Double trouble – spam and malware payloads

Don’t you hate spam? It’s a nuisance, but not anything you really need to worry about, is it? I mean, it’s not like you ran an executable, you just found yourself somewhere trying to sell you Viagra, no harm done, right? Wrong – one recent campaign in particular highlights this fact.

Graham’s been talking about spam campaigns we’ve seen this last week containing html attachments. With topics currently covering Adult Friend Finder, romantic interest & Skype purchases, Facebook porn & Skype payment problems, and Facebook password resets, the spam’s trying very hard to get you to open its attachment. And if you do, you get taken to a page from our old friends at Canadian Pharmacy:

Canadian Pharmacy

At which point you presumably close the window, and chalk up the experience as another annoying run-in with spam. Case closed … or is it?

When you open the attachment it loads a page from a remote website which looks something like this:

Script Redirect

The first tag, the one starting “<meta http-equiv=”refresh”, redirects the browser to another site, in this case after 3 seconds – here’s where you find yourself taken to the Canadian Pharmacy page. But the other tag, the “<iframe src” one, also redirects the browser, this time in a way that you don’t get to see.

This iframe takes you to a page detected as Troj/Iframe-EW, which tries to load more malicious content. In fact it loads both Notes10.pdf (Troj/PDFJs-JS) and Applet10.html (Troj/ExpJS-W), which try to exploit vulnerabilities in both Acrobat and Java software to download and run an executable. This file is detected as Mal/EncPk-LW, and is typically something we’d see associated with the Koobface gang.

You may be lucky, though. Whoever set up these pages didn’t always want visitors to receive the same content – when I just fetched the original page again, this time I was given the following:

Script Redirect 2

The first meta refresh tag is still there, but the iframe has been removed. In its place are multiple junk phrases and links to other sites, exactly the sort of thing we’d expect to see in blackhat SEO poisoning. It’s unclear whether the spammers deliberately changed the content after a certain amount of time to make the malware harder to investigate, or because they’ve infected enough people and now just want people to buy Viagra, or whether they’ve worked out it’s me again and don’t want to show me the malware, or if they’re simply changing the page to mix things up a bit.

Something interesting to note in passing is that in this new code, they’re intending to hide the SEO keywords by putting them inside a hidden “span” element. However, in a mistake that can only be described as Freudian, they’ve enclosed them in a “spam” element instead. Rather than hide their intentions, they’ve made them even clearer.

Obviously you can’t rely on the chance that the malware redirection isn’t active though – this campaign isn’t just trying to get you to buy Viagra, it’s also trying to infect you at the same time. Of course all of this is hypothetical anyway, since you would’t have been able to open the attachment to begin with – we detect it as Troj/JSRedir-BO.