OFFICIAL SECURITY BLOG

Sub-domain on SourceForge redirects to Flash Pack Exploit Kit

August 25, 2014 | BY Jérôme Segura

We have talked about SourceForge before on this blog, in particular when they were associated with bundled software.

This time around, we are going to take a look at a malicious sub-domain hosted on SourceForge that serves as the first hop of a drive-by download attack.

Redirection overview

[Screenshot: Fiddler trace of the redirection chain]

The first redirection is located within a JavaScript file:

hxxp://ydoqux.sourceforge.net/isoochamernd.js

[Screenshot: isoochamernd.js redirecting to stat-count.dnsdynamic.com]

This calls out to stat-count.dnsdynamic.com, a domain previously identified as a source of malicious activity. This instance is no different:

[Screenshot: redirection from stat-count.dnsdynamic.com to the exploit kit]

You may recognize the landing URL of the Flash Pack Exploit Kit. What follows is an interesting series of redirections; here is the flow:

hxxp://yi4dtvjlvfvos6ffvnxxklf.alobakkal.net/index.php?w=anM9MSZuc29sbHZpej1qdmRhY2FoJnRpbWU9MTQwODI1MDE1NDI5NzcyNDgyNiZzcmM9MjIwJnN1cmw9YW50aWRvci5uZXQmc3BvcnQ9ODAma2V5PTgxQkZCQUJFJnN1cmk9L2FkL3NvdXJjZWZvcmdlL2FkXzA5Ny8xNTkyMDE0NjYv
hxxp://yi4dtvjlvfvos6ffvnxxklf622053f032259300cb84bd8aa84eae65a.alobakkal.net/index2.php
hxxp://yi4dtvjlvfvos6ffvnxxklf.alobakkal.net/coder/index.php
hxxp://yi4dtvjlvfvos6ffvnxxklf.alobakkal.net/coder/js/swfobject.js
hxxp://yi4dtvjlvfvos6ffvnxxklf.alobakkal.net/coder/client_do.swf

The last URL is a Flash file (VT detection here).
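The w= parameter on the landing URL is plain base64 wrapping a second query string, so the kit's own tracking fields can be read off without any key. The script below is an added example for this write-up, not code from the original post or from the Malwarebytes analysis: it refangs the URL, decodes w= and parses the result. The decoded field names are exactly what the data contains; what they mean is inferred from the names only, and treating the 19-digit time field as a Unix timestamp with sub-second digits is an assumption labelled as such in the code.

```python
import base64
from datetime import datetime, timezone
from urllib.parse import unquote, urlsplit

# Landing URL copied from the redirection flow above, still defanged with "hxxp".
LANDING_URL = (
    "hxxp://yi4dtvjlvfvos6ffvnxxklf.alobakkal.net/index.php?w="
    "anM9MSZuc29sbHZpej1qdmRhY2FoJnRpbWU9MTQwODI1MDE1NDI5NzcyNDgyNiZzcmM9MjIwJnN1cmw9"
    "YW50aWRvci5uZXQmc3BvcnQ9ODAma2V5PTgxQkZCQUJFJnN1cmk9L2FkL3NvdXJjZWZvcmdlL2FkXzA5Ny8xNTkyMDE0NjYv"
)


def refang(url: str) -> str:
    """Turn the hxxp:// notation used in the write-up back into a parseable URL."""
    return url.replace("hxxp://", "http://", 1).replace("hxxps://", "https://", 1)


def split_query(qs: str) -> dict:
    """Split a query string into a dict by hand. parse_qsl() would turn '+' into a
    space, and '+' is part of the standard base64 alphabet, so it is avoided here."""
    out = {}
    for pair in qs.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        out[unquote(key)] = unquote(value)
    return out


def b64decode_lenient(s: str) -> bytes:
    """Decode standard or URL-safe base64 and restore any padding the sender dropped."""
    s = s.strip().replace("-", "+").replace("_", "/")
    s += "=" * (-len(s) % 4)
    return base64.b64decode(s, validate=True)


def decode_w_param(url: str) -> dict:
    """Extract w= from the landing URL, base64-decode it and parse the decoded
    bytes as a second, inner query string."""
    outer = split_query(urlsplit(refang(url)).query)
    inner = b64decode_lenient(outer["w"]).decode("ascii", errors="replace")
    return split_query(inner)


def timestamp_from_field(value: str) -> datetime:
    """Assumption (not stated in the write-up): the 19-digit time field is a Unix
    timestamp with sub-second digits appended, so the first 10 digits are seconds."""
    return datetime.fromtimestamp(int(value[:10]), tz=timezone.utc)


if __name__ == "__main__":
    fields = decode_w_param(LANDING_URL)
    for key, value in fields.items():
        print(f"{key:>10} = {value}")
    print("time field as UTC:", timestamp_from_field(fields["time"]).isoformat())
```

Run against the landing URL above this yields js=1, nsollviz=jvdacah, time=1408250154297724826, src=220, surl=antidor.net, sport=80, key=81BFBABE and suri=/ad/sourceforge/ad_097/159201466/. The surl and suri fields look like the host and path of the referring page, which is consistent with the kit recording where each visitor was sent from; that reading, like the timestamp one, is an inference from the field names rather than something the kit documents.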

[Screenshot: ByteArray]

Another redirection caught our attention:

hxxp://5.45.74.48/coder/gate.php?id=0oPDPAPoP6PDPAPoodjd6SPDPdojProdPrPPo6j0djdi0dPkPAodj0djdi0dP0ojPDPPjdd6ddjd0oPDPAP6Prooodji0L0ijd0o6D6Ajidkdkjtd0jtd0didjjtdkd6dPjddkdid0d0jddod6djjdP0PA

Flash

The Flash file uses peculiar names for its classes:

[Screenshot: Flash view]

Payload

hxxp://pikistude.mol-hit.com/coder/loadfla0515.php

The payload (VT results) is detected by Malwarebytes Anti-Malware as Trojan.Agent.ED.

The video below shows the exploit happening and getting blocked by our Malwarebytes Anti-Exploit:

We have spotted similar redirections to the Flash Pack exploit kit on other popular sites as well. Whether it is part of a larger campaign is hard to say, but it is particularly active at the moment.

Drive-by download attacks are one of the leading vectors for malware infections. Legitimate websites often fall victim to malicious injections that hijack incoming traffic and send it to booby-trapped pages. Within seconds, an unpatched computer can be infected with a nasty piece of malware.

On top of keeping your computer up to date and running the latest versions of antivirus and anti-malware software, adding a layer of protection against exploits greatly reduces the attack surface the bad guys are banking on.

@jeromesegura



  • Travolta-fied_name

    “… adding an additional layer of protection against exploits greatly reduces the attack surface the bad guys are banking on.”

    Amen to that, nice write up. Installing MBA-Exploit in 5… 4…3… :)

  • Heath Bothell

    Will MBAE FREE protect me from stuff like that on other pages?

  • Jérôme Segura

    MBAM free is mainly to clean infections after the fact. The Premium version will prevent malware from getting onto the system.

  • Jérôme Segura

    Thanks.

  • Travolta-fied_name

    You’re welcome. Just installed MBA-Exploit Free… how do the program’s definitions get updated, or is that only available in the premium (paid) version?

  • Jérôme Segura

    Every now and again, the program may prompt you for a global update (enhancements, bug fixes) but Anti-Exploit does not rely on signatures like traditional antivirus programs. So once you install it you’re good to go!

    The free version protects you from all types of web based drive-by downloads and Java applets.
    The premium adds protection for additional programs such as Word, Excel etc… but those are typically sent as spear phishing or spam, rather than delivered via a compromised site.

  • Jacob Moorman

    The referenced project (ydoqux) has been purged by the SourceForge Team. I’m not aware that this issue was escalated to us prior to publication. Contact info for reporting (should you find issues in the future) is available at: http://sourceforge.net/security/

  • Jérôme Segura

    Hi Jacob,

    Thanks for that. There were earlier reports of the same attack on this blog: http://malware-traffic-analysis.net/2014/08/11/index.html

    Are these ones taken care of?

    Will bookmark that sourceforge link for future reference. Thanks again!

  • Travolta-fied_name

    Ahh, I see thank you for the excellent info/description… so the program starts at Windows boot not in fact when launching a “protected” browser (as confirmed by Autoruns)…I only just now noticed the icon in systray.

  • Jacob Moorman

    Those have been handled now as well. I appreciate the heads-up!

  • Jérôme Segura

    The program starts with Windows loading and stays there. If you show the program interface, you will notice that it will say, when a new process has been launched, that this process is now protected (typically your browser).
    That’s something I like about this product, it protects you without bloating your machine or without annoying messages. The only time it will pop up is when an exploit has been blocked, which is always good to know! :-)

  • Heath Bothell

    So that means it would clean up after infection and nothing would be there?

  • Heath Bothell

    Also, what is cmd.exe? I got blocked from an exploit when I clicked "open texturepack folder" in Minecraft.
