Saturday, June 06, 2009

Gumblar's 48,000 Compromised Domains Makes the Web a Dangerous Place

Last week one of the students in the UAB Computer Forensics program came to see me about a virus problem he'd been working on for a classmate. Her computer was infected with many malware programs, and my student, who works for me as a Malware Analyst, decided to take a look.

He came by to tell me about the situation, which involved a Facebook group that his classmate had joined. It was a group dedicated to organizing political action around a particular cause, with more than 40,000 members. At the top of their site it says "If you're looking for more information ..., visit our website" and gives the link.

Unfortunately, when any of the 40,000 members visited the link, they got a little extra surprise. The organizers didn't strike us as the type to be involved in infecting their membership to steal passwords, so we decided to make contact. They called back, and after checking my team out with some law enforcement references to verify that we are nice guys who are good at looking at viruses, they sent us everything they knew about their situation.

Their xfer logs indicated that the malicious content was uploaded to their server by a visitor from the Ukraine, who had logged in using their webmaster's correct userid and password. It wasn't a poorly chosen password, and it wasn't brute forced. They logged in successfully on the first try, indicating that their webmaster probably had a keylogger running on his home computer. In other words, the webmaster's FTP password was known to the criminals.

The biggest hint was the names of the two IFRAMEs which were located on the site:

http://dotcomnameshop.cn/in.cgi?income25
and
http://namesupermart.cn/in.cgi?income20

Update: This campaign is also associated with two other injection keywords:

/ts/in.cgi?mozila## found on:

nonfatautobest.cn
greatliteautobest.cn
litefinestdirect.cn
yourlitetop.cn

/ts/in.cgi?pepsi## found on:


Their original content was still in place, but someone had saved the code, added IFRAMEs pointing to the above URLs, and then logged in as the webmaster to upload the modified pages.

The two domains both resolve to the IP address 67.228.194.237, which belongs to SoftLayer Technologies in Dallas, Texas. We decided to look at what other domains were on the same IP address, and found 59 others.

Now, we know that just because two domains resolve to the same IP address does not mean they are related, so we compared the WHOIS information for some of the domains to each other.

For instance:

Domain Name: namesupermart.cn
ROID: 20081007s10001s46287853-cn
Domain Status: clientTransferProhibited
Registrant Organization: Scott Bell
Registrant Name: Scott Bell
Administrative Email: scottkbell@missiongossip.com
Sponsoring Registrar: 广东时代互联科技有限公司
Name Server:ns1.freednshostserver.com
Name Server:ns2.freednshostserver.com
Registration Date: 2008-10-07 04:47
Expiration Date: 2009-10-07 04:47

Domain Name: thelotbet.cn
ROID: 20081108s10001s82360691-cn
Domain Status: clientTransferProhibited
Registrant Organization: Raymond Keaton
Registrant Name: Raymond Keaton
Administrative Email: keaton@cybernauttech.com
Sponsoring Registrar: 广东时代互联科技有限公司
Name Server:ns1.freednshostway.com
Name Server:ns2.freednshostway.com
Registration Date: 2008-11-08 16:13
Expiration Date: 2009-11-08 16:13

Many of the domains were registered to Raymond Keaton or Scott Bell above, or to Michelle Rea (rea@cybernauttech.com).

Many of the domains were EXTREMELY POPULAR as well. For instance, "superbetfair.cn" had more than 50,000 visitors last month. (By comparison, this blog only gets around 10,000 visitors per month.)

But are all the domains malicious? To answer that question, we asked Google's SafeBrowsing project to assess whether the domains were known to be associated with malware, and if so, how many domains seemed to have been infected by the malware.

Here are the results we got. You can click on the number in the right-hand column to visit the current Google SafeBrowsing page for each domain. The numbers listed are the results as shown on Friday, June 5, 2009.


IFRAME Domain                 Infected Domain Count
coolnameshop.cn               935
cutlot.cn                     1549
denverfilmdigitalmedia.cn     601
diettopseek.cn                477
dotcomnameshop.cn             399
filmlifemediaguide.cn         0
filmlifemusicsite.cn          38
filmtypemedia.cn              0
findbigname.cn                452
findbigurls.cn                371
homenameregistration.cn       542
hotslotpot.cn                 860
internetnamestore.cn          956
liteautotop.cn                965
litecarfinestsite.cn          2324
litecartop.cn                 3889
litedownloadseek.cn           805
litegreatestdirect.cn         2664
litepremiumlist.cn            0
litetopfindworld.cn           1375
litetoplocatesite.cn          202
lotante.cn                    1699
lotbetworld.cn                741
lotmachinesguide.cn           3654
lotultimatebet.cn             546
mainnameshop.cn               459
mediahomenamemartvideo.cn     240
mediahousenameshopfilm.cn     265
mixante.cn                    1050
nameashop.cn                  645
namebuyline.cn                310
namebuypicture.cn             2692
namestorefilmlife.cn          351
namesupermart.cn              424
nanotopfind.cn                14
nonfatautobest.cn             271
nonfatcarbest.cn              744
perfectnamestore.cn           662
playbetwager.cn               383
promixgroup.cn                823
superbetfair.cn               3967
superlitecarbest.cn           677
thelotbet.cn                  415
yourfilmmovie.cn              0
yourliteseek.cn               59


It should be noted that these domain names have been moved on several occasions (possibly as many as eleven as of this timestamp). We know that many of these domains previously resolved to: 94.247.3.150 and 77.221.154.138

Here are some searches on the site "Malware Domain List" that will be useful for tracking these domains:

http://www.malwaredomainlist.com/mdl.php?search=in.cgi%3Fincome&colsearch=All&quantity=50

IFRAMEs in this group commonly point to a file and query string of the form "in.cgi?income##" or "in.cgi?cocacola##", where ## is any two digit number. We believe the "income" and "cocacola" are similar to affiliate tags, and that different malware may be dropped depending on which affiliate has routed the computer to the malware drop site.
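
A site owner can check their own pages for this pattern. The following is an added example, not code from the original post: it parses a page, collects every IFRAME source, and reports those whose URL matches the "in.cgi?keyword##" form described above. The function and class names are hypothetical, and the sample page is constructed around the two IFRAME URLs quoted earlier.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Query-string form from the post: <keyword><two digits>, e.g. income25.
TAG_RE = re.compile(r"^(?P<keyword>[a-z]+)(?P<num>\d{2})$")


class IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> in a page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag == "iframe":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)


def find_injected_iframes(html):
    """Return (host, keyword, number) for each iframe matching the pattern."""
    collector = IframeCollector()
    collector.feed(html)
    hits = []
    for src in collector.sources:
        url = urlsplit(src.strip())
        # Accept /in.cgi and the /ts/in.cgi variant from the update.
        if not url.path.lower().endswith("/in.cgi"):
            continue
        match = TAG_RE.match(url.query.lower())
        if match:
            hits.append((url.hostname, match.group("keyword"), match.group("num")))
    return hits


# Constructed sample page: the two IFRAME URLs quoted in the post plus one
# unrelated iframe (hypothetical host) that must not be reported.
SAMPLE_PAGE = """
<html><body><h1>Our cause</h1>
<iframe src="http://video.example.org/embed?id=42"></iframe>
<IFRAME SRC="http://dotcomnameshop.cn/in.cgi?income25"></IFRAME>
<iframe src='http://namesupermart.cn/in.cgi?income20'></iframe>
</body></html>
"""

if __name__ == "__main__":
    for host, keyword, num in find_injected_iframes(SAMPLE_PAGE):
        print(f"{host}: affiliate tag {keyword}{num}")
```

Because the match is on the URL shape rather than on a fixed domain list, it keeps working when the campaign rotates to new domains.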

But what happens after you are sent to one of these IFRAME pages? That's what UAB Malware Analyst Brian Tanner set about to determine.

The pages that receive the IFRAME traffic currently have two exploits present on them - one which takes advantage of a known Flash Player exploit, and the other which takes advantage of a known Adobe PDF Reader exploit. By visiting the page, a poorly configured browser will attempt to play the ".swf" file with Flash Player and open the ".pdf" file with Adobe Reader. If the visitor is using an unpatched version of either the Player or the Reader, their computer will become infected.

Brian tested the PDF by installing Adobe Reader 7.0 (although we have since confirmed that all of the 7.x and 8.x versions of Adobe Reader are exploitable with this trick.)

Upon opening the PDF file, Javascript code embedded within the PDF causes it to download a program called pdfupd.exe. In our test example, it did so by visiting the site giantbeaversdiet.cn:8080/landig.php?id=8

Domain Name: giantbeaversdiet.cn
ROID: 20081114s10001s24254090-cn
Registrant Organization: Raymond Best
Registrant Name: Raymond Best
Administrative Email: raymond@cybernauttech.com
Sponsoring Registrar: 广东时代互联科技有限公司
Name Server:ns1.freednshostway.com
Name Server:ns2.freednshostway.com
Registration Date: 2008-11-14 21:48
Expiration Date: 2009-11-14 21:48

Hmmm...another CyberNautTech.com email address. I think that will count as a link. This domain was hosted on The Planet at the time of our testing on the IP address: 70.85.142.250

They've since been kicked off The Planet and are now residing here:
87.106.103.122
on Schlund's network in the UK.
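
The WHOIS comparison used above to link the domains can be done mechanically. This is an added example, not the author's tooling: it parses the three WHOIS records quoted in this post (trimmed to the fields compared) and lists every administrative-email domain, name-server domain and registrar shared by more than one domain. The function names are hypothetical.

```python
from collections import defaultdict

# Fields copied from the three WHOIS records quoted in the post.
WHOIS_TEXT = """\
Domain Name: namesupermart.cn
Administrative Email: scottkbell@missiongossip.com
Sponsoring Registrar: 广东时代互联科技有限公司
Name Server:ns1.freednshostserver.com
Name Server:ns2.freednshostserver.com

Domain Name: thelotbet.cn
Administrative Email: keaton@cybernauttech.com
Sponsoring Registrar: 广东时代互联科技有限公司
Name Server:ns1.freednshostway.com
Name Server:ns2.freednshostway.com

Domain Name: giantbeaversdiet.cn
Administrative Email: raymond@cybernauttech.com
Sponsoring Registrar: 广东时代互联科技有限公司
Name Server:ns1.freednshostway.com
Name Server:ns2.freednshostway.com
"""


def parse_records(text):
    """Split blank-line separated WHOIS text into {field: [values]} dicts."""
    records = []
    for block in text.strip().split("\n\n"):
        rec = defaultdict(list)
        for line in block.splitlines():
            key, _, value = line.partition(":")
            rec[key.strip()].append(value.strip().lower())
        records.append(rec)
    return records


def shared_pivots(records):
    """Map each (kind, value) pivot to the domains using it, keeping only
    pivots shared by at least two domains."""
    pivots = defaultdict(set)
    for rec in records:
        domain = rec["Domain Name"][0]
        for email in rec["Administrative Email"]:
            pivots[("email-domain", email.split("@")[-1])].add(domain)
        for ns in rec["Name Server"]:
            # Last two labels; adequate for the .com name servers here.
            pivots[("ns-domain", ".".join(ns.split(".")[-2:]))].add(domain)
        for registrar in rec["Sponsoring Registrar"]:
            pivots[("registrar", registrar)].add(domain)
    return {k: sorted(v) for k, v in pivots.items() if len(v) > 1}
```

A shared registrar alone is a weak signal, since one registrar serves many unrelated customers; the email and name-server domains are the pivots that carry weight here.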

On the day when Brian ran his analysis, here is what VirusTotal had to say about his infected PDF, and the executable that it dropped:

The following is the Virus Total scan for readme.pdf
File size: 6560 bytes
MD5...: 754b90b3850a17264be95e00ec005b48
8/39 detections:
a-squared -
AhnLab-V3 -
AntiVir -
Antiy-AVL -
Authentium PDF/CollabExpl.E!Camelot
Avast JS:Packed-P
AVG -
BitDefender Exploit.PDF-JS.Gen
CAT-QuickHeal -
ClamAV Exploit.PDF-63
Comodo -
DrWeb -
eSafe -
eTrust-Vet -
F-Prot -
F-Secure -
Fortinet -
GData Exploit.PDF-JS.Gen
Ikarus -
K7AntiVirus -
Kaspersky -
McAfee -
McAfee+Artemis -
McAfee-GW-Edition -
Microsoft -
NOD32 -
Norman -
nProtect -
Panda -
PCTools -
Prevx -
Rising -
Sophos Troj/PDFJs-L
Sunbelt Exploit.PDF-JS.Gen (v)
Symantec Bloodhound.Exploit.196
TheHacker -
TrendMicro -
VBA32 -
ViRobot -


The following is the Virus Total scan for pdfupd.exe (and load.exe):
File size: 20992 bytes
MD5...: 03d959dde5b7f9b9f62f12762ba72f43
2/40 detections:
a-squared -
AhnLab-V3 -
AntiVir -
Antiy-AVL -
Authentium -
Avast -
AVG -
BitDefender -
CAT-QuickHeal -
ClamAV -
Comodo -
DrWeb -
eSafe Suspicious File
eTrust-Vet -
F-Prot -
F-Secure -
Fortinet -
GData -
Ikarus -
K7AntiVirus -
Kaspersky -
McAfee -
McAfee+Artemis -
McAfee-GW-Edition -
Microsoft -
NOD32 -
Norman -
nProtect -
Panda -
PCTools -
Prevx Medium Risk Malware
Rising -
Sophos -
Sunbelt -
Symantec -
TheHacker -
TrendMicro -
VBA32 -
ViRobot -
VirusBuster -

So, what do we have?

IFRAMEs which have been injected into more than 48,000 domains, probably via an FTP upload of an altered webpage. How much traffic is going to the domain which indicates a successful compromise via the PDF exploit?

Some of the domains, which we decline to name here, have seen more than 260,000 unique US IP addresses visit them during the month of April 2009, according to Quantcast and Compete.com.

An interesting comment in the PDF file:

Boris like horilka

The Ukrainian word for vodka is horilka. We'd love to see more PDFs with that comment in them. If you have any samples, please send them to me!

Here is an expanded list of domains connected with this malware campaign:

