Monday, March 10, 2008

Wired.com and History.com Getting RBN-ed

Monitoring last week's IFRAME injection attack at high page-ranked sites reveals a simple truth: persistent simplicity seems to work. The attack is still ongoing, this time successfully injecting a multitude of new domains into Wired Magazine's and History.com's search engines, which are again caching anything submitted, in particular unvalidated input. That lets the malicious parties, in the face of the RBN, introduce a new piece of malware in between the pharmaceutical scams they serve on the basis of an affiliate model. So, after "CNET stops IFRAME site attacks - who's next?", the next high-profile sites are Wired.com and History.com.


Key summary points :

- the same malicious parties behind the CNET and TorrentReactor IFRAME injections are also behind the abuse of input validation at Wired.com and History.com

- the IFRAME injection relies entirely on the lack of input validation within their search engines, which makes it possible to submit executable code that then runs automatically whenever the cached page is reached through a popular search query

- many other domains have been introduced within the IFRAMEs, a complete list of which you can find in this post, several directly hosted within RBN's network

- the main domain serving the heavily obfuscated VBS malware is located within the Russian Business Network's known netblocks

- given the high page ranks of the current and the previous targets, it is evident that the malicious parties are prioritizing targets by the possibility of abusing input validation on high page-ranked sites, presumably in an automated fashion

- Keep it Simple Stupid works: since they could not find a way to embed the IFRAME directly at these hosts, which would have been a clear indication that they had breached them, they figured out a way to inject the IFRAMEs through the search engines instead, and again take advantage of the high page ranks to attract traffic by ranking for popular keywords, or for any keywords they want to
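A minimal model of the flaw the summary points describe (a search term reflected into a cached results page without validation or encoding), beside its hardened form and an access-log check for search terms carrying HTML tags. This is an added example, not code from the original post or from the affected sites; the q parameter name, the log format and the log lines are assumptions.

```python
# Added example, not code from the original post: a minimal model of the
# search-results flaw described above, beside its fix, plus a log check.
import html
import re
from urllib.parse import parse_qs, urlsplit


def render_vulnerable(query: str) -> str:
    # Reflects the raw search term into the cached results page; any
    # markup in the term becomes live HTML for every later visitor.
    return f"<h1>Search results for: {query}</h1>"


def render_hardened(query: str) -> str:
    # Same page, but the term is HTML-escaped, so markup renders as text.
    return f"<h1>Search results for: {html.escape(query, quote=True)}</h1>"


# Flags a search term that carries an HTML tag: a signal that the request
# is seeding the search cache rather than searching.
TAG_RE = re.compile(r"<\s*/?\s*[a-z][a-z0-9]*[^>]*>", re.IGNORECASE)


def query_contains_markup(request_path: str) -> bool:
    # Assumes the search parameter is named q (a hypothetical name).
    term = parse_qs(urlsplit(request_path).query).get("q", [""])[0]
    return bool(TAG_RE.search(term))


def flag_suspicious_searches(log_lines):
    """Return request paths from access-log lines whose q= carries markup."""
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (\S+) HTTP', line)
        if m and query_contains_markup(m.group(1)):
            hits.append(m.group(1))
    return hits


# Constructed log lines, not real traffic; the tag points at a placeholder host.
SAMPLE_LOG = [
    '10.0.0.1 - - [10/Mar/2008:10:00:00 +0000] "GET /search?q=wired+news HTTP/1.1" 200 512',
    '10.0.0.2 - - [10/Mar/2008:10:00:05 +0000] '
    '"GET /search?q=%3Ciframe+src%3Dhttp%3A%2F%2Fexample.invalid%2F%3E HTTP/1.1" 200 600',
]

if __name__ == "__main__":
    print(render_hardened("<b>test</b>"))
    print(flag_suspicious_searches(SAMPLE_LOG))
```

The escaped page still shows the visitor what they searched for, but the cached copy can no longer carry an active IFRAME; the log check gives an early signal before the cache fills up.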

Sites currently affected besides Wired.com and History.com :

fhp.osd.mil
hcc.cc.gatech.edu
buffalo.edu
uninews.unimelb.edu.au
uvm.edu
jurist.law.pitt.edu
bushtorrent.com
torrentportal.com


Newly introduced domains within the IFRAMEs :

Where are the IFRAMEs relocating the visitor to?
search-vip.org/pharmacy/search.php?q= (195.225.178.19)
pharma-cist.com/item.php?id=156 (81.222.139.93)
vip-pharmacy.org (195.225.178.19)
adultfriendfinder.com/go/g665961
gift-vip.net/images/index1.php

Where's the malware?
The malware loads from gift-vip.net/images/index1.php (195.225.178.19), which upon loading includes another IFRAME pointing to e.pepato.org/e/ads.php?b=3029 (58.65.238.59), hosted by HostFresh with DNS services courtesy of INTERCAGE-NETWORK-GROUP, or the Russian Business Network in all of its netblock diversity. It seems that pepato.org, currently hosted on one of RBN's netblocks, also made an appearance in a recent malware-embedded attack on a .gov site.

Scanner results : 3% of scanners (1/36) found malware
File Size : 16643 bytes
MD5 : 99eae1a189443c1a87681579cb4b5dbd
SHA1 : 89a04c4d06f51aa6d6cb54925a2c84d2bbdba06b
Arcavir - Trojan.HTML.JScript.Freebs.gen.9 (JS:Feebs family; also detected as W32/Feebs-Fam and JS.Feebs.Gen)

Several more currently active internal pages serving variants :
e.pepato.org/e/ads.php?b=3029
e.pepato.org/e/ads_nl.php?b=1006
e.pepato.org/e/ads.php?b=1004
e.pepato.org/e/adsr.php?t=0
e.pepato.org/e/mdqt.php
e.pepato.org/e/e1004.html

Monitoring of these connected incidents will continue, particularly the RBN connection and other high-profile sites' susceptibility to these attack methods.
