2. Drive-By-Download
• Hackers distribute malware by "poisoning" legitimate websites
• Hacker injects malicious iframes into HTML content
• Vulnerabilities in browsers, Acrobat, Java, Flash Player, etc., used by attacker
You just want information about insurance, nothing more, but…
3. What does it look like?
[Diagram: PC connected to the Internet -> Known server with iframe -> Intermediate server controlled by attacker -> Exploit server controlled by attacker (INFO on OS, browser plugins, etc. is collected, then the Exploit runs) -> Host ready -> Malware server controlled by attacker -> Malware]
4. How we find it?
Date/Time 2011-08-05 10:44:53 YEKST
Tag Name PDF_XFA_Script
Observance Type Intrusion Detection
Cleared Flag false
Target IP Address 10.X.X.X
Target Object Name 9090
Target Object Type Target Port
Target Service unknown
Source IP Address 10.X.X.Y
SourcePort Name 2359
compressed zlib
server total.logeater.org
URL //images/np/45eebb038bd46a63e08665f3081fb408/6cd14aca59271182c8a04159f9ad2804.pdf
5. DOES USER NEED IT??
How we find it?
Date/Time 2011-08-05 10:44:53
Tag Name PDF_XFA_Script
Target IP Address 10.X.X.X
Target Object Name 9090
Target Object Type Target Port
Source IP Address 10.X.X.Y
SourcePort Name 2359
compressed zlib
server total.logeater.org
URL //images/np/45eebb038bd46a63e08665f3081fb408/6cd14aca59271182c8a04159f9ad2804.pdf
6. First indicators
Date/Time 2011-07-26 11:24:37
Tag Name PDF_XFA_Script
arg 3592ba48df0fae9e5f5c5b09535a070d0b04020600510f0c56075c06040750
compressed zlib
server mamjhvbw.dyndns.pro
URL /ghqlv3ym/
7. First indicators
Date/Time 2011-08-16 13:24:44
Tag Name ActiveX_Warning
clsid CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA
server skipetar.in
URL /jb/pda.js
Date/Time 2011-08-18 19:00:13
Tag Name ActiveX_Warning
clsid CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA
server e1in.in
URL /stat/574a353789f/pda.js
8. First indicators
Date/Time 2011-08-09 10:17:14
Tag Name PDF_XFA_Script
arg host=http://inaptly.in&b=486def4
compressed gzip
server inaptly.in
URL /jb/lastrger.php
Date/Time 2011-08-14 14:06:28
Tag Name PDF_XFA_Script
arg host=http://oligist.in&b=486def4
compressed gzip
server oligist.in
URL /jb/lastrger.php
Date/Time 2011-08-18 19:00:13
Tag Name PDF_XFA_Script
arg host=http://e1in.in/stat&u=root
compressed zlib
server e1in.in
URL /stat/574a353789f/lastrger.php
9. First indicators
Date/Time            Tag Name         server                URL                             arg / clsid
2011-07-26 11:24:37  PDF_XFA_Script   mamjhvbw.dyndns.pro   /ghqlv3ym/                      3592ba48df0fae9e5f5c5b09535a070d0b04020600510f0c56075c06040750 (zlib)
2011-08-09 10:17:14  PDF_XFA_Script   inaptly.in            /jb/lastrger.php                host=http://inaptly.in&b=486def4 (gzip)
2011-08-14 14:06:28  PDF_XFA_Script   oligist.in            /jb/lastrger.php                host=http://oligist.in&b=486def4 (gzip)
2011-08-16 13:24:44  ActiveX_Warning  skipetar.in           /jb/pda.js                      clsid CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA
2011-08-18 19:00:13  ActiveX_Warning  e1in.in               /stat/574a353789f/pda.js        clsid CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA
2011-08-18 19:00:13  PDF_XFA_Script   e1in.in               /stat/574a353789f/lastrger.php  host=http://e1in.in/stat&u=root (zlib)
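The pivot behind slides 6 to 9 (same script path, different hosts) as an added example that is not from the deck: it parses alert records in the deck's "key value" layout (constructed sample below, including the ':'-prefixed variant) and groups the hosts by the script they fetch, pulling the second host out of the host= argument.

```python
import re
from collections import defaultdict
# Constructed sample in the deck's alert layout (slides 7 and 8); blank lines separate records.
ALERTS = """\
Date/Time 2011-08-09 10:17:14
Tag Name PDF_XFA_Script
arg host=http://inaptly.in&b=486def4
compressed gzip
server inaptly.in
URL /jb/lastrger.php

Date/Time 2011-08-16 13:24:44
Tag Name ActiveX_Warning
:clsid CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA
server skipetar.in
URL /jb/pda.js

Date/Time 2011-08-18 19:00:13
Tag Name PDF_XFA_Script
:arg host=http://e1in.in/stat&u=root
:compressed zlib
:server e1in.in
URL /stat/574a353789f/lastrger.php
"""
KEYS = ("Date/Time", "Tag Name", "arg", "compressed", "server", "URL", "clsid")

def parse_alerts(text):
    """Turn each blank-line-separated block into a dict of the known fields."""
    records = []
    for block in text.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines():
            line = line.lstrip(":")  # some exports prefix a field with ':'
            for key in KEYS:
                if line.startswith(key + " "):
                    rec[key] = line[len(key) + 1:].strip()
                    break
        records.append(rec)
    return records

def pivot_by_script(records):
    """Group alerts by the script fetched (last URL component); collect the alert server plus any host= inside arg."""
    hosts = defaultdict(set)
    for rec in records:
        script = rec["URL"].rstrip("/").rsplit("/", 1)[-1]
        hosts[script].add(rec["server"])
        m = re.search(r"host=https?://([^/&\s]+)", rec.get("arg", ""))
        if m:
            hosts[script].add(m.group(1))
    return dict(hosts)
```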
15. Drive By Download o-strahovanie.ru Sep 02
[Diagram, same chain as slide 3: PC connected to the Internet -> Known server with iframe -> Intermediate server disregarding.in; the Exploit server / Exploit stage and the Malware server / Malware stage are both marked NO]
16. Drive By Download o-strahovanie.ru Sep 12
[Diagram, same chain as slide 3: PC connected to the Internet -> Known server with iframe -> Intermediate server disregarding.in -> Exploit server chamberwoman.in / janiculum.in (INFO on OS, browser plugins, etc., then Exploit) -> Host ready -> Malware server chamberwoman.in / janiculum.in -> Malware]
17. Example: o-strahovanie.ru
Domain Name:DISREGARDING.IN
Created On:14-Jul-2011 11:09:59 UTC
Registrant Name:Russell Rosario
Registrant Street1:136 Oakdale Avenue
City:Winter Haven
Registrant Country:US
Email:russellsrosario@teleworm.com
Name Server:NS1.PRIDES.ME
Name Server:NS2.PRIDES.ME
Domain Name:JANICULUM.IN, CHAMBERWOMAN.IN
Created On:12-Sep-2011 08:14 UTC
Registrant Name:Russell Rosario
18. Example: o-strahovanie.ru
Domain Name:DISREGARDING.IN
Created On:14-Jul-2011 11:09:59 UTC
Domain Name:JANICULUM.IN, CHAMBERWOMAN.IN
Created On:12-Sep-2011 08:14 UTC
Registrant Name:Russell Rosario
No payload, because no payload requests?
Are they looking for customers?
19. Example: o-strahovanie.ru
Domain ID:D5165642-AFIN
Domain Name:DISREGARDING.IN
Created On:14-Jul-2011 11:09:59 UTC
Registrant Name:Russell Rosario
Registrant Street1:136 Oakdale Avenue
City:Winter Haven
Registrant Country:US
Email:russellsrosario@teleworm.com
Name Server:NS1.PRIDES.ME
Name Server:NS2.PRIDES.ME
20. Russell Rosario
filtrated.in   Created On:14-Jul-2011 11:09:53 UTC
raptnesses.in  Created On:14-Jul-2011 11:09:56 UTC
tansies.in     Created On:14-Jul-2011 11:10:03 UTC
Domain Name:FILTRATED.IN
Sponsoring Registrar:Directi Web Services Pvt. Ltd. (R118-AFIN)
Registrant ID:TS_16731618
Registrant Name:Russell Rosario
Registrant Street1:136 Oakdale Avenue
Registrant City:Winter Haven
Registrant State/Province:Florida
Registrant Postal Code:33830
Registrant Country:US
Registrant Phone:+1.8635571308
Email:russellsrosario@teleworm.com
But Sally Doesn't Know…
21. Attack before public disclosure
• Primary location for malicious sites: .IN
• Physical servers location by IP-Address: Romania
• Responsible person: Russell Rosario
• Domains are new
22. Domain owner is the same
Domain Name Created On Registrant Name
irrefutably.in 15-Jul-2011 11:00:21 UTC Russell Rosario
comprador.in 25-Jul-2011 05:59:54 UTC Russell Rosario
hyalines.in 29-Jul-2011 09:39:33 UTC Russell Rosario
suffrago.in 01-Aug-2011 05:35:12 UTC Russell Rosario
ruritanian.in 01-Aug-2011 05:35:50 UTC Russell Rosario
20-Jul-2011 Acrobat Vulnerability vendor notified
23. Vulnerability reported to vendor
VUPEN Security Research - Adobe Acrobat and Reader PCX Processing Heap Overflow Vulnerability
VUPEN Security Research - Adobe Acrobat and Reader IFF Processing Heap Overflow Vulnerability
VUPEN Security Research - Adobe Acrobat and Reader Picture Dimensions Heap Overflow Vulnerability
VUPEN Security Research - Adobe Acrobat and Reader TIFF BitsPerSample Heap Overflow Vulnerability
X. DISCLOSURE TIMELINE
-----------------------------
2011-07-20 - Vulnerability Discovered by VUPEN and shared with TPP customers
2011-09-14 - Public disclosure
ZDI-11-310 : Adobe Reader Compound Glyph Index Sign Extension Remote Code Execution Vulnerability
-- Disclosure Timeline:
2011-07-20 - Vulnerability reported to vendor
2011-10-26 - Coordinated public release of advisory
ZDI-11-316 : Apple QuickTime H264 Matrix Conversion Remote Code Execution Vulnerability
-- Disclosure Timeline:
2011-07-20 - Vulnerability reported to vendor
2011-10-27 - Coordinated public release of advisory
24. Harvesting machine started
Domain Name Created On Registrant Name
microdrili.in 05-Aug-2011 07:13:08 UTC Russell Rosario
oligist.in 05-Aug-2011 07:13:12 UTC Russell Rosario
provost.in 05-Aug-2011 07:13:18 UTC Russell Rosario
vaginalitis.in 05-Aug-2011 07:13:25 UTC Russell Rosario
kremlinology.in 05-Aug-2011 07:13:35 UTC Russell Rosario
invariance.in 05-Aug-2011 07:13:41 UTC Russell Rosario
alleghenian.in 05-Aug-2011 07:13:48 UTC Russell Rosario
dandifies.in 05-Aug-2011 07:14:06 UTC Russell Rosario
xenophoby.in 05-Aug-2011 07:14:09 UTC Russell Rosario
alliaria.in 05-Aug-2011 07:14:15 UTC Russell Rosario
skipetar.in 05-Aug-2011 07:14:21 UTC Russell Rosario
inaptly.in 05-Aug-2011 07:15:05 UTC Russell Rosario
allhallowtide.in 05-Aug-2011 07:15:20 UTC Russell Rosario
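Slides 22 and 24 show the same registrant creating domains in a burst of a couple of minutes. As an added example (not from the deck), this parses rows in the deck's "Domain Name / Created On / Registrant Name" layout and reports runs of registrations by one registrant that follow each other within a short window; the rows are a constructed subset, and the last row is an invented unrelated registrant used as a control.

```python
from datetime import datetime, timedelta

# Constructed rows in the layout of slides 22 and 24; the final row is an
# invented registrant that must not be reported.
ROWS = """\
irrefutably.in 15-Jul-2011 11:00:21 UTC Russell Rosario
comprador.in 25-Jul-2011 05:59:54 UTC Russell Rosario
microdrili.in 05-Aug-2011 07:13:08 UTC Russell Rosario
oligist.in 05-Aug-2011 07:13:12 UTC Russell Rosario
skipetar.in 05-Aug-2011 07:14:21 UTC Russell Rosario
inaptly.in 05-Aug-2011 07:15:05 UTC Russell Rosario
example-control.in 05-Aug-2011 07:14:00 UTC Some Other Name
"""

def parse_rows(text):
    """Return (domain, created datetime, registrant name) per row."""
    out = []
    for line in text.strip().splitlines():
        domain, day, clock, _utc, *name = line.split()
        created = datetime.strptime(f"{day} {clock}", "%d-%b-%Y %H:%M:%S")
        out.append((domain, created, " ".join(name)))
    return out

def registration_bursts(rows, window=timedelta(minutes=5), min_size=3):
    """Per registrant, sort by creation time and return runs in which every
    registration follows the previous one within `window`, keeping runs of
    at least `min_size` domains."""
    by_registrant = {}
    for domain, created, name in rows:
        by_registrant.setdefault(name, []).append((created, domain))
    bursts = []
    for name, items in by_registrant.items():
        items.sort()
        run = [items[0]]
        for prev, cur in zip(items, items[1:]):
            if cur[0] - prev[0] <= window:
                run.append(cur)
            else:
                if len(run) >= min_size:
                    bursts.append((name, [d for _, d in run]))
                run = [cur]
        if len(run) >= min_size:
            bursts.append((name, [d for _, d in run]))
    return bursts
```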
25. But maybe someone knows?
• Spamlists
• AV Vendors
• Safebrowsing
• Securityfocus
29. Securityfocus Sep 07
Sent: Wednesday, September 07, 2011 11:31 PM
Subject: There is a strange get request header in all web pages of my site? I'm worried about a Trojan attack!
Today I found that Kasper Anti Virus has blocked my site and says to the clients that this site is affected by a Trojan. I traced my site with Fiddler debugging tool and I found that every time I send a request to the site a GET request handler is established to the following URL: "http://carlos.c0m.li/iframe.php?id=v4pfa24nw91yhoszkdmoh413ywv6cp7"
33. “New generation”
[Diagram, same chain as slide 3 with one extra hop: PC connected to the Internet -> Known server with iframe -> Other known server NOT controlled by attacker -> Intermediate server controlled by attacker -> Exploit server controlled by attacker (INFO on OS, browser plugins, etc., then Exploit) -> Host ready -> Malware server controlled by attacker -> Malware]
34. Attack after public disclosure
• Primary location for malicious sites: .IN, .RU, .CX.CC, .BIZ, .INFO, …
• Physical servers location by IP-Address: international
• Domains registered to different spurious persons
• Domain lifetime ~ time to blacklist appearance
• Attack refers to a malicious server for a short period of time, and to a well-known one almost all day long (blacklist evasion technique)
• If you don't know the exact malware URL, the site redirects to a well-known server
• Different types of payload used: password stealers, win lockers, and even “normal” (or another ZD) files installed
47. Other examples: ria.ru (news, 667 222 visits per day)
Datetime [09/Nov/2011:12:26:45 +0300]
Url GET http://jya56yhsvcsss.com/BVRQ HTTP/1.0
IP 176.9.50.178
Site jya56yhsvcsss.com
Referrer http://ria.ru/
48. Other examples: inosmi.ru (news, 175 361 visits per day)
Datetime [09/Nov/2011:12:28:10 +0300]
Url GET http://jya56yhsvcsss.com/BVRQ HTTP/1.1
IP 176.9.50.178
Site jya56yhsvcsss.com
Referrer http://inosmi.ru/
49. Other examples: glavbukh.ru (15 200 visits per day)
Datetime [09/Nov/2011:12:14:46 +0300]
Url GET http://jya56yhsvcsss.com/BVRQ HTTP/1.0
IP 176.9.50.178
Site jya56yhsvcsss.com
Referrer http://www.glavbukh.ru/
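Slides 47 to 49 show one unknown host reached from three unrelated, high-traffic referrers within minutes, the pattern slide 34 describes. As an added example (not from the deck), this parses proxy records in that Datetime / Url / IP / Site / Referrer layout (constructed here as one " | "-separated line per record, with one invented benign CDN record as a control) and reports sites requested from several distinct referrer domains.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed records in the layout of slides 47-49, one per line; the last
# line is an invented benign CDN fetch that should not be reported.
LOG = """\
[09/Nov/2011:12:14:46 +0300] | GET http://jya56yhsvcsss.com/BVRQ HTTP/1.0 | 176.9.50.178 | jya56yhsvcsss.com | http://www.glavbukh.ru/
[09/Nov/2011:12:26:45 +0300] | GET http://jya56yhsvcsss.com/BVRQ HTTP/1.0 | 176.9.50.178 | jya56yhsvcsss.com | http://ria.ru/
[09/Nov/2011:12:28:10 +0300] | GET http://jya56yhsvcsss.com/BVRQ HTTP/1.1 | 176.9.50.178 | jya56yhsvcsss.com | http://inosmi.ru/
[09/Nov/2011:12:30:02 +0300] | GET http://cdn.example-news.ru/a.js HTTP/1.1 | 203.0.113.5 | cdn.example-news.ru | http://ria.ru/
"""

def parse_log(text):
    """Split each record into its fields; the referrer is reduced to its host."""
    recs = []
    for line in text.strip().splitlines():
        dt, url, ip, site, ref = [f.strip() for f in line.split(" | ")]
        recs.append({"datetime": dt, "url": url, "ip": ip, "site": site,
                     "referrer": urlsplit(ref).hostname})
    return recs

def strip_www(host):
    return host[4:] if host.startswith("www.") else host

def suspicious_sites(recs, min_referrers=2):
    """Sites fetched from at least `min_referrers` distinct third-party
    referrer domains: one injected iframe host showing up across many sites."""
    refs = defaultdict(set)
    for r in recs:
        if r["referrer"] and strip_www(r["referrer"]) != strip_www(r["site"]):
            refs[r["site"]].add(strip_www(r["referrer"]))
    return {site: sorted(h) for site, h in refs.items() if len(h) >= min_referrers}
```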
65. What can we do?
• Patch endpoints
• Tighten Internet filtering (default deny if possible)
• No Internet surfing with admin rights
• See what’s happening (continuous monitoring)
• Check if you’re well (regular technical audits)
• Educate people
66. Credits
• Sergey V. Soldatov,
TBINFORM (TNK-BP Group)
• Konstantin Y. Kadushkin,
TBINFORM (TNK-BP Group)
• Wayne Huang,
ARMORIZE
67. THE END
Vladimir B. Kropotov
Information security analyst
TBINFORM (TNK-BP Group)
vbkropotov@tnk-bp.com
kropotov@ieee.org