UPS Scam Email Links to Black Hole

Here we see a fake UPS email suggesting that a package has arrived.

Recipients of this scam email may be inclined to click on one or both of the links. The first link does go to ups.com. The second leads the recipient to an exploit kit.

A common, innocent-looking 404 page not found error appears. Oh well, I guess the link is broken…

Not quite. The page is in fact rigged to deliver malware. Look closely and you’ll even see the iframes embedded on the page. Viewing the source code reveals the ugly truth.

The bottom part of the page holds the script that converts the seemingly random characters above into malicious content.

Most of the code is nonsense that merely tries to make the script look innocent (or it could be a way to evade JavaScript analyzers, which I didn’t pursue).

The function “createCSS” and the middle portion with the for..loop that calls it store the value “va” in a variable, which is combined later to form “eval”. It also arranges to have “String.fromCharCode” stored in a variable for later use. The real meat is the portion at the very bottom, and it is here that the exploit kit author has done something very interesting…

The variable “zueiw” is assigned “eval(‘eval’);”. Evaluating the string “eval” simply returns the native eval function itself, so “zueiw” becomes:

function eval() {
[native code]
}

The next line assigns the strange-looking values that dominate the page’s source code to the “aa” variable. This is then passed to the eval function above with a left and right bracket wrapped around it, so the whole string is evaluated as one array of numbers. This transforms “v*6.25,v*6.9375,v*6.1875,v*7.3125…” into “100,111,99,117…” WTF?!? It’s magic!

Not magic. But clever programming!

A couple of lines up from there are these two lines:

eeq = new Date(2010,11,3,2,21,4);
v=eeq.getSeconds() * 4;

The seconds field of that date is 4, so the variable “v” holds 16. The eval function then evaluates v*6.25 (or 16 x 6.25) to 100, v*6.9375 to 111, and so on for every element of the array.

The for..loop at the very end of the script then converts the decimal values to ASCII characters (100, 111, 99, 117 become “docu”) and, when it is all put together, results in the following:
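To make the decoding step concrete, here is an added example in JavaScript. It is not the page’s script and not the kit’s own code: it reproduces the three pieces described above (the Date-derived key, the “v*<number>” list and the fromCharCode loop) as a static decoder that never calls eval, and adds a small heuristic that flags scripts with this shape. The function names, the constructed sample script, the helper names “sfc”, “bb” and “cc”, and the innocuous stand-in payload are all assumptions for illustration; only the Date arguments, the “* 4” multiplier, the variable names “eeq”, “v”, “zueiw” and “aa”, and the first four “v*” values come from the page.

```javascript
// Added example: a static decoder for the "v*6.25,v*6.9375,..." trick
// described above, plus a heuristic that flags scripts with that shape.
// Nothing here calls eval(); the arithmetic the kit delegates to eval is
// reproduced by hand so the payload can be read without executing it.

// Key derivation as on the page: v = new Date(2010,11,3,2,21,4).getSeconds() * 4.
// Only the seconds field matters, so the rest of the date and the time zone are irrelevant.
function deriveKey(year, month, day, hour, minute, second, multiplier) {
  const d = new Date(year, month, day, hour, minute, second);
  return d.getSeconds() * multiplier; // 4 * 4 = 16 for the page's values
}

// Parse a comma-separated list of "v*<number>" expressions into characters.
// Each token is matched strictly; anything else is rejected rather than evaluated,
// which is the point of decoding statically instead of handing the string to eval.
function decodeMultiplied(encoded, v) {
  const tokens = encoded.split(',').map(t => t.trim()).filter(t => t.length > 0);
  let out = '';
  for (const tok of tokens) {
    const m = /^v\*(\d+(?:\.\d+)?)$/.exec(tok);
    if (!m) throw new Error(`unexpected token, not v*<number>: ${tok}`);
    out += String.fromCharCode(Math.round(v * parseFloat(m[1])));
  }
  return out;
}

// The inverse, used only to build a constructed sample: each char code becomes
// code / v, so with v = 16 'd' (100) is written as v*6.25, exactly as on the page.
function encodeMultiplied(text, v) {
  return Array.from(text, ch => `v*${ch.charCodeAt(0) / v}`).join(',');
}

// Heuristic for the obfuscation shape seen here: eval('eval'), a key derived
// from getSeconds(), a stashed String.fromCharCode, and a long run of v*<float>
// tokens. Requiring three of the four indicators keeps the check conservative.
function looksLikeMultipliedCharcodes(source) {
  const indicators = {
    evalOfEval: /eval\(\s*['"]eval['"]\s*\)/.test(source),
    secondsKey: /getSeconds\(\)\s*\*\s*\d+/.test(source),
    fromCharCode: /fromCharCode/.test(source),
    multipliedRun: (source.match(/\bv\*\d+(?:\.\d+)?/g) || []).length >= 20,
  };
  const score = Object.values(indicators).filter(Boolean).length;
  return { score, indicators, suspicious: score >= 3 };
}

// Constructed sample (an assumption, not the real malicious page): an innocuous
// stand-in for the injected markup, wrapped in a script shaped like the one
// described above. example.invalid is a reserved name that never resolves.
const SAMPLE_KEY = deriveKey(2010, 11, 3, 2, 21, 4, 4);
const SAMPLE_PLAINTEXT =
  'document.write("<iframe src=\\"http://example.invalid/404.html\\" width=1 height=1></iframe>")';
const SAMPLE_ENCODED = encodeMultiplied(SAMPLE_PLAINTEXT, SAMPLE_KEY);
const SAMPLE_SCRIPT = [
  'eeq = new Date(2010,11,3,2,21,4);',
  'v=eeq.getSeconds() * 4;',
  "zueiw = eval('eval');",
  'sfc = String.fromCharCode;',
  `aa = "${SAMPLE_ENCODED}";`,
  'bb = zueiw("[" + aa + "]"); cc = ""; for (i = 0; i < bb.length; i++) cc += sfc(bb[i]);',
].join('\n');

console.log(decodeMultiplied('v*6.25,v*6.9375,v*6.1875,v*7.3125', SAMPLE_KEY)); // docu
console.log(decodeMultiplied(SAMPLE_ENCODED, SAMPLE_KEY) === SAMPLE_PLAINTEXT);  // true
console.log(looksLikeMultipliedCharcodes(SAMPLE_SCRIPT));
```

Because 16 is a power of two, every character code divided by it is an exact binary fraction, which is why the page’s multipliers (6.25, 6.9375, 6.1875, 7.3125) have at most four decimal places and why the multiplication recovers the codes exactly; the Math.round is only there to absorb a key that is not a power of two. The decoder deliberately refuses any token that is not literally “v*<number>”, so a string that smuggles in a function call fails loudly instead of being evaluated.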

The Black Hole Exploit Kit is quite popular with hackers, and its widespread use is evidence of that. The current version appears to be 1.1.0.

The exploits include:
* MDAC – IE 5-6, Windows 98/ME, 2000, 2003, XP
* HCP – IE 7-8, Windows 2000, XP
* PDF – Acrobat Reader v. 6-9.2, works on all browsers
* PDF LibTiff – Acrobat Reader v. 8-9.3, works on all browsers (bypasses ASLR + DEP)
* Java SMB – Windows 2000, 2003, XP, Vista, 7, all browsers
* Java OBE – Windows 2000, 2003, XP, Vista, 7, all browsers
* Java TRUST – All browsers
* Java SKYLINE – IE

Here’s a shot of the statistics page:

Annual License: $ 1,500
Semiannual License: $ 1,000
3-month License: $ 700
Rent for one month: $ 500
Rent for one week: $ 200

This entry was posted in Exploit Packs, Malscript.

4 Responses to UPS Scam Email Links to Black Hole

  1. bastik says:

    Always the same:
    – a faked email
    – an iframe
    – and JavaScript (which seems to be the most critical part of the whole exploit, besides the exploits themselves)

    If possible, disable JavaScript (use Opera or FF with NoScript).

    I also recommend disabling Java in the browser if you have Java installed because you need it to run Java apps locally but do not use any online service that uses Java.

    Also, change from Adobe Reader to any other PDF viewer and disable JavaScript and the execution of executable files. You may even consider whether you need to view PDFs in your browser at all, since it’s harder to convince you to open a PDF.

    Thank you for your work.

  2. bastik says:

    Does anyone think it’s possible to analyze JavaScript on the fly?

    In order to create an extension for some browsers.

    Most of the obfuscated JavaScript code looks very strange to me, and if I needed to approve each script before it runs I would refuse to run most of them. (Although I might have run the “color code” script.)

    I don’t see any legitimate purpose for using “v*6.25,v*6.9375,v*6.1875,v*7.3125…”; some tool might detect such stuff (along with all the other stuff you posted before) and skip/disable the script before it gets executed.

  3. daigoume says:

    It’s really a nice and helpful piece of information. I’m glad that you shared this helpful info with us. Please keep us informed like this. Thanks for sharing.

  4. Ben O says:

    Like Perl, VBS or any other scripting language, the underlying execution of functions with specific orders will always be picked up by a SMART heuristic scanner, if it has all of the correct reverse engineering functions.

    As we all learnt with Perl, it can usually be decrypted with a simple command; although with JavaScript we can’t apply this, we will always be able to un-obfuscate code.

    Bastik,

    running a FULL heuristic check, or even a pass on and/or filtering of every remote JavaScript file, could be insane if you look at msn.co.uk (for example). My advice to everyone out there: grab a smart DNS service, such as OpenDNS! They link into various malware databases and notably blacklist any flagged domains by blocking your access.

    Newly sprung domains with 0days will ALWAYS be a problem; as malware evolves we will clearly see our methods of defence evolve as well (The Arms Race).
