LogMeIn.com SSL certificate has been suspended – Malware

23 01 2013

I have been a little behind with updating this blog, mainly due to work & family commitments, but it's also because I have been making my way through the book “Practical Malware Analysis” and had set up a sandpit in which to play around with some fun new toys to analyze executable files. Huge thanks to No Starch Press – do yourself a favour & get hold of a copy of it: http://nostarch.com/malware

So there I was, happily reading email, when I received one that said my LogMeIn.com SSL certificate had been suspended….. My initial thought was WTF? I don't have a LogMeIn.com SSL certificate. After opening the mail, seeing the alert that Google had kindly provided & then viewing the source of the email, seeing that it links to a zip file, my spidey sense was on full alert….

LogMeIn.com SSL Cert Email

So off to the google I went & sure enough, the first couple of hits are LogMeIn “Investigating” and a Threat alert from Cisco.

The first thing I notice is that it appears to be distributed, in that it's not just one email server sending these messages.

My Email (62.149.131.234 & 62.149.158.121)

Return-Path: <me@localhost.com>
Received: from smtpsmart1.aruba.it (smtpweb121.aruba.it. [62.149.158.121])
by mx.google.com with SMTP id g49si29182110eep.242.2013.01.22.04.34.13;
Tue, 22 Jan 2013 04:34:13 -0800 (PST)
Received-SPF: neutral (google.com: 62.149.158.121 is neither permitted nor denied by best guess record for domain of me@localhost.com) client-ip=62.149.158.121;
Authentication-Results: mx.google.com;
spf=neutral (google.com: 62.149.158.121 is neither permitted nor denied by best guess record for domain of me@localhost.com) smtp.mail=me@localhost.com
Received: (qmail 9120 invoked by uid 89); 22 Jan 2013 12:34:12 -0000
Received: by simscan 1.2.0 ppid: 5136, pid: 8683, t: 1.6385s
scanners: clamav: 0.88.4/m:40/d:1945 spam: 3.1.4
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
smtpsmart1.fe.aruba.it
X-Spam-Level: *****
X-Spam-Status: No, score=5.2 required=6.5 tests=BAYES_50,HTML_IMAGE_ONLY_20,
MIME_HTML_ONLY,RDNS_NONE,SPF_FAIL autolearn=disabled version=3.2.5
Received: from unknown (HELO webs1224.aruba.it) (62.149.131.234)
by smtpsmart1.fe.aruba.it with SMTP; 22 Jan 2013 12:34:10 -0000
Received: from webs1224 ([127.0.0.1]) by webs1224.aruba.it with Microsoft SMTPSVC(6.0.3790.4675);
Tue, 22 Jan 2013 13:33:35 +0100

From the LogMeIn.com post (80.67.28.160)

X-Msg-Ref: server-9.tower-85.messagelabs.com!1358859129!34525498!1
X-Originating-IP: [80.67.28.160]
X-SpamReason: No, hits=1.8 required=7.0 tests=HTML_60_70,
HTML_IMAGE_ONLY_20,HTML_MESSAGE,MIME_HTML_ONLY,ML_RADAR_SPEW_LINKS_18,
spamassassin:
X-StarScan-Received:
X-StarScan-Version: 6.7; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 10352 invoked from network); 22 Jan 2013 12:52:10 -0000
Received: from charybdis.ispgateway.de (HELO charybdis.ispgateway.de)
(80.67.28.160)  by server-9.tower-85.messagelabs.com with SMTP; 22 Jan 2013
12:52:10 -0000
Received: (qmail 17828 invoked from network); 22 Jan 2013 12:51:49 -0000
Received: from unknown (HELO charybdis.ispgateway.de) (127.0.0.1)  by
localhost with SMTP; 22 Jan 2013 12:51:49 -0000
Received: (from u195401@localhost)      by charybdis.ispgateway.de
(8.14.4/8.13.6/Submit) id r0MCpWg0016765;      Tue, 22 Jan 2013 13:51:32 +0100
Date: Tue, 22 Jan 2013 13:51:32 +0100
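To make the hop reading above repeatable, here is an added Python example (mine, not the post author's) that parses the first header block with the standard library, lists the Received hops origin-first, picks out the externally routable relay IPs, and pulls the SPF verdict and SpamAssassin tests. The header text is the page's own, re-folded with the leading whitespace on continuation lines that the blog copy lost.

```python
import re
import ipaddress
from email import message_from_string

# First header block quoted in the post, trimmed to the hop-relevant lines and
# re-folded with the leading whitespace RFC 5322 continuation lines require.
SAMPLE_HEADERS = """\
Return-Path: <me@localhost.com>
Received: from smtpsmart1.aruba.it (smtpweb121.aruba.it. [62.149.158.121])
 by mx.google.com with SMTP id g49si29182110eep.242.2013.01.22.04.34.13;
 Tue, 22 Jan 2013 04:34:13 -0800 (PST)
Received-SPF: neutral (google.com: 62.149.158.121 is neither permitted nor denied by best guess record for domain of me@localhost.com) client-ip=62.149.158.121;
Received: (qmail 9120 invoked by uid 89); 22 Jan 2013 12:34:12 -0000
X-Spam-Status: No, score=5.2 required=6.5 tests=BAYES_50,HTML_IMAGE_ONLY_20,
 MIME_HTML_ONLY,RDNS_NONE,SPF_FAIL autolearn=disabled version=3.2.5
Received: from unknown (HELO webs1224.aruba.it) (62.149.131.234)
 by smtpsmart1.fe.aruba.it with SMTP; 22 Jan 2013 12:34:10 -0000
Received: from webs1224 ([127.0.0.1]) by webs1224.aruba.it with Microsoft SMTPSVC(6.0.3790.4675);
 Tue, 22 Jan 2013 13:33:35 +0100
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Peer IP lives in the from-clause; scanning the whole header would also match the dotted SMTP id.
HOP = re.compile(r"\s*from\s+(\S+)(.*?)\bby\s+(\S+)", re.S)

def analyse_headers(raw):
    msg = message_from_string(raw)
    hops = []
    # Each MTA prepends its Received line, so reverse to read origin first.
    for value in reversed(msg.get_all("Received", [])):
        m = HOP.match(value)
        if not m:  # MTA-internal hop (qmail, simscan): no remote peer to record
            continue
        ips = IPV4.findall(m.group(2))
        hops.append({"helo": m.group(1), "ip": ips[0] if ips else None,
                     "by": m.group(3).rstrip(";")})
    external = [h["ip"] for h in hops
                if h["ip"] and ipaddress.ip_address(h["ip"]).is_global]
    spf = (msg.get("Received-SPF") or "none").split()[0].lower()
    tests = []
    m = re.search(r"tests=(.*)", msg.get("X-Spam-Status", ""), re.S)
    if m:  # the tests list folds across lines; rejoin before splitting on commas
        tests = (re.sub(r",\s+", ",", m.group(1)).split() or [""])[0].split(",")
    flags = sorted(t for t in tests if t in {"SPF_FAIL", "RDNS_NONE"})
    return {"hops": hops, "external_ips": external, "spf": spf,
            "spam_tests": tests, "flags": flags}

if __name__ == "__main__":
    for key, val in analyse_headers(SAMPLE_HEADERS).items():
        print(key, val)
```

The two global addresses it returns are the 62.149.131.234 and 62.149.158.121 relays called out above; the 127.0.0.1 hop is the local submission on webs1224 and is dropped from that list.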

So anyway, back to the content: the link in the email to download a new SSL certificate is actually a link to a ZIP file. Note that the site is now requesting a login to get to the link.

http:/ / www [dot] austinpolishsociety [dot] org/bod/ssl_cert_logmein.zip

This ZIP file contains one file, ssl_cert_logmein.scr:

root@bt:~/BADFILES/LogMeIn-SSL# unzip -l ssl_cert_logmein.zip
Archive:  ssl_cert_logmein.zip
Length      Date    Time    Name
---------  ---------- -----   ----
324608  2013-01-22 03:38   ssl_cert_logmein.scr
---------                     -------
324608                     1 file
root@bt:~/BADFILES/LogMeIn-SSL# file ssl_cert_logmein.scr
ssl_cert_logmein.scr: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
root@bt:~/BADFILES/LogMeIn-SSL# md5sum ssl_cert_logmein.scr
dc2b9b72189957c8d3ce9d15d0f35bf1  ssl_cert_logmein.scr

Another quick google & we see that this file has already hit the malware & virus check sites malwr.com and VirusTotal.

So even without executing this guy, I can already tell it's neither my “expired SSL cert” nor is it a screen saver (per the .scr file extension).

I plan to run this in a sandbox & see what else I can find. Several sites are reporting it phones home, and VirusTotal is flagging it as Zeus / Zbot – so remote control and/or banking credential capture…. nasty little bugger.

Interestingly, when I downloaded the zip & scanned it with MS Security Essentials, no virus was reported….. wonder how long it will take to get a sig down for it.
