2013-07-28 - EMAIL ATTACHMENT LEADS TO MALWARE INFECTION


It's been a while since I received a malicious email, so when one appeared in a Yahoo webmail account, it provided an opportunity for a blog post.  This email had a malware attachment.  Here's a screenshot of the email in my spam folder:

Let's find out where this email came from and what would happen if someone were to execute the attachment...

THE EMAIL

If you want to find out where an email came from, you need to look at the header for the message.  For Yahoo webmail, go to "Actions" and select "View Full Header" as shown below:

This brings up a window with the full header that you select, copy, and paste into a text editor.

Once you copy and paste the text into a text editor, you can view the header lines much more easily.  As shown below, this email came from a mail server at 69.149.97[.]78, which is assigned to smtp.rcn[.]com.

However, this is not the original source of the message.  An email can pass through one or more mail servers before it reaches its final destination.  You can find the original sending IP address by looking for all of the "Received:" lines and finding the first one.  According to the current standard for SMTP, RFC 5321, "An Internet mail program MUST NOT change or delete a Received: line that was previously added to the message header section" (Section 4.4).

As shown below, there are two "Received:" lines.  The first one was Friday, 19 Jul 2013 at 15:26:11 GMT (11:26:11 -0400), while the second line has a time of 15:29:10 GMT.  The first "Received:" line has 87.249.16[.]130 as the sending IP address, which is the original sender.

Who is the original sender?  A whois check shows 87.249.16[.]130 is a Polish IP address that belongs to an Internet service provider.
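To make the header walk above repeatable, here is an added Python example (not from the original post) that pulls the "Received:" lines out of a constructed header built from the post's two hops and returns the earliest one.  The receiving host name and the sender address are placeholders; the IP addresses and timestamps are the ones from the post.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample header (not the original message).  IPs and times come from
# the post; the receiving MTA name and sender address are placeholders.
SAMPLE_HEADER = """\
Received: from smtp.rcn.com (smtp.rcn.com [69.149.97.78])
    by mta-placeholder.example with SMTP; Fri, 19 Jul 2013 15:29:10 +0000
Received: from [87.249.16.130] by smtp.rcn.com with SMTP;
    Fri, 19 Jul 2013 11:26:11 -0400
From: sender-placeholder@example.invalid
Subject: Photo
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_received(header_text):
    """Return Received: hops as (ip, datetime) in header order (newest first).

    Each MTA prepends its own Received: line and RFC 5321 section 4.4 forbids
    altering earlier ones, so the last entry is the earliest hop.
    """
    msg = message_from_string(header_text)
    hops = []
    for raw in msg.get_all("Received", []):
        line = " ".join(raw.split())            # unfold continuation lines
        ip_match = IPV4.search(line)            # first IPv4 literal in the hop
        date_text = line.rsplit(";", 1)[-1].strip()  # timestamp follows the ';'
        hops.append((ip_match.group(1) if ip_match else None,
                     parsedate_to_datetime(date_text)))
    return hops


def original_sender(header_text):
    """Return (ip, UTC time string, ordered) for the earliest Received: hop.

    `ordered` is False when hop times run backwards, which is a hint that the
    chain was forged or that a relay clock is badly off.
    """
    hops = parse_received(header_text)
    if not hops:
        raise ValueError("no Received: lines in header")
    times = [when for _, when in reversed(hops)]   # oldest -> newest
    ordered = all(a <= b for a, b in zip(times, times[1:]))
    ip, when = hops[-1]
    return ip, when.astimezone(timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"), ordered
```

On the sample header this reports 87.249.16.130 at 15:26:11 UTC as the origin, matching the first "Received:" line discussed above.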

We've figured out the origin of this phishing email, so let's examine the malware.

THE MALWARE

A quick check of the attachment ldr.zip on VirusTotal shows it's fairly well identified as malware.

If you open the zip archive, it shows a file named Photo_19.07.2013_ID3698006402.jpeg.exe.  Since Windows hides known file extensions by default, you might not see the ".exe" file extension.  The file has an icon for a PDF file, even though it appears to be masquerading as a JPEG.

TRAFFIC GENERATED BY THE MALWARE

I ran the malware on a default Windows 7 SP1 computer (a physical host, not a VM) that was monitored by another host with a default installation of Security Onion.  This malware generated three Snort-based events as shown below:

When running the malware on the Windows computer, a Windows firewall alert popped up:

The malware generated the following DNS requests:

I recorded the traffic approximately 10 minutes after executing the malware.  It generated the following traffic:

The HTTP POST to www.phonebillssuck[.]com occurred when the malware checked in.  The malware appears to be a downloader, and it generated four HTTP GET requests for more malware.  Only one of these was successful: the request GET /Dam.exe returned a malicious EXE file.  The post-infection UDP and TCP traffic appears to be encoded or otherwise encrypted.

VIRUS TOTAL RESULTS ON THE MALWARE

File name:  Photo_19.07.2013_ID3698006402.jpeg.exe
File size:  122.9 KB ( 122,880 bytes )
File name:  Dam.exe
File size:  310.8 KB ( 310,784 bytes )

FINAL NOTES

In this blog entry, we examined an email with a malicious attachment.  We examined the email and reviewed some of the traffic generated by the malware.
