June 03, 2007

Gatling Gun Approach to Infecting Windows PCs
Wow! That is my reaction to a simple email message that managed to get through today. The "wow" factor isn't in what one normally sees if opening the message; rather, it's in the source code for the message.
The body is relatively tiny—a mere 521 characters of HTML code. But here's what that code does:
- Loads an HTML page into a hidden iframe element
- Loads an image file into a hidden img element
- Loads two different HTML pages into two more hidden iframe elements
- Loads another image file, whose URL appends an identifiable numeric code, into another hidden img element (possibly ticking a server access counter if the image were actually retrieved)
- Loads yet another image file, whose URL appends my email address, into yet another hidden img element
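The five loaders listed above share a small set of tells: remote iframes and images sized to zero or one pixel or hidden by CSS, and image URLs that carry a numeric identifier or the recipient's address. The following scanner is an added example, not code from the original post; it walks an HTML body with Python's standard-library parser and reports elements matching those tells. The sample message, its hostnames and the query-string parameter names are constructed for illustration and are not the message or servers the post describes.

```python
"""Flag hidden remote loaders and tracking images in an HTML mail body.

Added example (not from the original post). Standard library only.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed sample mirroring the structure the post lists; hosts and
# parameter names are placeholders, not the real message.
SAMPLE_HTML = """<html><body><p>On dinner table happy secret</p>
<iframe src="http://example-host-1.invalid/a.html" width="0" height="0" style="display:none"></iframe>
<img src="http://example-host-2.invalid/pixel.gif" width="1" height="1">
<iframe src="http://example-host-3.invalid/b.html" style="visibility:hidden"></iframe>
<iframe src="http://example-host-4.invalid/c.html" width="1" height="1"></iframe>
<img src="http://example-host-5.invalid/count.gif?id=12345" width="0" height="0">
<img src="http://example-host-6.invalid/t.gif?e=alice@example.com" style="display:none">
<img src="http://example-host-7.invalid/banner.png" width="468" height="60">
<img src="cid:logo" width="120" height="40">
</body></html>"""

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
EMAIL_RE = re.compile(r"[^@\s/?&=]+@[^@\s/?&=]+\.[a-z]{2,}", re.I)


def _tiny(value):
    """True for a width/height of 0 or 1 (px): classic hidden-loader sizing."""
    if value is None:
        return False
    v = value.strip().lower().rstrip("px").strip()
    return v in ("0", "1")


class HiddenLoaderScanner(HTMLParser):
    """Collects <iframe>/<img> elements that load remote URLs and look hidden
    or carry an identifier in their query string."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "img"):
            return
        a = dict(attrs)
        src = a.get("src", "")
        parsed = urlparse(src)
        if parsed.scheme not in ("http", "https"):
            return  # cid:/data: resources do not reach out to a server
        reasons = []
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden-by-style")
        if _tiny(a.get("width")) and _tiny(a.get("height")):
            reasons.append("zero-or-one-pixel")
        # Query-string values that identify the recipient or a campaign.
        for values in parse_qs(parsed.query).values():
            for v in values:
                if EMAIL_RE.fullmatch(v):
                    reasons.append("email-in-url")
                elif v.isdigit():
                    reasons.append("numeric-id-in-url")
        if reasons:
            self.findings.append(
                {"tag": tag, "host": parsed.hostname, "reasons": reasons}
            )


def scan_html_mail(html):
    """Return a list of findings (tag, host, reasons) for one HTML body."""
    scanner = HiddenLoaderScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def summarize(findings):
    """Count how often each reason fired; handy as a triage score."""
    counts = {}
    for f in findings:
        for r in f["reasons"]:
            counts[r] = counts.get(r, 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_html_mail(SAMPLE_HTML)
    for h in hits:
        print(f"{h['tag']:6} {h['host']:24} {', '.join(h['reasons'])}")
    print(summarize(hits))
```

Run against the constructed sample, the scanner flags all six hidden loaders and ignores both the visibly sized banner and the inline `cid:` logo; a mail filter or a rendering-free triage script can treat any `iframe` hit, or any `email-in-url` hit, as grounds to quarantine the message before a browser or mail client ever fetches the remote resources.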
I started to dig into the un-appended URLs using text-only terminal software to see what these pages served up to the HTML renderer that might normally open such an email message. Within seconds, I was tracing a rat maze of downloaders and obfuscated (but easily deciphered) scripting code. Some were specifically targeting Microsoft Internet Explorer.
Life today is too short to follow all the trails, but this delivery is another example of the ways Bad Guys will attempt multiple attacks as economically (byte size wise) as possible. If the recipient has some patches already installed, one of the other attacks may do the trick. No need to try to get multiple single-attack messages through when one monster attacker stands a better chance of success.
This message, whose Subject: line is very identifiable English nonsense ("On dinner table happy secret"), appears to have been circulating for the past month or so. I found numerous instances of the message having been submitted to message boards and blog comments. Thankfully, many of the message boards display only plain text. But the text message archives include easily clickable links to obtain the HTML—even more deadly because this type of action typically occurs in a web browser, rather than an often more limited email program.
I just took another glance at this message's source code, and I'm left with the same impression: Wow!

Posted on June 03, 2007 at 08:44 PM