attack is to create an account with a female name in the hope of interesting the majority of males on any given forum. Another common attack is to pseudo-randomly generate a name from a set of characters and numbers, as this also attracts interest, and it evades some of the simple filters out there that are based on string comparison.

Welcome our newest member, Sheila69. "Sheila" already sounds interesting and is begging to be clicked on. Upon reading "her" profile, "her" location states "she" is from Mongolia. I know what you are thinking: too far away for a personal one-on-one, but it could make do for a fun cyberchat. You are not entirely disinterested at this point, so you continue reading her profile. Her hobbies say to check out her website for more info, with the link posted ready to click. You notice the weird-looking URL has a .ru top-level domain and looks like a pseudo-random domain name. You also notice that there is a path to an html file, /en/forum-shiela-profile-six-nine.htm. Your spider-sense is tingling, but since it isn't all that's tingling you decide to click on it and see what Sheila is really about.

All of a sudden you get a browser alert stating that a pop-up has tried to pop up and a pop-under has tried to pop under, and then you are blasted into a portal page that isn't even in the language you speak. What a rip. Sheila sucks, and not in the good way either. What a waste of time. You close the browser and go on about your business, soon forgetting about Sheila and her fakeness. As you snore away a few hours of your life you don't notice your screensaver kick in, or the lights that start to tickle your router's LEDs. A month later you won't know why your ISP is sending you warning letters about your bandwidth usage and telling you to stop scanning unauthorized networks and participating in distributed denial of service attacks.

A few weeks later your computer becomes unusable because all its resources are being used, and you end up losing your favorite mp3s and pr0n collection and have to restore your Dell back to its factory settings. Of course, just like before, you don't bother making a restricted user account and continue to use the default administrator account to log back into your forums and commence your digital lifestyle. Fade to black.

Pwn'd

So what just happened? If you don't know, you are bound to relive it again and again until you do some investigation into what in the world is happening, and happening to you. In this scenario you have been social engineered into believing the newest member was a person, and a female no less. In actuality Sheila doesn't exist in real life. Sheila was created by a script that sits on the Internet all day and night finding phpBB forums that allow users to be created without too many security mechanisms such as captchas or email verification. It gets a list of vulnerable forum sites from another script that spiders the web for sites running certain types of software, and certain versions. Upon finding a suitable target it auto-generates the user and quickly sets up the profile to get the maximum number of hits while the account is being shown as new to the rest of the forum. It is programmed with a certain URL (usually picked from a ring of spammer/phisher sites) that leads to a portal or a page loaded with a crouching trojan and hidden virus.

Don't try this at home

When you see a URL that looks suspicious you can usually download the file to check its contents without rendering it in your browser, by using tools such as wget and cURL. There are always exceptions, such as the recent WMF exploit + Google Desktop issue, where merely having the file on disk was enough for the desktop indexer to process it. Really, I am being serious: don't try this on a system that has things on it you want to keep. If you decide to throw caution to the wind, take responsibility for your own actions.

You can begin this example by downloading a public URL posted in a forum by one of the entities mentioned above into a temporary directory to play in.

Wget Example
[IT_ex1_wget_html.gif]

Once you have downloaded the suspect file (and/or your AV didn't trigger) to your temporary directory, you can examine it with an editor such as UltraEdit32 (this way, if it is binary, you won't accidentally run any macros or overflows as you might with the Microsoft default editors). If all goes well you will see html source.

[IT_ex1_examine_html.gif]

You can scan the html code visually by looking for keywords such as " --- and paste it into the editor (or notepad as demonstrated here).

[IT_ex1_counter.info.txt_before.gif]

Take a quick look and scan the code for anything that looks like English. In this code you can see that the script is setting up the script language and type for execution. You can also see Lrx = something, and then a whole array of assignments being made from values to variables. Lastly there is the function document.write, which would write to the original htm you downloaded (had it been rendered). It is telling your browser to write out the decoded values. To decode the values safely and quickly without executing the page, change the highlighted string document.write to alert, as demonstrated here:

[IT_ex1_counter.info.txt_after.gif]

Now you can copy everything with Control-A (select all) and then Control-C (copy) and paste it into a new file with a generic html template (html, head, body), as demonstrated here:

[IT_ex1_jsource_copy.gif]

Now this file is safe to render, since we know that we are no longer writing to the document but instead showing it as a message. Open the file with your browser. Keep in mind that the decoding loop itself still runs; only the final document.write has been redirected, so a script that hands its result to eval or some other sink instead needs that call swapped for alert as well.

[IT_ex1_jsource_run.gif]

Ah ha! The obfuscated code decodes to another script function which is telling your browser to go and fetch a file named counter.js from this site. It has a JavaScript extension, so it is also intended to run.

As you did previously, you want to use wget to download this file without executing it...

[IT_ex1_wget_js.gif]

... and so on, ad nauseam. It turns out the counter.js file is similar to the original obfuscation and in turn runs another script to track the referral. Other scripts aren't so nice: they take advantage of the exploit of the day and do a lot worse, such as turning your computer into a DDoS zombie.

The next time you see a new member sign on, be more careful and try not to get social engineered into clicking that link. These mechanisms exist only because they work and dupe people every day. If you do feel the urge to find out where the other side of that link goes, use the measures I described above to fetch the information safely so as not to open your system up to trouble. The best thing to do is to advise the forum moderators or administrators about this member so they can investigate further and protect their forum members from being taken for a ride. There are many variations of this attack, but this is the most common that I have seen around (especially recently).

This ends this segment for today. I'll keep you updated with more lessons in Spam and Phishing Obfuscation; in the meanwhile, stay safe and out of trouble.

Keeping it 'rael,
Israel Torres

Links:
phpBB bulletin board package - http://www.phpbb.com/
Phishing - http://en.wikipedia.org/wiki/Phishing
Spamming - http://en.wikipedia.org/wiki/Spamming
Social Engineering (SE) - http://en.wikipedia.org/wiki/Social_engineering_(computer_security)
Captcha - http://en.wikipedia.org/wiki/Captcha
Wget - http://en.wikipedia.org/wiki/Wget
cURL - http://en.wikipedia.org/wiki/CURL
ad nauseam - http://en.wikipedia.org/wiki/Argumentum_ad_nauseam