LinkedIn Blackhole Spam Fails the Smell Test
Looks like someone’s spam campaign got up on the wrong side of the bed this morning: A badly malformed message appears to be trying to convince the reader it originates with LinkedIn, the business-centric social network.
Hardly any message at all, the spam body consists entirely of ReportIDA161580AD75, which precedes a goo.gl shortlink. The laughable pidgin-English quality of the spam’s subject – last login was Failed xxxxxxxxxxxxx — breaks the illusion completely. The fact that whoever sent this didn’t even try to mask the message’s true origin (a Yahoo mail account) just makes this kind of sad, really.
And yet, on any campaign such as this, some people will be taken in by this phony, broken-down soundstage of a ruse, peeling paint and all. When that happens, if those likely victims happen to click the wrong link in the wrong spam, on a computer with a vulnerable browser, and do so quickly enough to hit the malicious Web site while it’s still online, well, it’s a bit like this.
The shortlink pointed the browser at k3yrt7a.frontscheeky.com. Early in the morning, DeepSee identified the geolocation of the IP address to which this domain resolved as Lahore, Pakistan.
Later in the day, however, the IP address had changed and pointed to a server located in Mexico. Then it went haywire. The domain now has a crazy amount of DNS diversity — at least twenty IP addresses from around the world all resolve to this bizarre domain name.
The frontscheeky link immediately bounces the browser into the waiting arms of stoneheadge.net, which is operating the Blackhole exploit kit. The first page we hit on stoneheadge, main.php, consists of a single JavaScript that decodes a ginormous (and yes, that’s a technical term) array of hexadecimal-encoded data.
The script isn’t even all that complicated. But that array — hoo boy.
That’s a big array. It takes the browser a few seconds to crunch the numbers. Then it looks like a fairly typical Blackhole driveby: The JavaScript instructs the browser to download and open a maliciously crafted PDF; next, two Adobe Flash files; and finally an executable payload (the w.php URI at the end).
The security community seem to have come to a broad consensus on this point.
Check out the timestamps in the attack shown above; it only took the exploit kit 21 seconds to deliver malware, from the moment I clicked that malicious link.
The attack seems to always progress the same way: main.php; malicious PDF call (fdp2.php above but the names change frequently); field.swf & score.swf; w.php (.exe payload, Microsoft calls it Cridex.B). Of course, now that I’ve called attention to their extremely repetitive and boringly predictable infection routine, it will be up to the Blackholers to decide whether they want to change up their game.
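The fixed landing-page, PDF, Flash, executable sequence described above is exactly the kind of pattern a proxy log can be searched for. The script below is an added example, not code from the original post or from any product it mentions: it parses constructed log lines (timestamp, client, host, URI, content type) and flags a client/host pair that walks through those four stages in order within a short window, keying on the served content type rather than the file name, since the post notes the names change frequently. The hosts, URIs and timings in the sample are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample proxy log (not from the original post). Fields:
# timestamp client_ip host uri content_type
SAMPLE_LOG = """\
2012-01-19T08:14:02 10.0.0.5 k3yrt7a.frontscheeky.com / text/html
2012-01-19T08:14:03 10.0.0.5 stoneheadge.net /main.php text/html
2012-01-19T08:14:09 10.0.0.5 stoneheadge.net /fdp2.php application/pdf
2012-01-19T08:14:15 10.0.0.5 stoneheadge.net /field.swf application/x-shockwave-flash
2012-01-19T08:14:18 10.0.0.5 stoneheadge.net /score.swf application/x-shockwave-flash
2012-01-19T08:14:24 10.0.0.5 stoneheadge.net /w.php application/x-msdownload
2012-01-19T08:20:00 10.0.0.7 www.example.com /main.php text/html
2012-01-19T08:21:00 10.0.0.7 www.example.com /brochure.pdf application/pdf
"""

# Stage order the post describes: landing page, PDF, Flash, executable.
STAGES = ("landing", "pdf", "flash", "exe")
EXE_TYPES = {"application/x-msdownload", "application/octet-stream",
             "application/x-dosexec"}


def classify(uri, ctype):
    """Map one request to a stage; content type wins over the URI extension."""
    ctype, uri = ctype.lower(), uri.lower()
    if ctype == "application/pdf" or uri.endswith(".pdf"):
        return "pdf"
    if ctype == "application/x-shockwave-flash" or uri.endswith(".swf"):
        return "flash"
    if ctype in EXE_TYPES or uri.endswith(".exe"):
        return "exe"
    if ctype.startswith("text/html"):
        return "landing"
    return None


def parse_log(text):
    """Parse the whitespace-separated log format used in SAMPLE_LOG."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, uri, ctype = line.split()
        entries.append((datetime.fromisoformat(ts), client, host, uri, ctype))
    return entries


def find_driveby_chains(entries, window=timedelta(seconds=60)):
    """Return one finding per (client, host) session that completes all stages
    in order within `window` of the landing page request."""
    sessions = {}
    for ts, client, host, uri, ctype in sorted(entries):
        sessions.setdefault((client, host), []).append((ts, uri, classify(uri, ctype)))

    findings = []
    for (client, host), reqs in sessions.items():
        for i, (start_ts, start_uri, stage) in enumerate(reqs):
            if stage != "landing":
                continue
            seen = {"landing": start_uri}
            remaining = list(STAGES[1:])          # stages still to be matched
            for ts, uri, st in reqs[i + 1:]:
                if ts - start_ts > window:
                    break
                if remaining and st == remaining[0]:
                    seen[remaining.pop(0)] = uri
                    if not remaining:             # exe reached: full chain
                        findings.append({
                            "client": client,
                            "host": host,
                            "stages": seen,
                            "elapsed_seconds": (ts - start_ts).total_seconds(),
                        })
                        break
            if not remaining:
                break                             # one finding per session is enough
    return findings


if __name__ == "__main__":
    for f in find_driveby_chains(parse_log(SAMPLE_LOG)):
        print(f"{f['client']} -> {f['host']}: {f['stages']} in {f['elapsed_seconds']:.0f}s")
```

The second session in the sample (an HTML page followed by a PDF on an ordinary site) is deliberately there to show that two stages alone do not trigger a finding; only the complete ordered chain ending in an executable download does.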
The executable payload exhibited a skillful mastery of the art of word salad tossing, most thoroughly in its file properties. Clearly, if malware ever ceases to be a lucrative career for these guys, they could transition to publishing, writing hard-boiled pulp detective novels by committee, and coming up with titles like The Herr Lane Drugs Vain Gulls Caper. How gauche.exe
When we detonated the malware on our test system, we discovered two things. First, the file has an alternate name for itself, in a default location. Just to make sure we don’t miss it, the malware creators were kind enough to put it in there—twice. Sure enough, we found a copy of the executable with that name, in that location.
Second, the Trojan likes to handle its private business in private, so it phones home using SSL, this time with jahramainso.com, a Web domain hosted in that central Asian hub of high tech, Kazakhstan. You know, the Silicon Steppes, home to Baikonur, the Cape Canaveral of the Caspian?
Jahramainso.com seems to be hosted on an IP range with a very poor reputation. I can’t imagine how such a thing could occur. It is an immense coincidence, no doubt.
It pays to dump the process from memory. We also found references there to jahramainso, as well as to volondoko.com, bubenlor.com, and jahenkos.net.
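Pulling the other domains out of the dumped process, as the paragraph above describes, amounts to a strings scan with a hostname filter. The script below is an added example, not the post's own tooling: it walks a byte image for ASCII and UTF-16LE printable runs, applies a hostname regex, and drops common false positives such as DLL names and script file names. The byte image is constructed for illustration and only reuses the domain names already quoted in the post.

```python
import re

# Constructed stand-in for a process memory dump (not a real sample): binary
# noise, one URL, two ASCII hostnames, one UTF-16LE hostname and some
# Windows API strings that should not be reported.
MEMORY_IMAGE = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 16
    + b"https://jahramainso.com/in.php\x00"
    + b"\x7f\x01\x02" + b"volondoko.com\x00" + b"\xff" * 8
    + "bubenlor.com".encode("utf-16le") + b"\x00\x00"
    + b"jahenkos.net\x00kernel32.dll\x00GetProcAddress\x00advapi32.dll\x00"
    + b"user.config\x00a.b\x00"
)

ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")
# DNS-style labels followed by an alphabetic top-level label of 2+ characters.
HOSTNAME = re.compile(r"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")
# Suffixes that look like TLDs in a strings dump but are file extensions.
SKIP_SUFFIXES = {"dll", "exe", "sys", "ocx", "pdb", "php", "asp", "html",
                 "htm", "config", "ini", "dat", "txt", "log"}


def printable_strings(image):
    """Yield decoded printable runs, like the strings tool with -a and -el."""
    for m in ASCII_RUN.finditer(image):
        yield m.group().decode("ascii")
    for m in WIDE_RUN.finditer(image):
        yield m.group().decode("utf-16le")


def extract_hostnames(image):
    """Return sorted, de-duplicated hostname candidates found in the image."""
    found = set()
    for s in printable_strings(image):
        for host in HOSTNAME.findall(s.lower()):
            if host.rsplit(".", 1)[-1] not in SKIP_SUFFIXES:
                found.add(host)
    return sorted(found)


if __name__ == "__main__":
    for host in extract_hostnames(MEMORY_IMAGE):
        print(host)
```

Candidates from a real dump still need a sanity pass (they include legitimate hosts the process talked to), but a list like this is the starting point for the registration and hosting pivots the post goes on to make.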
Looks like our future command and control network all ready for us. All four domains were registered on January 11th, just a little over a week ago. They all are hosted on the same Kazakh IP address, but all use nameservers based in China, and were registered through a Chinese registrar, Bizcn.
With the exception of Jahramainso.com, they lack the full WHOIS data in their registration details. It’s not as if it matters; it’s all going to be falsified anyway, so why waste everyone’s time? I just don’t know why anyone with oversight authority over domain registrars lets registrars get away with this kind of shenanigans.
So, your campaign is well and truly pwned now, your secrets laid open. Remember malware guys, there’s no need to torture yourself in a job you’re obviously terrible at and hate to do. You could just switch gears now, throw in the towel. There’s no shame in the admission of defeat, especially when you suck at it this hard. Look towards the future. You could be doing something you’re good at, something that you love to do — tossing salads — by the end of next week.