A cunning way to deliver malware

Potentially unwanted programs, also known as PUPs, continue to be a real nuisance. A recent blog post by Will Dormann on CERT.org shows the prevalence of such applications lurking on every corner of the web: search engine results, software portals, pop-ups, ads, etc.

Deceptive tactics

Here is an example of an unwanted warning pushed as a pop-up:

[Image: pop-up warning]

The text reads: “UPDATED RECOMMENDED! It is recommended that you install the software to ensure your browser is the latest version. Please update to continue.”

The following page shows that our browser (Internet Explorer) may be out of date and urges us to download a program to check for outdated software.

[Image: fake browser update download page]

It is worth noting that this webpage was totally unsolicited and is in fact very misleading. The disclaimer hiding at the bottom of the page reveals more about what this is all about:

UpdateNowPro.com is distributing Software Updater. Air Installer is an install manager that will manage the installation of the selected software. In addition to managing the installation of your selected software, this install manager will make recommendations for additional free software that you may be interested in. Additional software may include toolbars, browser add-ons, game applications, anti-virus applications and other types of applications. You are not required to install any additional software to receive your selected software. You can completely remove the program at any time in Windows ‘Add/Remove Programs’. At the time of downloading you accept the Terms and Privacy Policy.

In other words, the program they want you to download bundles other applications, something we know all too well.

Attempting to close the page brings up yet another warning:

[Image: warning shown when trying to close the page]

We could argue with advertisers that these practices are not okay until we are blue in the face. But here’s the catch with this one: while the page is telling us our system could be at risk, we are silently being infected through a drive-by download!

From PUP to exploit kit

The following Fiddler (web debugger) capture was recorded on: 2014-06-30 18:30 PT. It shows how bad guys leverage large infrastructures to hide malicious redirections behind potentially unwanted programs.

[Screenshot: Fiddler capture, 2014-06-30 18:30:51]

hxxp://rvzr-a.akamaihd.net/sd/apps/fusionx/0.0.4.html?aff=1700-1043
hxxp://www.likemagicbox.com/fusionx/www/delivery/afr.php?zoneid=486&cb=6065978317
hxxp://classic.flowershopprescott.com/assets/js/jquery-1.3.1.min.js?ver=1.27.8660
hxxp://draft.traveltube.biz/d36c829bovoym7.html

Some users are redirected to an exploit kit while at the same time receiving the same software update page. This is a very sneaky attack involving many actors, with rotating domain names to make identification harder (click to enlarge):

[Image: redirection chain diagram]

The domain likemagicbox.com illustrated in this case was registered on 2014-06-30, the same day it started being used in this malware campaign: this is no simple coincidence!

Traffic analysis

The first URL on akamaihd.net has an external JavaScript inclusion:

[Screenshot 1: external JavaScript inclusion in the akamaihd.net page]

The JavaScript contains a convoluted variable that has various identifiers corresponding to the type of ad and the geolocation of the visitor. More importantly, we see the iFrame redirecting to an abused/complicit server:

[Screenshot 2: obfuscated variable and iframe redirect]

Once on this URL there are a couple of different ad redirections (note the Yahoo advert too!). And there is this interesting code snippet:

if(document.cookie.indexOf("_epel")==-1){var page_object=document.createElement("iframe");

This checks the user’s computer for a cookie called _epel and only if it does not exist will it allow the creation of a secondary (malicious) iframe. To prevent the same user from getting redirected to it again, another little piece of code creates the aforementioned cookie before exiting:

document.cookie = "_epel=readed";

[Screenshot 3: cookie check and iframe creation]
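An added example (not code from the original post or from the captured page): a small static check that flags the cookie-gated iframe pattern described above and tells an analyst which cookie to clear before replaying the capture, since a second visit with the marker cookie present shows no malicious iframe. The regular expressions, function names and the two sample scripts are this example's own constructions.

```javascript
// Added example (not from the original post or the captured page): flag scripts
// that skip iframe creation once a marker cookie exists, as the captured snippet does.

// Captures the cookie name in:  document.cookie.indexOf("name")==-1
const COOKIE_GATE = /document\.cookie\.indexOf\(\s*["']([^"']+)["']\s*\)\s*==\s*-1/;
// Matches:  document.createElement("iframe")
const IFRAME_CREATE = /createElement\(\s*["']iframe["']\s*\)/;
// Captures the cookie name in:  document.cookie = "name=value..."
const COOKIE_SET = /document\.cookie\s*=\s*["']([^=;"']+)=/;

function analyzeScript(src) {
  const gate = COOKIE_GATE.exec(src);
  const set = COOKIE_SET.exec(src);
  const createsIframe = IFRAME_CREATE.test(src);
  return {
    gatedOnCookie: gate ? gate[1] : null, // cookie whose absence enables the branch
    createsIframe,
    setsCookie: set ? set[1] : null,      // marker cookie written afterwards
    // Verdict: iframe creation that is skipped once a marker cookie exists.
    cookieGatedIframe: Boolean(gate) && createsIframe,
  };
}

// Cookies an analyst must delete before a second visit reproduces the redirect.
function cookiesToClearBeforeReplay(src) {
  const r = analyzeScript(src);
  return r.cookieGatedIframe ? [r.gatedOnCookie] : [];
}

// Constructed sample modelled on the captured snippet shown above.
const GATED_SAMPLE =
  'if(document.cookie.indexOf("_epel")==-1){var page_object=document.createElement("iframe");' +
  'document.cookie="_epel=readed; path=/";}';
// Constructed benign sample: a cookie check with no iframe behind it.
const BENIGN_SAMPLE =
  'if(document.cookie.indexOf("seen_banner")==-1){showBanner();document.cookie="seen_banner=1";}';

console.log(analyzeScript(GATED_SAMPLE), cookiesToClearBeforeReplay(GATED_SAMPLE));
```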

This dynamically created iframe is rotated every hour using a simple sub-domain generation algorithm (DGA) with alphabetically sorted keywords:

URL,Date,Registrant
co.TOASTEDROOSTERCAFE.COM,Thu Jul 3 13:04,Robert Maynard
coa.TOASTEDROOSTERCAFE.NET,Thu Jul 3 14:03,Robert Maynard
coas.TOASTGUYS.COM,Thu Jul 3 15:04,Robert Maynard
coach.TOASTHOUSE.COM,Thu Jul 3 16:06,?
coaches.TOASTHOUSEMARKET.COM,Thu Jul 3 17:02,Robert Maynard
coaching.TOASTKITCHEN.COM,Thu Jul 3 18:17,Robert Maynard
coal.TOASTMARKET.COM,Thu Jul 3 19:22,Robert Maynard
coals.TSTKITCHEN.COM,Thu Jul 3 20:12,?
coast.2NDAMENDMENTVOTERS.COM,Thu Jul 3 21:07,?
coastal.2NDAMENDMENTVOTERS.ORG,Thu Jul 3 22:02,?
coat.AIMINSINC.INFO,Thu Jul 3 23:07,Kurt Grashaw
coating.AMERICANBROTHERSINARM.COM,Fri Jul 4 00:07,Kurt Grashaw
coatings.ANALEHSHOW.COM,Fri Jul 4 01:12,Kurt Grashaw
cobra.CCNAXUSCONSTRUCTION.COM,Fri Jul 4 02:02,Kurt Grashaw
coc.GRANBYSOCCER.COM,Fri Jul 4 03:12,Kurt Grashaw
cock.LOOKINGTOVOLUNTEER.ORG,Fri Jul 4 04:02,Kurt Grashaw

Many of these root domains belong to the same people, as if the bad guys were enumerating compromised accounts.

Malicious iframes are inserted within jQuery (a very popular JavaScript library) files such as:

{subdomain.domain}/assets/js/jquery-1.3.1.min.js?ver=1.27.8660

After the URL has been used for an hour, it is discarded and the subdomain no longer responds.
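An added example (not from the original post) that checks the three observations made about this rotation against the table above: parse the sightings, measure the interval between consecutive subdomains (hourly rotation gives values near 60 minutes), list any adjacent labels that break plain lexicographic order (the keyword list is near-alphabetical rather than strictly sorted), and group the root domains by registrant. The rows are copied from the table; the parsing and check functions are this example's own assumptions.

```javascript
// Added example (not from the original post). Rows are copied from the table
// above; the parsing and checks are this example's own assumptions.
const CAPTURE = `co.TOASTEDROOSTERCAFE.COM,Thu Jul 3 13:04,Robert Maynard
coa.TOASTEDROOSTERCAFE.NET,Thu Jul 3 14:03,Robert Maynard
coas.TOASTGUYS.COM,Thu Jul 3 15:04,Robert Maynard
coach.TOASTHOUSE.COM,Thu Jul 3 16:06,?
coaches.TOASTHOUSEMARKET.COM,Thu Jul 3 17:02,Robert Maynard
coaching.TOASTKITCHEN.COM,Thu Jul 3 18:17,Robert Maynard
coal.TOASTMARKET.COM,Thu Jul 3 19:22,Robert Maynard
coals.TSTKITCHEN.COM,Thu Jul 3 20:12,?
coast.2NDAMENDMENTVOTERS.COM,Thu Jul 3 21:07,?
coastal.2NDAMENDMENTVOTERS.ORG,Thu Jul 3 22:02,?
coat.AIMINSINC.INFO,Thu Jul 3 23:07,Kurt Grashaw
coating.AMERICANBROTHERSINARM.COM,Fri Jul 4 00:07,Kurt Grashaw
coatings.ANALEHSHOW.COM,Fri Jul 4 01:12,Kurt Grashaw
cobra.CCNAXUSCONSTRUCTION.COM,Fri Jul 4 02:02,Kurt Grashaw
coc.GRANBYSOCCER.COM,Fri Jul 4 03:12,Kurt Grashaw
cock.LOOKINGTOVOLUNTEER.ORG,Fri Jul 4 04:02,Kurt Grashaw`;

// One row per sighting: subdomain label, root domain, minutes into the month, registrant.
function parseRows(csv) {
  return csv.trim().split("\n").map((line) => {
    const [url, date, registrant] = line.split(",");
    const [label, ...rest] = url.split(".");
    const m = /^\w+ \w+ (\d+) (\d+):(\d+)$/.exec(date); // e.g. "Thu Jul 3 13:04"
    const minutes = Number(m[1]) * 1440 + Number(m[2]) * 60 + Number(m[3]);
    return { label: label.toLowerCase(), root: rest.join(".").toLowerCase(), minutes, registrant };
  });
}

// Minutes between consecutive sightings; an hourly rotation gives values near 60.
function rotationGapsMinutes(rows) {
  return rows.slice(1).map((row, i) => row.minutes - rows[i].minutes);
}

// Adjacent label pairs that break plain lexicographic order.
function outOfOrderLabels(rows) {
  const pairs = [];
  for (let i = 1; i < rows.length; i++) if (rows[i].label < rows[i - 1].label) pairs.push([rows[i - 1].label, rows[i].label]);
  return pairs;
}

// Root domains grouped by registrant, the clustering the post points at.
function rootsByRegistrant(rows) {
  const groups = {};
  for (const row of rows) (groups[row.registrant] = groups[row.registrant] || []).push(row.root);
  return groups;
}
```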

[Screenshot 4: expired subdomain no longer responding]

You may have recognized the URL for the landing page of the Nuclear Pack exploit kit:

[Screenshot 5: Nuclear Pack landing page URL]

The page loads a Java exploit (CVE-2013-2465?):

[Screenshot: Java exploit request]

and a Flash exploit (CVE-2014-0515?):

[Screenshot: Flash (SWF) exploit request]

Two malware payloads are subsequently dropped (#1, #2), detected as Spyware.Zbot.VXGen by Malwarebytes Anti-Malware.

Parting thoughts

Earlier recorded events with a similar redirection method date back to May 2014 as documented in this security blog.

Malwarebytes is tough on PUPs and we show no mercy for exploits or malware.

We have reported this incident to Akamai’s Abuse department so that they can take immediate action against these bad actors.

@jeromesegura


5 thoughts on “A cunning way to deliver malware”

  1. Brandon Anderson says on July 11, 2014 at 2:34 pm :

    I just wanted to thank you guys regarding PUPs. When it comes to Malware if you include Adware and Spyware nobody was paying extra attention to PUPs. I have Avast, I had to turn up the PUP sensitivity which is set to medium on default and does a mediocre job.

    I also have Malwarebytes Premium which I got in 2008. Malwarebytes is my go to tool for PUPs. I love the strict guidelines and you’re the only one on the market I know that is.

    When I give PC advice, I tell people to try Malwarebytes for cleaning up. The PUP problem is a bigger and more common problem. When PUPs pile up it becomes a performance problem. So I recommend Avast and Malwarebytes as they work together great.

    While in school I did a power point presentation on PUPs. I was actually quite frustrated how bad it was and nobody treated it like Malware. In my lab I created a couple virtual machines and infested them with everything I could. I used Virus Total to go find my Malware along with my “Potentially Unwanted Programs”. I used trial versions of different anti-viruses and analyzed detection and cleanup. Malwarebytes nailed 100% of PUPs and did a better cleanup job.

    I always check my dialogue screens when installing software. You’d be surprised how many install crap without giving you option/telling you. Thanks guys :)

  2. Jérôme Segura says on July 11, 2014 at 2:44 pm :

    Hi Brandon Anderson,

    Thanks for the comment. We appreciate your loyalty and are glad you share the same vision regarding PUPs.

    Have a great day!

  3. Peter Parker says on July 12, 2014 at 7:40 pm :

    I’m thinking that for a PowerPoint presentation that’s coming up, about doing it on computer viruses and malware. Any viruses or malware that might be interesting to do or suggest? Leave a reply for me.

  4. Brandon Anderson says on July 13, 2014 at 3:54 pm :

    Cryptolocker and all its variants. FBI Ransomware all its similar variants.

    Zeus Trojan and all its variants.

  5. Jérôme Segura says on July 14, 2014 at 9:25 pm :

    These are good suggestions Brandon :)
