HACKER MEDICINE

At the time of writing, the spin.com website was no longer compromised. However, spin.com is a popular site in the US, according to Alexa, so the attackers could have potentially infected a substantial amount of users’ computers with malware during the time the site was compromised. The number of potential victims could grow substantially depending on the length of time the website was redirecting visitors to the EK prior to our discovery. Our data shows that the attack campaign mainly affected spin.com visitors located in the US.

Figure 1. Symantec telemetry shows visitors based in the US were most affected by spin.com compromise

How the attack worked
The attackers injected an iframe into the spin.com website, which redirected users to the highly obfuscated landing page of the Rig EK.

Figure 2. Injected iframe on compromised spin.com website

When the user arrives on the landing page, the Rig EK checks the user’s computer for driver files associated with particular security software products. To avoid detection, the EK avoids dropping any exploits if the security software driver files are present.

Figure 3. Rig EK searches for driver files used by security software products

The EK then looks for particular installed plugins and will attempt to exploit them accordingly. In the recent compromise, the Rig EK took advantage of the following vulnerabilities:

• Microsoft Internet Explorer Use-After-Free Remote Code Execution Vulnerability (CVE-2013-2551) 
• Microsoft Internet Explorer Use-After-Free Remote Code Execution Vulnerability (CVE-2014-0322)
• Adobe Flash Player Remote Code Execution Vulnerability (CVE-2014-0497)
• Microsoft Silverlight Double Deference Remote Code Execution Vulnerability (CVE-2013-0074)
• Oracle Java SE Memory Corruption Vulnerability (CVE-2013-2465)
• Oracle Java SE Remote Java Runtime Environment Code Execution Vulnerability (CVE-2012-0507)
• Microsoft Internet Explorer Information Disclosure Vulnerability (CVE-2013-7331)

Upon successfully exploiting any of these vulnerabilities, a XOR-encrypted payload is downloaded onto the user’s computer. The Rig EK may then drop a range of malicious payloads such as downloaders and information stealers including banking Trojan Infostealer.Dyranges, and the infamous Trojan.Zbot (Zeus).

Symantec protection
Symantec has detections in place to protect against the Rig EK and the vulnerabilities exploited by it, so customers with updated intrusion prevention and antivirus signatures were protected against this attack. Users should also ensure that they update their software regularly to prevent attackers from exploiting known vulnerabilities. Symantec provides the following comprehensive protection to help users stay protected against the Rig EK and the malware delivered by it in this recent website compromise:

Intrusion prevention

• Web Attack: Exploit Toolkit Website 47
• Web Attack: Malicious Executable Download 2
• Web Attack: MSIE CVE-2013-2551 3
• Web Attack: Rig Exploit Kit Website 5
• Web Attack: Rig Exploit Kit Website 9
• Web Attack: Rig Exploit Kit Website 4
• Web Attack: Rig Exploit Kit Website 21
• Web Attack: MSIE XMLDOM ActiveX CVE-2013-7331 2
• Web Attack: MSIE XMLDOM ActiveX CVE-2013-7331
• Web Attack: Malicious Exploit Kit Silverlight Exploit 2

Antivirus

• Trojan.Maljava
• Trojan.Swifi
• Trojan.Zbot
• Infostealer.Dyranges
• Downloader