To our Customers, Partners, and Friends,
Today we light the firecrackers at Armorize!
We're extremely excited to let you know that Armorize Technologies Inc. will become a part of Proofpoint Inc.! The acquisition has been approved by the Proofpoint Board of Directors and by the requisite Armorize shareholders and is expected to close in the third quarter of 2013. We owe this incredible success to our current team and to our many friends who've supported us along the way. Thank you everyone!
For me personally, the past few years have been the happiest time of my life. At Armorize I get to work with a great team, and I really appreciate the chemistry, the friendship, and the sense of mission; we're like a family and I constantly felt we were making progress, innovating, overcoming challenges, learning, improving, helping each other, helping our users, and making the impossible happen. It's an incredible feeling, indescribably great, utterly satisfying, and highly addictive. It was worth every minute of the hard work! Money can't buy this and I am grateful for the amazing experience and memories. I feel very lucky.
Proofpoint is a worldwide leader in email security and it's incredible to see their progress as highlighted by Gartner's report: Magic Quadrant for Secure Email Gateways 2013.
An important reason for Proofpoint to stand out as a clear leader in Gartner's 2013 report is its new Targeted Attack Protection (TAP) offering, which leverages Armorize's advanced malware scanning platform. Email is the primary attack vector in Advanced Persistent Threats (APT), and is often used as a means to deliver malicious URLs and documents to victims.
An interesting question is: even if a victim was lured into opening a malicious URL or document, why would he or she get infected? How did the attack bypass the antivirus solutions, the UTMs, and the email security gateways? To dig into this, let's reflect on how the antivirus industry started: most antivirus products started out aiming at detecting viruses on the PC. The keyword here isn't "virus;" it's "PC." The PC has always had very limited computation power and therefore, all along the way, antivirus' goal has been to "detect as much as possible" under constrained resources. After all, who'd want to use antivirus products that consume half of our PC's resources and reduce our notebook's battery life by half?
This concept took even deeper root in the antivirus industry as the Internet boomed and antivirus vendors started to integrate with all sorts of network devices – firewalls, gateways, email servers, IDS, etc. These were great new markets for the antivirus vendors, but because speed is critical and computation power is limited to what's available on an appliance, antivirus went further down the road of signature-based pattern matching.
In today's world where mature cloud technologies are readily available, an important question we ask ourselves is:
Can we scale up our detection rate in proportion to our available computation power? For antivirus, the answer is NO. Since antivirus detection rate quickly plateaus as we add resources, it is hard for antivirus to benefit from today's cloud advancements. Don't get me wrong, antivirus can still leverage the cloud to scale up its detection "volume" and "speed," but when it comes to increasing the detection rate, not really.
Aimed at detecting next generation threats, Armorize set its goal to build a detection platform whose detection rate scales up in proportion to the computation power. This allows us to leverage recent cloud advancements and increase our detection rate as cloud technologies improve.
If we look at sandboxing, which we use heavily, well, sandboxing isn't really "new." Sandboxing was a hot security technology in the early 2000s, but it didn't pick up as well as expected. The reason? The concept was innovative at the time, but the mindset was not. Vendors were trying to offer sandboxing as better antivirus products – meaning, designing sandboxing products to run on PCs and notebooks.
It wasn't a great fit at the time, again, due to the PC's limited resources. Using dedicated hardware for sandboxing is a better approach, but it still doesn't leverage modern cloud advancements.
Today at Armorize, we've successfully built a platform that combines sandbox-based attack detection with cloud-based technologies. The boost in detection rate was phenomenal. Scaling up the detection rate has become practical. This is what Proofpoint is using for their TAP (Targeted Attack Protection), and this has contributed greatly to their improved status in Gartner 2013's Magic Quadrant as a clear leader in email security.
Our new platform is focused on detecting "next generation attacks," and it doesn't just include APT. For example, an important APT requirement is to focus the attack scope. To reduce exposure and prolong attack lifespan, APT attacks limit the delivery scope and focus only on desired targets. This coincides with the requirements of the online advertising industry--targeted, selected delivery scope, differentiating bots (ex: crawlers) against humans, and so on.
For online advertisers, each click or impression costs money and therefore, it is critical for the ecosystem to be extremely accurate at differentiating between bots and humans. Serving ads to bots results in wasted advertising dollars, since there is no hope of converting a bot to a customer. For APT attackers, serving exploits to these bots runs the risk of exposing the attack campaign, and so they must also be very good at differentiating visitors and at targeting content.
Because these requirements coincide, attackers have been leveraging the online advertising ecosystem to spread malware, resulting in a new type of hard-to-detect threat. We call this "malvertising," which in our view makes up another type of next generation threat.
For Armorize, the acquisition presents a launchpad from which we plan to soar to new heights. In recent years we've been quiet on our blog, because we've been very busy building our new platform. We've even created our own static+dynamic analysis engine that goes together with our own threat description language we call Vicara. As per the Chinese idiom, "Like adding wings to a tiger," Proofpoint's comprehensive email security platform, combined with Armorize's new cloud-based next generation defense platform, is going to change the way people consider email security. At the same time, armed with Proofpoint's resources, we'll be quickly improving all products under HackAlert Suite, including HackAlert Website Monitoring, HackAlert SafeImpression, HackAlert Vulnerability Assessment, and HackAlert CodeSecure.
Powered by Proofpoint's extensive experience in cloud computing, HackAlert Suite is going to incorporate innovations at a much faster rate. Coupled with Proofpoint's sales and customer support resources, HackAlert Suite will be able to help a much wider spectrum of businesses in their fight against next generation threats.
Starting out eight years ago, Armorize has grown solidly, step by step. We are so very excited about the future, and to have the opportunity to make a much greater impact in helping businesses protect their investments, customers, employees and Intellectual Property, allowing them to focus on their own core competencies and generate further value for all of their stakeholders.
We'd like to express our sincere gratitude to all the friends we've made along the way. It is because of your help that we have made it this far and we will always be grateful and cherish the memories.
Moving forward, please give us and Proofpoint your continued support as we strive to deliver the world's most advanced defense platform against next generation threats. Thank you!
Wayne Huang
Aug 8, 2013
Malvertising on KickAssTorrents (kat.ph) , OpenX compromised to serve fake anti-virus "Security Sphere 2012"
Posted by: Wayne Huang on 10.15.2011 / Categories: Drive-by download, fake antivirus, HackAlert, openx, Web malware
(Credits: Wayne Huang, Chris Hsiao, NightCola Lin)
Yesterday our HackAlert website malware monitoring service told us that KickAssTorrents (kat.ph), ranked 321 globally on Alexa with more than 1.5 million unique visitors per month, is serving malware to all of its visitors via malvertising. Below is a video showing how visitors are infected:
Coincidentally, KickAss Torrents published a blog post on Oct 10th in response to the website being flagged by antivirus vendor Avast. In it they said:
===================
Our users that are using the Avast anti-virus might have noticed that KAT.ph suddenly became labeled as a dangerous website for users that are not logged in. We want to assure our users that KickassTorrents has no malware or viruses of any kind and it is absolutely safe to use our website. We already contacted Avast and currently we are trying to find and fix the cause of this problem. You will help us if you choose the "Report the file as a false positive" option if you get the alert.
===================
In another thread, KickAss Torrents said:
===================
Now what the hell does this error mean?
First of all, don't flip out, don't go post on the KAT site, post down here if you experience the same problem.
Secondly, report down here if you experience this error.
Thirdly, add kat.ph to the safe URLs in your AV.
And lastly, please go to this site and report the problem (Avast! users only):
Avast! forum thread
Back on topic. What is this error? This error roughly means that your anti-virus software has found some bad code in an iFrame. This could be from the site itself, or from advertisements. An iFrame is a piece of code that allows you to do several things. Embedding something to your site is a good example.
I hope this topic helps a little and I certainly hope the error is going to be fixed now.
Q&A:
Q: OMFG IS KAT HACKED?
A: Nope, just some error.
Q: Is it really safe to visit KAT?
A: Yes, it is.
===================
KickAss Torrents also referred to this discussion thread on Avast's forum. At the end of the thread it appears that Avast has acknowledged that it was indeed a false positive and has addressed the issue:
===================
Hello,
It should be solved, if not let us know please.
Miroslav Jenšík
AVAST Software a.s.
===================
Well, that time it might have been a false positive from Avast, but this time the website is absolutely infecting its visitors, as seen in our video.
[Summary]
Here we summarize characteristics worth noting:
1. High traffic website compromised.
2. Malvertising via compromising KickAssTorrents' OpenX platform.
3. Spreading fake antivirus "Security Sphere 2012" by conducting a drive-by download process. Simply navigating to the website with an outdated browsing platform will result in infection. No clicks necessary (see video).
4. Same attackers responsible for the recent speedtest.net incident.
5. Using DynDNS domains for their exploit server.
6. Domain names are auto-calculated using JavaScript. The algorithm used generates a (predictable) different dyndns.tv domain name every hour, in the format of roboABCD.tv, where ABCD are characters with a fixed seed and incremented by one character every different UTC hour.
7. The new dyndns domain for the next hour is generated every hour precisely at minutes 2 to 5, so this may be done by an automated mechanism.
8. Initial antivirus detection rates are very low, from 0 to 2 vendors out of 43 on VirusTotal.
9. All generated domains resolve to a single IP: 184.22.224.154 (AS21788, United States Scranton Network Operations Center Inc), located in the US.
10. The domain obama-president.com resolves to this IP and is serving the same exploit pack. This domain was registered on Aug 4th through a Russian registrar, 1'ST DOMAIN NAME SERVICE www.1dns.ru. At this time the domain resolved to a Netherlands IP, 85.17.93.9. The domain started to resolve to 184.22.224.154 on Aug 23rd. This IP and the president-obama.com domain are both currently still up and working.
[Details]
KickAssTorrents serves its ads via its OpenX installation at ad.kat.ph. This platform has been compromised and made to serve browser exploits. In our video, this URL:
http://ad.kat.ph/delivery/ajs.php?zoneid=4&target=_blank&charset=UTF-8&cb=95920847237&charset=UTF-8&loc=http%3A//www.kat.ph/&section=1939940
was injected with malicious JavaScript. In the following code snippet, the highlighted sections are the injected part. Note the code isn't just a few lines of "injection"--the code is merged with the original OpenX HTML code:
The following are the important parts of the decoded version:
From lines 29-41, we can see that the function spelled() generates four characters based on the current hour in UTC. From line 18 we can see how this function is called: var gyrally = spelled(String("robo"), new String(".dynd" + "ns.tvmg7j".substr(0, 5)));
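The hourly naming scheme summarized above gives a defender something concrete to look for in resolver logs. The following is an added example (not code from the write-up or from the injected script): it scans constructed DNS log lines for the robo????.dyndns.tv family and checks the two behaviours the post reports, one new label per UTC hour and a single answer IP. The log line format and the sample lines are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Family described in the write-up: "robo" + four characters under dyndns.tv,
# a new name every UTC hour, all of them resolving to 184.22.224.154.
ROBO_RE = re.compile(r"^robo([a-z0-9]{4})\.dyndns\.tv$", re.IGNORECASE)
KNOWN_EXPLOIT_IP = "184.22.224.154"

# Constructed, simplified resolver log (assumed format):
#   <ISO-8601 UTC timestamp> <client-ip> <qname> <answer-ip>
SAMPLE_LOG = [
    "2011-10-14T13:07:12Z 10.0.0.5 www.kat.ph. 203.0.113.10",
    "2011-10-14T13:07:13Z 10.0.0.5 roboaaab.dyndns.tv. 184.22.224.154",
    "2011-10-14T14:02:41Z 10.0.0.9 roboaaac.dyndns.tv. 184.22.224.154",
    "2011-10-14T15:04:03Z 10.0.0.5 roboaaad.dyndns.tv. 184.22.224.154",
    "2011-10-14T15:10:00Z 10.0.0.7 robotics.example.com. 198.51.100.20",
    "malformed line",
]


def parse_dns_line(line):
    """Parse one log line into a dict, or return None if it does not fit the format."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.fromisoformat(parts[0].replace("Z", "+00:00"))
    except ValueError:
        return None
    return {
        "ts": ts.astimezone(timezone.utc),
        "client": parts[1],
        "qname": parts[2].rstrip(".").lower(),
        "ip": parts[3],
    }


def analyze_dns_log(lines):
    """Flag queries in the robo????.dyndns.tv family and test the hourly-rotation
    and single-IP properties across everything that matched."""
    labels_by_hour = defaultdict(set)  # UTC hour bucket -> set of 4-char labels seen
    answer_ips = set()
    hits = []
    for line in lines:
        rec = parse_dns_line(line)
        if rec is None:
            continue
        m = ROBO_RE.match(rec["qname"])
        if m is None:
            continue
        hour = rec["ts"].strftime("%Y-%m-%dT%H:00Z")
        labels_by_hour[hour].add(m.group(1))
        answer_ips.add(rec["ip"])
        reasons = ["matches robo????.dyndns.tv naming scheme"]
        if rec["ip"] == KNOWN_EXPLOIT_IP:
            reasons.append("answer is the exploit server IP from the write-up")
        hits.append({"qname": rec["qname"], "client": rec["client"],
                     "ip": rec["ip"], "hour": hour, "reasons": reasons})

    hours = sorted(labels_by_hour)
    # Hourly rotation: every observed hour used exactly one label, and no label
    # was reused in a different hour.
    one_per_hour = all(len(labels_by_hour[h]) == 1 for h in hours)
    distinct = {next(iter(labels_by_hour[h])) for h in hours} if one_per_hour else set()
    hourly_rotation = len(hours) >= 2 and one_per_hour and len(distinct) == len(hours)
    return {
        "hits": hits,
        "hours_observed": hours,
        "hourly_rotation": hourly_rotation,
        "answer_ips": sorted(answer_ips),
        "single_ip": len(answer_ips) == 1,
    }


if __name__ == "__main__":
    result = analyze_dns_log(SAMPLE_LOG)
    for hit in result["hits"]:
        print(hit["hour"], hit["client"], hit["qname"], hit["ip"], "; ".join(hit["reasons"]))
    print("hourly rotation:", result["hourly_rotation"], "single IP:", result["single_ip"])
```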
Antivirus detection of the dropped and installed malicious binary was 2 out of 42 vendors on VirusTotal.
And finally, here's a screenshot of the installed fake antivirus Security Sphere 2012:
http://jjghui.com/urchin.js mass infection ongoing
(Credit: Wayne Huang, Chris Hsiao, NightCola Lin)
Starting Oct 9th, we've been tracing a mass injection attempt. Currently, there have been 180,000 affected pages, according to Google.
The attack targets visitors of six particular languages--English, German, French, Italian, Polish, and Breton, as seen in the following deobfuscated script:
Here is a text version of the above decoded script.
The script causes the visiting browser to load an iframe first from www3.strongdefenseiz.in and then from www2.safetosecurity.rr.nu. Multiple browser-based drive-by download exploits are served depending on the visiting browser.
In a drive-by download attack, visitors who navigate to the infected websites have malware installed on their machines without their knowledge. This happens if they have outdated browsing platforms (browser, Adobe PDF, Adobe Flash, Java, etc).
This wave of mass injection is targeting ASP and ASP.NET websites.
Currently, 6 out of 43 antivirus vendors on VirusTotal can detect the dropped malware.
jjghui.com resolves to IP 146.185.248.3 (AS3999), which is in Russia. www3.strongdefenseiz.in resolves to 75.102.21.121 (AS36352), which is in the US and hosted by HostForWeb.com. www2.safetosecurity.rr.nu resolves to IP 67.208.74.71 (AS33597), which is in the US and hosted by InfoRelayOnlineSystems.
The dropped malware attempts to connect to: 65.98.83.115 (AS25653), which is in the US.
[Details]
1. ASP and ASP.NET websites are injected with the following script (text is here):
2. Contents of urchin.js is as seen below; full text is here.
3. The above script decodes to the following:
Here is a text version of the above decoded script.
4. The above script generates an iframe to www3.strongdefenseiz.in, which gives an HTTP 302 redirect to the exploit server at www2.safetosecurity.rr.nu.
Malvertising lifecycle case study 1--OpenX compromise on speedtest.net, spreading Security Sphere 2012 fake antivirus
Posted by: Wayne Huang on 10.10.2011 / Categories: Drive-by download, fake antivirus, HackAlert, malvertising, openx, Web malware
(Credits: Wayne Huang, Chris Hsiao, NightCola Lin)
Incident: SpeedTest.net, ranked 541 on Alexa with 8,141,777 unique visitors and 10,177,221 page views per month, fell victim to malvertising and was spreading the "Security Sphere 2012" fake antivirus to its visitors. By simply navigating to the website, visitors with outdated browsing environments (browser or browser plugins such as Java, Adobe Flash, Adobe PDF Reader, etc) will end up with Security Sphere permanently installed inside their systems.
Malware: By claiming that every application "has been infected by malware and cannot be executed," Security Sphere 2012 basically locks down the infected computer until the victim purchases a "license" for it to "clean up the infections."
Cause: SpeedTest.net runs its own online advertisement platform using OpenX, using the domain ads.ookla.com. The attackers have compromised this OpenX platform and injected a malicious iframe into every ad served. We have a video of how visitors are infected:
Malware Lifecycle: Initially, the detection rate on VirusTotal was 0 out of 43:
The malware detects common VMs (virtual machines) and will not execute inside a VM or sandbox. This helps it avoid detection.
Below is a timeline of the malware lifecycle. We missed some submission windows, so the timeline isn't 100% accurate, but it gives a good idea:
2011-09-XX 00:00 UTC Initial injection into SpeedTest.net and other websites
(Antivirus companies do not have this particular malware sample and therefore no one is detecting it; we don't know how long this period was)
2011-09-30 09:23 UTC 0 / 43, we first submitted the sample to VirusTotal. Because all 43 participating antivirus vendors are in partnership with VirusTotal, they should all have this sample once we've submitted it.
2011-09-30 11:00 UTC 2 / 43, Kaspersky, NOD32
2011-09-30 15:00 UTC 3 / 43, Dr. Web
2011-09-30 19:00 UTC 7 / 43, Comodo, Emsisoft, Microsoft, Panda
2011-09-30 23:00 UTC 9 / 43, AVG, Symantec
2011-10-01 03:00 UTC 14 / 43, BitDefender, F-Secure, GData, PCTools, SUPERAntiSpyware
2011-10-01 07:00 UTC 14 / 43,
2011-10-01 11:00 UTC 17 / 43, Avast, McAfee, VIPRE
2011-10-01 15:00 UTC 17 / 43,
2011-10-01 19:00 UTC 22 / 43, Ahn-Lab-V3, Ikarus, K7AntiVirus, McAfee-GW-Edition, Sophos
2011-10-01 23:00 UTC 22 / 43,
2011-10-02 03:00 UTC 22 / 43,
2011-10-02 07:00 UTC 22 / 43,
2011-10-02 11:00 UTC 22 / 43,
2011-10-02 15:00 UTC 22 / 43,
2011-10-02 19:00 UTC 22 / 43,
2011-10-02 23:00 UTC 22 / 43,
2011-10-03 03:00 UTC 22 / 43,
2011-10-03 07:00 UTC 22 / 43,
2011-10-03 11:00 UTC 30 / 43, AntiVir, Antiy-AVL, CAT-QuickHeal, Emsisoft, TheHacker, TrendMicro, TrendMicro-HouseCall, VirusBuster
2011-10-03 15:00 UTC 30 / 43,
2011-10-03 19:00 UTC 31 / 43, nProtect
2011-10-03 23:00 UTC 31 / 43,
2011-10-04 03:00 UTC 31 / 43,
2011-10-04 07:00 UTC 31 / 43,
2011-10-04 11:00 UTC 31 / 43,
2011-10-04 15:00 UTC 31 / 43,
2011-10-04 19:00 UTC 31 / 43,
2011-10-04 23:00 UTC 31 / 43,
2011-10-05 03:00 UTC 31 / 43,
2011-10-05 07:00 UTC 31 / 43,
2011-10-05 11:00 UTC 32 / 43, eTrust-Vet
2011-10-05 15:00 UTC 32 / 43,
2011-10-05 19:00 UTC 32 / 43,
2011-10-05 23:00 UTC 32 / 43,
2011-10-06 03:00 UTC 32 / 43,
2011-10-06 07:00 UTC 32 / 43,
2011-10-06 11:00 UTC 33 / 43, Fortinet
2011-10-06 15:00 UTC 33 / 43,
2011-10-06 19:00 UTC 33 / 43,
2011-10-06 23:00 UTC 33 / 43,
2011-10-07 03:00 UTC 33 / 43,
2011-10-07 07:00 UTC 33 / 43,
2011-10-07 11:00 UTC 33 / 43,
2011-10-07 15:00 UTC 33 / 43,
2011-10-07 19:00 UTC 33 / 43,
2011-10-07 23:00 UTC 33 / 43,
2011-10-08 03:00 UTC 33 / 43,
2011-10-08 07:00 UTC 33 / 43,
2011-10-08 11:00 UTC 33 / 43,
2011-10-08 15:00 UTC 33 / 43,
2011-10-08 19:00 UTC 33 / 43,
2011-10-08 23:00 UTC 33 / 43,
2011-10-09 03:00 UTC 33 / 43,
2011-10-09 07:00 UTC 33 / 43,
2011-10-09 11:00 UTC 33 / 43,
2011-10-09 15:00 UTC 33 / 43,
2011-10-09 19:00 UTC 34 / 43, Jiangmin
2011-10-09 23:00 UTC 34 / 43,
Still not detecting: ByteHero, ClamAV, Commtouch, eSafe, F-Prot, Prevx, Rising, VBA32, ViRobot
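The timeline above is the evidence behind the claim that signature detection ramps quickly and then plateaus. As an added example (not the post's own tooling), the following parses rows in the timeline's own format and computes time-to-detection and plateau figures; the row subset embedded below is copied from the timeline, and the thresholds and helper names are assumptions.

```python
import re
from datetime import datetime, timezone

# One timeline row: "<date> <time> UTC <detected> / <total>, <vendors added>"
ROW_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) UTC (\d+)\s*/\s*(\d+),\s*(.*)$")

# Rows copied from the post's timeline. Rows on which the count did not change
# were thinned out; that does not affect the figures below, which only depend
# on the rows where the count increased.
TIMELINE = """\
2011-09-30 09:23 UTC 0 / 43,
2011-09-30 11:00 UTC 2 / 43, Kaspersky, NOD32
2011-09-30 15:00 UTC 3 / 43, Dr. Web
2011-09-30 19:00 UTC 7 / 43, Comodo, Emsisoft, Microsoft, Panda
2011-09-30 23:00 UTC 9 / 43, AVG, Symantec
2011-10-01 03:00 UTC 14 / 43, BitDefender, F-Secure, GData, PCTools, SUPERAntiSpyware
2011-10-01 07:00 UTC 14 / 43,
2011-10-01 11:00 UTC 17 / 43, Avast, McAfee, VIPRE
2011-10-01 19:00 UTC 22 / 43, Ahn-Lab-V3, Ikarus, K7AntiVirus, McAfee-GW-Edition, Sophos
2011-10-03 11:00 UTC 30 / 43, AntiVir, Antiy-AVL, CAT-QuickHeal, Emsisoft, TheHacker, TrendMicro, TrendMicro-HouseCall, VirusBuster
2011-10-03 19:00 UTC 31 / 43, nProtect
2011-10-05 11:00 UTC 32 / 43, eTrust-Vet
2011-10-06 11:00 UTC 33 / 43, Fortinet
2011-10-09 19:00 UTC 34 / 43, Jiangmin
2011-10-09 23:00 UTC 34 / 43,
"""


def parse_timeline(text):
    """Turn timeline rows into dicts sorted by timestamp; non-matching lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)
        vendors = [v.strip() for v in m.group(4).split(",") if v.strip()]
        rows.append({"ts": ts, "detected": int(m.group(2)),
                     "total": int(m.group(3)), "vendors": vendors})
    rows.sort(key=lambda r: r["ts"])
    return rows


def hours_between(a, b):
    return round((b - a).total_seconds() / 3600, 2)


def hours_to_reach(rows, fraction):
    """Hours after the first submission until detected/total >= fraction, or None if never."""
    if not rows:
        return None
    start = rows[0]["ts"]
    for r in rows:
        if r["detected"] / r["total"] >= fraction:
            return hours_between(start, r["ts"])
    return None


def detection_events(rows):
    """Rows on which the detection count differs from the previous row."""
    events, prev = [], None
    for r in rows:
        if prev is None or r["detected"] != prev:
            events.append(r)
            prev = r["detected"]
    return events


def longest_plateau(rows):
    """(hours, count): the longest stretch between two consecutive count changes."""
    events = detection_events(rows)
    best = (0.0, None)
    for a, b in zip(events, events[1:]):
        span = hours_between(a["ts"], b["ts"])
        if span > best[0]:
            best = (span, a["detected"])
    return best


def vendors_in_order(rows):
    """Vendor names in the order the timeline first credits them (no repeats)."""
    seen, out = set(), []
    for r in detection_events(rows):
        for v in r["vendors"]:
            if v not in seen:
                seen.add(v)
                out.append(v)
    return out


def summarize(text, fractions=(0.5, 0.75)):
    rows = parse_timeline(text)
    plateau_hours, plateau_count = longest_plateau(rows)
    return {
        "submitted": rows[0]["ts"].isoformat(),
        "final": f'{rows[-1]["detected"]} / {rows[-1]["total"]}',
        "hours_to_reach": {f: hours_to_reach(rows, f) for f in fractions},
        "longest_plateau_hours": plateau_hours,
        "longest_plateau_count": plateau_count,
        "first_detectors": vendors_in_order(rows)[:3],
    }


if __name__ == "__main__":
    for k, v in summarize(TIMELINE).items():
        print(f"{k}: {v}")
```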
Mass WordPress infection ongoing--most malicious domains using changeip.com
Posted by: Wayne Huang on 10.09.2011 / Categories: Drive-by download, HackAlert, Mass Injection, WordPress
mysql.com hacked, infecting visitors with malware
(Credit: Wayne Huang, Chris Hsiao, NightCola Lin)
Our HackAlert 24x7 Website malware monitoring platform today indicated that mysql.com has been hacked and is currently serving malware. The highlighted section of the above screenshot is the injected script. Below is a video showing how visitors are infected when navigating to the site:
[Infection Chain]
Step 1: http://www.mysql.com
Causes the visiting browser to load the following:
Step 2: http://mysql.com/common/js/s_code_remote.js?ver=20091011
This is the injection point. The entire content of the above .js file can be found here.
The injected section is shown in the above screenshot. The decoded version is as follows:
The text version is available here. This script generates an iframe to Step 3.
Step 3: http://falosfax.in/info/in.cgi?5&ab_iframe=1&ab_badtraffic=1&antibot_hash=1255098964&ur=1&HTTP_REFERER=http://mysql.com/
Throws out a 302 redirect to Step 4.
Step 4: http://truruhfhqnviaosdpruejeslsuy.cx.cc/main.php
This domain hosts the BlackHole exploit pack. It exploits the visitor's browsing platform (the browser, the browser plugins like Adobe Flash, Adobe PDF, etc, Java, ...), and upon successful exploitation, permanently installs a piece of malware into the visitor's machine, without the visitor's knowledge. The visitor doesn't need to click or agree to anything; simply visiting mysql.com with a vulnerable browsing platform will result in an infection.
Currently, 4 out of 44 vendors on VirusTotal can detect this piece of malware.
[The Attacker]
We don't know much at this point. The following is the information we have on the associated malicious domains.
falosfax.in (Step 3)
Address: 212.95.63.201
Location: Germany / Berlin
Created On: 20-Jun-2011 13:17:05 UTC
Sponsoring Registrar: Transecute Solutions Pvt. Ltd. (R120-AFIN)
Registrant Name: CHRISTOPHER J KLEIN
Registrant Street1: 7880 SW 132 STREET
Registrant City: MIAMI
Registrant State/Province: Florida
Registrant Postal Code: 33156
Registrant Country: US
Registrant Phone: +1.3053771635
Registrant Email: cjklein54@yahoo.com
Admin ID: TS_14483505
Admin Name: CHRISTOPHER J KLEIN
Admin Organization: N/A
Admin Street1: 7880 SW 132 STREET
Admin Street2:
Admin Street3:
Admin City: MIAMI
Admin State/Province: Florida
Admin Postal Code: 33156
Admin Country: US
Admin Phone: +1.3053771635
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email: cjklein54@yahoo.com
Tech Email: cjklein54@yahoo.com
Name Server: NS1.SKYNS1.NET
Name Server: NS2.SKYNS1.NET
truruhfhqnviaosdpruejeslsuy.cx.cc (Step 4)
Address: 46.16.233.108
Location: Sweden / Stockholm
As of now, the mysql.com website is still serving this exploit and malware.
We're in the process of contacting mysql.com. If anyone has contacts there, please drop us an email at wayne@armorize.com
PS: Armorize is hiring presales in the bay area: http://www.linkedin.com/jobs/post?displayJobStatus=&jobId=1910971&split_page=1
Malvertising on Yahoo YieldManager, spreading ransomware acting as Federal German Police (BKA)--Help solve the puzzle!
Posted by: Wayne Huang on 8.31.2011 / Categories: Drive-by download, ransomware, malvertising, Web malware
Help us solve the puzzle!
(credits: Wayne Huang, Chris Hsiao, NightCola Lin)
Over the past few days, our HackAlert scanning farm has repeatedly detected malvertising on Yahoo YieldManager (RightMedia). Since YieldManager is one of the world's largest ad networks, websites worldwide, big and small, have all been hit. Fortunately, the exploit server is only serving the malware to German visitors.
In the video below, we demonstrate how Ziddu was hit and ended up serving this German ransomware to its visitors. According to CheckSiteTraffic.com, Ziddu enjoys 1,492,133 page views and 364,825 unique visitors per day.
The malware pretends to be a crime-detection software from the Federal German Police. It claims to have found child pornography along with other illegal content on the victim's computer. It claims that the victim's IP, OS, location, ISP, etc, have all been recorded, and locks down the computer completely, "to prevent further abuse."
A fine of 100 Euros must be paid within 24 hours to unlock the computer, or else all data will be deleted. We are in the process of informing all parties involved. This is our report.
(Above: ziddu.com hit by malvertising on Yahoo YieldManager (RightMedia))
(Above: Even Japanese sites were hit)
(Above: The installed ransomware--acting as Federal German Police (BKA))
Below is our video report:
Table of contents
[Summary]
[Attack Trace]
[Malvertising Analysis--The Puzzle]
[The Malware]
[Summary]
Incident type: Malvertising
Incident subtype: Drive-by download, ransomware
Responsible ad network: Yahoo YieldManager (RightMedia)
Affected websites: Websites worldwide, large and small, including very large ones like ziddu.com. Ziddu, for example, has 1,492,133 page views and 364,825 unique visitors per day.
Affected visitors: German visitors only
Fake advertiser: kineticgames.info
Exploit server: BlackHole exploit pack running on town.incredibleoutcomes.com
Malicious domains:
kineticgames.info (184.172.216.234, ASN 36351, US Dallas)
sahoreen.in (184.172.216.234, ASN 36351, US Dallas)
belygaur.in (184.172.216.234, ASN 36351, US Dallas)
town.incredibleoutcomes.com (195.200.90.129, ASN 35524, Ukraine)
bundespol.net (188.229.97.2, ASN 44872, Romania)
Associated names and emails:
einzahlung@bundespol.net
Vasiliy Pushkin, vasili006@gmail.com
Piotr Pushkin, pppiotr88@gmail.com
[Attack Trace]
Using ziddu.com as an example.
Link 1: (Publisher)
Ziddu's website includes the following ad tag:
<IFRAME FRAMEBORDER=0 MARGINWIDTH=0 MARGINHEIGHT=0 SCROLLING=NO WIDTH=728 HEIGHT=90 SRC="http://ad.globe7.com/st?ad_type=iframe&ad_size=728x90&section=836122"></IFRAME>
Link 2: (Ad Network) http://ad.globe7.com/st?ad_type=iframe&ad_size=728x90&section=836122 is loaded, which contains javascript that generates an iframe to:
Link 3: (Ad Network) http://ad.globe7.com/imp?Z=728x90&s=836122&_salt=2314211323&B=10&u=http%3A%2F%2Fwww.ziddu.com%2F&r=0, which throws back an HTTP 302 redirect to:
Link 4: (Ad Network) http://ad.yieldmanager.com/imp?Z=728x90&s=836122&_salt=2314211323&B=10&u=http%3A%2F%2Fwww.ziddu.com%2F&r=0, which contains javascript that generates an iframe to:
Link 5: (Ad Network) http://ad.globe7.com/iframe3?2YA.ABrCDABgVKUAAAAAAMWJKAAAAAAAAgAEAAYAAAAAAP8AAAACBvPdGQAAAAAAIrsPAAAAAACYIzUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABZlQYAAAAAAAIAAwAAAAAAASuHFtnOtz8BK4cW2c63PwErhxbZzsc.ASuHFtnOxz8zMzMzMzPTPzMzMzMzM9M.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACkuxJPXfCjCqRit3MeuQtEnvXOi1a6Cp0X0hsNAAAAAA==,,http%3A%2F%2Fwww.ziddu.com%2F,B%3D10%26Z%3D728x90%26_salt%3D2314211323%26r%3D0%26s%3D836122,a5451910-d1f1-11e0-906f-87d5341e0e89, which throws an HTTP 302 redirect to:
Link 6: (Ad Network) http://ad.yieldmanager.com/iframe3?2YA.ABrCDABgVKUAAAAAAMWJKAAAAAAAAgAEAAYAAAAAAP8AAAACBvPdGQAAAAAAIrsPAAAAAACYIzUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABZlQYAAAAAAAIAAwAAAAAAASuHFtnOtz8BK4cW2c63PwErhxbZzsc.ASuHFtnOxz8zMzMzMzPTPzMzMzMzM9M.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACkuxJPXfCjCqRit3MeuQtEnvXOi1a6Cp0X0hsNAAAAAA==,,http%3A%2F%2Fwww.ziddu.com%2F,B%3D10%26Z%3D728x90%26_salt%3D2314211323%26r%3D0%26s%3D836122,a5451910-d1f1-11e0-906f-87d5341e0e89, which contains javascript that a) displays the malicious ad, and b) generates an iframe to the exploit server. Note that the iframe URL ends in .jpg as a disguise, so that it looks less suspicious.
(full copy-able text can be found on snipt here)
Link 7-a: (Fake Advertiser, Creative) http://kineticgames.info/images/728x90-1-1.gif, which is the actual malicious creative (malvertisement).
Link 7-b: (Fake Advertiser, malicious script) http://kineticgames.info/pubage/728x90.jpg, which, although the URL ends in .jpg, actually serves HTML containing an iframe pointing to:
Link 8: (Malicious redirector) http://sahoreen.in/hitcounter.php?u=pubage, which contains an iframe pointing to:
Link 9: (Malicious redirector) http://belygaur.in/ts/in.cgi?pubage, which throws an HTTP 302 redirect pointing to the exploit server:
Link 10: (Exploit server) http://town.incredibleoutcomes.com/index.php?tp=7058439543afabcf, which serves the BlackHole exploit pack. This is not a malicious domain registered by the attacker, but a legitimate domain that has been compromised.
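Both the mysql.com infection chain and the ad-network chain above are sequences of HTTP 302 redirects and iframe hops that end at an exploit server, with one hop disguised as an image. The Python script below is an added example (not Armorize's HackAlert code) of how a defender can reconstruct such a chain from recorded HTTP transactions and raise the findings that matter: cross-site hops, hidden iframes, and image-named URLs that serve HTML. The sample capture reuses the URLs of Links 7-b to 10; the response bodies and headers are constructed for the example. The analyzer only sees static iframes and Location headers, so a script-generated iframe like the one in the mysql.com case would need a rendering sandbox to surface.

```python
"""Offline drive-by redirect-chain analyzer (added example, not HackAlert code)."""
import re
from dataclasses import dataclass, field
from urllib.parse import urljoin, urlsplit

IFRAME_RE = re.compile(r'<iframe\b([^>]*)>', re.I)
ATTR_RE = re.compile(r'([a-zA-Z_-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))')
IMAGE_EXT = ('.jpg', '.jpeg', '.gif', '.png')


@dataclass
class Transaction:
    """One recorded HTTP exchange, as a crawler sandbox would capture it."""
    url: str
    status: int
    headers: dict
    body: str = ''


@dataclass
class Report:
    edges: list = field(default_factory=list)     # (from_url, to_url, how)
    findings: list = field(default_factory=list)
    order: list = field(default_factory=list)     # URLs in visiting order


def site(url):
    """Registrable domain, crudely: the last two labels (real code: use the PSL)."""
    host = (urlsplit(url).hostname or '').lower()
    parts = host.split('.')
    return '.'.join(parts[-2:]) if len(parts) > 2 else host


def iframe_targets(base_url, html):
    """Yield (absolute src, hidden) for each <iframe> in html."""
    for m in IFRAME_RE.finditer(html):
        attrs = {}
        for name, dq, sq, bare in ATTR_RE.findall(m.group(1)):
            attrs[name.lower()] = dq or sq or bare
        src = attrs.get('src')
        if not src:
            continue
        style = attrs.get('style', '').replace(' ', '').lower()
        hidden = 'display:none' in style or 'visibility:hidden' in style
        for dim in ('width', 'height'):      # 1x1 or 0x0 frames are invisible
            val = attrs.get(dim, '').rstrip('px')
            if val.isdigit() and int(val) <= 1:
                hidden = True
        yield urljoin(base_url, src), hidden


def looks_like_html(body):
    head = body.lstrip()[:1024].lower()
    return any(tag in head for tag in ('<!doctype html', '<html', '<iframe', '<script', '<body'))


def header(t, name):
    for k, v in t.headers.items():
        if k.lower() == name.lower():
            return v
    return None


def analyze(transactions, start_url, max_nodes=50):
    """Breadth-first walk over Location headers and iframe src attributes."""
    by_url = {t.url: t for t in transactions}
    report = Report()
    queue, seen = [start_url], set()
    while queue and len(seen) < max_nodes:
        url = queue.pop(0)
        if url in seen:
            continue
        seen.add(url)
        report.order.append(url)
        t = by_url.get(url)
        if t is None:
            report.findings.append(f'no capture for {url}')
            continue
        if urlsplit(url).path.lower().endswith(IMAGE_EXT) and looks_like_html(t.body):
            report.findings.append(f'image-named URL serves HTML: {url}')
        nexts = []
        loc = header(t, 'Location')
        if 300 <= t.status < 400 and loc:
            nexts.append((urljoin(url, loc), f'{t.status} redirect'))
        else:
            for target, hidden in iframe_targets(url, t.body):
                nexts.append((target, 'iframe'))
                if hidden:
                    report.findings.append(f'hidden iframe on {url} -> {target}')
        for nxt, how in nexts:
            report.edges.append((url, nxt, how))
            if site(nxt) != site(url):
                report.findings.append(f'cross-site hop {site(url)} -> {site(nxt)}')
            queue.append(nxt)
    return report


def sites_visited(report):
    out = []
    for u in report.order:
        if site(u) not in out:
            out.append(site(u))
    return out


# Constructed capture modelled on Links 7-b to 10; only the URLs come from the report,
# the bodies and headers are made up for this example.
SAMPLE = [
    Transaction('http://kineticgames.info/pubage/728x90.jpg', 200, {'Content-Type': 'text/html'},
                '<html><body><iframe src="http://sahoreen.in/hitcounter.php?u=pubage" '
                'width="1" height="1" frameborder="0"></iframe></body></html>'),
    Transaction('http://sahoreen.in/hitcounter.php?u=pubage', 200, {'Content-Type': 'text/html'},
                '<iframe src="http://belygaur.in/ts/in.cgi?pubage" style="display: none"></iframe>'),
    Transaction('http://belygaur.in/ts/in.cgi?pubage', 302,
                {'Location': 'http://town.incredibleoutcomes.com/index.php?tp=7058439543afabcf'}),
    Transaction('http://town.incredibleoutcomes.com/index.php?tp=7058439543afabcf', 200,
                {'Content-Type': 'text/html'}, '<html><body>landing page (placeholder)</body></html>'),
]

if __name__ == '__main__':
    r = analyze(SAMPLE, SAMPLE[0].url)
    for a, b, how in r.edges:
        print(f'{a}\n  --[{how}]--> {b}')
    print('\n'.join(r.findings))
```

The walk is breadth-first rather than following only the first iframe, because a malicious creative and the legitimate ad often sit side by side in one response; the registrable-domain comparison is what separates ordinary ad-network hops from the jump onto attacker infrastructure.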
[Malvertising Analysis--The Puzzle]
Below are some causes of malvertising:
a) The attacker pretends to be a legitimate advertiser, submits a malicious ad (malvertisement) to an ad network, and tricks the ad network into accepting the submission.
b) The ad network was compromised, and the attacker injected malicious scripts into a link in the ad-serving chain.
So which case is this? For this particular incident, it was a bit difficult for us to determine.
At first glance, it seems to be case (a), because the advertiser in this case--kineticgames.info (184.172.216.234, ASN 36351, US Dallas)--has a whois record with a Russian name and street address, yet uses a US IP and an Indian domain name for its name server (ns1.plumdook.in).
HOWEVER, the domain was registered on Aug 9th, 2010, a year ago, and from the screenshot below you can see that it seems to be quite a legitimate website:
Compared to many malvertising incidents we've studied, most fake domains will have been registered very recently and will either not have any website content, or will have content illegally mirrored (copied) from other websites.
This doesn't seem to be the case. So, is it case (b), where kineticgames.info is indeed a legitimate website, but has been compromised to serve malvertisements?
Seems reasonable, but only until we look at the other associated malicious domains. These are:
sahoreen.in (184.172.216.234, ASN 36351, US Dallas)
belygaur.in (184.172.216.234, ASN 36351, US Dallas)
These two domains were both created very recently, on the same day--July 7th, 2011. The whois records show the registrant to be "Piotr Poshkin," which resembles kineticgames.info's current "Vasiliy Pushkin." Furthermore, the phone number, street address, and zip codes are exactly the same as kineticgames.info's.
Kineticgames.info actually has a sister domain name: kinetic-games.com, registered on the same day last year (Aug 9th, 2010) and serving the same content. Both were initially registered under Bob Stevenson of Spain. Then, on July 14th and July 17th, 2011, kinetic-games.com and kineticgames.info were respectively transferred to the current contact (according to whois records), "Vasiliy Pushkin" of Russia.
Could it be that the new owner is intentionally running malvertising through these domains and the website, because the identity appears legitimate?
Or could it be that none of this matters, and that kineticgames.info has simply been hacked, with the attackers using it to submit the malvertisement and intentionally registering the malicious redirector domains sahoreen.in and belygaur.in with whois records that resemble kineticgames.info's?
Finally, two additional pieces of important information. First, according to the Internet Archive (Wayback Machine), as of Jan 28th, 2011, kinetic-games.com had no actual website content--the owner was just holding the domain to sell as a premium domain:
Second, as of now, the website contains lots of vulnerabilities. It should be quite easy for someone to hack into both websites.
So what's the deal here?
We cannot make a conclusion right here. Perhaps the reader can help solve the puzzle?
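The reasoning above pivots on registrant attributes (shared phone number, street address and zip code, a shared hosting IP) and on timing (domains created or transferred weeks before the incident). The Python script below is an added example, not tooling from the article, that automates that pivot over parsed whois data: it clusters domains that share two or more identical attributes and flags domains registered or transferred shortly before the incident date. The IPs, dates and the kineticgames.info name server are taken from the report; the phone, street and zip values are constructed placeholders, since the article states they match but does not print them.

```python
"""Registrant-attribute pivoting across whois records (added example)."""
from collections import defaultdict
from datetime import date, timedelta
from itertools import combinations

PIVOT_FIELDS = ('phone', 'street', 'zip', 'ip', 'ns')
INCIDENT_DATE = date(2011, 8, 31)   # date of this report


def shared_attributes(a, b):
    """Pivot fields that are present in both records and identical."""
    return [f for f in PIVOT_FIELDS if a.get(f) and a.get(f) == b.get(f)]


def link_domains(records, min_shared=2):
    """Cluster domains connected by >= min_shared identical attributes (union-find)."""
    parent = {r['domain']: r['domain'] for r in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    evidence = {}
    for a, b in combinations(records, 2):
        shared = shared_attributes(a, b)
        if len(shared) >= min_shared:
            evidence[(a['domain'], b['domain'])] = shared
            parent[find(a['domain'])] = find(b['domain'])
    clusters = defaultdict(list)
    for r in records:
        clusters[find(r['domain'])].append(r['domain'])
    return [sorted(c) for c in clusters.values()], evidence


def age_flags(records, incident, fresh_days=60):
    """Flag domains created or transferred within fresh_days before the incident."""
    flags = {}
    for r in records:
        reasons = []
        for key, label in (('created', 'registered'), ('transferred', 'ownership changed')):
            d = r.get(key)
            if d and timedelta(0) <= incident - d <= timedelta(days=fresh_days):
                reasons.append(f'{label} {(incident - d).days} days before incident')
        if reasons:
            flags[r['domain']] = reasons
    return flags


# Sample records: IPs, dates and the kineticgames.info name server are from the
# article; PHONE-A/STREET-A/ZIP-A are constructed placeholders for the matching
# contact details the article describes but does not reproduce.
SAMPLE_RECORDS = [
    {'domain': 'kineticgames.info', 'ip': '184.172.216.234', 'ns': 'ns1.plumdook.in',
     'created': date(2010, 8, 9), 'transferred': date(2011, 7, 17),
     'phone': 'PHONE-A', 'street': 'STREET-A', 'zip': 'ZIP-A'},
    {'domain': 'sahoreen.in', 'ip': '184.172.216.234', 'created': date(2011, 7, 7),
     'phone': 'PHONE-A', 'street': 'STREET-A', 'zip': 'ZIP-A'},
    {'domain': 'belygaur.in', 'ip': '184.172.216.234', 'created': date(2011, 7, 7),
     'phone': 'PHONE-A', 'street': 'STREET-A', 'zip': 'ZIP-A'},
    # Compromised legitimate host and the ransom e-mail domain: contact details unknown.
    {'domain': 'town.incredibleoutcomes.com', 'ip': '195.200.90.129'},
    {'domain': 'bundespol.net', 'ip': '188.229.97.2'},
]

if __name__ == '__main__':
    clusters, evidence = link_domains(SAMPLE_RECORDS)
    for c in clusters:
        print('cluster:', ', '.join(c))
    for (a, b), shared in evidence.items():
        print(f'  {a} <-> {b}: shared {shared}')
    for domain, reasons in age_flags(SAMPLE_RECORDS, INCIDENT_DATE).items():
        print(f'{domain}: {"; ".join(reasons)}')
```

Requiring two shared attributes keeps a single coincidence (one shared hosting IP at a large provider) from linking unrelated domains; the registrant transfer is tracked separately from creation because, as in this case, an old domain with a brand-new owner is as suspicious as a brand-new domain.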
[The Malware]
The malware pretends to be crime-detection software from the Federal German Police. As you can see in the screenshot above, it uses a logo stolen from the real Federal German Police (Bundespolizei). It claims to have found child pornography along with other illegal content on the victim's computer. It claims that the victim's IP, OS, location, ISP, etc, have all been recorded, and locks down the computer completely, "to prevent further abuse."
A fine of 100 Euros must be paid within 24 hours to unlock the computer, or else all data will be deleted. We are in the process of informing all parties involved. This is our report.
This family of ransomware has been around for a few months already, but improvements seen in this version include:
a) They now have an email address, "einzahlung@bundespol.net", that somewhat resembles the Federal German Police's, which uses "@bundespolizei.de". The domain was registered through Bizcn.com, a registrar in China.
b) They now support two payment gateways, UKash and paysafecard.
Below is a translation of the text:
Attention!
Illegal operational activities have been detected. Based on laws of the Federal Republic of Germany, the system has been locked. The following legal violation has been detected: Your IP _______ was detected to have visited pages containing pornography, child pornography, bestiality and violence against children. At the same time, your computer has been identified to contain video files involving pornography, violence, and child pornography content! Furthermore, spam emails containing terrorism content were also sent from here. Your computer is therefore locked in order to eliminate the above illegal activities.
Your details:
IP, location, OS, ISP, etc.
In order to unlock this computer, you are obligated by law to pay a 100 Euro fine. You must make the payment within 24 hours. If payment has not been made within the allotted time, your hard disk will be irreversibly formatted.
1) Payment via Ukash:
To perform the transaction, please enter your purchased voucher code into the payment textbox and press OK. In case of errors, you should email your code to einzahlung@bundespol.net.
2) Payment via paysafecard:
Please input the code into the payment textbox and press OK. In case of errors, you should email your code to einzahlung@bundespol.net.