2013-07-28 - EXAMINING A PHISHING EMAIL - SUBJECT: YOU GOT MMS ID 1706000065

PCAP AND MALWARE:

 

It's been a while since I received a phishing email, so when one appeared in my Yahoo webmail, it provided an opportunity to examine a phishing attack here on the blog.  This email had a Zbot information-stealing Trojan attached.  Here's a screen shot of the email in my spam folder:

Let's find out where this email came from and what would happen if someone were to execute the attachment...

THE EMAIL

If you want to find out where an email came from, you need to look at the header for the message.  For Yahoo webmail, go to "Actions" and select "View Full Header" as shown below:

This brings up a window with the full header that you select, copy, and paste into a text editor.

Once you copy and paste the text into a text editor, you can view the header lines much easier.  As shown below, this email came from a mail server at 69.149.97.78 which is assigned to smtp.rcn.com.

However, this is not the original source of the message.  An email can pass through one or more mail servers before it reaches its final destination.  You can find the original sending IP address by looking for all of the "Received:" lines and finding the first one.  According to the current standard for SMTP, RFC 5321, "An Internet mail program MUST NOT change or delete a Received: line that was previously added to the message header section" (Section 4.4).

As shown below, there are two "Received:" lines.  The first one was Friday, 19 Jul 2013 at 15:26:11 GMT (11:26:11 -0400) while the second line has a time of 15:29:10 GMT.  The first "Received:" line has 87.249.16.130 as the sending IP address, which is the original sender.

Who is the original sender?  A whois check shows 87.249.16.130 is a Polish IP address that belongs to an Internet service provider.

We've figured out the origin of this phishing email, so let's examine the malware.

THE MALWARE

A quick check of the attachment ldr.zip on VirusTotal shows it's a fairly-well identified piece of malware.  In fact, I couldn't download the attachment from Yahoo webmail, because the built-in Symantec anti-virus scanner prevented it.  I had to forward the phishing email my Time Warner Roadrunner account before I could download the attachment.

This malware is described mostly as Zbot, an information-stealing Trojan that targets usernames and passwords for online bank accounts.

If you open the ZIP file, it shows a file named Photo_19.07.2013_ID3698006402.jpeg.exe.  Since Windows default settings hide the file extension, you might not see the ".exe" file extension.  Interestingly enough, the file has an icon for a PDF file, even though it appears to be masquerading as a JPEG.

TRAFFIC GENERATED BY THE MALWARE

I ran the malware on a default Windows 7 SP 1 computer (a physical host, not a VM) that was monitored by another host with a default installation of Security Onion.  This malware generated three Snort-based events as shown below:

When running the malware on the Windows computer, a Windows firewall alert popped up:

The malware generated the following DNS requests:

I recorded the traffic approximately 10 minutes after executing the malware.  It generated the following traffic:

The HTTP POST to www.phonebillssuck.com occurred when the malware checked in.  The malware appears to be a Trojan downloader, and it generated four HTTP GET requests for more malware.  Only one of these was successful--the request GET /Dam.exe returned a malicious binary that was also identified as a Zbot-style information stealer.  The non-HTTP traffic on UDP and TCP may have been encrypted--it definitely wasn't plain text.  This other activity indicates this malware does more than just steal information.

VIRUS TOTAL RESULTS ON THE MALWARE

File name:  Photo_19.07.2013_ID3698006402.jpeg.exe
MD5:  e02373f67aafdacf97b8b48e1a966f90
File size:  120.0 KB ( 122880 bytes )
Virust Total detection ratio:  37 / 46
File name:  Dam.exe
MD5:  65871c526d52e99ad8eba98f62c2e1d9
File size:  303.5 KB ( 310784 bytes )
Virust Total detection ratio:  3 / 47

FINAL NOTES

In this blog entry, we examined a phishing email with a malicious attachment.  The attachment was a Zbot-style information stealer.  We examined the email and reviewed some of the traffic generated by the malware.

Once again, here's the PCAP of the traffic and ZIP file of the malware:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.