Following the Trail of Web-Based Malware

Thursday, December 15, 2011

Mark Baldwin

Recently a client of mine alerted me to an email that was received by one of their HR staff members.  

The body of the email states:

After our legal department studied this contract carefully, they've noticed the following mismatches with our previous arrangements. We've composed a preliminary variant of the new contract, please study it and make sure all the issues are matching your interests.

Contract.doc 72kb

With Best Wishes,

Elvina Riggs

Secure Checksum: 9d08e1116b5

Despite having received security awareness training, the staff member clicked the link, thinking it led to a document that needed to be reviewed. In actuality, the link pointed to a legitimate website that had been compromised to serve malicious content.

Fortunately, there were technical controls in place that prevented the user’s machine from being compromised, but I thought it would be illuminating to follow the trail of this attack.

Step 1

The email bypassed the client's anti-spam and anti-malware defenses, most likely because the link pointed to a legitimate website rather than a known malicious one, the message came from a well-known email provider, and there was little else in the message for the filters to score.

Below is the actual HTML contained in the email. The part shown in bold is the hyperlink used in the email.

[Image: Baldwin - malware email (the raw HTML of the message, with the hyperlink highlighted)]

Step 2

Once the user clicked on the link, they were taken to the site hxxp://moneymix.cuna.org.  This is a legitimate site operated by the Credit Union National Association, a credit union trade association.

Moneymix is a service offered by the association to other credit unions, providing social media content for the websites of credit unions that sign up for it. Attackers had injected a malicious iframe into this site; rather than visibly redirecting the visitor, the iframe silently loaded hxxp://ciredret.ru/main.php in the visitor's browser.

Step 3

The main.php script contained obfuscated JavaScript that attempted to exploit several potential vulnerabilities on the user's machine. I downloaded the script and analyzed it. Scripts like this assemble their real code as a string and hand it to eval; by inserting an "alert" statement in place of that call, just prior to the point where the code would actually execute, the decoded code is displayed instead of run, which gives a good idea of what the script does.

Below is a sample of the output.

[Image: sample of the decoded script output]

This exploit script checks the installed versions of a number of applications, including the browser, Java, Flash and Adobe Reader. If it finds a vulnerable version, it attempts to exploit the corresponding vulnerability and compromise the machine.

This code appears to be very widely used, as I found numerous copies of it on sites such as Pastebin. A more readable version of the above code can be found here. Given that this script is in use on so many sites, it is likely part of one of the many commercial exploit packs available on the web.

Conclusion

Based on this research we can draw some conclusions about appropriate countermeasures to address this type of threat.  First, user awareness is key. Users must be educated about these types of threats so that they can identify and avoid them.

Second, defense in depth is a must. In this case the client had anti-spam and anti-malware technology on the mail gateway, but this threat still made it through. Additional countermeasures such as a web security gateway or proxy server that filters outbound web traffic are also recommended. The last line of defense is the endpoint itself.

Third, it is important to understand that even legitimate websites can be victimized and used to spread malware. Don’t assume that because a site is well known or in a particular industry that it is safe.

Lastly, keep your systems patched, including third-party applications such as the Java, Flash and Adobe Reader plugins this script targeted. Ninety-five percent of known exploits are useless against a fully patched system.

Note: I contacted the administrators of the Credit Union National Association website to advise them of the fact that their site was compromised. To their credit they removed the offending file very quickly.

Cross-posted from InfosecStuff

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.