You are the weakest link, goodbye!

Filed Under: SophosLabs

"A chain is only as strong as the weakest link". Breaking a link will break the chain. Modern malware often uses complex infection mechanisms to attack the Endpoint. Detection of any component of the infection mechanism, be it at the Gateway or Endpoint, will break the infection chain, leaving the Endpoint secure.

A typical infection chain will be:

  1. Spamming (IM or email) of message containing malicious link
  2. Redirection through one or more sites
  3. Site hosting malicious script exploits
  4. Download of malicious executable(s) from other sites
  5. ...

Attacks following this modus operandi are common (see the posting about the recent .hk attacks for example).

Recently, there have been several documented attacks targeting Italian sites. These attacks have involved the use of a package (known as MPack) to create exploit scripts to infect vulnerable users. One of the attacks using this package resulted in the following infection chain:

  1. ...
  2. Many Italian sites compromised with an Iframe
  3. Iframe redirects to a site serving up multiple exploits
  4. Downloader Trojan executable downloaded to vulnerable machines
  5. ...

SophosLabs have yet to see the first link in the chain. Given that compromised sites have been used, it may be that the hackers were relying on slow infections as people visited the sites.

The second link, multiple compromised pages, is now detected by an update to Mal/Iframe-F. Curiously, some of the sites showed other infections (for example Mal/FunDF-A), suggesting they had been compromised multiple times. In fact, over the last few months SophosLabs has noticed several attacks on Italian domains. In March ~5000 pages were hacked with JS/EncIFra-A and we have blogged in the past about other Italian hacks (1, 2, 3, ...).

The third link concerns the site hosting malicious scripts to target multiple browser vulnerabilities. This is the creation of the recently discussed MPack package. The Iframe in the compromised site loads a malicious script (via a redirect) from URLs such as:

xx.xx.xx.xx/~ftpcom/index.html
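To show the kind of check that breaks the chain at the second and third links, here is an added example (not SophosLabs' Mal/Iframe-F logic, and not code from the post): a small heuristic scanner that parses a fetched page and flags iframes that both load from a different host than the page and are kept invisible (zero size or hidden by style). The sample HTML, the host names `www.example.it`, `cdn.example.it` and `exploit-host.example` are constructed placeholders; only the `~ftpcom/index.html` path comes from the post.

```python
# Added example (not SophosLabs' detection logic): a heuristic scanner for the
# kind of injected, invisible, off-site iframe described above, run over
# constructed sample HTML. All host names are constructed placeholders.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a legitimate page with one injected, invisible iframe
# pointing at an off-site exploit host (placeholder name, not a real site).
SAMPLE_HTML = """<html><body>
<h1>Benvenuti</h1>
<iframe src="/widgets/meteo.html" width="300" height="200"></iframe>
<iframe src="http://exploit-host.example/~ftpcom/index.html"
        width="0" height="0" style="display:none"></iframe>
</body></html>"""

# Constructed sample: an off-site but visible (legitimate) banner frame.
CLEAN_HTML = """<html><body><h1>Benvenuti</h1>
<iframe src="//cdn.example.it/banner.html" width="468" height="60"></iframe>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _tiny(value):
    """True for width/height of 0 or 1 (pixels), the usual way an injected
    frame is kept out of sight."""
    value = value.strip().lower()
    if value.endswith("px"):
        value = value[:-2].strip()
    return value.isdigit() and int(value) <= 1


def is_hidden(attrs):
    """Hidden if sized to (near) zero or hidden via inline style."""
    style = attrs.get("style", "").replace(" ", "").lower()
    return (_tiny(attrs.get("width", "")) or _tiny(attrs.get("height", ""))
            or "display:none" in style or "visibility:hidden" in style)


def find_suspicious_iframes(html, page_url):
    """Return the src of every iframe that is both off-site (a different host
    from the page it sits in) and hidden. Same-host or visible frames are
    left alone, so an ordinary embedded widget does not trigger."""
    page_host = (urlparse(page_url).hostname or "").lower()
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        src_host = (urlparse(src).hostname or "").lower()
        off_site = bool(src_host) and src_host != page_host
        if off_site and is_hidden(attrs):
            hits.append(src)
    return hits


if __name__ == "__main__":
    for src in find_suspicious_iframes(SAMPLE_HTML, "http://www.example.it/"):
        print("suspicious iframe:", src)
```

The heuristic deliberately requires both conditions (off-site and hidden): a visible third-party frame is normal web design, and a hidden same-site frame is often a legitimate tracking or layout trick. It will not see iframes written at runtime by obfuscated script, which is why the script-level detection discussed for the third link still matters.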

This file is still being analysed but it does appear to use multiple exploits. We will be releasing detection for this as Mal/ObfJS-D. Preliminary analysis of the exploit code shows it to download a file from the following URL:

xx.xx.xx.xx/~ftpcom//file.php

Interestingly, the URL in question is already known to SophosLabs. We saw malware hosted here over a month ago (May 15th). Consequently, the site has been proactively blocked by our Web Secure appliance (WS1000) from that date.

The fourth link, file.php, is not a PHP file, at least not if you download it correctly :-) It is actually an executable, proactively detected as Mal/Clagger-E. This detection was released at the end of May and we have since seen ~100 unique malicious files detected.
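The mismatch between what the URL claims (a .php page) and what actually comes back (a Windows executable) is itself something a gateway can check. The following is an added example, not the WS1000's or SophosLabs' logic: it labels a downloaded body by its leading bytes and compares that with the file type the URL extension should produce. The host name `exploit-host.example` and the byte strings `FAKE_PE` and `FAKE_HTML` are constructed; only the `~ftpcom//file.php` path is from the post.

```python
# Added example (not the WS1000's or SophosLabs' logic): classify a downloaded
# body by magic bytes and compare with what the URL's extension claims.
# The sample bytes and the host name are constructed.
import posixpath
from urllib.parse import urlparse

# (magic prefix, label) pairs for a few common file types.
MAGIC = [
    (b"MZ", "pe-executable"),
    (b"\x7fELF", "elf-executable"),
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip"),
]

# What a well-behaved server would return for each extension.
EXPECTED = {
    ".html": {"html"}, ".htm": {"html"}, ".php": {"html"},
    ".exe": {"pe-executable"}, ".pdf": {"pdf"}, ".zip": {"zip"},
}


def sniff(data):
    """Label the content by magic bytes; fall back to a crude HTML check."""
    for prefix, kind in MAGIC:
        if data.startswith(prefix):
            return kind
    head = data.lstrip()[:256].lower()
    if head.startswith((b"<!doctype", b"<html", b"<script", b"<iframe")):
        return "html"
    return "unknown"


def check_download(url, data):
    """Return a verdict dict. 'block' is set when the content is an
    executable served under an extension that should never yield one."""
    ext = posixpath.splitext(urlparse(url).path)[1].lower()
    kind = sniff(data)
    expected = EXPECTED.get(ext)
    mismatch = expected is not None and kind not in expected
    executable = kind.endswith("executable")
    return {"ext": ext, "kind": kind, "mismatch": mismatch,
            "block": mismatch and executable}


# Constructed stand-in for the first bytes of a Windows executable: the DOS
# header magic, padding, and the familiar stub message. Not a real file.
FAKE_PE = (b"MZ\x90\x00" + b"\x00" * 56
           + b"This program cannot be run in DOS mode.\r\n$")
# Constructed stand-in for an ordinary HTML response.
FAKE_HTML = b"<html><body><iframe src='x'></iframe></body></html>"

if __name__ == "__main__":
    print(check_download("http://exploit-host.example/~ftpcom//file.php", FAKE_PE))
    print(check_download("http://exploit-host.example/~ftpcom/index.html", FAKE_HTML))
```

The point of the example is the principle in the post rather than this particular signature: a response body that is executable code arriving under a page or script extension is a strong, content-agnostic signal, independent of whether the executable itself is already known as Mal/Clagger-E.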

For users protected via Gateway or Endpoint solutions the chain would have been broken, proactively, at link four:

  • the request to download file.php would have been blocked by the WS1000
  • even if it succeeded, the file itself would have been detected as Mal/Clagger-E

Subsequent links in the chain (i.e. downloading of further malicious files) are therefore neutered.

Job done, well at least so far as protecting customers from this attack. All that remains is to sweep up the droppings and ensure all other components are detected as necessary. Hopefully, one of these detections will break the chain in the next attack!
