Today we will be reviewing a cybercriminal’s recipe for success:
- Hacking LinkedIn’s password (and possibly user-) database.
- Sending an email to every address obtained, urging the recipient to check their LinkedIn inbox as soon as possible.
- A user unwittingly clicking on the link.
- An exploit gets loaded. Malware gets dropped. Malware gets executed.
- User’s computer is now a zombie (part of a botnet).
I was forwarded an email that appeared to come from LinkedIn. The email invited you to check your LinkedIn inbox. As you know, LinkedIn was hacked some time ago and passwords were compromised in that attack. I believe, however, that (part of) the user database was breached as well.
If we look at the “To” and “CC” fields of this email, we see about 100 other recipients. A quick look-up of a few of them on LinkedIn reveals the inconvenient truth… Here’s the email in question:
Subjects of this email might be:
“Relationship LinkedIn Mail”, “Communication LinkedIn Mail”, “Link LinkedIn Mail” or “Urgent LinkedIn Mail”. No doubt the subjects of this email will vary, and are not limited to these four.
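The three things that give this email away can all be checked mechanically: a "personal" inbox notification addressed to a long To/CC list, a subject of the shape “<word> LinkedIn Mail”, and links whose visible text names linkedin.com while the href points somewhere else. The following Python script is an added example (it is not code from the original post or from Panda); it parses a constructed sample message (addresses, URLs and body are made up, as are the recipient threshold and the scoring rule) and reports those indicators.

```python
import re
from email import message_from_string
from email.utils import getaddresses
from urllib.parse import urlparse

# Constructed sample message for this example; the addresses, URL and body are
# made up and are not taken from the email described in the post.
SAMPLE_EML = """\
From: LinkedIn <messages-noreply@linkedin.com>
To: alice@example.com, bob@example.com, carol@example.com, dave@example.com
Cc: erin@example.com, frank@example.com, grace@example.com
Subject: Urgent LinkedIn Mail
Content-Type: text/html; charset="utf-8"

<html><body>
<p>You have 1 new message waiting in your LinkedIn inbox.</p>
<p><a href="http://198.51.100.23/inbox/index.php">http://www.linkedin.com/inbox</a></p>
<p><a href="http://www.linkedin.com/help">Help</a></p>
</body></html>
"""

# Subjects seen in the post follow the shape "<word> LinkedIn Mail".
SUBJECT_RE = re.compile(r"^\w+ LinkedIn Mail$", re.IGNORECASE)
HREF_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)
LEGIT_DOMAINS = ("linkedin.com",)
# Assumption: a genuine inbox notification is addressed to one person, so a
# long To/Cc list is itself a mass-mailing indicator. Tune for your environment.
RECIPIENT_THRESHOLD = 5


def host_is_legit(url):
    """True when the URL's host is the legitimate domain or a subdomain of it."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def html_parts(msg):
    """Yield decoded text/html bodies from a single-part or multipart message."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True)
            yield payload.decode(part.get_content_charset() or "utf-8", "replace")


def triage(raw):
    """Score a raw RFC 822 message for the three indicators described above."""
    msg = message_from_string(raw)
    recipients = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    subject = msg.get("Subject", "")

    suspicious_links = []
    for body in html_parts(msg):
        for href, text in HREF_RE.findall(body):
            visible = re.sub(r"<[^>]+>", "", text).strip()
            # A link whose visible text names the real site but whose href goes
            # elsewhere is the classic lure; a bare off-domain link is also noted.
            if not host_is_legit(href):
                reason = "text/href mismatch" if "linkedin" in visible.lower() else "off-domain link"
                suspicious_links.append((href, reason))

    findings = []
    if len(recipients) >= RECIPIENT_THRESHOLD:
        findings.append("mass-mailed: %d recipients in To/Cc" % len(recipients))
    if SUBJECT_RE.match(subject):
        findings.append("subject matches '<word> LinkedIn Mail' pattern")
    for href, reason in suspicious_links:
        findings.append("%s: %s" % (reason, href))
    # Assumption: two or more independent indicators is enough to hold the mail.
    return {"recipients": len(recipients), "findings": findings,
            "verdict": "suspicious" if len(findings) >= 2 else "clean"}


if __name__ == "__main__":
    for line in triage(SAMPLE_EML)["findings"]:
        print(line)
```

Run against a mailbox export, the same `triage()` call can be applied to every `.eml` file; the link check is the one that survives subject variation, since the lure always has to point at the attacker's page.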
Step 1 and step 2 of the cybercrook’s scheme are already fulfilled. Now he just has to wait until someone clicks on one of the links, which brings us to step 3.
Suppose someone clicks on the link. What exactly will happen? This depends on the versions of these programs that may be installed on your computer:
- Adobe Reader
In some cases, your browser will crash. In other cases, the page will just appear to sit there and nothing happens. In the unfortunate cases, the exploit will begin doing its work. As mentioned earlier, a mix of Adobe and Java exploits is used.
In this case, we will review the specific Adobe exploit. We will check with Process Explorer what exactly is happening:
What’s this? There’s an Adobe Reader process loaded under our Internet Explorer? It seems to spawn a .dll file, which in turn spawns another file… Okay, you get the point here. Your machine is executing malware and is in the process of being infected.
You might get the following message from Adobe Reader, stating it has crashed (this is due to the exploit):
After the user clicks OK, everything looks fine. Right? No, of course not. Ultimately, there’s a malicious executable which will start every time the computer boots.
The exploits most likely come from the Blackhole exploit kit. The exploits in question are:
- Unknown (at this point) Adobe Reader exploit
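The Process Explorer view described above is a process tree, and that tree is exactly what an endpoint sensor can alert on: a document reader that was started by a browser should not be spawning further processes, let alone an executable dropped into a user-writable folder. The following Python script is an added example (not code from the original post or from Panda); it runs that rule over constructed process-creation records shaped like EDR or Sysmon events. The process names, PIDs and paths are invented, and the assumption that the “.dll file” is hosted by rundll32.exe is mine, not the post's.

```python
from collections import defaultdict

# Constructed process-creation records for this example (not the Process Explorer
# view from the post). Field names mirror what an EDR or Sysmon event would give you.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"pid": 300, "ppid": 200, "image": r"C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe"},
    # Assumption: the ".dll file" in the post is hosted by rundll32.exe; the
    # dropped executable name and path are invented for the example.
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\rundll32.exe"},
    {"pid": 500, "ppid": 400, "image": r"C:\Users\victim\AppData\Local\Temp\kb00123.exe"},
    # Benign control case: the user opened a PDF from Explorer, no children.
    {"pid": 600, "ppid": 100, "image": r"C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe"},
]

BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe"}
DOCUMENT_READERS = {"acrord32.exe", "acrobat.exe"}
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_user_writable(path):
    """Heuristic: paths a non-admin user can write to are where droppers land."""
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def build_tree(events):
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e["pid"])
    return by_pid, children


def ancestors(pid, by_pid):
    """Yield the image names of pid's ancestors, nearest first."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid]["ppid"]
        if pid in by_pid:
            yield basename(by_pid[pid]["image"])


def descendants(pid, children):
    """Return all descendant pids of pid, depth-first."""
    stack, out = list(children[pid]), []
    while stack:
        c = stack.pop()
        out.append(c)
        stack.extend(children[c])
    return out


def detect(events):
    """Alert on browser -> document reader -> child process chains."""
    by_pid, children = build_tree(events)
    alerts = []
    for e in events:
        if basename(e["image"]) not in DOCUMENT_READERS:
            continue
        if not any(a in BROWSERS for a in ancestors(e["pid"], by_pid)):
            continue  # reader opened by the user, not by a web page
        kids = descendants(e["pid"], children)
        if not kids:
            continue  # a browser-launched reader with no children is normal
        chain = [basename(by_pid[p]["image"]) for p in [e["pid"]] + kids]
        severity = "high" if any(is_user_writable(by_pid[p]["image"]) for p in kids) else "medium"
        alerts.append({"reader_pid": e["pid"], "chain": chain, "severity": severity})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert["severity"], " -> ".join(alert["chain"]))
```

The control case (PID 600) matters as much as the hit: a reader started from Explorer or from a mail client's attachment handler is daily business, so the rule keys on the browser ancestor plus the unexpected children rather than on Adobe Reader alone.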
Step 3 and 4 have also been accomplished now. The user clicked on the link, the exploit(s) got loaded and the user is now infected.
The IPs above (126.96.36.199 in particular) are part of a known botnet. The IPs are used to receive new instructions from the bot herder or to download additional malware.
After all 4 steps have been executed, step 5 of the process is completed as well and the machine is now part of a botnet, in particular the Zeus botnet.
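An infected machine has to reach those addresses to fetch instructions, so the outbound firewall or proxy log is where a defender confirms which hosts were actually compromised. The following Python script is an added example (not code from the original post or from Panda): it matches constructed firewall log lines against a small C2 list containing the address named above plus a placeholder documentation network, and flags source hosts whose contacts recur at a regular interval. The log format, the timestamps, the internal addresses, the 203.0.113.0/24 placeholder and the regularity threshold are all assumptions of this example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Known C2 addresses: the one named in the post plus a constructed placeholder
# block from the documentation range (not a real indicator).
C2_BLOCKLIST = [ipaddress.ip_network(n) for n in ("126.96.36.199/32", "203.0.113.0/24")]

# Constructed firewall log lines for this example; hosts and timestamps are made up.
LOG_LINES = """\
2012-06-25T10:00:00 src=10.0.0.5 dst=93.184.216.34 dport=80 action=allow
2012-06-25T10:00:07 src=10.0.0.5 dst=126.96.36.199 dport=80 action=allow
2012-06-25T10:05:07 src=10.0.0.5 dst=126.96.36.199 dport=80 action=allow
2012-06-25T10:10:08 src=10.0.0.5 dst=126.96.36.199 dport=80 action=allow
2012-06-25T10:15:07 src=10.0.0.5 dst=126.96.36.199 dport=80 action=allow
2012-06-25T10:12:30 src=10.0.0.9 dst=203.0.113.77 dport=443 action=allow
2012-06-25T10:20:00 src=10.0.0.7 dst=93.184.216.34 dport=443 action=allow
""".splitlines()

LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+) action=(\w+)$")


def is_c2(ip):
    """True when ip falls inside any listed C2 address or network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in C2_BLOCKLIST)


def parse(lines):
    """Yield (timestamp, src, dst, dport, action) for every well-formed line."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        ts, src, dst, dport, action = m.groups()
        yield datetime.fromisoformat(ts), src, dst, int(dport), action


def analyse(lines, min_hits=3, max_jitter=0.2):
    """Group C2 contacts per (src, dst) and flag regular check-in intervals."""
    contacts = defaultdict(list)
    for ts, src, dst, dport, action in parse(lines):
        if is_c2(dst):
            contacts[(src, dst)].append(ts)

    report = []
    for (src, dst), stamps in contacts.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        beaconing = False
        if len(stamps) >= min_hits:
            avg = mean(gaps)
            # Assumption: a coefficient of variation of 20% or less over the
            # inter-contact gaps is treated as an automated check-in.
            beaconing = avg > 0 and pstdev(gaps) / avg <= max_jitter
        report.append({"src": src, "dst": dst, "hits": len(stamps), "beaconing": beaconing,
                       "first_seen": stamps[0].isoformat(), "last_seen": stamps[-1].isoformat()})
    return sorted(report, key=lambda r: (-r["hits"], r["src"]))


if __name__ == "__main__":
    for row in analyse(LOG_LINES):
        print(row)
```

Even a single hit is worth a look, since the first contact is the malware download itself; the beaconing flag just separates the hosts that are now taking orders from the ones that were blocked after one attempt.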
Today’s lesson is a very important one and is one of the basics of security:
PATCH, PATCH, PATCH, people! Keep ALL of your software up to date! This means Adobe and Java, but don’t forget other software, for example VLC, Windows Media Player… You get the picture.
This also includes installing your Windows patches and keeping your browser up to date, as well as any plugins or add-ons you might have installed.
If possible, avoid using Adobe Reader and/or Java. There are other (also free) alternatives on the market.
Finally, use an up-to-date antivirus product to keep your machine safe should you not have done any patching. Several of Panda’s products use heuristics to determine whether an exploit is being loaded on the system or a process is being injected into another process.