You can tell it’s nearing the holidays as many of us start trading virtual greeting cards. One of my colleagues’ boss received an email inviting him to retrieve a virtual greeting card from his friend Mary. The links showed that it belonged to Hallmark Greetings so he was very close to clicking on the link (www.halmark-greetings.com). However, at the last moment he noticed that it was missing an “L” so he paused and then asked for a second opinion.
That missing “L” saved his computer from a likely malware infection.
I went ahead and examined the website and grabbed the source code. It was heavily obfuscated.
Here’s how the page looked like if you did visit the page. Besides the Java applet, there were three textareas with code in them and a 4-digit number which turned out to be very important.
Here’s the entire script that I cleaned up a bit:
The gibberish at the bottom is the obfuscated code. There were about 11,000 characters there so we can safely assume that it is exploit code. The top portion de-obfuscates this gibberish. The key to the de-obfuscation is the 4-digit number between the paragraph tags at the top. Essentially, the script grabbed every 1,113rd character as it looped through all the characters of the gibberish to form the final code.
You can insert the following into the script and grab the output after the de-obfuscation routine. Be sure you comment out the next part as it will execute the code (the “0x65,118,0×61,108” spells EVAL).
document.write(kzklc); //insert here
Here are the results of our de-obfuscation:
By reviewing the code, it is definitely exploit code. Actually it’s several exploits including one for QuickTime, Flash 9.0.x, and Flash 10.0.x. It also calls the IEPeers and MDAC exploit code should the victim’s PC not have these software installed. Depending on your browser, you will get another batch of exploits.
This code exploited Java and Acrobat versions 8.0.0 to 9.3.0 and versions 9.3.1 to 9.3.4.