Friday, September 28, 2007

Syrian Embassy in London Serving Malware

After Bank of India was serving malware in August, next to the U.S Consulate in St.Petersburg two days later in September, now the Syrian Embassy in London is the latest victim of a popular malware embedding attack which took place between the 21st and 24th of September. As obfuscating the IFRAMEs in order to make it harder for a security researcher to conduct CYBERINT is about to become a commodity with the feature implemented within the now commoditized malware kits, it's interesting to note that in this particular attack the attackers took advantage of different javascript obfuscations, and that once control of the domain was obtained, scam pages were uploaded on the embassy's server. The embassy had recently removed the malicious IFRAMEs, but the third one remains active acting as a counter for the malicious campaign.


Which domains act as infection vectors?

sicil.info/forum/index.php and sicil.info/g/index.php (203.121.79.71) using patched vulnerabilities exploited in the usual MPack style :

function setslice_exploit
function vml_exploit
function firefox_exploit
function firefox1_exploit
function wmplayer_exploit
function qtime_exploit
function yahoo_e
function winzip_exploit
function flash_exploit
function w2k_ex

0ki.ru/forum/index.php (80.91.191.224) where a WebAttacker launches several other exploits, and x12345.org/img/counter.php?out=1189360677 (66.36.243.97)


What are the malware authors trying to infect the visitors with?

A Banker Trojan with a low detection rate :

BitDefender 2007.09.28 BehavesLike:Win32.ProcessHijack
Ikarus 2007.09.28 Trojan.Delf.NEB
Microsoft 2007.09.28 PWS:Win32/Ldpinch.gen
Symantec 2007.09.28 Infostealer.Banker.C

98shd3.exe
File size: 65024 bytes
MD5: ef98a662c72e3227d5c4bb3465133040
SHA1: e5b9b216d77de977848f8791850c726b45fc18c2

Think malware authors were virtually satisfied to only have the visitors infected with the malware? Not at all. This is perhaps the first but definitely not the last time I see an embassy hosting pharmaceutical scam pages and ring tone ones. List of historically hosted scam pages :

syrianembassy.co.uk/news/lv/levitra-vs-viagra.htm
syrianembassy.co.uk/news/lv/buy-levitra.htm
syrianembassy.co.uk/news/rn/michael-jackson-ringtone.htm
syrianembassy.co.uk/news/xa/cheap-discount.htm-group.com-herbal-xanax-xnx.htm
syrianembassy.co.uk/news/rn/free-mp3-ringtone-maker.htm
syrianembassy.co.uk/news/xa/buy-site-xanax.htm
syrianembassy.co.uk/news/ph/37-5mg-phentermine.htm

UPDATE :
The folks at ScanSafe contacted me to point out that they've discovered the malware at the Syrian embassy on the 12th of August providing us with more insights on how long the attackers had access to the embassy's site. In ScanSafe's example, different malicious URLs (miron555.org/s/index.php) were rotated compared to the ones used during 21/24 of September. And given the embassy's site states it was last updated in 2005, cleaning it up and ensuring the attackers no longer have access to it may take a while.