Fake LinkedIn Invitations Serving Spam & BlackHole Exploit

In the past week or so I received spammy emails purporting to LinkedIn invitations sent from LinkedIn. They were immediately marked as spam by my junk mail filter. This was unsurprising since they were sent to a large number of people and contained spammy links.


The actual HTML message is a very crude attempt to copy the format of a LinkedIn invitation to connect message.

Aside from the fact that there are multiple recipients, the from field has a totally different email address - this should be members@linkedin.com and it says "This message was sent to username@domain.com". I received a second email but with a different name and link a few days later. 

With the HTML turned off you can see the links point to another domain.

Here's an excerpt from the headers:

Note the part that says "X-PHP-Script: some.domain/sendmail.php for 187.18.253.234" - it seems the spammers/cybercriminals compromised the site some.domain (obviously this is not the actual name of the domain) and used it to send the spam. You may have noticed that there is a timestamp in the CC field , this matches the Date field in the headers so I assume this was introduced by the script used to send the email.

In case you're wondering that IP belongs to an residential ISP in Brazil:

$ whois -h asn.shadowserver.org 'origin 187.18.253.234'

[Querying asn.shadowserver.org]

[asn.shadowserver.org]

28270 | 187.18.248.0/21 | Videomar | BR | - | VIDEOMAR REDE NORDESTE S/A

Back to the link in the email:

hxxp://<HACKED-SITE>/wp-content/themes/toolbox/wp-secure.php?c002

This pointed to a Wordpress based site for an accounting firm. The compromised Wordpress installation was serving up hidden iframes with a Google URL shortener link then redirects to malicious sites or 'online pharmacies'.

On my first attempt to retrieve the URL using curl I was redirected to microsoft.com but after adding a different User-Agent string and appropriate headers you would see with a real browser, I was redirected to another suspicious URL:

 HTTP/1.1 302 Found

< Date: Tue, 12 Mar 2013 12:29:01 GMT

< Server:

< X-Powered-By: PHP/5.2.17

< Location: hxxp://<RANDOM-HOST>.ikwb.COM/closest/<RANDOMSTRING>.php

< X-Powered-By: PleskLin

< Content-Length: 0

< Connection: close

< Content-Type: text/html

Looking up the A record for ikwb.com reveals that the domains is using Dynamic DNS from changeip:

$ dig a <RANDOM-HOST>.ikwb.COM

;; QUESTION SECTION:

;<RANDOM-HOST>.ikwb.COM.        IN A

;; ANSWER SECTION:

<RANDOM-HOST>.ikwb.COM.  31     IN A     188.93.210.200

;; AUTHORITY SECTION:

ikwb.COM.               164084 IN NS    ns3.changeip.org.

ikwb.COM.               164084 IN NS    ns2.changeip.org.

ikwb.COM.               164084 IN NS    ns1.changeip.org.

So where exactly is 188.93.210.200? We can check this via Team Cymru's whois service.

$ whois -h whois.cymru.com " -v 188.93.210.200 2013-03-12 13:23:01 GMT"

[Querying whois.cymru.com]

[whois.cymru.com]

AS      | IP               | BGP Prefix          | CC | Registry | Allocated  | Info                    | AS Name

49352   | 188.93.210.200   | 188.93.210.0/23     | RU | ripencc  | 2009-05-22 | 2013-03-12 13:23:01 GMT | LOGOL-AS LTD Hosting Service

Hmm...Russia (yes I know Team Cymru's service is a IP to ASN mapping service and doesn't necessarily indicate an IP is in a particular country - but I also looked it up via NeuStar's GeoIP service)

Going back to the suspicious URL hxxp://<RANDOM-HOST>.ikwb.COM/closest/<RANDOM-STRING>.php - this page contained very long lines of obfuscated Javascript code. After running it through a deobfuscater at http://deobfuscatejavascript.com, it appears to uses a legitimate PluginDetect Javascript library to determine the browser you are using and which plugins your browser is running - and then accordingly serves up a exploits from the BlackHole Exploit Kit (confirmed by using Urlquery to scan the URL).

The functions j1 and j2 serve up different Java applet based exploits depending on the version of the Java Runtime you have installed.

Simarily the p1 and p2 functions serve up different urls to exploit different types of vulnerabilities depending on the version of Adobe Acrobat you have installed.

You may have noticed that the URLs have a directory named 'closest' - browsing (this was from a *nix VM - I wouldn't advise doing this with a your physical PC) to this directory I found that it contains a number of PHP scripts (no idea what they do, but it may be covered in the write-up on BlackHole form Sophos, Symantec et al):

The actual exploits are in a separate directory named 'mix':

Changing my .curlrc file to change the MIME types my client advertised changes the exploits and files that are served up. Initially the site only served up Java exploits but adding application/pdf to the Accept header, made the site serve up a malicious PDF.

Using Didier Stevens pdf-parser you can pull up stats on the pdf:

$ ../tools/pdf-parser.py -a 0bb4a.pdf
Comment: 4
XREF: 1
Trailer: 0
StartXref: 0
Indirect object: 26
  11: 52, 6, 18, 19, 20, 21, 22, 28, 31, 32, 48
 /Annot 1: 15
 /Catalog 1: 1
 /EmbeddedFile 6: 41, 42, 99999, 44, 45, 46
 /Font 3: 14, 27, 29
 /FontDescriptor 1: 30
 /Page 1: 8
 /Pages 1: 2
 /Pattern 1: 13


You can then use the --object option to view each of the EmbeddedFile objects:
$ ../tools/pdf-parser.py --object 41 0bb4a.pdf

or use --search to find javascript in the file.

It turned out that 99999 is the one containing Javascript code that sprays shell code on the heap, this can be extracted as follows
$ ../tools/pdf-parser.py --object 99999 --raw --filter 0bb4a.pdf > malcode_in_pdf

The link:

hxxp://<HACKED-SITE>/wp-content/themes/toolbox/wp-secure.php?c002

- redirects to a handful of different malicious URLs on hosts with shady domain names like ikwb.com, mrslove.com, phasingagony.biz, complicatesimageupload.biz. Please do not visit these domains! 

Note the domain registration date for the domain:

$ whois phasingagony.biz

[Querying whois.biz]

[whois.biz]

Domain Name:                                 PHASINGAGONY.BIZ

Domain ID:                                   D53756480-BIZ

Sponsoring Registrar:                        INTERNET.BS CORP.

Sponsoring Registrar IANA ID:                814

Registrar URL (registration services):       www.internet.bs

Domain Status:                               clientTransferProhibited

Registrant ID:                               INTEQMN8ZKMU5Y8K

Registrant Name:                             Amando Brummund

[SNIP]

Created by Registrar:                        INTERNET.BS CORP.

Last Updated by Registrar:                   INTERNET.BS CORP.

Domain Registration Date:                    Fri Mar 15 15:03:27 GMT 2013

Domain Expiration Date:                      Fri Mar 14 23:59:59 GMT 2014

Domain Last Updated Date:                    Fri Mar 15 15:03:27 GMT 2013

Most of the .biz domains no longer exist as it seems the registrar has caught on and suspended the domains:

$ whois phasingagony.biz

Domain Name:                                 PHASINGAGONY.BIZ

Domain ID:                                   D53756480-BIZ

Sponsoring Registrar:                        INTERNET.BS CORP.

Sponsoring Registrar IANA ID:                814

Registrar URL (registration services):       www.internet.bs

Domain Status:                               clientTransferProhibited

Registrant ID:                               INTEQMN8ZKMU5Y8K

Registrant Name:                             Suspended Domain

Registrant Organization:                     Suspended by Registrar