Our partners at the City of Seattle sent us a warning today about a phishing campaign which targets users very close to home — specifically, Seattle Washington. They’re seeing spam mail circulating that claims to be from Seattle Department of Motor Vehicles, stating that the victim is charged with a traffic offense, and requesting that they fill out a linked form:
Variations of this email are turning up; all of them have similar content and a “check sum” tag line. Only the hyperlink and the time and date of the “offense” changes among iterations of the spam. It’s interesting to note that the “Date of Offense” is in European format (DD/MM/YYYY), which is a strange deviation from the date format used in most of the U.S. (MM/DD/YYYY). So far, we’ve seen the hyperlink point to several recently registered domains.
If the link is visited, the browser requests the page and loads an IFrame from yet another site, which was registered on January 16, 2012 and is hosted in the Ukraine at IP 93.190.44.171. This Ukrainian site contains an obfuscated JavaScript that attempts to exploit an issue in MDAC (Microsoft Security Bulletin MS06-014) that was mitigated by a Windows security update in 2006.
If the exploit is successful, it will download and execute a file named “info.exe” from the domain “doofyonmycolg.ru”. At the time of writing, we detect this file as Worm:Win32/Cridex.B (SHA1: 2f9ccfcf645162856ec92d79fa983e22e1024051). Once the malware is running, it tries to connect to “jahramainso.com” (IP 95.57.120.104, registered January 11, 2012) using SSL. The malware is able to update itself through communicating with the server. At present, this host is serving the exact same file as the malware running on the affected computer (SHA1: 2f9ccfcf645162856ec92d79fa983e22e1024051).
We started seeing reports of this file earlier today, although we were not previously aware of the distribution vehicle until the City of Seattle alerted us about the spam. It’s also interesting to note that the doofyonmycolg.ru domain was registered only a few days ago, so this is a new spam campaign.
While this particular campaign is new, Win32/Cridex variants originated around September 2011. As is usually the case, the malware authors attempted to evade detection by updating the malware and altering the hosts that it communicates with. You can read more about Worm:Win32/Cridex.B in the MMPC malware encyclopedia.
The best way to remain protected against this type of attack is to:
• Keep your security software and Windows security updates current
• Teach yourself to recognize and avoid phishing emails and other messages
Also, note that neither the Seattle Police Department nor Department of Motor Vehicles (DMV) sends tickets by email — only by “snail mail” (post). The Seattle Police Department published an alert on their site at the following link: http://spdblotter.seattle.gov/2012/01/19/beware-phishy-email-titled-seattle-traffic-ticket/
— Tareq Saade, Microsoft Security Response Center
Leave a reply