Friday, September 14, 2007

U.S Consulate St. Petersburg Serving Malware

If that's not a pattern and good timing, it's a malicious anomaly. On the 31 of August, 2007, Bank of India was serving malware courtesy of the Russian Business Network. This week, evidence that the U.S Consulate in St. Petersburg, Russia was serving malware to its visitors proved to be true. The web site is now clean, but assessing the IFRAME-ed URLs used in the attack is possible as they're still reachable. It's still unknown for long the IFRAMEs remain embedded at the Consulate's web site, as well as when were they cleaned, but the attack was still active on the 2nd of September, 2007, just two days after Bank of India's malware attack. It's also worth mentioning that compared to the most recent malware embedded attacks which had the IFRAMEs directly embedded within, in this one the IFRAME itself is obfuscated but the live exploit URL isn't.


Tipped by a third-party, Sophos managed to locate the exact URL by deobfuscating the rather simple URL obfuscation, and Fraser Howard posted some interesting details at their blog :

"The purpose of the attacks is to infect victims with Trojans from the two attack sites. As discussed in a recent paper, the increased use of automation to continually re-encrypt/pack/obfuscate the Trojans highlights the need for good generic detection technology. A system to continuously monitor these files in order to maintain detection is essential. So, to answer the question of whether the U.S. Consulate General site was specifically targeted in this attack - my answer is no, probably not. The prevalence of other much smaller sites compromised in exactly the same way (in just seven days worth of data) suggests that the hackers just happened to have caught a big fish as they trawled for vulnerable servers. It just goes to show that security is important on all machines hosting both small and large websites."

We could greatly expand those as a matter of fact. The IFRAME used leads us to verymonkey.com/goof/index.php (209.123.181.185) and verymonkey.com/test/index.php which is exploiting a modified MDAC, and aims to execute the following binary Virus.Win32.Zapchast.DA :

Detection rate : Result: 6/32 (18.75%)
AntiVir 2007.09.14 DR/Delphi.Gen
AVG 2007.09.14 Obfustat.NPJ
eSafe 2007.09.13 Suspicious Trojan/Worm
Ikarus 2007.09.14 Virus.Win32.Zapchast.DA
VirusBuster 2007.09.13 Trojan.Agent.JVF
Webwasher-Gateway 2007.09.14 Trojan.Delphi.Gen

File size: 28672 bytes
MD5: a25ad0045d195016690b299bfb8b75d1
SHA1: ab219c50b0adc84f702c696797e81411b6eab596

Is this obfuscated IFRAME-ing a fad or a trend? I think it's a trend since IFRAME-ing to a secondary domain taking advantage of popular web malware exploitation techniques is already rated as suspicious by security vendors, and Google themselves warning you that "this site may harm your computer", and so they ought to win time. Moreover, such obfuscations are making it harder to assess how many sites and which ones exactly were victims of the attack in an OSINT manner. It gets even more interesting, the IP hosting verymonkey.com was historically used to host banksoffscotland.co.uk scam web site in March this year. In case you wonder, it's not the RBN that's behind this malware embedded attack, but let's say it's a subsidiary of the RBN.