Auto Generated Iframes To Blackhole Exploit Kit – Following the Cookie Trail

We often talk about websites being compromised and injected with malware that redirect users to exploit kits. We unfortunately don’t give you a complete picture of what the distribution payload is doing on your local machine very often. Today we’ll try to improve that analysis by giving you a more complete picture of the full life cycle of a specific distribution payload.

In this example, we’ll be showing you how an attacker is injecting a site with a dynamic iFrame generator, which then attempts to install a malicious payload on your machine. More importantly, we’ll show you what that file is doing locally.

We were actually very lucky in this instance. Instead of a banking trojan, we were able to get our hands on a payload that is designed to steal not only your Browser information, but your FTP credentials as well. This can then be used to compromise any website you own, completing the life cycle of the injection:

compromised site -> compromised desktop -> stolen FTP passwords -> more compromised sites


1- Compromised sites with auto generated iframes

A WordPress site was hacked via brute forcing their wp-admin admin password. We were able to see in the logs that after multiple login attempts, the attackers succeeded and logged in as administrator and used the theme editor to insert the following code at the top of the header.php of the theme:

Screen Shot 2013-05-05 at 11.14.20 AM

If you don’t know PHP, this code will contact the website http://82.200.204.151/config.inc.php and will act as a connection to the command and control server to get confirmation of what it should do. This is done in this part of the code:

Screen Shot 2013-05-05 at 11.15.22 AM

Which we can easily replicate using Curl to see what it replies:

Screen Shot 2013-05-05 at 11.17.08 AM

As I am writing this post, it returns “httx://andlettherebelight.com/news/faults-ending.php”. The same code will get that URL and inject the following iFrame at the bottom of the website, usually after the closing “” tag:

Screen Shot 2013-05-05 at 11.22.24 AM

2- From server level code to browser injection

That iFrame from httx://andlettherebelight.com/news/faults-ending.php gets executed every time someone visits the compromised site. And once called, it returns code from the infamous Blackhole Exploit kit. It is a heavily obfuscated JavaScript that looks something like this:

<body asd=123><script>z=eval ; ss=String;
dd="d"+"i"+"v"; 
function vq(){for(i=0;a.length>i;i++){if(az)zz();}}gg=("getElementsByTagName");..
<style>.d{visibility:hidden;}</style><div class="d">95.89.95.89.62.a0.9b.8a.97.98.8e.94.93.5f.47.55.53.5c.53.5e.47.51.93.86.92.8a.5f.47.
95.89.95.89.47.51.8d.86.93.89.91.8a.97.5f.8b.9a.93.88.99.8e.94.93.4d.88.51.87.51.86.4e.a0.97.8a.99.9a.97.93.45.8b.9a.93.88.99.8e.94.93.4d.4e.a0.88.4d.
87.51.86.4e.a2.a2.51.94.95.8a.93.79.86.8c.5f.47...
... long long code..

A check shows that the distribution payload is not very well detected by Anti-Virus companies. As you can see on VirusTotal, it is 1/46 for one sample:

First sample https://www.virustotal.com/en/file/404dce722c425a7b64b626a32848a22734b2136b35dbbe62760bf9355b86a0da/analysis/1367070666/:

Screen Shot 2013-05-05 at 11.28.16 AM

And 1/46 for another one: https://www.virustotal.com/en/file/45ccc879794713da5ba59c212f87b0d9fbb5bcc95e8acdbf086015827edf7563/analysis/1367070678/:

Screen Shot 2013-05-05 at 11.26.29 AM

This means that out of 46 engines, only 1 detected those samples, AVG on the first one and Fortinet on the second. This doesn’t mean that it you won’t be protected at the end-point, but it does mean that they are not able to detect this distribution payload.

4- Command and control and new URLS

Below is a list of all the sites that have been used in the compromise in the time that we have been monitoring this C&C. They seem to rotate out every few hours and the domain does not replicate, this can be for a number of reasons like evading detection, website is cleared of compromise, etc…

Here is the list of the various domains that have been used:

http://john-aaroe-group-sherman-oaks.com/news/faults-ending.php  (50.116.6.12)
http://listingpresentationonline.com/news/faults-ending.php (50.116.6.12)
http://sagerealestate.ca/news/faults-ending.php (184.172.149.128)
http://palmspringsrentalsvacation.com/news/faults-ending.php (50.116.6.12)
http://realtor-com-hollywood-hills-ca.com/news/faults-ending.php (50.116.6.12)
http://realtor-com-larchmont-village-ca.com/news/faults-ending.php (50.116.6.12)
http://realtor-com-sherman-oaks.com/news/faults-ending.php (50.116.6.12)
http://mydadsbest.com/news/faults-ending.php (66.228.44.144)
http://andlettherebelight.com/news/faults-ending.php (66.228.44.144)
http://firepointmedia.net/news/faults-ending.php (66.228.44.144)
http://burienanimalcontrol.com/news/faults-ending.php (50.116.61.32)
http://burienbandapalooza.com/news/faults-ending.php (50.116.61.32)
http://iloveburien.com/news/faults-ending.php (50.116.61.32)
http://markrestaurant.com/news/faults-ending.php (50.116.61.32)
http://optimarkeyecare.com/news/faults-ending.php (50.116.61.32)
http://enteratebusiness.com/news/faults-ending.php (50.116.61.32)
http://enteratecalifornia.com/news/faults-ending.php (50.116.61.32)
http://igreenmarketing.com/news/faults-ending.php (50.116.61.32)
http://spencerandashley.com/news/faults-ending.php (50.116.61.32)
http://usedchairlifts.com/news/faults-ending.php (50.116.61.32)
http://sherman-oaks-condos-for-sale.com/news/faults-ending.php (173.230.128.250)
http://atlanticshowroom.com/news/faults-ending.php (173.230.128.250)
http://albiontirecity.com/news/faults-ending.php (173.230.128.250)
http://seniorcarecard.com/news/faults-ending.php (50.116.12.172)
http://thisplaceiknow.co/news/faults-ending.php (50.116.12.172)
http://thisplaceiknow.info/news/faults-ending.php (50.116.12.172)
http://thisplaceweknow.org/news/faults-ending.php (50.116.12.172)
http://wegotaplace.co/news/faults-ending.php (50.116.12.172)
http://wegotaplace.info/news/faults-ending.php (50.116.12.172)
http://wegotaplace.net/news/faults-ending.php (50.116.12.172)
http://wehaveaplace.net/news/faults-ending.php (50.116.12.172)
http://weknowhomecare.com/news/faults-ending.php (50.116.12.172)
http://weknowhomecare.info/news/faults-ending.php (50.116.12.172)
http://allamericantireinc.com/news/faults-ending.php (174.140.171.249)
http://allautoandtruck.net/news/faults-ending.php (174.140.171.249)
http://allstatetire.net/news/faults-ending.php (174.140.171.249)

5- From browser injection to owned Desktop

We wanted to see if they are using the same payload each time, and it appears they are. Unlike most of our other research, we decided to see what it might be doing at the end-point. Special thanks to Jerome Segura of Malwarebytes for the help on this front.

It appears that the attackers are performing a drive-by-download in an effort to steal credentials. We often talk about this, but today we can show you more. In this instance working off Windows OS with IE8, we were able to trigger the payload when the conditions are met. This is what the user was greeted with:

Sucuri Adobe Drive By

If you’re not aware, this is pretty close to what the old download page looked like. This is what it looks like today:

Screen Shot 2013-05-05 at 11.37.31 AM

The first sign of fraud should be the domains. The fake one is coming from hxxp://graphicsspecialistsgroup.com/adobe/ and the real one comes from get.adobe.com/flashplayer. When the user clicks on the download the browser will download a file called update_flash_player.exe. This file is being stored on the compromised server and is located in the same directory mentioned above /adobe.

When the user installs the payload, it performs a silent install. There are not actions required by the user, unclear why but it kills the Windows Rundll32 library, then it goes silent. There is no other action to show that something has occurred and to the unsuspecting user it would seem as the update went flawlessly.

This is where our friend Jerome comes into play, he was able to point us in the direction of a few resources that would help us better diagnose what the payload was doing. Surprisingly, when we checked with VirusTotal to see which end-point solutions would detect the payload, only 10 of the 46 players detected.

Sucuri - VirusTotal Adobe Drive By

Fortunately, there are a few good resources out there and we were able to break down the payload further to understand what it was doing. Here is what we know:

  • It starts a server listening agent on 0.0.0.0:0
  • Steals private local information from local internet browsers
  • Harvest credentials from local FTP client software
  • Installs itself for auto run at Windows startup

Here is a list of all the domains it touches, or reaches out to, when installed:

mail.yaklasim.com	            212.58.4.13
www.brozziassicurazioni.it	    62.149.130.81
www.google.com	            173.194.78.147
www.google.nl	            173.194.78.94
cdn162.filesnetuploadlist.com  78.131.140.159

Here are a few examples of some of the data points it looks to harvest:

C:\Documents and Settings\User\Application Data\GlobalSCAPE\CuteFTP\sm.dat
C:\Documents and Settings\User\Application Data\GlobalSCAPE\CuteFTP\*.*
C:\Documents and Settings\User\Application Data\GlobalSCAPE\CuteFTP Pro\sm.dat
C:\Documents and Settings\User\Application Data\GlobalSCAPE\CuteFTP Pro\*.*
C:\Documents and Settings\User\Application Data\GlobalSCAPE\CuteFTP Lite\sm.dat
C:\Documents and Settings\User\Application Data\GlobalSCAPE\CuteFTP Lite\*.*
C:\Documents and Settings\User\Application Data\FlashFXP\3\Sites.dat
C:\Documents and Settings\User\Application Data\FlashFXP\4\Sites.dat
C:\Documents and Settings\User\Application Data\FlashFXP\3\Quick.dat
C:\Documents and Settings\User\Application Data\FlashFXP\4\Quick.dat
C:\Documents and Settings\User\Application Data\FlashFXP\3\History.dat
C:\Documents and Settings\User\Application Data\FlashFXP\4\History.dat
C:\Documents and Settings\All Users\Application Data\FlashFXP\3\Sites.dat
C:\Documents and Settings\All Users\Application Data\FlashFXP\4\Sites.dat
C:\Documents and Settings\All Users\Application Data\FlashFXP\3\Quick.dat
C:\Documents and Settings\All Users\Application Data\FlashFXP\4\Quick.dat
C:\Documents and Settings\All Users\Application Data\FlashFXP\3\History.dat
C:\Documents and Settings\All Users\Application Data\FlashFXP\4\History.dat
C:\Documents and Settings\User\Application Data\FileZilla\filezilla.xml
C:\Documents and Settings\All Users\Application Data\FileZilla\sitemanager.xml
C:\Documents and Settings\All Users\Application Data\FileZilla\recentservers.xml
C:\Documents and Settings\All Users\Application Data\FileZilla\filezilla.xml
C:\Documents and Settings\User\Local Settings\Application Data\FileZilla\sitemanager.xml
C:\Documents and Settings\User\Local Settings\Application Data\FileZilla\recentservers.xml
C:\Documents and Settings\User\Local Settings\Application Data\FileZilla\filezilla.xml
C:\Documents and Settings\User\Local Settings\Application Data\BulletProof Software\*.*
C:\Documents and Settings\User\Application Data\BulletProof Software\*.*
C:\Documents and Settings\All Users\Application Data\BulletProof Software\*.*
C:\Documents and Settings\User\Application Data\SmartFTP\*.*
C:\Documents and Settings\All Users\Application Data\SmartFTP\*.*
C:\Documents and Settings\User\Local Settings\Application Data\SmartFTP\*.*
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\profiles.ini
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\vglnv7s6.default\*.*
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\vglnv7s6.default\bookmarkbackups\*.*
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\vglnv7s6.default\minidumps\*.*
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\vglnv7s6.default\signons.sqlite
C:\Program Files\Mozilla Firefox
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\vglnv7s6.default/secmod.db
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\vglnv7s6.default\secmod.db
.......

Any of these names ring a bell? What you have here is a perfect example of a payload looking to harvest the data you are storing in your local clients, both browser and FTP.

When it installs it also makes connection with a number of different sites:

Screen Shot 2013-05-05 at 11.57.11 AM

Here you can see two things, the authentication is occurring in the first step against the yaklasim.com site, and the payload is being retrieved from the brozziassicurazioni.it site. If you do some more research you find that that the yaklasim site is actually a known malicious domain. This domain is being used for a number of drive by download attacks ranging from stealing credentials like what I described above, to installing banking trojans. Further research shows that the authentication boxes seem to be originating out of Turkey:

IP Address	213.128.73.123
Host server-213.128.73.123.radore.net.tr
Location TR, Turkey

5- Cleaning up and preventing

As you can see, this type of malware goes the full circle. It compromises websites and use them to infect desktops. Once a desktop is infected, it will use it as part of their botnets, and if the owner of the desktop also has a website, it will use that to inject malware as well.

Our SiteCheck scanner detects this type of injection so if you suspect your site has been compromised, you can check it in there.

Scan your website for free:
About Daniel Cid

Daniel is the Founder & CTO of Sucuri and also the founder of the open source project - OSSEC HIDS. His interests range from intrusion detection, log analysis (log-based intrusion detection), web-based malware research and secure development.

You can find more about Daniel at his site dcid.me or on Twitter: @danielcid

  • http://twitter.com/wmwebdes Keith Davis

    Daniel / Tony
    Thanks for this.
    On the fake Adobe graphic it says… “….. you may have to temporarily disable your antivirus software”

    Presumably you should never have to disable your antivirus software to update applications?
    And would antivirus software such as Norton pick this up?

  • Melindrea

    Very good article, and it has convinced me that I want to disable the editor on all my WordPress sites!

    Did you test this with *nix computers as well? I am a bit curious on whether they’d also put in the effort to harvest those.

    (on another note, I think you forgot to close a pre-tag, your 5th header is inside of them)

  • http://www.yepi6.org/ yepi 6

    thank you share, the information will be useful to protect tooibaor good for my computer.

  • Vic

    Great research, reverse engineering and thanks for your detailed findings.