October 19, 2011
Dissecting The Urchin Script Injection Attack

Imperva's Tomer Biton examines a new mass script injection attack that targets ASP and ASP.NET websites. As usual, this is a major technical dissection.

[Image: Urchin]

First, searching Google for the JavaScript payload names shows the scale of the infection (click image to BIGGIFY):

[Image: Asp1]

The injection adds iframes that load one of the JavaScript payloads hosted on two sites (URLs not listed).

The Injected Script (click image to BIGGIFY):

[Image: Asp2]

Now, let's deobfuscate the script:

[Image: Asp3]

The script targets visitors whose browser language is one of six:

  • en = English
  • de = German (Standard)
  • fr = French
  • it = Italian
  • pl = Polish
  • br = Breton (yes, for real)

The redirector:

We can see the ‘go_to’ statement that redirects the visitor’s browser to the www3.strongdefenseiz.in domain:

[Image: Asp4]

According to robtex.com:

strongdefenseiz.in answers with a 302 redirect to one of the following domains:

  • hXXp://www2.strong-dvmaster.rr.nu
  • hXXp://www2.simple-guardo.rr.nu

How do you like your malware?

We identified three different scripts served from the above domains. The scripts are delivered gzip-encoded; the Malzilla tool decodes them and gives a much clearer view (click image to BIGGIFY):

[Image: Asp5]

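A capture of such a response can be decoded without a GUI tool. The following Python is an added example, not code from the post or from Malzilla: it splits a raw HTTP response, undoes the gzip (or deflate) Content-Encoding, and pulls iframe targets and URLs out of the script, defanged in the hXXp style used above. The response and script bytes are constructed here, and the *.example hosts are placeholders, not the domains from the attack.

```python
"""Decode a captured payload response and extract indicators (constructed sample)."""
import gzip
import re
import zlib
from typing import Dict, List, Tuple

IFRAME_SRC_RE = re.compile(r"<iframe[^>]*\bsrc\s*=\s*['\"]([^'\"]+)", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.IGNORECASE)


def parse_http_response(raw: bytes) -> Tuple[Dict[str, str], bytes]:
    """Split a raw HTTP response into a lower-cased header map and the body bytes."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header/body separator in response")
    headers: Dict[str, str] = {}
    for line in head.decode("iso-8859-1").split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def raw_deflate(data: bytes) -> bytes:
    """Compress as raw deflate (no zlib header), the non-conformant form some servers emit."""
    comp = zlib.compressobj(wbits=-zlib.MAX_WBITS)
    return comp.compress(data) + comp.flush()


def decode_body(headers: Dict[str, str], body: bytes) -> bytes:
    """Undo the Content-Encoding so the script can be read as text."""
    encoding = headers.get("content-encoding", "identity").lower()
    if encoding == "gzip":
        return gzip.decompress(body)
    if encoding == "deflate":
        try:
            return zlib.decompress(body)                    # zlib-wrapped, as the RFC specifies
        except zlib.error:
            return zlib.decompress(body, -zlib.MAX_WBITS)   # raw deflate fallback
    return body


def defang(url: str) -> str:
    """Render a URL non-clickable, in the hXXp style the page uses."""
    return re.sub(r"^http", "hxxp", url, flags=re.IGNORECASE)


def extract_indicators(raw: bytes) -> Dict[str, List[str]]:
    """Return iframe targets and every URL found in the decoded script, defanged."""
    headers, body = parse_http_response(raw)
    script = decode_body(headers, body).decode("utf-8", errors="replace")
    iframes = [defang(u) for u in IFRAME_SRC_RE.findall(script)]
    urls = sorted({defang(u) for u in URL_RE.findall(script)})
    return {"iframes": iframes, "urls": urls}


# Constructed sample: a gzip-encoded payload response as it would appear on the wire.
# The *.example hosts and the script body are made up for this example.
SAMPLE_SCRIPT = (
    b'<html><body><iframe src="http://payload-host.example/inject.js" '
    b'width="0" height="0"></iframe>\n'
    b'<script>var lang=navigator.language.slice(0,2);'
    b'if(["en","de","fr","it","pl","br"].indexOf(lang)>=0)'
    b'{window.location="http://redirector.example/go";}</script></body></html>'
)
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Encoding: gzip\r\n"
    b"\r\n" + gzip.compress(SAMPLE_SCRIPT)
)

if __name__ == "__main__":
    for kind, items in extract_indicators(SAMPLE_RESPONSE).items():
        print(kind, items)
```

Feed it the bytes of a saved response (a `.raw` export from a proxy or a packet capture) instead of SAMPLE_RESPONSE; the deflate fallback matters because a fair number of servers send raw deflate streams that the strict zlib decoder rejects.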
Once a script executes in the visitor’s browser, one of the following pages loads (click images to BIGGIFY):

Script #1: Top 10 Famous Celebrity Sex Scandals

[Image: Asp6]

Script #2: Emma Watson never seen before home video

[Image: Asp7]

Script #3: Scareware/Fake Anti-Virus

[Image: Asp8]

What About The Malware?

The malware's main characteristics include:

  • FileSize: 292.00 KB (299013 bytes)
  • MD5: 8DACD674BF9F7A08BFF667721E53B106
  • SHA1: 38954871CE0D2249BCFA500F24A00A5FAF93BFA0

The binary is wrapped in a layer of UPX compression. As usual for UPX, the section table consists of the following sections:

  • .UPX0
  • .UPX1
  • .rsrc
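The section names alone are a usable triage signal. As an added example that is not the post's own code, the Python below parses a PE section table with the standard library, flags the UPX0/UPX1 layout (by name, and by the first section being empty on disk if the names were changed), and checks a file's MD5/SHA1 against the hashes listed above. build_sample_pe() constructs a minimal stub with that layout for the demonstration; it is not the real sample and does not match the hashes.

```python
"""Read a PE section table and flag the UPX layout described above (constructed stub)."""
import hashlib
import struct
from typing import List, NamedTuple

# Hashes published on the page for the analysed sample (lower-cased for comparison).
KNOWN_MD5 = "8dacd674bf9f7a08bff667721e53b106"
KNOWN_SHA1 = "38954871ce0d2249bcfa500f24a00a5faf93bfa0"


class Section(NamedTuple):
    name: str
    virtual_size: int
    virtual_address: int
    raw_size: int
    raw_pointer: int
    characteristics: int


def pe_sections(data: bytes) -> List[Section]:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _ts, _symptr, _nsyms, opt_size, _flags = struct.unpack_from(
        "<HHIIIHH", data, coff)
    table = coff + 20 + opt_size          # section headers follow the optional header
    sections = []
    for i in range(nsections):
        f = struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        name = f[0].rstrip(b"\0").decode("ascii", errors="replace")
        sections.append(Section(name, f[1], f[2], f[3], f[4], f[9]))
    return sections


def looks_upx_packed(sections: List[Section]) -> bool:
    """UPX leaves UPX0/UPX1 (or .UPX0/.UPX1); UPX0 is the unpack target, empty on disk."""
    names = {s.name.lstrip(".").upper() for s in sections}
    if "UPX0" in names and "UPX1" in names:
        return True
    # Names are trivially renamed; the layout is harder to hide: a first section with
    # no bytes on disk but a large virtual range is the decompression destination.
    return (len(sections) >= 2 and sections[0].raw_size == 0
            and sections[0].virtual_size >= 0x1000)


def matches_known_sample(data: bytes) -> bool:
    """Compare a file's hashes against the IoCs listed on the page."""
    return (hashlib.md5(data).hexdigest() == KNOWN_MD5
            or hashlib.sha1(data).hexdigest() == KNOWN_SHA1)


def build_sample_pe() -> bytes:
    """Constructed stub with the UPX0/UPX1/.rsrc layout; not the real sample."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)        # e_lfanew: PE header right after DOS header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 optional-header magic
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, len(opt), 0x0102)
    layout = [  # name, virtual size, virtual address, raw size, raw pointer, characteristics
        (b"UPX0", 0x20000, 0x1000, 0, 0x400, 0xE0000080),
        (b"UPX1", 0x3000, 0x21000, 0x2800, 0x400, 0xE0000040),
        (b".rsrc", 0x1000, 0x24000, 0x800, 0x2C00, 0xC0000040),
    ]
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                     for n, vs, va, rs, rp, ch in layout)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    sample = build_sample_pe()
    for s in pe_sections(sample):
        print(f"{s.name:8s} vsize={s.virtual_size:#x} raw={s.raw_size:#x}")
    print("UPX layout:", looks_upx_packed(pe_sections(sample)),
          "matches IoC:", matches_known_sample(sample))
```

Replace build_sample_pe() with `open(path, "rb").read()` to triage a real file; the hash check is exact-match only, so a recompressed or repacked variant of the same family will not hit it even though the section layout still will.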

This sample is designed to redirect web search results from Bing.com and Google.com. It uses rootkit techniques to hide its presence from the victim and from security products. This is not the first time we have seen this kind of behavior: malware from the TDSS (TDL3 and TDL4) and ZeroAccess/Sirefef families was involved in nearly all cases of those annoying redirects.

I’m guessing the sample eventually routes the traffic on to Google after monitoring or logging it for whatever reason.

Once executed, the sample creates a service that loads a kernel-mode driver, 5640.sys:

[Image: Asp9]

[Image: Asp10]

The SYSTEM process (PID 4) is infected by a malicious thread injection (click to BIGGIFY):

[Image: Asp12]

The local pharming technique? The sample modifies the system hosts file (/etc/hosts), locks it and marks it hidden (click to BIGGIFY):

[Image: Asp13]

After roughly 60 blank (CRLF) lines it adds the following entries (you must page down to see them):

[Image: Asp14]

The sample also copies itself to a tmp folder with a .tmp extension:

[Image: Asp15]

As described above, the sample is designed to redirect user searches from ‘Google’ and ‘Bing’. After infection, pinging Google.com and bing.com returns the same IP (click to BIGGIFY):

Before Infection / After Infection:

[Image: Asp16]

Whereas Facebook.com is not a target:

[Image: Asp17]
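The hosts-file changes described above (the ~60 lines of padding, and google.com and bing.com resolving to the same address while facebook.com is untouched) can be checked for directly. The Python below is an added example, not from the post: it parses a hosts file, measures the longest run of blank lines, and reports watched search domains that are mapped to a non-loopback address, grouping them by shared IP. SAMPLE_HOSTS, the 203.0.113.10 address and the 20-line padding threshold are constructed for this example.

```python
"""Audit a hosts file for the local-pharming pattern described above (constructed sample)."""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Tuple

WATCHED = ("google.com", "bing.com")   # domains the sample redirected; facebook.com was not touched

# Constructed sample: a stock comment line, ~60 blank lines of padding, then the hijack
# entries. 203.0.113.10 is a documentation (TEST-NET-3) address standing in for the real one.
SAMPLE_HOSTS = (
    "# Copyright (c) 1993-2009 Microsoft Corp.\r\n"
    "127.0.0.1       localhost\r\n"
    + "\r\n" * 60
    + "203.0.113.10 www.google.com\r\n"
    "203.0.113.10 google.com\r\n"
    "203.0.113.10 www.bing.com\r\n"
    "203.0.113.10 bing.com\r\n"
)


def parse_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, ip, hostname) for every mapping; comments and blanks are skipped."""
    entries = []
    for no, line in enumerate(text.splitlines(), start=1):
        parts = line.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue                     # malformed line, not a mapping
        for host in parts[1:]:
            entries.append((no, parts[0], host.lower()))
    return entries


def longest_blank_run(text: str) -> int:
    """Length of the longest run of empty lines: padding that pushes entries out of view."""
    best = run = 0
    for line in text.splitlines():
        run = run + 1 if not line.strip() else 0
        best = max(best, run)
    return best


def is_watched(host: str, watched=WATCHED) -> bool:
    """True for a watched domain or any subdomain of it."""
    return any(host == w or host.endswith("." + w) for w in watched)


def audit_hosts(text: str, watched=WATCHED) -> Dict[str, object]:
    """Flag watched domains mapped to non-loopback addresses and addresses shared between them."""
    hijacked: List[Tuple[int, str, str]] = []
    by_ip: Dict[str, set] = defaultdict(set)
    for no, ip, host in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_unspecified:
            continue                     # 127.x / 0.0.0.0 sinkholing is the benign use of this file
        if is_watched(host, watched):
            hijacked.append((no, host, ip))
            by_ip[ip].add(host)
    shared = {ip: sorted(hosts) for ip, hosts in by_ip.items() if len(hosts) > 1}
    blank_run = longest_blank_run(text)
    return {"hijacked": hijacked, "shared_ips": shared, "blank_run": blank_run,
            "padding_suspect": blank_run >= 20}   # threshold chosen for this example


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    for no, host, ip in report["hijacked"]:
        print(f"line {no}: {host} -> {ip}")
    print("shared:", report["shared_ips"], "blank run:", report["blank_run"])
```

Point it at the live file (on Windows, %SystemRoot%\System32\drivers\etc\hosts) and extend WATCHED with whatever domains matter in your environment; the "several watched domains on one non-loopback address" signal is what the before/after ping comparison above shows by hand.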

Be safe.

