
Dissecting FireEye's Career Web Site Compromise

September 18, 2013

Remember how, back in 2010, I established a direct connection between several mass WordPress blog compromise campaigns and the campaign behind the compromised Web site of the U.S. Treasury, prompting the cybercriminal(s) behind it to redirect all the campaign traffic to my Blogger profile?

It appears that the cybercriminal or gang of cybercriminals behind these mass Web site compromise campaigns is not just still in business, but -- the Long Tail of the malicious Web at work -- has also managed to compromise FireEye's (externally hosted) Careers Web site.

Let's dissect the campaign, expose the portfolio of malicious domains behind it, provide MD5s for a sample exploit and the dropped malware, and connect it to related malicious campaigns, all of which continue to share the same malicious infrastructure.

Sample redirection chain:
hxxp://vjs.zencdn.net/c/video.js
-> hxxp://cdn.adsbarscipt.com/links/jump/ (198.7.59.235; 63.247.93.69; 69.39.238.28; 74.81.94.44) (IE)
-> hxxp://cdn.adsbarscipt.com/links/flash/?updnew (CHROME)
-> hxxp://209.239.127.185/591918d6c2e8ce3f53ed8b93fb0735cd/face-book.php

Detection rate for a sample malicious script found on the client-side exploits serving site:
MD5: 809f70b26e3a50fb9146ddfa8cf500be - detected by 1 out of 49 antivirus scanners as Trojan.Script.Heuristic-js.iacgm

Sample detection rate for the served client-side exploit:
MD5: 71c92ebc2a889d3541ff6f20b4740868 - detected by 4 out of 49 antivirus scanners as HEUR:Exploit.Java.CVE-2012-1723.gen; HEUR_JAVA.EXEC

Detection rate for a sample dropped malware:
MD5: 4bfb3379a2814f5eb67345d43bce3091 - detected by 15 out of 49 antivirus scanners as Trojan-PSW.Win32.Fareit.acqv; PWS:Win32/Fareit.gen!C

The following malicious MD5s are known to have been downloaded from the same IPs (cdn.adsbarscipt.com: 198.7.59.235; 63.247.93.69; 69.39.238.28; 74.81.94.44):
MD5: 82e1013106736b74255586169a217d66
MD5: 01771c3500a5b1543f4fb43945337c7d
MD5: dbf6f5373f56f67e843af30fded5c7f2

Additionally, the campaign is also known to have dropped MD5: 01771c3500a5b1543f4fb43945337c7d

Once executed, the most recently dropped sample (MD5: 4bfb3379a2814f5eb67345d43bce3091) phones back to the following C&C servers:
main-firewalls.com (67.228.177.174; 74.204.171.69; 85.195.104.90) - Email: alex1978a@bigmir.net
simple-cdn-node.com (109.120.143.109) - Email: alex1978a@bigmir.net
akamai.com/gate.php

Deja vu! We've already seen alex1978a@bigmir.net in Network Solutions' (2010) mass WordPress blogs compromise, a campaign which is also directly connected with the compromise of the Web site of the U.S. Treasury.

The sample also attempts to download the following additional malware variants:
main-firewalls.com/6.exe
main-firewalls.com/1.exe

simple-cdn-node.com/1.exe - MD5: 05d003a374a29c9c2bbc250dd5c56d7c

Responding to 67.228.177.174 are also the following malicious domains:
aodairangdong.com
bolsaminimall.com
catch-cdn.com
corp-firewall.com
himarkrealty.com
ngnetworld.com
ritz-entertainment.com
server.evietmusic.com
viettv24.com
vpoptv.com        
plussolarsolutions.com
artistflower.com
autoairsystems.com   
eighteas.com
greenpowersurvey.com
phattubi.com
ritz-entertainment.com
saigoncitymall.com


The following malicious MD5s are also known to have phoned back to the same IP (67.228.177.174) in the past:
MD5: 05636d38090e5726077cea54d2485806
MD5: 53b73675f1b08cf7ecfc3c80677c8d2e
MD5: 0f424ff9db97dafaba746f26d6d8d5c0
MD5: 633d6de861edc2ecf667f02d0997f10e
MD5: d13ead2b8a424b5e9c5977f8715514c4
MD5: bfc9803c94cc8ba76a916f8e915042e4
MD5: a04d33ced90f72c1a77f312708681c07
MD5: 7e6e15518cc48639612aa4ff00a2a454
MD5: 98d78ef8cc5aee193a7b7a3c3bb58c87
MD5: a030d6e35d736db9dd433a8d2ac8a915
MD5: 1f7a6ed70be6e13efb45e5ba80eed76e
MD5: cfc727a0ad51eb1f111305873d2ade04
MD5: 1b6de030ed3b42e939690630f63d6933
MD5: fa9e92d42580e1789ed04e551a379e4e
MD5: 2ed9d63e4d557667bad7806872cf4412
MD5: bef16d25b2cada2a388ea06c204b44f3
MD5: 77a93ba48d6532e069745bca117d26ed
MD5: 7c7e4cef8a7181f7982a841f7f752368
MD5: 57b5e6f38998e32fa93856970cc66c5e
MD5: 5d388b1f2bf2dc9493f5c4cfb9d53ca0
MD5: ec24a959e39c5d2eb7dc769f4b098efb
MD5: 6357085196499ef5301548ff17b62619
MD5: 3173d4be34f489a4630f2439f9653c2c
MD5: 3bd239ee46ab8ba02f57ed1762bd3ae6
MD5: dce3e33eb294f0a7688be5bea6b7e9d4
MD5: 1ed678e9d29c25043fdd1b4c44f5b2ea
MD5: eccce6f5f509f4ef986d426445a98f0d
MD5: 74e1e2f2d562ab6883124cfa43300cf2
MD5: 6922efa2e5aa16b78c982d633cbe44e9

Responding to 85.195.104.90 are also the following malicious domains:
catch-cdn.com
corp-firewall.com
kronoemail.com
main-firewalls.com
viacominfosys.com
emaildatastore.com


The following malicious MD5s are also known to have phoned back to the same IP (85.195.104.90) in the past:
MD5: 88110dbce9591b68b06b859e7965d509
MD5: 0e055888564fb59cb6d4e35a5c5fb33d
MD5: e9d8d2842b576fd4f6ef9dde1fea4b9f
MD5: e750031fc9b9264852133d8f7284ac7a
MD5: e0da2ca4e9a174cd3c6f8a348e4861ad
MD5: b23a579d7b8bf5a03c121d2f74234b2d
MD5: a1ee5246d984d900f27ce94fbfc37c2b
MD5: 2118a70a2ccf0a7772725e765ad64e08
MD5: f26848e64040b4b6614d95bd967045df
MD5: 9c5997b32bea6945f0cb9ff0c18cf040
MD5: 353305483087a5316fd75f63d641ec1f
MD5: 34e67771ca411b163866f1e795b2e72e
MD5: 571e04b5af915979efc5a7f77794facb
MD5: a21df3ee0c9dd87cf6ca66581aa7eb76
MD5: e2137edd5f550b1942c16e70095c436b
MD5: 97437f6d670db2596b6a6b53c887055c

This kind of factual attribution, based on gathered historical OSINT, isn't surprising: despite the increasing number of novice cybercriminals joining the ecosystem, the "usual suspects" continue operating in pursuit of their fraudulent and malicious objectives.
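The pivot the post relies on (the same registrant e-mail and the same hosting IPs reappearing across campaigns years apart) is easy to make mechanical. The following is an added example, not code from the original posts: RECORDS is a transcribed subset of the domain / IP / registrant e-mail indicators the posts on this page list, the campaign labels (fireeye_2013, treasury_2010, netsol_2010) are my own, and the functions answer the questions an analyst asks when correlating such data: which indicators two campaigns share, which domains a registrant e-mail or an IP pivots to, and which indicators span the most campaigns.

```python
"""Pivoting on shared infrastructure across the campaigns on this page.

Added example, not code from the original posts. RECORDS is a subset of the
indicators the posts list (domain, an IP it resolved to, WHOIS registrant
e-mail where the post gives one); the campaign labels are my own.
"""
from collections import defaultdict

# (campaign, domain, ip, registrant_email); None = not stated in the post.
RECORDS = [
    # FireEye Careers Web site compromise, September 2013
    ("fireeye_2013", "main-firewalls.com", "67.228.177.174", "alex1978a@bigmir.net"),
    ("fireeye_2013", "main-firewalls.com", "85.195.104.90", "alex1978a@bigmir.net"),
    ("fireeye_2013", "simple-cdn-node.com", "109.120.143.109", "alex1978a@bigmir.net"),
    ("fireeye_2013", "corp-firewall.com", "67.228.177.174", None),
    ("fireeye_2013", "catch-cdn.com", "85.195.104.90", None),
    # U.S. Treasury site compromise, May 2010
    ("treasury_2010", "grepad.com", "188.124.16.133", "alex1978a@bigmir.net"),
    ("treasury_2010", "thejustb.com", "217.23.14.14", "alex1978a@bigmir.net"),
    ("treasury_2010", "mazcostrol.com", "188.124.16.134", "alex1978a@bigmir.net"),
    ("treasury_2010", "jumpsearches.com", "217.23.14.14", "alex1978a@bigmir.net"),
    # Network Solutions mass WordPress blogs compromise, April 2010
    ("netsol_2010", "corpadsinc.com", "64.50.165.169", "alex1978a@bigmir.net"),
    ("netsol_2010", "binglbalts.com", "64.50.165.169", "alex1978a@bigmir.net"),
    ("netsol_2010", "nonstopacc.com", "188.124.16.95", "alex1978a@bigmir.net"),
    ("netsol_2010", "mazcostrol.com", "188.124.16.103", "alex1978a@bigmir.net"),
    ("netsol_2010", "lasvegastechreport.com", "64.50.165.169", None),
]


def indicator_index(records=RECORDS):
    """Map each (kind, value) indicator to the set of campaigns it occurs in."""
    index = defaultdict(set)
    for campaign, domain, ip, email in records:
        index[("domain", domain)].add(campaign)
        if ip:
            index[("ip", ip)].add(campaign)
        if email:
            index[("email", email)].add(campaign)
    return index


def shared_indicators(a, b, records=RECORDS):
    """Indicators present in both campaigns: the pivots that connect them."""
    return sorted(ind for ind, camps in indicator_index(records).items()
                  if a in camps and b in camps)


def domains_for_email(email, records=RECORDS):
    """Registrant pivot: every domain in the records registered with this e-mail."""
    return sorted({d for _, d, _, e in records if e == email})


def domains_on_ip(ip, records=RECORDS):
    """Passive-DNS style pivot: every domain that resolved to this IP."""
    return sorted({d for _, d, i, _ in records if i == ip})


def connective_indicators(records=RECORDS, min_campaigns=2):
    """Indicators spanning several campaigns, most campaigns first.
    A single shared hosting IP can be coincidence; a registrant e-mail reused
    across years plus a reused phone-home domain is a much stronger signal."""
    index = indicator_index(records)
    spanning = [(len(c), ind, sorted(c)) for ind, c in index.items()
                if len(c) >= min_campaigns]
    return sorted(spanning, key=lambda t: (-t[0], t[1]))


if __name__ == "__main__":
    print("2013 <-> NetSol 2010:", shared_indicators("fireeye_2013", "netsol_2010"))
    print("Treasury <-> NetSol: ", shared_indicators("treasury_2010", "netsol_2010"))
    for n, ind, camps in connective_indicators():
        print("%s=%s links %d campaigns: %s" % (ind[0], ind[1], n, ", ".join(camps)))
```

Run on these records, the only indicator tying the 2013 compromise to the 2010 Network Solutions campaign is the registrant e-mail, while the two 2010 campaigns additionally share the mazcostrol.com phone-back domain; that difference in link strength is worth keeping in view when weighing the attribution.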

Updates will be posted as soon as new developments take place.

U.S. Treasury Site Compromise Linked to the NetworkSolutions Mass WordPress Blogs Compromise

May 04, 2010
UPDATED: Saturday, May 08, 2010: 5 new domains have been introduced by the same gang, once again parked at 217.23.14.14, AS49981, WorldStream.

jumpsearches.com - 217.23.14.14 - Email: alex1978a@bigmir.net
ingeniosearch.net - 217.23.14.14 - Email: alex1978a@bigmir.net
searchnations.com - 217.23.14.14 - Email: alex1978a@bigmir.net
mainssearch.com - 217.23.14.14 - Email: alex1978a@bigmir.net
bigsearchinc.com - 217.23.14.14 - Email: alex1978a@bigmir.net

Sample exploitation structure:
- jumpsearches.com/bing.com /load.php?spl=mdac
    - jumpsearches.com/bing.com /error.js.php
        - jumpsearches.com/bing.com /pdf.php
            - jumpsearches.com/bing.com /?spl=2&br=MSIE&vers=7.0&s=
                - jumpsearches.com/bing.com /load.php?spl=pdf_2030
                    - jumpsearches.com/bing.com /load.php?spl=MS09-002

UPDATED: Thursday, May 06, 2010: Over the past 24 hours, the cybercriminals behind this ongoing campaign have continued introducing new domains, all of which are currently in a cover-up phase, pointing to 127.0.0.1. What's particularly interesting is that all of them reside within AS49981, WorldStream = Transit Imports = -CAIW-, Netherlands.

- twcorps.com/tv/ - 217.23.14.15 - Email: alex1978a@bigmir.net, Prokopenko Aleksey
    - MD5: ebcfaa2f595ccea81176f6f125b31ac7
- jobsatdoor.com/plain/ - 217.23.14.14 - Email: alex1978a@bigmir.net, Prokopenko Aleksey
    - MD5: ebcfaa2f595ccea81176f6f125b31ac7
- oficla.com/plain/ - 217.23.14.14 - Email: alex1978a@bigmir.net, Prokopenko Aleksey
    - MD5: ebcfaa2f595ccea81176f6f125b31ac7
- organization-b.com/mail/ - 217.23.14.14 - Email: alex1978a@bigmir.net, Prokopenko Aleksey
- dilingdiling.com/router/ - 217.23.14.14 - Email: alex1978a@bigmir.net, Prokopenko Aleksey

All the samples phone back to mazcostrol.com/inst.php?aid=blackout, which has moved from the previously known IP 188.124.16.134 and now responds at 95.143.193.61, AS49770, SERVERCONNECT-AS ServerConnect Sweden AB.

mazcostrol.com is not just a phone back location. It's also actively serving client-side exploits. Sample update obtained from the same domain:
- update4303.exe - Trojan.Win32.VBKrypt - Result: 5/41 (12.2%)

Not surprisingly, AS44565 and AS49770, where mazcostrol.com has been hosted, are also home to currently active ZeuS crimeware C&Cs.

AS49770 (SERVERCONNECT-AS ServerConnect Sweden AB)
brunongino.com
slavenkad.com
frondircass.cn
pradsuyz.cn


AS44565 (VITAL VITAL TEKNOLOJI)
spacebuxer.com
odboe.info
212.252.32.69
jokersimson.net
whoismak.net
188.124.7.247
www.bumagajet.net
barmatuxa.info
barmatuxa.net


UPDATED: A researcher just pinged me with details on something I should be flattered by. Apparently grepad.com /in.cgi?4 redirects to 217.23.14.14 /in_t.php, which then redirects to my Blogger profile.

In fact, 217.23.14.14, the IP of the client-side exploit serving domains, also redirects there, with the actual campaign in a cover-up phase and the original domain now resolving to 127.0.0.1.

Let's see for how long. Until then, The Beatles - You Know My Name seems to be the appropriate music choice.


AVG and PandaLabs are reporting that the Web sites of the U.S. Bureau of Engraving and Printing (bep.treas.gov; moneyfactory.gov) are serving client-side exploits that ultimately expose the visitor to scareware (The Ultimate Guide to Scareware Protection).

What's particularly interesting about this campaign is that it's part of last month's NetworkSolutions mass WordPress blogs compromise: not only is the iFrame-d domain registered using the same email as the client-side exploit serving domains from the NetworkSolutions campaign -- alex1978a@bigmir.net -- but the dropped scareware's phone back location -- mazcostrol.com/inst.php?aid=blackout - 188.124.16.134 - Email: alex1978a@bigmir.net -- is also identical to the one used in that campaign, including the affiliate ID used by the original cybercriminal.

The client-side exploit serving domain used in the U.S. Treasury site compromise has also been reported by a large number of NetworkSolutions customers in the most recent campaign affecting WordPress blogs.

The exploit-serving structure, including the detection rates for the dropped scareware and exploits used in the U.S Treasury compromise campaign, is as follows:

- grepad.com /in.cgi?3 - 188.124.16.133, AS44565, VITAL TEKNOLOJI - Email: alex1978a@bigmir.net
    - thejustb.com /just/ - 217.23.14.14 (dyndon.com), AS49981 - Email: alex1978a@bigmir.net
        - thejustb.com /just/pdf.php
            - thejustb.com /just/1.pdf
                - thejustb.com /just/load.php?spl=javas
                    - thejustb.com /just/j1_893d.jar
                        - thejustb.com /just/j2_079.jar

- 1.pdf - Exploit.PDF-JS.Gen (v) - Result: 1/41 (2.44%)
- j1_893d.jar - Trojan-Downloader:Java/Agent.DJDN - Result: 5/41 (12.20%)
- j2_079.jar - EXP/Java.CVE-2009-3867.C.2; Exploit.Java.Agent.a - Result: 9/41 (21.96%)
- grepad.exe - Trojan.Generic.KD.10339; a variant of Win32/Injector.BNG - Result: 8/41 (19.51%)

Upon successful exploitation, the dropped grepad.exe phones back to mazcostrol.com/inst.php?aid=blackout - 188.124.16.134, AS44565, VITAL TEKNOLOJI - Email: alex1978a@bigmir.net, the same phone back location also used in the NetworkSolutions mass compromise campaign.

Known MD5s used by the same campaigner in previous campaigns, phoning back to the same domain with the identical affiliate ID:
MD5: 4734162bb33eff7af7e18243821b397e
MD5: 1c9ce1e5f4c2f3ec1791554a349bf456
MD5: d11d76c6ecf6a9a87dcd510294104a66
MD5: c33750c553e6d6bdc7dac6886f65b51d
MD5: 74cdadfb15181a997b15083f033644d0
MD5: 3c7d8cdc73197edd176167cd069878bd

Attempting to interact with the campaign's directories often results in a "nice try, idiot." message. Lovely!

Related posts:
GoDaddy's Mass WordPress Blogs Compromise Serving Scareware
Dissecting the WordPress Blogs Compromise at Network Solutions

This post has been reproduced from Dancho Danchev's blog.

Dissecting the WordPress Blogs Compromise at Network Solutions

April 18, 2010
UPDATED: Network Solutions issued an update to the situation.

The folks at Sucuri Security have posted an update on the reemergence of mass site compromises at Network Solutions, following last week's WordPress attack.

What has changed since last week's campaign? Several new domains were introduced, including new phone back locations, with the majority of new domains once again parked on the same IP as they were last week - 64.50.165.169 - AS15244, LUNARPAGES proxy aut-num for Lunarpages by MZIMA.

The exploitation chain of the currently embedded domain is as follows:
- corpadsinc.com/grep /?spl=3&br=MSIE&vers=7.0&s=
    - corpadsinc.com /grep/soc.php
        - corpadsinc.com /grep/load.php?spl=ActiveX_pack
            - corpadsinc.com /grep/load.php?spl=pdf_2020
                - corpadsinc.com /grep/load.php?spl=javal
                    - corpadsinc.com /grep/j2_079.jar

Detection rates for some of the obtained exploits:
- update.vbe - VBS:Encrypted-gen; Trojan-Downloader.VBS.Agent.yw - Result: 11/40 (27.5%)
- j2_079.jar - Exploit.Java.29; Exploit.Java.CVE-2009-3867.c; JAVA/Byteverify.O - Result: 5/40 (12.5%)
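The exploit-serving structures on this page (the 2013 cdn.adsbarscipt.com redirection chain and the 2010 load.php?spl=... / inst.php?aid=... trees) share a shape that a proxy-log review can key on even when the hosts rotate. The following is an added example, not code from the original posts: KNOWN_HOSTS and the two URL patterns are lifted from the chains the posts list, while SAMPLE_LOG and its "time client method url status" layout are constructed for the demonstration. It flags lines by host and by kit structure independently, groups hits per client, and reports clients whose sequence (fingerprinting landing page, then loader) matches the path that precedes a dropped payload in these chains.

```python
"""Flag proxy log lines matching the exploit-serving chains on this page.

Added example, not code from the original posts. KNOWN_HOSTS and the URL
patterns come from the chains the posts list; SAMPLE_LOG and its
"time client method url status" layout are constructed for the demo.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Hosts and IPs named in the chains on this page. The first hop of the 2013
# chain (a video.js script URL) is deliberately left out: the script URL
# alone is not evidence, the redirect that follows it is.
KNOWN_HOSTS = {
    "cdn.adsbarscipt.com", "209.239.127.185",              # 2013 FireEye chain
    "grepad.com", "thejustb.com", "jumpsearches.com",      # 2010 Treasury chain
    "corpadsinc.com", "nonstopacc.com", "mazcostrol.com",  # 2010 NetSol chain
}
# Structural patterns that hold across hosts: the loader that selects an
# exploit by "spl" name, and the affiliate-tagged phone-home script.
LOADER_RE = re.compile(r"/load\.php\?spl=[\w-]+", re.I)
PHONE_HOME_RE = re.compile(r"/inst\.php\?aid=\w+", re.I)


def classify(url):
    """Return the reasons (possibly none) a URL looks like part of these campaigns."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    qs = parse_qs(parts.query)
    reasons = []
    if host in KNOWN_HOSTS:
        reasons.append("known host %s" % host)
    if LOADER_RE.search(url):
        reasons.append("kit loader spl=%s" % qs.get("spl", ["?"])[0])
    if "br" in qs and "vers" in qs:  # landing page browser fingerprint
        reasons.append("browser fingerprint br=%s vers=%s" % (qs["br"][0], qs["vers"][0]))
    if PHONE_HOME_RE.search(url):
        reasons.append("affiliate phone-home aid=%s" % qs["aid"][0])
    return reasons


def analyze(lines):
    """Group hits by client so the chain a victim walked can be read in order."""
    hits = defaultdict(list)
    for line in lines:
        ts, client, _method, url, _status = line.split()
        reasons = classify(url)
        if reasons:
            hits[client].append((ts, url, reasons))
    return dict(hits)


def exploitation_sequences(hits):
    """Clients that hit a fingerprinting landing page and afterwards a loader:
    the sequence that precedes a dropped payload in the chains above."""
    victims = []
    for client, events in hits.items():
        order = [r.split()[0] for _, _, reasons in events for r in reasons]
        if ("browser" in order and "kit" in order
                and order.index("browser") < order.index("kit")):
            victims.append(client)
    return sorted(victims)


SAMPLE_LOG = [  # constructed: clients, times and the benign lines are made up
    "10:01:02 10.0.0.5 GET http://vjs.zencdn.net/c/video.js 200",
    "10:01:03 10.0.0.5 GET http://cdn.adsbarscipt.com/links/jump/ 302",
    "10:01:04 10.0.0.5 GET http://209.239.127.185/591918d6c2e8ce3f53ed8b93fb0735cd/face-book.php 200",
    "10:05:00 10.0.0.7 GET http://example.test/index.html 200",
    "10:06:10 10.0.0.9 GET http://corpadsinc.com/grep/?spl=3&br=MSIE&vers=7.0&s= 200",
    "10:06:11 10.0.0.9 GET http://corpadsinc.com/grep/load.php?spl=pdf_2020 200",
    "10:06:12 10.0.0.9 GET http://corpadsinc.com/grep/j2_079.jar 200",
    "10:06:30 10.0.0.9 GET http://mazcostrol.com/inst.php?aid=blackout 200",
    "10:07:00 10.0.0.11 GET http://unrelated.test/load.php?spl=mdac 404",
]

if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for client, events in found.items():
        for ts, url, reasons in events:
            print(client, ts, url, "|", "; ".join(reasons))
    print("likely exploited:", exploitation_sequences(found))
```

The last sample line shows why the structural patterns matter: the host is unknown, yet the load.php?spl= loader shape still surfaces it for review, which is how a rotated domain from the same kit would first show up.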


Responding to 64.50.165.169 - AS15244, LUNARPAGES proxy aut-num for Lunarpages by MZIMA are also:
binglbalts.com - Email: alex1978a@bigmir.net
corpadsinc.com - Email: alex1978a@bigmir.net
fourkingssports.com - Email: alex1978a@bigmir.net
networkads.net - Email: alex1978a@bigmir.net
mainnetsoll.com - Email: alex1978a@bigmir.net
lasvegastechreport.com
mauiexperts.com
mauisportsinsider.com

Upon successful exploitation from corpadsinc.com, the campaign drops load.exe - Trojan:Win32/Meredrop; Trojan.Win32.Sasfis.a (v) - Result: 7/40 (17.50%).

The sample load.exe also phones back to the following locations:
- nonstopacc.com/tmp /bb.php?v=200&id=130306319&b=7231522200&tm=8 - 188.124.16.95 - Email: alex1978a@bigmir.net
- nonstopacc.com/tmp /bb.php?v=200&id=130306319&tid=6&b=7231522200&r=1&tm=9
- 188.124.16.96 /blackout_dem.exe

Detection rate for blackout_dem.exe - Trojan-Dropper - Result: 7/40 (17.5%). It phones back to mazcostrol.com/inst.php ?aid=blackout - 188.124.16.103 - Email: alex1978a@bigmir.net.

Interestingly, the sample attempts to install a Firefox add-on in the following way:
- %ProgramFiles%\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul - MD5: 963136ADAA2B1C823F6C0E355800CE02 - detected by different vendors as IRC/Flood.gen.h or TROJ_BUZUS.ZYX.
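A rogue add-on dropped under a fixed extension GUID with a known file hash is a straightforward host check. The following is an added example, not code from the original post: the GUID and the timer.xul MD5 are the ones the post gives, the scanner walks a Firefox extensions directory and reports known-bad extension ids and known-bad file hashes independently (so a renamed directory still matches by hash and a modified timer.xul still matches by GUID), and build_sample_tree() creates a constructed stand-in for the directory layout in a temporary folder so the script runs anywhere. On a real host, point scan_extensions() at the extensions directory under the Firefox install path the post names.

```python
"""Host check for the rogue Firefox add-on described above.

Added example, not code from the original post. BAD_GUID and BAD_MD5 are taken
from the post; build_sample_tree() is a constructed stand-in for the real
extensions directory so the script can run offline.
"""
import hashlib
import os
import tempfile

BAD_GUID = "{8CE11043-9A15-4207-A565-0C94C42D590D}"  # extension id from the post
BAD_MD5 = {"963136adaa2b1c823f6c0e355800ce02"}      # timer.xul MD5 from the post


def md5_file(path):
    """MD5 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_extensions(extensions_dir, bad_guids=frozenset([BAD_GUID]), bad_md5s=BAD_MD5):
    """Walk an extensions directory and return (path, reason) findings.

    Extension ids and file hashes are checked independently: a renamed
    directory still matches by hash, and a modified file still matches by id.
    """
    findings = []
    bad_guids = {g.upper() for g in bad_guids}
    bad_md5s = {m.lower() for m in bad_md5s}
    for entry in sorted(os.listdir(extensions_dir)):
        ext_dir = os.path.join(extensions_dir, entry)
        if not os.path.isdir(ext_dir):
            continue
        if entry.upper() in bad_guids:
            findings.append((ext_dir, "known-bad extension id %s" % entry))
        for root, _dirs, files in os.walk(ext_dir):
            for name in files:
                path = os.path.join(root, name)
                digest = md5_file(path)
                if digest in bad_md5s:
                    findings.append((path, "known-bad file hash %s" % digest))
    return findings


def build_sample_tree():
    """Constructed: a temporary extensions dir with the rogue GUID layout from
    the post (placeholder file contents, not the real timer.xul) plus a benign
    add-on that must not be flagged."""
    base = tempfile.mkdtemp()
    rogue = os.path.join(base, BAD_GUID, "chrome", "content")
    os.makedirs(rogue)
    with open(os.path.join(rogue, "timer.xul"), "w") as f:
        f.write("<!-- constructed placeholder, not the real timer.xul -->\n")
    benign = os.path.join(base, "benign@example.test", "chrome")
    os.makedirs(benign)
    with open(os.path.join(benign, "overlay.xul"), "w") as f:
        f.write("<overlay/>\n")
    return base


def sample_timer_path(base):
    """Path of the placeholder timer.xul inside a tree built by build_sample_tree()."""
    return os.path.join(base, BAD_GUID, "chrome", "content", "timer.xul")


if __name__ == "__main__":
    sample = build_sample_tree()
    for path, reason in scan_extensions(sample):
        print(reason, "->", path)
```

Because the placeholder file does not carry the post's MD5, a scan of the sample tree matches only on the extension id; passing the placeholder's own hash as bad_md5s shows the hash path as well. The same two-pronged match is what you would run against the real extensions directory.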

It's also worth pointing out that the campaign's admin panel redirects to a third-party, cybercrime-friendly IP that's currently offline: corpadsinc.com/grep/stats.php -> HTTP/1.1 302 Found to 217.23.14.25, AS49981, WorldStream = Transit Imports = -CAIW.

The bottom line: although Network Solutions criticized the media last week for blaming this on Network Solutions or on WordPress itself, the company should realize that, for the sake of its reputation, it should always adopt a "protect the end user from himself" mentality when offering any of its services.

Related WordPress security resources:
20 Wordpress Security Plug-ins And Tips To keep Hackers Away
11 Best Ways to Improve WordPress Security
20+ Powerful Wordpress Security Plugins and Some Tips and Tricks
