I am not sure whether to be worried or flattered, but it appears that someone is going through the trouble of creating targeted malicious code attacks by spoofing an email from me. They’ve even gone so far as to use the correct signature, return phone numbers, and to pick a topic that I am likely to actually send an email on. The only issue is that they’ve spelled my name wrong…probably to prevent any bounces from coming to me and alerting me. The message looks like this:

From: Matt Devest
Date: Sun, 1 Oct 2006 09:05:27 -0600
To: < ****@terrorism.com>
Subject: How China Steals US Military Secrets !

Dear,

FYI-

http://www.usa.tmsasia.com/collections/prc/How_China_Steals_US_Military_Secrets.html

Matt Devest
CEO
Terrorism Research Center, Inc.
Tel: (703)***-****
Email: Devest@terrorism.com

Obviously, if you get this message, don’t click on the attachment. My good friend Eric took a look at the target web page and provided this assessment:

Basically, the link is for a page that’s just javascript. What’s interesting is that it uses the javascript ‘unescape’ function to set values to a couple vars. The unescape function takes what looks like gibberish and, when unescaped, is plain javascript code. The last part of the initial script does an ‘eval’ on the variable, which runs the code. What the code does is run another set of javascript which was previously decoded and attempts to use a VERY new IE vulnerability to cause a buffer overflow and then allows running any program as administrator on the box. More details on the actual exploit can be found at:

http://www.us-cert.gov/current/index.html#exwbfldr

As such, only Windows users running IE 6 are vulnerable to this ‘link’. From what I can find on the Microsoft website, it looks like this vulnerability might only apply to Windows 2003 Server, but that remains unclear. Microsoft did indicate they would have an update released by October 10.

In summary, whoever did this cleverly crafted email wanted to maximize his/her chances of getting a ‘hit’. The exploit is considered a 0-Day and the way it was escaped took some time to sort through and decode. If it wasn’t for the misspelled Devost, it could almost be considered ‘perfect’…
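The decode-then-eval pattern Eric describes can be triaged statically, without ever running the script. The following Python is an added example (not from the original post or from Eric's assessment): it implements the %XX / %uXXXX decoding that JavaScript's unescape() performs, runs it over a constructed sample page, and flags any eval() whose argument consumes the decoded variables.

```python
import re

# Constructed sample (not the real page from the email): two variables filled
# via unescape() of %XX / %uXXXX gibberish, then an eval() of the joined result.
SAMPLE_PAGE = """<html><body><script>
var a = unescape("%76%61%72%20%78%3D%31%3B");
var b = unescape("%u0061%u006C%u0065%u0072%u0074%28%78%29%3B");
eval(a + b);
</script></body></html>"""

_ESC = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")
_ASSIGN = re.compile(r"(?:var\s+)?(\w+)\s*=\s*unescape\(\s*(['\"])(.*?)\2\s*\)", re.S)
_EVAL = re.compile(r"\beval\s*\(([^)]*)\)")


def js_unescape(text: str) -> str:
    """Decode a string the way JavaScript's unescape() does: %uXXXX -> one
    UTF-16 code unit, %XX -> one byte-sized code point, anything else literal.
    This is a pure string transform; nothing is executed."""
    return _ESC.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), text)


def decode_unescape_assignments(page: str) -> dict:
    """Map each variable assigned from unescape("...") to its decoded content."""
    return {name: js_unescape(body) for name, _q, body in _ASSIGN.findall(page)}


def triage(page: str) -> dict:
    """Static triage of a suspicious page: decode unescape()'d variables and
    flag any eval() whose argument references one of them."""
    decoded = decode_unescape_assignments(page)
    hits = []
    for arg in _EVAL.findall(page):
        used = [v for v in re.findall(r"\b\w+\b", arg) if v in decoded]
        if used:
            hits.append({"eval_arg": arg.strip(),
                         "payload": "".join(decoded[v] for v in used)})
    return {"decoded": decoded, "eval_hits": hits, "suspicious": bool(hits)}


if __name__ == "__main__":
    report = triage(SAMPLE_PAGE)
    for name, code in report["decoded"].items():
        print(f"{name} = {code!r}")
    for hit in report["eval_hits"]:
        print("eval of decoded data:", hit["eval_arg"], "->", hit["payload"])
```

The recovered payload is plain text that can be read or fed to a second decoding pass if it is itself escaped; the page's script is never evaluated.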

For what it’s worth, the email came directly from a server in Utah.

IP: 205.118.75.84
OrgName: Utah Educational Network
OrgID: UEN-1
Address: 101 Wasatch Drive, Rm 215
City: Salt Lake City
StateProv: UT
PostalCode: 84112
Country: US

Probably just a poorly patched server that was hacked and used as a jump-point…