Yahoo Malware, additional data based on Fox-IT report

This weekend on the news, or perhaps Monday morning on NPR, you heard that the popular Yahoo domain has been targeted by criminals who pushed malicious advertisements through their services to unsuspecting victims. This technique, generally known as "malvertising", works because advertisement hosters, such as Yahoo, Microsoft, and Google, run deep networks of ads that pull in third party content, which can itself pull in third party content, through many links down an increasingly untrustworthy and untraceable chain. This is nothing new, but is still concerning after at least five years worth of investigations into how to protect ad networks better.

The famous "DNS Changer" case that was featured on the FBI's website in the story Case against Internet fraud ring reveals millions unknowingly affected worldwide actually began when criminals were using such malicious ads to push Fake Antivirus malware to a variety of high profile websites, including the New York Times, which explained its own breach in this September 2009 story, Advertising - On the Web, Ads Can Be a Security Hole.

In the current Yahoo campaign, it was the excellent researchers at Fox-IT in the Netherlands who broke the news. Their story, Malicious advertisements served via Yahoo showed some key information about what was going on.

One very important difference between what you are hearing on the news and reality ... NO ONE HAD TO CLICK the ads in order to be infected. Because the ads displayed an "IFRAME" which caused a REDIRECT to be executed, simply having the ad displayed in your JavaScript aware browser was enough to cause the Exploit Kit to be visited. Over 300,000 computers per hour were visiting the Exploit kit, and roughly 11% of them, 27,000 per hour, were actually infected with malware as a result of the visit. These are very acceptable numbers in the malware distribution world. (visit and infection rates based on Fox-IT's analysis of the destination server hosted in the Netherlands.)

Basically, some of the advertisements that appeared through Yahoo's ad network contained an IFRAME. An IFRAME is an HTML command that says "go get some content from this OTHER website, and display it as part of what is being shown here." According to Fox's article, some of the domains where the IFRAMEs were hosted included:

• blistartoncom.org (192.133.137.59), registered on 1 Jan 2014
• slaponitkons.net (192.133.137.100), registered on 1 Jan 2014
• origina-filmsonline.com (192.133.137.63)
• funnyboobsonline.org (192.133.137.247)
• yagerass.org (192.133.137.56)

Magnitude Exploit Kit

Their article also says that the IFRAME would redirect the computer to a copy of an Exploit Kit known as "Magnitude" by issuing an HTTP REDIRECT statement. You may be familiar with the most famous Exploit Kit in history, the Blackhole Exploit Kit. Back in December this blog ran a story Paunch and the Black Hole / Cool EK Exploit Kit that discussed the fact that the criminals behind that kit have finally been apprehended, and that since their arrest in October, there had been a marked decline in Exploit Kit-based infections.

During my "Malcovery Security Year in Review 2013" webinar (recording available here), one of my predictions was "Prediction #6: Malicious Email Innovators will expand into the vaccum left by Black Hole Exploit arrests". We'll be watching the Magnitude Exploit Kit to see if it can rise to that level.

One reason to believe that Magnitude may dominate this space is to look at where known cybercriminals moved their goods after the demise of BlackHole Exploit Kit. BlackHole was actually one of TWO Exploit Kits run by Paunch. The "premium" Exploit Kit was called "Cool EK" and delivered zero-day (0-day) exploits that were not publicly available anywhere else. After the zero-days became publicly disclosed, Paunch would push those exploits to the lower cost and more common BlackHole Exploit Kit. The primary buyers of the Cool EK throughout the summer were the criminals behind Reveton, which was also known as "Police Lock Ransomware".

One of the early uses of the Magnitude EK was disclosed on the website "kahusecurity", in their article Deobfuscating Magnitude Exploit Kit. The analysis shows that Magnitude was pushing very new Zero-day exploits, and more interestingly, the end-game of the infection was to install the Reveton PoliceLock Exploit Kit!

(Click image to visit the KahuSecurity report on Magnitude EK)

This is also not the first time that the Magnitude Exploit Kit has been associated with a high-profile website "drive-by infection". Our friend Fabio Assolini, of Kaspersky Security, confirmed that PHP.net, the official website of PHP, was actually injected with a malicious iframe that pointed to the Magnitude Exploit Kit and infected visitors with the Tepfer Trojan (which is better known in some circles as Papras). Here's his tweet (thanks to KahuSecurity for the link):

Other great analysis links for understanding Magnitude EK include:

• Kaffeine's blog "MalwareDon'tNeedCoffee" -- Magnitude EK: Pop! Pop! (March 2013! Kaffeine ahead of us all!)
• Dell SecureWorks's blog -- Cutwail Spam Swapping Blackhole for Magnitude
• ProofPoint's ThreatInsight post -- Paunch Arrest May Mean Magnitude Exploit Kit is the New Blackhole

Magnitude used in ADP Spam

We certainly agree with ProofPoint and Dell on their assertion that Cutwail is using Magnitude. While Reveton was a primary user of the Cool EK, the heaviest user of the BlackHole EK were the malware spammers behind Cutwail. One example of Cutwail using Magnitude would be the October 22, 2013 ADP Payroll spam campaign. In that campaign, Malcovery's T3 Report customers would have been warned of spam messages with subjects "ADP payroll: Account Charge Alert" and "ADP RUN: Account Charge Alert" where URLs on compromised WordPress sites, including cinematracks.com, campwow.com, ceo-interviews.com, and businessblogtechs.com were being used to send visitors to the Magnitude EK site abrakandabr.ru to retrieve "adp.report.php" from port 8080. Just as in this weekend's Yahoo exploit, the primary infection method was a hostile ".jar" file dropped from the Exploit Kit. On October 22, 2013, the ADP spam campaign's Magnitude server dropped the jar file we reported to VirusTotal in this report. which when last scanned was detected as hostile by 6 of 47 Antivirus vendors.

Check Your Logs for . . .

Fox-IT lists that there were several "seemingly random subdomains" on the following domains that were used in the redirection, which they list as:

• boxsdiscussing.net
• crisisreverse.net
• limitingbeyond.net
• and others

Based on some research that I've done in the Internet Identity Passive DNS Research platform, I was able to find those names ... here are some examples:

201214.yqs.lucd.ici.ptwd.ivntyzjdlzuk.boxsdiscussing.net
201211.ef.ivntyzjdlzuk.boxsdiscussing.net
201116.vbnf.mkr.ovei.zza.cgu.ivntyzjdlzuk.boxsdiscussing.net
201214.rcfg.bgy.tej.veae.juv.ivntyzjdlzuk.boxsdiscussing.net
201311.leo.dx.ivntyzjdlzuk.boxsdiscussing.net
201115.fe.srqe.sbisakxivel.boxsdiscussing.net
2018.xfi.eah.mhi.sbisakxivel.boxsdiscussing.net
201311.zn.sbisakxivel.boxsdiscussing.net
201216.ehp.sbisakxivel.boxsdiscussing.net
201216.rmji.kjm.hrp.xpex.sbisakxivel.boxsdiscussing.net
201115.obw.wx.sbisakxivel.boxsdiscussing.net
201116.bomw.tswi.vpzy.ir.kqdy.sbisakxivel.boxsdiscussing.net

201311.qw.wvtj.cb.eveourvczt.crisisreverse.net
201311.hrph.sqee.zo.eveourvczt.crisisreverse.net
201118.bfcq.eveourvczt.crisisreverse.net
201116.sp.xdq.xwgt.vqna.ms.eveourvczt.crisisreverse.net
201311.zjn.ejh.rws.hwhd.twiurmgmvw.crisisreverse.net
201116.zllf.zj.lbz.be.twiurmgmvw.crisisreverse.net
201216.udi.wke.twiurmgmvw.crisisreverse.net
201311.nez.uj.kbwc.atk.pbgu.twiurmgmvw.crisisreverse.net
201214.quqc.gm.rf.we.tg.fmpryuyqoz.crisisreverse.net
201311.mak.fmpryuyqoz.crisisreverse.net
201311.nsm.fmpryuyqoz.crisisreverse.net
201311.zm.fmpryuyqoz.crisisreverse.net
201115.ysw.fmpryuyqoz.crisisreverse.net

201115.eoju.zqlj.ze.tt.cmxf.paftwtdqc.limitingbeyond.net
201116.pg.paftwtdqc.limitingbeyond.net
201115.pz.rbnq.rwg.paftwtdqc.limitingbeyond.net
201210.xm.sym.paftwtdqc.limitingbeyond.net
201111.bao.paftwtdqc.limitingbeyond.net
201116.wi.tdc.xgx.jfuo.paftwtdqc.limitingbeyond.net
201514.pbcp.paftwtdqc.limitingbeyond.net
201214.aeo.nwfn.cbpz.efs.paftwtdqc.limitingbeyond.net
201216.yjg.ynnu.paftwtdqc.limitingbeyond.net
201210.yu.paftwtdqc.limitingbeyond.net
201116.jy.ek.tma.fuiv.paftwtdqc.limitingbeyond.net
201116.fo.hea.dyu.wqi.cnsw.paftwtdqc.limitingbeyond.net
201514.fwsj.qygk.dmd.bia.vhy.paftwtdqc.limitingbeyond.net
201214.nsnz.paftwtdqc.limitingbeyond.net

In addition to the domains listed by Fox-IT, we were able to confirm these additional domains, which all used the same hostname/subdomain patterns, and all resolved to the same IP address, 193.169.245.78.

• boxsdiscussing.net
• chapterwild.net
• crisisreverse.net
• elsecommenting.net
• farmtrains.net
• federalpoet.net
• irritatedpound.net
• layfriend.net
• liechecks.net
• limitingbeyond.net
• suggestsfilm.net

One example of each of those hostname/subdomain patterns for each of those domains, all observed in the IID Passive DNS collection resolving to 193.169.245.78, are given here:

• 201311.koha.uue.vwm.swp.cfmg.buosehgr.boxsdiscussing.net
• 201311.et.ck.fsc.gjwa.dh.acirtcbrjmcm.chapterwild.net
• 201116.sp.xdq.xwgt.vqna.ms.eveourvczt.crisisreverse.net
• 201214.ups.xwo.jrw.hoy.bmm.bhzoahcvhbv.elsecommenting.net
• 201210.kyy.qfw.qji.lg.agw.douvcaghuuh.farmtrains.net
• 201214.lu.oqkt.vu.qfmw.xsyn.gjsjixxiskxe.federalpoet.net
• 201116.ivfi.pmar.vv.hw.fvyg.aicnkapom.irritatedpound.net
• 201116.gp.hnpd.lwp.nv.aj.armlnjjyot.layfriend.net
• 201210.uzb.cavs.bqkw.kpou.cwp.blenzspz.liechecks.net
• 201210.bigc.opt.jcov.widl.hpv.duohlqzrzqw.limitingbeyond.net
• 201116.jjia.wo.nmf.chl.sog.gvkqjqvzf.suggestsfilm.net

Fox-IT illustrates the Infection Flow

Please visit the excellent post by Fox-IT to read their analysis, but I've borrowed their graphic from there as a better way to show the traffic flow.
(click graphic to visit original article)