Monday, January 07, 2008

MySpace Phishers Now Targeting Facebook

The "campaigners" behind the MySpace phishing attack which I briefly assessed in previous posts seem to have started targeting Facebook as well. Ryan Singel comments, and quotes me in a related article :

"Hackers for the first time are targeting the popular social networking site Facebook with a phishing scam that harvests users' login details and passwords. Some Facebook users checking their accounts Wednesday found odd postings of messages on their "wall" from one of their friends, saying: "lol i can't believe these pics got posted.... it's going to be BADDDD when her boyfriend sees these," followed by what looks like a genuine Facebook link. But the link leads to a fake Facebook login page hosted on a Chinese .cn domain. The fake page actually logs the victims into Facebook, but also keeps a copy of their user names and passwords."

Compared to their previous MySpace phishing campaign that was also serving malware in between, this was was purely done for stealing accounting data of Facebook users only. And as we're on a Facebook malicious campaigns topic, impersonating Facebook's login or web presence from a blackhat SEO perspective to serve malware is always trendy. Take this fake facebook login subdomain serving malware for instance - facebook-login.vylo.org (209.160.73.132) redirects to iscoolmovies.com/movie/black/0/2/541/1/ which attempts to load 209.160.73.132/download/502/541/1/ where 209.160.73.132/dw.php is the adware in this case - Adware:Win32/SmitFraud. And yet another one - facebook-login-61248sf1.krantik.info (89.149.206.225) whose once deobfuscated javascript attempts to load topsearch10.com/search.php (209.8.25.156). Spammy, yammy.

Massive RealPlayer Exploit Embedded Attack

This malware embedded attack is massive and ugly, what's most disturbing about it is the number of sites affected, which speaks for coordination at least in respect to having established the infrastructure for serving the exploit before the vulnerability became public :

"One of our readers noted that there are a number of state government and educational sites that appear to have been compromised with the uc8010 domain. Upon review, I see that some of these have already been cleaned up. However, the .gov and .edu sites are only a few of the many many sites that are turned up via google searches for the uc8010 domain. As that domain was only registered as of Dec 28th, compromises of websites probably occurred in the past week."

According to SANS, there are only two domains involved in the attack uc8010.com/0.js and ucmal.com/0.js however, there's also a third one, namely rnmb.net/0.js. This attack is nothing else but "embedded malware as usual", javascript obfuscations, multiple IFRAME redirectors to and from internal pages, and scripts within the domains. Let's assess those that are still active :

- n.uc8010.com/0.js returns "ok ^_^" message and loads c.uc8010.com/ip/Cip.aspx (61.188.39.218) which says "Hello", furthermore, c.uc8010.com/0/w.js loads c.uc8010.com/1.htm; count38.51yes.com/click.aspx?id=389925362&logo=1 and s106.cnzz.com/stat.php?id=742266&web_id=742266

The internal structure is as follows :

c.uc8010.com/1.htm - attempts MDAC ActiveX code execution (CVE-2006-0003) in between the following
c.uc8010.com/046.htm - javascript obfuscation
c.uc8010.com/r.htm - real player exploit
c.uc8010.com/014.js - javascript obfuscation
c.uc8010.com/111.htm - unobfuscated real player exploit

- ucmal.com/0.js (122.224.146.246) - another obfuscation

- rnmb.net/0.js says "ok! ^_^ Don't hank me !" but compared to the first two that are still active, this one is down as of yesterday, despite that it still remains embedded on many sites

Detection rate for the unobfuscated exploit :
Result: 17/32 (53.13%) - Exploit-RealPlay; JS/RealPlay.B
File size: 3003 bytes
MD5: a85a28b686fc2deedb8d833feaacef16
SHA1: 0282e945ded85007b5f99ddee896ed5e31775715

Detection rate for the obfuscated exploit :
Result: 11/32 (34.38%) - JS/Agent.AMJ!exploit; Trojan-Downloader.JS.Agent.amj
File size: 2880 bytes
MD5: d363ffca061ebf564340c4ac899e3573
SHA1: 1226d3d9fcc5052a623b481b48443aeb246ab5db

A lot of university, and international government sites continue to be embedded with the script, and so is Computer Associates site according to this article :

"Part of security software vendor CA's Web site was hacked earlier this week and was redirecting visitors to a malicious Web site hosted in China. Although the problem now appears to have been corrected, cached versions of some pages in the press section of CA.com show that earlier this week the site had been redirecting visitors to the uc8010.com domain, which has been serving malicious software since late December, according to Marcus Sachs, director of the SANS Internet Storm Center."

Compared to each and every malware embedded attack that I assessed in 2007, including all of Storm Worm's campaigns, they were all relying on outdated vulnerabilities to achieve their success, but this one is taking advantage of the now old-fashioned window of opportunity courtesy of a malicious party enjoying the given the lack of a patch for the vulnerability. Why old-fashioned? Because malware exploitation kits like MPack, IcePack, WebAttacker, the Nuclear Malware Kit and Zunker, changed the threatscape by achieving a 100% success rate through first identifying the victim's browser, than serving the exact exploit. Another such one-vulnerability-serving malware embedded attack was the MDAC exploits farm spread across different networks I covered in a previous post. It's also interesting to note that a MDAC live exploit page was also found within what was originally thought to be a RealPlayer exploit serving campaign only. Shall we play the devil's advocate? The campaign would have been far more successful if a malware exploitation kit was used, as by using a single exploit only, the campaign's success entirely relies on the eventual presence of RealPlayer on the infected machine.