Friday, September 7, 2012

LinkedIn Spam, exploits and Zeus: Revisited

In my post from June this year, I already reported on an excellent recipe for a cybercrook:

  1. Hacking LinkedIn's password (and possibly user-) database.
  2. Sending an email to all obtained email addresses, which is urging you to check your LinkedIn inbox as soon as possible.
  3. A user unawarely clicking on the link.
  4. An exploit gets loaded. Malware gets dropped. Malware gets executed.
  5. User's computer is now a zombie (part of a botnet).

You can find that post back here:
LinkedIn spam, exploits and Zeus: a deadly combination ?

Seems this scheme is still being successfully employed, as well the usage of the latest Java exploit (CVE-2012-4681).

Let's clearly divide this clever trick into the 3 parts.

Part 1 - the spam email:

So called reminder from LinkedIn

Example subjects of this email:
Communication LinkedIn Mail
Connection LinkedIn Mail
Contact LinkedIn Mail
Immediate LinkedIn Mail
Invitation reminders LinkedIn
Link LinkedIn Mail
LinkedIn Updates
Relation LinkedIn Mail
Relationship LinkedIn Mail
Rush LinkedIn Mail
Signaling LinkedIn Mail
Urgent LinkedIn Mail

First part of the whole set-up or scheme is of course letting the user click on a malicious link.

This is your typical social engineering trick: it seems you have pending messages from LinkedIn and you can check your inbox by clicking on the link.

Note that the other links also trigger the exploit.

Part 2 - the -in this case Java- exploit

When clicking on one of the links, you are redirected to a website which is hacked and is hosting a Javascript file:

Malicious Javascript

This Javascript is not very malicious, it just redirects to another website (again) where the exploit is hosted:

Location of the actual exploit

Eventually, you'll get on a webpage which contains heavily obfuscated Javascript. Note that the Blackhole exploit kit is responsible for this one. Here's a small part:

Small part of the code; you can see a file called Leh.jar and 2 of its classes

Leh.jar classes, which contains CVE-2012-4681 exploit code

There's an excellent article over at the Immunity blog which takes a closer look at the classes used in this exploit. Remember the classes are just a name, they don't indicate something particular (as far as I know):
Java 0day analysis (CVE-2012-4681)

Here's a link to the fully obfuscated Javascript on PasteBin:

...and here's the same file, deobfuscated:

Part 3 - the Trojan - Zeus/Zbot

I have used Revelo to deobfuscate the malicious Javascript, which now neatly shows our Trojan as well:

File called 3Wcg.exe will be downloaded and executed

When executing this file....: crashed. Badly coded or Sandbox/VM aware

As you can see from the figure above, the sample crashed upon execution... Not much to do here.

Most probably your banking credentials and/or passwords would have been stolen, or you would be sending spam.

Some more information on the associated files:

Result: 13/42
MD5: 25b67f22490800881c4e13b15f7ac477
VirusTotal Report

Result: 17/42
MD5: ddf9093ceafc6f7610dcc3fcf2992b98
VirusTotal Report
ThreatExpert Report

Result: 26/41
MD5: df79dfd605eed6d578063089a48d670b
VirusTotal Report
ThreatExpert Report
Malwr Report


Same as one of my previous posts in regards to exploits:
Patch your third-party applications. In cases of Java and Adobe, remove them if unneeded.

Use an antivirus which has or uses behavioural technologies and/or exploit prevention.

Always check the URL of a link. you can verify this by 'hovering' over the URL to check what is really behind.
If you really have messages waiting for you on LinkedIn, and you're curious, just go directly to it by typing it manually in your browser. Delete emails from unknown senders and never open any attachments from them!

Use the add-on NoScript (Firefox) or NotScripts (Chrome) to prevent automatic loading of malicious Javascripts.