Tuesday, May 21, 2013

Darkleech attack continues to grow

The Apache Darkleech attack has been in the news for quite some time now. The first compromise that we identified in our transactions dates back to mid-March. This Darkleech exploit (aka Linux.Cdorked) injects malicious redirections into a website that lead to a Blackhole Exploit Kit (BEK) landing page. Sucuri published a great write-up about the Darkleech infection mechanism on the server side.

We are currently observing a considerable rise in websites compromised by this attack. The infected websites redirect to a version of the Blackhole Exploit Kit v2. We identified the following sites as compromised in the past week within observed Zscaler traffic:


The following IPs and websites were observed serving the Blackhole Exploit Kit landing page:


The following pattern was observed in the landing page URL:

\/[a-z0-9]{16,32}\/q.php

We also identified the following user-agent strings when the redirection was made:

Java/1.6.0_26
JNLP/1.7.0 javaws/10.21.2.11 () Java/1.7.0_21
JNLP/6.0 javaws/1.6.0_03 (b05) Java/1.6.0_03
JNLP/6.0 javaws/1.6.0_26 (b03) Java/1.6.0_26

The user agents found while visiting these infected sites were mainly: MSIE_7_X, MSIE_8_X and MSIE_9_X.

Upon visiting an infected website, the victim is redirected to a standard BEK v2 landing page, as shown below.


The exploit code targets vulnerabilities in multiple plugins, including Adobe PDF and Java, when run in IE, allowing the attacker to load malicious code in the context of the application. When deobfuscating the PDF exploit, we can see the final URL used for redirection, as shown in the image below. However, this URL was not accessible at the time of writing (404 error response), hence it was not possible to retrieve the malicious binary file.


Upon revisiting some of these compromised websites, we found that the pages were no longer serving the injected code. This provides a clue. The attackers probably choose random sites running Apache web servers vulnerable to the Darkleech exploit, infect them only for a brief period of time and then clean them up. Hence tracking Darkleech infections can be a challenging task. For further details on the vulnerability and how the server can be patched, please refer to CVE-2012-1557.

Thursday, May 16, 2013

Fake YouTube page targets Chrome users

Fake YouTube pages are one of the favored ways attackers get users to click on malicious content. These fake pages often look the same, but the source code can reveal a new twist. This time, a recently encountered fake YouTube page hosted at http://facebook-java.com targets Google Chrome users only.

Fake YouTube page

We have found many malicious sites that specifically target Internet Explorer or Firefox users, but not often Google Chrome users. In this example, any click on the fake video player or the fake ad attempts to install the following extension for Google Chrome: https://chrome.google.com/webstore/detail/nhmibhinlbilhaflldckbeokphjoifhi.


JavaScript code that installs a Chrome extension


You may have noticed that the extension is hosted in the official Google Chrome store. Google disabled the installation of extensions from third-party sites in June 2012, and silent installs in late 2012.

The Chrome store page does not show any information about the extension:


Let's install the extension hosted at http://facebook-java.com/.

List of permissions requested by the extension
A new icon is added next to the URL bar:
The link redirects to http://www.getjava.net/. This shows the same page as facebook-java.com. It tries to install another extension from the Chrome store, but this one has already been removed.

getjava.net
Now that the extension has been installed, it is not possible to open Tools or Settings in Chrome. Instead, a tab opens to https://www.facebook.com/?get_cod whenever those functions are accessed. The corresponding code in the malicious extension shows how it is done:

Overrides any tab with a URL starting with chrome://
Thereafter, four different malicious scripts are inserted into every web page viewed. The author uses the Google URL shortener to include the malicious JavaScript:
  • http://goo.gl/9Ky9t => http://profonixcoder.com/yeni/pro.php
  • http://goo.gl/gQhF6 => http://profonixcoder.com/yeni/twitter.php (down)
  • http://goo.gl/t7snI => http://profonixcoder.com/yeni/youtube.php (down)
  • http://goo.gl/jUEgY => http://profonixcoder.com/yeni/askfm.php (down)
Only the first script is available currently. It works on Facebook pages, sharing links using the user's account. From the names of the other files, we can assume they do something similar on YouTube, Twitter and Ask.fm.

It looks like the author of this malicious extension doesn't have a high opinion of Google's security, given that he uses Google to host the extension and Google's URL shortener to inject the malicious JavaScript.

Tuesday, May 7, 2013

Facebook Scam for Stalkers

If you are like me, you might feel bad about leaving your dog home alone all day while you are at work. So to alleviate his boredom, I've let him sign up for his own Facebook. Being new to the social media scene has already resulted in one tragedy. Well, my dog has done it again. This time he was paranoid over whether his girlfriend from across the street was cheating on him. So of course when he sees the new FBStalker26.com, he must try it.

On Version 26! So Advanced. So Legit.
Being a human, I know that this is obviously a phishing attempt trying to trick my dog into revealing his Facebook username and password, or worse. Usually a Facebook scam's success depends on your paranoia about who is looking at your profile, or on how many free iPads you think you can win. Once you realize that, these phishing attempts are almost elementary to recognize.

Always look at the address bar before entering your creds.
The link from that photo takes you immediately to a new page where you are meant to log in again with your Facebook credentials. A quick glance at the address bar will show you that you are not in Kansas anymore. Don't do it! Don't enter that information!



Oh no, you did it... Now your username and password have been compromised, though the attackers still won't have an easy time getting into your account thanks to Facebook's stronger security policies. Unfortunately, my dog was gullible enough to enter his security question and answer as well, only to be disappointed by a 404 error immediately after submitting his data. Looks like he'll never know who is stalking him now, but don't worry... he won't have access to his own Facebook account for much longer.

Monday, May 6, 2013

Popular Media Sites Involved in Mass Compromise

Update (May 9): OSIRT had the opportunity to review the infected web app code for one of the compromised sites and has a great write-up to explain what was happening from a server-side vantage point.

Today, Zscaler identified yet another mass website compromise, this one impacting a number of popular media sites, including two radio stations in Washington, DC - Federal News Radio and WTOP. It's not clear if all of the sites impacted were leveraging a common backend platform that may have led to the compromise.

Sadly, mass compromises are now the norm. Attacks targeting end users generally involve some form of social engineering whereby the potential victim must be convinced to visit a site, download a file, etc. Attackers will therefore write a script designed to comb the web looking for popular sites exposing a common flaw and, when one is identified, inject a single line of malicious code into the site. In that way, any user visiting the otherwise legitimate (but now infected) site can become a victim. This particular threat also displays another common trait: it is dynamic in nature and only delivers content if the victim's browser exhibits certain attributes. In this case, the injected content is only displayed when the browser's User-Agent string reveals that Internet Explorer (IE) is being used. When IE is used to view one of the infected pages, the following code is sent to the browser:


Obfuscated JavaScript injected into a webpage at WTOP.com
Deobfuscated version of the injected code
This obfuscated JavaScript decodes to reveal an iframe pointing to sites hosted at Dynamic DNS (DynDNS) hosting providers. Thus far, we have identified two DynDNS providers (myftp.biz and hopto.org) involved, and the actual URLs (which are numerous) conform to the following pattern:

   \/[a-z0-9]{14,15}\/[a-z0-9]{32}\/
Example URL
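As an added example (not code from either post), the two URL patterns quoted on this page, the Darkleech/BEK landing page pattern and Java user agents from the May 21 post above and the DynDNS iframe pattern from this post, can be turned into a small proxy-log check. The log lines, client addresses, hostnames and the 203.0.113.10 landing host are constructed for illustration.

```python
import re
from typing import Dict, List

# Patterns as quoted in the two posts (Darkleech/BEK landing page URL, and the
# iframe destinations hosted on DynDNS providers).
BEK_LANDING_RE = re.compile(r"/[a-z0-9]{16,32}/q\.php")
DYNDNS_PATH_RE = re.compile(r"/[a-z0-9]{14,15}/[a-z0-9]{32}/")
DYNDNS_SUFFIXES = ("myftp.biz", "hopto.org")
# Java / javaws user agents seen when the Darkleech redirection fired.
JAVA_UA_RE = re.compile(r"\bJava/1\.[67]\.0_\d+")

# Constructed proxy log lines, not real traffic: "<client> <url> <user-agent>".
# 203.0.113.10 is a documentation-range address standing in for a landing host.
SAMPLE_LOG = """\
10.0.0.5 http://example-news.test/index.html Mozilla/4.0 (compatible; MSIE 8.0)
10.0.0.5 http://203.0.113.10/a8f0b2c7d9e1f3a5b7c9d1e3f5a7b9c1/q.php Java/1.6.0_26
10.0.0.7 http://hostxyz1234567.myftp.biz/abcdefghijklmn/ab12cd34ef56gh78ij90kl12mn34op56/ Mozilla/4.0 (compatible; MSIE 9.0)
10.0.0.9 http://intranet.example/q.php Mozilla/5.0
"""


def split_url(url: str):
    """Return (host, path) for an http(s) URL; path defaults to '/'."""
    parts = url.split("/", 3)
    host = parts[2].lower() if len(parts) > 2 else ""
    path = "/" + parts[3] if len(parts) > 3 else "/"
    return host, path


def classify(line: str) -> Dict[str, object]:
    """Tag one log line with the indicators it matches (empty list = clean)."""
    client, url, ua = line.split(" ", 2)
    host, path = split_url(url)
    reasons: List[str] = []
    if BEK_LANDING_RE.search(path):
        reasons.append("bek-landing-path")
    # The DynDNS path pattern alone is loose; also require one of the observed providers.
    if DYNDNS_PATH_RE.search(path) and host.endswith(DYNDNS_SUFFIXES):
        reasons.append("dyndns-iframe-path")
    if JAVA_UA_RE.search(ua):
        reasons.append("java-user-agent")
    return {"client": client, "url": url, "reasons": reasons}


def scan(log: str) -> List[Dict[str, object]]:
    """Return only the lines that matched at least one indicator."""
    hits = (classify(l) for l in log.splitlines() if l.strip())
    return [h for h in hits if h["reasons"]]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["client"], hit["url"], ",".join(hit["reasons"]))
```

The plain `/q.php` request on the intranet host is left unflagged because the random 16-32 character directory is what distinguishes the landing page, not the script name.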

Once redirected to the malicious URLs, Fake AntiVirus scams and the ZeroAccess Trojan are delivered to the victim. MD5s for malware delivered include the following:


Thus far, Zscaler has identified the following compromised sites:
 
Media Sites
  • WTOP Radio (Washington, DC) - wtop.com
  • Federal News Radio (Washington, DC) - federalnewsradio.com
  • The Christian Post - christianpost.com
  • Real Clear Science - realclearscience.com
  • Real Clear Policy - realclearpolicy.com
Others
  • scubaboard.com
  • mrsec.com
  • menupix.com
  • xaxor.com
  • gvovideo.com
At the time of posting, these compromised sites were still offering up malicious content.

Friday, May 3, 2013

Fake Flash player on DropBox

Fake Flash updates are a very popular trick amongst attackers to fool users into downloading and installing malware. This week we found three websites distributing Win32.Sanity.N malware disguised as Flash updates:

  • hxxp://kivancoldu.com/, redirects to hxxp://click-videox.com/
  • hxxp://fastcekim.com/, redirects to hxxp://click-videox.com/
  • hxxp://kivanctatlitug.tk/ (down)

http://kivancoldu.com on 05/02/2013

hxxp://kivanctatlitug.tk/

The fake warning at the top of the page alternates between English and Turkish.

What is interesting is that the malicious executables are actually hosted in a DropBox account and have not been taken down since they were found about seven days ago. I have spotted two different executables so far:
These two files have similar behavior. They disable a number of Windows protections: UAC, the firewall, AV, Safe Boot, etc. The malware then drops variants of the Sality virus, some of which have a good detection rate amongst AV vendors.

Interestingly, there is a link on the malicious websites that shows how many people have visited them. There were 1,412 unique visitors in a single day.

Another traffic report shows a further peak: on 05/02 it registered 1,700 visitors... and counting.

These sites keep popping up and they are still able to fool users.