Yesterday our HackAlert website malware monitoring service told us that KickAssTorrents (kat.ph), ranked 321 globally on Alexa with more than 1.5 million unique visitors per month, is serving malware to all of its visitors via malvertising. Below is a video showing how visitors are infected:
Coincidentally, KickAss Torrents published a blog post on Oct 10th in response to the website being flagged by antivirus vendor Avast. In it they said:
===================
Our users that are using the Avast anti-virus might have noticed that KAT.ph suddenly became labeled as a dangerous website for users that are not logged in. We want to assure our users that KickassTorrents has no malware or viruses of any kind and it is absolutely safe to use our website. We already contacted Avast and currently we are trying to find and fix the cause of this problem. You will help us if you choose the "Report the file as a false positive" option if you get the alert.
===================
In another thread, KickAss Torrents said:
===================
Now what the hell does this error mean?
First of all, don't flip out, don't go post on the KAT site, post down here if you experience the same problem.
Secondly, report down here if you experience this error.
Thirdly, add kat.ph to the safe URLs in your AV.
And lastly, please go to this site and report the problem (Avast! users only):
Avast! forum thread
Back on topic. What is this error? Does error roughly means that your anti-virus software has found some bad code in an iFrame. This could be from the site itself, or from advertisements. An iFrame is a piece of code that allows you to do several things. Embedding something to your site is a good example.
I hope this topic helps a little and I certainly hope the error is going to be fixed now.
Q&A:
Q: OMFG IS KAT HACKED?
A: Nope, just some error.
Q: Is it really safe to visit KAT?
A: Yes, it is.
===================
KickAss Torrents also referred to this discussion thread on Avast's forum. At the end of the forum it appears that Avast has acknowledged that it was indeed a false positive and have addressed the issue:
===================
Hello,
It should be solved, if not let us know please.
Miroslav Jenšík
AVAST Software a.s.
===================
Well, that time it might have been a false positive from Avast, but this time the website is absolutely infecting its visitors, as seen in our video.
[Summary]
Here we summarize characteristics worth noting:
1. High traffic website compromised.
2. Malvertising via compromising KickAssTorrents' OpenX platform.
3. Spreading fake antivirus "Security Sphere 2012" by conducting a drive-by download process. Simply navigating to the website with an outdated browsing platform will result in infection. No clicks necessary (see video).
4. Same attackers responsible for the recent speedtest.net incident.
5. Using DynDNS domains for their exploit server.
6. Domain names are auto-calculated using Javascript. The algorithm used generates a (predicable) different dyndns.tv domain name every hour, in the format of roboABCD.tv, where ABCD are characters with a fixed seed and incremented by one character every different UTC hour.
7. The new dyndns domain for the next hour is generated every hour precisely at minutes 2 to 5, so this may be done by an automated mechanism.
8. Initial antivirus detection rates are very low, from 0 to 2 vendors out of 43 on VirusTotal.
9. All generated domains resolve to a single IP: 184.22.224.154 (AS21788, United States Scranton Network Operations Center Inc), located in the US.
10. The domain: obama-president.com resolves to this IP and is serving the same exploit pack. This domain was registered on Aug 4th through an Russian registrar, 1'ST DOMAIN NAME SERVICE www.1dns.ru. At this time the domain resolved to an Netherlands IP 85.17.93.9. The domain started to resolve to 184.22.224.154 on Aug 23rd. This IP and the president-obama.com domain are both currently still up and working.
[Details]
KickAssTorrents serves its ads via its OpenX installation at ad.kat.ph. This platform has been compromised and made to serve browser exploits. In our video, this URL:
http://ad.kat.ph/delivery/ajs.php?zoneid=4&target=_blank&charset=UTF-8&cb=95920847237&charset=UTF-8&loc=http%3A//www.kat.ph/§ion=1939940
was injected with malicious javascript. In the following code snippet, the highlighted sections are the injected part. Note the code isn't just a few lines of "injection"--the code is merged with the original OpenX html code:
The following is the important parts of the decoded version:
From line 29-41, we can see that the function spelled() generates four characters based on the current hour in UTC. From line 18 we can see how this function is called: var gyrally = spelled(String("robo"), new String(".dynd" + "ns.tvmg7j".substr(0, 5)));
Antivirus detection of the dropped and installed malicious binary was 2 out of 42 vendors on VirusTotal.
And finally, here's a screenshot of the installed fake antivirus Security Sphere 2012:
Share this: | 
|
Posts
29 comments:
The domain names are "roboABCD.dyndns.tv". Two I've seen are "roborira.dyndns.tv" and "robonenw.dyndns.tv".
roboslud.dyndns.tv/cgi-bin/counter?index=2&length=8.0&found=MSIE&forum=us&page_name=2966696
Well i just got, a denied acces to kat.ph from esset nod 32 antivirus
same here from nod32... this sucks... i love that site! i do hope they figure it out soon...
does anyone know what's being done about this? why is kat.ph saying it's site is safe?!?! does anyone know when things will be back to normal?
thank you wayne huang for this clear and very informative video.
yup it was about time before my nod32 blocked this site. Hope they fix this problem asap.
nice analysis, thanks - I too love fiddler, it saved me countless of hours of debugging.
Hi Jason, yes and so roborira should have been found four hours after robonenw: n->r, e->i, n->r, w->a ;)
ESET Smart Security 5 Blocked this website. *-.-
same here
Amazing blog, I am regular visitor of this website, keep up the good work.
Nice blog. I will keep visiting this blog very often.
all i did was add kat.ph to nod32 and apply, and that was it. now works fine again.
Just want to report recent virus with KAT. I've been using KAT for years successfully, and love the site. BUT during the last week I've gotten hit with a nasty version of the virus that appears every time I log onto site.
I am pleased to have read some of them on your blog.
Really i feel very happy to visit your blog,because i will get more information in your article,thanks for sharing.
I use avst, nod i think suks))
The website is amazing, I have a look at out it continually and always has interesting information. Considered and very well-organized.
Great reading I really loved reading your blog. Thanks to sharing
Thanks, for very interesting post. I have a high regard for the valuable information
you offer in your articles.
Nice information, I would like to appreciate your good work and also would like to encourage you to keep it up.
Thanks for sharing this information,really its very interesting and informative to me.
This is really great post and I love watch mr bean show
I am visiting your site for a past one month. I feel happy by reading these blogs. These blogs are very much useful for news bb
This article is very interesting for me. I learned a lot new. Write more.
I am very happy to read this post..Thanks for giving us nice info. Fantastic walk-through. I appreciate this post.
I am visiting your site for a past one month.
This is very valuable information.I found out this site to be specific ,informative and attractive too.Thanks for sharing.
I always appreciate someone who imparts knowledge, and so today i m also doing the same..i m pretty impressed by the useful & knowledgeable stuff..
Post a Comment