The famous "DNS Changer" case that was featured on the FBI's website in the story Case against Internet fraud ring reveals millions unknowingly affected worldwide actually began when criminals were using such malicious ads to push Fake Antivirus malware to a variety of high profile websites, including the New York Times, which explained its own breach in this September 2009 story, Advertising - On the Web, Ads Can Be a Security Hole.
In the current Yahoo campaign, it was the excellent researchers at Fox-IT in the Netherlands who broke the news. Their story, Malicious advertisements served via Yahoo showed some key information about what was going on.
Basically, some of the advertisements that appeared through Yahoo's ad network contained an IFRAME. An IFRAME is an HTML command that says "go get some content from this OTHER website, and display it as part of what is being shown here." According to Fox's article, some of the domains where the IFRAMEs were hosted included:
- blistartoncom.org (18.104.22.168), registered on 1 Jan 2014
- slaponitkons.net (22.214.171.124), registered on 1 Jan 2014
- origina-filmsonline.com (126.96.36.199)
- funnyboobsonline.org (188.8.131.52)
- yagerass.org (184.108.40.206)
Magnitude Exploit KitTheir article also says that the IFRAME would redirect the computer to a copy of an Exploit Kit known as "Magnitude" by issuing an HTTP REDIRECT statement. You may be familiar with the most famous Exploit Kit in history, the Blackhole Exploit Kit. Back in December this blog ran a story Paunch and the Black Hole / Cool EK Exploit Kit that discussed the fact that the criminals behind that kit have finally been apprehended, and that since their arrest in October, there had been a marked decline in Exploit Kit-based infections.
One reason to believe that Magnitude may dominate this space is to look at where known cybercriminals moved their goods after the demise of BlackHole Exploit Kit. BlackHole was actually one of TWO Exploit Kits run by Paunch. The "premium" Exploit Kit was called "Cool EK" and delivered zero-day (0-day) exploits that were not publicly available anywhere else. After the zero-days became publicly disclosed, Paunch would push those exploits to the lower cost and more common BlackHole Exploit Kit. The primary buyers of the Cool EK throughout the summer were the criminals behind Reveton, which was also known as "Police Lock Ransomware".
One of the early uses of the Magnitude EK was disclosed on the website "kahusecurity", in their article Deobfuscating Magnitude Exploit Kit. The analysis shows that Magnitude was pushing very new Zero-day exploits, and more interestingly, the end-game of the infection was to install the Reveton PoliceLock Exploit Kit!
This is also not the first time that the Magnitude Exploit Kit has been associated with a high-profile website "drive-by infection". Our friend Fabio Assolini, of Kaspersky Security, confirmed that PHP.net, the official website of PHP, was actually injected with a malicious iframe that pointed to the Magnitude Exploit Kit and infected visitors with the Tepfer Trojan (which is better known in some circles as Papras). Here's his tweet (thanks to KahuSecurity for the link):
Other great analysis links for understanding Magnitude EK include:
- Kaffeine's blog "MalwareDon'tNeedCoffee" -- Magnitude EK: Pop! Pop! (March 2013! Kaffeine ahead of us all!)
- Dell SecureWorks's blog -- Cutwail Spam Swapping Blackhole for Magnitude
- ProofPoint's ThreatInsight post -- Paunch Arrest May Mean Magnitude Exploit Kit is the New Blackhole
Magnitude used in ADP SpamWe certainly agree with ProofPoint and Dell on their assertion that Cutwail is using Magnitude. While Reveton was a primary user of the Cool EK, the heaviest user of the BlackHole EK were the malware spammers behind Cutwail. One example of Cutwail using Magnitude would be the October 22, 2013 ADP Payroll spam campaign. In that campaign, Malcovery's T3 Report customers would have been warned of spam messages with subjects "ADP payroll: Account Charge Alert" and "ADP RUN: Account Charge Alert" where URLs on compromised WordPress sites, including cinematracks.com, campwow.com, ceo-interviews.com, and businessblogtechs.com were being used to send visitors to the Magnitude EK site abrakandabr.ru to retrieve "adp.report.php" from port 8080. Just as in this weekend's Yahoo exploit, the primary infection method was a hostile ".jar" file dropped from the Exploit Kit. On October 22, 2013, the ADP spam campaign's Magnitude server dropped the jar file we reported to VirusTotal in this report. which when last scanned was detected as hostile by 6 of 47 Antivirus vendors.
Check Your Logs for . . .Fox-IT lists that there were several "seemingly random subdomains" on the following domains that were used in the redirection, which they list as:
- and others
Based on some research that I've done in the Internet Identity Passive DNS Research platform, I was able to find those names ... here are some examples:
201214.yqs.lucd.ici.ptwd.ivntyzjdlzuk.boxsdiscussing.net 201211.ef.ivntyzjdlzuk.boxsdiscussing.net 201116.vbnf.mkr.ovei.zza.cgu.ivntyzjdlzuk.boxsdiscussing.net 201214.rcfg.bgy.tej.veae.juv.ivntyzjdlzuk.boxsdiscussing.net 201311.leo.dx.ivntyzjdlzuk.boxsdiscussing.net 201115.fe.srqe.sbisakxivel.boxsdiscussing.net 2018.xfi.eah.mhi.sbisakxivel.boxsdiscussing.net 201311.zn.sbisakxivel.boxsdiscussing.net 201216.ehp.sbisakxivel.boxsdiscussing.net 201216.rmji.kjm.hrp.xpex.sbisakxivel.boxsdiscussing.net 201115.obw.wx.sbisakxivel.boxsdiscussing.net 201116.bomw.tswi.vpzy.ir.kqdy.sbisakxivel.boxsdiscussing.net 201311.qw.wvtj.cb.eveourvczt.crisisreverse.net 201311.hrph.sqee.zo.eveourvczt.crisisreverse.net 201118.bfcq.eveourvczt.crisisreverse.net 201116.sp.xdq.xwgt.vqna.ms.eveourvczt.crisisreverse.net 201311.zjn.ejh.rws.hwhd.twiurmgmvw.crisisreverse.net 201116.zllf.zj.lbz.be.twiurmgmvw.crisisreverse.net 201216.udi.wke.twiurmgmvw.crisisreverse.net 201311.nez.uj.kbwc.atk.pbgu.twiurmgmvw.crisisreverse.net 201214.quqc.gm.rf.we.tg.fmpryuyqoz.crisisreverse.net 201311.mak.fmpryuyqoz.crisisreverse.net 201311.nsm.fmpryuyqoz.crisisreverse.net 201311.zm.fmpryuyqoz.crisisreverse.net 201115.ysw.fmpryuyqoz.crisisreverse.net 201115.eoju.zqlj.ze.tt.cmxf.paftwtdqc.limitingbeyond.net 201116.pg.paftwtdqc.limitingbeyond.net 201115.pz.rbnq.rwg.paftwtdqc.limitingbeyond.net 201210.xm.sym.paftwtdqc.limitingbeyond.net 201111.bao.paftwtdqc.limitingbeyond.net 201116.wi.tdc.xgx.jfuo.paftwtdqc.limitingbeyond.net 201514.pbcp.paftwtdqc.limitingbeyond.net 201214.aeo.nwfn.cbpz.efs.paftwtdqc.limitingbeyond.net 201216.yjg.ynnu.paftwtdqc.limitingbeyond.net 201210.yu.paftwtdqc.limitingbeyond.net 201116.jy.ek.tma.fuiv.paftwtdqc.limitingbeyond.net 201116.fo.hea.dyu.wqi.cnsw.paftwtdqc.limitingbeyond.net 201514.fwsj.qygk.dmd.bia.vhy.paftwtdqc.limitingbeyond.net 201214.nsnz.paftwtdqc.limitingbeyond.netIn addition to the domains listed by Fox-IT, we were able to confirm these additional domains, which all used the same hostname/subdomain patterns, and all resolved to the same IP address, 220.127.116.11.
Fox-IT illustrates the Infection FlowPlease visit the excellent post by Fox-IT to read their analysis, but I've borrowed their graphic from there as a better way to show the traffic flow.
(click graphic to visit original article)