Tag Archives: Redkit

Spin.com visitors served malware instead of music

Compromised site sent visitors to Rig exploit kit to infect them with a range of malware including Infostealer.Dyranges and Trojan.Zbot.

Toolbox_concept.png

On October 27, while tracking exploit kits (EKs) and infected domains, Symantec discovered that the popular music news and reviews website spin.com was redirecting visitors to the Rig exploit kit. This exploit kit was discovered earlier this year and is known to be the successor of another once popular EK, Redkit. The Rig EK takes advantage of vulnerabilities in Internet Explorer, Java, Adobe Flash, and Silverlight and was also one of the EKs associated with the askmen.com compromise back in June.

At the time of writing, the spin.com website was no longer compromised. However, spin.com is a popular site in the US, according to Alexa, so the attackers could have potentially infected a substantial amount of users’ computers with malware during the time the site was compromised. The number of potential victims could grow substantially depending on the length of time the website was redirecting visitors to the EK prior to our discovery. Our data shows that the attack campaign mainly affected spin.com visitors located in the US.

Fig1.png
Figure 1. Symantec telemetry shows visitors based in the US were most affected by spin.com compromise

How the attack worked
The attackers injected an iframe into the spin.com website, which redirected users to the highly obfuscated landing page of the Rig EK.

Fig2_13.png
Figure 2. Injected iframe on compromised spin.com website

When the user arrives on the landing page, the Rig EK checks the user’s computer for driver files associated with particular security software products. To avoid detection, the EK avoids dropping any exploits if the security software driver files are present.

Fig3_0.PNG
Figure 3. Rig EK searches for driver files used by security software products

The EK then looks for particular installed plugins and will attempt to exploit them accordingly. In the recent compromise, the Rig EK took advantage of the following vulnerabilities:

Upon successfully exploiting any of these vulnerabilities, a XOR-encrypted payload is downloaded onto the user’s computer. The Rig EK may then drop a range of malicious payloads such as downloaders and information stealers including banking Trojan Infostealer.Dyranges, and the infamous Trojan.Zbot (Zeus).

Symantec protection
Symantec has detections in place to protect against the Rig EK and the vulnerabilities exploited by it, so customers with updated intrusion prevention and antivirus signatures were protected against this attack. Users should also ensure that they update their software regularly to prevent attackers from exploiting known vulnerabilities. Symantec provides the following comprehensive protection to help users stay protected against the Rig EK and the malware delivered by it in this recent website compromise:

Intrusion prevention

Antivirus

Rendering the Web Red with Redkit

On June 26, we observed an exploit kit attack on the Segway website. Symantec has notified Segway about the attack and Segway has since taken steps to ensure their website is no longer compromised. This blog will look at the details of an attack using the Redkit exploit kit.

Attack details

Code is injected into a jQuery script.

Redkit 1 edit_0.png

Figure 1. jQuery script with code injection

The malicious code is present in the jquery.min.js JavaScript.

Redkit 2 edit.png

Figure 2. Malicious code in jquery.min.js

The injected JavaScript decodes to a malicious iframe, which redirects to a landing page. This also sets up a cookie after the redirection so that users are not compromised more than once.

Redkit 3-1 edit.png

Decodes to:

Redkit 3-2 edit.png

Figure 3. JavaScript decodes to a malicious iframe

The iframe redirects to a Redkit landing page:

  • [REMOVED]. [REMOVED].co.uk/abcd.html

The landing page loads the Java Network Launch Protocol (JNLP) to call the malicious JAR files. On successful exploitation, the JAR files use “Open Connection” and receives the URL from “param value=” in an obfuscated manner.

Redkit 4 edit.png

Figure 4. Obfuscated URL received from “param value=”

The encoded string resolves to:

  • http://[REMOVED]. [REMOVED].co.uk/19.html

The JNLP script is used to deploy malicious JAR files on user’s computer.

Redkit 5 edit.png

Figure 5. JNLP script used to deploy malicious JAR files

The URI for the JAR files:

  • http://[REMOVED]. [REMOVED].co.uk/8o.jar

Current JAR file names are two characters long, such as 80.jar, sj.jar, and 7t.jar. These JAR files download an encrypted payload and employ cipher schemes to decrypt it.

The JAR files used in this attack use a Java type confusion vulnerability (CVE-2012-1723)

Redkit 6 edit.png_0.png

Figure 6. Java type confusion being exploited

The cipher scheme used to decode the URL, passed as param through JNLP, is a simple character substitution algorithm.

Redkit 7 edit_0.png

Figure 7. Cipher scheme used to decode URL

Several pieces of malware are dropped in this attack:

Redkit 8 edit_0.png

Figure 8. Attack scenario

Conclusion

Redkit has been available since early 2012 and still propagates in the same way: Hacked sites with a malicious iframe redirect to the exploit kit landing page, as we have observed in this case, and then plugin detect scripts are used for fingerprinting just like other exploit kits.

Recently, we have observed landing pages with the following URI patterns:

  • [REMOVED]. [REMOVED]/hfiv.htm
  • [REMOVED]. [REMOVED]/hmtg.htm
  • [REMOVED].[REMOVED]/hmtg.htm

Redkit has started deploying JAR files using JNLP script as a plugin to load them. The dropped JAR files have numbered names such as 11.jar or 123.jar. The JAR files are obfuscated and exploit the latest Java vulnerabilities. The payload for these files is encrypted.

Redkit exploits several Java vulnerabilities:

Redkit is known to drop:                                                  

Symantec blocked approximately 150,000 Redkit attacks last month.

Redkit 9 edit.png_0.png

Figure 9. Geographical distribution of attacks

North American, European, and USSR regions are the most affected geographical areas. The motive for these attacks is generally compromising users for monetary benefits. Recently, these attacks have targeted organizations in order to steal intellectual property.

Protection

The good news is that Symantec provides comprehensive protection for Redkit attacks, and customers with updated intrusion prevention and antivirus signatures are protected. Intrusion Prevention scans all the network traffic that enters and exits your computer and compares this information against a set of attack signatures, protecting users against the most common Internet attacks.

Symantec has the following protection in place to protect customers from this attack:

Intrusion prevention:

Antivirus:

Java ???? CVE-2013-2432 ???????

      No Comments on Java ???? CVE-2013-2432 ???????

Java の脆弱性は、サイバー犯罪者(悪用ツールキットの作成者)の間で常に悪用の対象となってきました。Java はオペレーティングシステムやブラウザの種類を超えて動作し、大量のユーザーに感染させられる可能性が非常に高いためです。

4 月 16 日に Oracle 社は、サポート対象の多数の製品で見つかった脆弱性に対処する 2013 年 4 月版の Java Critical Patch Update(CPU)をリリースしました。興味深いことに、それらの脆弱性のひとつ CVE-2013-2432 は、この翌日に公表され、続く 4 月 20 日に Metasploit の概念実証が公開されています。

悪用ツールキットの作成者は、一般に公開されたこの脆弱性をさっそく悪用し始めています。現在確認されているのは、Redkit と Cool 悪用ツールキットが今回の新しい Java 脆弱性を利用するケースですが、その他の悪用ツールキットにも波及するものと予測されます。

Redkit と Cool 悪用ツールキットを使ってこの脆弱性を悪用する攻撃を遮断するために、以下の侵入防止シグネチャ(IPS)が提供されています。

シマンテックのウイルス対策技術では、これらの悪質なファイルは Trojan.Maljava として検出されます。

現在この脆弱性は重大度が高いと考えられているので、Oracle 社からリリースされている Java Critical Patch Update を適用することをお勧めします。また、上記のように、脅威を未然に検出する新しい IPS シグネチャがリリースされていますので、シマンテックのセキュリティ製品を更新して最新のセキュリティコンポーネントをインストールすることもお勧めします。ただし、ソフトウェア更新やパッチに偽装するマルウェアに注意して、パッチは必ず公式 Web サイトからダウンロードしてください。

 

* 日本語版セキュリティレスポンスブログの RSS フィードを購読するには、http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja にアクセスしてください。

Java Exploit CVE-2013-2432 Coverage

      No Comments on Java Exploit CVE-2013-2432 Coverage

Java vulnerabilities have always been popular among cybercriminals (exploit kits authors) since they can work across multiple browsers and even multiple operating systems, the potential for infecting large numbers of users is very high.
On April 16, Or…