Tuesday, March 04, 2008

ZDNet Asia and TorrentReactor IFRAME-ed

This currently ongoing malware embedded attack aimed at ZDNet Asia and TorrentReactor is very creative at the strategic level, whereas the IFRAME-ing tactic remains the same. The sites' search engines seem to have been exploited to have the IFRAME injected, not embedded, within the last 24 hours, redirecting to known Russian Business Network's IPs and ex-customers in the face of rogue anti-virus and anti-spyware applications. For the time being, zdnetasia.com has 11,200 cached pages loading the IFRAME, and torrentreactor.net - 29,300 cached pages loading the IFRAME. Even worse, the IFRAME embedded search results hosted on their sites, are appearing between the first ten to twenty search results, thanks to the sites high page ranks. Sample search queries :

jamie presley
mari misato
risa coda
kasumi tokumoto
jill criscuolo

The IFRAME is loading 72.232.39.252/a also responding to themaleks.net. The link itself is loading an obfuscated javascript, which once deobfuscated attempts to load a-n-d-the.com/wtr/router.php (216.255.185.82 - INTERCAGE-NETWORK-GROUP2) also responding to ppcan.info, with two more domains sharing nameservers, findhowto.net, searchhowto.net. Ppcan.net has already been assessed by Microsoft's Security Team :

"The advantage gained by faking the Referer field is nullified when pages use client-side cloaking to distinguish between fake and real Referer field data by running a script in the client’s browser to check the document.referrer variable. Example 1 shows a script used by the spam URL naha.org/old/tmp/evans-sara-real-fine-place/index.html. The script checks whether the document.referrer string contains the name of any major search engines. If successful the browser redirects to ppcan.info/mp3re.php and eventually to spam; otherwise, the browser stays at the current doorway page. To defeat the simple client-side cloaking, issuing a query of the form “url:link1” is sufficient. This allows us to fake a click through from a real search engine page."

So the malicious parties are implementing simple referrer techniques to verify that the end users coming to their IP, are the ones they expect to come from the campaign, and not client-side honeypots or even security researchers. And if you're not coming from you're supposed to come, you get a 404 error message, deceptive to the very end of it. Sample redirects upon visiting the IFRAME-ed pages at ZDNet Asia with the right referrer :

xpantivirus2008.com (69.50.173.10)
scanner.spyshredderscanner.com (77.91.229.106)
hot-pornotube-2008.com (206.51.229.67)
porn-tubecodec20.com (195.93.218.43)

Once the junkware inventory is empty, all pages redirect to requestedlinks.com (216.255.185.82). Let's take a peek at the codec :

Scanner results : 11% Scanner (4/36) found malware!
File Size : 85008 byte
MD5 : 6b325c53987c488c89636670a25d5664
SHA1 : c6aeeafffe10e70973a45e5b6af97304ca20b3bd
Fortinet - Suspicious
Norman - Tibs.gen200
Prevx - TROJAN.DOWNLOADER.GEN
Quick Heal - Suspicious - DNAScan

Even more interesting is the fact that literally minutes before posting this, another such campaign got launched at ZDNet Asia, this time having just 24 pages locally cached, and loading another IFRAME to 89.149.243.201/a redirecting to cialis2men.com/product/61 (92.241.162.154).

What is going on, have the sites been compromised, or the attackers are in fact smarter than those who would even bother to scan for remotely exploitable web application vulnerabilities, next to remote file inclusion? ZDNet Asia and TorrentReactor themselves aren't compromised, their SEO practices of locally caching any search queries submitted are abused. Basically, whenever the malicious attacker is feeding the search engine with popular quaries, the sites are caching the search results, so when the malicious party is also searching for the IFRAME in an "loadable state" next to the keyword, it loads. Therefore, relying on the high page ranks of both sites, the probability to have the cached pages with the popular key words easy to find on the major search engines, with the now "creative" combination of the embedded IFRAME, becomes a reality if you even take a modest sample, mostly names.

The bottom line is that ZDNet Asia and TorrentReactor SEO practices of caching the search queriesAnd given that the malicius parties can now easily tweak popular keywords to appear on ZDNet Asia and TorrentReactor's sites, thereby getting a front placement on search engines, they can pretty much shift the SEO campaign to a malware campaign by taking advantage of "event-based social engineering".

No comments:

Post a Comment