Categories

Exploits

A Tumblr of trouble

Like many other social networking sites, Tumblr is a hot spot for malware infections, spam and other security issues.

I thought this one was kind of interesting (out of the daily lot) because it disguises  itself as a legitimate JavaScript hosted under “static.tumblr.com“, a placeholder for all sorts of CSS, themes, and other content that can be directly linked to.

Without further ado, let’s jump right in and check out this URL: http://static.tumblr[dot]com/dds2p3m/lFlmxvjl0/ocewjqpv.js

iframe

The script above contains:

  1. variables
  2. a condition check
  3. an action

The main variable (agent) is defined by the userAgent property which returns the user’s operating system and browser versions. For example, on a Windows XP computer running Internet Explorer 8, we may get the following value:

User-agent header sent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)

The other variables (n, n2, n3) are subsets of agent, looking for the presence of certain strings such as “Tumblr”, “facebookexternalhit” and in particular where they appear (indexOf).

The condition check revolves around the -1 value, which would be returned if  the string searched for was not found.

if((n > -1) || (n2 > -1) || (n3 > -1)){     // the search for the strings returned a hit.
      do this;     // action #1
} else {
     do that;    // action #2
}

This checks if any of the three variables (n, n2, n3) are greater than -1, which is kind of a double negative here… (could simply have used an “equals”).

I can’t see how the userAgent could include those keywords, indicating that the result of this condition would always be “action #2″.

I can only think of using this check as a disguise but I may have overlooked something. If you have an idea, feel free to leave a comment at the bottom of this page.

Now let’s take a look at the action itself. It immediately jumps to mind that whoever wrote this piece wanted to ‘mask’ it by doing multiple “document.write” statements. We can concatenate all of them into a single document.write and show its content:

decoded

As you see, it’s a fair amount of work for a simple iframe… but perhaps it’s worth the trouble just to remain undercover. There are some good reasons for that, as we will see later on.

This URL throws a red flag right away with its “pw” country code top-level domain often associated with spam and malware. This one is no different as it is simply used as a redirect to yet another suspicious URL:

redir

Facebook.com? Not quite, it is just a smart disguise in a long enough domain name that once again ends with a .pw.

It turns out to be a phish for Facebook credentials (pardon the lack of graphics):

phish

As it happens, there’s more to it than a phishing scam. The webpage is stuffed with a rather interesting blurb at the very bottom of its source code:

phishloaded

To better understand what it does, we can ‘beautify’ the code:

scriptbeautified

We can see another iframe that is triggered so long as certain conditions are met:

  • user is new (no previous cookie stored on the PC)
  • operating system must be Windows
  • browser must be MSIE, Firefox or Opera
  • user must be real (i.e. not a bot or crawler)

A very unique cookie (expires in 2024!) is dropped after the page is viewed.

This time the iframe fires up a drive-by download (Nuclear EK):

exploitlanding

List of URLs involved:

http://rs10s1.landscaperbang[dot]pw/5892994-701_7d0162609M7_d5b6-b7a-0Hcbd_3V/6/ed9678f1bc90f85b7c845b8bc376f073.html
http://rs10s1.landscaperbang[dot]pw/2162814969/1387197720.pdf
http://rs10s1.landscaperbang[dot]pw/2162814969/1387197720.htm
http://rs10s1.landscaperbang[dot]pw/2162814969/1387197720.jar
http://rs10s1.landscaperbang[dot]pw/f/1387197720/2162814969/6
http://rs10s1.landscaperbang[dot]pw/f/1387197720/2162814969/2
http://rs10s1.landscaperbang[dot]pw/f/1387197720/2162814969/2/2

The payload is detected by Malwarebytes Anti-Malware as Trojan.Dorkbot.ED.

All in all, this was a pretty sneaky attack especially given the fact that the compromised website had multiple references to “static.tumblr.com” and only one of them was malicious:

capture

Social networking sites, and especially personal profile pages may contain malicious code which could silently infect your PC. To protect from such threats you can:

  • Keep your operating system, browser and plugins up-to-date.
  • Run an antivirus / anti-malware solution.
  • Mitigate zero day attacks by reducing your surface of attack (remove unnecessary plugins, software). Alternatively, you can also use Malwarebytes Anti-Exploit to thwart attempts that exploit software vulnerabilities.

Jerome Segura (@jeromesegura) is a senior security researcher at Malwarebytes.


2 thoughts on “A Tumblr of trouble

  1. Jason Cousins says on December 29, 2013 at 5:03 pm :

    Very nice! I came across this today wondering if there was a drive by in there. So if you are using chrome, the drive by will not activate?

  2. Jerome Segura says on December 29, 2013 at 5:58 pm :

    Chrome and as far as I know Firefox (latest version) will block Java applets from running if your Java version is outdated. So basically, running these browsers is safer than running and older IE (7, 8). As far as how secure the latest version of IE is, it’s debatable, but personally I would go with Chrome for better protection.

Leave a Reply

Subscribe to our YouTube Channel