Malvertising on KickAssTorrents (kat.ph) , OpenX compromised to serve fake anti-virus "Security Sphere 2012"

(Credits: Wayne Huang, Chris Hsiao, NightCola Lin)

Yesterday our HackAlert website malware monitoring service told us that KickAssTorrents (kat.ph), ranked 321 globally on Alexa with more than 1.5 million unique visitors per month, is serving malware to all of its visitors via malvertising. Below is a video showing how visitors are infected:


Coincidentally, KickAss Torrents published a blog post on Oct 10th in response to the website being flagged by antivirus vendor Avast. In it they said:
===================
Our users that are using the Avast anti-virus might have noticed that KAT.ph suddenly became labeled as a dangerous website for users that are not logged in. We want to assure our users that KickassTorrents has no malware or viruses of any kind and it is absolutely safe to use our website. We already contacted Avast and currently we are trying to find and fix the cause of this problem. You will help us if you choose the "Report the file as a false positive" option if you get the alert.
===================

In another thread, KickAss Torrents said:

===================
Now what the hell does this error mean?
First of all, don't flip out, don't go post on the KAT site, post down here if you experience the same problem.
Secondly, report down here if you experience this error.
Thirdly, add kat.ph to the safe URLs in your AV.
And lastly, please go to this site and report the problem (Avast! users only):
Avast! forum thread
Back on topic. What is this error? Does error roughly means that your anti-virus software has found some bad code in an iFrame. This could be from the site itself, or from advertisements. An iFrame is a piece of code that allows you to do several things. Embedding something to your site is a good example.
I hope this topic helps a little and I certainly hope the error is going to be fixed now.
Q&A:
Q: OMFG IS KAT HACKED?
A: Nope, just some error.
Q: Is it really safe to visit KAT?
A: Yes, it is.
===================

KickAss Torrents also referred to this discussion thread on Avast's forum. At the end of the forum it appears that Avast has acknowledged that it was indeed a false positive and have addressed the issue:

===================
Hello,

It should be solved, if not let us know please.

Miroslav Jenšík
AVAST Software a.s.
===================

Well, that time it might have been a false positive from Avast, but this time the website is absolutely infecting its visitors, as seen in our video.

[Summary]

Here we summarize characteristics worth noting:

1. High traffic website compromised.
2. Malvertising via compromising KickAssTorrents' OpenX platform.
3. Spreading fake antivirus "Security Sphere 2012" by conducting a drive-by download process. Simply navigating to the website with an outdated browsing platform will result in infection. No clicks necessary (see video).
4. Same attackers responsible for the recent speedtest.net incident.
5. Using DynDNS domains for their exploit server.
6. Domain names are auto-calculated using Javascript. The algorithm used generates a (predicable) different dyndns.tv domain name every hour, in the format of roboABCD.tv, where ABCD are characters with a fixed seed and incremented by one character every different UTC hour.
7. The new dyndns domain for the next hour is generated every hour precisely at minutes 2 to 5, so this may be done by an automated mechanism.
8. Initial antivirus detection rates are very low, from 0 to 2 vendors out of 43 on VirusTotal.
9. All generated domains resolve to a single IP: 184.22.224.154 (AS21788, United States Scranton Network Operations Center Inc), located in the US.
10. The domain: obama-president.com resolves to this IP and is serving the same exploit pack. This domain was registered on Aug 4th through an Russian registrar, 1'ST DOMAIN NAME SERVICE www.1dns.ru. At this time the domain resolved to an Netherlands IP 85.17.93.9. The domain started to resolve to 184.22.224.154 on Aug 23rd. This IP and the president-obama.com domain are both currently still up and working.

[Details]

KickAssTorrents serves its ads via its OpenX installation at ad.kat.ph. This platform has been compromised and made to serve browser exploits. In our video, this URL:

http://ad.kat.ph/delivery/ajs.php?zoneid=4&target=_blank&charset=UTF-8&cb=95920847237&charset=UTF-8&loc=http%3A//www.kat.ph/§ion=1939940

was injected with malicious javascript. In the following code snippet, the highlighted sections are the injected part. Note the code isn't just a few lines of "injection"--the code is merged with the original OpenX html code:


The following is the important parts of the decoded version:

From line 29-41, we can see that the function spelled() generates four characters based on the current hour in UTC. From line 18 we can see how this function is called: var gyrally = spelled(String("robo"), new String(".dynd" + "ns.tvmg7j".substr(0, 5)));

Antivirus detection of the dropped and installed malicious binary was 2 out of 42 vendors on VirusTotal.

And finally, here's a screenshot of the installed fake antivirus Security Sphere 2012:

29 comments:

Jason D.Seimesi said...

The domain names are "roboABCD.dyndns.tv". Two I've seen are "roborira.dyndns.tv" and "robonenw.dyndns.tv".

Jason D.Seimesi said...

roboslud.dyndns.tv/cgi-bin/counter?index=2&length=8.0&found=MSIE&forum=us&page_name=2966696

Sa said...

Well i just got, a denied acces to kat.ph from esset nod 32 antivirus

Poweruser75 said...

same here from nod32... this sucks... i love that site! i do hope they figure it out soon...

Poweruser75 said...

does anyone know what's being done about this? why is kat.ph saying it's site is safe?!?! does anyone know when things will be back to normal?

Cesar R. said...

thank you wayne huang for this clear and very informative video. 

Fucku said...

yup it was about time before my nod32 blocked this site. Hope they fix this problem asap.

bakaohki said...

nice analysis, thanks - I too love fiddler, it saved me countless of hours of debugging.

Wayne Huang said...

Hi Jason, yes and so roborira should have been found four hours after robonenw: n->r, e->i, n->r, w->a ;)

Miggscrptr said...

ESET Smart Security 5 Blocked this website. *-.-

FEB-ibig Zulla said...

same here

domain registration india said...

Amazing blog, I am regular visitor of this website, keep up the good work.

cheap domain registration said...

Nice blog. I will keep visiting this blog very often.

Dj^Kingreefa said...

all i did was add kat.ph to nod32 and apply, and that was it. now works fine again.

vistasecurity 2012 virus said...

Just want to report recent virus with KAT.  I've been using KAT for years successfully, and love the site.  BUT during the last week I've gotten hit with a nasty version of the virus that appears every time I log onto site.  

web hosting in india said...

I am pleased to have read some of them on your blog.

Forum hosting said...

Really i feel very happy to visit your blog,because i will get more information in your article,thanks for sharing.

viagra blog said...

I use avst, nod i think suks))

Best web Hosting said...

The website is amazing, I have a look at out it continually and always has interesting information. Considered and very well-organized.

Register Domain Name said...

Great reading I really loved reading your blog. Thanks to sharing

commercial loans said...

Thanks, for very interesting post. I have a high regard for the valuable information
you offer in your articles.

loan rates said...

Nice information, I would like to appreciate your good work and also would like to encourage you to keep it up.

Best forum hosting said...

Thanks for sharing this information,really its very interesting and informative to me.

sildenafil said...

This is really great post and I love watch mr bean show

commercial loan interest rates said...

I am visiting your site for a past one month. I feel happy by reading these blogs. These blogs are very much useful for news   bb

glycoflex said...

This article is very interesting for me. I learned a lot new. Write more.
 

business loans said...

I am very happy to read this post..Thanks for giving us nice info. Fantastic walk-through. I appreciate this post.
I am visiting your site for a past one month.

ecommerce development said...

This is very valuable information.I found out this site to be specific ,informative and attractive too.Thanks for sharing.

outsourcing websites said...

I always appreciate someone who imparts knowledge, and so today i m also doing the same..i m pretty impressed by the useful & knowledgeable stuff..

Post a Comment