An Actual Attempt to Pwn me.
I just received a malicious e-mail, one that really does try to do bad things to my computer. I usually delete these quickly (as you should), but this one I'm going to dissect, so you can get an idea of what criminals are doing nowadays, technology-wise.
First, the most important aspect of these e-mails is human gullibility. The e-mail starts with "Notice to appear" and has the following text:
"This is to inform you to appear in the Court on the May 24 for your case hearing.
You are kindly asked to prepare and bring the documents relating to the case to Court on the specified date.
Note: The case may be heard by the judge in your absence if you do not come."
Second: you are tricked into opening an attachment. The attachment is malicious; I will go into that later.
At this point you should have deleted the e-mail already. If you wish to verify that it is bogus, you can easily check that (1) there is no police officer outside your door with a warrant, and (2) nothing else. So just go ahead and delete notices like these. The cops will send you a paper letter, not an e-mail.
Going a step further, we can look at the e-mail headers, where we see things like this:
From: "State Court" <firstname.lastname@example.org>
I don't think the state court uses a .com address, do you? If you do think so, perhaps you should look at what shop.denioj.com looks like (go ahead and open that in a browser, it's not malicious or bad). Ahhh, it's a Hong Kong rip-off illegal football paraphernalia website. They just got "joe jobbed": someone is relaying these e-mails illegally through their mail server, that's all.
So no, this isn't in any way legitimate, and they don't even try very hard to conceal it. They're not looking to break into my computer; they are looking to break into gullible people who are not tech savvy. People who panic, click the attachment.
Alright, so what's in the attachment: "00560291.zip"?
Smart move by these guys: don't directly attach an executable file, which would surely set off virus scanners. So there's a zip file; you have to open it and extract it, which potentially takes you out of Gmail or Outlook. The extra step is meant to distract you and make you uncomfortable if you're not computer literate.
Now, most virus scanners actually look inside zip files and scan the files in there, so a bad executable in there will be found as well. So criminals like these come up with alternate ways to obfuscate their payload and avoid scanning software.
In this case, the zip file contains a file named "00560291.doc.js".
Windows, by default (presumably to make sure people keep paying $20 for PowerArchiver 2000; and if my condescending tone is taking it too far, please stop reading, or pretend that this is narrated either by Morgan Freeman to soothe your experience, or Joe Pesci if you prefer a more absurdist colorization), hides known file extensions from the user, so this file shows up for most computer users as "00560291.doc". And of course they want you to double-click it, right? Yes? Double-clicking a .js file on Windows does not open it in a browser: it hands the file to Windows Script Host (wscript.exe), which runs it with your user's privileges and your user's access to your files.
So what's in the script? Let's dig a step deeper:
A few thousand lines like these. It's called obfuscation: the code underneath is probably simple, but it has been made really hard for humans to read. The point isn't to hide who wrote it; it's to make the file look different from whatever the virus scanner has a signature for, and to make anyone who does look inside give up. Off-the-shelf obfuscation software makes this trivially cheap, so everyone does it.
Let's go and scan through this a bit deeper then:
Ahh, they're stuffing a bunch of stuff into a variable, and then
which ends up, thus, calling `eval` on `q89`. Presumably the bad code is in `q89`, and that is then executed. Neat.
Now, I could try to de-obfuscate all of this by hand, or I can just execute the code and see what it does. But it would be kind of dumb to do that on my own PC. Fortunately, there are plenty of online sandbox tools around that you can use to execute code safely, away from your own system.
After taking away the eval, and just dumping the contents of q89, we get: http://pastebin.com/A4KsPCaE
(Am I a leet hacker for posting malware on pastebin, or what?)
Now, one can read the text there to get a good idea of what is going on, or just read my excellent summary:
If that code runs on your computer with access to your data files (meaning you ran it on your normal desktop, as your normal user), then it downloads a small executable that encrypts all your files and sends the secret key to a bunch of servers on the internet that the attackers presumably control.
The attackers then wait for you to pay the bitcoin fee, and then send you the decryption code so that you can access your files again. The price is about $230, which isn't that much, actually; apparently they make more money by setting it low enough that most people can stomach paying it rather than high enough to scare them off.
I'd like to stress the following parts of the script:
fp.WriteLine(" - If you do not pay in 3 days YOU LOOSE ALL YOUR FILES.");
fp.WriteLine(" - Nobody can help you except us.");
fp.WriteLine(" - It`s useless to reinstall Windows, update antivirus software, etc.");
fp.WriteLine(" - Your files can be decrypted only after you make payment.");
fp.WriteLine(" - You can find this manual on your desktop (DECRYPT.txt).");
This isn't entirely true. There are fortunately tools out there that can decrypt the files of many variants of this ransomware (it depends on the encryption used, and on whether the authors got it wrong), but as a rule the claim holds: you're likely out of luck trying to decrypt your files yourself. The defense that actually works is a backup the script can't reach, made before it runs.
I hope you enjoyed this deep dive into the terribly shallow web. This malware isn't brilliant, not by far; it's actually one of the simplest I've seen in a long time.
Make sure you don't fall for them, and educate your friends and coworkers. If you are the person who regularly shares hoaxes and internet scares, you can repent by sharing this with your friends; I won't mind a bit.