When it comes to spam messages, conventional wisdom dictates that you shouldn’t follow links or call phone numbers in the message, order products from the spammer, or open files attached to the email. We all should know by now that you should never open attached executable files, and spam filters now treat all .exe files as suspicious. When spammers began flooding inboxes with .zip files containing executables, we caught on pretty quickly as well.
But HTML isn’t executable — it’s just plain text — so does that mean it’s safe to open attachments when they’re just HTML files? Hell no! Case in point: this doozy that came through our spam bucket last week.
The message subject reads Your Funds Will Be Transfered and the body helpfully informs the recipient that I am able to complete the funds transfer late night — I hope that doesn’t mean someone sent Jimmy Fallon $28,126 from my bank account. It continues, Copies of the payment is being attached, and the message indeed has an attachment named Copies of the payment.htm which I can open and…
…uh oh. That’s where the trouble begins.
The end result: Three pieces of malware installed; Two password-stealing copies of the Zbot phishing trojan, and a remote-access backdoor to boot. Considering Zbot’s propensity for stealing bank account logins and other sensitive credentials, I suppose the subject line was correct after all. Your funds will be transferred. Just not where you thought.
A more careful look at the attachment reveals that it contains some lightly obfuscated JavaScript code. When rendered in a browser, the code instructs the browser to load a page on a Web site called DreamLifeAsia, which is (surprisingly, considering the name) not a pornography site. That page contains instructions for the browser to load a one-pixel-square iframe from a page on the raceobject.ru Web site.
The raceobject.ru page contains scripting that instructs the browser to download and execute a payload from yet a third Web site, problemdollars.ru. It just so happens that these fine, upstanding Russian-registered Web sites are hosted on the same server, located at the same IP address.
Whoever scrabbled together this row of dominoes must have thought they were being really clever when they made their code hard to read. Take a look at the line below, for example. At first glance, you might not be able to determine what it’s supposed to do. It looks like gobbledygook, right?
Well, take out every other character in the line encircled in red, and the cloying concatenation code, and this is what you get:
Yeah, genius, we figured out your awesome trick. It’s the “insert a random letter between every character” encryption algorithm, first invented in the year one by a five year old girl who wanted to pass a clay tablet to her friend in class without the teacher being able to read her Aramaic. The only significant difference is that there are no little hearts drawn over the “i”s. RSA and Bruce Schneier, eat your hearts out. These guys are obviously l33t.
In the end, the page directs a vulnerable browser to download the backdoor to the victim’s computer. The backdoor pulls down Zbot. Zbot contacts its command and control server, pulls down a data file with instructions, and makes another copy of itself on the infected computer’s hard drive.
In addition, the backdoor changes all the Security Zone settings in IE, clears your cookies, changes the settings for the Windows firewall to permit Windows Explorer (not IE) to receive data from anyone on the Internet, and makes other modifications to security settings that make it far more likely a victim will further infect him- or herself.
Bottom line, it doesn’t matter what kind of attachment you get. Don’t open anything attached to a spam email in a browser. After all, it’s pretty obvious that this is just a ruse. Jimmy Fallon doesn’t need your money, just some decent Nielsen numbers in his time slot, and that’s one thing Zbot can’t steal.
That is bloody sneaky – I hate embedded scripts. GoDaddy also recently had a similar attack where the Russian website in this very article was embedded into the head of many of its users’ php files. It took forever to clean!!
How on earth do you stop this mess? I get 5 a day now! I cannot seem to filter it; it is driving me barking mad!!
We’re in the middle of a spam campaign where the spammers are sending millions of these messages. I’m getting them too. Simply delete them.
I opened an HTML attachment. Is there a way to check if my computer is infected, and also can you remove the virus?
I ran a scan and it didn’t find any viruses. Also I opened the same attachment on my iPad too; is there a possibility that my iPad got infected too? I would appreciate it if someone could respond and help me out.
If you are concerned about a specific file, you can submit it directly to us for review. The best way to submit these files to our team would be to use the “Submit a File” feature under the System Tools tab within the program. As for an infection within your iPad, there is very little chance that your tablet was infected. If you are concerned, head into your Settings app, click Safari, and click “Clear Cookies and Data”.