Tipped by a third-party, Sophos managed to locate the exact URL by deobfuscating the rather simple URL obfuscation, and Fraser Howard posted some interesting details at their blog :
"The purpose of the attacks is to infect victims with Trojans from the two attack sites. As discussed in a recent paper, the increased use of automation to continually re-encrypt/pack/obfuscate the Trojans highlights the need for good generic detection technology. A system to continuously monitor these files in order to maintain detection is essential. So, to answer the question of whether the U.S. Consulate General site was specifically targeted in this attack - my answer is no, probably not. The prevalence of other much smaller sites compromised in exactly the same way (in just seven days worth of data) suggests that the hackers just happened to have caught a big fish as they trawled for vulnerable servers. It just goes to show that security is important on all machines hosting both small and large websites."
We could greatly expand those as a matter of fact. The IFRAME used leads us to verymonkey.com/goof/index.php (209.123.181.185) and verymonkey.com/test/index.php which is exploiting a modified MDAC, and aims to execute the following binary Virus.Win32.Zapchast.DA :
Detection rate : Result: 6/32 (18.75%)
AntiVir 2007.09.14 DR/Delphi.Gen
AVG 2007.09.14 Obfustat.NPJ
eSafe 2007.09.13 Suspicious Trojan/Worm
Ikarus 2007.09.14 Virus.Win32.Zapchast.DA
VirusBuster 2007.09.13 Trojan.Agent.JVF
Webwasher-Gateway 2007.09.14 Trojan.Delphi.Gen
File size: 28672 bytes
MD5: a25ad0045d195016690b299bfb8b75d1
SHA1: ab219c50b0adc84f702c696797e81411b6eab596
Is this obfuscated IFRAME-ing a fad or a trend? I think it's a trend since IFRAME-ing to a secondary domain taking advantage of popular web malware exploitation techniques is already rated as suspicious by security vendors, and Google themselves warning you that "this site may harm your computer", and so they ought to win time. Moreover, such obfuscations are making it harder to assess how many sites and which ones exactly were victims of the attack in an OSINT manner. It gets even more interesting, the IP hosting verymonkey.com was historically used to host banksoffscotland.co.uk scam web site in March this year. In case you wonder, it's not the RBN that's behind this malware embedded attack, but let's say it's a subsidiary of the RBN.
No comments:
Post a Comment