The combination of the recent RealPlayer exploit and MDAC is a fad, but the very same is getting embraced in the short-term by malicious parties in China that have also started combining the Internet Explorer VML Download and Execute Exploit (MS07-004), thanks to recent localized forum postings on modifying the third exploit. Let's assess several sample domains.8v8.biz/ms07004.htm (58.53.128.98) is such a domain that's serving a combination of these starting with Exploit-MS07-004 :
Result: 12/32 (37.5%)
File size: 3432 bytes
MD5: bafab9b8e38527e9830047fd66b39532
SHA1: b81abcf63a2c4bcf43526f28aec20fca2f58d67c
8v8.biz/1.htm - MDAC also loads 8v8.biz/06014.html in between 8v8.biz/r.htm - real player unobfuscated, wheere all of these attempt to load 8v8.biz/v.exe - Worm.Win32.AutoRun.bkx; Win32/Cekar!generic
Result: 27/31 (87.10%)
File size: 19501 bytes
MD5: 7b101f7baeae0ebab9ecc06fdb9542dc
SHA1: 36ffa50ce3873fb04c13c80421c205a7760f47ca
The binary is using a default set of known executables of anti malware products, and is installing a default debugger injected upon execution of any of these, and is therefore successfully killing many of the applications.
Another exploit serving domain with a very diverse set of exploits used, but again serving the faddish RealPlayer plus MDAC combination is uc147.com (218.107.216.85) :
uc147.com/test/MS07004.htm
uc147.com/test/PPs.htm
uc147.com/test/biaxing06014.Htm
uc147.com/test/index.htm
uc147.com/test/Click_here.html
uc147.com/test/PPLIVE.htm
uc147.com/test/Thunder.html
uc147.com/test/bf.htm
uc147.com/test/Open.htm
uc147.com/test/ms06014.htm
uc147.com/test/jetAudio%207.x.htm
where all are trying to load uc147.com/zy.exe :
Result: 24/32 (75%)
File size: 15456 bytes
MD5: 3a0804d8e12706e97cdda6aa4f50ef5f
SHA1: cfd2f158a658dc0d8618c35806b94008b4fb1c0f
The third domain is great example of what's an emerging trend rather than a fad, namely the use of comprehensive multiple IFRAMES loading campaigns. qx13.cn/3.htm (61.174.61.94) (IE COM CreateObject Code Execution (MS06-042) which loads sp.070808.net/23.htm, (75.126.3.218) where the following try to load as well :
sp.070808.net/in.htm
wc.070808.net/37.htm
az.sbb22.com/hh.htm
um.uuzzvv.com/uu.htm
fa.55189.net
acc.jqxx.org/40.htm
ktv.mm5208.com/25.htm
Two other IFRAMES within within qx13.cn/3.htm, w.aeaer.com/ae.htm (75.126.3.216) loads the same IFRAMES, and qi.ccbtv.net/btv.htm (66.90.79.138) again loads the same IFRAMEs. It gets even more complicated and the ecosystem more comprehensive as the secondary IFRAMEs logically load many others such as :
68yu.cn/s29.htm
ermei.loveyoushipin.com/pic/9041.htm
yun.yun878.com/web/6619038.htm
ppp.749571.com/ww/new82.htm
2.xks08.com/dm1.htm?60
ad.2365.us/110
The more complicated and dynamic these IFRAME-ing attacks get, the higher the campaign's lifecycle becomes, making it harder the determine where's the weakest link, and making it easier for the malicious parties to evaluate which node needs a boost by including new domains spread across different netblocks like this case.
No comments:
Post a Comment