Tuesday, June 18, 2013

openxadvertising.com Mass Malvertising Campaign

On Monday, Government Security News (GSN), reported that their website had been compromised during a mass infection. While in the case of the GSN infection, the injected content was delivered from googlecodehosting.com, we have determined that the same content was also delivered from googlecodehosting.org and googlecodehosting.net, all of which resolve to and are now offline.

In reviewing our logs for sites appearing as referrers on requests to the aforementioned domains, which indicates that they too were/are compromised, we have thus far identified 65 different sites (see list below), with the earliest referrers appearing on Thursday, June 13, 2013 at 06:32:28 GMT. Referrers for the GSN site appeared as early as June 14, suggesting that the site was likely compromised for a couple of days before its staff became aware of the situation and took steps to clean it.

The attack leveraged the following chain of events:

1. Malvertising – The injected code appears to have been delivered through malicious advertisements displayed by the impacted sites, rather than through the sites' own pages. The malicious advertisements were served from openxadvertising.com, which is currently blocked by Google Safe Browsing.
2. Redirect – The content hosted on the googlecodehosting pages (now offline) has been archived on Pastebin. As can be seen there, the actual malware is pulled from compromised WordPress sites.
3. Infection – A malicious .jar file is delivered. At least two separate Java vulnerabilities have been observed in the attacks (CVE-2013-1493 and CVE-2013-2423); the exploits are used to install the ZeroAccess Trojan.

The following infected domains have been identified in this attack by reviewing Referer headers on requests to googlecodehosting.com/net/org:

·      2475-lsxtv.voxcdn.com
·      ads.rahesabz.net
·      ads.thehiveworks.com
·      delaware.newszap.com
·      disabilitynow.org.uk
·      dj1067fm.com
·      greenhomeguide.com
·      insanescouter.org
·      lamega.com
·      marinefuel.com
·      mess.troutcave.net
·      omahanightlife.com
·      openx.multimediajamaica.com
·      pacificweddings.com
·      supernormalstep.com
·      test.theeagle.com
·      traveloregon.com
·      truthdig.com
·      vmblog.com
·      www.adrants.com
·      www.artshound.com
·      www.beginnertriathlete.com
·      www.birmingham365.org
·      www.brambletonian.net
·      www.charlestongolfguide.com
·      www.clashmusic.com
·      www.cobizmag.com
·      www.controleng.com
·      www.dragzine.com
·      www.ediblemanhattan.com
·      www.empirepage.com
·      www.environmentalleader.com
·      www.first30days.com
·      www.girlswithslingshots.com
·      www.guideposts.org
·      www.hospitalmedicine.org
·      www.hot-dinners.com
·      www.jeepsunlimited.com
·      www.jewishjournal.com
·      www.knittinghelp.com
·      www.lakestclair.net
·      www.lethbridgeherald.com
·      www.lsxtv.com
·      www.menuclub.com
·      www.nowplayingaustin.com
·      www.onedirt.com
·      www.phillyfunguide.com
·      www.popco.net
·      www.pro-touring.com
·      www.questionablecontent.net
·      www.radiohitz92fm.com
·      www.rtbookreviews.com
·      www.sayfiereview.com
·      www.sermonspice.com
·      www.spearfishingplanet.com
·      www.sportscollectorsdaily.com
·      www.stangtv.com
·      www.success.com
·      www.talentzoo.com
·      www.thejc.com
·      www.ventura-usa.com
·      www.wannabebig.com
·      www.whichbudget.com
·      www.workerscompensation.com
·      www.worthgoing.com

For those wishing to implement IDS-based signatures to detect the attacks, the following unique strings have been identified in the URL paths seen delivering the malicious .jar files:

"/.cache/?f=site.jar&k=" OR
followed by:

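The indicators above (the googlecodehosting redirector domains, the openxadvertising.com ad host and the .jar path string) can also be applied to proxy logs after the fact. The following is an added example, not code from the original post: it scans a simplified log format (time, client, URL, Referer) and also reproduces the method used above to find compromised sites, by collecting the Referer hosts on requests to the redirector domains. The log lines and every client/site host name in SAMPLE_LOG are constructed placeholders; only the indicators come from the post.

```python
"""Scan HTTP proxy log lines for the malvertising chain described above.

Added example, not part of the original post. Indicators come from the post;
the log format and all client/site host names in SAMPLE_LOG are constructed.
"""
from urllib.parse import urlsplit

# Indicators from the post.
REDIRECTOR_HOSTS = {"googlecodehosting.com", "googlecodehosting.net", "googlecodehosting.org"}
MALVERTISING_HOST = "openxadvertising.com"
JAR_PATH_MARKER = "/.cache/?f=site.jar&k="

# Constructed sample: "<time> <client> <url> <referer>" with "-" for no Referer.
SAMPLE_LOG = """\
1371104000 10.0.0.5 http://www.news-site.invalid/article.html -
1371104001 10.0.0.5 http://openxadvertising.com/ad.js http://www.news-site.invalid/article.html
1371104002 10.0.0.5 http://googlecodehosting.com/a.js http://www.news-site.invalid/article.html
1371104003 10.0.0.5 http://blog.wp-site.invalid/.cache/?f=site.jar&k=7f3a http://googlecodehosting.net/
1371104004 10.0.0.9 http://cdn.static.invalid/js/site.jar -
"""


def host_of(url):
    """Lower-cased host of a URL, or "" when absent (e.g. an empty Referer)."""
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""


def same_or_sub(host, domain):
    return host == domain or host.endswith("." + domain)


def classify(url, referer):
    """Return the indicator names that a single request matches."""
    hits = []
    u_host, r_host = host_of(url), host_of(referer)
    if any(same_or_sub(r_host, d) for d in REDIRECTOR_HOSTS):
        hits.append("redirector-referer")  # fetched after the redirect stage
    if any(same_or_sub(u_host, d) for d in REDIRECTOR_HOSTS):
        hits.append("redirector-fetch")    # page pulled the injected script
    if same_or_sub(u_host, MALVERTISING_HOST):
        hits.append("malvertising-host")   # ad served from the malvertising domain
    if JAR_PATH_MARKER in url:
        hits.append("jar-path")            # the unique .jar delivery path
    return hits


def parse_line(line):
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, url, referer = parts
    return ts, client, url, ("" if referer == "-" else referer)


def scan(log_text):
    """Alerts as (client, url, [indicators]) for lines matching any indicator."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _, client, url, referer = rec
        hits = classify(url, referer)
        if hits:
            alerts.append((client, url, hits))
    return alerts


def compromised_candidates(log_text):
    """Referer hosts on requests to the redirector domains: the same method
    used above to build the list of infected sites."""
    sites = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _, _, url, referer = rec
        if "redirector-fetch" in classify(url, referer) and host_of(referer):
            sites.add(host_of(referer))
    return sites


if __name__ == "__main__":
    for client, url, hits in scan(SAMPLE_LOG):
        print(client, url, ",".join(hits))
    print("candidate compromised sites:", sorted(compromised_candidates(SAMPLE_LOG)))
```

The jar-path check is the one to turn into a network signature (for Snort, a `content:"/.cache/?f=site.jar&k="; http_uri;` match); the referer-based checks are better suited to log review, since the redirector domains are already offline and the list of referring sites is what identifies further victims.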
This attack is very similar to one that we blogged about in May. That attack was also a mass infection, which impacted media sites and also leveraged the ZeroAccess Trojan. As a courtesy, communication has been sent to the webmasters of all impacted domains informing them of the potential infection.

- michael

Tuesday, June 4, 2013

Phishers target Yahoo users

Yahoo Mail introduced two-factor authentication in December 2011. Two-factor authentication can be used to challenge suspicious access to an account (a login from a different country, numerous failed login attempts, etc.) and to verify a user's identity when a password reset is requested.

Two-factor authentication has been in the news a fair bit lately, as LinkedIn and Twitter have recently begun to offer the feature. We encountered an example in which a phisher took advantage of this heightened awareness of two-factor authentication to aid an attack. The scam involved spoofed e-mails claiming that all Yahoo users must turn on two-factor authentication:

Phishing e-mail to Yahoo Mail users

The e-mail has a spoofed FROM address (@yahoo.com) and a link whose displayed text reads http://update.yahoo.com/. A user who clicks it is actually taken to a phishing page at http://www.antek.com/pics/tiles/yahoo.com.html, shown below:

Yahoo phishing page
At present, this URL is blocked by Google Safe Browsing (used by Firefox, Chrome and Safari) but not by Internet Explorer's SmartScreen Filter.
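The giveaway in this message is that the link text names one site while the href points to another. The following added example, which is not code from the original post, extracts every anchor from an HTML e-mail and reports those whose displayed host and actual host differ at the registered-domain level. SAMPLE_EMAIL is a constructed message modelled on the scam described above: the href is the phishing URL reported in the post, while the sender and recipient addresses are placeholders. It only reports the From domain for context; proving that a From header is spoofed needs SPF/DKIM results, which this check does not look at.

```python
"""Flag anchors whose visible text names one site while the href leads elsewhere.

Added example, not code from the original post. SAMPLE_EMAIL is constructed;
the href is the phishing URL the post reports, the addresses are placeholders.
"""
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlsplit

SAMPLE_EMAIL = """\
From: Yahoo! Mail <no-reply@yahoo.com>
To: user@example.invalid
Subject: Action required: enable two-factor authentication
Content-Type: text/html; charset=utf-8

<html><body>
<p>All Yahoo! Mail users must enable two-factor authentication today.</p>
<p>Click <a href="http://www.antek.com/pics/tiles/yahoo.com.html">http://update.yahoo.com/</a> to continue.</p>
<p><a href="http://help.yahoo.com/">Help</a></p>
</body></html>
"""


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude eTLD+1 (last two labels). Enough for .com/.net/.org; use a
    public-suffix list for co.uk-style domains."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def claimed_host(text):
    """Host the visible text claims, or None when the text is not URL-like."""
    if " " in text or "." not in text:
        return None
    candidate = text if "://" in text else "http://" + text
    return urlsplit(candidate).hostname


def deceptive_links(html):
    """(text, href) pairs whose displayed and actual registered domains differ."""
    parser = AnchorCollector()
    parser.feed(html)
    bad = []
    for href, text in parser.anchors:
        shown, actual = claimed_host(text), urlsplit(href).hostname
        if shown and actual and registered_domain(shown) != registered_domain(actual):
            bad.append((text, href))
    return bad


def analyze(raw_email):
    """Sender domain plus deceptive links found in the HTML body."""
    msg = message_from_string(raw_email, policy=default)
    sender = msg["From"].addresses[0].addr_spec
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    bad = deceptive_links(html)
    return {"from_domain": sender.rpartition("@")[2].lower(),
            "deceptive": bad,
            "suspicious": bool(bad)}


if __name__ == "__main__":
    print(analyze(SAMPLE_EMAIL))
```

Anchors whose text is not URL-like ("Help" above) are skipped, because a word cannot contradict its href; the check deliberately fires only when the user is shown a concrete address that the link does not go to.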

Yahoo is now shutting down the Yahoo Mail Classic interface and moving users to its new e-mail platform. This will no doubt be another opportunity for phishers to take advantage of confused users.

Saturday, June 1, 2013

Rise in Red Kit Exploit Kit Activity

This week, we observed a pattern of compromised websites that redirect visitors to a Red Kit exploit kit (EK) landing page. Some of the infected websites that were seen:
  • neptunebenson[dot]com
  • route66marathon[dot]com
  • whitesteeple[dot]com 
(Warning! these sites may still be infected)

Two different mechanisms were used to infect the websites. The first is a standard iframe injection, which leads to the Red Kit EK landing page through a chain of URL redirections. The other leverages SEO-based techniques and HTTP 302 redirections that lead to the RedKit EK landing page.

The snapshot below shows some of the sample URLs/SEO redirections that were seen. Please refer to this URLQuery search to identify other URLs exhibiting the same redirection patterns.

Upon visiting the infected web page, the user is sent through a malicious HTTP 302 redirection, after which the actual exploit code shown below is ultimately delivered.

The first landing page uses a typical RedKit exploit, which contains the obfuscated URL used to fetch the payload, as shown in the highlighted box below.

The Java sandbox bypass is carried out with an unsigned applet launched with the suspicious parameter "__applet_ssv_validated", exploiting the following vulnerabilities: CVE-2013-1493 / CVE-2013-2423 / CVE-2012-1723.

The applet in the .jar takes the obfuscated URL from the parameter "name", which is passed in through the JNLP file shown above, and decodes it into the final URL with the following code:

This URL serves the encrypted binary payload. The applet opens a URLConnection stream to download the encrypted bytes and decrypts them with AES-128 in CBC mode; the IV (initialization vector) and the decryption key are stored inside the applet. After decryption, it writes the binary to the temporary folder (obtained from the java.io.tmpdir system property) under a random filename. The snapshot below summarizes some of the important routines involved in the decryption process.

The binary is packed with UPX and carries anti-VM/anti-debugging routines. It is a keylogger Trojan that steals credentials such as credit card numbers and passwords and sends them to a remote location. Currently, the binary is detected as malicious by only three AV vendors.
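Before opening the .jar itself, the JNLP launch file already exposes most of the pattern described above: the "__applet_ssv_validated" parameter, the opaque "name" parameter that the applet turns into the payload URL, a tiny applet size and the absence of any request for full permissions, which is what makes a dropped native binary a sandbox escape. The following is an added example, not code from the original post or from the exploit kit, that parses a JNLP file with the standard library and lists those findings. SAMPLE_JNLP is constructed: the codebase, jar name and the "name" value are placeholders; only the parameter name "__applet_ssv_validated" is taken from the post. The applet's own decoding routine for "name" is not reproduced, so the value is reported as-is.

```python
"""Static triage of a JNLP launch file for the applet pattern described above.

Added example, not code from the original post or from the exploit kit.
SAMPLE_JNLP is constructed: codebase, jar name and the "name" value are
placeholders; only the parameter name "__applet_ssv_validated" is from the post.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urljoin

SAMPLE_JNLP = """\
<jnlp spec="1.0" codebase="http://example.invalid/x/">
  <information><title>a</title><vendor>a</vendor></information>
  <resources>
    <j2se version="1.7+"/>
    <jar href="site.jar" main="true"/>
  </resources>
  <applet-desc name="a" main-class="Main" width="1" height="1">
    <param name="__applet_ssv_validated" value="true"/>
    <param name="name" value="Zg9r2lsKq7fe3m"/>
  </applet-desc>
</jnlp>
"""


def _int(value):
    try:
        return int(value)
    except (TypeError, ValueError):
        return 0


def parse_jnlp(text):
    """Codebase, resolved jar URLs, trust request and per-applet parameters."""
    root = ET.fromstring(text)
    codebase = root.get("codebase", "")
    jars = [urljoin(codebase, j.get("href", "")) for j in root.iter("jar")]
    applets = []
    for desc in root.iter("applet-desc"):
        applets.append({
            "main_class": desc.get("main-class", ""),
            "width": _int(desc.get("width")),
            "height": _int(desc.get("height")),
            "params": {p.get("name", ""): p.get("value", "") for p in desc.iter("param")},
        })
    return {
        "codebase": codebase,
        "jars": jars,
        # <security><all-permissions/></security> is how a (signed) applet asks
        # to leave the sandbox; its absence means the applet runs sandboxed.
        "all_permissions": root.find("security/all-permissions") is not None,
        "applets": applets,
    }


def triage(text):
    """Findings a reviewer would want before opening the jar."""
    info = parse_jnlp(text)
    findings = []
    for a in info["applets"]:
        params = a["params"]
        if params.get("__applet_ssv_validated", "").lower() == "true":
            findings.append("ssv-bypass: __applet_ssv_validated=true "
                            "(parameter reported with the unsigned applet above)")
        if a["width"] <= 1 and a["height"] <= 1:
            findings.append("hidden-applet: %dx%d applet" % (a["width"], a["height"]))
        if "name" in params:
            findings.append("opaque-param: name=%r "
                            "(carries the obfuscated payload URL in the sample above)" % params["name"])
    if not info["all_permissions"]:
        findings.append("sandboxed: no <all-permissions/> requested, so a dropped "
                        "native binary implies a sandbox escape")
    return info, findings


if __name__ == "__main__":
    info, findings = triage(SAMPLE_JNLP)
    print("jars:", info["jars"])
    for f in findings:
        print("-", f)
```

The resolved jar URLs are what to pull from a proxy cache or pcap for the next step; the decoded "name" value and the AES key and IV have to come from the applet's bytecode, which is where the decryption routines summarized above live.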

Binary Reports:

Jar File Report: 

It is always good practice to keep vulnerable browser plugins such as the Adobe and Java plugins constantly updated. This protects the end user from EKs that leverage known vulnerabilities. For more specific information on the Java plugin and how to disable it, please refer to this great blog post from my colleague Julien Sobrier.