Symantec observed a spike of malicious spam activity in the early morning of March 16. These spam samples use subject lines related to the recent natural disaster in Japan and political unrest in the Middle East. This post walks through an end-to-end analysis of the attack.
As the samples below show, the spam uses subject lines about the nuclear emergency caused by a series of explosions at Japanese nuclear plants, the effects of the earthquake and tsunami on the global economy, and the unrest in the Middle East.
Below are some of the subjects used in the attack.
Subject: Japanese Stocks May Defy Earthquake, Gain as Global Demand Drives Exports - Bloomberg
Subject: Quake-prone California questions nuclear safety - Reuters
Subject: Yen slips as risk aversion flows subside - Reuters
Subject: Japan Adds to Global Economy Woes
Subject: Apple delays Ipad 2 launch in Japan - Inquirer
Subject: European hospitals may aid Japan
Subject: Protesters on roof of Libyan embassy in London - AFP
Subject: Japan radiation: 'People are worried'
Subject: VIDEO: Gaddafi's troops retake Ras Lanuf
Subject: VIDEO: Attempt to calm Japan nuclear fears
Subject: Japan quake may be world's costliest disaster
Subject: Troops Attack Bahrain Protesters
Searching for these subjects online shows that they are lifted verbatim from the headlines of news agencies such as BBC, CNN, WSJ, Reuters, and many others. This is an old trick: disasters, celebrity names, or political issues are used to lure recipients into opening malicious URLs or attachments.
In this case, clicking the URL in the spam email takes the user to a malicious Web site hosting the Blackhole exploit kit. We have blogged earlier about the Blackhole exploit kit's continued success rate. At present, Blackhole is the most prevalent exploit toolkit in the wild because of its broad set of exploits. The landing page fingerprints the visitor's browser and installed software and serves whichever of the exploits listed below fits that environment.
CVE-2010-1885: Help Center URL Validation Vulnerability
CVE-2006-0003: Microsoft MDAC RDS.Dataspace ActiveX Control Remote Code Execution Vulnerability
CVE-2009-1671: Sun Java Runtime Environment ActiveX Control Remote Buffer Overflow Vulnerability
The landing-page code shown below checks the installed version of Adobe Reader and serves a malicious PDF tailored to it.
The image below shows the obfuscated content of the downloaded PDF.
The decoded script contains exploits for three Adobe Reader JavaScript vulnerabilities:
CVE-2008-2992: Adobe Reader 'util.printf()' JavaScript Function Stack Buffer Overflow Vulnerability
CVE-2009-0927: Adobe Reader Collab 'getIcon()' JavaScript Method Remote Code Execution Vulnerability
CVE-2009-4324: Adobe Reader 'newplayer()' JavaScript Method Remote Code Execution Vulnerability
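The post describes a version check on the landing page, an obfuscated PDF, and a decoded script that carries three Reader JavaScript bugs. The scanner below is an added example, not Symantec's code and not the kit's code; it shows the static triage an analyst does on such a sample: inflate FlateDecode streams, resolve #xx-escaped names (a common trick for hiding /JavaScript from naive string matching), rejoin split string literals, and report which of the three API calls the script references and whether it branches on app.viewerVersion. The sample PDF and the script inside it are constructed here for illustration; the script only carries the function names and a version branch, it is not an exploit. The fix-version thresholds in the sample (8.13, 9.1) are assumptions for the demo, not values taken from the kit.

```python
"""Static triage of a PDF for the Reader JavaScript bugs listed above.

Hypothetical example added to this post (not Symantec's code and not the kit's).
"""
import re
import zlib

# Constructed sample script: version-gated selection between the three API names,
# with each name split across string literals. Placeholder logic only; it is not
# an exploit, it just carries the names a scanner must be able to find.
SAMPLE_JS = (
    "var v = app.viewerVersion;"
    'var a = "util.pr" + "intf";'
    'var b = "Collab.ge" + "tIcon";'
    'var c = "media.new" + "Player";'
    "if (v < 8.13) { f = a; } else if (v < 9.1) { f = b; } else { f = c; }"
)


def build_sample_pdf(script: str) -> bytes:
    """Minimal PDF whose /OpenAction runs `script` from a Flate-compressed stream.
    Name escapes (/J#61vaScript, /Fl#61teDecode) mimic a common evasion."""
    body = zlib.compress(script.encode())
    return (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
        b"3 0 obj << /S /J#61vaScript /JS 4 0 R >> endobj\n"
        b"4 0 obj << /Length " + str(len(body)).encode()
        + b" /Filter /Fl#61teDecode >>\nstream\n" + body + b"\nendstream\nendobj\n"
        b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )


NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
OBJ = re.compile(rb"(\d+)\s+0\s+obj\s*(.*?)\s*endobj", re.S)
STREAM_START = re.compile(rb"stream\r?\n")
DIRECT_LENGTH = re.compile(rb"/Length\s+(\d+)\b(?!\s+0\s+R)")  # skip indirect /Length n 0 R
STRING_SPLIT = re.compile(rb"""(["'])\s*\+\s*\1""")            # "ab" + "cd" -> "abcd"

# Acrobat JavaScript API calls abused by the three CVEs the decoded script carries.
SIGNATURES = {
    b"util.printf": "CVE-2008-2992",
    b"Collab.getIcon": "CVE-2009-0927",
    b"media.newPlayer": "CVE-2009-4324",
}


def unescape_names(data: bytes) -> bytes:
    """Resolve PDF name escapes so /J#61vaScript compares equal to /JavaScript."""
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def parse_objects(pdf: bytes) -> dict:
    """Map object number -> (dictionary with escapes resolved, decoded stream or None).
    Only the dictionary text is un-escaped; stream bodies are sliced by /Length and
    left binary, so a stray '#41' inside compressed data is never mangled."""
    objects = {}
    for num, body in OBJ.findall(pdf):
        m = STREAM_START.search(body)
        dict_ = unescape_names(body[: m.start()] if m else body)
        payload = None
        if m:
            n = DIRECT_LENGTH.search(dict_)
            # Fall back to the endstream keyword when /Length is indirect or missing.
            end = m.end() + int(n.group(1)) if n else body.rfind(b"endstream")
            payload = body[m.end(): end]
            if b"/FlateDecode" in dict_:
                try:
                    payload = zlib.decompress(payload)
                except zlib.error:
                    payload = None  # corrupt or truncated stream: keep scanning the rest
        objects[int(num)] = (dict_, payload)
    return objects


def extract_javascript(objects: dict) -> list:
    """Collect scripts from /JavaScript actions, inline (/JS (...)) or by reference
    (/JS n 0 R), and rejoin split string literals so signatures match whole names.
    The inline form does not handle nested parentheses; it is enough for triage."""
    scripts = []
    for dict_, _ in objects.values():
        if b"/JavaScript" not in dict_:
            continue
        inline = re.search(rb"/JS\s*\((.*?)\)\s*(?:/|>>)", dict_, re.S)
        if inline:
            scripts.append(inline.group(1))
        ref = re.search(rb"/JS\s+(\d+)\s+0\s+R", dict_)
        if ref and objects.get(int(ref.group(1)), (None, None))[1] is not None:
            scripts.append(objects[int(ref.group(1))][1])
    return [STRING_SPLIT.sub(b"", s) for s in scripts]


def scan(pdf: bytes) -> dict:
    """Summarise what an analyst wants first: auto-run, script count, CVEs, gating."""
    objects = parse_objects(pdf)
    scripts = extract_javascript(objects)
    return {
        "auto_run": any(b"/OpenAction" in d for d, _ in objects.values()),
        "javascript_objects": len(scripts),
        "version_gated": any(b"app.viewerVersion" in s for s in scripts),
        "cves": sorted({cve for s in scripts for sig, cve in SIGNATURES.items() if sig in s}),
    }


if __name__ == "__main__":
    print(scan(build_sample_pdf(SAMPLE_JS)))
```

Run against the constructed sample, scan() reports an auto-run document with one script that is version-gated and references all three API calls. The name un-escaping is the part most often missing from quick grep-based checks; without it the /J#61vaScript action above is invisible, and the split-literal rejoin is what makes the signature match survive the simplest string-fragment obfuscation the post's screenshot shows.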
Spammers build curiosity into their messages to get users to open them and, in the end, run the executable. Borrowing the names of well-known news agencies, heart-wrenching tragedies, or celebrities lends the message the credibility it needs to gain the recipient's trust and get through. The good news is that Symantec customers are protected from this attack: Symantec offers multilayered protection against it in the form of antispam, antivirus, IPS, and reputation-based services.
Products such as NortonSafeWeb should be used to verify links before clicking on them. Below is a screenshot of NortonSafeWeb warning the user about the domain used in this attack.
We at Symantec urge users to follow the standard practice of not opening suspicious links or attachments received in unsolicited mail or from unexpected sources. We also recommend installing all security patches and definition updates promptly.
Note: My thanks to the co-author of this blog, Parveen Vashishtha.